npm - @enterprisestandard/core - Versions diffs - 0.0.15-beta.20260420.1 → 0.0.16 - Mend

@enterprisestandard/core 0.0.15-beta.20260420.1 → 0.0.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.d.ts +1321 -1349
package/dist/index.js +1 -1
package/dist/server.d.ts +1127 -1241
package/dist/server.js +1 -1
package/dist/shared/core-wpy88bze.js +12 -0
package/package.json +3 -3
package/dist/shared/core-assxr5dn.js +0 -12

package/dist/index.d.ts CHANGED Viewed

@@ -1,6 +1,6 @@
 import { version } from "../package.json";
 import { StandardSchemaV1 as StandardSchemaV18 } from "@standard-schema/spec";
-import { StandardSchemaV1 as StandardSchemaV15 } from "@standard-schema/spec";
+import { StandardSchemaV1 as StandardSchemaV17 } from "@standard-schema/spec";
 /**
 * Minimal logger interface compatible with common patterns (console, pino, winston, etc.)
 */
@@ -641,37 +641,8 @@ interface GroupStore<TExtended = Record<string, never>> {
 	*/
 	removeMember(groupId: string, memberId: string): Promise<void>;
 }
-/**
-* Base user with simple, developer-friendly attributes.
-* Extended by User (SSO) and EnterpriseUser (SCIM).
-*/
-interface BaseUser {
-	/**
-	* Unique identifier for the user
-	*/
-	id?: string;
-	/**
-	* REQUIRED. Unique identifier for login
-	*/
-	userName: string;
-	/**
-	* REQUIRED. Simple display name
-	*/
-	name: string;
-	/**
-	* REQUIRED. Primary email address
-	*/
-	email: string;
-	/**
-	* URL to user's avatar/profile picture
-	*/
-	avatar?: string;
-	/**
-	* User type (e.g., "employee", "contractor", "customer").
-	* Shared by SSO/CIAM and enterprise/SCIM user representations.
-	*/
-	userType?: string;
-}
+import { StandardSchemaV1 as StandardSchemaV16 } from "@standard-schema/spec";
+import { StandardSchemaV1 as StandardSchemaV13 } from "@standard-schema/spec";
 import { StandardSchemaV1 as StandardSchemaV12 } from "@standard-schema/spec";
 /**
 * OIDC Code Flow Callback URL Parameters
@@ -758,6 +729,191 @@ interface IdTokenClaims {
 */
 declare function idTokenClaimsSchema(vendor: string): StandardSchemaV12<Record<string, unknown>, IdTokenClaims>;
 /**
+* Session management for tracking user sessions and enabling backchannel logout.
+*
+* Session stores are optional - the package works with JWT cookies alone.
+* Sessions are only required for backchannel logout functionality.
+*
+* ## Session Validation Strategies
+*
+* When using a session store, you can configure when sessions are validated:
+*
+* ### 'always' (default)
+* Validates session on every authenticated request.
+* - **Security**: Maximum - immediate session revocation
+* - **Performance**: InMemory ~0.00005ms, Redis ~1-2ms per request
+* - **Backchannel Logout**: Takes effect immediately
+* - **Use when**: Security is paramount, using InMemory or Redis backend
+*
+* ### 'refresh-only'
+* Validates session only during token refresh (typically every 5-15 minutes).
+* - **Security**: Good - 5-15 minute revocation window
+* - **Performance**: 99% reduction in session lookups
+* - **Backchannel Logout**: Takes effect within token TTL (5-15 min)
+* - **Use when**: Performance is critical AND delayed revocation is acceptable
+* - **WARNING**: Compromised sessions remain valid until next refresh
+*
+* ### 'disabled'
+* Never validates sessions against the store.
+* - **Security**: None - backchannel logout doesn't work
+* - **Performance**: No overhead
+* - **Use when**: Cookie-only mode without session store
+* - **WARNING**: Do not use with sessionStore configured
+*
+* ## Performance Characteristics
+*
+* | Backend      | Lookup Time | Impact on Request | Recommendation         |
+* |--------------|-------------|-------------------|------------------------|
+* | InMemory     | <0.00005ms  | Negligible        | Use 'always'           |
+* | Redis        | 1-2ms       | 2-4% increase     | Use 'always' or test   |
+* | Database     | 5-20ms      | 10-40% increase   | Use Redis cache layer  |
+*
+* ## Example Usage
+*
+* ```typescript
+* import { sso, InMemorySessionStore } from '@enterprisestandard/server';
+*
+* // Maximum security (default)
+* const secure = sso({
+*   // ... other config
+*   sessionStore: new InMemorySessionStore(),
+*   session_validation: 'always', // Immediate revocation
+* });
+*
+* // High performance
+* const fast = sso({
+*   // ... other config
+*   sessionStore: new InMemorySessionStore(),
+*   session_validation: {
+*     strategy: 'refresh-only' // 5-15 min revocation delay
+*   }
+* });
+* ```
+*/
+/**
+* Core session data tracked for each authenticated user session.
+*
+* @template TExtended - Type-safe custom data that consumers can add to sessions
+*/
+type Session<TExtended = object> = {
+	/**
+	* Session ID from the Identity Provider (from `sid` claim in ID token).
+	* This is the unique identifier for the session.
+	*/
+	sid: string;
+	/**
+	* Subject identifier (user ID) from the Identity Provider.
+	* From the `sub` claim in the ID token.
+	*/
+	sub: string;
+	/**
+	* Timestamp when the session was created.
+	*/
+	createdAt: Date;
+	/**
+	* Timestamp of the last activity in this session.
+	* Can be updated to track session activity.
+	*/
+	lastActivityAt: Date;
+	/**
+	* Allow consumers to add runtime data to sessions.
+	*/
+	[key: string]: unknown;
+} & TExtended;
+/**
+* Abstract interface for session storage backends.
+*
+* Consumers can implement this interface to use different storage backends:
+* - Redis
+* - Database (PostgreSQL, MySQL, etc.)
+* - Distributed cache
+* - Custom solutions
+*
+* @template TExtended - Type-safe custom data that consumers can add to sessions
+*
+* @example
+* ```typescript
+* // Custom session data
+* type MySessionData = {
+*   ipAddress: string;
+*   userAgent: string;
+* };
+*
+* // Implement custom store
+* class RedisSessionStore implements SessionStore<MySessionData> {
+*   async create(session: Session<MySessionData>): Promise<void> {
+*     await redis.set(`session:${session.sid}`, JSON.stringify(session));
+*   }
+*   // ... other methods
+* }
+* ```
+*/
+interface SessionStore<TExtended = object> {
+	/**
+	* Create a new session in the store.
+	*
+	* @param session - The session data to store
+	* @throws Error if session with same sid already exists
+	*/
+	create(session: Session<TExtended>): Promise<void>;
+	/**
+	* Retrieve a session by its IdP session ID (sid).
+	*
+	* @param sid - The session.sid from the Identity Provider
+	* @returns The session if found, null otherwise
+	*/
+	get(sid: string): Promise<Session<TExtended> | null>;
+	/**
+	* Update an existing session with partial data.
+	*
+	* Commonly used to update lastActivityAt or add custom fields.
+	*
+	* @param sid - The session.sid to update
+	* @param data - Partial session data to merge
+	* @throws Error if session not found
+	*/
+	update(sid: string, data: Partial<Session<TExtended>>): Promise<void>;
+	/**
+	* Delete a session by its IdP session ID (sid).
+	*
+	* Used for both normal logout and backchannel logout flows.
+	*
+	* @param sid - The session.sid to delete
+	*/
+	delete(sid: string): Promise<void>;
+}
+/**
+* Base user with simple, developer-friendly attributes.
+* Extended by User (SSO) and EnterpriseUser (SCIM).
+*/
+interface BaseUser {
+	/**
+	* Unique identifier for the user
+	*/
+	id?: string;
+	/**
+	* REQUIRED. Unique identifier for login
+	*/
+	userName: string;
+	/**
+	* REQUIRED. Simple display name
+	*/
+	name: string;
+	/**
+	* REQUIRED. Primary email address
+	*/
+	email: string;
+	/**
+	* URL to user's avatar/profile picture
+	*/
+	avatar?: string;
+	/**
+	* User type (e.g., "employee", "contractor", "customer").
+	* Shared by SSO/CIAM and enterprise/SCIM user representations.
+	*/
+	userType?: string;
+}
+/**
 * Primary user type for SSO/OIDC applications.
 * Extends BaseUser with SSO-specific data.
 */
@@ -795,229 +951,111 @@ interface User2 extends BaseUser {
 		expires: Date;
 	};
 }
-/**
-* Stored user data with required id and tracking metadata.
-*
-* Extends the SSO User type with:
-* - Required `id` (the `sub` claim from the IdP)
-* - Timestamps for tracking when users were first seen and last updated
-* - Optional custom extended data
-*
-* @template TExtended - Type-safe custom data that consumers can add to users
-*/
-type StoredUser<TExtended = object> = User2 & {
+type SSOConfig<
+	TSessionData = Record<string, never>,
+	TUserData = Record<string, never>
+> = {
+	authority?: string;
+	tokenUrl?: string;
+	authorizationUrl?: string;
+	clientId?: string;
+	clientSecret?: string;
+	redirectUri?: string;
+	responseType?: "code";
+	scope?: string;
+	silentRedirectUri?: string;
+	jwksUri?: string;
+	cookiesPrefix?: string;
+	cookiesPath?: string;
+	cookiesSecure?: boolean;
+	cookiesSameSite?: "Strict" | "Lax";
 	/**
-	* Required unique identifier (the `sub` claim from the IdP).
-	* This is the primary key for user storage.
+	* Optional cookie name for tracking the active session across tenants.
+	* Defaults to 'es.active_session' when using the helper utilities.
 	*/
-	id: string;
-	/**
-	* Optional Enterprise Standard tenant identifier for tenant-aware apps.
-	* Built-in user stores can use this when registering HRD mappings.
-	*/
-	tenantId?: string;
-	/**
-	* Optional external identifier from the provisioning client.
-	* Commonly set by IAM inbound SCIM provisioning flows.
-	*/
-	externalId?: string;
-	/**
-	* Optional SCIM display name distinct from the simple `name` field.
-	* Commonly set by IAM inbound SCIM provisioning flows.
-	*/
-	displayName?: string;
-	/**
-	* Optional structured SCIM name.
-	* Commonly set by IAM inbound SCIM provisioning flows.
-	*/
-	scimName?: Name;
-	/**
-	* Optional SCIM email collection.
-	* The simple `email` field still stores the primary email for quick lookup.
-	*/
-	emails?: Email[];
-	/**
-	* Optional SCIM nickname.
-	* Commonly set by IAM inbound SCIM provisioning flows.
-	*/
-	nickName?: string;
-	/**
-	* Optional SCIM account state.
-	* Commonly set by IAM inbound SCIM provisioning flows.
-	*/
-	active?: boolean;
-	/**
-	* Optional SCIM job title.
-	* Commonly set by IAM inbound SCIM provisioning flows.
-	*/
-	title?: string;
-	/**
-	* Optional SCIM preferred language.
-	* Commonly set by IAM inbound SCIM provisioning flows.
-	*/
-	preferredLanguage?: string;
-	/**
-	* Optional SCIM locale.
-	* Commonly set by IAM inbound SCIM provisioning flows.
-	*/
-	locale?: string;
-	/**
-	* Optional SCIM timezone.
-	* Commonly set by IAM inbound SCIM provisioning flows.
-	*/
-	timezone?: string;
-	/**
-	* Optional SCIM phone numbers.
-	* Commonly set by IAM inbound SCIM provisioning flows.
-	*/
-	phoneNumbers?: PhoneNumber[];
-	/**
-	* Optional SCIM instant messaging addresses.
-	* Commonly set by IAM inbound SCIM provisioning flows.
-	*/
-	ims?: Array<{
-		value: string;
-		display?: string;
-		type?: string;
-		primary?: boolean;
-	}>;
-	/**
-	* Optional SCIM photos.
-	* Commonly set by IAM inbound SCIM provisioning flows.
-	*/
-	photos?: Photo[];
-	/**
-	* Optional SCIM addresses.
-	* Commonly set by IAM inbound SCIM provisioning flows.
-	*/
-	addresses?: Address[];
-	/**
-	* Optional SCIM roles.
-	* Commonly set by IAM inbound SCIM provisioning flows.
-	*/
-	roles?: Role[];
-	/**
-	* Optional SCIM groups.
-	* Commonly set by IAM inbound SCIM provisioning flows.
-	*/
-	groups?: Group[];
-	/**
-	* Optional SCIM entitlements.
-	* Commonly set by IAM inbound SCIM provisioning flows.
-	*/
-	entitlements?: Array<{
-		value: string;
-		display?: string;
-		type?: string;
-		primary?: boolean;
-	}>;
-	/**
-	* Optional SCIM X.509 certificates.
-	* Commonly set by IAM inbound SCIM provisioning flows.
-	*/
-	x509Certificates?: X509Certificate[];
-	/**
-	* Optional SCIM enterprise extension.
-	* Mirrors `urn:ietf:params:scim:schemas:extension:enterprise:2.0:User`.
-	* Commonly set by IAM inbound SCIM provisioning flows.
-	*/
-	scimEnterprise?: EnterpriseExtension;
-	/**
-	* Optional pass-through SCIM schema extensions keyed by full URN.
-	* Use this when your validator accepts custom top-level SCIM extensions and
-	* you want them to round-trip through a `UserStore` implementation.
-	*/
-	scimSchemaExtensions?: Record<string, unknown>;
-	/**
-	* Timestamp when the user was first stored.
-	*/
-	createdAt: Date;
-	/**
-	* Timestamp when the user was last updated (e.g., on re-login).
-	*/
-	updatedAt: Date;
-} & TExtended;
-/**
-* Abstract interface for user storage backends.
-*
-* Consumers can implement this interface to use different storage backends:
-* - In-memory (for development/testing)
-* - Redis (for production with fast lookups)
-* - Database (PostgreSQL, MySQL, etc.)
-*
-* @template TExtended - Type-safe custom data that consumers can add to users
-*
-* @example
-* ```typescript
-* // Custom user data
-* type MyUserData = {
-*   department: string;
-*   roles: string[];
-* };
-*
-* // Implement custom store
-* class RedisUserStore implements UserStore<MyUserData> {
-*   async get(sub: string): Promise<StoredUser<MyUserData> | null> {
-*     const data = await redis.get(`user:${sub}`);
-*     return data ? JSON.parse(data) : null;
-*   }
-*   // ... other methods
-* }
-* ```
-*/
-interface UserStore<TExtended = object> {
-	/**
-	* Retrieve a user by their subject identifier (sub).
-	*
-	* @param sub - The user's unique identifier from the IdP
-	* @returns The user if found, null otherwise
-	*/
-	get(sub: string): Promise<StoredUser<TExtended> | null>;
-	/**
-	* Retrieve a user by their email address.
-	*
-	* @param email - The user's email address
-	* @returns The user if found, null otherwise
-	*/
-	getByEmail(email: string): Promise<StoredUser<TExtended> | null>;
-	/**
-	* Retrieve a user by their username.
-	*
-	* @param userName - The user's username
-	* @returns The user if found, null otherwise
-	*/
-	getByUserName(userName: string): Promise<StoredUser<TExtended> | null>;
-	/**
-	* Create or update a user in the store.
-	*
-	* If a user with the same `id` (sub) exists, it will be updated.
-	* Otherwise, a new user will be created.
-	*
-	* @param user - The user data to store
-	*/
-	upsert(user: StoredUser<TExtended>): Promise<void>;
+	activeSessionCookieName?: string;
+	endSessionEndpoint?: string;
+	revocationEndpoint?: string;
+	sessionStore?: SessionStore<TSessionData>;
 	/**
-	* Delete a user by their subject identifier (sub).
-	*
-	* @param sub - The user's unique identifier to delete
+	* Optional user store for persisting user profiles from SSO authentication.
+	* When configured, users are automatically stored/updated on each login.
