npm - @enterprisestandard/core - Versions diffs - 0.0.14 → 0.0.15-beta.20260420.1 - Mend

@enterprisestandard/core 0.0.14 → 0.0.15-beta.20260420.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.d.ts +332 -21
package/dist/index.js +1 -1
package/dist/server.d.ts +423 -16
package/dist/server.js +1 -1
package/dist/shared/core-assxr5dn.js +12 -0
package/package.json +3 -3
package/dist/shared/core-kk9hdwwp.js +0 -12

package/dist/index.d.ts CHANGED Viewed

@@ -817,6 +817,118 @@ type StoredUser<TExtended = object> = User2 & {
 	*/
 	tenantId?: string;
 	/**
+	* Optional external identifier from the provisioning client.
+	* Commonly set by IAM inbound SCIM provisioning flows.
+	*/
+	externalId?: string;
+	/**
+	* Optional SCIM display name distinct from the simple `name` field.
+	* Commonly set by IAM inbound SCIM provisioning flows.
+	*/
+	displayName?: string;
+	/**
+	* Optional structured SCIM name.
+	* Commonly set by IAM inbound SCIM provisioning flows.
+	*/
+	scimName?: Name;
+	/**
+	* Optional SCIM email collection.
+	* The simple `email` field still stores the primary email for quick lookup.
+	*/
+	emails?: Email[];
+	/**
+	* Optional SCIM nickname.
+	* Commonly set by IAM inbound SCIM provisioning flows.
+	*/
+	nickName?: string;
+	/**
+	* Optional SCIM account state.
+	* Commonly set by IAM inbound SCIM provisioning flows.
+	*/
+	active?: boolean;
+	/**
+	* Optional SCIM job title.
+	* Commonly set by IAM inbound SCIM provisioning flows.
+	*/
+	title?: string;
+	/**
+	* Optional SCIM preferred language.
+	* Commonly set by IAM inbound SCIM provisioning flows.
+	*/
+	preferredLanguage?: string;
+	/**
+	* Optional SCIM locale.
+	* Commonly set by IAM inbound SCIM provisioning flows.
+	*/
+	locale?: string;
+	/**
+	* Optional SCIM timezone.
+	* Commonly set by IAM inbound SCIM provisioning flows.
+	*/
+	timezone?: string;
+	/**
+	* Optional SCIM phone numbers.
+	* Commonly set by IAM inbound SCIM provisioning flows.
+	*/
+	phoneNumbers?: PhoneNumber[];
+	/**
+	* Optional SCIM instant messaging addresses.
+	* Commonly set by IAM inbound SCIM provisioning flows.
+	*/
+	ims?: Array<{
+		value: string;
+		display?: string;
+		type?: string;
+		primary?: boolean;
+	}>;
+	/**
+	* Optional SCIM photos.
+	* Commonly set by IAM inbound SCIM provisioning flows.
+	*/
+	photos?: Photo[];
+	/**
+	* Optional SCIM addresses.
+	* Commonly set by IAM inbound SCIM provisioning flows.
+	*/
+	addresses?: Address[];
+	/**
+	* Optional SCIM roles.
+	* Commonly set by IAM inbound SCIM provisioning flows.
+	*/
+	roles?: Role[];
+	/**
+	* Optional SCIM groups.
+	* Commonly set by IAM inbound SCIM provisioning flows.
+	*/
+	groups?: Group[];
+	/**
+	* Optional SCIM entitlements.
+	* Commonly set by IAM inbound SCIM provisioning flows.
+	*/
+	entitlements?: Array<{
+		value: string;
+		display?: string;
+		type?: string;
+		primary?: boolean;
+	}>;
+	/**
+	* Optional SCIM X.509 certificates.
+	* Commonly set by IAM inbound SCIM provisioning flows.
+	*/
+	x509Certificates?: X509Certificate[];
+	/**
+	* Optional SCIM enterprise extension.
+	* Mirrors `urn:ietf:params:scim:schemas:extension:enterprise:2.0:User`.
+	* Commonly set by IAM inbound SCIM provisioning flows.
+	*/
+	scimEnterprise?: EnterpriseExtension;
+	/**
+	* Optional pass-through SCIM schema extensions keyed by full URN.
+	* Use this when your validator accepts custom top-level SCIM extensions and
+	* you want them to round-trip through a `UserStore` implementation.
+	*/
+	scimSchemaExtensions?: Record<string, unknown>;
+	/**
 	* Timestamp when the user was first stored.
 	*/
 	createdAt: Date;
@@ -899,6 +1011,12 @@ interface UserStore<TExtended = object> {
 	list(options?: UserListOptions): Promise<ListResult<StoredUser<TExtended>>>;
 }
 import { StandardSchemaV1 as StandardSchemaV14 } from "@standard-schema/spec";
+type ChangeListener = () => void;
+type ReactiveHandle = {
+	beforeChange?(listener: ChangeListener): () => void;
+	afterChange?(listener: ChangeListener): () => void;
+	isAvailable?(): boolean;
+};
 import { StandardSchemaV1 as StandardSchemaV13 } from "@standard-schema/spec";
 /**
 * JWT Assertion Claims for OAuth2 JWT Bearer Grant (RFC 7523) and OAuth2 Access Tokens
@@ -1393,7 +1511,7 @@ type WorkloadIdentity = {
 /**
 * Workload Identity Authentication Interface
 */
-type Workload = WorkloadConfig & {
+type Workload = WorkloadConfig & ReactiveHandle & {
 	/**
 	* Returns a token for this workload configuration.
 	* The optional argument overrides the configured default scope.
@@ -1408,7 +1526,7 @@ type Workload = WorkloadConfig & {
 	/** Framework-agnostic request handler for the Workload module (token, validate, jwks, refresh). */
 	handler: (request: Request) => Promise<Response>;
 };
-type WorkloadClient = Pick<Workload, "getToken" | "refreshToken" | "generateJWTAssertion" | "revokeToken">;
+type WorkloadClient = Pick<Workload, "getToken" | "refreshToken" | "generateJWTAssertion" | "revokeToken" | "beforeChange" | "afterChange" | "isAvailable">;
 /**
 * SCIM Error response structure
 */
@@ -1449,6 +1567,10 @@ interface IAMHandlerConfig {
 	* Base path for the SCIM Groups endpoints (e.g., '/api/iam/Groups')
 	*/
 	groupsUrl?: string;
+	/**
+	* Handler overrides for SCIM discovery endpoints (e.g., '/api/iam/ServiceProviderConfig')
+	*/
+	discovery?: IAMDiscoveryHandlerConfig;
 }
 /**
 * IAM configuration
@@ -1469,6 +1591,12 @@ type IAMConfig = {
 	*/
 	userStore?: UserStore;
 	/**
+	* Optional inbound user mapping hooks for SCIM provisioning.
+	* Use these when the default StoredUser <-> SCIM mapping is not a direct fit
+	* for your application's database model.
+	*/
+	inboundUsers?: IAMInboundUsersConfig;
+	/**
 	* Store for inbound group provisioning from external IAM providers.
 	* When configured, enables groups_inbound (external IAM -> app).
 	*/
@@ -1479,11 +1607,142 @@ type IAMConfig = {
 	*/
 	usersUrl?: string;
 	groupsUrl?: string;
+	discovery?: IAMDiscoveryConfig;
 };
 type IAMValidators = {
 	user: StandardSchemaV15<unknown, User>;
 	group: StandardSchemaV15<unknown, GroupResource>;
 };
+interface IAMInboundUserContext {
+	/**
+	* Current stored user when replacing or patching an existing resource.
+	*/
+	existing?: StoredUser;
+	/**
+	* Operation mode for the inbound mapper.
+	*/
+	mode: "create" | "replace" | "patch";
+}
+interface IAMInboundUsersConfig {
+	/**
+	* Replace the default validated SCIM -> StoredUser mapper.
+	*/
+	mapValidatedScimToStoredUser?: (validated: User, context: IAMInboundUserContext) => StoredUser | Promise<StoredUser>;
+	/**
+	* Replace the default StoredUser -> SCIM response mapper.
+	*/
+	mapStoredUserToScim?: (stored: StoredUser) => User | Promise<User>;
+}
+interface ScimAuthenticationScheme {
+	type: string;
+	name: string;
+	description?: string;
+	specUri?: string;
+	documentationUri?: string;
+	primary?: boolean;
+}
+interface ScimServiceProviderConfig {
+	schemas: string[];
+	documentationUri?: string;
+	patch: {
+		supported: boolean;
+	};
+	bulk: {
+		supported: boolean;
+		maxOperations?: number;
+		maxPayloadSize?: number;
+	};
+	filter: {
+		supported: boolean;
+		maxResults?: number;
+	};
+	changePassword: {
+		supported: boolean;
+	};
+	sort: {
+		supported: boolean;
+	};
+	etag: {
+		supported: boolean;
+	};
+	authenticationSchemes?: ScimAuthenticationScheme[];
+	meta?: {
+		resourceType?: string;
+		location?: string;
+	};
+}
+interface ScimResourceTypeSchemaExtension {
+	schema: string;
+	required: boolean;
+}
+interface ScimResourceType {
+	schemas: string[];
+	id: string;
+	name: string;
+	description?: string;
+	endpoint: string;
+	schema: string;
+	schemaExtensions?: ScimResourceTypeSchemaExtension[];
+	meta?: {
+		resourceType?: string;
+		location?: string;
+	};
+}
+interface ScimSchemaAttributeDefinition {
+	name: string;
+	type: "string" | "boolean" | "complex" | "reference" | "dateTime";
+	multiValued: boolean;
+	description?: string;
+	required?: boolean;
+	caseExact?: boolean;
+	mutability?: "readOnly" | "readWrite" | "immutable" | "writeOnly";
+	returned?: "always" | "never" | "default" | "request";
+	uniqueness?: "none" | "server" | "global";
+	referenceTypes?: string[];
+	subAttributes?: ScimSchemaAttributeDefinition[];
+}
+interface ScimSchemaDefinition {
+	schemas: string[];
+	id: string;
+	name: string;
+	description?: string;
+	attributes: ScimSchemaAttributeDefinition[];
+	meta?: {
+		resourceType?: string;
+		location?: string;
+	};
+}
+interface IAMDiscoveryContext {
+	request: Request;
+	basePath: string;
+	usersUrl: string;
+	groupsUrl: string;
+	supportsUsers: boolean;
+	supportsGroups: boolean;
+}
+interface IAMDiscoveryConfig {
+	/**
+	* Public IAM base path used for SCIM discovery. When omitted, the SDK derives
+	* it from `usersUrl` or `groupsUrl`.
