@enterprisestandard/core 0.0.15-beta.20260407.1 → 0.0.16

package/dist/index.d.ts

@@ -1,6 +1,6 @@
 import { version } from "../package.json";
 import { StandardSchemaV1 as StandardSchemaV18 } from "@standard-schema/spec";
-import { StandardSchemaV1 as StandardSchemaV15 } from "@standard-schema/spec";
+import { StandardSchemaV1 as StandardSchemaV17 } from "@standard-schema/spec";
 /**
 * Minimal logger interface compatible with common patterns (console, pino, winston, etc.)
 */
@@ -641,37 +641,8 @@ interface GroupStore<TExtended = Record<string, never>> {
 	*/
 	removeMember(groupId: string, memberId: string): Promise<void>;
 }
-/**
-* Base user with simple, developer-friendly attributes.
-* Extended by User (SSO) and EnterpriseUser (SCIM).
-*/
-interface BaseUser {
-	/**
-	* Unique identifier for the user
-	*/
-	id?: string;
-	/**
-	* REQUIRED. Unique identifier for login
-	*/
-	userName: string;
-	/**
-	* REQUIRED. Simple display name
-	*/
-	name: string;
-	/**
-	* REQUIRED. Primary email address
-	*/
-	email: string;
-	/**
-	* URL to user's avatar/profile picture
-	*/
-	avatar?: string;
-	/**
-	* User type (e.g., "employee", "contractor", "customer").
-	* Shared by SSO/CIAM and enterprise/SCIM user representations.
-	*/
-	userType?: string;
-}
+import { StandardSchemaV1 as StandardSchemaV16 } from "@standard-schema/spec";
+import { StandardSchemaV1 as StandardSchemaV13 } from "@standard-schema/spec";
 import { StandardSchemaV1 as StandardSchemaV12 } from "@standard-schema/spec";
 /**
 * OIDC Code Flow Callback URL Parameters
@@ -758,175 +729,360 @@ interface IdTokenClaims {
 */
 declare function idTokenClaimsSchema(vendor: string): StandardSchemaV12<Record<string, unknown>, IdTokenClaims>;
 /**
-* Primary user type for SSO/OIDC applications.
-* Extends BaseUser with SSO-specific data.
+* Session management for tracking user sessions and enabling backchannel logout.
+*
+* Session stores are optional - the package works with JWT cookies alone.
+* Sessions are only required for backchannel logout functionality.
+*
+* ## Session Validation Strategies
+*
+* When using a session store, you can configure when sessions are validated:
+*
+* ### 'always' (default)
+* Validates session on every authenticated request.
+* - **Security**: Maximum - immediate session revocation
+* - **Performance**: InMemory ~0.00005ms, Redis ~1-2ms per request
+* - **Backchannel Logout**: Takes effect immediately
+* - **Use when**: Security is paramount, using InMemory or Redis backend
+*
+* ### 'refresh-only'
+* Validates session only during token refresh (typically every 5-15 minutes).
+* - **Security**: Good - 5-15 minute revocation window
+* - **Performance**: 99% reduction in session lookups
+* - **Backchannel Logout**: Takes effect within token TTL (5-15 min)
+* - **Use when**: Performance is critical AND delayed revocation is acceptable
+* - **WARNING**: Compromised sessions remain valid until next refresh
+*
+* ### 'disabled'
+* Never validates sessions against the store.
+* - **Security**: None - backchannel logout doesn't work
+* - **Performance**: No overhead
+* - **Use when**: Cookie-only mode without session store
+* - **WARNING**: Do not use with sessionStore configured
+*
+* ## Performance Characteristics
+*
+* | Backend      | Lookup Time | Impact on Request | Recommendation         |
+* |--------------|-------------|-------------------|------------------------|
+* | InMemory     | <0.00005ms  | Negligible        | Use 'always'           |
+* | Redis        | 1-2ms       | 2-4% increase     | Use 'always' or test   |
+* | Database     | 5-20ms      | 10-40% increase   | Use Redis cache layer  |
+*
+* ## Example Usage
+*
+* ```typescript
+* import { sso, InMemorySessionStore } from '@enterprisestandard/server';
+*
+* // Maximum security (default)
+* const secure = sso({
+*   // ... other config
+*   sessionStore: new InMemorySessionStore(),
+*   session_validation: 'always', // Immediate revocation
+* });
+*
+* // High performance
+* const fast = sso({
+*   // ... other config
+*   sessionStore: new InMemorySessionStore(),
+*   session_validation: {
+*     strategy: 'refresh-only' // 5-15 min revocation delay
+*   }
+* });
+* ```
 */
-interface User2 extends BaseUser {
-	/**
-	* SSO/OIDC authentication data
-	*/
-	sso: {
-		/**
-		* ID Token claims from the identity provider
-		*/
-		profile: IdTokenClaims;
-		/**
-		* Tenant/organization information
-		*/
-		tenant: {
-			id: string;
-			name: string;
-		};
-		/**
-		* OAuth scopes granted
-		*/
-		scope?: string;
-		/**
-		* Token type (typically "Bearer")
-		*/
-		tokenType: string;
-		/**
-		* Session state from the identity provider
-		*/
-		sessionState?: string;
-		/**
-		* Token expiration time
-		*/
-		expires: Date;
-	};
-}
 /**
-* Stored user data with required id and tracking metadata.
-*
-* Extends the SSO User type with:
-* - Required `id` (the `sub` claim from the IdP)
-* - Timestamps for tracking when users were first seen and last updated
-* - Optional custom extended data
+* Core session data tracked for each authenticated user session.
 *
-* @template TExtended - Type-safe custom data that consumers can add to users
+* @template TExtended - Type-safe custom data that consumers can add to sessions
 */
-type StoredUser<TExtended = object> = User2 & {
+type Session<TExtended = object> = {
 	/**
-	* Required unique identifier (the `sub` claim from the IdP).
-	* This is the primary key for user storage.
+	* Session ID from the Identity Provider (from `sid` claim in ID token).
+	* This is the unique identifier for the session.
 	*/
-	id: string;
+	sid: string;
 	/**
-	* Optional Enterprise Standard tenant identifier for tenant-aware apps.
-	* Built-in user stores can use this when registering HRD mappings.
+	* Subject identifier (user ID) from the Identity Provider.
+	* From the `sub` claim in the ID token.
 	*/
-	tenantId?: string;
+	sub: string;
 	/**
-	* Timestamp when the user was first stored.
+	* Timestamp when the session was created.
 	*/
 	createdAt: Date;
 	/**
-	* Timestamp when the user was last updated (e.g., on re-login).
+	* Timestamp of the last activity in this session.
+	* Can be updated to track session activity.
 	*/
-	updatedAt: Date;
+	lastActivityAt: Date;
+	/**
+	* Allow consumers to add runtime data to sessions.
+	*/
+	[key: string]: unknown;
 } & TExtended;
 /**
-* Abstract interface for user storage backends.
+* Abstract interface for session storage backends.
 *
 * Consumers can implement this interface to use different storage backends:
-* - In-memory (for development/testing)
-* - Redis (for production with fast lookups)
+* - Redis
 * - Database (PostgreSQL, MySQL, etc.)
+* - Distributed cache
+* - Custom solutions
 *
-* @template TExtended - Type-safe custom data that consumers can add to users
+* @template TExtended - Type-safe custom data that consumers can add to sessions
 *
 * @example
 * ```typescript
-* // Custom user data
-* type MyUserData = {
-*   department: string;
-*   roles: string[];
+* // Custom session data
+* type MySessionData = {
+*   ipAddress: string;
+*   userAgent: string;
 * };
 *
 * // Implement custom store
-* class RedisUserStore implements UserStore<MyUserData> {
-*   async get(sub: string): Promise<StoredUser<MyUserData> | null> {
-*     const data = await redis.get(`user:${sub}`);
-*     return data ? JSON.parse(data) : null;
+* class RedisSessionStore implements SessionStore<MySessionData> {
+*   async create(session: Session<MySessionData>): Promise<void> {
+*     await redis.set(`session:${session.sid}`, JSON.stringify(session));
 *   }
 *   // ... other methods
 * }
 * ```
 */
-interface UserStore<TExtended = object> {
-	/**
-	* Retrieve a user by their subject identifier (sub).
-	*
-	* @param sub - The user's unique identifier from the IdP
-	* @returns The user if found, null otherwise
-	*/
-	get(sub: string): Promise<StoredUser<TExtended> | null>;
+interface SessionStore<TExtended = object> {
 	/**
-	* Retrieve a user by their email address.
+	* Create a new session in the store.
 	*
-	* @param email - The user's email address
-	* @returns The user if found, null otherwise
+	* @param session - The session data to store
+	* @throws Error if session with same sid already exists
 	*/
-	getByEmail(email: string): Promise<StoredUser<TExtended> | null>;
+	create(session: Session<TExtended>): Promise<void>;
 	/**
-	* Retrieve a user by their username.
+	* Retrieve a session by its IdP session ID (sid).
 	*
-	* @param userName - The user's username
-	* @returns The user if found, null otherwise
+	* @param sid - The session.sid from the Identity Provider
+	* @returns The session if found, null otherwise
 	*/
-	getByUserName(userName: string): Promise<StoredUser<TExtended> | null>;
+	get(sid: string): Promise<Session<TExtended> | null>;
 	/**
-	* Create or update a user in the store.
+	* Update an existing session with partial data.
 	*
-	* If a user with the same `id` (sub) exists, it will be updated.
-	* Otherwise, a new user will be created.
+	* Commonly used to update lastActivityAt or add custom fields.
 	*
-	* @param user - The user data to store
+	* @param sid - The session.sid to update
+	* @param data - Partial session data to merge
+	* @throws Error if session not found
 	*/
-	upsert(user: StoredUser<TExtended>): Promise<void>;
+	update(sid: string, data: Partial<Session<TExtended>>): Promise<void>;
 	/**
-	* Delete a user by their subject identifier (sub).
+	* Delete a session by its IdP session ID (sid).
 	*
-	* @param sub - The user's unique identifier to delete
-	*/
-	delete(sub: string): Promise<void>;
-	/**
-	* List users in the store with optional pagination and sort.
+	* Used for both normal logout and backchannel logout flows.
 	*
-	* @param options - Optional start (0-based), limit (page size), and sort
-	* @returns ListResult with total, count, items, size, page, pages
+	* @param sid - The session.sid to delete
 	*/
-	list(options?: UserListOptions): Promise<ListResult<StoredUser<TExtended>>>;
+	delete(sid: string): Promise<void>;
 }
-import { StandardSchemaV1 as StandardSchemaV14 } from "@standard-schema/spec";
-import { StandardSchemaV1 as StandardSchemaV13 } from "@standard-schema/spec";
 /**
-* JWT Assertion Claims for OAuth2 JWT Bearer Grant (RFC 7523) and OAuth2 Access Tokens
-* @see https://datatracker.ietf.org/doc/html/rfc7523
-* @see https://datatracker.ietf.org/doc/html/rfc9068
+* Base user with simple, developer-friendly attributes.
+* Extended by User (SSO) and EnterpriseUser (SCIM).
 */
-interface JWTAssertionClaims {
+interface BaseUser {
 	/**
-	* REQUIRED. Issuer - the workload identity (e.g., SPIFFE ID) or authorization server
+	* Unique identifier for the user
 	*/
-	iss: string;
+	id?: string;
 	/**
-	* REQUIRED. Subject - the workload identity or service account
+	* REQUIRED. Unique identifier for login
 	*/
-	sub: string;
+	userName: string;
 	/**
-	* OPTIONAL. Audience - may be a string or array of strings
-	* Note: Required for JWT assertions, but may be absent in OAuth2 access tokens
+	* REQUIRED. Simple display name
 	*/
-	aud?: string | string[];
+	name: string;
 	/**
-	* REQUIRED. Expiration time (Unix timestamp)
+	* REQUIRED. Primary email address
 	*/
-	exp: number;
+	email: string;
 	/**
-	* REQUIRED. Issued at time (Unix timestamp)
+	* URL to user's avatar/profile picture
 	*/
-	iat: number;
+	avatar?: string;
+	/**
+	* User type (e.g., "employee", "contractor", "customer").
+	* Shared by SSO/CIAM and enterprise/SCIM user representations.
+	*/
+	userType?: string;
+}
+/**
+* Primary user type for SSO/OIDC applications.
+* Extends BaseUser with SSO-specific data.
+*/
+interface User2 extends BaseUser {
+	/**
+	* SSO/OIDC authentication data
+	*/
+	sso: {
+		/**
+		* ID Token claims from the identity provider
+		*/
+		profile: IdTokenClaims;
+		/**
+		* Tenant/organization information
+		*/
+		tenant: {
+			id: string;
+			name: string;
+		};
+		/**
+		* OAuth scopes granted
+		*/
+		scope?: string;
+		/**
+		* Token type (typically "Bearer")
+		*/
+		tokenType: string;
+		/**
+		* Session state from the identity provider
+		*/
+		sessionState?: string;
+		/**
+		* Token expiration time
+		*/
+		expires: Date;
+	};
+}
+type SSOConfig<
+	TSessionData = Record<string, never>,
+	TUserData = Record<string, never>
+> = {
+	authority?: string;
+	tokenUrl?: string;
+	authorizationUrl?: string;
+	clientId?: string;
+	clientSecret?: string;
+	redirectUri?: string;
+	responseType?: "code";
+	scope?: string;
+	silentRedirectUri?: string;
+	jwksUri?: string;
+	cookiesPrefix?: string;
+	cookiesPath?: string;
+	cookiesSecure?: boolean;
+	cookiesSameSite?: "Strict" | "Lax";
+	/**
+	* Optional cookie name for tracking the active session across tenants.
+	* Defaults to 'es.active_session' when using the helper utilities.
+	*/
+	activeSessionCookieName?: string;
+	endSessionEndpoint?: string;
+	revocationEndpoint?: string;
+	sessionStore?: SessionStore<TSessionData>;
+	/**
+	* Optional user store for persisting user profiles from SSO authentication.
+	* When configured, users are automatically stored/updated on each login.
+	*/
+	userStore?: UserStore<TUserData>;
+	/**
+	* Enable Just-In-Time (JIT) user provisioning.
+	* When enabled, new users are automatically created in the userStore on their first login.
+	* When disabled (default), only existing users in the userStore are updated on login.
+	* Requires userStore to be configured.