 	*/
-	delete(sub: string): Promise<void>;
+	userStore?: UserStore<TUserData>;
 	/**
-	* List users in the store with optional pagination and sort.
-	*
-	* @param options - Optional start (0-based), limit (page size), and sort
-	* @returns ListResult with total, count, items, size, page, pages
+	* Enable Just-In-Time (JIT) user provisioning.
+	* When enabled, new users are automatically created in the userStore on their first login.
+	* When disabled (default), only existing users in the userStore are updated on login.
+	* Requires userStore to be configured.
+	* @default false
 	*/
-	list(options?: UserListOptions): Promise<ListResult<StoredUser<TExtended>>>;
-}
-import { StandardSchemaV1 as StandardSchemaV14 } from "@standard-schema/spec";
+	enableJitUserProvisioning?: boolean;
+	validators?: SSOValidators;
+} & SSOHandlerConfig;
+type StateCookie = {
+	state: string;
+	codeVerifier: string;
+	landingUrl: string;
+	errorUrl?: string;
+};
+type CookieOptions = {
+	cookieName?: string;
+	path?: string;
+	maxAge?: number;
+	secure?: boolean;
+	sameSite?: "Strict" | "Lax";
+};
+declare function getActiveSession(request: Request, options?: CookieOptions): string | undefined;
+declare function setActiveSession(clientId: string, options?: CookieOptions): string;
+declare function clearActiveSession(options?: CookieOptions): string;
+declare function listSsoClientIdsFromCookies(requestOrCookieHeader: Request | string | null | undefined, options?: {
+	cookiePrefix?: string;
+}): string[];
+declare function findTenantFromStateParam(cookieHeader: string | null | undefined, stateParam: string): {
+	clientId: string;
+	stateCookie: StateCookie;
+} | undefined;
+type LoginConfig = {
+	landingUrl: string;
+	errorUrl?: string;
+};
+type SSOHandlerConfig = {
+	loginUrl?: string;
+	userUrl?: string;
+	errorUrl?: string;
+	landingUrl?: string;
+	tokenUrl?: string;
+	refreshUrl?: string;
+	jwksUrl?: string;
+	logoutUrl?: string;
+	logoutBackChannelUrl?: string;
+};
+type SSOValidators = {
+	callbackParams: StandardSchemaV13<unknown, OidcCallbackParams>;
+	idTokenClaims: StandardSchemaV13<unknown, IdTokenClaims>;
+	tokenResponse: StandardSchemaV13<unknown, TokenResponse>;
+};
+type SSO<
+	TSessionData = Record<string, never>,
+	TUserData = Record<string, never>
+> = SSOConfig<TSessionData, TUserData> & {
+	getUser: (request: Request) => Promise<User2 | undefined>;
+	getRequiredUser: (request: Request) => Promise<User2>;
+	getJwt: (request: Request) => Promise<string | undefined>;
+	initiateLogin: (config: LoginConfig, requestUrl?: string) => Promise<Response>;
+	logout: (request: Request, config?: LoginConfig) => Promise<Response>;
+	logoutBackChannel2: (request: Request) => Promise<Response>;
+	callbackHandler: (request: Request) => Promise<Response>;
+	handler: (request: Request) => Promise<Response>;
+};
+import { StandardSchemaV1 as StandardSchemaV15 } from "@standard-schema/spec";
 type ChangeListener = () => void;
 type ReactiveHandle = {
 	beforeChange?(listener: ChangeListener): () => void;
 	afterChange?(listener: ChangeListener): () => void;
 	isAvailable?(): boolean;
 };
-import { StandardSchemaV1 as StandardSchemaV13 } from "@standard-schema/spec";
+import { StandardSchemaV1 as StandardSchemaV14 } from "@standard-schema/spec";
 /**
 * JWT Assertion Claims for OAuth2 JWT Bearer Grant (RFC 7523) and OAuth2 Access Tokens
 * @see https://datatracker.ietf.org/doc/html/rfc7523
@@ -1064,7 +1102,7 @@ interface JWTAssertionClaims {
 * @param vendor - The name of the vendor creating this schema
 * @returns A StandardSchemaV1 instance for JWT Assertion Claims validation
 */
-declare function jwtAssertionClaimsSchema(vendor: string): StandardSchemaV13<Record<string, unknown>, JWTAssertionClaims>;
+declare function jwtAssertionClaimsSchema(vendor: string): StandardSchemaV14<Record<string, unknown>, JWTAssertionClaims>;
 /**
 * Workload Token Response from OAuth2 token endpoint
 * @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.1
@@ -1100,7 +1138,7 @@ interface WorkloadTokenResponse {
 * @param vendor - The name of the vendor creating this schema
 * @returns A StandardSchemaV1 instance for Workload Token Response validation
 */
-declare function workloadTokenResponseSchema(vendor: string): StandardSchemaV13<Record<string, unknown>, WorkloadTokenResponse>;
+declare function workloadTokenResponseSchema(vendor: string): StandardSchemaV14<Record<string, unknown>, WorkloadTokenResponse>;
 /**
 * Token Validation Result
 */
@@ -1347,8 +1385,8 @@ type WorkloadConfigBase = {
 	validators?: WorkloadValidators;
 };
 type WorkloadValidators = {
-	jwtAssertionClaims: StandardSchemaV14<unknown, JWTAssertionClaims>;
-	tokenResponse: StandardSchemaV14<unknown, WorkloadTokenResponse>;
+	jwtAssertionClaims: StandardSchemaV15<unknown, JWTAssertionClaims>;
+	tokenResponse: StandardSchemaV15<unknown, WorkloadTokenResponse>;
 };
 /**
 * JWT Bearer Grant (RFC 7523) Configuration
@@ -1528,951 +1566,545 @@ type Workload = WorkloadConfig & ReactiveHandle & {
 };
 type WorkloadClient = Pick<Workload, "getToken" | "refreshToken" | "generateJWTAssertion" | "revokeToken" | "beforeChange" | "afterChange" | "isAvailable">;
 /**
-* SCIM Error response structure
-*/
-interface ScimError {
-	schemas: string[];
-	status: string;
-	scimType?: string;
-	detail?: string;
-}
-/**
-* SCIM List Response for bulk operations
-*/
-interface ScimListResponse<T> {
-	schemas: string[];
-	totalResults: number;
-	startIndex?: number;
-	itemsPerPage?: number;
-	Resources: T[];
-}
-/**
-* Result of a SCIM operation
-*/
-interface ScimResult<T> {
-	success: boolean;
-	data?: T;
-	error?: ScimError;
-	status: number;
-}
-/**
-* Handler configuration for IAM
+* Magic link data stored in the store.
+*
+* @template TExtended - Type-safe custom data that consumers can add to magic links
 */
-interface IAMHandlerConfig {
+type MagicLink<TExtended = object> = {
 	/**
-	* Base path for the SCIM Users endpoints (e.g., '/api/iam/Users')
+	* The magic link token (unique identifier)
 	*/
-	usersUrl?: string;
+	token: string;
 	/**
-	* Base path for the SCIM Groups endpoints (e.g., '/api/iam/Groups')
+	* User information associated with this magic link
 	*/
-	groupsUrl?: string;
+	user: BaseUser;
 	/**
-	* Handler overrides for SCIM discovery endpoints (e.g., '/api/iam/ServiceProviderConfig')
+	* Timestamp when the magic link was created
 	*/
-	discovery?: IAMDiscoveryHandlerConfig;
-}
+	createdAt: Date;
+	/**
+	* Timestamp when the magic link expires
+	*/
+	expiresAt: Date;
+	/**
+	* Allow consumers to add runtime data to magic links
+	*/
+	[key: string]: unknown;
+} & TExtended;
 /**
-* IAM configuration
+* Abstract interface for magic link storage backends.
 *
-* - If `url` is provided, groups_outbound is enabled (app calls external IAM)
-* - If `groupStore` is provided, groups_inbound is enabled (external IAM calls app)
-* - If `userStore` is provided, users_inbound is enabled (external IAM calls app)
+* Consumers can implement this interface to use different storage backends:
+* - In-memory (for development/testing)
+* - Redis (for production with fast lookups and automatic expiration)
+* - Database (PostgreSQL, MySQL, etc.)
+*
+* @template TExtended - Type-safe custom data that consumers can add to magic links
+*
+* @example
+* ```typescript
+* // Custom magic link data
+* type MyMagicLinkData = {
+*   source: string;
+*   metadata: Record<string, unknown>;
+* };
+*
+* // Implement custom store
+* class RedisMagicLinkStore implements MagicLinkStore<MyMagicLinkData> {
+*   async create(token: string, user: BaseUser, expiresAt: Date): Promise<void> {
+*     const magicLink: MagicLink<MyMagicLinkData> = {
+*       token,
+*       user,
+*       createdAt: new Date(),
+*       expiresAt,
+*       source: 'api',
+*       metadata: {},
+*     };
+*     const ttl = Math.floor((expiresAt.getTime() - Date.now()) / 1000);
+*     await redis.setex(`magic-link:${token}`, ttl, JSON.stringify(magicLink));
+*   }
+*   // ... other methods
+* }
+* ```
 */
-type IAMConfig = {
+interface MagicLinkStore<TExtended = object> {
 	/**
-	* Base URL of the external SCIM endpoint (e.g., https://sailpoint.example.com/scim/v2)
-	* If provided, enables outbound SCIM operations (app -> external IAM)
+	* Create a new magic link in the store.
+	*
+	* @param token - The magic link token (unique identifier)
+	* @param user - The user information to associate with this magic link
+	* @param expiresAt - When the magic link expires
+	* @throws Error if magic link with same token already exists
 	*/
-	url?: string;
+	create(token: string, user: BaseUser, expiresAt: Date): Promise<void>;
 	/**
-	* Store for inbound user provisioning from external IAM providers.
-	* When configured, the app can receive user CRUD operations via SCIM.
+	* Retrieve a magic link by its token.
+	*
+	* @param token - The magic link token
+	* @returns The magic link if found and not expired, null otherwise
 	*/
-	userStore?: UserStore;
+	get(token: string): Promise<MagicLink<TExtended> | null>;
 	/**
-	* Optional inbound user mapping hooks for SCIM provisioning.
-	* Use these when the default StoredUser <-> SCIM mapping is not a direct fit
-	* for your application's database model.
+	* Delete a magic link by its token.
+	*
+	* Used after a magic link has been consumed (one-time use).
+	*
+	* @param token - The magic link token to delete
 	*/
-	inboundUsers?: IAMInboundUsersConfig;
+	delete(token: string): Promise<void>;
+}
+type Secret<T> = {
+	data: T;
+	metadata: MetaData;
+};
+type MetaData = {
+	path: string;
+	version: number;
+	created: Date;
+};
+type SecretsSourceType = "vault" | "azure" | "aws" | "gcp" | "dev";
+type SecretRequestSeverity = "low" | "medium" | "high" | "critical";
+type SecretLifecycleRequest = {
+	reason?: string;
+	severity?: SecretRequestSeverity;
+	incidentRef?: string;
+};
+type SecretsOperationOptions = {
+	/** Optional timeout in milliseconds for this secrets operation. */
+	timeout?: number;
+};
+type SecretsSource = ReactiveHandle & {
+	type: SecretsSourceType;
+	getFullSecret: <T>(path: string, options?: SecretsOperationOptions) => Promise<Secret<T>>;
+	getSecret: <T>(path: string, options?: SecretsOperationOptions) => Promise<T>;
 	/**
-	* Store for inbound group provisioning from external IAM providers.
-	* When configured, enables groups_inbound (external IAM -> app).
+	* Write a secret at the given path.
+	* Implementations may throw for read-only or unsupported secret sources.
 	*/
-	groupStore?: GroupStore;
+	putSecret: (path: string, value: Record<string, unknown>, options?: SecretsOperationOptions) => Promise<void>;
 	/**
-	* Optional handler defaults. These are merged with per-call overrides in
-	* `iam.handler`, with per-call values taking precedence.
+	* When set, the secret source supports change detection and will call onChange when the secret changes.
+	* Implementations must only invoke onChange when the secret version has changed from the last time
+	* that subscription was notified (same version must not trigger a second call).
+	* @returns a unsubscribe/cleanup function.
 	*/
-	usersUrl?: string;
-	groupsUrl?: string;
-	discovery?: IAMDiscoveryConfig;
-};
-type IAMValidators = {
-	user: StandardSchemaV15<unknown, User>;
-	group: StandardSchemaV15<unknown, GroupResource>;
-};
-interface IAMInboundUserContext {
+	subscribe<T>(path: string, onChange: (fullSecret: Secret<T>) => void): () => void;
 	/**
-	* Current stored user when replacing or patching an existing resource.
+	* Deletes a secret at the given path.
 	*/
-	existing?: StoredUser;
+	deleteSecret(path: string, options?: SecretsOperationOptions): Promise<void>;
 	/**
-	* Operation mode for the inbound mapper.
+	* Lists child paths under the given base path.
 	*/
-	mode: "create" | "replace" | "patch";
-}
-interface IAMInboundUsersConfig {
+	listPaths(path: string, options?: SecretsOperationOptions): Promise<string[]>;
 	/**
-	* Replace the default validated SCIM -> StoredUser mapper.
+	* Returns true when a secret path exists.
 	*/
-	mapValidatedScimToStoredUser?: (validated: User, context: IAMInboundUserContext) => StoredUser | Promise<StoredUser>;
+	exists(path: string, options?: SecretsOperationOptions): Promise<boolean>;
 	/**
-	* Replace the default StoredUser -> SCIM response mapper.
+	* Requests secret rotation for the given path.
 	*/
-	mapStoredUserToScim?: (stored: StoredUser) => User | Promise<User>;
-}
-interface ScimAuthenticationScheme {
-	type: string;
-	name: string;
-	description?: string;
-	specUri?: string;
-	documentationUri?: string;
-	primary?: boolean;
-}
-interface ScimServiceProviderConfig {
-	schemas: string[];
-	documentationUri?: string;
-	patch: {
-		supported: boolean;
-	};
-	bulk: {
-		supported: boolean;
-		maxOperations?: number;
-		maxPayloadSize?: number;
-	};
-	filter: {
-		supported: boolean;
-		maxResults?: number;
-	};
-	changePassword: {
-		supported: boolean;
-	};
-	sort: {
-		supported: boolean;
-	};
-	etag: {
-		supported: boolean;
-	};
-	authenticationSchemes?: ScimAuthenticationScheme[];
-	meta?: {
-		resourceType?: string;
-		location?: string;
-	};
-}
-interface ScimResourceTypeSchemaExtension {
-	schema: string;
-	required: boolean;
-}
-interface ScimResourceType {
-	schemas: string[];
-	id: string;
-	name: string;
-	description?: string;
-	endpoint: string;
-	schema: string;
-	schemaExtensions?: ScimResourceTypeSchemaExtension[];
-	meta?: {
-		resourceType?: string;
-		location?: string;
-	};
-}
-interface ScimSchemaAttributeDefinition {
-	name: string;
-	type: "string" | "boolean" | "complex" | "reference" | "dateTime";
-	multiValued: boolean;
-	description?: string;
-	required?: boolean;
-	caseExact?: boolean;
-	mutability?: "readOnly" | "readWrite" | "immutable" | "writeOnly";
-	returned?: "always" | "never" | "default" | "request";
-	uniqueness?: "none" | "server" | "global";
-	referenceTypes?: string[];
-	subAttributes?: ScimSchemaAttributeDefinition[];
-}
-interface ScimSchemaDefinition {
-	schemas: string[];
-	id: string;
-	name: string;
-	description?: string;
-	attributes: ScimSchemaAttributeDefinition[];
-	meta?: {
-		resourceType?: string;
-		location?: string;
-	};
-}
-interface IAMDiscoveryContext {
-	request: Request;
-	basePath: string;
-	usersUrl: string;
-	groupsUrl: string;
-	supportsUsers: boolean;
-	supportsGroups: boolean;
-}
-interface IAMDiscoveryConfig {
-	/**
-	* Public IAM base path used for SCIM discovery. When omitted, the SDK derives
-	* it from `usersUrl` or `groupsUrl`.