+	*/
+	basePath?: string;
+	/**
+	* Optional documentation URI advertised in ServiceProviderConfig.
+	*/
+	documentationUri?: string;
+	/**
+	* Override the default ServiceProviderConfig response.
+	*/
+	buildServiceProviderConfig?: (context: IAMDiscoveryContext, defaults: ScimServiceProviderConfig) => ScimServiceProviderConfig | Promise<ScimServiceProviderConfig>;
+	/**
+	* Override the default ResourceTypes response.
+	*/
+	buildResourceTypes?: (context: IAMDiscoveryContext, defaults: ScimResourceType[]) => ScimResourceType[] | Promise<ScimResourceType[]>;
+	/**
+	* Override the default Schemas response.
+	*/
+	buildSchemas?: (context: IAMDiscoveryContext, defaults: ScimSchemaDefinition[]) => ScimSchemaDefinition[] | Promise<ScimSchemaDefinition[]>;
+}
 /**
 * Options for creating a user
 */
@@ -1524,6 +1783,12 @@ interface UsersInboundHandlerConfig {
 	*/
 	basePath?: string;
 }
+interface IAMDiscoveryHandlerConfig {
+	/**
+	* Base path for the IAM discovery endpoints (e.g., '/api/iam')
+	*/
+	basePath?: string;
+}
 /**
 * Groups Outbound extension - for creating groups in external IAM providers.
 * Enabled when `url` is configured in IAMConfig.
@@ -1594,7 +1859,7 @@ type IAM = IAMConfig & {
 	users_inbound?: IAMUsersInbound;
 	/**
 	* Framework-agnostic request handler for the IAM module.
-	* Routes to users_inbound or groups_inbound based on the request path.
+	* Routes to discovery, users_inbound, or groups_inbound based on the request path.
 	*/
 	handler: (request: Request, config?: IAMHandlerConfig) => Promise<Response>;
 };
@@ -1754,8 +2019,8 @@ interface SessionStore<TExtended = object> {
 	delete(sid: string): Promise<void>;
 }
 type SSOConfig<
-	TSessionData = {},
-	TUserData = {}
+	TSessionData = Record<string, never>,
+	TUserData = Record<string, never>
 > = {
 	authority?: string;
 	tokenUrl?: string;
@@ -1838,10 +2103,17 @@ type SSOValidators = {
 	tokenResponse: StandardSchemaV16<unknown, TokenResponse>;
 };
 type SSO<
-	TSessionData = {},
-	TUserData = {}
+	TSessionData = Record<string, never>,
+	TUserData = Record<string, never>
 > = SSOConfig<TSessionData, TUserData> & {
 	getUser: (request: Request) => Promise<User2 | undefined>;
+	/**
+	* Read the SSO user from cookies without ever issuing an IdP refresh-token round
+	* trip. Returns `undefined` when access cookies are missing, the control cookie
+	* reports expiry in the past, or JWT verification fails. Intended for multi-session
+	* listing paths where N candidates must not silently fan out N IdP requests.
+	*/
+	getUserNoRefresh: (request: Request) => Promise<User2 | undefined>;
 	getRequiredUser: (request: Request) => Promise<User2>;
 	getJwt: (request: Request) => Promise<string | undefined>;
 	initiateLogin: (config: LoginConfig, requestUrl?: string) => Promise<Response>;
@@ -1871,7 +2143,7 @@ type SecretsOperationOptions = {
 	/** Optional timeout in milliseconds for this secrets operation. */
 	timeout?: number;
 };
-type SecretsSource = {
+type SecretsSource = ReactiveHandle & {
 	type: SecretsSourceType;
 	getFullSecret: <T>(path: string, options?: SecretsOperationOptions) => Promise<Secret<T>>;
 	getSecret: <T>(path: string, options?: SecretsOperationOptions) => Promise<T>;
@@ -1919,7 +2191,7 @@ type SecretsValidators = {
 	*/
 	validateSourceConfig?(sourceName: string, config: SecretsSourceConfig): void;
 };
-type Secrets = {
+type Secrets = ReactiveHandle & {
 	/** Named secrets sources client configurations from RemoteConfig. */
 	config: SecretsSourceMap;
 	/** Returns configured secrets source names/keys. */
@@ -2010,7 +2282,7 @@ type VaultLfvSecretsConfig = {
 	* Optional logger for request/response tracing. Use `debugLogger` from `@enterprisestandard/core`
 	* to get debug output with request_id for LFV operations.
 	*/
-	logger?: Logger;
+	log?: Logger;
 };
 /**
 * Runtime-ready LFV source config.
@@ -2328,11 +2600,42 @@ type TenantLookupMethods<
 	TExtended extends object
 > = TMode extends "singleTenantOnly" ? {
 	findTenantByUserId(userId: string): Promise<StoredTenant<TExtended> | null>;
-	findTenantsByUserId?: never;
+	findTenantsByUserIds?: never;
 } : {
 	findTenantByUserId?: never;
-	findTenantsByUserId(userId: string): Promise<StoredTenant<TExtended>[]>;
-};
+	/**
+	* Batched HRD lookup. Resolves the tenants associated with each user id and
+	* returns a `Map` keyed by the original `userId`. Implementations MUST handle
+	* up to {@link MAX_TENANTS_BATCH_USER_IDS} ids per call (matches
+	* `MAX_SSO_DISCOVERY_CANDIDATES`); larger inputs are a programming error.
+	*
+	* **Per-engine guidance for store authors:**
+	*
+	* - Modern engines (PostgreSQL, MySQL/MariaDB, SQLite, MS SQL Server): a single
+	*   parameterized `WHERE user_id IN (?, ?, ...)` is fine at this batch size.
+	* - PostgreSQL specifically: prefer `WHERE user_id = ANY($1::text[])` to keep
+	*   one prepared-statement plan in cache.
+	* - Oracle (≤19c with the 1000-element `IN`-list cap): 32 is well within range;
+	*   if you ever raise this cap upstream, chunk by 1000.
+	* - IBM DB2 / strict engines with low `IN`-list or 32 KB statement-text limits:
+	*   safe at 32, but if the cap is raised the implementation MUST chunk or fall
+	*   back to N+1 lookups internally — never throw and never return partial
+	*   results silently.
+	* - Always parameterize the `IN` value type to match the `user_id` column
+	*   (text vs numeric) to avoid implicit-conversion full table scans.
+	*/
+	findTenantsByUserIds(userIds: string[]): Promise<Map<string, StoredTenant<TExtended>[]>>;
+};
+/**
+* Hard upper bound on the number of user ids accepted by
+* {@link TenantStore.findTenantsByUserIds} (and the public
+* `getTenantsForUserIds`/`getSSOUsers` helpers). Tied to the SSO discovery cap so
+* a single cookie-first browser request never exceeds this value.
+*
+* Treat this as an upper bound, not a target. See per-engine implementation
+* guidance on `findTenantsByUserIds`.
+*/
+declare const MAX_TENANTS_BATCH_USER_IDS = 32;
 type TenantStore<
 	TMode extends UserMode = "singleTenantOnly",
 	TExtended extends object = Record<string, never>
@@ -2362,7 +2665,7 @@ declare class InMemoryTenantStore<
 	readonly userMode: TMode;
 	private readonly createEs?;
 	readonly findTenantByUserId: TMode extends "singleTenantOnly" ? (userId: string) => Promise<StoredTenant<TExtended> | null> : never;
-	readonly findTenantsByUserId: TMode extends "multipleTenantsPerUser" ? (userId: string) => Promise<StoredTenant<TExtended>[]> : never;
+	readonly findTenantsByUserIds: TMode extends "multipleTenantsPerUser" ? (userIds: string[]) => Promise<Map<string, StoredTenant<TExtended>[]>> : never;
 	constructor(options: InMemoryTenantStoreOptions<TMode, TExtended>);
 	get(tenantId: string): Promise<StoredTenant<TExtended> | null>;
 	list(options?: TenantListOptions): Promise<ListResult<StoredTenant<TExtended>>>;
@@ -2372,7 +2675,7 @@ declare class InMemoryTenantStore<
 	getCachedTenantIds(): string[];
 	registerUserTenantId(userId: string, tenantId: string | null | undefined): Promise<void>;
 	private findSingleTenantByUserId;
-	private findMultipleTenantsByUserId;
+	private findMultipleTenantsByUserIds;
 	private resolveTenantsByUserId;
 }
 declare function sendTenantWebhook(webhookUrl: string, payload: TenantWebhookPayload, log: Logger): Promise<void>;
@@ -2485,7 +2788,8 @@ type ApplicationValidators = ESValidators & {
 * from ConfigSource / adaptive (typed as the module type, non-optional).