+	* @default false
+	*/
+	enableJitUserProvisioning?: boolean;
+	validators?: SSOValidators;
+} & SSOHandlerConfig;
+type StateCookie = {
+	state: string;
+	codeVerifier: string;
+	landingUrl: string;
+	errorUrl?: string;
+};
+type CookieOptions = {
+	cookieName?: string;
+	path?: string;
+	maxAge?: number;
+	secure?: boolean;
+	sameSite?: "Strict" | "Lax";
+};
+declare function getActiveSession(request: Request, options?: CookieOptions): string | undefined;
+declare function setActiveSession(clientId: string, options?: CookieOptions): string;
+declare function clearActiveSession(options?: CookieOptions): string;
+declare function listSsoClientIdsFromCookies(requestOrCookieHeader: Request | string | null | undefined, options?: {
+	cookiePrefix?: string;
+}): string[];
+declare function findTenantFromStateParam(cookieHeader: string | null | undefined, stateParam: string): {
+	clientId: string;
+	stateCookie: StateCookie;
+} | undefined;
+type LoginConfig = {
+	landingUrl: string;
+	errorUrl?: string;
+};
+type SSOHandlerConfig = {
+	loginUrl?: string;
+	userUrl?: string;
+	errorUrl?: string;
+	landingUrl?: string;
+	tokenUrl?: string;
+	refreshUrl?: string;
+	jwksUrl?: string;
+	logoutUrl?: string;
+	logoutBackChannelUrl?: string;
+};
+type SSOValidators = {
+	callbackParams: StandardSchemaV13<unknown, OidcCallbackParams>;
+	idTokenClaims: StandardSchemaV13<unknown, IdTokenClaims>;
+	tokenResponse: StandardSchemaV13<unknown, TokenResponse>;
+};
+type SSO<
+	TSessionData = Record<string, never>,
+	TUserData = Record<string, never>
+> = SSOConfig<TSessionData, TUserData> & {
+	getUser: (request: Request) => Promise<User2 | undefined>;
+	getRequiredUser: (request: Request) => Promise<User2>;
+	getJwt: (request: Request) => Promise<string | undefined>;
+	initiateLogin: (config: LoginConfig, requestUrl?: string) => Promise<Response>;
+	logout: (request: Request, config?: LoginConfig) => Promise<Response>;
+	logoutBackChannel2: (request: Request) => Promise<Response>;
+	callbackHandler: (request: Request) => Promise<Response>;
+	handler: (request: Request) => Promise<Response>;
+};
+import { StandardSchemaV1 as StandardSchemaV15 } from "@standard-schema/spec";
+type ChangeListener = () => void;
+type ReactiveHandle = {
+	beforeChange?(listener: ChangeListener): () => void;
+	afterChange?(listener: ChangeListener): () => void;
+	isAvailable?(): boolean;
+};
+import { StandardSchemaV1 as StandardSchemaV14 } from "@standard-schema/spec";
+/**
+* JWT Assertion Claims for OAuth2 JWT Bearer Grant (RFC 7523) and OAuth2 Access Tokens
+* @see https://datatracker.ietf.org/doc/html/rfc7523
+* @see https://datatracker.ietf.org/doc/html/rfc9068
+*/
+interface JWTAssertionClaims {
+	/**
+	* REQUIRED. Issuer - the workload identity (e.g., SPIFFE ID) or authorization server
+	*/
+	iss: string;
+	/**
+	* REQUIRED. Subject - the workload identity or service account
+	*/
+	sub: string;
+	/**
+	* OPTIONAL. Audience - may be a string or array of strings
+	* Note: Required for JWT assertions, but may be absent in OAuth2 access tokens
+	*/
+	aud?: string | string[];
+	/**
+	* REQUIRED. Expiration time (Unix timestamp)
+	*/
+	exp: number;
+	/**
+	* REQUIRED. Issued at time (Unix timestamp)
+	*/
+	iat: number;
 	/**
 	* OPTIONAL. JWT ID - unique identifier for this token
 	* Note: Required for JWT assertions, optional for access tokens
@@ -946,7 +1102,7 @@ interface JWTAssertionClaims {
 * @param vendor - The name of the vendor creating this schema
 * @returns A StandardSchemaV1 instance for JWT Assertion Claims validation
 */
-declare function jwtAssertionClaimsSchema(vendor: string): StandardSchemaV13<Record<string, unknown>, JWTAssertionClaims>;
+declare function jwtAssertionClaimsSchema(vendor: string): StandardSchemaV14<Record<string, unknown>, JWTAssertionClaims>;
 /**
 * Workload Token Response from OAuth2 token endpoint
 * @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.1
@@ -982,7 +1138,7 @@ interface WorkloadTokenResponse {
 * @param vendor - The name of the vendor creating this schema
 * @returns A StandardSchemaV1 instance for Workload Token Response validation
 */
-declare function workloadTokenResponseSchema(vendor: string): StandardSchemaV13<Record<string, unknown>, WorkloadTokenResponse>;
+declare function workloadTokenResponseSchema(vendor: string): StandardSchemaV14<Record<string, unknown>, WorkloadTokenResponse>;
 /**
 * Token Validation Result
 */
@@ -1229,8 +1385,8 @@ type WorkloadConfigBase = {
 	validators?: WorkloadValidators;
 };
 type WorkloadValidators = {
-	jwtAssertionClaims: StandardSchemaV14<unknown, JWTAssertionClaims>;
-	tokenResponse: StandardSchemaV14<unknown, WorkloadTokenResponse>;
+	jwtAssertionClaims: StandardSchemaV15<unknown, JWTAssertionClaims>;
+	tokenResponse: StandardSchemaV15<unknown, WorkloadTokenResponse>;
 };
 /**
 * JWT Bearer Grant (RFC 7523) Configuration
@@ -1393,7 +1549,7 @@ type WorkloadIdentity = {
 /**
 * Workload Identity Authentication Interface
 */
-type Workload = WorkloadConfig & {
+type Workload = WorkloadConfig & ReactiveHandle & {
 	/**
 	* Returns a token for this workload configuration.
 	* The optional argument overrides the configured default scope.
@@ -1408,1159 +1564,1279 @@ type Workload = WorkloadConfig & {
 	/** Framework-agnostic request handler for the Workload module (token, validate, jwks, refresh). */
 	handler: (request: Request) => Promise<Response>;
 };
-type WorkloadClient = Pick<Workload, "getToken" | "refreshToken" | "generateJWTAssertion" | "revokeToken">;
-/**
-* SCIM Error response structure
-*/
-interface ScimError {
-	schemas: string[];
-	status: string;
-	scimType?: string;
-	detail?: string;
-}
-/**
-* SCIM List Response for bulk operations
-*/
-interface ScimListResponse<T> {
-	schemas: string[];
-	totalResults: number;
-	startIndex?: number;
-	itemsPerPage?: number;
-	Resources: T[];
-}
-/**
-* Result of a SCIM operation
-*/
-interface ScimResult<T> {
-	success: boolean;
-	data?: T;
-	error?: ScimError;
-	status: number;
-}
-/**
-* Handler configuration for IAM
-*/
-interface IAMHandlerConfig {
-	/**
-	* Base path for the SCIM Users endpoints (e.g., '/api/iam/Users')
-	*/
-	usersUrl?: string;
-	/**
-	* Base path for the SCIM Groups endpoints (e.g., '/api/iam/Groups')
-	*/
-	groupsUrl?: string;
-}
+type WorkloadClient = Pick<Workload, "getToken" | "refreshToken" | "generateJWTAssertion" | "revokeToken" | "beforeChange" | "afterChange" | "isAvailable">;
 /**
-* IAM configuration
+* Magic link data stored in the store.
 *
-* - If `url` is provided, groups_outbound is enabled (app calls external IAM)
-* - If `groupStore` is provided, groups_inbound is enabled (external IAM calls app)
-* - If `userStore` is provided, users_inbound is enabled (external IAM calls app)
+* @template TExtended - Type-safe custom data that consumers can add to magic links
 */
-type IAMConfig = {
+type MagicLink<TExtended = object> = {
 	/**
-	* Base URL of the external SCIM endpoint (e.g., https://sailpoint.example.com/scim/v2)
-	* If provided, enables outbound SCIM operations (app -> external IAM)
+	* The magic link token (unique identifier)
 	*/
-	url?: string;
+	token: string;
 	/**
-	* Store for inbound user provisioning from external IAM providers.
-	* When configured, the app can receive user CRUD operations via SCIM.
+	* User information associated with this magic link
 	*/
-	userStore?: UserStore;
+	user: BaseUser;
 	/**
-	* Store for inbound group provisioning from external IAM providers.
-	* When configured, enables groups_inbound (external IAM -> app).
+	* Timestamp when the magic link was created
 	*/
-	groupStore?: GroupStore;
+	createdAt: Date;
 	/**
-	* Optional handler defaults. These are merged with per-call overrides in
-	* `iam.handler`, with per-call values taking precedence.
+	* Timestamp when the magic link expires
 	*/
-	usersUrl?: string;
-	groupsUrl?: string;
-};
-type IAMValidators = {
-	user: StandardSchemaV15<unknown, User>;
-	group: StandardSchemaV15<unknown, GroupResource>;
-};
-/**
-* Options for creating a user
-*/
-interface CreateUserOptions {
+	expiresAt: Date;
 	/**
-	* External identifier for the user
+	* Allow consumers to add runtime data to magic links
 	*/
-	externalId?: string;
-}
+	[key: string]: unknown;
+} & TExtended;
 /**
-* Options for creating a group
-*/
-interface CreateGroupOptions {
-	/**
-	* External identifier for the group
-	*/
-	externalId?: string;
-	/**
-	* Initial members to add to the group
-	*/
-	members?: GroupMember[];
-}
-/**
-* Handler configuration for groups_inbound
+* Abstract interface for magic link storage backends.
+*
+* Consumers can implement this interface to use different storage backends:
+* - In-memory (for development/testing)
+* - Redis (for production with fast lookups and automatic expiration)
+* - Database (PostgreSQL, MySQL, etc.)
+*
+* @template TExtended - Type-safe custom data that consumers can add to magic links
+*
+* @example
+* ```typescript
+* // Custom magic link data
+* type MyMagicLinkData = {
+*   source: string;
+*   metadata: Record<string, unknown>;
+* };
+*
+* // Implement custom store
+* class RedisMagicLinkStore implements MagicLinkStore<MyMagicLinkData> {
+*   async create(token: string, user: BaseUser, expiresAt: Date): Promise<void> {
+*     const magicLink: MagicLink<MyMagicLinkData> = {
+*       token,
+*       user,
+*       createdAt: new Date(),
+*       expiresAt,
+*       source: 'api',
+*       metadata: {},
+*     };
+*     const ttl = Math.floor((expiresAt.getTime() - Date.now()) / 1000);
+*     await redis.setex(`magic-link:${token}`, ttl, JSON.stringify(magicLink));
+*   }
+*   // ... other methods
+* }
+* ```
 */
-interface GroupsInboundHandlerConfig {
+interface MagicLinkStore<TExtended = object> {
 	/**
-	* Base path for the SCIM Groups endpoints (e.g., '/api/iam/Groups')
+	* Create a new magic link in the store.
+	*
+	* @param token - The magic link token (unique identifier)
+	* @param user - The user information to associate with this magic link
+	* @param expiresAt - When the magic link expires
+	* @throws Error if magic link with same token already exists
 	*/
-	basePath?: string;
-}
-/**
-* Handler configuration for users_inbound
-*/
-interface UsersInboundHandlerConfig {
+	create(token: string, user: BaseUser, expiresAt: Date): Promise<void>;
 	/**
-	* Base path for the SCIM Users endpoints (e.g., '/api/iam/Users')
+	* Retrieve a magic link by its token.
+	*
+	* @param token - The magic link token
+	* @returns The magic link if found and not expired, null otherwise
 	*/
-	basePath?: string;
-}
-/**
-* Groups Outbound extension - for creating groups in external IAM providers.
-* Enabled when `url` is configured in IAMConfig.
-*/
-type IAMGroupsOutbound = {
+	get(token: string): Promise<MagicLink<TExtended> | null>;
 	/**
-	* Create a new group in the external IAM provider
-	* @param displayName - The display name for the group
-	* @param options - Optional configuration for the group creation
-	* @returns The created group resource from the provider
+	* Delete a magic link by its token.
+	*
+	* Used after a magic link has been consumed (one-time use).
+	*
+	* @param token - The magic link token to delete
 	*/
-	createGroup: (displayName: string, options?: CreateGroupOptions) => Promise<ScimResult<GroupResource>>;
+	delete(token: string): Promise<void>;
+}
+type Secret<T> = {
+	data: T;
+	metadata: MetaData;
 };
-/**
-* Groups Inbound extension - for receiving group provisioning from external IAM providers.
-* Enabled when `groupStore` is configured in IAMConfig.
-*/
-type IAMGroupsInbound = {
-	/**
-	* Handle inbound SCIM requests for group management.
-	* Routes: GET/POST /Groups, GET/PUT/PATCH/DELETE /Groups/:id
-	*/
-	handler: (request: Request, config?: GroupsInboundHandlerConfig) => Promise<Response>;
+type MetaData = {
+	path: string;
+	version: number;
+	created: Date;
 };
-/**
-* Users Inbound extension - for receiving user provisioning from external IAM providers.
-* Enabled when `userStore` is configured in IAMConfig.
-*/
-type IAMUsersInbound = {
-	/**
-	* Handle inbound SCIM requests for user management.
-	* Routes: GET/POST /Users, GET/PUT/PATCH/DELETE /Users/:id
-	*/
-	handler: (request: Request, config?: UsersInboundHandlerConfig) => Promise<Response>;
+type SecretsSourceType = "vault" | "azure" | "aws" | "gcp" | "dev";
+type SecretRequestSeverity = "low" | "medium" | "high" | "critical";
+type SecretLifecycleRequest = {
+	reason?: string;
+	severity?: SecretRequestSeverity;
+	incidentRef?: string;
 };
-/**
-* Core IAM service interface.
-*
-* - Core functions are user-related (outbound to external IAM)
-* - `groups_outbound` is available when `url` is configured
-* - `groups_inbound` is available when `groupStore` is configured
-* - `users_inbound` is available when `userStore` is configured
-*/
-type IAM = IAMConfig & {
-	/**
-	* Create a new user/account in the external IAM provider
-	* Only available when `url` is configured.
-	*/
-	createUser?: (user: User, options?: CreateUserOptions) => Promise<ScimResult<User>>;
+type SecretsOperationOptions = {
+	/** Optional timeout in milliseconds for this secrets operation. */
+	timeout?: number;
+};
+type SecretsSource = ReactiveHandle & {
+	type: SecretsSourceType;
+	getFullSecret: <T>(path: string, options?: SecretsOperationOptions) => Promise<Secret<T>>;
+	getSecret: <T>(path: string, options?: SecretsOperationOptions) => Promise<T>;
 	/**
-	* Get the configured external SCIM base URL
+	* Write a secret at the given path.
+	* Implementations may throw for read-only or unsupported secret sources.
 	*/
-	getBaseUrl: () => string | undefined;
+	putSecret: (path: string, value: Record<string, unknown>, options?: SecretsOperationOptions) => Promise<void>;
 	/**
-	* Groups Outbound extension - create groups in external IAM provider.
-	* Available when `url` is configured in IAMConfig.
+	* When set, the secret source supports change detection and will call onChange when the secret changes.
+	* Implementations must only invoke onChange when the secret version has changed from the last time
+	* that subscription was notified (same version must not trigger a second call).
+	* @returns a unsubscribe/cleanup function.
 	*/
-	groups_outbound?: IAMGroupsOutbound;
+	subscribe<T>(path: string, onChange: (fullSecret: Secret<T>) => void): () => void;
 	/**
-	* Groups Inbound extension - receive group provisioning from external IAM.
-	* Available when `groupStore` is configured in IAMConfig.
+	* Deletes a secret at the given path.
 	*/
-	groups_inbound?: IAMGroupsInbound;
+	deleteSecret(path: string, options?: SecretsOperationOptions): Promise<void>;
 	/**
-	* Users Inbound extension - receive user provisioning from external IAM.
-	* Available when `userStore` is configured in IAMConfig.
+	* Lists child paths under the given base path.
 	*/
-	users_inbound?: IAMUsersInbound;
+	listPaths(path: string, options?: SecretsOperationOptions): Promise<string[]>;
 	/**
-	* Framework-agnostic request handler for the IAM module.
-	* Routes to users_inbound or groups_inbound based on the request path.
+	* Returns true when a secret path exists.
 	*/
-	handler: (request: Request, config?: IAMHandlerConfig) => Promise<Response>;
-};
-import { StandardSchemaV1 as StandardSchemaV16 } from "@standard-schema/spec";
-/**
-* Session management for tracking user sessions and enabling backchannel logout.
-*
-* Session stores are optional - the package works with JWT cookies alone.
-* Sessions are only required for backchannel logout functionality.
-*
-* ## Session Validation Strategies
-*
-* When using a session store, you can configure when sessions are validated:
-*
-* ### 'always' (default)
-* Validates session on every authenticated request.
-* - **Security**: Maximum - immediate session revocation
-* - **Performance**: InMemory ~0.00005ms, Redis ~1-2ms per request
-* - **Backchannel Logout**: Takes effect immediately
-* - **Use when**: Security is paramount, using InMemory or Redis backend
-*
-* ### 'refresh-only'
-* Validates session only during token refresh (typically every 5-15 minutes).
-* - **Security**: Good - 5-15 minute revocation window
-* - **Performance**: 99% reduction in session lookups
-* - **Backchannel Logout**: Takes effect within token TTL (5-15 min)
-* - **Use when**: Performance is critical AND delayed revocation is acceptable
-* - **WARNING**: Compromised sessions remain valid until next refresh
-*
-* ### 'disabled'
-* Never validates sessions against the store.