-	*/
-	basePath?: string;
-	/**
-	* Optional documentation URI advertised in ServiceProviderConfig.
-	*/
-	documentationUri?: string;
+	requestRotate(path: string, request?: SecretLifecycleRequest, options?: SecretsOperationOptions): Promise<void>;
 	/**
-	* Override the default ServiceProviderConfig response.
+	* Requests secret revocation for the given path.
 	*/
-	buildServiceProviderConfig?: (context: IAMDiscoveryContext, defaults: ScimServiceProviderConfig) => ScimServiceProviderConfig | Promise<ScimServiceProviderConfig>;
+	requestRevoke(path: string, request?: SecretLifecycleRequest, options?: SecretsOperationOptions): Promise<void>;
 	/**
-	* Override the default ResourceTypes response.
+	* Reads metadata for the given path.
 	*/
-	buildResourceTypes?: (context: IAMDiscoveryContext, defaults: ScimResourceType[]) => ScimResourceType[] | Promise<ScimResourceType[]>;
+	getMetadata(path: string, options?: SecretsOperationOptions): Promise<Record<string, unknown>>;
+};
+type SecretsValidators = {
 	/**
-	* Override the default Schemas response.
+	* Optional hook to validate merged source configs before they are resolved.
+	* Throw from this callback to reject invalid secrets source configuration.
 	*/
-	buildSchemas?: (context: IAMDiscoveryContext, defaults: ScimSchemaDefinition[]) => ScimSchemaDefinition[] | Promise<ScimSchemaDefinition[]>;
-}
+	validateSourceConfig?(sourceName: string, config: SecretsSourceConfig): void;
+};
+type Secrets = ReactiveHandle & {
+	/** Named secrets sources client configurations from RemoteConfig. */
+	config: SecretsSourceMap;
+	/** Returns configured secrets source names/keys. */
+	listSecretsSources(): string[];
+	/** Gets a named secrets source client. Throws when missing. */
+	getSecretsSource(sourceName: string): SecretsSource;
+	/** Reads a secret from a named secrets source client. */
+	getSecret<T>(sourceName: string, path: string, options?: SecretsOperationOptions): Promise<T>;
+	/** Reads full secret data + metadata from a named secrets source client. */
+	getFullSecret<T>(sourceName: string, path: string, options?: SecretsOperationOptions): Promise<Secret<T>>;
+	/** Writes a secret to a named secrets source client. */
+	putSecret(sourceName: string, path: string, value: Record<string, unknown>, options?: SecretsOperationOptions): Promise<void>;
+	/** Deletes a secret from a named secrets source client. */
+	deleteSecret(sourceName: string, path: string, options?: SecretsOperationOptions): Promise<void>;
+	/** Lists child paths under a base path for a named secrets source client. */
+	listPaths(sourceName: string, path: string, options?: SecretsOperationOptions): Promise<string[]>;
+	/** Returns true when a path exists for a named secrets source client. */
+	exists(sourceName: string, path: string, options?: SecretsOperationOptions): Promise<boolean>;
+	/** Requests rotation for a secret path in a named secrets source client. */
+	requestRotate(sourceName: string, path: string, request?: SecretLifecycleRequest, options?: SecretsOperationOptions): Promise<void>;
+	/** Requests revocation for a secret path in a named secrets source client. */
+	requestRevoke(sourceName: string, path: string, request?: SecretLifecycleRequest, options?: SecretsOperationOptions): Promise<void>;
+	/** Reads metadata for a secret path in a named secrets source client. */
+	getMetadata(sourceName: string, path: string, options?: SecretsOperationOptions): Promise<Record<string, unknown>>;
+	/** Subscribes to secret changes on a named secrets source client. */
+	subscribe<T>(sourceName: string, path: string, onChange: (fullSecret: Secret<T>) => void): () => void;
+	/** Returns true when request matches any configured LFV delivery path. */
+	isLfvDeliveryRequest?(request: Request): boolean;
+	/** Returns true when request matches any configured LFV events path. */
+	isLfvEventsRequest?(request: Request): boolean;
+	/** Handles LFV delivery callbacks for configured LFV sources. */
+	handleLfvDelivery?(request: Request): Promise<Response>;
+	/** Handles LFV events callbacks for configured LFV sources. */
+	handleLfvEvents?(request: Request): Promise<Response>;
+};
 /**
-* Options for creating a user
+* Partial secrets source config used in framework/app code to declare expected source names.
+* ConfigSource-backed values may still provide the actual source details at runtime.
 */
-interface CreateUserOptions {
-	/**
-	* External identifier for the user
-	*/
-	externalId?: string;
-}
+type FrameworkSecretsSourceConfig = Partial<SecretsSourceConfig>;
 /**
-* Options for creating a group
+* Framework-level named secrets source declarations keyed by source name.
+* Values may be partial or empty when the app only wants to declare expected names/types.
 */
-interface CreateGroupOptions {
-	/**
-	* External identifier for the group
-	*/
-	externalId?: string;
-	/**
-	* Initial members to add to the group
-	*/
-	members?: GroupMember[];
-}
+type FrameworkSecretsModuleConfig = Record<string, FrameworkSecretsSourceConfig>;
 /**
-* Handler configuration for groups_inbound
+* TODO: Let's see if we can do some clean inference and remove this!!!
 */
-interface GroupsInboundHandlerConfig {
-	/**
-	* Base path for the SCIM Groups endpoints (e.g., '/api/iam/Groups')
-	*/
-	basePath?: string;
-}
+type SecretsSourceMap = Record<string, SecretsSource>;
+type SecretsSourceConfig = DevSecretsConfig | GcpSecretsConfig | VaultSecretsConfig | AwsSecretsConfig | AzureSecretsConfig;
 /**
-* Handler configuration for users_inbound
+* Raw module config keyed by source name.
+* The secrets module resolves this into a runtime SecretsSourceMap.
 */
-interface UsersInboundHandlerConfig {
+type SecretsModuleConfig = Record<string, SecretsSourceConfig>;
+type DevSecretsConfig = {
+	type: "dev";
+	ioniteUrl: string;
+};
+type GcpSecretsConfig = {
+	type: "gcp";
+};
+type VaultLfvSecretsConfig = {
+	/** LFV server base URL for OTP/action endpoints. */
+	lfvServerUrl?: string;
+	/** LFV client id used for OTP issuance. */
+	clientId?: string;
+	/** Signature value for X-LFV-Signature header. */
+	signature?: string;
+	deliveryEndpoint: string;
 	/**
-	* Base path for the SCIM Users endpoints (e.g., '/api/iam/Users')
+	* Optional LFV signature verification key.
+	* When omitted, LFV callbacks are accepted without signature verification.
 	*/
-	basePath?: string;
-}
-interface IAMDiscoveryHandlerConfig {
+	verifyPublicKey?: string;
+	eventsEndpoint: string;
+	path?: string;
 	/**
-	* Base path for the IAM discovery endpoints (e.g., '/api/iam')
+	* Timeout in milliseconds when waiting for a LFV delivery payload after a read request.
+	* After this duration, an error is thrown.
 	*/
-	basePath?: string;
-}
-/**
-* Groups Outbound extension - for creating groups in external IAM providers.
-* Enabled when `url` is configured in IAMConfig.
-*/
-type IAMGroupsOutbound = {
+	deliveryTimeout?: number;
+	/** Retry interval in milliseconds between LFV transport retry attempts. */
+	retryInterval?: number;
+	/** Warning interval in milliseconds for LFV retry logs. Set to 0 to disable warnings. */
+	warnInterval?: number;
 	/**
-	* Create a new group in the external IAM provider
-	* @param displayName - The display name for the group
-	* @param options - Optional configuration for the group creation
-	* @returns The created group resource from the provider
+	* Optional logger for request/response tracing. Use `debugLogger` from `@enterprisestandard/core`
+	* to get debug output with request_id for LFV operations.
 	*/
-	createGroup: (displayName: string, options?: CreateGroupOptions) => Promise<ScimResult<GroupResource>>;
+	log?: Logger;
 };
 /**
-* Groups Inbound extension - for receiving group provisioning from external IAM providers.
-* Enabled when `groupStore` is configured in IAMConfig.
+* Runtime-ready LFV source config.
+* Input config can be partially declared/merged, but LFV operations require these fields.
 */
-type IAMGroupsInbound = {
-	/**
-	* Handle inbound SCIM requests for group management.
-	* Routes: GET/POST /Groups, GET/PUT/PATCH/DELETE /Groups/:id
-	*/
-	handler: (request: Request, config?: GroupsInboundHandlerConfig) => Promise<Response>;
+type ResolvedVaultLfvSecretsConfig = Omit<VaultLfvSecretsConfig, "lfvServerUrl" | "clientId" | "path"> & {
+	lfvServerUrl: string;
+	clientId: string;
+	path: string;
 };
-/**
-* Users Inbound extension - for receiving user provisioning from external IAM providers.
-* Enabled when `userStore` is configured in IAMConfig.
-*/
-type IAMUsersInbound = {
+type VaultWebSocketAuthHeader = "X-Vault-Token" | "Authorization";
+type VaultWebSocketSecretsConfig = {
+	/** Websocket URL for vault command execution and live secret subscriptions. */
+	url?: string;
+	/** Token used during websocket connect/auth. */
+	token?: string;
+	/** Header name used to send the websocket token. Defaults to X-Vault-Token. */
+	header?: VaultWebSocketAuthHeader;
+};
+type VaultSecretsConfig = {
+	type: "vault";
+	url?: string;
+	token?: string;
+	/** Optional LFV transport capability for reads/lifecycle operations. */
+	lfv?: VaultLfvSecretsConfig;
+	/** Optional websocket capability for vault commands and live subscriptions. */
+	websocket?: VaultWebSocketSecretsConfig;
 	/**
-	* Handle inbound SCIM requests for user management.
-	* Routes: GET/POST /Users, GET/PUT/PATCH/DELETE /Users/:id
+	* MINIMUM: 600_000 milliseconds (10 minutes). Polls the path every ttl milliseconds and calls onConfig when config changes.
 	*/
-	handler: (request: Request, config?: UsersInboundHandlerConfig) => Promise<Response>;
+	ttl?: number;
 };
-/**
-* Core IAM service interface.
-*
-* - Core functions are user-related (outbound to external IAM)
-* - `groups_outbound` is available when `url` is configured
-* - `groups_inbound` is available when `groupStore` is configured
-* - `users_inbound` is available when `userStore` is configured
-*/
-type IAM = IAMConfig & {
+type AwsSecretsConfig = {
+	type: "aws";
+	webhookUrl: string;
+};
+type AwsAuthMethod = "client_secret" | "workload_identity" | "managed_identity";
+type AzureSecretsConfig = {
+	type: "azure";
 	/**
-	* Create a new user/account in the external IAM provider
-	* Only available when `url` is configured.
+	* How to authenticate to Azure to fetch Key Vault access tokens.
+	*
+	* - client_secret: Entra app client secret (client credentials)
+	* - workload_identity: AKS Workload Identity (federated token file)
+	* - managed_identity: Azure Managed Identity via IMDS
+	*
+	* If omitted, we auto-detect:
+	* - workload_identity if a federated token file is present
+	* - else client_secret if a clientSecret is present
+	* - else managed_identity
+	*
+	* Env: ES_AZURE_AUTH_METHOD
 	*/
-	createUser?: (user: User, options?: CreateUserOptions) => Promise<ScimResult<User>>;
+	authMethod?: AwsAuthMethod;
 	/**
-	* Get the configured external SCIM base URL
+	* Azure Entra tenant id (GUID), used for OAuth2 token exchange.
+	* Env: ES_AZURE_TENANT_ID
 	*/
-	getBaseUrl: () => string | undefined;
+	tenantId?: string;
 	/**
-	* Groups Outbound extension - create groups in external IAM provider.
-	* Available when `url` is configured in IAMConfig.
+	* Azure app registration client id (GUID).
+	* Env: ES_AZURE_CLIENT_ID
 	*/
-	groups_outbound?: IAMGroupsOutbound;
+	clientId?: string;
 	/**
-	* Groups Inbound extension - receive group provisioning from external IAM.
-	* Available when `groupStore` is configured in IAMConfig.
+	* Azure app registration client secret.
+	* Env: ES_AZURE_CLIENT_SECRET
 	*/
-	groups_inbound?: IAMGroupsInbound;
+	clientSecret?: string;
 	/**
-	* Users Inbound extension - receive user provisioning from external IAM.
-	* Available when `userStore` is configured in IAMConfig.
-	*/
-	users_inbound?: IAMUsersInbound;
-	/**
-	* Framework-agnostic request handler for the IAM module.
-	* Routes to discovery, users_inbound, or groups_inbound based on the request path.
-	*/
-	handler: (request: Request, config?: IAMHandlerConfig) => Promise<Response>;
-};
-import { StandardSchemaV1 as StandardSchemaV16 } from "@standard-schema/spec";
-/**
-* Session management for tracking user sessions and enabling backchannel logout.
-*
-* Session stores are optional - the package works with JWT cookies alone.
-* Sessions are only required for backchannel logout functionality.
-*
-* ## Session Validation Strategies
-*
-* When using a session store, you can configure when sessions are validated:
-*
-* ### 'always' (default)
-* Validates session on every authenticated request.
-* - **Security**: Maximum - immediate session revocation
-* - **Performance**: InMemory ~0.00005ms, Redis ~1-2ms per request
-* - **Backchannel Logout**: Takes effect immediately
-* - **Use when**: Security is paramount, using InMemory or Redis backend
-*
-* ### 'refresh-only'
-* Validates session only during token refresh (typically every 5-15 minutes).
-* - **Security**: Good - 5-15 minute revocation window
-* - **Performance**: 99% reduction in session lookups
-* - **Backchannel Logout**: Takes effect within token TTL (5-15 min)
-* - **Use when**: Performance is critical AND delayed revocation is acceptable
-* - **WARNING**: Compromised sessions remain valid until next refresh
-*
-* ### 'disabled'
-* Never validates sessions against the store.
-* - **Security**: None - backchannel logout doesn't work
-* - **Performance**: No overhead
-* - **Use when**: Cookie-only mode without session store
-* - **WARNING**: Do not use with sessionStore configured
-*
-* ## Performance Characteristics
-*
-* | Backend      | Lookup Time | Impact on Request | Recommendation         |
-* |--------------|-------------|-------------------|------------------------|
-* | InMemory     | <0.00005ms  | Negligible        | Use 'always'           |
-* | Redis        | 1-2ms       | 2-4% increase     | Use 'always' or test   |
-* | Database     | 5-20ms      | 10-40% increase   | Use Redis cache layer  |
-*
-* ## Example Usage
-*
-* ```typescript
-* import { sso, InMemorySessionStore } from '@enterprisestandard/server';
-*
-* // Maximum security (default)
-* const secure = sso({
-*   // ... other config
-*   sessionStore: new InMemorySessionStore(),
-*   session_validation: 'always', // Immediate revocation
-* });
-*
-* // High performance
-* const fast = sso({
-*   // ... other config
-*   sessionStore: new InMemorySessionStore(),
-*   session_validation: {
-*     strategy: 'refresh-only' // 5-15 min revocation delay
-*   }
-* });
-* ```
-*/
-/**
-* Core session data tracked for each authenticated user session.
-*
-* @template TExtended - Type-safe custom data that consumers can add to sessions
-*/
-type Session<TExtended = object> = {
-	/**
-	* Session ID from the Identity Provider (from `sid` claim in ID token).
-	* This is the unique identifier for the session.
+	* Path to the projected federated token file (AKS Workload Identity).
+	* Env: ES_AZURE_FEDERATED_TOKEN_FILE or AZURE_FEDERATED_TOKEN_FILE
 	*/
-	sid: string;
+	federatedTokenFile?: string;
 	/**
-	* Subject identifier (user ID) from the Identity Provider.
-	* From the `sub` claim in the ID token.
+	* Managed Identity client id (user-assigned), optional.
+	* Env: ES_AZURE_MANAGED_IDENTITY_CLIENT_ID
 	*/
-	sub: string;
+	managedIdentityClientId?: string;
 	/**
-	* Timestamp when the session was created.