 */
 type FrameworkConfig = {
-	logger?: Logger;
+	/** Optional `Logger` implementation (e.g. `consoleLogger`); exposed on the instance as `log`. */
+	log?: Logger;
 	sso?: SSOConfig | null;
 	iam?: IAMConfig | null;
 	workload?: FrameworkWorkloadConfig | null;
@@ -2553,9 +2857,9 @@ type ConfigSource = {
 	secret: SecretsSource;
 	/**
 	* Optional. If not set by the creator, the framework may set this before calling load/subscribe
-	* so the source can use the same logger.
+	* so the source can use the same logger as the Enterprise Standard instance (`log`).
 	*/
-	logger?: Logger;
+	log?: Logger;
 	/**
 	* Optional. If not set by the creator, the framework may set this before calling load/subscribe
 	* so the source can use the same validators.
@@ -2599,7 +2903,8 @@ type WorkloadModuleFromConfig<C extends FrameworkConfig> = Exclude<C["workload"]
 type EnterpriseStandardFromConfig<C extends FrameworkConfig = FrameworkConfig> = EnterpriseStandardStrict<C>;
 /** Base shape shared by all EnterpriseStandard variants (modules optional for backward compatibility). */
 type EnterpriseStandardBase = {
-	logger?: Logger;
+	/** Effective framework logger for this instance (from framework `log` or `defaultLogger`). */
+	log: Logger;
 	/** App/tenant identifier when provided by ConfigSource (e.g. vault). */
 	tenantId?: string;
 	/** Most recent remote config applied to this instance (from ConfigSource, after beforeChange if any). */
@@ -2627,7 +2932,7 @@ type EnterpriseStandardBase = {
 };
 /** Config-driven module types: null in config → never; otherwise module type (non-optional). */
 type EnterpriseStandardStrict<C extends FrameworkConfig> = {
-	logger?: Logger;
+	log: Logger;
 	tenantId?: string;
 	config?: RemoteConfig;
 	secret: SecretsSource;
@@ -3213,6 +3518,12 @@ declare function mergeConfig<T extends Record<string, unknown>>(fromVault: T | u
 declare function stripJsonComments(content: string): string;
 declare function parseJsonc<T>(content: string): T;
 /**
+* Deep equality for JSON-like values used in config snapshots.
+* Treats object key order as irrelevant and treats missing and `undefined`
+* object properties as equal by ignoring `undefined` keys on both sides.
+*/
+declare function deepEqualPlain(a: unknown, b: unknown): boolean;
+/**
 * Waits for a HTTP service to be ready by polling its URL.
 * Connection errors (e.g. connection refused) are treated as "not ready" and retried.
 * @param url - The URL to poll.
@@ -3222,4 +3533,4 @@ declare function parseJsonc<T>(content: string): T;
 * @returns A promise that resolves when the service is ready.
 */
 declare function waitOn(url: string, test?: (resp: Response) => boolean | Promise<boolean>, pingInterval?: number, warnInterval?: number, timeout?: number): Promise<void>;
-export { workloadTokenResponseSchema, withValidate, waitOn, version, validationFailureResponse, userSchema, tokenResponseSchema, stripJsonComments, silentLogger, setActiveSession, serializeESConfig, sendTenantWebhook, parseJsonc, oidcCallbackSchema, normalizeTenantRoutingStrategy, normalizeTenantPathNamespace, must, mergeConfig, matchTenantPath, listSsoClientIdsFromCookies, list, jwtAssertionClaimsSchema, infoLogger, idTokenClaimsSchema, groupResourceSchema, getActiveSession, findTenantFromStateParam, defaultLogger, decodeUser, debugLogger, consoleLogger, clearActiveSession, claimsToUser, buildTenantPath, X509Certificate, WorkloadValidators, WorkloadTokenStore, WorkloadTokenResponse, WorkloadIncomingOutgoing, WorkloadIdentity, WorkloadConfigMap, WorkloadConfig, WorkloadClient, Workload, VaultWebSocketSecretsConfig, VaultWebSocketAuthHeader, VaultSecretsConfig, VaultLfvSecretsConfig, ValidateResult, UsersInboundHandlerConfig, UserStore, UserSortOptions, UserSortField, UserMode, UserListOptions, User2 as User, UpsertTenantResponse, UpsertTenantRequest, TokenValidationResult, TokenResponse, TenantWebhookPayload, TenantValidators, TenantUserRegistration, TenantStoredConfigLocator, TenantStoreWithESOptions, TenantStoreWithES, TenantStoreUpsertRecord, TenantStore, TenantStatus, TenantSortOptions, TenantSortField, TenantSecretsConfig, TenantRoutingStrategy, TenantRequestError, TenantRemoteConfigLocator, TenantPathRoutingStrategy, TenantPathNamespace, TenantPathMatch, TenantListOptions, TenantJwtRoutingStrategy, TenantEsFactory, TenantDirectoryTenant, TenantDirectoryResponse, TenantDirectoryAccount, TenantConfigStoreRequest, TenantConfigSourceInput, TenantConfigLocator, TenantConfigEnv, StoredUser, StoredTenantRecord, StoredTenant, StoredGroup, StateCookie, StandardSchemaWithValidate, SortDirection, SessionStore, Session, ServerOnlyWorkloadConfig, SecretsValidators, SecretsSourceType, SecretsSourceMap, SecretsSourceConfig, SecretsSource, SecretsOperationOptions, SecretsModuleConfig, Secrets, SecretRequestSeverity, SecretLifecycleRequest, Secret, User as ScimUser, ScimResult, ScimListResponse, ScimError, SSOValidators, SSOHandlerConfig, SSOConfig, SSOAppValidators, SSOAppRegistry, SSO, Role, ResolvedVaultLfvSecretsConfig, RemoteConfig, RegisterSSOAppResult, RegisterSSOAppPayload, RegisterSSOAppError, RegisterIAMAppResult, RegisterIAMAppPayload, RegisterIAMAppError, Photo, PhoneNumber, OidcCallbackParams, Name, MultipleTenantsForUserError, ModifiableFrameworkConfig, MetaData, MagicLinkStore, MagicLink, LoginConfig, Logger, ListResult, LfvOtpResponse, LfvOtpRequest, LfvErrorResponse, LfvErrorCode, LfvActionRequestBase, LfvActionName, LfvActionAcceptedResponse, JwtBearerWorkloadConfig, JWTAssertionClaims, InMemoryTenantStoreOptions, InMemoryTenantStore, IdTokenClaims, IAMValidators, IAMUsersInbound, IAMHandlerConfig, IAMGroupsOutbound, IAMGroupsInbound, IAMConfig, IAMAppValidators, IAMAppRole, IAMAppRegistry, IAM, GroupsInboundHandlerConfig, GroupStore, GroupSortOptions, GroupSortField, GroupResource, GroupMember, GroupListOptions, Group, GcpSecretsConfig, FrameworkWorkloadIncomingOutgoing, FrameworkWorkloadConfig, FrameworkStores, FrameworkSecretsSourceConfig, FrameworkSecretsModuleConfig, FrameworkConfig, EnvironmentType, EnterpriseUser, EnterpriseStandardFromConfig, EnterpriseStandardBase, EnterpriseStandard, EnterpriseExtension, Email, ESValidators, ESRoutingOptions, ESRouteModule, ESRouteFilterResult, ESResolvedRoute, ESModuleFromConfig, ESConfigChangeResult, ESConfigChangeOptions, ESConfigChangeCallback, ESConfig, DevSecretsConfig, DEFAULT_TENANT_UI_NAMESPACE, DEFAULT_TENANT_API_NAMESPACE, CreateUserOptions, CreateTenantResponse, CreateTenantRequest, CreateGroupOptions, ConfigSourceType, ConfigSource, ClientCredentialsWorkloadConfig, CachedWorkloadToken, CIAMValidators, CIAMConfigFromCode, CIAMConfig, CIAM, BaseUser, AzureSecretsConfig, AwsSecretsConfig, AwsAuthMethod, ApplicationValidators, Address };