-* - **Security**: None - backchannel logout doesn't work
-* - **Performance**: No overhead
-* - **Use when**: Cookie-only mode without session store
-* - **WARNING**: Do not use with sessionStore configured
-*
-* ## Performance Characteristics
-*
-* | Backend      | Lookup Time | Impact on Request | Recommendation         |
-* |--------------|-------------|-------------------|------------------------|
-* | InMemory     | <0.00005ms  | Negligible        | Use 'always'           |
-* | Redis        | 1-2ms       | 2-4% increase     | Use 'always' or test   |
-* | Database     | 5-20ms      | 10-40% increase   | Use Redis cache layer  |
-*
-* ## Example Usage
-*
-* ```typescript
-* import { sso, InMemorySessionStore } from '@enterprisestandard/server';
-*
-* // Maximum security (default)
-* const secure = sso({
-*   // ... other config
-*   sessionStore: new InMemorySessionStore(),
-*   session_validation: 'always', // Immediate revocation
-* });
-*
-* // High performance
-* const fast = sso({
-*   // ... other config
-*   sessionStore: new InMemorySessionStore(),
-*   session_validation: {
-*     strategy: 'refresh-only' // 5-15 min revocation delay
-*   }
-* });
-* ```
-*/
-/**
-* Core session data tracked for each authenticated user session.
-*
-* @template TExtended - Type-safe custom data that consumers can add to sessions
-*/
-type Session<TExtended = object> = {
+	exists(path: string, options?: SecretsOperationOptions): Promise<boolean>;
 	/**
-	* Session ID from the Identity Provider (from `sid` claim in ID token).
-	* This is the unique identifier for the session.
+	* Requests secret rotation for the given path.
 	*/
-	sid: string;
+	requestRotate(path: string, request?: SecretLifecycleRequest, options?: SecretsOperationOptions): Promise<void>;
 	/**
-	* Subject identifier (user ID) from the Identity Provider.
-	* From the `sub` claim in the ID token.
+	* Requests secret revocation for the given path.
 	*/
-	sub: string;
+	requestRevoke(path: string, request?: SecretLifecycleRequest, options?: SecretsOperationOptions): Promise<void>;
 	/**
-	* Timestamp when the session was created.
+	* Reads metadata for the given path.
 	*/
-	createdAt: Date;
+	getMetadata(path: string, options?: SecretsOperationOptions): Promise<Record<string, unknown>>;
+};
+type SecretsValidators = {
 	/**
-	* Timestamp of the last activity in this session.
-	* Can be updated to track session activity.
+	* Optional hook to validate merged source configs before they are resolved.
+	* Throw from this callback to reject invalid secrets source configuration.
 	*/
-	lastActivityAt: Date;
+	validateSourceConfig?(sourceName: string, config: SecretsSourceConfig): void;
+};
+type Secrets = ReactiveHandle & {
+	/** Named secrets sources client configurations from RemoteConfig. */
+	config: SecretsSourceMap;
+	/** Returns configured secrets source names/keys. */
+	listSecretsSources(): string[];
+	/** Gets a named secrets source client. Throws when missing. */
+	getSecretsSource(sourceName: string): SecretsSource;
+	/** Reads a secret from a named secrets source client. */
+	getSecret<T>(sourceName: string, path: string, options?: SecretsOperationOptions): Promise<T>;
+	/** Reads full secret data + metadata from a named secrets source client. */
+	getFullSecret<T>(sourceName: string, path: string, options?: SecretsOperationOptions): Promise<Secret<T>>;
+	/** Writes a secret to a named secrets source client. */
+	putSecret(sourceName: string, path: string, value: Record<string, unknown>, options?: SecretsOperationOptions): Promise<void>;
+	/** Deletes a secret from a named secrets source client. */
+	deleteSecret(sourceName: string, path: string, options?: SecretsOperationOptions): Promise<void>;
+	/** Lists child paths under a base path for a named secrets source client. */
+	listPaths(sourceName: string, path: string, options?: SecretsOperationOptions): Promise<string[]>;
+	/** Returns true when a path exists for a named secrets source client. */
+	exists(sourceName: string, path: string, options?: SecretsOperationOptions): Promise<boolean>;
+	/** Requests rotation for a secret path in a named secrets source client. */
+	requestRotate(sourceName: string, path: string, request?: SecretLifecycleRequest, options?: SecretsOperationOptions): Promise<void>;
+	/** Requests revocation for a secret path in a named secrets source client. */
+	requestRevoke(sourceName: string, path: string, request?: SecretLifecycleRequest, options?: SecretsOperationOptions): Promise<void>;
+	/** Reads metadata for a secret path in a named secrets source client. */
+	getMetadata(sourceName: string, path: string, options?: SecretsOperationOptions): Promise<Record<string, unknown>>;
+	/** Subscribes to secret changes on a named secrets source client. */
+	subscribe<T>(sourceName: string, path: string, onChange: (fullSecret: Secret<T>) => void): () => void;
+	/** Returns true when request matches any configured LFV delivery path. */
+	isLfvDeliveryRequest?(request: Request): boolean;
+	/** Returns true when request matches any configured LFV events path. */
+	isLfvEventsRequest?(request: Request): boolean;
+	/** Handles LFV delivery callbacks for configured LFV sources. */
+	handleLfvDelivery?(request: Request): Promise<Response>;
+	/** Handles LFV events callbacks for configured LFV sources. */
+	handleLfvEvents?(request: Request): Promise<Response>;
+};
+/**
+* Partial secrets source config used in framework/app code to declare expected source names.
+* ConfigSource-backed values may still provide the actual source details at runtime.
+*/
+type FrameworkSecretsSourceConfig = Partial<SecretsSourceConfig>;
+/**
+* Framework-level named secrets source declarations keyed by source name.
+* Values may be partial or empty when the app only wants to declare expected names/types.
+*/
+type FrameworkSecretsModuleConfig = Record<string, FrameworkSecretsSourceConfig>;
+/**
+* TODO: Let's see if we can do some clean inference and remove this!!!
+*/
+type SecretsSourceMap = Record<string, SecretsSource>;
+type SecretsSourceConfig = DevSecretsConfig | GcpSecretsConfig | VaultSecretsConfig | AwsSecretsConfig | AzureSecretsConfig;
+/**
+* Raw module config keyed by source name.
+* The secrets module resolves this into a runtime SecretsSourceMap.
+*/
+type SecretsModuleConfig = Record<string, SecretsSourceConfig>;
+type DevSecretsConfig = {
+	type: "dev";
+	ioniteUrl: string;
+};
+type GcpSecretsConfig = {
+	type: "gcp";
+};
+type VaultLfvSecretsConfig = {
+	/** LFV server base URL for OTP/action endpoints. */
+	lfvServerUrl?: string;
+	/** LFV client id used for OTP issuance. */
+	clientId?: string;
+	/** Signature value for X-LFV-Signature header. */
+	signature?: string;
+	deliveryEndpoint: string;
 	/**
-	* Allow consumers to add runtime data to sessions.
+	* Optional LFV signature verification key.
+	* When omitted, LFV callbacks are accepted without signature verification.
 	*/
-	[key: string]: unknown;
-} & TExtended;
+	verifyPublicKey?: string;
+	eventsEndpoint: string;
+	path?: string;
+	/**
+	* Timeout in milliseconds when waiting for a LFV delivery payload after a read request.
+	* After this duration, an error is thrown.
+	*/
+	deliveryTimeout?: number;
+	/** Retry interval in milliseconds between LFV transport retry attempts. */
+	retryInterval?: number;
+	/** Warning interval in milliseconds for LFV retry logs. Set to 0 to disable warnings. */
+	warnInterval?: number;
+	/**
+	* Optional logger for request/response tracing. Use `debugLogger` from `@enterprisestandard/core`
+	* to get debug output with request_id for LFV operations.
+	*/
+	log?: Logger;
+};
 /**
-* Abstract interface for session storage backends.
-*
-* Consumers can implement this interface to use different storage backends:
-* - Redis
-* - Database (PostgreSQL, MySQL, etc.)
-* - Distributed cache
-* - Custom solutions
-*
-* @template TExtended - Type-safe custom data that consumers can add to sessions
-*
-* @example
-* ```typescript
-* // Custom session data
-* type MySessionData = {
-*   ipAddress: string;
-*   userAgent: string;
-* };
-*
-* // Implement custom store
-* class RedisSessionStore implements SessionStore<MySessionData> {
-*   async create(session: Session<MySessionData>): Promise<void> {
-*     await redis.set(`session:${session.sid}`, JSON.stringify(session));
-*   }
-*   // ... other methods
-* }
-* ```
+* Runtime-ready LFV source config.
+* Input config can be partially declared/merged, but LFV operations require these fields.
 */
-interface SessionStore<TExtended = object> {
+type ResolvedVaultLfvSecretsConfig = Omit<VaultLfvSecretsConfig, "lfvServerUrl" | "clientId" | "path"> & {
+	lfvServerUrl: string;
+	clientId: string;
+	path: string;
+};
+type VaultWebSocketAuthHeader = "X-Vault-Token" | "Authorization";
+type VaultWebSocketSecretsConfig = {
+	/** Websocket URL for vault command execution and live secret subscriptions. */
+	url?: string;
+	/** Token used during websocket connect/auth. */
+	token?: string;
+	/** Header name used to send the websocket token. Defaults to X-Vault-Token. */
+	header?: VaultWebSocketAuthHeader;
+};
+type VaultSecretsConfig = {
+	type: "vault";
+	url?: string;
+	token?: string;
+	/** Optional LFV transport capability for reads/lifecycle operations. */
+	lfv?: VaultLfvSecretsConfig;
+	/** Optional websocket capability for vault commands and live subscriptions. */
+	websocket?: VaultWebSocketSecretsConfig;
 	/**
-	* Create a new session in the store.
-	*
-	* @param session - The session data to store
-	* @throws Error if session with same sid already exists
+	* MINIMUM: 600_000 milliseconds (10 minutes). Polls the path every ttl milliseconds and calls onConfig when config changes.
 	*/
-	create(session: Session<TExtended>): Promise<void>;
+	ttl?: number;
+};
+type AwsSecretsConfig = {
+	type: "aws";
+	webhookUrl: string;
+};
+type AwsAuthMethod = "client_secret" | "workload_identity" | "managed_identity";
+type AzureSecretsConfig = {
+	type: "azure";
 	/**
-	* Retrieve a session by its IdP session ID (sid).
+	* How to authenticate to Azure to fetch Key Vault access tokens.
 	*
-	* @param sid - The session.sid from the Identity Provider
-	* @returns The session if found, null otherwise
-	*/
-	get(sid: string): Promise<Session<TExtended> | null>;
-	/**
-	* Update an existing session with partial data.
+	* - client_secret: Entra app client secret (client credentials)
+	* - workload_identity: AKS Workload Identity (federated token file)
+	* - managed_identity: Azure Managed Identity via IMDS
 	*
-	* Commonly used to update lastActivityAt or add custom fields.
+	* If omitted, we auto-detect:
+	* - workload_identity if a federated token file is present
+	* - else client_secret if a clientSecret is present
+	* - else managed_identity
 	*
-	* @param sid - The session.sid to update
-	* @param data - Partial session data to merge
-	* @throws Error if session not found
+	* Env: ES_AZURE_AUTH_METHOD
 	*/
-	update(sid: string, data: Partial<Session<TExtended>>): Promise<void>;
+	authMethod?: AwsAuthMethod;
 	/**
-	* Delete a session by its IdP session ID (sid).
-	*
-	* Used for both normal logout and backchannel logout flows.
-	*
-	* @param sid - The session.sid to delete
+	* Azure Entra tenant id (GUID), used for OAuth2 token exchange.
+	* Env: ES_AZURE_TENANT_ID
+	*/
+	tenantId?: string;
+	/**
+	* Azure app registration client id (GUID).
+	* Env: ES_AZURE_CLIENT_ID
 	*/
-	delete(sid: string): Promise<void>;
-}
-type SSOConfig<
-	TSessionData = Record<string, never>,
-	TUserData = Record<string, never>
-> = {
-	authority?: string;
-	tokenUrl?: string;
-	authorizationUrl?: string;
 	clientId?: string;
+	/**
+	* Azure app registration client secret.
+	* Env: ES_AZURE_CLIENT_SECRET
+	*/
 	clientSecret?: string;
-	redirectUri?: string;
-	responseType?: "code";
-	scope?: string;
-	silentRedirectUri?: string;
-	jwksUri?: string;
-	cookiesPrefix?: string;
-	cookiesPath?: string;
-	cookiesSecure?: boolean;
-	cookiesSameSite?: "Strict" | "Lax";
 	/**
-	* Optional cookie name for tracking the active session across tenants.
-	* Defaults to 'es.active_session' when using the helper utilities.
+	* Path to the projected federated token file (AKS Workload Identity).
+	* Env: ES_AZURE_FEDERATED_TOKEN_FILE or AZURE_FEDERATED_TOKEN_FILE
 	*/
-	activeSessionCookieName?: string;
-	endSessionEndpoint?: string;
-	revocationEndpoint?: string;
-	sessionStore?: SessionStore<TSessionData>;
+	federatedTokenFile?: string;
 	/**
-	* Optional user store for persisting user profiles from SSO authentication.
-	* When configured, users are automatically stored/updated on each login.
+	* Managed Identity client id (user-assigned), optional.
+	* Env: ES_AZURE_MANAGED_IDENTITY_CLIENT_ID
 	*/
-	userStore?: UserStore<TUserData>;
+	managedIdentityClientId?: string;
 	/**
-	* Enable Just-In-Time (JIT) user provisioning.
-	* When enabled, new users are automatically created in the userStore on their first login.
-	* When disabled (default), only existing users in the userStore are updated on login.
-	* Requires userStore to be configured.
-	* @default false
+	* IMDS API version (managed identity).
+	* Env: ES_AZURE_IMDS_API_VERSION
+	* Default: 2018-02-01
 	*/
-	enableJitUserProvisioning?: boolean;
-	validators?: SSOValidators;
-} & SSOHandlerConfig;
-type StateCookie = {
-	state: string;
-	codeVerifier: string;
-	landingUrl: string;
-	errorUrl?: string;
-};
-type CookieOptions = {
-	cookieName?: string;
-	path?: string;
-	maxAge?: number;
-	secure?: boolean;
-	sameSite?: "Strict" | "Lax";
-};
-declare function getActiveSession(request: Request, options?: CookieOptions): string | undefined;
-declare function setActiveSession(clientId: string, options?: CookieOptions): string;
-declare function clearActiveSession(options?: CookieOptions): string;
-declare function listSsoClientIdsFromCookies(requestOrCookieHeader: Request | string | null | undefined, options?: {
-	cookiePrefix?: string;
-}): string[];
-declare function findTenantFromStateParam(cookieHeader: string | null | undefined, stateParam: string): {
-	clientId: string;
-	stateCookie: StateCookie;
-} | undefined;
-type LoginConfig = {
-	landingUrl: string;
-	errorUrl?: string;
+	imdsApiVersion?: string;
+	/**
+	* Key Vault URL, e.g. https://myvault.vault.azure.net
+	* Env: ES_AZURE_KEY_VAULT_URL
+	*/
+	vaultUrl?: string;
+	/**
+	* Alternative to vaultUrl. If provided, vaultUrl is derived as:
+	* https://${vaultName}.vault.azure.net
+	* Env: ES_AZURE_KEY_VAULT_NAME
+	*/
+	vaultName?: string;
+	/**
+	* Key Vault API version.
+	* Env: ES_AZURE_KEY_VAULT_API_VERSION
+	* Default: 7.4
+	*/
+	apiVersion?: string;
+	/**
+	* Maps vault "path" to a Key Vault secret name.
+	* Default: replaces `/` with `--` and trims leading/trailing `/`.
+	*/
+	secretNameTransform?: (path: string) => string;
+	/**
+	* Optional prefix added to all computed secret names.
+	* Useful to namespace secrets by app/environment.
+	*/
+	secretNamePrefix?: string;
+	/**
+	* OAuth2 scope; default is Key Vault resource scope.