+	* IMDS API version (managed identity).
+	* Env: ES_AZURE_IMDS_API_VERSION
+	* Default: 2018-02-01
 	*/
-	createdAt: Date;
+	imdsApiVersion?: string;
 	/**
-	* Timestamp of the last activity in this session.
-	* Can be updated to track session activity.
+	* Key Vault URL, e.g. https://myvault.vault.azure.net
+	* Env: ES_AZURE_KEY_VAULT_URL
 	*/
-	lastActivityAt: Date;
+	vaultUrl?: string;
 	/**
-	* Allow consumers to add runtime data to sessions.
+	* Alternative to vaultUrl. If provided, vaultUrl is derived as:
+	* https://${vaultName}.vault.azure.net
+	* Env: ES_AZURE_KEY_VAULT_NAME
 	*/
-	[key: string]: unknown;
-} & TExtended;
-/**
-* Abstract interface for session storage backends.
-*
-* Consumers can implement this interface to use different storage backends:
-* - Redis
-* - Database (PostgreSQL, MySQL, etc.)
-* - Distributed cache
-* - Custom solutions
-*
-* @template TExtended - Type-safe custom data that consumers can add to sessions
-*
-* @example
-* ```typescript
-* // Custom session data
-* type MySessionData = {
-*   ipAddress: string;
-*   userAgent: string;
-* };
-*
-* // Implement custom store
-* class RedisSessionStore implements SessionStore<MySessionData> {
-*   async create(session: Session<MySessionData>): Promise<void> {
-*     await redis.set(`session:${session.sid}`, JSON.stringify(session));
-*   }
-*   // ... other methods
-* }
-* ```
-*/
-interface SessionStore<TExtended = object> {
+	vaultName?: string;
 	/**
-	* Create a new session in the store.
-	*
-	* @param session - The session data to store
-	* @throws Error if session with same sid already exists
+	* Key Vault API version.
+	* Env: ES_AZURE_KEY_VAULT_API_VERSION
+	* Default: 7.4
 	*/
-	create(session: Session<TExtended>): Promise<void>;
+	apiVersion?: string;
 	/**
-	* Retrieve a session by its IdP session ID (sid).
-	*
-	* @param sid - The session.sid from the Identity Provider
-	* @returns The session if found, null otherwise
+	* Maps vault "path" to a Key Vault secret name.
+	* Default: replaces `/` with `--` and trims leading/trailing `/`.
 	*/
-	get(sid: string): Promise<Session<TExtended> | null>;
+	secretNameTransform?: (path: string) => string;
 	/**
-	* Update an existing session with partial data.
-	*
-	* Commonly used to update lastActivityAt or add custom fields.
-	*
-	* @param sid - The session.sid to update
-	* @param data - Partial session data to merge
-	* @throws Error if session not found
+	* Optional prefix added to all computed secret names.
+	* Useful to namespace secrets by app/environment.
 	*/
-	update(sid: string, data: Partial<Session<TExtended>>): Promise<void>;
+	secretNamePrefix?: string;
 	/**
-	* Delete a session by its IdP session ID (sid).
-	*
-	* Used for both normal logout and backchannel logout flows.
-	*
-	* @param sid - The session.sid to delete
+	* OAuth2 scope; default is Key Vault resource scope.
+	* Default: https://vault.azure.net/.default
 	*/
-	delete(sid: string): Promise<void>;
-}
-type SSOConfig<
-	TSessionData = Record<string, never>,
-	TUserData = Record<string, never>
-> = {
-	authority?: string;
-	tokenUrl?: string;
-	authorizationUrl?: string;
-	clientId?: string;
-	clientSecret?: string;
-	redirectUri?: string;
-	responseType?: "code";
 	scope?: string;
-	silentRedirectUri?: string;
-	jwksUri?: string;
-	cookiesPrefix?: string;
-	cookiesPath?: string;
-	cookiesSecure?: boolean;
-	cookiesSameSite?: "Strict" | "Lax";
 	/**
-	* Optional cookie name for tracking the active session across tenants.
-	* Defaults to 'es.active_session' when using the helper utilities.
-	*/
-	activeSessionCookieName?: string;
-	endSessionEndpoint?: string;
-	revocationEndpoint?: string;
-	sessionStore?: SessionStore<TSessionData>;
-	/**
-	* Optional user store for persisting user profiles from SSO authentication.
-	* When configured, users are automatically stored/updated on each login.
-	*/
-	userStore?: UserStore<TUserData>;
-	/**
-	* Enable Just-In-Time (JIT) user provisioning.
-	* When enabled, new users are automatically created in the userStore on their first login.
-	* When disabled (default), only existing users in the userStore are updated on login.
-	* Requires userStore to be configured.
-	* @default false
+	* When set, the vault implements subscribe: poll this path every ttl seconds and call onConfig when config changes.
 	*/
-	enableJitUserProvisioning?: boolean;
-	validators?: SSOValidators;
-} & SSOHandlerConfig;
-type StateCookie = {
-	state: string;
-	codeVerifier: string;
-	landingUrl: string;
-	errorUrl?: string;
+	ttl?: number;
 };
-type CookieOptions = {
-	cookieName?: string;
-	path?: string;
-	maxAge?: number;
-	secure?: boolean;
-	sameSite?: "Strict" | "Lax";
+type ConfigSourceType = "vault" | "azure" | "aws" | "gcp";
+type ESValidators = {
+	sso: SSOValidators;
+	iam: IAMValidators;
+	workload: WorkloadValidators;
+	ciam: CIAMValidators;
+	secrets?: SecretsValidators;
 };
-declare function getActiveSession(request: Request, options?: CookieOptions): string | undefined;
-declare function setActiveSession(clientId: string, options?: CookieOptions): string;
-declare function clearActiveSession(options?: CookieOptions): string;
-declare function listSsoClientIdsFromCookies(requestOrCookieHeader: Request | string | null | undefined, options?: {
-	cookiePrefix?: string;
-}): string[];
-declare function findTenantFromStateParam(cookieHeader: string | null | undefined, stateParam: string): {
-	clientId: string;
-	stateCookie: StateCookie;
-} | undefined;
-type LoginConfig = {
-	landingUrl: string;
-	errorUrl?: string;
+type ApplicationValidators<TTenantValidators extends TenantValidators = TenantValidators> = ESValidators & {
+	tenant: TTenantValidators;
 };
-type SSOHandlerConfig = {
-	loginUrl?: string;
-	userUrl?: string;
-	errorUrl?: string;
-	landingUrl?: string;
-	tokenUrl?: string;
-	refreshUrl?: string;
-	jwksUrl?: string;
-	logoutUrl?: string;
-	logoutBackChannelUrl?: string;
-};
-type SSOValidators = {
-	callbackParams: StandardSchemaV16<unknown, OidcCallbackParams>;
-	idTokenClaims: StandardSchemaV16<unknown, IdTokenClaims>;
-	tokenResponse: StandardSchemaV16<unknown, TokenResponse>;
+/**
+* Configuration supplied by the framework/application when creating an Enterprise Standard instance.
+* Merged with RemoteConfig from the ConfigSource (framework config wins). Pass as the second
+* argument to enterpriseStandard(source, config).
+* Set a module to `null` to explicitly disable it; then the corresponding property on the
+* EnterpriseStandard instance is typed as `never`. Omit a module to allow it to be supplied
+* from ConfigSource / adaptive (typed as the module type, non-optional).
+*/
+type FrameworkConfig = {
+	/** Optional `Logger` implementation (e.g. `consoleLogger`); exposed on the instance as `log`. */
+	log?: Logger;
+	sso?: SSOConfig | null;
+	iam?: IAMConfig | null;
+	workload?: FrameworkWorkloadConfig | null;
+	secrets?: FrameworkSecretsModuleConfig | null;
+	ciam?: CIAMConfig | null;
+	validators: ESValidators;
 };
-type SSO<
-	TSessionData = Record<string, never>,
-	TUserData = Record<string, never>
-> = SSOConfig<TSessionData, TUserData> & {
-	getUser: (request: Request) => Promise<User2 | undefined>;
+/**
+* Final configuration after merging ConfigSource (RemoteConfig) and FrameworkConfig.
+* Same shape as FrameworkConfig; each module (SSO, IAM, etc.) resolves its config from
+* both sources at runtime. Use this type when referring to the effective/merged config.
+*/
+type ESConfig = FrameworkConfig;
+/**
+* Remote config read from a config source (vault, lfv, etc.).
+*/
+type RemoteConfig = {
+	/** Optional app/tenant identifier for this ESA (e.g. from vault path or config). */
+	tenantId?: string;
+	sso?: SSOConfig;
+	iam?: IAMConfig;
 	/**
-	* Read the SSO user from cookies without ever issuing an IdP refresh-token round
-	* trip. Returns `undefined` when access cookies are missing, the control cookie
-	* reports expiry in the past, or JWT verification fails. Intended for multi-session
-	* listing paths where N candidates must not silently fan out N IdP requests.
+	* Workload: single config, or incoming/outgoing (server vs client roles), or flat map of named clients.
+	* Preferred: { incoming: { jwksUri, issuer }, outgoing: { TNT_*: { clientId, ... } } }.
+	* Legacy: { default: { jwksUri, issuer }, TNT_*: { ... } } (flat map).
+	* TODO: Let's see if we can do some clean inference here!!!
 	*/
-	getUserNoRefresh: (request: Request) => Promise<User2 | undefined>;
-	getRequiredUser: (request: Request) => Promise<User2>;
-	getJwt: (request: Request) => Promise<string | undefined>;
-	initiateLogin: (config: LoginConfig, requestUrl?: string) => Promise<Response>;
-	logout: (request: Request, config?: LoginConfig) => Promise<Response>;
-	logoutBackChannel2: (request: Request) => Promise<Response>;
-	callbackHandler: (request: Request) => Promise<Response>;
-	handler: (request: Request) => Promise<Response>;
-};
-import { StandardSchemaV1 as StandardSchemaV17 } from "@standard-schema/spec";
-type Secret<T> = {
-	data: T;
-	metadata: MetaData;
+	workload?: WorkloadConfig | WorkloadConfigMap | WorkloadIncomingOutgoing;
+	/** Optional named secrets-source configs available to this ESA instance. */
+	secrets?: SecretsModuleConfig;
+	ciam?: CIAMConfig;
 };
-type MetaData = {
-	path: string;
-	version: number;
-	created: Date;
+/**
+* Stores supplied by the framework/application when creating an Enterprise Standard instance.
+*/
+type FrameworkStores = {
+	sessionStore?: SessionStore<unknown>;
+	userStore?: UserStore<unknown>;
+	groupStore?: GroupStore<unknown>;
+	magicLinkStore?: MagicLinkStore<unknown>;
+	workloadTokenStore?: WorkloadTokenStore;
 };
-type SecretsSourceType = "vault" | "azure" | "aws" | "gcp" | "dev";
-type SecretRequestSeverity = "low" | "medium" | "high" | "critical";
-type SecretLifecycleRequest = {
-	reason?: string;
-	severity?: SecretRequestSeverity;
-	incidentRef?: string;
+type ModifiableFrameworkConfig = FrameworkConfig & {
+	setStores(stores: FrameworkStores): void;
 };
-type SecretsOperationOptions = {
-	/** Optional timeout in milliseconds for this secrets operation. */
-	timeout?: number;
+/** Return type from the beforeChange hook passed to enterpriseStandard(). */
+type ESConfigChangeResult = {
+	config?: RemoteConfig;
+	frameworkConfig?: FrameworkConfig;
 };
-type SecretsSource = ReactiveHandle & {
-	type: SecretsSourceType;
-	getFullSecret: <T>(path: string, options?: SecretsOperationOptions) => Promise<Secret<T>>;
-	getSecret: <T>(path: string, options?: SecretsOperationOptions) => Promise<T>;
-	/**
-	* Write a secret at the given path.
-	* Implementations may throw for read-only or unsupported secret sources.
-	*/
-	putSecret: (path: string, value: Record<string, unknown>, options?: SecretsOperationOptions) => Promise<void>;
-	/**
-	* When set, the secret source supports change detection and will call onChange when the secret changes.
-	* Implementations must only invoke onChange when the secret version has changed from the last time
-	* that subscription was notified (same version must not trigger a second call).
-	* @returns a unsubscribe/cleanup function.
-	*/
-	subscribe<T>(path: string, onChange: (fullSecret: Secret<T>) => void): () => void;
-	/**
-	* Deletes a secret at the given path.
-	*/
-	deleteSecret(path: string, options?: SecretsOperationOptions): Promise<void>;
-	/**
-	* Lists child paths under the given base path.
-	*/
-	listPaths(path: string, options?: SecretsOperationOptions): Promise<string[]>;
+/** beforeChange callback invoked on every config application (initial load and updates). */
+type ESConfigChangeCallback = (config: RemoteConfig, frameworkConfig: ModifiableFrameworkConfig, oldConfig: RemoteConfig | undefined) => ESConfigChangeResult | void;
+type ConfigSource = {
+	load(): Promise<RemoteConfig>;
 	/**
-	* Returns true when a secret path exists.
+	* Called when the config changes.
+	* @param onConfig - The callback to call when the config changes.
+	* @return an unsubscribe/cleanup function.
 	*/
-	exists(path: string, options?: SecretsOperationOptions): Promise<boolean>;
+	subscribe(onConfig: (config: RemoteConfig) => void): undefined | (() => void);
 	/**
-	* Requests secret rotation for the given path.
+	* Default secret client for the config source itself.
+	* For vault-backed sources this is the vault used to read RemoteConfig.
 	*/
-	requestRotate(path: string, request?: SecretLifecycleRequest, options?: SecretsOperationOptions): Promise<void>;
+	secret: SecretsSource;
 	/**
-	* Requests secret revocation for the given path.
+	* Optional. If not set by the creator, the framework may set this before calling load/subscribe
+	* so the source can use the same logger as the Enterprise Standard instance (`log`).
 	*/
-	requestRevoke(path: string, request?: SecretLifecycleRequest, options?: SecretsOperationOptions): Promise<void>;
+	log?: Logger;
 	/**
-	* Reads metadata for the given path.
+	* Optional. If not set by the creator, the framework may set this before calling load/subscribe
+	* so the source can use the same validators.
 	*/
-	getMetadata(path: string, options?: SecretsOperationOptions): Promise<Record<string, unknown>>;
+	validators?: ESValidators;
 };
-type SecretsValidators = {
-	/**
-	* Optional hook to validate merged source configs before they are resolved.
-	* Throw from this callback to reject invalid secrets source configuration.