+export { workloadTokenResponseSchema, withValidate, waitOn, version, validationFailureResponse, userSchema, tokenResponseSchema, stripJsonComments, silentLogger, setActiveSession, serializeESConfig, sendTenantWebhook, parseJsonc, oidcCallbackSchema, normalizeTenantRoutingStrategy, normalizeTenantPathNamespace, must, mergeConfig, matchTenantPath, listSsoClientIdsFromCookies, list, jwtAssertionClaimsSchema, infoLogger, idTokenClaimsSchema, groupResourceSchema, getActiveSession, findTenantFromStateParam, defaultLogger, deepEqualPlain, decodeUser, debugLogger, consoleLogger, clearActiveSession, claimsToUser, buildTenantPath, X509Certificate, WorkloadValidators, WorkloadTokenStore, WorkloadTokenResponse, WorkloadIncomingOutgoing, WorkloadIdentity, WorkloadConfigMap, WorkloadConfig, WorkloadClient, Workload, VaultWebSocketSecretsConfig, VaultWebSocketAuthHeader, VaultSecretsConfig, VaultLfvSecretsConfig, ValidateResult, UsersInboundHandlerConfig, UserStore, UserSortOptions, UserSortField, UserMode, UserListOptions, User2 as User, UpsertTenantResponse, UpsertTenantRequest, TokenValidationResult, TokenResponse, TenantWebhookPayload, TenantValidators, TenantUserRegistration, TenantStoredConfigLocator, TenantStoreWithESOptions, TenantStoreWithES, TenantStoreUpsertRecord, TenantStore, TenantStatus, TenantSortOptions, TenantSortField, TenantSecretsConfig, TenantRoutingStrategy, TenantRequestError, TenantRemoteConfigLocator, TenantPathRoutingStrategy, TenantPathNamespace, TenantPathMatch, TenantListOptions, TenantJwtRoutingStrategy, TenantEsFactory, TenantDirectoryTenant, TenantDirectoryResponse, TenantDirectoryAccount, TenantConfigStoreRequest, TenantConfigSourceInput, TenantConfigLocator, TenantConfigEnv, StoredUser, StoredTenantRecord, StoredTenant, StoredGroup, StateCookie, StandardSchemaWithValidate, SortDirection, SessionStore, Session, ServerOnlyWorkloadConfig, SecretsValidators, SecretsSourceType, SecretsSourceMap, SecretsSourceConfig, SecretsSource, SecretsOperationOptions, SecretsModuleConfig, Secrets, SecretRequestSeverity, SecretLifecycleRequest, Secret, User as ScimUser, ScimServiceProviderConfig, ScimSchemaDefinition, ScimSchemaAttributeDefinition, ScimResult, ScimResourceTypeSchemaExtension, ScimResourceType, ScimListResponse, ScimError, ScimAuthenticationScheme, SSOValidators, SSOHandlerConfig, SSOConfig, SSOAppValidators, SSOAppRegistry, SSO, Role, ResolvedVaultLfvSecretsConfig, RemoteConfig, RegisterSSOAppResult, RegisterSSOAppPayload, RegisterSSOAppError, RegisterIAMAppResult, RegisterIAMAppPayload, RegisterIAMAppError, ReactiveHandle, Photo, PhoneNumber, OidcCallbackParams, Name, MultipleTenantsForUserError, ModifiableFrameworkConfig, MetaData, MagicLinkStore, MagicLink, MAX_TENANTS_BATCH_USER_IDS, LoginConfig, Logger, ListResult, LfvOtpResponse, LfvOtpRequest, LfvErrorResponse, LfvErrorCode, LfvActionRequestBase, LfvActionName, LfvActionAcceptedResponse, JwtBearerWorkloadConfig, JWTAssertionClaims, InMemoryTenantStoreOptions, InMemoryTenantStore, IdTokenClaims, IAMValidators, IAMUsersInbound, IAMInboundUsersConfig, IAMInboundUserContext, IAMHandlerConfig, IAMGroupsOutbound, IAMGroupsInbound, IAMDiscoveryHandlerConfig, IAMDiscoveryContext, IAMDiscoveryConfig, IAMConfig, IAMAppValidators, IAMAppRole, IAMAppRegistry, IAM, GroupsInboundHandlerConfig, GroupStore, GroupSortOptions, GroupSortField, GroupResource, GroupMember, GroupListOptions, Group, GcpSecretsConfig, FrameworkWorkloadIncomingOutgoing, FrameworkWorkloadConfig, FrameworkStores, FrameworkSecretsSourceConfig, FrameworkSecretsModuleConfig, FrameworkConfig, EnvironmentType, EnterpriseUser, EnterpriseStandardFromConfig, EnterpriseStandardBase, EnterpriseStandard, EnterpriseExtension, Email, ESValidators, ESRoutingOptions, ESRouteModule, ESRouteFilterResult, ESResolvedRoute, ESModuleFromConfig, ESConfigChangeResult, ESConfigChangeOptions, ESConfigChangeCallback, ESConfig, DevSecretsConfig, DEFAULT_TENANT_UI_NAMESPACE, DEFAULT_TENANT_API_NAMESPACE, CreateUserOptions, CreateTenantResponse, CreateTenantRequest, CreateGroupOptions, ConfigSourceType, ConfigSource, ClientCredentialsWorkloadConfig, ChangeListener, CachedWorkloadToken, CIAMValidators, CIAMConfigFromCode, CIAMConfig, CIAM, BaseUser, AzureSecretsConfig, AwsSecretsConfig, AwsAuthMethod, ApplicationValidators, Address };

package/dist/index.js CHANGED Viewed

	@@ -1 +1 @@
1	- import{I as B,a as D0,b as T0,c as $0,d as f0,e as x0,f as A0,g as Q0,h as X0,i as Z0,j as G0,k as R0,l as Y0,m as c0,n as y0,o as z0,p as B0,q as H0,t as N0,u as W0,v as C0,w as M0,x as _0}from"./shared/core-kk9hdwwp.js";var k="0.0.14";var V=["sessionStore","userStore","groupStore","tokenStore","magicLinkStore"];function C(L){if(L===null\|\|typeof L!=="object")return L;let T={};for(let[J,D]of Object.entries(L)){if(V.includes(J)\|\|J==="validators"\|\|J==="setStores")continue;T[J]=D!==null&&typeof D==="object"&&!Array.isArray(D)&&Object.getPrototypeOf(D)===Object.prototype?C(D):D}return T}function E(L){return C(L)}function z(L,T,J,D){let $=T.length,A=D??L,f=A>0?Math.floor(J/A)+1:1,x=A>0?Math.ceil(L/A):0;return{total:L,count:$,items:T,size:A,page:f,pages:x}}class N extends Error{constructor(L,T){super(L,T);this.name="TenantRequestError",Object.setPrototypeOf(this,N.prototype)}}class c extends Error{userId;tenantIds;constructor(L,T,J){super(`Multiple tenants found for user id "${L}"`,J);this.name="MultipleTenantsForUserError",this.userId=L,this.tenantIds=T,Object.setPrototypeOf(this,c.prototype)}}var H=Number.POSITIVE_INFINITY;class M{tenants=new Map;tenantEsMap=new Map;userTenantIds=new Map;ttl;userMode;createEs;findTenantByUserId;findTenantsByUserId;constructor(L){if(this.ttl=O(L.ttl),this.userMode=L.userMode,this.createEs=L.createEs,this.userMode==="singleTenantOnly"){this.findTenantByUserId=this.findSingleTenantByUserId.bind(this),this.findTenantsByUserId=void 0;return}this.findTenantByUserId=void 0,this.findTenantsByUserId=this.findMultipleTenantsByUserId.bind(this)}async get(L){return this.tenants.get(L)??null}async list(L){let T=Array.from(this.tenants.values()),J=Math.max(0,L?.start??0),D=L?.limit,$=L?.sort;if($?.length)T=[...T].sort((X,G)=>{for(let{field:Z,direction:q}of $){let F=X[Z],U=G[Z],y=j(F,U);if(y!==0)return q==="desc"?-y:y}return 0});let A=T.length,f=D!=null?J+D:void 0,x=T.slice(J,f);return z(A,x,J,D)}async upsert(L){let T=new Date,J=this.tenants.get(L.tenantId),D={...J??{},...L,companyId:L.companyId??J?.companyId??"",companyName:L.companyName??J?.companyName??"",environmentType:L.environmentType??J?.environmentType??"DEV",email:L.email??J?.email,webhookUrl:L.webhookUrl??J?.webhookUrl,callbackUrl:L.callbackUrl??J?.callbackUrl,tenantUrl:L.tenantUrl??J?.tenantUrl,status:L.status??J?.status??"completed",createdAt:L.createdAt??J?.createdAt??T,updatedAt:L.updatedAt??T};return this.tenants.set(D.tenantId,D),this.tenantEsMap.delete(D.tenantId),D}async delete(L){this.tenantEsMap.delete(L),this.tenants.delete(L)}async getEs(L){let T=await this.get(L);if(!T)throw Error(`Tenant "${L}" not found`);if(!this.createEs)throw Error("InMemoryTenantStore requires options.createEs to use getEs()");if(this.ttl===0)return this.createEs(B(T));let J=Date.now(),D=this.tenantEsMap.get(L);if(D&&D.expiresAt>J)return D.es;if(D)this.tenantEsMap.delete(L);let $=this.createEs(B(T));return this.tenantEsMap.set(L,{es:$,expiresAt:g(J,this.ttl)}),$}getCachedTenantIds(){if(this.ttl===0)return[];let L=Date.now();for(let[T,J]of this.tenantEsMap.entries())if(J.expiresAt<=L)this.tenantEsMap.delete(T);return Array.from(this.tenantEsMap.keys())}async registerUserTenantId(L,T){if(!L)return;let J=S(T);if(this.userMode==="singleTenantOnly"){this.userTenantIds.set(L,new Set([J]));return}let D=this.userTenantIds.get(L);if(D){D.add(J);return}this.userTenantIds.set(L,new Set([J]))}async findSingleTenantByUserId(L){let T=await this.resolveTenantsByUserId(L);if(T.length>1)throw new c(L,T.map((J)=>J.tenantId));return T[0]??null}async findMultipleTenantsByUserId(L){return this.resolveTenantsByUserId(L)}async resolveTenantsByUserId(L){let T=this.userTenantIds.get(L);if(!T\|\|T.size===0)return[];let J=T.has(null),D=Array.from(T).filter((f)=>f!=null);if(D.length===0)return[];let $=await Promise.all(D.map(async(f)=>({tenantId:f,tenant:await this.get(f)}))),A=$.filter((f)=>f.tenant!=null).map((f)=>f.tenantId);if(A.length===0){if(J)this.userTenantIds.set(L,new Set([null]));else this.userTenantIds.delete(L);return[]}if(A.length!==D.length){let f=J?[null,...A]:A;this.userTenantIds.set(L,new Set(f))}return $.map((f)=>f.tenant).filter((f)=>f!=null)}}function j(L,T){let J=L===void 0\|\|L===null,D=T===void 0\|\|T===null;if(J&&D)return 0;if(J)return 1;if(D)return-1;if(L instanceof Date&&T instanceof Date)return L.getTime()-T.getTime();let $=String(L),A=String(T);return $.localeCompare(A)}function S(L){if(typeof L!