+	* Default: https://vault.azure.net/.default
+	*/
+	scope?: string;
+	/**
+	* When set, the vault implements subscribe: poll this path every ttl seconds and call onConfig when config changes.
+	*/
+	ttl?: number;
 };
-type SSOHandlerConfig = {
-	loginUrl?: string;
-	userUrl?: string;
-	errorUrl?: string;
-	landingUrl?: string;
-	tokenUrl?: string;
-	refreshUrl?: string;
-	jwksUrl?: string;
-	logoutUrl?: string;
-	logoutBackChannelUrl?: string;
+type ConfigSourceType = "vault" | "azure" | "aws" | "gcp";
+type ESValidators = {
+	sso: SSOValidators;
+	iam: IAMValidators;
+	workload: WorkloadValidators;
+	ciam: CIAMValidators;
+	secrets?: SecretsValidators;
 };
-type SSOValidators = {
-	callbackParams: StandardSchemaV16<unknown, OidcCallbackParams>;
-	idTokenClaims: StandardSchemaV16<unknown, IdTokenClaims>;
-	tokenResponse: StandardSchemaV16<unknown, TokenResponse>;
+type ApplicationValidators<TTenantValidators extends TenantValidators = TenantValidators> = ESValidators & {
+	tenant: TTenantValidators;
 };
-type SSO<
-	TSessionData = Record<string, never>,
-	TUserData = Record<string, never>
-> = SSOConfig<TSessionData, TUserData> & {
-	getUser: (request: Request) => Promise<User2 | undefined>;
-	getRequiredUser: (request: Request) => Promise<User2>;
-	getJwt: (request: Request) => Promise<string | undefined>;
-	initiateLogin: (config: LoginConfig, requestUrl?: string) => Promise<Response>;
-	logout: (request: Request, config?: LoginConfig) => Promise<Response>;
-	logoutBackChannel2: (request: Request) => Promise<Response>;
-	callbackHandler: (request: Request) => Promise<Response>;
-	handler: (request: Request) => Promise<Response>;
+/**
+* Configuration supplied by the framework/application when creating an Enterprise Standard instance.
+* Merged with RemoteConfig from the ConfigSource (framework config wins). Pass as the second
+* argument to enterpriseStandard(source, config).
+* Set a module to `null` to explicitly disable it; then the corresponding property on the
+* EnterpriseStandard instance is typed as `never`. Omit a module to allow it to be supplied
+* from ConfigSource / adaptive (typed as the module type, non-optional).
+*/
+type FrameworkConfig = {
+	/** Optional `Logger` implementation (e.g. `consoleLogger`); exposed on the instance as `log`. */
+	log?: Logger;
+	sso?: SSOConfig | null;
+	iam?: IAMConfig | null;
+	workload?: FrameworkWorkloadConfig | null;
+	secrets?: FrameworkSecretsModuleConfig | null;
+	ciam?: CIAMConfig | null;
+	validators: ESValidators;
 };
-import { StandardSchemaV1 as StandardSchemaV17 } from "@standard-schema/spec";
-type Secret<T> = {
-	data: T;
-	metadata: MetaData;
+/**
+* Final configuration after merging ConfigSource (RemoteConfig) and FrameworkConfig.
+* Same shape as FrameworkConfig; each module (SSO, IAM, etc.) resolves its config from
+* both sources at runtime. Use this type when referring to the effective/merged config.
+*/
+type ESConfig = FrameworkConfig;
+/**
+* Remote config read from a config source (vault, lfv, etc.).
+*/
+type RemoteConfig = {
+	/** Optional app/tenant identifier for this ESA (e.g. from vault path or config). */
+	tenantId?: string;
+	sso?: SSOConfig;
+	iam?: IAMConfig;
+	/**
+	* Workload: single config, or incoming/outgoing (server vs client roles), or flat map of named clients.
+	* Preferred: { incoming: { jwksUri, issuer }, outgoing: { TNT_*: { clientId, ... } } }.
+	* Legacy: { default: { jwksUri, issuer }, TNT_*: { ... } } (flat map).
+	* TODO: Let's see if we can do some clean inference here!!!
+	*/
+	workload?: WorkloadConfig | WorkloadConfigMap | WorkloadIncomingOutgoing;
+	/** Optional named secrets-source configs available to this ESA instance. */
+	secrets?: SecretsModuleConfig;
+	ciam?: CIAMConfig;
 };
-type MetaData = {
+/**
+* Stores supplied by the framework/application when creating an Enterprise Standard instance.
+*/
+type FrameworkStores = {
+	sessionStore?: SessionStore<unknown>;
+	userStore?: UserStore<unknown>;
+	groupStore?: GroupStore<unknown>;
+	magicLinkStore?: MagicLinkStore<unknown>;
+	workloadTokenStore?: WorkloadTokenStore;
+};
+type ModifiableFrameworkConfig = FrameworkConfig & {
+	setStores(stores: FrameworkStores): void;
+};
+/** Return type from the beforeChange hook passed to enterpriseStandard(). */
+type ESConfigChangeResult = {
+	config?: RemoteConfig;
+	frameworkConfig?: FrameworkConfig;
+};
+/** beforeChange callback invoked on every config application (initial load and updates). */
+type ESConfigChangeCallback = (config: RemoteConfig, frameworkConfig: ModifiableFrameworkConfig, oldConfig: RemoteConfig | undefined) => ESConfigChangeResult | void;
+type ConfigSource = {
+	load(): Promise<RemoteConfig>;
+	/**
+	* Called when the config changes.
+	* @param onConfig - The callback to call when the config changes.
+	* @return an unsubscribe/cleanup function.
+	*/
+	subscribe(onConfig: (config: RemoteConfig) => void): undefined | (() => void);
+	/**
+	* Default secret client for the config source itself.
+	* For vault-backed sources this is the vault used to read RemoteConfig.
+	*/
+	secret: SecretsSource;
+	/**
+	* Optional. If not set by the creator, the framework may set this before calling load/subscribe
+	* so the source can use the same logger as the Enterprise Standard instance (`log`).
+	*/
+	log?: Logger;
+	/**
+	* Optional. If not set by the creator, the framework may set this before calling load/subscribe
+	* so the source can use the same validators.
+	*/
+	validators?: ESValidators;
+};
+type EnvironmentType = "POC" | "DEV" | "QA" | "PROD";
+type TenantStatus = "pending" | "processing" | "completed" | "failed" | "action_required";
+type UpsertTenantRequestBase = {
+	tenantId: string;
+	companyId: string;
+	companyName: string;
+	environmentType: EnvironmentType;
+	email?: string;
+	webhookUrl?: string;
+	callbackUrl?: string;
+	configSource: TenantSecretsConfig;
+};
+type UpsertTenantRequest<TExtended extends object = object> = UpsertTenantRequestBase & TExtended;
+type UpsertTenantResponse = {
+	tenantUrl?: string;
+	status: Exclude<TenantStatus, "action_required">;
+	error?: string;
+	refs?: RefUrls[];
+} | {
+	status: "action_required";
+	actionUrl: string;
+	requestToken: string;
+	expiresAt: string;
+	refs?: RefUrls[];
+};
+type CreateTenantRequest = UpsertTenantRequest;
+type CreateTenantResponse = UpsertTenantResponse;
+/**
+* The audience of the reference URL.
+* - 'human' for human-readable documentation such as user guides, documentation, etc.
+* - 'ai' for AI-generated reference such as llms.txt, AI-optimized markdown, etc.
+* - 'spec' for specifications and code-gen ready docs such as OpenAPI, GraphQL, etc.
+*/
+type Audience = "human" | "ai" | "spec";
+interface RefUrls {
+	audience: Audience;
+	url: string;
+	description: string;
+	createdAt: Date;
+	updatedAt: Date;
+}
+interface TenantWebhookPayload {
+	tenantId: string;
+	companyId: string;
+	status: TenantStatus;
+	tenantUrl?: string;
+	actionUrl?: string;
+	requestToken?: string;
+	expiresAt?: string;
+	error?: string;
+}
+declare class TenantRequestError extends Error {
+	constructor(message: string, options?: ErrorOptions);
+}
+declare class MultipleTenantsForUserError extends Error {
+	readonly userId: string;
+	readonly tenantIds: string[];
+	constructor(userId: string, tenantIds: string[], options?: ErrorOptions);
+}
+type TenantValidators<
+	TUpsertTenantRequest extends UpsertTenantRequest = UpsertTenantRequest,
+	TUpsertTenantResponse extends UpsertTenantResponse = UpsertTenantResponse
+> = {
+	upsertTenantRequest: StandardSchemaV16<unknown, TUpsertTenantRequest>;
+	upsertTenantResponse?: StandardSchemaV16<unknown, TUpsertTenantResponse>;
+	createTenantRequest?: StandardSchemaV16<unknown, TUpsertTenantRequest>;
+	createTenantResponse?: StandardSchemaV16<unknown, TUpsertTenantResponse>;
+};
+/**
+* Env-like tenant config variables used to build a ConfigSource at runtime.
+* These mirror the ES_* variables read by envConfig().
+*/
+type TenantConfigEnv = {
+	ES_CONFIG_TYPE?: ConfigSourceType;
+	ES_VAULT_URL?: string;
+	ES_VAULT_TOKEN?: string;
+	ES_VAULT_PATH?: string;
+	ES_VAULT_TTL?: string;
+	ES_VAULT_LFV_SERVER_URL?: string;
+	ES_VAULT_LFV_CLIENT_ID?: string;
+	ES_VAULT_LFV_SIGNATURE?: string;
+	ES_VAULT_LFV_DELIVERY_ENDPOINT?: string;
+	ES_VAULT_LFV_VERIFY_PUBLIC_KEY?: string;
+	ES_VAULT_LFV_EVENTS_ENDPOINT?: string;
+	ES_VAULT_LFV_DELIVERY_TIMEOUT?: string;
+	ES_VAULT_LFV_RETRY_INTERVAL?: string;
+	ES_VAULT_LFV_WARN_INTERVAL?: string;
+	ES_VAULT_WEBSOCKET_URL?: string;
+	ES_VAULT_WEBSOCKET_TOKEN?: string;
+	ES_VAULT_WEBSOCKET_HEADER?: "X-Vault-Token" | "Authorization";
+	ES_AZURE_API_VERSION?: string;
+	ES_AZURE_SCOPE?: string;
+	ES_AZURE_SECRET_NAME_PREFIX?: string;
+	ES_AZURE_AUTH_METHOD?: AwsAuthMethod;
+	ES_AZURE_TENANT_ID?: string;
+	ES_AZURE_CLIENT_ID?: string;
+	ES_AZURE_CLIENT_SECRET?: string;
+	ES_AZURE_FEDERATED_TOKEN_FILE?: string;
+	ES_AZURE_MANAGED_IDENTITY_CLIENT_ID?: string;
+	ES_AZURE_IMDS_API_VERSION?: string;
+	ES_AZURE_VAULT_URL?: string;
+	ES_AZURE_VAULT_NAME?: string;
+	ES_AZURE_TTL?: string;
+	ES_AWS_WEBHOOK_URL?: string;
+	ES_AWS_TTL?: string;
+	ES_GCP_TTL?: string;
+};
+type TenantSecretsConfig = (VaultSecretsConfig & {
+	path: string;
+	retryInterval?: number;
+}) | (AwsSecretsConfig & {
+	ttl?: number;
+}) | AzureSecretsConfig | (GcpSecretsConfig & {
+	ttl?: number;
+});
+type TenantStoredConfigLocator = {
+	/** Indicates that the tenant config descriptor is stored securely outside the tenant record. */
+	type: "stored";
+	/** Root secure source type used to fetch the stored tenant config descriptor. */
+	sourceType: "vault";
+	/** Path to the stored tenant config descriptor. */
 	path: string;
-	version: number;
-	created: Date;
 };
-type SecretsSourceType = "vault" | "azure" | "aws" | "gcp" | "dev";
-type SecretRequestSeverity = "low" | "medium" | "high" | "critical";
-type SecretLifecycleRequest = {
-	reason?: string;
-	severity?: SecretRequestSeverity;
-	incidentRef?: string;
+type TenantRemoteConfigLocator = {
+	/** Indicates that the tenant RemoteConfig already exists at this secure source path. */
+	type: "remoteConfig";
+	/** Secure source type used to load the RemoteConfig document directly. */
+	sourceType: "vault";
+	/** Path to the tenant RemoteConfig document. */
+	path: string;
 };
-type SecretsOperationOptions = {
-	/** Optional timeout in milliseconds for this secrets operation. */
-	timeout?: number;
+type TenantConfigLocator = TenantStoredConfigLocator | TenantRemoteConfigLocator;
+type TenantConfigSourceInput = TenantConfigLocator | ConfigSource;
+type TenantBaseRecord = {
+	tenantId: string;
+	companyId: string;
+	companyName: string;
+	environmentType: EnvironmentType;
+	email?: string;
+	webhookUrl?: string;
+	callbackUrl?: string;
+	tenantUrl?: string;
+	status: TenantStatus;
+	error?: string;
+	actionUrl?: string;
+	requestToken?: string;
+	expiresAt?: string;
+	createdAt: Date;
+	updatedAt: Date;
+	/** Persisted tenant config metadata, or a runtime ConfigSource for internal-only tenants. */
+	configSource: TenantConfigSourceInput;
+	/** Runtime helper that returns a ConfigSource for this tenant. */
+	config?: (source?: SecretsSource) => ConfigSource;
+};
+type TenantBaseConstraint = Omit<TenantBaseRecord, "configSource"> & {
+	configSource?: TenantConfigSourceInput;
+};
+type TenantRecordBase = TenantBaseConstraint;
+type StoredTenant<TTenant extends TenantRecordBase = TenantRecordBase> = TTenant;
+type StoredTenantRecord<TTenant extends TenantRecordBase = TenantRecordBase> = Omit<StoredTenant<TTenant>, "config">;
+type TenantEsFactory<TTenant extends TenantRecordBase = TenantRecordBase> = (tenant: StoredTenant<TTenant>) => EnterpriseStandard;
+type TenantConfigStoreRequest<
+	TTenant extends TenantRecordBase = TenantRecordBase,
+	TRequest extends UpsertTenantRequest = UpsertTenantRequest
+> = {
+	es: EnterpriseStandard;
+	tenantId: string;
+	request: TRequest;
+	configData: TenantSecretsConfig;
+	existingTenant: StoredTenant<TTenant> | undefined;
 };
-type SecretsSource = {
-	type: SecretsSourceType;
-	getFullSecret: <T>(path: string, options?: SecretsOperationOptions) => Promise<Secret<T>>;
-	getSecret: <T>(path: string, options?: SecretsOperationOptions) => Promise<T>;
+type TenantStoreWithESOptions<TTenant extends TenantRecordBase = TenantRecordBase> = {
+	/**
+	* TTL for cached per-tenant EnterpriseStandard instances, in milliseconds.
+	* Default is forever; set to 0 to recreate ES on every getEs() call.
+	*/
+	ttl?: number;
+	/**
+	* Optional factory used to create an ES instance for a tenant.
+	* If omitted, getEs() throws.