-	*/
-	validateSourceConfig?(sourceName: string, config: SecretsSourceConfig): void;
+type EnvironmentType = "POC" | "DEV" | "QA" | "PROD";
+type TenantStatus = "pending" | "processing" | "completed" | "failed" | "action_required";
+type UpsertTenantRequestBase = {
+	tenantId: string;
+	companyId: string;
+	companyName: string;
+	environmentType: EnvironmentType;
+	email?: string;
+	webhookUrl?: string;
+	callbackUrl?: string;
+	configSource: TenantSecretsConfig;
 };
-type Secrets = ReactiveHandle & {
-	/** Named secrets sources client configurations from RemoteConfig. */
-	config: SecretsSourceMap;
-	/** Returns configured secrets source names/keys. */
-	listSecretsSources(): string[];
-	/** Gets a named secrets source client. Throws when missing. */
-	getSecretsSource(sourceName: string): SecretsSource;
-	/** Reads a secret from a named secrets source client. */
-	getSecret<T>(sourceName: string, path: string, options?: SecretsOperationOptions): Promise<T>;
-	/** Reads full secret data + metadata from a named secrets source client. */
-	getFullSecret<T>(sourceName: string, path: string, options?: SecretsOperationOptions): Promise<Secret<T>>;
-	/** Writes a secret to a named secrets source client. */
-	putSecret(sourceName: string, path: string, value: Record<string, unknown>, options?: SecretsOperationOptions): Promise<void>;
-	/** Deletes a secret from a named secrets source client. */
-	deleteSecret(sourceName: string, path: string, options?: SecretsOperationOptions): Promise<void>;
-	/** Lists child paths under a base path for a named secrets source client. */
-	listPaths(sourceName: string, path: string, options?: SecretsOperationOptions): Promise<string[]>;
-	/** Returns true when a path exists for a named secrets source client. */
-	exists(sourceName: string, path: string, options?: SecretsOperationOptions): Promise<boolean>;
-	/** Requests rotation for a secret path in a named secrets source client. */
-	requestRotate(sourceName: string, path: string, request?: SecretLifecycleRequest, options?: SecretsOperationOptions): Promise<void>;
-	/** Requests revocation for a secret path in a named secrets source client. */
-	requestRevoke(sourceName: string, path: string, request?: SecretLifecycleRequest, options?: SecretsOperationOptions): Promise<void>;
-	/** Reads metadata for a secret path in a named secrets source client. */
-	getMetadata(sourceName: string, path: string, options?: SecretsOperationOptions): Promise<Record<string, unknown>>;
-	/** Subscribes to secret changes on a named secrets source client. */
-	subscribe<T>(sourceName: string, path: string, onChange: (fullSecret: Secret<T>) => void): () => void;
-	/** Returns true when request matches any configured LFV delivery path. */
-	isLfvDeliveryRequest?(request: Request): boolean;
-	/** Returns true when request matches any configured LFV events path. */
-	isLfvEventsRequest?(request: Request): boolean;
-	/** Handles LFV delivery callbacks for configured LFV sources. */
-	handleLfvDelivery?(request: Request): Promise<Response>;
-	/** Handles LFV events callbacks for configured LFV sources. */
-	handleLfvEvents?(request: Request): Promise<Response>;
+type UpsertTenantRequest<TExtended extends object = object> = UpsertTenantRequestBase & TExtended;
+type UpsertTenantResponse = {
+	tenantUrl?: string;
+	status: Exclude<TenantStatus, "action_required">;
+	error?: string;
+	refs?: RefUrls[];
+} | {
+	status: "action_required";
+	actionUrl: string;
+	requestToken: string;
+	expiresAt: string;
+	refs?: RefUrls[];
 };
+type CreateTenantRequest = UpsertTenantRequest;
+type CreateTenantResponse = UpsertTenantResponse;
 /**
-* Partial secrets source config used in framework/app code to declare expected source names.
-* ConfigSource-backed values may still provide the actual source details at runtime.
-*/
-type FrameworkSecretsSourceConfig = Partial<SecretsSourceConfig>;
-/**
-* Framework-level named secrets source declarations keyed by source name.
-* Values may be partial or empty when the app only wants to declare expected names/types.
-*/
-type FrameworkSecretsModuleConfig = Record<string, FrameworkSecretsSourceConfig>;
-/**
-* TODO: Let's see if we can do some clean inference and remove this!!!
+* The audience of the reference URL.
+* - 'human' for human-readable documentation such as user guides, documentation, etc.
+* - 'ai' for AI-generated reference such as llms.txt, AI-optimized markdown, etc.
+* - 'spec' for specifications and code-gen ready docs such as OpenAPI, GraphQL, etc.
 */
-type SecretsSourceMap = Record<string, SecretsSource>;
-type SecretsSourceConfig = DevSecretsConfig | GcpSecretsConfig | VaultSecretsConfig | AwsSecretsConfig | AzureSecretsConfig;
+type Audience = "human" | "ai" | "spec";
+interface RefUrls {
+	audience: Audience;
+	url: string;
+	description: string;
+	createdAt: Date;
+	updatedAt: Date;
+}
+interface TenantWebhookPayload {
+	tenantId: string;
+	companyId: string;
+	status: TenantStatus;
+	tenantUrl?: string;
+	actionUrl?: string;
+	requestToken?: string;
+	expiresAt?: string;
+	error?: string;
+}
+declare class TenantRequestError extends Error {
+	constructor(message: string, options?: ErrorOptions);
+}
+declare class MultipleTenantsForUserError extends Error {
+	readonly userId: string;
+	readonly tenantIds: string[];
+	constructor(userId: string, tenantIds: string[], options?: ErrorOptions);
+}
+type TenantValidators<
+	TUpsertTenantRequest extends UpsertTenantRequest = UpsertTenantRequest,
+	TUpsertTenantResponse extends UpsertTenantResponse = UpsertTenantResponse
+> = {
+	upsertTenantRequest: StandardSchemaV16<unknown, TUpsertTenantRequest>;
+	upsertTenantResponse?: StandardSchemaV16<unknown, TUpsertTenantResponse>;
+	createTenantRequest?: StandardSchemaV16<unknown, TUpsertTenantRequest>;
+	createTenantResponse?: StandardSchemaV16<unknown, TUpsertTenantResponse>;
+};
 /**
-* Raw module config keyed by source name.
-* The secrets module resolves this into a runtime SecretsSourceMap.
-*/
-type SecretsModuleConfig = Record<string, SecretsSourceConfig>;
-type DevSecretsConfig = {
-	type: "dev";
-	ioniteUrl: string;
-};
-type GcpSecretsConfig = {
-	type: "gcp";
-};
-type VaultLfvSecretsConfig = {
-	/** LFV server base URL for OTP/action endpoints. */
-	lfvServerUrl?: string;
-	/** LFV client id used for OTP issuance. */
-	clientId?: string;
-	/** Signature value for X-LFV-Signature header. */
-	signature?: string;
-	deliveryEndpoint: string;
-	/**
-	* Optional LFV signature verification key.
-	* When omitted, LFV callbacks are accepted without signature verification.
-	*/
-	verifyPublicKey?: string;
-	eventsEndpoint: string;
-	path?: string;
-	/**
-	* Timeout in milliseconds when waiting for a LFV delivery payload after a read request.
-	* After this duration, an error is thrown.
-	*/
-	deliveryTimeout?: number;
-	/** Retry interval in milliseconds between LFV transport retry attempts. */
-	retryInterval?: number;
-	/** Warning interval in milliseconds for LFV retry logs. Set to 0 to disable warnings. */
-	warnInterval?: number;
-	/**
-	* Optional logger for request/response tracing. Use `debugLogger` from `@enterprisestandard/core`
-	* to get debug output with request_id for LFV operations.
-	*/
-	log?: Logger;
-};
-/**
-* Runtime-ready LFV source config.
-* Input config can be partially declared/merged, but LFV operations require these fields.
-*/
-type ResolvedVaultLfvSecretsConfig = Omit<VaultLfvSecretsConfig, "lfvServerUrl" | "clientId" | "path"> & {
-	lfvServerUrl: string;
-	clientId: string;
-	path: string;
-};
-type VaultWebSocketAuthHeader = "X-Vault-Token" | "Authorization";
-type VaultWebSocketSecretsConfig = {
-	/** Websocket URL for vault command execution and live secret subscriptions. */
-	url?: string;
-	/** Token used during websocket connect/auth. */
-	token?: string;
-	/** Header name used to send the websocket token. Defaults to X-Vault-Token. */
-	header?: VaultWebSocketAuthHeader;
-};
-type VaultSecretsConfig = {
-	type: "vault";
-	url?: string;
-	token?: string;
-	/** Optional LFV transport capability for reads/lifecycle operations. */
-	lfv?: VaultLfvSecretsConfig;
-	/** Optional websocket capability for vault commands and live subscriptions. */
-	websocket?: VaultWebSocketSecretsConfig;
-	/**
-	* MINIMUM: 600_000 milliseconds (10 minutes). Polls the path every ttl milliseconds and calls onConfig when config changes.
-	*/
-	ttl?: number;
-};
-type AwsSecretsConfig = {
-	type: "aws";
-	webhookUrl: string;
-};
-type AwsAuthMethod = "client_secret" | "workload_identity" | "managed_identity";
-type AzureSecretsConfig = {
-	type: "azure";
-	/**
-	* How to authenticate to Azure to fetch Key Vault access tokens.
-	*
-	* - client_secret: Entra app client secret (client credentials)
-	* - workload_identity: AKS Workload Identity (federated token file)
-	* - managed_identity: Azure Managed Identity via IMDS
-	*
-	* If omitted, we auto-detect:
-	* - workload_identity if a federated token file is present
-	* - else client_secret if a clientSecret is present
-	* - else managed_identity
-	*
-	* Env: ES_AZURE_AUTH_METHOD
-	*/
-	authMethod?: AwsAuthMethod;
-	/**
-	* Azure Entra tenant id (GUID), used for OAuth2 token exchange.
-	* Env: ES_AZURE_TENANT_ID
-	*/
-	tenantId?: string;
-	/**
-	* Azure app registration client id (GUID).
-	* Env: ES_AZURE_CLIENT_ID
-	*/
-	clientId?: string;
-	/**
-	* Azure app registration client secret.
-	* Env: ES_AZURE_CLIENT_SECRET
-	*/
-	clientSecret?: string;
-	/**
-	* Path to the projected federated token file (AKS Workload Identity).
-	* Env: ES_AZURE_FEDERATED_TOKEN_FILE or AZURE_FEDERATED_TOKEN_FILE
-	*/
-	federatedTokenFile?: string;
-	/**
-	* Managed Identity client id (user-assigned), optional.
-	* Env: ES_AZURE_MANAGED_IDENTITY_CLIENT_ID
-	*/
-	managedIdentityClientId?: string;
-	/**
-	* IMDS API version (managed identity).
-	* Env: ES_AZURE_IMDS_API_VERSION
-	* Default: 2018-02-01
-	*/
-	imdsApiVersion?: string;
-	/**
-	* Key Vault URL, e.g. https://myvault.vault.azure.net
-	* Env: ES_AZURE_KEY_VAULT_URL
-	*/
-	vaultUrl?: string;
-	/**
-	* Alternative to vaultUrl. If provided, vaultUrl is derived as:
-	* https://${vaultName}.vault.azure.net
-	* Env: ES_AZURE_KEY_VAULT_NAME
-	*/
-	vaultName?: string;
-	/**
-	* Key Vault API version.
-	* Env: ES_AZURE_KEY_VAULT_API_VERSION
-	* Default: 7.4
-	*/
-	apiVersion?: string;
-	/**
-	* Maps vault "path" to a Key Vault secret name.
-	* Default: replaces `/` with `--` and trims leading/trailing `/`.
-	*/
-	secretNameTransform?: (path: string) => string;
-	/**
-	* Optional prefix added to all computed secret names.
-	* Useful to namespace secrets by app/environment.
-	*/
-	secretNamePrefix?: string;
-	/**
-	* OAuth2 scope; default is Key Vault resource scope.
-	* Default: https://vault.azure.net/.default
-	*/
-	scope?: string;
-	/**
-	* When set, the vault implements subscribe: poll this path every ttl seconds and call onConfig when config changes.
-	*/
-	ttl?: number;
-};
-type EnvironmentType = "POC" | "DEV" | "QA" | "PROD";
-type TenantStatus = "pending" | "processing" | "completed" | "failed" | "action_required";
-interface UpsertTenantRequest {
-	tenantId: string;
-	companyId: string;
-	companyName: string;
-	environmentType: EnvironmentType;
-	email?: string;
-	webhookUrl?: string;
-	callbackUrl?: string;
-	configSource: TenantSecretsConfig;
-}
-type UpsertTenantResponse = {
-	tenantUrl?: string;
-	status: Exclude<TenantStatus, "action_required">;
-	error?: string;
-	refs?: RefUrls[];
-} | {
-	status: "action_required";
-	actionUrl: string;
-	requestToken: string;
-	expiresAt: string;
-	refs?: RefUrls[];
-};
-type CreateTenantRequest = UpsertTenantRequest;
-type CreateTenantResponse = UpsertTenantResponse;
-/**
-* The audience of the reference URL.
-* - 'human' for human-readable documentation such as user guides, documentation, etc.
-* - 'ai' for AI-generated reference such as llms.txt, AI-optimized markdown, etc.
-* - 'spec' for specifications and code-gen ready docs such as OpenAPI, GraphQL, etc.
-*/
-type Audience = "human" | "ai" | "spec";
-interface RefUrls {
-	audience: Audience;
-	url: string;
-	description: string;
-	createdAt: Date;
-	updatedAt: Date;
-}
-interface TenantWebhookPayload {
-	tenantId: string;
-	companyId: string;
-	status: TenantStatus;
-	tenantUrl?: string;
-	actionUrl?: string;
-	requestToken?: string;
-	expiresAt?: string;
-	error?: string;
-}
-declare class TenantRequestError extends Error {
-	constructor(message: string, options?: ErrorOptions);
-}
-declare class MultipleTenantsForUserError extends Error {
-	readonly userId: string;
-	readonly tenantIds: string[];
-	constructor(userId: string, tenantIds: string[], options?: ErrorOptions);
-}
-type UserMode = "singleTenantOnly" | "multipleTenantsPerUser";
-type TenantValidators = {
-	upsertTenantRequest: StandardSchemaV17<unknown, UpsertTenantRequest>;
-	upsertTenantResponse?: StandardSchemaV17<unknown, UpsertTenantResponse>;
-	createTenantRequest?: StandardSchemaV17<unknown, UpsertTenantRequest>;
-	createTenantResponse?: StandardSchemaV17<unknown, UpsertTenantResponse>;
-};
-/**
-* Env-like tenant config variables used to build a ConfigSource at runtime.
-* These mirror the ES_* variables read by envConfig().
+* Env-like tenant config variables used to build a ConfigSource at runtime.
+* These mirror the ES_* variables read by envConfig().
 */
 type TenantConfigEnv = {
 	ES_CONFIG_TYPE?: ConfigSourceType;
@@ -2554,317 +2186,657 @@ type TenantBaseRecord = {
 	/** Persisted tenant config metadata, or a runtime ConfigSource for internal-only tenants. */
 	configSource: TenantConfigSourceInput;
 	/** Runtime helper that returns a ConfigSource for this tenant. */
-	config: (source?: SecretsSource) => ConfigSource;
-};
-type StoredTenant<TExtended extends object = Record<string, never>> = TenantBaseRecord & TExtended;
-type StoredTenantRecord<TExtended extends object = Record<string, never>> = Omit<StoredTenant<TExtended>, "config">;
-type TenantEsFactory<TExtended extends object = Record<string, never>> = (tenant: StoredTenant<TExtended>) => EnterpriseStandard;
-type TenantConfigStoreRequest<TExtended extends object = Record<string, never>> = {
+	config?: (source?: SecretsSource) => ConfigSource;
+};
+type TenantBaseConstraint = Omit<TenantBaseRecord, "configSource"> & {
+	configSource?: TenantConfigSourceInput;
+};
+type TenantRecordBase = TenantBaseConstraint;
+type StoredTenant<TTenant extends TenantRecordBase = TenantRecordBase> = TTenant;
+type StoredTenantRecord<TTenant extends TenantRecordBase = TenantRecordBase> = Omit<StoredTenant<TTenant>, "config">;
+type TenantEsFactory<TTenant extends TenantRecordBase = TenantRecordBase> = (tenant: StoredTenant<TTenant>) => EnterpriseStandard;
+type TenantConfigStoreRequest<
+	TTenant extends TenantRecordBase = TenantRecordBase,
+	TRequest extends UpsertTenantRequest = UpsertTenantRequest
+> = {
 	es: EnterpriseStandard;
 	tenantId: string;
-	request: UpsertTenantRequest;
+	request: TRequest;
 	configData: TenantSecretsConfig;
-	existingTenant: StoredTenant<TExtended> | null;
+	existingTenant: StoredTenant<TTenant> | undefined;
+};
+type TenantStoreWithESOptions<TTenant extends TenantRecordBase = TenantRecordBase> = {
+	/**
+	* TTL for cached per-tenant EnterpriseStandard instances, in milliseconds.
+	* Default is forever; set to 0 to recreate ES on every getEs() call.
+	*/
+	ttl?: number;
+	/**
+	* Optional factory used to create an ES instance for a tenant.
+	* If omitted, getEs() throws.