=="string")return null;return L.trim()\|\|null}function O(L){if(L===void 0)return H;if(L<=0)return L===0?0:H;return L}function g(L,T){if(!Number.isFinite(T))return H;return L+T}function I(L,T,J){return(async()=>{try{let D=await fetch(L,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify(T)});if(!D.ok)J.error(`Failed to send webhook update: ${D.status} ${D.statusText}`)}catch(D){J.error("Failed to send webhook update:",D)}})()}async function P(L,T,J){return I(L,T,J)}var p={beforeTenantSegments:["ui"]},m={beforeTenantSegments:["api"]};function _(L){return{segments:W(L?.segments)}}function W(L){return(L??[]).map((T)=>T.trim()).filter(Boolean)}function h(L){let T=L.trim();if(!T)return"/";let J=T.replace(/\\/g,"/").replace(/\/+/g,"/");return J.startsWith("/")?J:`/${J}`}function K(L){return h(L).split("/").filter(Boolean)}function R(L){return{beforeTenantSegments:W(L?.beforeTenantSegments),afterTenantSegments:W(L?.afterTenantSegments)}}function b(L){if(!L\|\|L.type===void 0\|\|L.type==="path"){let J=L;return{type:"path",ui:R(J?.ui),api:R(J?.api)}}let T=L;return{...T,ui:_(T.ui),api:_(T.api)}}function o(L,T){let J=R(T),D=J.beforeTenantSegments??[],$=J.afterTenantSegments??[],A=K(L),f=D.length+1+$.length;if(A.length<f)return null;for(let Z=0;Z<D.length;Z++)if(A[Z]!==D[Z])return null;let x=D.length,X=A[x];if(!X)return null;for(let Z=0;Z<$.length;Z++)if(A[x+1+Z]!==$[Z])return null;let G=A.slice(x+1+$.length);return{tenantId:decodeURIComponent(X),restSegments:G,restPath:G.length>0?`/${G.join("/")}`:"/"}}function n(L,T="/",J){let D=R(J),$=D.beforeTenantSegments??[],A=D.afterTenantSegments??[],f=K(T),x=[...$,encodeURIComponent(L),...A,...f];return x.length>0?`/${x.join("/")}`:"/"}function Q(L,T,J,D,$){if(L===void 0\|\|L===null){if(J)D.push({message:`${T} is required`,path:$});return}if(typeof L!=="string"){D.push({message:`${T} must be a string`,path:$});return}return L}function Y(L,T,J,D){if(L===void 0\|\|L===null)return;if(typeof L!=="boolean"){J.push({message:`${T} must be a boolean`,path:D});return}return L}function v(L,T,J){if(L===void 0\|\|L===null)return;if(typeof L!=="object"\|\|L===null){T.push({message:"name must be an object",path:J});return}let D=L,$={};return $.formatted=Q(D.formatted,"formatted",!1,T,[...J,"formatted"]),$.familyName=Q(D.familyName,"familyName",!1,T,[...J,"familyName"]),$.givenName=Q(D.givenName,"givenName",!1,T,[...J,"givenName"]),$.middleName=Q(D.middleName,"middleName",!1,T,[...J,"middleName"]),$.honorificPrefix=Q(D.honorificPrefix,"honorificPrefix",!1,T,[...J,"honorificPrefix"]),$.honorificSuffix=Q(D.honorificSuffix,"honorificSuffix",!1,T,[...J,"honorificSuffix"]),$}function d(L,T,J){if(L===void 0\|\|L===null)return;if(!Array.isArray(L)){T.push({message:"emails must be an array",path:J});return}let D=[];for(let $=0;$<L.length;$++){let A=L[$],f=[...J,$];if(typeof A!=="object"\|\|A===null){T.push({message:"email must be an object",path:f});continue}let x=A,X=Q(x.value,"value",!0,T,[...f,"value"]);if(X)D.push({value:X,display:Q(x.display,"display",!1,T,[...f,"display"]),type:Q(x.type,"type",!1,T,[...f,"type"]),primary:Y(x.primary,"primary",T,[...f,"primary"])})}return D.length>0?D:void 0}function r(L,T,J){if(L===void 0\|\|L===null)return;if(!Array.isArray(L)){T.push({message:"phoneNumbers must be an array",path:J});return}let D=[];for(let $=0;$<L.length;$++){let A=L[$],f=[...J,$];if(typeof A!=="object"\|\|A===null){T.push({message:"phoneNumber must be an object",path:f});continue}let x=A,X=Q(x.value,"value",!0,T,[...f,"value"]);if(X)D.push({value:X,display:Q(x.display,"display",!1,T,[...f,"display"]),type:Q(x.type,"type",!1,T,[...f,"type"]),primary:Y(x.primary,"primary",T,[...f,"primary"])})}return D.length>0?D:void 0}function l(L,T,J){if(L===void 0\|\|L===null)return;if(!Array.isArray(L)){T.push({message:"addresses must be an array",path:J});return}let D=[];for(let $=0;$<L.length;$++){let A=L[$],f=[...J,$];if(typeof A!=="object"\|\|A===null){T.push({message:"address must be an object",path:f});continue}let x=A;D.push({formatted:Q(x.formatted,"formatted",!1,T,[...f,"formatted"]),streetAddress:Q(x.streetAddress,"streetAddress",!1,T,[...f,"streetAddress"]),locality:Q(x.locality,"locality",!1,T,[...f,"locality"]),region:Q(x.region,"region",!1,T,[...f,"region"]),postalCode:Q(x.postalCode,"postalCode",!1,T,[...f,"postalCode"]),country:Q(x.country,"country",!1,T,[...f,"country"]),type:Q(x.type,"type",!1,T,[...f,"type"]),primary:Y(x.primary,"primary",T,[...f,"primary"])})}return D.length>0?D:void 0}function t(L,T,J){if(L===void 0\|\|L===null)return;if(!Array.isArray(L)){T.push({message:"groups must be an array",path:J});return}let D=[];for(let $=0;$<L.length;$++){let A=L[$],f=[...J,$];if(typeof A!=="object"\|\|A===null){T.push({message:"group must be an object",path:f});continue}let x=A,X=Q(x.value,"value",!0,T,[...f,"value"]);if(X)D.push({value:X,$ref:Q(x.$ref,"$ref",!1,T,[...f,"$ref"]),display:Q(x.display,"display",!1,T,[...f,"display"]),type:Q(x.type,"type",!1,T,[...f,"type"])})}return D.length>0?D:void 0}function i(L,T,J){if(L===void 0\|\|L===null)return;if(!Array.isArray(L)){T.push({message:"roles must be an array",path:J});return}let D=[];for(let $=0;$<L.length;$++){let A=L[$],f=[...J,$];if(typeof A!=="object"\|\|A===null){T.push({message:"role must be an object",path:f});continue}let x=A,X=Q(x.value,"value",!0,T,[...f,"value"]);if(X)D.push({value:X,display:Q(x.display,"display",!1,T,[...f,"display"]),type:Q(x.type,"type",!1,T,[...f,"type"]),primary:Y(x.primary,"primary",T,[...f,"primary"])})}return D.length>0?D:void 0}function u(L,T,J){if(L===void 0\|\|L===null)return;if(typeof L!=="object"\|\|L===null){T.push({message:"Enterprise User extension must be an object",path:J});return}let D=L,$={};if($.employeeNumber=Q(D.employeeNumber,"employeeNumber",!1,T,[...J,"employeeNumber"]),$.costCenter=Q(D.costCenter,"costCenter",!1,T,[...J,"costCenter"]),$.organization=Q(D.organization,"organization",!1,T,[...J,"organization"]),$.division=Q(D.division,"division",!1,T,[...J,"division"]),$.department=Q(D.department,"department",!1,T,[...J,"department"]),D.manager!==void 0&&D.manager!==null)if(typeof D.manager!=="object"\|\|D.manager===null)T.push({message:"manager must be an object",path:[...J,"manager"]});else{let A=D.manager;$.manager={value:Q(A.value,"value",!1,T,[...J,"manager","value"]),$ref:Q(A.$ref,"$ref",!1,T,[...J,"manager","$ref"]),displayName:Q(A.displayName,"displayName",!1,T,[...J,"manager","displayName"])}}return $}function a(L){return{"~standard":{version:1,vendor:L,validate:(T)=>{if(typeof T!=="object"\|\|T===null)return{issues:[{message:"Expected an object"}]};let J=T,D=[],$={},A=Q(J.userName,"userName",!0,D,["userName"]);if(!A)return{issues:D};$.userName=A,$.id=Q(J.id,"id",!1,D,["id"]),$.externalId=Q(J.externalId,"externalId",!1,D,["externalId"]),$.displayName=Q(J.displayName,"displayName",!1,D,["displayName"]),$.nickName=Q(J.nickName,"nickName",!1,D,["nickName"]),$.profileUrl=Q(J.profileUrl,"profileUrl",!1,D,["profileUrl"]),$.title=Q(J.title,"title",!1,D,["title"]),$.userType=Q(J.userType,"userType",!1,D,["userType"]),$.preferredLanguage=Q(J.preferredLanguage,"preferredLanguage",!1,D,["preferredLanguage"]),$.locale=Q(J.locale,"locale",!1,D,["locale"]),$.timezone=Q(J.timezone,"timezone",!1,D,["timezone"]),$.password=Q(J.password,"password",!1,D,["password"]),$.active=Y(J.active,"active",D,["active"]),$.name=v(J.name,D,["name"]),$.emails=d(J.emails,D,["emails"]),$.phoneNumbers=r(J.phoneNumbers,D,["phoneNumbers"]),$.addresses=l(J.addresses,D,["addresses"]),$.groups=t(J.groups,D,["groups"]),$.roles=i(J.roles,D,["roles"]);let f="urn:ietf:params:scim:schemas:extension:enterprise:2.0:User";if(J[f]!==void 0)$[f]=u(J[f],D,[f]);if(J.schemas!==void 0)if(Array.isArray(J.schemas))$.schemas=J.schemas.filter((x)=>typeof x==="string");else D.push({message:"schemas must be an array",path:["schemas"]});if(J.meta!