+	*/
+	createEs?: TenantEsFactory<TTenant>;
+};
+type TenantUserRegistration = {
+	registerUserTenantId(userId: string, tenantId: string | null | undefined): void | Promise<void>;
+	registerUserToTenant?(userId: string, tenantId: string): void | Promise<void>;
+};
+declare abstract class TenantStore<TTenant extends TenantRecordBase = TenantRecordBase> implements TenantUserRegistration {
+	storeConfig?(config: TenantConfigStoreRequest<TTenant>): Promise<TenantConfigSourceInput>;
+	abstract get(tenantId: string): Promise<StoredTenant<TTenant> | undefined>;
+	abstract list(options?: TenantListOptions): Promise<ListResult<StoredTenant<TTenant>>>;
+	abstract upsert(tenant: StoredTenant<TTenant>): Promise<StoredTenant<TTenant>>;
+	abstract delete(tenantId: string): Promise<number>;
+	abstract registerUserTenantId(userId: string, tenantId: string | null | undefined): void | Promise<void>;
+	registerUserToTenant?(userId: string, tenantId: string): void | Promise<void>;
+	abstract findTenantsByUser(user: User2): Promise<StoredTenant<TTenant>[]>;
+	findTenantByUser(user: User2): Promise<StoredTenant<TTenant> | undefined>;
+}
+type TenantManagerStore<TTenant extends TenantRecordBase = TenantRecordBase> = Pick<TenantStoreWithES<TTenant>, "get" | "list" | "upsert" | "delete" | "getEs" | "findTenantByUser" | "findTenantsByUser"> & {
+	storeConfig?: TenantStoreWithES<TTenant>["storeConfig"];
+};
+type InMemoryTenantStoreOptions<TTenant extends TenantRecordBase = TenantRecordBase> = TenantStoreWithESOptions<TTenant>;
+type TenantStoreWithRequiredEsOptions<TTenant extends TenantRecordBase = TenantRecordBase> = Omit<TenantStoreWithESOptions<TTenant>, "createEs"> & {
+	createEs: TenantEsFactory<TTenant>;
+};
+type SingleTenantStoreOptions<TTenant extends TenantRecordBase = TenantRecordBase> = TenantStoreWithRequiredEsOptions<TTenant>;
+type MultiTenantStoreOptions<TTenant extends TenantRecordBase = TenantRecordBase> = TenantStoreWithRequiredEsOptions<TTenant>;
+declare abstract class TenantStoreWithEsCache<TTenant extends TenantRecordBase = TenantRecordBase> extends TenantStore<TTenant> {
+	readonly ttl: number;
+	private readonly createEs?;
+	private readonly tenantEsMap;
+	constructor(options: TenantStoreWithESOptions<TTenant>);
+	registerUserTenantId(userId: string, tenantId: string | null | undefined): Promise<void>;
+	registerUserToTenant(_userId: string, _tenantId: string): Promise<void>;
+	protected prepareTenantForCreateEs(tenant: StoredTenant<TTenant>): StoredTenant<TTenant>;
+	protected invalidateTenantEsCache(tenantId: string): void;
+	getEs(tenantId: string): Promise<EnterpriseStandard | undefined>;
+	getCachedTenantIds(): string[];
+}
+declare abstract class SingleTenantStore<TTenant extends TenantRecordBase = TenantRecordBase> extends TenantStoreWithEsCache<TTenant> {
+	abstract findTenantByUser(user: User2): Promise<StoredTenant<TTenant> | undefined>;
+	findTenantsByUser(user: User2): Promise<StoredTenant<TTenant>[]>;
+}
+declare abstract class MultiTenantStore<TTenant extends TenantRecordBase = TenantRecordBase> extends TenantStoreWithEsCache<TTenant> {}
+type TenantStoreWithES<TTenant extends TenantRecordBase = TenantRecordBase> = TenantStoreWithEsCache<TTenant>;
+type InMemorySingleTenantStoreOptions<TTenant extends TenantRecordBase = TenantRecordBase> = InMemoryTenantStoreOptions<TTenant>;
+type InMemoryMultiTenantStoreOptions<TTenant extends TenantRecordBase = TenantRecordBase> = InMemoryTenantStoreOptions<TTenant>;
+declare class InMemorySingleTenantStore<TTenant extends TenantRecordBase = TenantRecordBase> extends SingleTenantStore<TTenant> {
+	private readonly store;
+	constructor(options?: InMemorySingleTenantStoreOptions<TTenant>);
+	get(tenantId: string): Promise<StoredTenant<TTenant> | undefined>;
+	list(options?: TenantListOptions): Promise<ListResult<StoredTenant<TTenant>>>;
+	upsert(tenant: StoredTenant<TTenant>): Promise<StoredTenant<TTenant>>;
+	delete(tenantId: string): Promise<number>;
+	registerUserTenantId(userId: string, tenantId: string | null | undefined): Promise<void>;
+	findTenantByUser(user: User2): Promise<StoredTenant<TTenant> | undefined>;
+}
+declare class InMemoryMultiTenantStore<TTenant extends TenantRecordBase = TenantRecordBase> extends MultiTenantStore<TTenant> {
+	private readonly store;
+	constructor(options?: InMemoryMultiTenantStoreOptions<TTenant>);
+	get(tenantId: string): Promise<StoredTenant<TTenant> | undefined>;
+	list(options?: TenantListOptions): Promise<ListResult<StoredTenant<TTenant>>>;
+	upsert(tenant: StoredTenant<TTenant>): Promise<StoredTenant<TTenant>>;
+	delete(tenantId: string): Promise<number>;
+	registerUserTenantId(userId: string, tenantId: string | null | undefined): Promise<void>;
+	findTenantsByUser(user: User2): Promise<StoredTenant<TTenant>[]>;
+}
+declare function sendTenantWebhook(webhookUrl: string, payload: TenantWebhookPayload, log: Logger): Promise<void>;
+/**
+* Stored user data with required id and tracking metadata.
+*
+* Extends the SSO User type with:
+* - Required `id` (the `sub` claim from the IdP)
+* - Timestamps for tracking when users were first seen and last updated
+* - Optional custom extended data
+*
+* @template TExtended - Type-safe custom data that consumers can add to users
+*/
+type StoredUser<TExtended = object> = Omit<User2, "sso"> & {
+	/**
+	* Required unique identifier (the `sub` claim from the IdP).
+	* This is the primary key for user storage.
+	*/
+	id?: string;
+	/**
+	* Optional Enterprise Standard tenant identifier for tenant-aware apps.
+	* Built-in user stores can use this when registering HRD mappings.
+	*/
+	tenantId?: string;
+	/**
+	* Optional external identifier from the provisioning client.
+	* Commonly set by IAM inbound SCIM provisioning flows.
+	*/
+	externalId?: string;
+	/**
+	* Optional SCIM display name distinct from the simple `name` field.
+	* Commonly set by IAM inbound SCIM provisioning flows.
+	*/
+	displayName?: string;
+	/**
+	* Optional structured SCIM name.
+	* Commonly set by IAM inbound SCIM provisioning flows.
+	*/
+	scimName?: Name;
 	/**
-	* Write a secret at the given path.
-	* Implementations may throw for read-only or unsupported secret sources.
+	* Optional SCIM email collection.
+	* The simple `email` field still stores the primary email for convenience.
 	*/
-	putSecret: (path: string, value: Record<string, unknown>, options?: SecretsOperationOptions) => Promise<void>;
+	emails?: Email[];
 	/**
-	* When set, the secret source supports change detection and will call onChange when the secret changes.
-	* Implementations must only invoke onChange when the secret version has changed from the last time
-	* that subscription was notified (same version must not trigger a second call).
-	* @returns a unsubscribe/cleanup function.
+	* Optional SCIM nickname.
+	* Commonly set by IAM inbound SCIM provisioning flows.
 	*/
-	subscribe<T>(path: string, onChange: (fullSecret: Secret<T>) => void): () => void;
+	nickName?: string;
 	/**
-	* Deletes a secret at the given path.
+	* Optional SCIM account state.
+	* Commonly set by IAM inbound SCIM provisioning flows.
 	*/
-	deleteSecret(path: string, options?: SecretsOperationOptions): Promise<void>;
+	active?: boolean;
 	/**
-	* Lists child paths under the given base path.
+	* Optional SCIM job title.
+	* Commonly set by IAM inbound SCIM provisioning flows.
 	*/
-	listPaths(path: string, options?: SecretsOperationOptions): Promise<string[]>;
+	title?: string;
 	/**
-	* Returns true when a secret path exists.
+	* Optional SCIM preferred language.
+	* Commonly set by IAM inbound SCIM provisioning flows.
 	*/
-	exists(path: string, options?: SecretsOperationOptions): Promise<boolean>;
+	preferredLanguage?: string;
 	/**
-	* Requests secret rotation for the given path.
+	* Optional SCIM locale.
+	* Commonly set by IAM inbound SCIM provisioning flows.
 	*/
-	requestRotate(path: string, request?: SecretLifecycleRequest, options?: SecretsOperationOptions): Promise<void>;
+	locale?: string;
 	/**
-	* Requests secret revocation for the given path.
+	* Optional SCIM timezone.
+	* Commonly set by IAM inbound SCIM provisioning flows.
 	*/
-	requestRevoke(path: string, request?: SecretLifecycleRequest, options?: SecretsOperationOptions): Promise<void>;
+	timezone?: string;
 	/**
-	* Reads metadata for the given path.
+	* Optional SCIM phone numbers.
+	* Commonly set by IAM inbound SCIM provisioning flows.
 	*/
-	getMetadata(path: string, options?: SecretsOperationOptions): Promise<Record<string, unknown>>;
-};
-type SecretsValidators = {
+	phoneNumbers?: PhoneNumber[];
 	/**
-	* Optional hook to validate merged source configs before they are resolved.
-	* Throw from this callback to reject invalid secrets source configuration.
+	* Optional SCIM instant messaging addresses.
+	* Commonly set by IAM inbound SCIM provisioning flows.
 	*/
-	validateSourceConfig?(sourceName: string, config: SecretsSourceConfig): void;
-};
-type Secrets = {
-	/** Named secrets sources client configurations from RemoteConfig. */
-	config: SecretsSourceMap;
-	/** Returns configured secrets source names/keys. */
-	listSecretsSources(): string[];
-	/** Gets a named secrets source client. Throws when missing. */
-	getSecretsSource(sourceName: string): SecretsSource;
-	/** Reads a secret from a named secrets source client. */
-	getSecret<T>(sourceName: string, path: string, options?: SecretsOperationOptions): Promise<T>;
-	/** Reads full secret data + metadata from a named secrets source client. */
-	getFullSecret<T>(sourceName: string, path: string, options?: SecretsOperationOptions): Promise<Secret<T>>;
-	/** Writes a secret to a named secrets source client. */
-	putSecret(sourceName: string, path: string, value: Record<string, unknown>, options?: SecretsOperationOptions): Promise<void>;
-	/** Deletes a secret from a named secrets source client. */
-	deleteSecret(sourceName: string, path: string, options?: SecretsOperationOptions): Promise<void>;
-	/** Lists child paths under a base path for a named secrets source client. */
-	listPaths(sourceName: string, path: string, options?: SecretsOperationOptions): Promise<string[]>;
-	/** Returns true when a path exists for a named secrets source client. */
-	exists(sourceName: string, path: string, options?: SecretsOperationOptions): Promise<boolean>;
-	/** Requests rotation for a secret path in a named secrets source client. */
-	requestRotate(sourceName: string, path: string, request?: SecretLifecycleRequest, options?: SecretsOperationOptions): Promise<void>;
-	/** Requests revocation for a secret path in a named secrets source client. */
-	requestRevoke(sourceName: string, path: string, request?: SecretLifecycleRequest, options?: SecretsOperationOptions): Promise<void>;
-	/** Reads metadata for a secret path in a named secrets source client. */
-	getMetadata(sourceName: string, path: string, options?: SecretsOperationOptions): Promise<Record<string, unknown>>;
-	/** Subscribes to secret changes on a named secrets source client. */
-	subscribe<T>(sourceName: string, path: string, onChange: (fullSecret: Secret<T>) => void): () => void;
-	/** Returns true when request matches any configured LFV delivery path. */
-	isLfvDeliveryRequest?(request: Request): boolean;
-	/** Returns true when request matches any configured LFV events path. */
-	isLfvEventsRequest?(request: Request): boolean;
-	/** Handles LFV delivery callbacks for configured LFV sources. */
-	handleLfvDelivery?(request: Request): Promise<Response>;
-	/** Handles LFV events callbacks for configured LFV sources. */
-	handleLfvEvents?(request: Request): Promise<Response>;
-};
-/**
-* Partial secrets source config used in framework/app code to declare expected source names.
-* ConfigSource-backed values may still provide the actual source details at runtime.
-*/
-type FrameworkSecretsSourceConfig = Partial<SecretsSourceConfig>;
-/**
-* Framework-level named secrets source declarations keyed by source name.
-* Values may be partial or empty when the app only wants to declare expected names/types.
-*/
-type FrameworkSecretsModuleConfig = Record<string, FrameworkSecretsSourceConfig>;
-/**
-* TODO: Let's see if we can do some clean inference and remove this!!!
-*/
-type SecretsSourceMap = Record<string, SecretsSource>;
-type SecretsSourceConfig = DevSecretsConfig | GcpSecretsConfig | VaultSecretsConfig | AwsSecretsConfig | AzureSecretsConfig;
-/**
-* Raw module config keyed by source name.
-* The secrets module resolves this into a runtime SecretsSourceMap.
-*/
-type SecretsModuleConfig = Record<string, SecretsSourceConfig>;
-type DevSecretsConfig = {
-	type: "dev";
-	ioniteUrl: string;
-};
-type GcpSecretsConfig = {
-	type: "gcp";
-};
-type VaultLfvSecretsConfig = {
-	/** LFV server base URL for OTP/action endpoints. */
-	lfvServerUrl?: string;
-	/** LFV client id used for OTP issuance. */
-	clientId?: string;
-	/** Signature value for X-LFV-Signature header. */
-	signature?: string;
-	deliveryEndpoint: string;
+	ims?: Array<{
+		value: string;
+		display?: string;
+		type?: string;
+		primary?: boolean;
+	}>;
 	/**
-	* Optional LFV signature verification key.
-	* When omitted, LFV callbacks are accepted without signature verification.
+	* Optional SCIM photos.
+	* Commonly set by IAM inbound SCIM provisioning flows.
 	*/
-	verifyPublicKey?: string;
-	eventsEndpoint: string;
-	path?: string;
+	photos?: Photo[];
 	/**
-	* Timeout in milliseconds when waiting for a LFV delivery payload after a read request.
-	* After this duration, an error is thrown.
+	* Optional SCIM addresses.
+	* Commonly set by IAM inbound SCIM provisioning flows.
 	*/
-	deliveryTimeout?: number;
-	/** Retry interval in milliseconds between LFV transport retry attempts. */
-	retryInterval?: number;
-	/** Warning interval in milliseconds for LFV retry logs. Set to 0 to disable warnings. */
-	warnInterval?: number;
+	addresses?: Address[];
 	/**
-	* Optional logger for request/response tracing. Use `debugLogger` from `@enterprisestandard/core`
-	* to get debug output with request_id for LFV operations.
+	* Optional SCIM roles.
+	* Commonly set by IAM inbound SCIM provisioning flows.
+	*/
+	roles?: Role[];
+	/**
+	* Optional SCIM groups.
+	* Commonly set by IAM inbound SCIM provisioning flows.
 	*/
-	logger?: Logger;
+	groups?: Group[];
+	/**
+	* Optional SCIM entitlements.
+	* Commonly set by IAM inbound SCIM provisioning flows.
+	*/
+	entitlements?: Array<{
+		value: string;
+		display?: string;
+		type?: string;
+		primary?: boolean;
+	}>;
+	/**
+	* Optional SCIM X.509 certificates.
+	* Commonly set by IAM inbound SCIM provisioning flows.
+	*/
+	x509Certificates?: X509Certificate[];
+	/**
+	* Optional SCIM enterprise extension.
+	* Mirrors `urn:ietf:params:scim:schemas:extension:enterprise:2.0:User`.
+	* Commonly set by IAM inbound SCIM provisioning flows.
+	*/
+	scimEnterprise?: EnterpriseExtension;
+	/**
+	* Optional pass-through SCIM schema extensions keyed by full URN.
+	* Use this when your validator accepts custom top-level SCIM extensions and
+	* you want them to round-trip through a `UserStore` implementation.
+	*/
+	scimSchemaExtensions?: Record<string, unknown>;
+	/**
+	* Timestamp when the user was first stored.
+	*/
+	createdAt?: Date;
+	/**
+	* Timestamp when the user was last updated (e.g., on re-login).
+	*/
+	updatedAt?: Date;
+	/**
+	* Optional SSO envelope for stores that persist full auth profile data.
+	* Simple app stores MAY omit this field.
+	*/
+	sso?: User2["sso"];
+} & TExtended;
+type UserStoreOptions = {
+	tenantId: string;
+	tenants: TenantStore;
 };
 /**
-* Runtime-ready LFV source config.