+	*/
+	createEs?: TenantEsFactory<TTenant>;
+};
+type TenantUserRegistration = {
+	registerUserTenantId(userId: string, tenantId: string | null | undefined): void | Promise<void>;
+	registerUserToTenant?(userId: string, tenantId: string): void | Promise<void>;
+};
+declare abstract class TenantStore<TTenant extends TenantRecordBase = TenantRecordBase> implements TenantUserRegistration {
+	storeConfig?(config: TenantConfigStoreRequest<TTenant>): Promise<TenantConfigSourceInput>;
+	abstract get(tenantId: string): Promise<StoredTenant<TTenant> | undefined>;
+	abstract list(options?: TenantListOptions): Promise<ListResult<StoredTenant<TTenant>>>;
+	abstract upsert(tenant: StoredTenant<TTenant>): Promise<StoredTenant<TTenant>>;
+	abstract delete(tenantId: string): Promise<number>;
+	abstract registerUserTenantId(userId: string, tenantId: string | null | undefined): void | Promise<void>;
+	registerUserToTenant?(userId: string, tenantId: string): void | Promise<void>;
+	abstract findTenantsByUser(user: User2): Promise<StoredTenant<TTenant>[]>;
+	findTenantByUser(user: User2): Promise<StoredTenant<TTenant> | undefined>;
+}
+type TenantManagerStore<TTenant extends TenantRecordBase = TenantRecordBase> = Pick<TenantStoreWithES<TTenant>, "get" | "list" | "upsert" | "delete" | "getEs" | "findTenantByUser" | "findTenantsByUser"> & {
+	storeConfig?: TenantStoreWithES<TTenant>["storeConfig"];
 };
-type TenantStoreWithESOptions<TExtended extends object = Record<string, never>> = {
+type InMemoryTenantStoreOptions<TTenant extends TenantRecordBase = TenantRecordBase> = TenantStoreWithESOptions<TTenant>;
+type TenantStoreWithRequiredEsOptions<TTenant extends TenantRecordBase = TenantRecordBase> = Omit<TenantStoreWithESOptions<TTenant>, "createEs"> & {
+	createEs: TenantEsFactory<TTenant>;
+};
+type SingleTenantStoreOptions<TTenant extends TenantRecordBase = TenantRecordBase> = TenantStoreWithRequiredEsOptions<TTenant>;
+type MultiTenantStoreOptions<TTenant extends TenantRecordBase = TenantRecordBase> = TenantStoreWithRequiredEsOptions<TTenant>;
+declare abstract class TenantStoreWithEsCache<TTenant extends TenantRecordBase = TenantRecordBase> extends TenantStore<TTenant> {
+	readonly ttl: number;
+	private readonly createEs?;
+	private readonly tenantEsMap;
+	constructor(options: TenantStoreWithESOptions<TTenant>);
+	registerUserTenantId(userId: string, tenantId: string | null | undefined): Promise<void>;
+	registerUserToTenant(_userId: string, _tenantId: string): Promise<void>;
+	protected prepareTenantForCreateEs(tenant: StoredTenant<TTenant>): StoredTenant<TTenant>;
+	protected invalidateTenantEsCache(tenantId: string): void;
+	getEs(tenantId: string): Promise<EnterpriseStandard | undefined>;
+	getCachedTenantIds(): string[];
+}
+declare abstract class SingleTenantStore<TTenant extends TenantRecordBase = TenantRecordBase> extends TenantStoreWithEsCache<TTenant> {
+	abstract findTenantByUser(user: User2): Promise<StoredTenant<TTenant> | undefined>;
+	findTenantsByUser(user: User2): Promise<StoredTenant<TTenant>[]>;
+}
+declare abstract class MultiTenantStore<TTenant extends TenantRecordBase = TenantRecordBase> extends TenantStoreWithEsCache<TTenant> {}
+type TenantStoreWithES<TTenant extends TenantRecordBase = TenantRecordBase> = TenantStoreWithEsCache<TTenant>;
+type InMemorySingleTenantStoreOptions<TTenant extends TenantRecordBase = TenantRecordBase> = InMemoryTenantStoreOptions<TTenant>;
+type InMemoryMultiTenantStoreOptions<TTenant extends TenantRecordBase = TenantRecordBase> = InMemoryTenantStoreOptions<TTenant>;
+declare class InMemorySingleTenantStore<TTenant extends TenantRecordBase = TenantRecordBase> extends SingleTenantStore<TTenant> {
+	private readonly store;
+	constructor(options?: InMemorySingleTenantStoreOptions<TTenant>);
+	get(tenantId: string): Promise<StoredTenant<TTenant> | undefined>;
+	list(options?: TenantListOptions): Promise<ListResult<StoredTenant<TTenant>>>;
+	upsert(tenant: StoredTenant<TTenant>): Promise<StoredTenant<TTenant>>;
+	delete(tenantId: string): Promise<number>;
+	registerUserTenantId(userId: string, tenantId: string | null | undefined): Promise<void>;
+	findTenantByUser(user: User2): Promise<StoredTenant<TTenant> | undefined>;
+}
+declare class InMemoryMultiTenantStore<TTenant extends TenantRecordBase = TenantRecordBase> extends MultiTenantStore<TTenant> {
+	private readonly store;
+	constructor(options?: InMemoryMultiTenantStoreOptions<TTenant>);
+	get(tenantId: string): Promise<StoredTenant<TTenant> | undefined>;
+	list(options?: TenantListOptions): Promise<ListResult<StoredTenant<TTenant>>>;
+	upsert(tenant: StoredTenant<TTenant>): Promise<StoredTenant<TTenant>>;
+	delete(tenantId: string): Promise<number>;
+	registerUserTenantId(userId: string, tenantId: string | null | undefined): Promise<void>;
+	findTenantsByUser(user: User2): Promise<StoredTenant<TTenant>[]>;
+}
+declare function sendTenantWebhook(webhookUrl: string, payload: TenantWebhookPayload, log: Logger): Promise<void>;
+/**
+* Stored user data with required id and tracking metadata.
+*
+* Extends the SSO User type with:
+* - Required `id` (the `sub` claim from the IdP)
+* - Timestamps for tracking when users were first seen and last updated
+* - Optional custom extended data
+*
+* @template TExtended - Type-safe custom data that consumers can add to users
+*/
+type StoredUser<TExtended = object> = Omit<User2, "sso"> & {
+	/**
+	* Required unique identifier (the `sub` claim from the IdP).
+	* This is the primary key for user storage.
+	*/
+	id?: string;
+	/**
+	* Optional Enterprise Standard tenant identifier for tenant-aware apps.
+	* Built-in user stores can use this when registering HRD mappings.
+	*/
+	tenantId?: string;
+	/**
+	* Optional external identifier from the provisioning client.
+	* Commonly set by IAM inbound SCIM provisioning flows.
+	*/
+	externalId?: string;
+	/**
+	* Optional SCIM display name distinct from the simple `name` field.
+	* Commonly set by IAM inbound SCIM provisioning flows.
+	*/
+	displayName?: string;
+	/**
+	* Optional structured SCIM name.
+	* Commonly set by IAM inbound SCIM provisioning flows.
+	*/
+	scimName?: Name;
+	/**
+	* Optional SCIM email collection.
+	* The simple `email` field still stores the primary email for convenience.
+	*/
+	emails?: Email[];
+	/**
+	* Optional SCIM nickname.
+	* Commonly set by IAM inbound SCIM provisioning flows.
+	*/
+	nickName?: string;
+	/**
+	* Optional SCIM account state.
+	* Commonly set by IAM inbound SCIM provisioning flows.
+	*/
+	active?: boolean;
+	/**
+	* Optional SCIM job title.
+	* Commonly set by IAM inbound SCIM provisioning flows.
+	*/
+	title?: string;
+	/**
+	* Optional SCIM preferred language.
+	* Commonly set by IAM inbound SCIM provisioning flows.
+	*/
+	preferredLanguage?: string;
+	/**
+	* Optional SCIM locale.
+	* Commonly set by IAM inbound SCIM provisioning flows.
+	*/
+	locale?: string;
+	/**
+	* Optional SCIM timezone.
+	* Commonly set by IAM inbound SCIM provisioning flows.
+	*/
+	timezone?: string;
+	/**
+	* Optional SCIM phone numbers.
+	* Commonly set by IAM inbound SCIM provisioning flows.
+	*/
+	phoneNumbers?: PhoneNumber[];
+	/**
+	* Optional SCIM instant messaging addresses.
+	* Commonly set by IAM inbound SCIM provisioning flows.
+	*/
+	ims?: Array<{
+		value: string;
+		display?: string;
+		type?: string;
+		primary?: boolean;
+	}>;
+	/**
+	* Optional SCIM photos.
+	* Commonly set by IAM inbound SCIM provisioning flows.
+	*/
+	photos?: Photo[];
+	/**
+	* Optional SCIM addresses.
+	* Commonly set by IAM inbound SCIM provisioning flows.
+	*/
+	addresses?: Address[];
+	/**
+	* Optional SCIM roles.
+	* Commonly set by IAM inbound SCIM provisioning flows.
+	*/
+	roles?: Role[];
+	/**
+	* Optional SCIM groups.
+	* Commonly set by IAM inbound SCIM provisioning flows.
+	*/
+	groups?: Group[];
+	/**
+	* Optional SCIM entitlements.
+	* Commonly set by IAM inbound SCIM provisioning flows.
+	*/
+	entitlements?: Array<{
+		value: string;
+		display?: string;
+		type?: string;
+		primary?: boolean;
+	}>;
+	/**
+	* Optional SCIM X.509 certificates.
+	* Commonly set by IAM inbound SCIM provisioning flows.
+	*/
+	x509Certificates?: X509Certificate[];
+	/**
+	* Optional SCIM enterprise extension.
+	* Mirrors `urn:ietf:params:scim:schemas:extension:enterprise:2.0:User`.
+	* Commonly set by IAM inbound SCIM provisioning flows.
+	*/
+	scimEnterprise?: EnterpriseExtension;
+	/**
+	* Optional pass-through SCIM schema extensions keyed by full URN.
+	* Use this when your validator accepts custom top-level SCIM extensions and
+	* you want them to round-trip through a `UserStore` implementation.
+	*/
+	scimSchemaExtensions?: Record<string, unknown>;
+	/**
+	* Timestamp when the user was first stored.
+	*/
+	createdAt?: Date;
+	/**
+	* Timestamp when the user was last updated (e.g., on re-login).
+	*/
+	updatedAt?: Date;
+	/**
+	* Optional SSO envelope for stores that persist full auth profile data.
+	* Simple app stores MAY omit this field.
+	*/
+	sso?: User2["sso"];
+} & TExtended;
+type UserStoreOptions = {
+	tenantId: string;
+	tenants: TenantStore;
+};
+/**
+* Abstract interface for user storage backends.
+*
+* Consumers can implement this interface to use different storage backends:
+* - In-memory (for development/testing)
+* - Redis (for production with fast lookups)
+* - Database (PostgreSQL, MySQL, etc.)
+*
+* @template TExtended - Type-safe custom data that consumers can add to users
+*
+* @example
+* ```typescript
+* // Custom user data
+* type MyUserData = {
+*   department: string;
+*   roles: string[];
+* };
+*
+* // Implement custom store
+* class RedisUserStore implements UserStore<MyUserData> {
+*   async get(sub: string): Promise<StoredUser<MyUserData> | null> {
+*     const data = await redis.get(`user:${sub}`);
+*     return data ? JSON.parse(data) : null;
+*   }
+*   // ... other methods
+* }
+* ```
+*/
+interface UserStore<TExtended = object> {
+	/**
+	* Retrieve a user by their subject identifier (sub).
+	*
+	* This is the canonical lookup used by SDK flows whenever possible.
+	* Other lookup methods (userName) are secondary convenience indexes.
+	*
+	* @param sub - The user's unique identifier from the IdP
+	* @returns The user if found, undefined otherwise
+	*/
+	get(sub: string): Promise<StoredUser<TExtended> | undefined>;
+	/**
+	* Retrieve a user by their username.
+	*
+	* @param userName - The user's username
+	* @returns The user if found, undefined otherwise
+	*/
+	getByUserName(userName: string): Promise<StoredUser<TExtended> | undefined>;
+	/**
+	* Create or update a user in the store.
+	*
+	* If a user with the same `id` (sub) exists, it will be updated.
+	* Otherwise, a new user will be created.
+	*
+	* @param user - The user data to store
+	*/
+	upsert(user: StoredUser<TExtended>): Promise<StoredUser<TExtended>>;
+	/**
+	* Delete a user by their subject identifier (sub).
+	*
+	* @param sub - The user's unique identifier to delete
+	*/
+	delete(sub: string): Promise<number>;
+	/**
+	* List users in the store with optional pagination and sort.
+	*
+	* @param options - Optional start (0-based), limit (page size), and sort
+	* @returns ListResult with total, count, items, size, page, pages
+	*/
+	list(options?: UserListOptions): Promise<ListResult<StoredUser<TExtended>>>;
+}
+/**
+* SCIM Error response structure
+*/
+interface ScimError {
+	schemas: string[];
+	status: string;
+	scimType?: string;
+	detail?: string;
+}
+/**
+* SCIM List Response for bulk operations
+*/
+interface ScimListResponse<T> {
+	schemas: string[];
+	totalResults: number;
+	startIndex?: number;
+	itemsPerPage?: number;
+	Resources: T[];
+}
+/**
+* Result of a SCIM operation
+*/
+interface ScimResult<T> {
+	success: boolean;
+	data?: T;
+	error?: ScimError;
+	status: number;
+}
+/**
+* Handler configuration for IAM
+*/
+interface IAMHandlerConfig {
+	/**
+	* Base path for the SCIM Users endpoints (e.g., '/api/iam/Users')
+	*/
+	usersUrl?: string;
+	/**
+	* Base path for the SCIM Groups endpoints (e.g., '/api/iam/Groups')
+	*/
+	groupsUrl?: string;
+	/**
+	* Handler overrides for SCIM discovery endpoints (e.g., '/api/iam/ServiceProviderConfig')
+	*/
+	discovery?: IAMDiscoveryHandlerConfig;
+}
+/**
+* IAM configuration
+*
+* - If `url` is provided, groups_outbound is enabled (app calls external IAM)
+* - If `groupStore` is provided, groups_inbound is enabled (external IAM calls app)
+* - If `userStore` is provided, users_inbound is enabled (external IAM calls app)
+*/
+type IAMConfig = {
+	/**
+	* Base URL of the external SCIM endpoint (e.g., https://sailpoint.example.com/scim/v2)
+	* If provided, enables outbound SCIM operations (app -> external IAM)
+	*/
+	url?: string;
+	/**
+	* Store for inbound user provisioning from external IAM providers.
+	* When configured, the app can receive user CRUD operations via SCIM.
+	*/
+	userStore?: UserStore;
+	/**
+	* Optional inbound user mapping hooks for SCIM provisioning.
+	* Use these when the default StoredUser <-> SCIM mapping is not a direct fit
+	* for your application's database model.
+	*/
+	inboundUsers?: IAMInboundUsersConfig;
+	/**
+	* Store for inbound group provisioning from external IAM providers.
+	* When configured, enables groups_inbound (external IAM -> app).
+	*/
+	groupStore?: GroupStore;
+	/**
+	* Optional handler defaults. These are merged with per-call overrides in
+	* `iam.handler`, with per-call values taking precedence.
+	*/
+	usersUrl?: string;
+	groupsUrl?: string;
+	discovery?: IAMDiscoveryConfig;
+};
+type IAMValidators = {
+	user: StandardSchemaV17<unknown, User>;
+	group: StandardSchemaV17<unknown, GroupResource>;
+};
+interface IAMInboundUserContext {
+	/**
+	* Current stored user when replacing or patching an existing resource.
+	*/
+	existing?: StoredUser;
+	/**
+	* Operation mode for the inbound mapper.
+	*/
+	mode: "create" | "replace" | "patch";
+}
+interface IAMInboundUsersConfig {
+	/**
+	* Replace the default validated SCIM -> StoredUser mapper.