==void 0)if(typeof J.meta==="object"&&J.meta!==null){let x=J.meta;$.meta={resourceType:typeof x.resourceType==="string"?x.resourceType:void 0,created:typeof x.created==="string"?x.created:void 0,lastModified:typeof x.lastModified==="string"?x.lastModified:void 0,location:typeof x.location==="string"?x.location:void 0,version:typeof x.version==="string"?x.version:void 0}}else D.push({message:"meta must be an object",path:["meta"]});if(D.length>0)return{issues:D};return{value:$}}}}}function e(L,T,J){if(L===void 0\|\|L===null)return;if(!Array.isArray(L)){T.push({message:"members must be an array",path:J});return}let D=[];for(let $=0;$<L.length;$++){let A=L[$],f=[...J,$];if(typeof A!=="object"\|\|A===null){T.push({message:"member must be an object",path:f});continue}let x=A,X=Q(x.value,"value",!0,T,[...f,"value"]);if(X){let G=Q(x.type,"type",!1,T,[...f,"type"]);D.push({value:X,$ref:Q(x.$ref,"$ref",!1,T,[...f,"$ref"]),display:Q(x.display,"display",!1,T,[...f,"display"]),type:G==="User"\|\|G==="Group"?G:void 0})}}return D.length>0?D:void 0}function s(L){return{"~standard":{version:1,vendor:L,validate:(T)=>{if(typeof T!=="object"\|\|T===null)return{issues:[{message:"Expected an object"}]};let J=T,D=[],$={},A=Q(J.displayName,"displayName",!0,D,["displayName"]);if(!A)return{issues:D};if($.displayName=A,$.id=Q(J.id,"id",!1,D,["id"]),$.externalId=Q(J.externalId,"externalId",!1,D,["externalId"]),$.members=e(J.members,D,["members"]),J.schemas!==void 0)if(Array.isArray(J.schemas))$.schemas=J.schemas.filter((f)=>typeof f==="string");else D.push({message:"schemas must be an array",path:["schemas"]});if(J.meta!==void 0)if(typeof J.meta==="object"&&J.meta!==null){let f=J.meta;$.meta={resourceType:typeof f.resourceType==="string"?f.resourceType:void 0,created:typeof f.created==="string"?f.created:void 0,lastModified:typeof f.lastModified==="string"?f.lastModified:void 0,location:typeof f.location==="string"?f.location:void 0,version:typeof f.version==="string"?f.version:void 0}}else D.push({message:"meta must be an object",path:["meta"]});if(D.length>0)return{issues:D};return{value:$}}}}}function J0(L){return{"~standard":{version:1,vendor:L,validate:(T)=>{if(typeof T!=="object"\|\|T===null)return{issues:[{message:"Expected an object"}]};let J=T,D=[],$={...J},A=["iss","sub"];for(let X of A)if(X in J){if(typeof J[X]!=="string")D.push({message:`${X} must be a string`,path:[X]})}else D.push({message:`${X} is required`,path:[X]});if("aud"in J&&J.aud!==void 0){let X=J.aud;if(typeof X!=="string"&&!Array.isArray(X))D.push({message:"aud must be a string or array of strings",path:["aud"]});else if(Array.isArray(X)&&!X.every((G)=>typeof G==="string"))D.push({message:"aud array must contain only strings",path:["aud"]})}let f=["jti","scope"];for(let X of f)if(X in J&&J[X]!==void 0){if(typeof J[X]!=="string")D.push({message:`${X} must be a string`,path:[X]})}let x=["exp","iat"];for(let X of x)if(X in J){if(typeof J[X]!=="number")D.push({message:`${X} must be a number`,path:[X]})}else D.push({message:`${X} is required`,path:[X]});if(D.length>0)return{issues:D};return{value:$}}}}}function L0(L){return{"~standard":{version:1,vendor:L,validate:(T)=>{if(typeof T!=="object"\|\|T===null)return{issues:[{message:"Expected an object"}]};let J=T,D=[],$={};if("access_token"in J)if(typeof J.access_token==="string")$.access_token=J.access_token;else D.push({message:"access_token must be a string",path:["access_token"]});else D.push({message:"access_token is required",path:["access_token"]});if("token_type"in J)if(typeof J.token_type==="string")$.token_type=J.token_type;else D.push({message:"token_type must be a string",path:["token_type"]});else D.push({message:"token_type is required",path:["token_type"]});if("scope"in J)if(typeof J.scope==="string"\|\|J.scope===void 0)$.scope=J.scope;else D.push({message:"scope must be a string",path:["scope"]});if("refresh_token"in J)if(typeof J.refresh_token==="string"\|\|J.refresh_token===void 0)$.refresh_token=J.refresh_token;else D.push({message:"refresh_token must be a string",path:["refresh_token"]});if("expires"in J)if(typeof J.expires==="string"\|\|J.expires===void 0)$.expires=J.expires;else D.push({message:"expires must be a string",path:["expires"]});if("expires_in"in J)if(typeof J.expires_in==="number"\|\|J.expires_in===void 0)$.expires_in=J.expires_in;else D.push({message:"expires_in must be a number",path:["expires_in"]});if(D.length>0)return{issues:D};return{value:$}}}}}export{L0 as workloadTokenResponseSchema,f0 as withValidate,G0 as waitOn,k as version,A0 as validationFailureResponse,a as userSchema,T0 as tokenResponseSchema,X0 as stripJsonComments,y0 as silentLogger,W0 as setActiveSession,E as serializeESConfig,P as sendTenantWebhook,Z0 as parseJsonc,D0 as oidcCallbackSchema,b as normalizeTenantRoutingStrategy,R as normalizeTenantPathNamespace,x0 as must,Q0 as mergeConfig,o as matchTenantPath,M0 as listSsoClientIdsFromCookies,z as list,J0 as jwtAssertionClaimsSchema,z0 as infoLogger,$0 as idTokenClaimsSchema,s as groupResourceSchema,N0 as getActiveSession,_0 as findTenantFromStateParam,c0 as defaultLogger,Y0 as decodeUser,B0 as debugLogger,H0 as consoleLogger,C0 as clearActiveSession,R0 as claimsToUser,n as buildTenantPath,N as TenantRequestError,c as MultipleTenantsForUserError,M as InMemoryTenantStore,p as DEFAULT_TENANT_UI_NAMESPACE,m as DEFAULT_TENANT_API_NAMESPACE};
1	+ import{N as C,a as f0,b as D0,c as x0,d as Q0,e as Z0,f as G0,g as Y0,h as X0,i as z0,j as R0,k as W0,l as A0,m as K0,n as y0,o as C0,p as H0,q as M0,r as B0,v as N0,w as c0,x as q0,y as F0,z as T0}from"./shared/core-assxr5dn.js";var U="0.0.15-beta.20260420.1";var E=["sessionStore","userStore","groupStore","tokenStore","magicLinkStore"];function c(L){if(L===null\|\|typeof L!=="object")return L;let $={};for(let[J,f]of Object.entries(L)){if(E.includes(J)\|\|J==="validators"\|\|J==="setStores")continue;$[J]=f!==null&&typeof f==="object"&&!Array.isArray(f)&&Object.getPrototypeOf(f)===Object.prototype?c(f):f}return $}function j(L){return c(L)}function y(L,$,J,f){let D=$.length,Z=f??L,x=Z>0?Math.floor(J/Z)+1:1,Q=Z>0?Math.ceil(L/Z):0;return{total:L,count:D,items:$,size:Z,page:x,pages:Q}}class B extends Error{constructor(L,$){super(L,$);this.name="TenantRequestError",Object.setPrototypeOf(this,B.prototype)}}class A extends Error{userId;tenantIds;constructor(L,$,J){super(`Multiple tenants found for user id "${L}"`,J);this.name="MultipleTenantsForUserError",this.userId=L,this.tenantIds=$,Object.setPrototypeOf(this,A.prototype)}}var H=32,M=Number.POSITIVE_INFINITY;class q{tenants=new Map;tenantEsMap=new Map;userTenantIds=new Map;ttl;userMode;createEs;findTenantByUserId;findTenantsByUserIds;constructor(L){if(this.ttl=g(L.ttl),this.userMode=L.userMode,this.createEs=L.createEs,this.userMode==="singleTenantOnly"){this.findTenantByUserId=this.findSingleTenantByUserId.bind(this),this.findTenantsByUserIds=void 0;return}this.findTenantByUserId=void 0,this.findTenantsByUserIds=this.findMultipleTenantsByUserIds.bind(this)}async get(L){return this.tenants.get(L)??null}async list(L){let $=Array.from(this.tenants.values()),J=Math.max(0,L?.start??0),f=L?.limit,D=L?.sort;if(D?.length)$=[...$].sort((Y,z)=>{for(let{field:X,direction:w}of D){let _=Y[X],k=z[X],K=O(_,k);if(K!==0)return w==="desc"?-K:K}return 0});let Z=$.length,x=f!=null?J+f:void 0,Q=$.slice(J,x);return y(Z,Q,J,f)}async upsert(L){let $=new Date,J=this.tenants.get(L.tenantId),f={...J??{},...L,companyId:L.companyId??J?.companyId??"",companyName:L.companyName??J?.companyName??"",environmentType:L.environmentType??J?.environmentType??"DEV",email:L.email??J?.email,webhookUrl:L.webhookUrl??J?.webhookUrl,callbackUrl:L.callbackUrl??J?.callbackUrl,tenantUrl:L.tenantUrl??J?.tenantUrl,status:L.status??J?.status??"completed",createdAt:L.createdAt??J?.createdAt??