-* Input config can be partially declared/merged, but LFV operations require these fields.
+* Abstract interface for user storage backends.
+*
+* Consumers can implement this interface to use different storage backends:
+* - In-memory (for development/testing)
+* - Redis (for production with fast lookups)
+* - Database (PostgreSQL, MySQL, etc.)
+*
+* @template TExtended - Type-safe custom data that consumers can add to users
+*
+* @example
+* ```typescript
+* // Custom user data
+* type MyUserData = {
+*   department: string;
+*   roles: string[];
+* };
+*
+* // Implement custom store
+* class RedisUserStore implements UserStore<MyUserData> {
+*   async get(sub: string): Promise<StoredUser<MyUserData> | null> {
+*     const data = await redis.get(`user:${sub}`);
+*     return data ? JSON.parse(data) : null;
+*   }
+*   // ... other methods
+* }
+* ```
 */
-type ResolvedVaultLfvSecretsConfig = Omit<VaultLfvSecretsConfig, "lfvServerUrl" | "clientId" | "path"> & {
-	lfvServerUrl: string;
-	clientId: string;
-	path: string;
-};
-type VaultWebSocketAuthHeader = "X-Vault-Token" | "Authorization";
-type VaultWebSocketSecretsConfig = {
-	/** Websocket URL for vault command execution and live secret subscriptions. */
-	url?: string;
-	/** Token used during websocket connect/auth. */
-	token?: string;
-	/** Header name used to send the websocket token. Defaults to X-Vault-Token. */
-	header?: VaultWebSocketAuthHeader;
-};
-type VaultSecretsConfig = {
-	type: "vault";
-	url?: string;
-	token?: string;
-	/** Optional LFV transport capability for reads/lifecycle operations. */
-	lfv?: VaultLfvSecretsConfig;
-	/** Optional websocket capability for vault commands and live subscriptions. */
-	websocket?: VaultWebSocketSecretsConfig;
+interface UserStore<TExtended = object> {
 	/**
-	* MINIMUM: 600_000 milliseconds (10 minutes). Polls the path every ttl milliseconds and calls onConfig when config changes.
+	* Retrieve a user by their subject identifier (sub).
+	*
+	* This is the canonical lookup used by SDK flows whenever possible.
+	* Other lookup methods (userName) are secondary convenience indexes.
+	*
+	* @param sub - The user's unique identifier from the IdP
+	* @returns The user if found, undefined otherwise
 	*/
-	ttl?: number;
-};
-type AwsSecretsConfig = {
-	type: "aws";
-	webhookUrl: string;
-};
-type AwsAuthMethod = "client_secret" | "workload_identity" | "managed_identity";
-type AzureSecretsConfig = {
-	type: "azure";
+	get(sub: string): Promise<StoredUser<TExtended> | undefined>;
 	/**
-	* How to authenticate to Azure to fetch Key Vault access tokens.
+	* Retrieve a user by their username.
 	*
-	* - client_secret: Entra app client secret (client credentials)
-	* - workload_identity: AKS Workload Identity (federated token file)
-	* - managed_identity: Azure Managed Identity via IMDS
+	* @param userName - The user's username
+	* @returns The user if found, undefined otherwise
+	*/
+	getByUserName(userName: string): Promise<StoredUser<TExtended> | undefined>;
+	/**
+	* Create or update a user in the store.
 	*
-	* If omitted, we auto-detect:
-	* - workload_identity if a federated token file is present
-	* - else client_secret if a clientSecret is present
-	* - else managed_identity
+	* If a user with the same `id` (sub) exists, it will be updated.
+	* Otherwise, a new user will be created.
 	*
-	* Env: ES_AZURE_AUTH_METHOD
+	* @param user - The user data to store
 	*/
-	authMethod?: AwsAuthMethod;
+	upsert(user: StoredUser<TExtended>): Promise<StoredUser<TExtended>>;
 	/**
-	* Azure Entra tenant id (GUID), used for OAuth2 token exchange.
-	* Env: ES_AZURE_TENANT_ID
+	* Delete a user by their subject identifier (sub).
+	*
+	* @param sub - The user's unique identifier to delete
 	*/
-	tenantId?: string;
+	delete(sub: string): Promise<number>;
+	/**
+	* List users in the store with optional pagination and sort.
+	*
+	* @param options - Optional start (0-based), limit (page size), and sort
+	* @returns ListResult with total, count, items, size, page, pages
+	*/
+	list(options?: UserListOptions): Promise<ListResult<StoredUser<TExtended>>>;
+}
+/**
+* SCIM Error response structure
+*/
+interface ScimError {
+	schemas: string[];
+	status: string;
+	scimType?: string;
+	detail?: string;
+}
+/**
+* SCIM List Response for bulk operations
+*/
+interface ScimListResponse<T> {
+	schemas: string[];
+	totalResults: number;
+	startIndex?: number;
+	itemsPerPage?: number;
+	Resources: T[];
+}
+/**
+* Result of a SCIM operation
+*/
+interface ScimResult<T> {
+	success: boolean;
+	data?: T;
+	error?: ScimError;
+	status: number;
+}
+/**
+* Handler configuration for IAM
+*/
+interface IAMHandlerConfig {
 	/**
-	* Azure app registration client id (GUID).
-	* Env: ES_AZURE_CLIENT_ID
+	* Base path for the SCIM Users endpoints (e.g., '/api/iam/Users')
 	*/
-	clientId?: string;
+	usersUrl?: string;
 	/**
-	* Azure app registration client secret.
-	* Env: ES_AZURE_CLIENT_SECRET
+	* Base path for the SCIM Groups endpoints (e.g., '/api/iam/Groups')
 	*/
-	clientSecret?: string;
+	groupsUrl?: string;
 	/**
-	* Path to the projected federated token file (AKS Workload Identity).
-	* Env: ES_AZURE_FEDERATED_TOKEN_FILE or AZURE_FEDERATED_TOKEN_FILE
+	* Handler overrides for SCIM discovery endpoints (e.g., '/api/iam/ServiceProviderConfig')
 	*/
-	federatedTokenFile?: string;
+	discovery?: IAMDiscoveryHandlerConfig;
+}
+/**
+* IAM configuration
+*
+* - If `url` is provided, groups_outbound is enabled (app calls external IAM)
+* - If `groupStore` is provided, groups_inbound is enabled (external IAM calls app)
+* - If `userStore` is provided, users_inbound is enabled (external IAM calls app)
+*/
+type IAMConfig = {
 	/**
-	* Managed Identity client id (user-assigned), optional.
-	* Env: ES_AZURE_MANAGED_IDENTITY_CLIENT_ID
+	* Base URL of the external SCIM endpoint (e.g., https://sailpoint.example.com/scim/v2)
+	* If provided, enables outbound SCIM operations (app -> external IAM)
 	*/
-	managedIdentityClientId?: string;
+	url?: string;
 	/**
-	* IMDS API version (managed identity).
-	* Env: ES_AZURE_IMDS_API_VERSION
-	* Default: 2018-02-01
+	* Store for inbound user provisioning from external IAM providers.
+	* When configured, the app can receive user CRUD operations via SCIM.
 	*/
-	imdsApiVersion?: string;
+	userStore?: UserStore;
 	/**
-	* Key Vault URL, e.g. https://myvault.vault.azure.net
-	* Env: ES_AZURE_KEY_VAULT_URL
+	* Optional inbound user mapping hooks for SCIM provisioning.
+	* Use these when the default StoredUser <-> SCIM mapping is not a direct fit
+	* for your application's database model.
 	*/
-	vaultUrl?: string;
+	inboundUsers?: IAMInboundUsersConfig;
 	/**
-	* Alternative to vaultUrl. If provided, vaultUrl is derived as:
-	* https://${vaultName}.vault.azure.net
-	* Env: ES_AZURE_KEY_VAULT_NAME
+	* Store for inbound group provisioning from external IAM providers.
+	* When configured, enables groups_inbound (external IAM -> app).
 	*/
-	vaultName?: string;
+	groupStore?: GroupStore;
 	/**
-	* Key Vault API version.
-	* Env: ES_AZURE_KEY_VAULT_API_VERSION
-	* Default: 7.4
+	* Optional handler defaults. These are merged with per-call overrides in
+	* `iam.handler`, with per-call values taking precedence.
 	*/
-	apiVersion?: string;
+	usersUrl?: string;
+	groupsUrl?: string;
+	discovery?: IAMDiscoveryConfig;
+};
+type IAMValidators = {
+	user: StandardSchemaV17<unknown, User>;
+	group: StandardSchemaV17<unknown, GroupResource>;
+};
+interface IAMInboundUserContext {
 	/**
-	* Maps vault "path" to a Key Vault secret name.
-	* Default: replaces `/` with `--` and trims leading/trailing `/`.
+	* Current stored user when replacing or patching an existing resource.
 	*/
-	secretNameTransform?: (path: string) => string;
+	existing?: StoredUser;
 	/**
-	* Optional prefix added to all computed secret names.
-	* Useful to namespace secrets by app/environment.
+	* Operation mode for the inbound mapper.
 	*/
-	secretNamePrefix?: string;
+	mode: "create" | "replace" | "patch";
+}
+interface IAMInboundUsersConfig {
 	/**
-	* OAuth2 scope; default is Key Vault resource scope.
-	* Default: https://vault.azure.net/.default
+	* Replace the default validated SCIM -> StoredUser mapper.
 	*/
-	scope?: string;
+	mapValidatedScimToStoredUser?: (validated: User, context: IAMInboundUserContext) => StoredUser | Promise<StoredUser>;
 	/**
-	* When set, the vault implements subscribe: poll this path every ttl seconds and call onConfig when config changes.
+	* Replace the default StoredUser -> SCIM response mapper.
 	*/
-	ttl?: number;
-};
-type EnvironmentType = "POC" | "DEV" | "QA" | "PROD";
-type TenantStatus = "pending" | "processing" | "completed" | "failed" | "action_required";
-interface UpsertTenantRequest {
-	tenantId: string;
-	companyId: string;
-	companyName: string;
-	environmentType: EnvironmentType;
-	email?: string;
-	webhookUrl?: string;
-	callbackUrl?: string;
-	configSource: TenantSecretsConfig;
-}
-type UpsertTenantResponse = {
-	tenantUrl?: string;
-	status: Exclude<TenantStatus, "action_required">;
-	error?: string;
-	refs?: RefUrls[];
-} | {
-	status: "action_required";
-	actionUrl: string;
-	requestToken: string;
-	expiresAt: string;
-	refs?: RefUrls[];
-};
-type CreateTenantRequest = UpsertTenantRequest;
-type CreateTenantResponse = UpsertTenantResponse;
-/**
-* The audience of the reference URL.
-* - 'human' for human-readable documentation such as user guides, documentation, etc.
-* - 'ai' for AI-generated reference such as llms.txt, AI-optimized markdown, etc.
-* - 'spec' for specifications and code-gen ready docs such as OpenAPI, GraphQL, etc.
-*/
-type Audience = "human" | "ai" | "spec";
-interface RefUrls {
-	audience: Audience;
-	url: string;
-	description: string;
-	createdAt: Date;
-	updatedAt: Date;
+	mapStoredUserToScim?: (stored: StoredUser) => User | Promise<User>;
 }
-interface TenantWebhookPayload {
-	tenantId: string;
-	companyId: string;
-	status: TenantStatus;
-	tenantUrl?: string;
-	actionUrl?: string;
-	requestToken?: string;
-	expiresAt?: string;
-	error?: string;
+interface ScimAuthenticationScheme {
+	type: string;
+	name: string;
+	description?: string;
+	specUri?: string;
+	documentationUri?: string;
+	primary?: boolean;
 }
-declare class TenantRequestError extends Error {
-	constructor(message: string, options?: ErrorOptions);
+interface ScimServiceProviderConfig {
+	schemas: string[];
+	documentationUri?: string;
+	patch: {
+		supported: boolean;
+	};
+	bulk: {
+		supported: boolean;
+		maxOperations?: number;
+		maxPayloadSize?: number;
+	};
+	filter: {
+		supported: boolean;
+		maxResults?: number;
+	};
+	changePassword: {
+		supported: boolean;
+	};
+	sort: {
+		supported: boolean;
+	};
+	etag: {
+		supported: boolean;
+	};
+	authenticationSchemes?: ScimAuthenticationScheme[];
+	meta?: {
+		resourceType?: string;
+		location?: string;
+	};
 }
-declare class MultipleTenantsForUserError extends Error {
-	readonly userId: string;
-	readonly tenantIds: string[];
-	constructor(userId: string, tenantIds: string[], options?: ErrorOptions);
+interface ScimResourceTypeSchemaExtension {
+	schema: string;
+	required: boolean;
 }
-type UserMode = "singleTenantOnly" | "multipleTenantsPerUser";
-type TenantValidators = {
-	upsertTenantRequest: StandardSchemaV17<unknown, UpsertTenantRequest>;
-	upsertTenantResponse?: StandardSchemaV17<unknown, UpsertTenantResponse>;
-	createTenantRequest?: StandardSchemaV17<unknown, UpsertTenantRequest>;
-	createTenantResponse?: StandardSchemaV17<unknown, UpsertTenantResponse>;
-};
-/**
-* Env-like tenant config variables used to build a ConfigSource at runtime.
-* These mirror the ES_* variables read by envConfig().