+	*/
+	mapValidatedScimToStoredUser?: (validated: User, context: IAMInboundUserContext) => StoredUser | Promise<StoredUser>;
+	/**
+	* Replace the default StoredUser -> SCIM response mapper.
+	*/
+	mapStoredUserToScim?: (stored: StoredUser) => User | Promise<User>;
+}
+interface ScimAuthenticationScheme {
+	type: string;
+	name: string;
+	description?: string;
+	specUri?: string;
+	documentationUri?: string;
+	primary?: boolean;
+}
+interface ScimServiceProviderConfig {
+	schemas: string[];
+	documentationUri?: string;
+	patch: {
+		supported: boolean;
+	};
+	bulk: {
+		supported: boolean;
+		maxOperations?: number;
+		maxPayloadSize?: number;
+	};
+	filter: {
+		supported: boolean;
+		maxResults?: number;
+	};
+	changePassword: {
+		supported: boolean;
+	};
+	sort: {
+		supported: boolean;
+	};
+	etag: {
+		supported: boolean;
+	};
+	authenticationSchemes?: ScimAuthenticationScheme[];
+	meta?: {
+		resourceType?: string;
+		location?: string;
+	};
+}
+interface ScimResourceTypeSchemaExtension {
+	schema: string;
+	required: boolean;
+}
+interface ScimResourceType {
+	schemas: string[];
+	id: string;
+	name: string;
+	description?: string;
+	endpoint: string;
+	schema: string;
+	schemaExtensions?: ScimResourceTypeSchemaExtension[];
+	meta?: {
+		resourceType?: string;
+		location?: string;
+	};
+}
+interface ScimSchemaAttributeDefinition {
+	name: string;
+	type: "string" | "boolean" | "complex" | "reference" | "dateTime";
+	multiValued: boolean;
+	description?: string;
+	required?: boolean;
+	caseExact?: boolean;
+	mutability?: "readOnly" | "readWrite" | "immutable" | "writeOnly";
+	returned?: "always" | "never" | "default" | "request";
+	uniqueness?: "none" | "server" | "global";
+	referenceTypes?: string[];
+	subAttributes?: ScimSchemaAttributeDefinition[];
+}
+interface ScimSchemaDefinition {
+	schemas: string[];
+	id: string;
+	name: string;
+	description?: string;
+	attributes: ScimSchemaAttributeDefinition[];
+	meta?: {
+		resourceType?: string;
+		location?: string;
+	};
+}
+interface IAMDiscoveryContext {
+	request: Request;
+	basePath: string;
+	usersUrl: string;
+	groupsUrl: string;
+	supportsUsers: boolean;
+	supportsGroups: boolean;
+}
+interface IAMDiscoveryConfig {
+	/**
+	* Public IAM base path used for SCIM discovery. When omitted, the SDK derives
+	* it from `usersUrl` or `groupsUrl`.
+	*/
+	basePath?: string;
 	/**
-	* TTL for cached per-tenant EnterpriseStandard instances, in milliseconds.
-	* Default is forever; set to 0 to recreate ES on every getEs() call.
+	* Optional documentation URI advertised in ServiceProviderConfig.
 	*/
-	ttl?: number;
+	documentationUri?: string;
 	/**
-	* Optional factory used to create an ES instance for a tenant.
-	* If omitted, getEs() throws.
+	* Override the default ServiceProviderConfig response.
 	*/
-	createEs?: TenantEsFactory<TExtended>;
-};
-type TenantMetadataRecord = Omit<TenantBaseRecord, "tenantId" | "config" | "configSource" | "status" | "createdAt" | "updatedAt">;
-type TenantExtendedUpsertFields<TExtended extends object> = string extends keyof TExtended ? unknown : Partial<TExtended>;
-type TenantStoreUpsertRecord<TExtended extends object = Record<string, never>> = Pick<TenantBaseRecord, "tenantId" | "configSource"> & Partial<TenantMetadataRecord> & Partial<Pick<TenantBaseRecord, "status" | "createdAt" | "updatedAt">> & TenantExtendedUpsertFields<TExtended>;
-type TenantUserRegistration<TMode extends UserMode = UserMode> = {
-	userMode: TMode;
-	registerUserTenantId?(userId: string, tenantId: string | null | undefined): void | Promise<void>;
-};
-type TenantStoreBase<
-	TMode extends UserMode = "singleTenantOnly",
-	TExtended extends object = Record<string, never>
-> = TenantUserRegistration<TMode> & {
-	storeConfig(config: TenantConfigStoreRequest<TExtended>): Promise<TenantConfigSourceInput>;
-	get(tenantId: string): Promise<StoredTenant<TExtended> | null>;
-	list(options?: TenantListOptions): Promise<ListResult<StoredTenant<TExtended>>>;
-	upsert(tenant: TenantStoreUpsertRecord<TExtended>): Promise<StoredTenant<TExtended>>;
-	delete(tenantId: string): Promise<void>;
-};
-type TenantLookupMethods<
-	TMode extends UserMode,
-	TExtended extends object
-> = TMode extends "singleTenantOnly" ? {
-	findTenantByUserId(userId: string): Promise<StoredTenant<TExtended> | null>;
-	findTenantsByUserIds?: never;
-} : {
-	findTenantByUserId?: never;
-	/**
-	* Batched HRD lookup. Resolves the tenants associated with each user id and
-	* returns a `Map` keyed by the original `userId`. Implementations MUST handle
-	* up to {@link MAX_TENANTS_BATCH_USER_IDS} ids per call (matches
-	* `MAX_SSO_DISCOVERY_CANDIDATES`); larger inputs are a programming error.
-	*
-	* **Per-engine guidance for store authors:**
-	*
-	* - Modern engines (PostgreSQL, MySQL/MariaDB, SQLite, MS SQL Server): a single
-	*   parameterized `WHERE user_id IN (?, ?, ...)` is fine at this batch size.
-	* - PostgreSQL specifically: prefer `WHERE user_id = ANY($1::text[])` to keep
-	*   one prepared-statement plan in cache.
-	* - Oracle (≤19c with the 1000-element `IN`-list cap): 32 is well within range;
-	*   if you ever raise this cap upstream, chunk by 1000.
-	* - IBM DB2 / strict engines with low `IN`-list or 32 KB statement-text limits:
-	*   safe at 32, but if the cap is raised the implementation MUST chunk or fall
-	*   back to N+1 lookups internally — never throw and never return partial
-	*   results silently.
-	* - Always parameterize the `IN` value type to match the `user_id` column
-	*   (text vs numeric) to avoid implicit-conversion full table scans.
-	*/
-	findTenantsByUserIds(userIds: string[]): Promise<Map<string, StoredTenant<TExtended>[]>>;
-};
-/**
-* Hard upper bound on the number of user ids accepted by
-* {@link TenantStore.findTenantsByUserIds} (and the public
-* `getTenantsForUserIds`/`getSSOUsers` helpers). Tied to the SSO discovery cap so
-* a single cookie-first browser request never exceeds this value.
-*
-* Treat this as an upper bound, not a target. See per-engine implementation
-* guidance on `findTenantsByUserIds`.
-*/
-declare const MAX_TENANTS_BATCH_USER_IDS = 32;
-type TenantStore<
-	TMode extends UserMode = "singleTenantOnly",
-	TExtended extends object = Record<string, never>
-> = TenantStoreBase<TMode, TExtended> & TenantLookupMethods<TMode, TExtended>;
-type TenantStoreWithES<
-	TMode extends UserMode = "singleTenantOnly",
-	TExtended extends object = Record<string, never>
-> = TenantStore<TMode, TExtended> & {
-	ttl: number;
-	getEs(tenantId: string): Promise<EnterpriseStandard | null>;
-	getCachedTenantIds(): string[];
-};
-type InMemoryTenantStoreOptions<
-	TMode extends UserMode = "singleTenantOnly",
-	TExtended extends object = Record<string, never>
-> = TenantStoreWithESOptions<TExtended> & {
-	userMode: TMode;
-};
-declare class InMemoryTenantStore<
-	TMode extends UserMode = "singleTenantOnly",
-	TExtended extends object = Record<string, never>
-> {
-	private tenants;
-	private tenantEsMap;
-	private userTenantIds;
-	readonly ttl: number;
-	readonly userMode: TMode;
-	private readonly createEs?;
-	readonly findTenantByUserId: TMode extends "singleTenantOnly" ? (userId: string) => Promise<StoredTenant<TExtended> | null> : never;
-	readonly findTenantsByUserIds: TMode extends "multipleTenantsPerUser" ? (userIds: string[]) => Promise<Map<string, StoredTenant<TExtended>[]>> : never;
-	constructor(options: InMemoryTenantStoreOptions<TMode, TExtended>);
-	get(tenantId: string): Promise<StoredTenant<TExtended> | null>;
-	list(options?: TenantListOptions): Promise<ListResult<StoredTenant<TExtended>>>;
-	upsert(tenant: TenantStoreUpsertRecord<TExtended>): Promise<StoredTenant<TExtended>>;
-	delete(tenantId: string): Promise<void>;
-	getEs(tenantId: string): Promise<EnterpriseStandard>;
-	getCachedTenantIds(): string[];
-	registerUserTenantId(userId: string, tenantId: string | null | undefined): Promise<void>;
-	private findSingleTenantByUserId;
-	private findMultipleTenantsByUserIds;
-	private resolveTenantsByUserId;
-}
-declare function sendTenantWebhook(webhookUrl: string, payload: TenantWebhookPayload, log: Logger): Promise<void>;
-/**
-* Magic link data stored in the store.
-*
-* @template TExtended - Type-safe custom data that consumers can add to magic links
-*/
-type MagicLink<TExtended = object> = {
+	buildServiceProviderConfig?: (context: IAMDiscoveryContext, defaults: ScimServiceProviderConfig) => ScimServiceProviderConfig | Promise<ScimServiceProviderConfig>;
 	/**
-	* The magic link token (unique identifier)
+	* Override the default ResourceTypes response.
 	*/
-	token: string;
+	buildResourceTypes?: (context: IAMDiscoveryContext, defaults: ScimResourceType[]) => ScimResourceType[] | Promise<ScimResourceType[]>;
 	/**
-	* User information associated with this magic link
+	* Override the default Schemas response.
 	*/
-	user: BaseUser;
+	buildSchemas?: (context: IAMDiscoveryContext, defaults: ScimSchemaDefinition[]) => ScimSchemaDefinition[] | Promise<ScimSchemaDefinition[]>;
+}
+/**
+* Options for creating a user
+*/
+interface CreateUserOptions {
 	/**
-	* Timestamp when the magic link was created
+	* External identifier for the user
 	*/
-	createdAt: Date;
+	externalId?: string;
+}
+/**
+* Options for creating a group
+*/
+interface CreateGroupOptions {
 	/**
-	* Timestamp when the magic link expires
+	* External identifier for the group
 	*/
-	expiresAt: Date;
+	externalId?: string;
 	/**
-	* Allow consumers to add runtime data to magic links
+	* Initial members to add to the group
 	*/
-	[key: string]: unknown;
-} & TExtended;
+	members?: GroupMember[];
+}
 /**
-* Abstract interface for magic link storage backends.
-*
-* Consumers can implement this interface to use different storage backends:
-* - In-memory (for development/testing)
-* - Redis (for production with fast lookups and automatic expiration)
-* - Database (PostgreSQL, MySQL, etc.)
-*
-* @template TExtended - Type-safe custom data that consumers can add to magic links
-*
-* @example
-* ```typescript
-* // Custom magic link data
-* type MyMagicLinkData = {
-*   source: string;
-*   metadata: Record<string, unknown>;
-* };
-*
-* // Implement custom store
-* class RedisMagicLinkStore implements MagicLinkStore<MyMagicLinkData> {
-*   async create(token: string, user: BaseUser, expiresAt: Date): Promise<void> {
-*     const magicLink: MagicLink<MyMagicLinkData> = {
-*       token,
-*       user,
-*       createdAt: new Date(),
-*       expiresAt,
-*       source: 'api',
-*       metadata: {},
-*     };
-*     const ttl = Math.floor((expiresAt.getTime() - Date.now()) / 1000);
-*     await redis.setex(`magic-link:${token}`, ttl, JSON.stringify(magicLink));
-*   }
-*   // ... other methods
-* }
-* ```
+* Handler configuration for groups_inbound
 */
-interface MagicLinkStore<TExtended = object> {
+interface GroupsInboundHandlerConfig {
 	/**
-	* Create a new magic link in the store.
-	*
-	* @param token - The magic link token (unique identifier)
-	* @param user - The user information to associate with this magic link
-	* @param expiresAt - When the magic link expires
-	* @throws Error if magic link with same token already exists
+	* Base path for the SCIM Groups endpoints (e.g., '/api/iam/Groups')
 	*/
-	create(token: string, user: BaseUser, expiresAt: Date): Promise<void>;
+	basePath?: string;
+}
+/**
+* Handler configuration for users_inbound
+*/
+interface UsersInboundHandlerConfig {
 	/**
-	* Retrieve a magic link by its token.
-	*
-	* @param token - The magic link token
-	* @returns The magic link if found and not expired, null otherwise
+	* Base path for the SCIM Users endpoints (e.g., '/api/iam/Users')
 	*/
-	get(token: string): Promise<MagicLink<TExtended> | null>;
+	basePath?: string;
+}
+interface IAMDiscoveryHandlerConfig {
 	/**
-	* Delete a magic link by its token.
-	*
-	* Used after a magic link has been consumed (one-time use).
-	*
-	* @param token - The magic link token to delete
+	* Base path for the IAM discovery endpoints (e.g., '/api/iam')
 	*/
-	delete(token: string): Promise<void>;
+	basePath?: string;
 }
-type ConfigSourceType = "vault" | "azure" | "aws" | "gcp";
-type ESValidators = {
-	sso: SSOValidators;
-	iam: IAMValidators;
-	workload: WorkloadValidators;
-	ciam: CIAMValidators;
-	secrets?: SecretsValidators;
-};
-type ApplicationValidators = ESValidators & {
-	tenant: TenantValidators;
-};
 /**
-* Configuration supplied by the framework/application when creating an Enterprise Standard instance.
-* Merged with RemoteConfig from the ConfigSource (framework config wins). Pass as the second
-* argument to enterpriseStandard(source, config).
-* Set a module to `null` to explicitly disable it; then the corresponding property on the
-* EnterpriseStandard instance is typed as `never`. Omit a module to allow it to be supplied
-* from ConfigSource / adaptive (typed as the module type, non-optional).
+* Groups Outbound extension - for creating groups in external IAM providers.
+* Enabled when `url` is configured in IAMConfig.
 */
-type FrameworkConfig = {
-	/** Optional `Logger` implementation (e.g. `consoleLogger`); exposed on the instance as `log`. */
-	log?: Logger;
-	sso?: SSOConfig | null;
-	iam?: IAMConfig | null;
-	workload?: FrameworkWorkloadConfig | null;
-	secrets?: FrameworkSecretsModuleConfig | null;
-	ciam?: CIAMConfig | null;
-	validators: ESValidators;
+type IAMGroupsOutbound = {
+	/**
+	* Create a new group in the external IAM provider
+	* @param displayName - The display name for the group
+	* @param options - Optional configuration for the group creation
+	* @returns The created group resource from the provider
+	*/
+	createGroup: (displayName: string, options?: CreateGroupOptions) => Promise<ScimResult<GroupResource>>;
 };
 /**
-* Final configuration after merging ConfigSource (RemoteConfig) and FrameworkConfig.
-* Same shape as FrameworkConfig; each module (SSO, IAM, etc.) resolves its config from
-* both sources at runtime. Use this type when referring to the effective/merged config.
+* Groups Inbound extension - for receiving group provisioning from external IAM providers.
+* Enabled when `groupStore` is configured in IAMConfig.
 */
-type ESConfig = FrameworkConfig;
+type IAMGroupsInbound = {
+	/**
+	* Handle inbound SCIM requests for group management.
+	* Routes: GET/POST /Groups, GET/PUT/PATCH/DELETE /Groups/:id
+	*/
+	handler: (request: Request, config?: GroupsInboundHandlerConfig) => Promise<Response>;
+};
 /**
-* Remote config read from a config source (vault, lfv, etc.).