$,updatedAt:L.updatedAt??$};return this.tenants.set(f.tenantId,f),this.tenantEsMap.delete(f.tenantId),f}async delete(L){this.tenantEsMap.delete(L),this.tenants.delete(L)}async getEs(L){let $=await this.get(L);if(!$)throw Error(`Tenant "${L}" not found`);if(!this.createEs)throw Error("InMemoryTenantStore requires options.createEs to use getEs()");if(this.ttl===0)return this.createEs(C($));let J=Date.now(),f=this.tenantEsMap.get(L);if(f&&f.expiresAt>J)return f.es;if(f)this.tenantEsMap.delete(L);let D=this.createEs(C($));return this.tenantEsMap.set(L,{es:D,expiresAt:P(J,this.ttl)}),D}getCachedTenantIds(){if(this.ttl===0)return[];let L=Date.now();for(let[$,J]of this.tenantEsMap.entries())if(J.expiresAt<=L)this.tenantEsMap.delete($);return Array.from(this.tenantEsMap.keys())}async registerUserTenantId(L,$){if(!L)return;let J=S($);if(this.userMode==="singleTenantOnly"){this.userTenantIds.set(L,new Set([J]));return}let f=this.userTenantIds.get(L);if(f){f.add(J);return}this.userTenantIds.set(L,new Set([J]))}async findSingleTenantByUserId(L){let $=await this.resolveTenantsByUserId(L);if($.length>1)throw new A(L,$.map((J)=>J.tenantId));return $[0]??null}async findMultipleTenantsByUserIds(L){if(L.length>H)throw Error(`findTenantsByUserIds called with ${L.length} ids; max is ${H}.`);let $=new Map;return await Promise.all(L.map(async(J)=>{$.set(J,await this.resolveTenantsByUserId(J))})),$}async resolveTenantsByUserId(L){let $=this.userTenantIds.get(L);if(!$\|\|$.size===0)return[];let J=$.has(null),f=Array.from($).filter((x)=>x!=null);if(f.length===0)return[];let D=await Promise.all(f.map(async(x)=>({tenantId:x,tenant:await this.get(x)}))),Z=D.filter((x)=>x.tenant!=null).map((x)=>x.tenantId);if(Z.length===0){if(J)this.userTenantIds.set(L,new Set([null]));else this.userTenantIds.delete(L);return[]}if(Z.length!==f.length){let x=J?[null,...Z]:Z;this.userTenantIds.set(L,new Set(x))}return D.map((x)=>x.tenant).filter((x)=>x!=null)}}function O(L,$){let J=L===void 0\|\|L===null,f=$===void 0\|\|$===null;if(J&&f)return 0;if(J)return 1;if(f)return-1;if(L instanceof Date&&$ instanceof Date)return L.getTime()-$.getTime();let D=String(L),Z=String($);return D.localeCompare(Z)}function S(L){if(typeof L!=="string")return null;return L.trim()\|\|null}function g(L){if(L===void 0)return M;if(L<=0)return L===0?0:M;return L}function P(L,$){if(!Number.isFinite($))return M;return L+$}function I(L,$,J){return(async()=>{try{let f=await fetch(L,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify($)});if(!f.ok)J.error(`Failed to send webhook update: ${f.status} ${f.statusText}`)}catch(f){J.error("Failed to send webhook update:",f)}})()}async function p(L,$,J){return I(L,$,J)}var m={beforeTenantSegments:["ui"]},h={beforeTenantSegments:["api"]};function F(L){return{segments:N(L?.segments)}}function N(L){return(L??[]).map(($)=>$.trim()).filter(Boolean)}function b(L){let $=L.trim();if(!$)return"/";let J=$.replace(/\\/g,"/").replace(/\/+/g,"/");return J.startsWith("/")?J:`/${J}`}function T(L){return b(L).split("/").filter(Boolean)}function R(L){return{beforeTenantSegments:N(L?.beforeTenantSegments),afterTenantSegments:N(L?.afterTenantSegments)}}function o(L){if(!L\|\|L.type===void 0\|\|L.type==="path"){let J=L;return{type:"path",ui:R(J?.ui),api:R(J?.api)}}let $=L;return{...$,ui:F($.ui),api:F($.api)}}function n(L,$){let J=R($),f=J.beforeTenantSegments??[],D=J.afterTenantSegments??[],Z=T(L),x=f.length+1+D.length;if(Z.length<x)return null;for(let X=0;X<f.length;X++)if(Z[X]!==f[X])return null;let Q=f.length,Y=Z[Q];if(!Y)return null;for(let X=0;X<D.length;X++)if(Z[Q+1+X]!==D[X])return null;let z=Z.slice(Q+1+D.length);return{tenantId:decodeURIComponent(Y),restSegments:z,restPath:z.length>0?`/${z.join("/")}`:"/"}}function v(L,$="/",J){let f=R(J),D=f.beforeTenantSegments??[],Z=f.afterTenantSegments??[],x=T($),Q=[...D,encodeURIComponent(L),...Z,...x];return Q.length>0?`/${Q.join("/")}`:"/"}function G(L,$,J,f,D){if(L===void 0\|\|L===null){if(J)f.push({message:`${$} is required`,path:D});return}if(typeof L!=="string"){f.push({message:`${$} must be a string`,path:D});return}return L}function W(L,$,J,f){if(L===void 0\|\|L===null)return;if(typeof L!=="boolean"){J.push({message:`${$} must be a boolean`,path:f});return}return L}function d(L,$,J){if(L===void 0\|\|L===null)return;if(typeof L!=="object"\|\|L===null){$.push({message:"name must be an object",path:J});return}let f=L,D={};return D.formatted=G(f.formatted,"formatted",!1,$,[...J,"formatted"]),D.familyName=G(f.familyName,"familyName",!1,$,[...J,"familyName"]),D.givenName=G(f.givenName,"givenName",!1,$,[...J,"givenName"]),D.middleName=G(f.middleName,"middleName",!1,$,[...J,"middleName"]),D.honorificPrefix=G(f.honorificPrefix,"honorificPrefix",!1,$,[...J,"honorificPrefix"]),D.honorificSuffix=G(f.honorificSuffix,"honorificSuffix",!1,$,[...J,"honorificSuffix"]),D}function r(L,$,J){if(L===void 0\|\|L===null)return;if(!Array.isArray(L)){$.push({message:"emails must be an array",path:J});return}let f=[];for(let D=0;D<L.length;D++){let Z=L[D],x=[...J,D];if(typeof Z!=="object"\|\|Z===null){$.push({message:"email must be an object",path:x});continue}let Q=Z,Y=G(Q.value,"value",!0,$,[...x,"value"]);if(Y)f.push({value:Y,display:G(Q.display,"display",!1,$,[...x,"display"]),type:G(Q.type,"type",!1,$,[...x,"type"]),primary:W(Q.primary,"primary",$,[...x,"primary"])})}return f.length>0?f:void 0}function l(L,$,J){if(L===void 0\|\|L===null)return;if(!Array.isArray(L)){$.push({message:"phoneNumbers must be an array",path:J});return}let f=[];for(let D=0;D<L.length;D++){let Z=L[D],x=[...J,D];if(typeof Z!=="object"\|\|Z===null){$.push({message:"phoneNumber must be an object",path:x});continue}let Q=Z,Y=G(Q.value,"value",!0,$,[...x,"value"]);if(Y)f.push({value:Y,display:G(Q.display,"display",!1,$,[...x,"display"]),type:G(Q.type,"type",!1,$,[...x,"type"]),primary:W(Q.primary,"primary",$,[...x,"primary"])})}return f.length>0?f:void 0}function t(L,$,J){if(L===void 0\|\|L===null)return;if(!Array.isArray(L)){$.push({message:"addresses must be an array",path:J});return}let f=[];for(let D=0;D<L.length;D++){let Z=L[D],x=[...J,D];if(typeof Z!=="object"\|\|Z===null){$.push({message:"address must be an object",path:x});continue}let Q=Z;f.push({formatted:G(Q.formatted,"formatted",!1,$,[...x,"formatted"]),streetAddress:G(Q.streetAddress,"streetAddress",!1,$,[...x,"streetAddress"]),locality:G(Q.locality,"locality",!1,$,[...x,"locality"]),region:G(Q.region,"region",!1,$,[...x,"region"]),postalCode:G(Q.postalCode,"postalCode",!1,$,[...x,"postalCode"]),country:G(Q.country,"country",!1,$,[...x,"country"]),type:G(Q.type,"type",!1,$,[...x,"type"]),primary:W(Q.primary,"primary",$,[...x,"primary"])})}return f.length>0?f:void 0}function i(L,$,J){if(L===void 0\|\|L===null)return;if(!Array.isArray(L)){$.push({message:"groups must be an array",path:J});return}let f=[];for(let D=0;D<L.length;D++){let Z=L[D],x=[...J,D];if(typeof Z!=="object"\|\|Z===null){$.push({message:"group must be an object",path:x});continue}let Q=Z,Y=G(Q.value,"value",!0,$,[...x,"value"]);if(Y)f.push({value:Y,$ref:G(Q.$ref,"$ref",!1,$,[...x,"$ref"]),display:G(Q.display,"display",!1,$,[...x,"display"]),type:G(Q.type,"type",!1,$,[...x,"type"])})}return f.length>0?f:void 0}function u(L,$,J){if(L===void 0\|\|L===null)return;if(!Array.isArray(L)){$.push({message:"roles must be an array",path:J});return}let f=[];for(let D=0;D<L.length;D++){let Z=L[D],x=[...J,D];if(typeof Z!=="object"\|\|Z===null){$.push({message:"role must be an object",path:x});continue}let Q=Z,Y=G(Q.value,"value",!0,$,[...x,"value"]);if(Y)f.push({value:Y,display:G(Q.display,"display",!1,$,[...x,"display"]),type:G(Q.type,"type",!1,$,[...x,"type"]),primary:W(Q.primary,"primary",$,[...x,"primary"])})}return f.length>0?f:void 0}function a(L,$,J){if(L===void 0\|\|L===null)return;if(typeof L!