-*/
-type TenantConfigEnv = {
-	ES_CONFIG_TYPE?: ConfigSourceType;
-	ES_VAULT_URL?: string;
-	ES_VAULT_TOKEN?: string;
-	ES_VAULT_PATH?: string;
-	ES_VAULT_TTL?: string;
-	ES_VAULT_LFV_SERVER_URL?: string;
-	ES_VAULT_LFV_CLIENT_ID?: string;
-	ES_VAULT_LFV_SIGNATURE?: string;
-	ES_VAULT_LFV_DELIVERY_ENDPOINT?: string;
-	ES_VAULT_LFV_VERIFY_PUBLIC_KEY?: string;
-	ES_VAULT_LFV_EVENTS_ENDPOINT?: string;
-	ES_VAULT_LFV_DELIVERY_TIMEOUT?: string;
-	ES_VAULT_LFV_RETRY_INTERVAL?: string;
-	ES_VAULT_LFV_WARN_INTERVAL?: string;
-	ES_VAULT_WEBSOCKET_URL?: string;
-	ES_VAULT_WEBSOCKET_TOKEN?: string;
-	ES_VAULT_WEBSOCKET_HEADER?: "X-Vault-Token" | "Authorization";
-	ES_AZURE_API_VERSION?: string;
-	ES_AZURE_SCOPE?: string;
-	ES_AZURE_SECRET_NAME_PREFIX?: string;
-	ES_AZURE_AUTH_METHOD?: AwsAuthMethod;
-	ES_AZURE_TENANT_ID?: string;
-	ES_AZURE_CLIENT_ID?: string;
-	ES_AZURE_CLIENT_SECRET?: string;
-	ES_AZURE_FEDERATED_TOKEN_FILE?: string;
-	ES_AZURE_MANAGED_IDENTITY_CLIENT_ID?: string;
-	ES_AZURE_IMDS_API_VERSION?: string;
-	ES_AZURE_VAULT_URL?: string;
-	ES_AZURE_VAULT_NAME?: string;
-	ES_AZURE_TTL?: string;
-	ES_AWS_WEBHOOK_URL?: string;
-	ES_AWS_TTL?: string;
-	ES_GCP_TTL?: string;
-};
-type TenantSecretsConfig = (VaultSecretsConfig & {
-	path: string;
-	retryInterval?: number;
-}) | (AwsSecretsConfig & {
-	ttl?: number;
-}) | AzureSecretsConfig | (GcpSecretsConfig & {
-	ttl?: number;
-});
-type TenantStoredConfigLocator = {
-	/** Indicates that the tenant config descriptor is stored securely outside the tenant record. */
-	type: "stored";
-	/** Root secure source type used to fetch the stored tenant config descriptor. */
-	sourceType: "vault";
-	/** Path to the stored tenant config descriptor. */
-	path: string;
-};
-type TenantRemoteConfigLocator = {
-	/** Indicates that the tenant RemoteConfig already exists at this secure source path. */
-	type: "remoteConfig";
-	/** Secure source type used to load the RemoteConfig document directly. */
-	sourceType: "vault";
-	/** Path to the tenant RemoteConfig document. */
-	path: string;
-};
-type TenantConfigLocator = TenantStoredConfigLocator | TenantRemoteConfigLocator;
-type TenantConfigSourceInput = TenantConfigLocator | ConfigSource;
-type TenantBaseRecord = {
-	tenantId: string;
-	companyId: string;
-	companyName: string;
-	environmentType: EnvironmentType;
-	email?: string;
-	webhookUrl?: string;
-	callbackUrl?: string;
-	tenantUrl?: string;
-	status: TenantStatus;
-	error?: string;
-	actionUrl?: string;
-	requestToken?: string;
-	expiresAt?: string;
-	createdAt: Date;
-	updatedAt: Date;
-	/** Persisted tenant config metadata, or a runtime ConfigSource for internal-only tenants. */
-	configSource: TenantConfigSourceInput;
-	/** Runtime helper that returns a ConfigSource for this tenant. */
-	config: (source?: SecretsSource) => ConfigSource;
-};
-type StoredTenant<TExtended extends object = Record<string, never>> = TenantBaseRecord & TExtended;
-type StoredTenantRecord<TExtended extends object = Record<string, never>> = Omit<StoredTenant<TExtended>, "config">;
-type TenantEsFactory<TExtended extends object = Record<string, never>> = (tenant: StoredTenant<TExtended>) => EnterpriseStandard;
-type TenantConfigStoreRequest<TExtended extends object = Record<string, never>> = {
-	es: EnterpriseStandard;
-	tenantId: string;
-	request: UpsertTenantRequest;
-	configData: TenantSecretsConfig;
-	existingTenant: StoredTenant<TExtended> | null;
-};
-type TenantStoreWithESOptions<TExtended extends object = Record<string, never>> = {
+interface ScimResourceType {
+	schemas: string[];
+	id: string;
+	name: string;
+	description?: string;
+	endpoint: string;
+	schema: string;
+	schemaExtensions?: ScimResourceTypeSchemaExtension[];
+	meta?: {
+		resourceType?: string;
+		location?: string;
+	};
+}
+interface ScimSchemaAttributeDefinition {
+	name: string;
+	type: "string" | "boolean" | "complex" | "reference" | "dateTime";
+	multiValued: boolean;
+	description?: string;
+	required?: boolean;
+	caseExact?: boolean;
+	mutability?: "readOnly" | "readWrite" | "immutable" | "writeOnly";
+	returned?: "always" | "never" | "default" | "request";
+	uniqueness?: "none" | "server" | "global";
+	referenceTypes?: string[];
+	subAttributes?: ScimSchemaAttributeDefinition[];
+}
+interface ScimSchemaDefinition {
+	schemas: string[];
+	id: string;
+	name: string;
+	description?: string;
+	attributes: ScimSchemaAttributeDefinition[];
+	meta?: {
+		resourceType?: string;
+		location?: string;
+	};
+}
+interface IAMDiscoveryContext {
+	request: Request;
+	basePath: string;
+	usersUrl: string;
+	groupsUrl: string;
+	supportsUsers: boolean;
+	supportsGroups: boolean;
+}
+interface IAMDiscoveryConfig {
 	/**
-	* TTL for cached per-tenant EnterpriseStandard instances, in milliseconds.
-	* Default is forever; set to 0 to recreate ES on every getEs() call.
+	* Public IAM base path used for SCIM discovery. When omitted, the SDK derives
+	* it from `usersUrl` or `groupsUrl`.
 	*/
-	ttl?: number;
+	basePath?: string;
 	/**
-	* Optional factory used to create an ES instance for a tenant.
-	* If omitted, getEs() throws.
+	* Optional documentation URI advertised in ServiceProviderConfig.
 	*/
-	createEs?: TenantEsFactory<TExtended>;
-};
-type TenantMetadataRecord = Omit<TenantBaseRecord, "tenantId" | "config" | "configSource" | "status" | "createdAt" | "updatedAt">;
-type TenantExtendedUpsertFields<TExtended extends object> = string extends keyof TExtended ? unknown : Partial<TExtended>;
-type TenantStoreUpsertRecord<TExtended extends object = Record<string, never>> = Pick<TenantBaseRecord, "tenantId" | "configSource"> & Partial<TenantMetadataRecord> & Partial<Pick<TenantBaseRecord, "status" | "createdAt" | "updatedAt">> & TenantExtendedUpsertFields<TExtended>;
-type TenantUserRegistration<TMode extends UserMode = UserMode> = {
-	userMode: TMode;
-	registerUserTenantId?(userId: string, tenantId: string | null | undefined): void | Promise<void>;
-};
-type TenantStoreBase<
-	TMode extends UserMode = "singleTenantOnly",
-	TExtended extends object = Record<string, never>
-> = TenantUserRegistration<TMode> & {
-	storeConfig(config: TenantConfigStoreRequest<TExtended>): Promise<TenantConfigSourceInput>;
-	get(tenantId: string): Promise<StoredTenant<TExtended> | null>;
-	list(options?: TenantListOptions): Promise<ListResult<StoredTenant<TExtended>>>;
-	upsert(tenant: TenantStoreUpsertRecord<TExtended>): Promise<StoredTenant<TExtended>>;
-	delete(tenantId: string): Promise<void>;
-};
-type TenantLookupMethods<
-	TMode extends UserMode,
-	TExtended extends object
-> = TMode extends "singleTenantOnly" ? {
-	findTenantByUserId(userId: string): Promise<StoredTenant<TExtended> | null>;
-	findTenantsByUserId?: never;
-} : {
-	findTenantByUserId?: never;
-	findTenantsByUserId(userId: string): Promise<StoredTenant<TExtended>[]>;
-};
-type TenantStore<
-	TMode extends UserMode = "singleTenantOnly",
-	TExtended extends object = Record<string, never>
-> = TenantStoreBase<TMode, TExtended> & TenantLookupMethods<TMode, TExtended>;
-type TenantStoreWithES<
-	TMode extends UserMode = "singleTenantOnly",
-	TExtended extends object = Record<string, never>
-> = TenantStore<TMode, TExtended> & {
-	ttl: number;
-	getEs(tenantId: string): Promise<EnterpriseStandard | null>;
-	getCachedTenantIds(): string[];
-};
-type InMemoryTenantStoreOptions<
-	TMode extends UserMode = "singleTenantOnly",
-	TExtended extends object = Record<string, never>
-> = TenantStoreWithESOptions<TExtended> & {
-	userMode: TMode;
-};
-declare class InMemoryTenantStore<
-	TMode extends UserMode = "singleTenantOnly",
-	TExtended extends object = Record<string, never>
-> {
-	private tenants;
-	private tenantEsMap;
-	private userTenantIds;
-	readonly ttl: number;
-	readonly userMode: TMode;
-	private readonly createEs?;
-	readonly findTenantByUserId: TMode extends "singleTenantOnly" ? (userId: string) => Promise<StoredTenant<TExtended> | null> : never;
-	readonly findTenantsByUserId: TMode extends "multipleTenantsPerUser" ? (userId: string) => Promise<StoredTenant<TExtended>[]> : never;
-	constructor(options: InMemoryTenantStoreOptions<TMode, TExtended>);
-	get(tenantId: string): Promise<StoredTenant<TExtended> | null>;
-	list(options?: TenantListOptions): Promise<ListResult<StoredTenant<TExtended>>>;
-	upsert(tenant: TenantStoreUpsertRecord<TExtended>): Promise<StoredTenant<TExtended>>;
-	delete(tenantId: string): Promise<void>;
-	getEs(tenantId: string): Promise<EnterpriseStandard>;
-	getCachedTenantIds(): string[];
-	registerUserTenantId(userId: string, tenantId: string | null | undefined): Promise<void>;
-	private findSingleTenantByUserId;
-	private findMultipleTenantsByUserId;
-	private resolveTenantsByUserId;
-}
-declare function sendTenantWebhook(webhookUrl: string, payload: TenantWebhookPayload, log: Logger): Promise<void>;
-/**
-* Magic link data stored in the store.
-*
-* @template TExtended - Type-safe custom data that consumers can add to magic links
-*/
-type MagicLink<TExtended = object> = {
+	documentationUri?: string;
 	/**
-	* The magic link token (unique identifier)
+	* Override the default ServiceProviderConfig response.
 	*/
-	token: string;
+	buildServiceProviderConfig?: (context: IAMDiscoveryContext, defaults: ScimServiceProviderConfig) => ScimServiceProviderConfig | Promise<ScimServiceProviderConfig>;
 	/**
-	* User information associated with this magic link
+	* Override the default ResourceTypes response.
 	*/
-	user: BaseUser;
+	buildResourceTypes?: (context: IAMDiscoveryContext, defaults: ScimResourceType[]) => ScimResourceType[] | Promise<ScimResourceType[]>;
 	/**
-	* Timestamp when the magic link was created
+	* Override the default Schemas response.
 	*/
-	createdAt: Date;
+	buildSchemas?: (context: IAMDiscoveryContext, defaults: ScimSchemaDefinition[]) => ScimSchemaDefinition[] | Promise<ScimSchemaDefinition[]>;
+}
+/**
+* Options for creating a user
+*/
+interface CreateUserOptions {
 	/**
-	* Timestamp when the magic link expires
+	* External identifier for the user
 	*/
-	expiresAt: Date;
+	externalId?: string;
+}
+/**
+* Options for creating a group
+*/
+interface CreateGroupOptions {
 	/**
-	* Allow consumers to add runtime data to magic links
+	* External identifier for the group
 	*/
-	[key: string]: unknown;
-} & TExtended;
+	externalId?: string;
+	/**
+	* Initial members to add to the group
+	*/
+	members?: GroupMember[];
+}
 /**
-* Abstract interface for magic link storage backends.
-*
-* Consumers can implement this interface to use different storage backends:
-* - In-memory (for development/testing)
-* - Redis (for production with fast lookups and automatic expiration)
-* - Database (PostgreSQL, MySQL, etc.)
-*
-* @template TExtended - Type-safe custom data that consumers can add to magic links
-*
-* @example
-* ```typescript
-* // Custom magic link data
-* type MyMagicLinkData = {
-*   source: string;
-*   metadata: Record<string, unknown>;
-* };
-*
-* // Implement custom store
-* class RedisMagicLinkStore implements MagicLinkStore<MyMagicLinkData> {
-*   async create(token: string, user: BaseUser, expiresAt: Date): Promise<void> {
-*     const magicLink: MagicLink<MyMagicLinkData> = {
-*       token,
-*       user,
-*       createdAt: new Date(),
-*       expiresAt,
-*       source: 'api',
-*       metadata: {},
-*     };
-*     const ttl = Math.floor((expiresAt.getTime() - Date.now()) / 1000);
-*     await redis.setex(`magic-link:${token}`, ttl, JSON.stringify(magicLink));
-*   }
-*   // ... other methods
-* }
-* ```
+* Handler configuration for groups_inbound
 */
-interface MagicLinkStore<TExtended = object> {
+interface GroupsInboundHandlerConfig {
 	/**
-	* Create a new magic link in the store.
-	*
-	* @param token - The magic link token (unique identifier)
-	* @param user - The user information to associate with this magic link
-	* @param expiresAt - When the magic link expires
-	* @throws Error if magic link with same token already exists
+	* Base path for the SCIM Groups endpoints (e.g., '/api/iam/Groups')
 	*/
-	create(token: string, user: BaseUser, expiresAt: Date): Promise<void>;
+	basePath?: string;
+}
+/**
+* Handler configuration for users_inbound
+*/
+interface UsersInboundHandlerConfig {
 	/**
-	* Retrieve a magic link by its token.
-	*
-	* @param token - The magic link token
-	* @returns The magic link if found and not expired, null otherwise
+	* Base path for the SCIM Users endpoints (e.g., '/api/iam/Users')
 	*/
-	get(token: string): Promise<MagicLink<TExtended> | null>;
+	basePath?: string;
+}
+interface IAMDiscoveryHandlerConfig {
 	/**
-	* Delete a magic link by its token.
-	*
-	* Used after a magic link has been consumed (one-time use).
-	*
-	* @param token - The magic link token to delete
+	* Base path for the IAM discovery endpoints (e.g., '/api/iam')
 	*/
-	delete(token: string): Promise<void>;
+	basePath?: string;
 }
-type ConfigSourceType = "vault" | "azure" | "aws" | "gcp";
-type ESValidators = {
-	sso: SSOValidators;
-	iam: IAMValidators;
-	workload: WorkloadValidators;
-	ciam: CIAMValidators;
-	secrets?: SecretsValidators;
-};
-type ApplicationValidators = ESValidators & {
-	tenant: TenantValidators;
-};
 /**
-* Configuration supplied by the framework/application when creating an Enterprise Standard instance.
-* Merged with RemoteConfig from the ConfigSource (framework config wins). Pass as the second
-* argument to enterpriseStandard(source, config).
-* Set a module to `null` to explicitly disable it; then the corresponding property on the
-* EnterpriseStandard instance is typed as `never`. Omit a module to allow it to be supplied
-* from ConfigSource / adaptive (typed as the module type, non-optional).
+* Groups Outbound extension - for creating groups in external IAM providers.
+* Enabled when `url` is configured in IAMConfig.
 */
-type FrameworkConfig = {
-	logger?: Logger;
-	sso?: SSOConfig | null;
-	iam?: IAMConfig | null;
-	workload?: FrameworkWorkloadConfig | null;
-	secrets?: FrameworkSecretsModuleConfig | null;
-	ciam?: CIAMConfig | null;
-	validators: ESValidators;
+type IAMGroupsOutbound = {
+	/**
+	* Create a new group in the external IAM provider
+	* @param displayName - The display name for the group
+	* @param options - Optional configuration for the group creation
+	* @returns The created group resource from the provider
+	*/
+	createGroup: (displayName: string, options?: CreateGroupOptions) => Promise<ScimResult<GroupResource>>;
 };
 /**
-* Final configuration after merging ConfigSource (RemoteConfig) and FrameworkConfig.
-* Same shape as FrameworkConfig; each module (SSO, IAM, etc.) resolves its config from
-* both sources at runtime. Use this type when referring to the effective/merged config.
+* Groups Inbound extension - for receiving group provisioning from external IAM providers.
+* Enabled when `groupStore` is configured in IAMConfig.
 */
-type ESConfig = FrameworkConfig;
+type IAMGroupsInbound = {
+	/**
+	* Handle inbound SCIM requests for group management.
+	* Routes: GET/POST /Groups, GET/PUT/PATCH/DELETE /Groups/:id
+	*/
+	handler: (request: Request, config?: GroupsInboundHandlerConfig) => Promise<Response>;
+};
 /**
-* Remote config read from a config source (vault, lfv, etc.).
+* Users Inbound extension - for receiving user provisioning from external IAM providers.
+* Enabled when `userStore` is configured in IAMConfig.
 */
-type RemoteConfig = {
-	/** Optional app/tenant identifier for this ESA (e.g. from vault path or config). */
-	tenantId?: string;
-	sso?: SSOConfig;
-	iam?: IAMConfig;
+type IAMUsersInbound = {
 	/**
-	* Workload: single config, or incoming/outgoing (server vs client roles), or flat map of named clients.
-	* Preferred: { incoming: { jwksUri, issuer }, outgoing: { TNT_*: { clientId, ... } } }.
-	* Legacy: { default: { jwksUri, issuer }, TNT_*: { ... } } (flat map).
-	* TODO: Let's see if we can do some clean inference here!!!
+	* Handle inbound SCIM requests for user management.
+	* Routes: GET/POST /Users, GET/PUT/PATCH/DELETE /Users/:id
 	*/
-	workload?: WorkloadConfig | WorkloadConfigMap | WorkloadIncomingOutgoing;
-	/** Optional named secrets-source configs available to this ESA instance. */
-	secrets?: SecretsModuleConfig;
-	ciam?: CIAMConfig;
+	handler: (request: Request, config?: UsersInboundHandlerConfig) => Promise<Response>;
 };
 /**
-* Stores supplied by the framework/application when creating an Enterprise Standard instance.