+* Users Inbound extension - for receiving user provisioning from external IAM providers.
+* Enabled when `userStore` is configured in IAMConfig.
 */
-type RemoteConfig = {
-	/** Optional app/tenant identifier for this ESA (e.g. from vault path or config). */
-	tenantId?: string;
-	sso?: SSOConfig;
-	iam?: IAMConfig;
+type IAMUsersInbound = {
 	/**
-	* Workload: single config, or incoming/outgoing (server vs client roles), or flat map of named clients.
-	* Preferred: { incoming: { jwksUri, issuer }, outgoing: { TNT_*: { clientId, ... } } }.
-	* Legacy: { default: { jwksUri, issuer }, TNT_*: { ... } } (flat map).
-	* TODO: Let's see if we can do some clean inference here!!!
+	* Handle inbound SCIM requests for user management.
+	* Routes: GET/POST /Users, GET/PUT/PATCH/DELETE /Users/:id
 	*/
-	workload?: WorkloadConfig | WorkloadConfigMap | WorkloadIncomingOutgoing;
-	/** Optional named secrets-source configs available to this ESA instance. */
-	secrets?: SecretsModuleConfig;
-	ciam?: CIAMConfig;
+	handler: (request: Request, config?: UsersInboundHandlerConfig) => Promise<Response>;
 };
 /**
-* Stores supplied by the framework/application when creating an Enterprise Standard instance.
+* Core IAM service interface.
+*
+* - Core functions are user-related (outbound to external IAM)
+* - `groups_outbound` is available when `url` is configured
+* - `groups_inbound` is available when `groupStore` is configured
+* - `users_inbound` is available when `userStore` is configured
 */
-type FrameworkStores = {
-	sessionStore?: SessionStore<unknown>;
-	userStore?: UserStore<unknown>;
-	groupStore?: GroupStore<unknown>;
-	magicLinkStore?: MagicLinkStore<unknown>;
-	workloadTokenStore?: WorkloadTokenStore;
-};
-type ModifiableFrameworkConfig = FrameworkConfig & {
-	setStores(stores: FrameworkStores): void;
-};
-/** Return type from the beforeChange hook passed to enterpriseStandard(). */
-type ESConfigChangeResult = {
-	config?: RemoteConfig;
-	frameworkConfig?: FrameworkConfig;
-};
-/** beforeChange callback invoked on every config application (initial load and updates). */
-type ESConfigChangeCallback = (config: RemoteConfig, frameworkConfig: ModifiableFrameworkConfig, oldConfig: RemoteConfig | undefined) => ESConfigChangeResult | void;
-type ConfigSource = {
-	load(): Promise<RemoteConfig>;
+type IAM = IAMConfig & {
 	/**
-	* Called when the config changes.
-	* @param onConfig - The callback to call when the config changes.
-	* @return an unsubscribe/cleanup function.
+	* Create a new user/account in the external IAM provider
+	* Only available when `url` is configured.
 	*/
-	subscribe(onConfig: (config: RemoteConfig) => void): undefined | (() => void);
+	createUser?: (user: User, options?: CreateUserOptions) => Promise<ScimResult<User>>;
 	/**
-	* Default secret client for the config source itself.
-	* For vault-backed sources this is the vault used to read RemoteConfig.
+	* Get the configured external SCIM base URL
 	*/
-	secret: SecretsSource;
+	getBaseUrl: () => string | undefined;
 	/**
-	* Optional. If not set by the creator, the framework may set this before calling load/subscribe
-	* so the source can use the same logger as the Enterprise Standard instance (`log`).
+	* Groups Outbound extension - create groups in external IAM provider.
+	* Available when `url` is configured in IAMConfig.
 	*/
-	log?: Logger;
+	groups_outbound?: IAMGroupsOutbound;
 	/**
-	* Optional. If not set by the creator, the framework may set this before calling load/subscribe
-	* so the source can use the same validators.
+	* Groups Inbound extension - receive group provisioning from external IAM.
+	* Available when `groupStore` is configured in IAMConfig.
 	*/
-	validators?: ESValidators;
+	groups_inbound?: IAMGroupsInbound;
+	/**
+	* Users Inbound extension - receive user provisioning from external IAM.
+	* Available when `userStore` is configured in IAMConfig.
+	*/
+	users_inbound?: IAMUsersInbound;
+	/**
+	* Framework-agnostic request handler for the IAM module.
+	* Routes to discovery, users_inbound, or groups_inbound based on the request path.
+	*/
+	handler: (request: Request, config?: IAMHandlerConfig) => Promise<Response>;
 };
 /**
 * Serializes a FrameworkConfig (or ESConfig) to a JSON-serializable object.
@@ -3533,4 +3505,4 @@ declare function deepEqualPlain(a: unknown, b: unknown): boolean;
 * @returns A promise that resolves when the service is ready.
 */
 declare function waitOn(url: string, test?: (resp: Response) => boolean | Promise<boolean>, pingInterval?: number, warnInterval?: number, timeout?: number): Promise<void>;
-export { workloadTokenResponseSchema, withValidate, waitOn, version, validationFailureResponse, userSchema, tokenResponseSchema, stripJsonComments, silentLogger, setActiveSession, serializeESConfig, sendTenantWebhook, parseJsonc, oidcCallbackSchema, normalizeTenantRoutingStrategy, normalizeTenantPathNamespace, must, mergeConfig, matchTenantPath, listSsoClientIdsFromCookies, list, jwtAssertionClaimsSchema, infoLogger, idTokenClaimsSchema, groupResourceSchema, getActiveSession, findTenantFromStateParam, defaultLogger, deepEqualPlain, decodeUser, debugLogger, consoleLogger, clearActiveSession, claimsToUser, buildTenantPath, X509Certificate, WorkloadValidators, WorkloadTokenStore, WorkloadTokenResponse, WorkloadIncomingOutgoing, WorkloadIdentity, WorkloadConfigMap, WorkloadConfig, WorkloadClient, Workload, VaultWebSocketSecretsConfig, VaultWebSocketAuthHeader, VaultSecretsConfig, VaultLfvSecretsConfig, ValidateResult, UsersInboundHandlerConfig, UserStore, UserSortOptions, UserSortField, UserMode, UserListOptions, User2 as User, UpsertTenantResponse, UpsertTenantRequest, TokenValidationResult, TokenResponse, TenantWebhookPayload, TenantValidators, TenantUserRegistration, TenantStoredConfigLocator, TenantStoreWithESOptions, TenantStoreWithES, TenantStoreUpsertRecord, TenantStore, TenantStatus, TenantSortOptions, TenantSortField, TenantSecretsConfig, TenantRoutingStrategy, TenantRequestError, TenantRemoteConfigLocator, TenantPathRoutingStrategy, TenantPathNamespace, TenantPathMatch, TenantListOptions, TenantJwtRoutingStrategy, TenantEsFactory, TenantDirectoryTenant, TenantDirectoryResponse, TenantDirectoryAccount, TenantConfigStoreRequest, TenantConfigSourceInput, TenantConfigLocator, TenantConfigEnv, StoredUser, StoredTenantRecord, StoredTenant, StoredGroup, StateCookie, StandardSchemaWithValidate, SortDirection, SessionStore, Session, ServerOnlyWorkloadConfig, SecretsValidators, SecretsSourceType, SecretsSourceMap, SecretsSourceConfig, SecretsSource, SecretsOperationOptions, SecretsModuleConfig, Secrets, SecretRequestSeverity, SecretLifecycleRequest, Secret, User as ScimUser, ScimServiceProviderConfig, ScimSchemaDefinition, ScimSchemaAttributeDefinition, ScimResult, ScimResourceTypeSchemaExtension, ScimResourceType, ScimListResponse, ScimError, ScimAuthenticationScheme, SSOValidators, SSOHandlerConfig, SSOConfig, SSOAppValidators, SSOAppRegistry, SSO, Role, ResolvedVaultLfvSecretsConfig, RemoteConfig, RegisterSSOAppResult, RegisterSSOAppPayload, RegisterSSOAppError, RegisterIAMAppResult, RegisterIAMAppPayload, RegisterIAMAppError, ReactiveHandle, Photo, PhoneNumber, OidcCallbackParams, Name, MultipleTenantsForUserError, ModifiableFrameworkConfig, MetaData, MagicLinkStore, MagicLink, MAX_TENANTS_BATCH_USER_IDS, LoginConfig, Logger, ListResult, LfvOtpResponse, LfvOtpRequest, LfvErrorResponse, LfvErrorCode, LfvActionRequestBase, LfvActionName, LfvActionAcceptedResponse, JwtBearerWorkloadConfig, JWTAssertionClaims, InMemoryTenantStoreOptions, InMemoryTenantStore, IdTokenClaims, IAMValidators, IAMUsersInbound, IAMInboundUsersConfig, IAMInboundUserContext, IAMHandlerConfig, IAMGroupsOutbound, IAMGroupsInbound, IAMDiscoveryHandlerConfig, IAMDiscoveryContext, IAMDiscoveryConfig, IAMConfig, IAMAppValidators, IAMAppRole, IAMAppRegistry, IAM, GroupsInboundHandlerConfig, GroupStore, GroupSortOptions, GroupSortField, GroupResource, GroupMember, GroupListOptions, Group, GcpSecretsConfig, FrameworkWorkloadIncomingOutgoing, FrameworkWorkloadConfig, FrameworkStores, FrameworkSecretsSourceConfig, FrameworkSecretsModuleConfig, FrameworkConfig, EnvironmentType, EnterpriseUser, EnterpriseStandardFromConfig, EnterpriseStandardBase, EnterpriseStandard, EnterpriseExtension, Email, ESValidators, ESRoutingOptions, ESRouteModule, ESRouteFilterResult, ESResolvedRoute, ESModuleFromConfig, ESConfigChangeResult, ESConfigChangeOptions, ESConfigChangeCallback, ESConfig, DevSecretsConfig, DEFAULT_TENANT_UI_NAMESPACE, DEFAULT_TENANT_API_NAMESPACE, CreateUserOptions, CreateTenantResponse, CreateTenantRequest, CreateGroupOptions, ConfigSourceType, ConfigSource, ClientCredentialsWorkloadConfig, ChangeListener, CachedWorkloadToken, CIAMValidators, CIAMConfigFromCode, CIAMConfig, CIAM, BaseUser, AzureSecretsConfig, AwsSecretsConfig, AwsAuthMethod, ApplicationValidators, Address };
+export { workloadTokenResponseSchema, withValidate, waitOn, version, validationFailureResponse, userSchema, tokenResponseSchema, stripJsonComments, silentLogger, setActiveSession, serializeESConfig, sendTenantWebhook, parseJsonc, oidcCallbackSchema, normalizeTenantRoutingStrategy, normalizeTenantPathNamespace, must, mergeConfig, matchTenantPath, listSsoClientIdsFromCookies, list, jwtAssertionClaimsSchema, infoLogger, idTokenClaimsSchema, groupResourceSchema, getActiveSession, findTenantFromStateParam, defaultLogger, deepEqualPlain, decodeUser, debugLogger, consoleLogger, clearActiveSession, claimsToUser, buildTenantPath, X509Certificate, WorkloadValidators, WorkloadTokenStore, WorkloadTokenResponse, WorkloadIncomingOutgoing, WorkloadIdentity, WorkloadConfigMap, WorkloadConfig, WorkloadClient, Workload, VaultWebSocketSecretsConfig, VaultWebSocketAuthHeader, VaultSecretsConfig, VaultLfvSecretsConfig, ValidateResult, UsersInboundHandlerConfig, UserStoreOptions, UserStore, UserSortOptions, UserSortField, UserListOptions, User2 as User, UpsertTenantResponse, UpsertTenantRequest, TokenValidationResult, TokenResponse, TenantWebhookPayload, TenantValidators, TenantUserRegistration, TenantStoredConfigLocator, TenantStoreWithEsCache, TenantStoreWithESOptions, TenantStoreWithES, TenantStore, TenantStatus, TenantSortOptions, TenantSortField, TenantSecretsConfig, TenantRoutingStrategy, TenantRequestError, TenantRemoteConfigLocator, TenantPathRoutingStrategy, TenantPathNamespace, TenantPathMatch, TenantManagerStore, TenantListOptions, TenantJwtRoutingStrategy, TenantEsFactory, TenantDirectoryTenant, TenantDirectoryResponse, TenantDirectoryAccount, TenantConfigStoreRequest, TenantConfigSourceInput, TenantConfigLocator, TenantConfigEnv, StoredUser, StoredTenantRecord, StoredTenant, StoredGroup, StateCookie, StandardSchemaWithValidate, SortDirection, SingleTenantStoreOptions, SingleTenantStore, SessionStore, Session, ServerOnlyWorkloadConfig, SecretsValidators, SecretsSourceType, SecretsSourceMap, SecretsSourceConfig, SecretsSource, SecretsOperationOptions, SecretsModuleConfig, Secrets, SecretRequestSeverity, SecretLifecycleRequest, Secret, User as ScimUser, ScimServiceProviderConfig, ScimSchemaDefinition, ScimSchemaAttributeDefinition, ScimResult, ScimResourceTypeSchemaExtension, ScimResourceType, ScimListResponse, ScimError, ScimAuthenticationScheme, SSOValidators, SSOHandlerConfig, SSOConfig, SSOAppValidators, SSOAppRegistry, SSO, Role, ResolvedVaultLfvSecretsConfig, RemoteConfig, RegisterSSOAppResult, RegisterSSOAppPayload, RegisterSSOAppError, RegisterIAMAppResult, RegisterIAMAppPayload, RegisterIAMAppError, ReactiveHandle, Photo, PhoneNumber, OidcCallbackParams, Name, MultipleTenantsForUserError, MultiTenantStoreOptions, MultiTenantStore, ModifiableFrameworkConfig, MetaData, MagicLinkStore, MagicLink, LoginConfig, Logger, ListResult, LfvOtpResponse, LfvOtpRequest, LfvErrorResponse, LfvErrorCode, LfvActionRequestBase, LfvActionName, LfvActionAcceptedResponse, JwtBearerWorkloadConfig, JWTAssertionClaims, InMemoryTenantStoreOptions, InMemorySingleTenantStoreOptions, InMemorySingleTenantStore, InMemoryMultiTenantStoreOptions, InMemoryMultiTenantStore, IdTokenClaims, IAMValidators, IAMUsersInbound, IAMInboundUsersConfig, IAMInboundUserContext, IAMHandlerConfig, IAMGroupsOutbound, IAMGroupsInbound, IAMDiscoveryHandlerConfig, IAMDiscoveryContext, IAMDiscoveryConfig, IAMConfig, IAMAppValidators, IAMAppRole, IAMAppRegistry, IAM, GroupsInboundHandlerConfig, GroupStore, GroupSortOptions, GroupSortField, GroupResource, GroupMember, GroupListOptions, Group, GcpSecretsConfig, FrameworkWorkloadIncomingOutgoing, FrameworkWorkloadConfig, FrameworkStores, FrameworkSecretsSourceConfig, FrameworkSecretsModuleConfig, FrameworkConfig, EnvironmentType, EnterpriseUser, EnterpriseStandardFromConfig, EnterpriseStandardBase, EnterpriseStandard, EnterpriseExtension, Email, ESValidators, ESRoutingOptions, ESRouteModule, ESRouteFilterResult, ESResolvedRoute, ESModuleFromConfig, ESConfigChangeResult, ESConfigChangeOptions, ESConfigChangeCallback, ESConfig, DevSecretsConfig, DEFAULT_TENANT_UI_NAMESPACE, DEFAULT_TENANT_API_NAMESPACE, CreateUserOptions, CreateTenantResponse, CreateTenantRequest, CreateGroupOptions, ConfigSourceType, ConfigSource, ClientCredentialsWorkloadConfig, ChangeListener, CachedWorkloadToken, CIAMValidators, CIAMConfigFromCode, CIAMConfig, CIAM, BaseUser, AzureSecretsConfig, AwsSecretsConfig, AwsAuthMethod, ApplicationValidators, Address };