=="object"\|\|L===null){$.push({message:"Enterprise User extension must be an object",path:J});return}let f=L,D={};if(D.employeeNumber=G(f.employeeNumber,"employeeNumber",!1,$,[...J,"employeeNumber"]),D.costCenter=G(f.costCenter,"costCenter",!1,$,[...J,"costCenter"]),D.organization=G(f.organization,"organization",!1,$,[...J,"organization"]),D.division=G(f.division,"division",!1,$,[...J,"division"]),D.department=G(f.department,"department",!1,$,[...J,"department"]),f.manager!==void 0&&f.manager!==null)if(typeof f.manager!=="object"\|\|f.manager===null)$.push({message:"manager must be an object",path:[...J,"manager"]});else{let Z=f.manager;D.manager={value:G(Z.value,"value",!1,$,[...J,"manager","value"]),$ref:G(Z.$ref,"$ref",!1,$,[...J,"manager","$ref"]),displayName:G(Z.displayName,"displayName",!1,$,[...J,"manager","displayName"])}}return D}function e(L){return{"~standard":{version:1,vendor:L,validate:($)=>{if(typeof $!=="object"\|\|$===null)return{issues:[{message:"Expected an object"}]};let J=$,f=[],D={},Z=G(J.userName,"userName",!0,f,["userName"]);if(!Z)return{issues:f};D.userName=Z,D.id=G(J.id,"id",!1,f,["id"]),D.externalId=G(J.externalId,"externalId",!1,f,["externalId"]),D.displayName=G(J.displayName,"displayName",!1,f,["displayName"]),D.nickName=G(J.nickName,"nickName",!1,f,["nickName"]),D.profileUrl=G(J.profileUrl,"profileUrl",!1,f,["profileUrl"]),D.title=G(J.title,"title",!1,f,["title"]),D.userType=G(J.userType,"userType",!1,f,["userType"]),D.preferredLanguage=G(J.preferredLanguage,"preferredLanguage",!1,f,["preferredLanguage"]),D.locale=G(J.locale,"locale",!1,f,["locale"]),D.timezone=G(J.timezone,"timezone",!1,f,["timezone"]),D.password=G(J.password,"password",!1,f,["password"]),D.active=W(J.active,"active",f,["active"]),D.name=d(J.name,f,["name"]),D.emails=r(J.emails,f,["emails"]),D.phoneNumbers=l(J.phoneNumbers,f,["phoneNumbers"]),D.addresses=t(J.addresses,f,["addresses"]),D.groups=i(J.groups,f,["groups"]),D.roles=u(J.roles,f,["roles"]);let x="urn:ietf:params:scim:schemas:extension:enterprise:2.0:User";if(J[x]!==void 0)D[x]=a(J[x],f,[x]);if(J.schemas!==void 0)if(Array.isArray(J.schemas))D.schemas=J.schemas.filter((Q)=>typeof Q==="string");else f.push({message:"schemas must be an array",path:["schemas"]});if(J.meta!==void 0)if(typeof J.meta==="object"&&J.meta!==null){let Q=J.meta;D.meta={resourceType:typeof Q.resourceType==="string"?Q.resourceType:void 0,created:typeof Q.created==="string"?Q.created:void 0,lastModified:typeof Q.lastModified==="string"?Q.lastModified:void 0,location:typeof Q.location==="string"?Q.location:void 0,version:typeof Q.version==="string"?Q.version:void 0}}else f.push({message:"meta must be an object",path:["meta"]});if(f.length>0)return{issues:f};return{value:D}}}}}function s(L,$,J){if(L===void 0\|\|L===null)return;if(!Array.isArray(L)){$.push({message:"members must be an array",path:J});return}let f=[];for(let D=0;D<L.length;D++){let Z=L[D],x=[...J,D];if(typeof Z!=="object"\|\|Z===null){$.push({message:"member must be an object",path:x});continue}let Q=Z,Y=G(Q.value,"value",!0,$,[...x,"value"]);if(Y){let z=G(Q.type,"type",!1,$,[...x,"type"]);f.push({value:Y,$ref:G(Q.$ref,"$ref",!1,$,[...x,"$ref"]),display:G(Q.display,"display",!1,$,[...x,"display"]),type:z==="User"\|\|z==="Group"?z:void 0})}}return f.length>0?f:void 0}function J0(L){return{"~standard":{version:1,vendor:L,validate:($)=>{if(typeof $!=="object"\|\|$===null)return{issues:[{message:"Expected an object"}]};let J=$,f=[],D={},Z=G(J.displayName,"displayName",!0,f,["displayName"]);if(!Z)return{issues:f};if(D.displayName=Z,D.id=G(J.id,"id",!1,f,["id"]),D.externalId=G(J.externalId,"externalId",!1,f,["externalId"]),D.members=s(J.members,f,["members"]),J.schemas!==void 0)if(Array.isArray(J.schemas))D.schemas=J.schemas.filter((x)=>typeof x==="string");else f.push({message:"schemas must be an array",path:["schemas"]});if(J.meta!==void 0)if(typeof J.meta==="object"&&J.meta!==null){let x=J.meta;D.meta={resourceType:typeof x.resourceType==="string"?x.resourceType:void 0,created:typeof x.created==="string"?x.created:void 0,lastModified:typeof x.lastModified==="string"?x.lastModified:void 0,location:typeof x.location==="string"?x.location:void 0,version:typeof x.version==="string"?x.version:void 0}}else f.push({message:"meta must be an object",path:["meta"]});if(f.length>0)return{issues:f};return{value:D}}}}}function L0(L){return{"~standard":{version:1,vendor:L,validate:($)=>{if(typeof $!=="object"\|\|$===null)return{issues:[{message:"Expected an object"}]};let J=$,f=[],D={...J},Z=["iss","sub"];for(let Y of Z)if(Y in J){if(typeof J[Y]!=="string")f.push({message:`${Y} must be a string`,path:[Y]})}else f.push({message:`${Y} is required`,path:[Y]});if("aud"in J&&J.aud!==void 0){let Y=J.aud;if(typeof Y!=="string"&&!Array.isArray(Y))f.push({message:"aud must be a string or array of strings",path:["aud"]});else if(Array.isArray(Y)&&!Y.every((z)=>typeof z==="string"))f.push({message:"aud array must contain only strings",path:["aud"]})}let x=["jti","scope"];for(let Y of x)if(Y in J&&J[Y]!==void 0){if(typeof J[Y]!=="string")f.push({message:`${Y} must be a string`,path:[Y]})}let Q=["exp","iat"];for(let Y of Q)if(Y in J){if(typeof J[Y]!=="number")f.push({message:`${Y} must be a number`,path:[Y]})}else f.push({message:`${Y} is required`,path:[Y]});if(f.length>0)return{issues:f};return{value:D}}}}}function $0(L){return{"~standard":{version:1,vendor:L,validate:($)=>{if(typeof $!=="object"\|\|$===null)return{issues:[{message:"Expected an object"}]};let J=$,f=[],D={};if("access_token"in J)if(typeof J.access_token==="string")D.access_token=J.access_token;else f.push({message:"access_token must be a string",path:["access_token"]});else f.push({message:"access_token is required",path:["access_token"]});if("token_type"in J)if(typeof J.token_type==="string")D.token_type=J.token_type;else f.push({message:"token_type must be a string",path:["token_type"]});else f.push({message:"token_type is required",path:["token_type"]});if("scope"in J)if(typeof J.scope==="string"\|\|J.scope===void 0)D.scope=J.scope;else f.push({message:"scope must be a string",path:["scope"]});if("refresh_token"in J)if(typeof J.refresh_token==="string"\|\|J.refresh_token===void 0)D.refresh_token=J.refresh_token;else f.push({message:"refresh_token must be a string",path:["refresh_token"]});if("expires"in J)if(typeof J.expires==="string"\|\|J.expires===void 0)D.expires=J.expires;else f.push({message:"expires must be a string",path:["expires"]});if("expires_in"in J)if(typeof J.expires_in==="number"\|\|J.expires_in===void 0)D.expires_in=J.expires_in;else f.push({message:"expires_in must be a number",path:["expires_in"]});if(f.length>0)return{issues:f};return{value:D}}}}}export{$0 as workloadTokenResponseSchema,Q0 as withValidate,W0 as waitOn,U as version,G0 as validationFailureResponse,e as userSchema,D0 as tokenResponseSchema,X0 as stripJsonComments,C0 as silentLogger,c0 as setActiveSession,j as serializeESConfig,p as sendTenantWebhook,z0 as parseJsonc,f0 as oidcCallbackSchema,o as normalizeTenantRoutingStrategy,R as normalizeTenantPathNamespace,Z0 as must,Y0 as mergeConfig,n as matchTenantPath,F0 as listSsoClientIdsFromCookies,y as list,L0 as jwtAssertionClaimsSchema,H0 as infoLogger,x0 as idTokenClaimsSchema,J0 as groupResourceSchema,N0 as getActiveSession,T0 as findTenantFromStateParam,y0 as defaultLogger,R0 as deepEqualPlain,K0 as decodeUser,M0 as debugLogger,B0 as consoleLogger,q0 as clearActiveSession,A0 as claimsToUser,v as buildTenantPath,B as TenantRequestError,A as MultipleTenantsForUserError,H as MAX_TENANTS_BATCH_USER_IDS,q as InMemoryTenantStore,m as DEFAULT_TENANT_UI_NAMESPACE,h as DEFAULT_TENANT_API_NAMESPACE};