+* Core IAM service interface.
+*
+* - Core functions are user-related (outbound to external IAM)
+* - `groups_outbound` is available when `url` is configured
+* - `groups_inbound` is available when `groupStore` is configured
+* - `users_inbound` is available when `userStore` is configured
 */
-type FrameworkStores = {
-	sessionStore?: SessionStore<unknown>;
-	userStore?: UserStore<unknown>;
-	groupStore?: GroupStore<unknown>;
-	magicLinkStore?: MagicLinkStore<unknown>;
-	workloadTokenStore?: WorkloadTokenStore;
-};
-type ModifiableFrameworkConfig = FrameworkConfig & {
-	setStores(stores: FrameworkStores): void;
-};
-/** Return type from the beforeChange hook passed to enterpriseStandard(). */
-type ESConfigChangeResult = {
-	config?: RemoteConfig;
-	frameworkConfig?: FrameworkConfig;
-};
-/** beforeChange callback invoked on every config application (initial load and updates). */
-type ESConfigChangeCallback = (config: RemoteConfig, frameworkConfig: ModifiableFrameworkConfig, oldConfig: RemoteConfig | undefined) => ESConfigChangeResult | void;
-type ConfigSource = {
-	load(): Promise<RemoteConfig>;
+type IAM = IAMConfig & {
 	/**
-	* Called when the config changes.
-	* @param onConfig - The callback to call when the config changes.
-	* @return an unsubscribe/cleanup function.
+	* Create a new user/account in the external IAM provider
+	* Only available when `url` is configured.
 	*/
-	subscribe(onConfig: (config: RemoteConfig) => void): undefined | (() => void);
+	createUser?: (user: User, options?: CreateUserOptions) => Promise<ScimResult<User>>;
 	/**
-	* Default secret client for the config source itself.
-	* For vault-backed sources this is the vault used to read RemoteConfig.
+	* Get the configured external SCIM base URL
 	*/
-	secret: SecretsSource;
+	getBaseUrl: () => string | undefined;
 	/**
-	* Optional. If not set by the creator, the framework may set this before calling load/subscribe
-	* so the source can use the same logger.
+	* Groups Outbound extension - create groups in external IAM provider.
+	* Available when `url` is configured in IAMConfig.
 	*/
-	logger?: Logger;
+	groups_outbound?: IAMGroupsOutbound;
 	/**
-	* Optional. If not set by the creator, the framework may set this before calling load/subscribe
-	* so the source can use the same validators.
+	* Groups Inbound extension - receive group provisioning from external IAM.
+	* Available when `groupStore` is configured in IAMConfig.
 	*/
-	validators?: ESValidators;
+	groups_inbound?: IAMGroupsInbound;
+	/**
+	* Users Inbound extension - receive user provisioning from external IAM.
+	* Available when `userStore` is configured in IAMConfig.
+	*/
+	users_inbound?: IAMUsersInbound;
+	/**
+	* Framework-agnostic request handler for the IAM module.
+	* Routes to discovery, users_inbound, or groups_inbound based on the request path.
+	*/
+	handler: (request: Request, config?: IAMHandlerConfig) => Promise<Response>;
 };
 /**
 * Serializes a FrameworkConfig (or ESConfig) to a JSON-serializable object.
@@ -2599,7 +2875,8 @@ type WorkloadModuleFromConfig<C extends FrameworkConfig> = Exclude<C["workload"]
 type EnterpriseStandardFromConfig<C extends FrameworkConfig = FrameworkConfig> = EnterpriseStandardStrict<C>;
 /** Base shape shared by all EnterpriseStandard variants (modules optional for backward compatibility). */
 type EnterpriseStandardBase = {
-	logger?: Logger;
+	/** Effective framework logger for this instance (from framework `log` or `defaultLogger`). */
+	log: Logger;
 	/** App/tenant identifier when provided by ConfigSource (e.g. vault). */
 	tenantId?: string;
 	/** Most recent remote config applied to this instance (from ConfigSource, after beforeChange if any). */
@@ -2627,7 +2904,7 @@ type EnterpriseStandardBase = {
 };
 /** Config-driven module types: null in config → never; otherwise module type (non-optional). */
 type EnterpriseStandardStrict<C extends FrameworkConfig> = {
-	logger?: Logger;
+	log: Logger;
 	tenantId?: string;
 	config?: RemoteConfig;
 	secret: SecretsSource;
@@ -3213,6 +3490,12 @@ declare function mergeConfig<T extends Record<string, unknown>>(fromVault: T | u
 declare function stripJsonComments(content: string): string;
 declare function parseJsonc<T>(content: string): T;
 /**
+* Deep equality for JSON-like values used in config snapshots.
+* Treats object key order as irrelevant and treats missing and `undefined`
+* object properties as equal by ignoring `undefined` keys on both sides.
+*/
+declare function deepEqualPlain(a: unknown, b: unknown): boolean;
+/**
 * Waits for a HTTP service to be ready by polling its URL.
 * Connection errors (e.g. connection refused) are treated as "not ready" and retried.
 * @param url - The URL to poll.
@@ -3222,4 +3505,4 @@ declare function parseJsonc<T>(content: string): T;
 * @returns A promise that resolves when the service is ready.
 */
 declare function waitOn(url: string, test?: (resp: Response) => boolean | Promise<boolean>, pingInterval?: number, warnInterval?: number, timeout?: number): Promise<void>;
-export { workloadTokenResponseSchema, withValidate, waitOn, version, validationFailureResponse, userSchema, tokenResponseSchema, stripJsonComments, silentLogger, setActiveSession, serializeESConfig, sendTenantWebhook, parseJsonc, oidcCallbackSchema, normalizeTenantRoutingStrategy, normalizeTenantPathNamespace, must, mergeConfig, matchTenantPath, listSsoClientIdsFromCookies, list, jwtAssertionClaimsSchema, infoLogger, idTokenClaimsSchema, groupResourceSchema, getActiveSession, findTenantFromStateParam, defaultLogger, decodeUser, debugLogger, consoleLogger, clearActiveSession, claimsToUser, buildTenantPath, X509Certificate, WorkloadValidators, WorkloadTokenStore, WorkloadTokenResponse, WorkloadIncomingOutgoing, WorkloadIdentity, WorkloadConfigMap, WorkloadConfig, WorkloadClient, Workload, VaultWebSocketSecretsConfig, VaultWebSocketAuthHeader, VaultSecretsConfig, VaultLfvSecretsConfig, ValidateResult, UsersInboundHandlerConfig, UserStore, UserSortOptions, UserSortField, UserMode, UserListOptions, User2 as User, UpsertTenantResponse, UpsertTenantRequest, TokenValidationResult, TokenResponse, TenantWebhookPayload, TenantValidators, TenantUserRegistration, TenantStoredConfigLocator, TenantStoreWithESOptions, TenantStoreWithES, TenantStoreUpsertRecord, TenantStore, TenantStatus, TenantSortOptions, TenantSortField, TenantSecretsConfig, TenantRoutingStrategy, TenantRequestError, TenantRemoteConfigLocator, TenantPathRoutingStrategy, TenantPathNamespace, TenantPathMatch, TenantListOptions, TenantJwtRoutingStrategy, TenantEsFactory, TenantDirectoryTenant, TenantDirectoryResponse, TenantDirectoryAccount, TenantConfigStoreRequest, TenantConfigSourceInput, TenantConfigLocator, TenantConfigEnv, StoredUser, StoredTenantRecord, StoredTenant, StoredGroup, StateCookie, StandardSchemaWithValidate, SortDirection, SessionStore, Session, ServerOnlyWorkloadConfig, SecretsValidators, SecretsSourceType, SecretsSourceMap, SecretsSourceConfig, SecretsSource, SecretsOperationOptions, SecretsModuleConfig, Secrets, SecretRequestSeverity, SecretLifecycleRequest, Secret, User as ScimUser, ScimResult, ScimListResponse, ScimError, SSOValidators, SSOHandlerConfig, SSOConfig, SSOAppValidators, SSOAppRegistry, SSO, Role, ResolvedVaultLfvSecretsConfig, RemoteConfig, RegisterSSOAppResult, RegisterSSOAppPayload, RegisterSSOAppError, RegisterIAMAppResult, RegisterIAMAppPayload, RegisterIAMAppError, Photo, PhoneNumber, OidcCallbackParams, Name, MultipleTenantsForUserError, ModifiableFrameworkConfig, MetaData, MagicLinkStore, MagicLink, LoginConfig, Logger, ListResult, LfvOtpResponse, LfvOtpRequest, LfvErrorResponse, LfvErrorCode, LfvActionRequestBase, LfvActionName, LfvActionAcceptedResponse, JwtBearerWorkloadConfig, JWTAssertionClaims, InMemoryTenantStoreOptions, InMemoryTenantStore, IdTokenClaims, IAMValidators, IAMUsersInbound, IAMHandlerConfig, IAMGroupsOutbound, IAMGroupsInbound, IAMConfig, IAMAppValidators, IAMAppRole, IAMAppRegistry, IAM, GroupsInboundHandlerConfig, GroupStore, GroupSortOptions, GroupSortField, GroupResource, GroupMember, GroupListOptions, Group, GcpSecretsConfig, FrameworkWorkloadIncomingOutgoing, FrameworkWorkloadConfig, FrameworkStores, FrameworkSecretsSourceConfig, FrameworkSecretsModuleConfig, FrameworkConfig, EnvironmentType, EnterpriseUser, EnterpriseStandardFromConfig, EnterpriseStandardBase, EnterpriseStandard, EnterpriseExtension, Email, ESValidators, ESRoutingOptions, ESRouteModule, ESRouteFilterResult, ESResolvedRoute, ESModuleFromConfig, ESConfigChangeResult, ESConfigChangeOptions, ESConfigChangeCallback, ESConfig, DevSecretsConfig, DEFAULT_TENANT_UI_NAMESPACE, DEFAULT_TENANT_API_NAMESPACE, CreateUserOptions, CreateTenantResponse, CreateTenantRequest, CreateGroupOptions, ConfigSourceType, ConfigSource, ClientCredentialsWorkloadConfig, CachedWorkloadToken, CIAMValidators, CIAMConfigFromCode, CIAMConfig, CIAM, BaseUser, AzureSecretsConfig, AwsSecretsConfig, AwsAuthMethod, ApplicationValidators, Address };
+export { workloadTokenResponseSchema, withValidate, waitOn, version, validationFailureResponse, userSchema, tokenResponseSchema, stripJsonComments, silentLogger, setActiveSession, serializeESConfig, sendTenantWebhook, parseJsonc, oidcCallbackSchema, normalizeTenantRoutingStrategy, normalizeTenantPathNamespace, must, mergeConfig, matchTenantPath, listSsoClientIdsFromCookies, list, jwtAssertionClaimsSchema, infoLogger, idTokenClaimsSchema, groupResourceSchema, getActiveSession, findTenantFromStateParam, defaultLogger, deepEqualPlain, decodeUser, debugLogger, consoleLogger, clearActiveSession, claimsToUser, buildTenantPath, X509Certificate, WorkloadValidators, WorkloadTokenStore, WorkloadTokenResponse, WorkloadIncomingOutgoing, WorkloadIdentity, WorkloadConfigMap, WorkloadConfig, WorkloadClient, Workload, VaultWebSocketSecretsConfig, VaultWebSocketAuthHeader, VaultSecretsConfig, VaultLfvSecretsConfig, ValidateResult, UsersInboundHandlerConfig, UserStoreOptions, UserStore, UserSortOptions, UserSortField, UserListOptions, User2 as User, UpsertTenantResponse, UpsertTenantRequest, TokenValidationResult, TokenResponse, TenantWebhookPayload, TenantValidators, TenantUserRegistration, TenantStoredConfigLocator, TenantStoreWithEsCache, TenantStoreWithESOptions, TenantStoreWithES, TenantStore, TenantStatus, TenantSortOptions, TenantSortField, TenantSecretsConfig, TenantRoutingStrategy, TenantRequestError, TenantRemoteConfigLocator, TenantPathRoutingStrategy, TenantPathNamespace, TenantPathMatch, TenantManagerStore, TenantListOptions, TenantJwtRoutingStrategy, TenantEsFactory, TenantDirectoryTenant, TenantDirectoryResponse, TenantDirectoryAccount, TenantConfigStoreRequest, TenantConfigSourceInput, TenantConfigLocator, TenantConfigEnv, StoredUser, StoredTenantRecord, StoredTenant, StoredGroup, StateCookie, StandardSchemaWithValidate, SortDirection, SingleTenantStoreOptions, SingleTenantStore, SessionStore, Session, ServerOnlyWorkloadConfig, SecretsValidators, SecretsSourceType, SecretsSourceMap, SecretsSourceConfig, SecretsSource, SecretsOperationOptions, SecretsModuleConfig, Secrets, SecretRequestSeverity, SecretLifecycleRequest, Secret, User as ScimUser, ScimServiceProviderConfig, ScimSchemaDefinition, ScimSchemaAttributeDefinition, ScimResult, ScimResourceTypeSchemaExtension, ScimResourceType, ScimListResponse, ScimError, ScimAuthenticationScheme, SSOValidators, SSOHandlerConfig, SSOConfig, SSOAppValidators, SSOAppRegistry, SSO, Role, ResolvedVaultLfvSecretsConfig, RemoteConfig, RegisterSSOAppResult, RegisterSSOAppPayload, RegisterSSOAppError, RegisterIAMAppResult, RegisterIAMAppPayload, RegisterIAMAppError, ReactiveHandle, Photo, PhoneNumber, OidcCallbackParams, Name, MultipleTenantsForUserError, MultiTenantStoreOptions, MultiTenantStore, ModifiableFrameworkConfig, MetaData, MagicLinkStore, MagicLink, LoginConfig, Logger, ListResult, LfvOtpResponse, LfvOtpRequest, LfvErrorResponse, LfvErrorCode, LfvActionRequestBase, LfvActionName, LfvActionAcceptedResponse, JwtBearerWorkloadConfig, JWTAssertionClaims, InMemoryTenantStoreOptions, InMemorySingleTenantStoreOptions, InMemorySingleTenantStore, InMemoryMultiTenantStoreOptions, InMemoryMultiTenantStore, IdTokenClaims, IAMValidators, IAMUsersInbound, IAMInboundUsersConfig, IAMInboundUserContext, IAMHandlerConfig, IAMGroupsOutbound, IAMGroupsInbound, IAMDiscoveryHandlerConfig, IAMDiscoveryContext, IAMDiscoveryConfig, IAMConfig, IAMAppValidators, IAMAppRole, IAMAppRegistry, IAM, GroupsInboundHandlerConfig, GroupStore, GroupSortOptions, GroupSortField, GroupResource, GroupMember, GroupListOptions, Group, GcpSecretsConfig, FrameworkWorkloadIncomingOutgoing, FrameworkWorkloadConfig, FrameworkStores, FrameworkSecretsSourceConfig, FrameworkSecretsModuleConfig, FrameworkConfig, EnvironmentType, EnterpriseUser, EnterpriseStandardFromConfig, EnterpriseStandardBase, EnterpriseStandard, EnterpriseExtension, Email, ESValidators, ESRoutingOptions, ESRouteModule, ESRouteFilterResult, ESResolvedRoute, ESModuleFromConfig, ESConfigChangeResult, ESConfigChangeOptions, ESConfigChangeCallback, ESConfig, DevSecretsConfig, DEFAULT_TENANT_UI_NAMESPACE, DEFAULT_TENANT_API_NAMESPACE, CreateUserOptions, CreateTenantResponse, CreateTenantRequest, CreateGroupOptions, ConfigSourceType, ConfigSource, ClientCredentialsWorkloadConfig, ChangeListener, CachedWorkloadToken, CIAMValidators, CIAMConfigFromCode, CIAMConfig, CIAM, BaseUser, AzureSecretsConfig, AwsSecretsConfig, AwsAuthMethod, ApplicationValidators, Address };