npm - @enterprisestandard/core - Versions diffs - 0.0.17-beta.20260423.1 → 0.0.17 - Mend

@enterprisestandard/core 0.0.17-beta.20260423.1 → 0.0.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.d.ts +310 -263
package/dist/index.js +1 -1
package/dist/server.d.ts +160 -74
package/dist/server.js +1 -1
package/dist/shared/core-1x31ar7h.js +12 -0
package/package.json +3 -3
package/dist/shared/core-wpy88bze.js +0 -12

package/dist/index.d.ts CHANGED Viewed

@@ -39,7 +39,7 @@ declare const consoleLogger: Logger;
 /**
 * Result of a paginated list operation.
 *
-* @template T - Item type (e.g. StoredGroup, StoredUser, StoredTenant)
+* @template T - Item type (e.g. StoredGroup, StoredUser, BaseTenant)
 */
 interface ListResult<T> {
 	/** Total number of records matching (before pagination). */
@@ -642,7 +642,6 @@ interface GroupStore<TExtended = Record<string, never>> {
 	removeMember(groupId: string, memberId: string): Promise<void>;
 }
 import { StandardSchemaV1 as StandardSchemaV16 } from "@standard-schema/spec";
-import { StandardSchemaV1 as StandardSchemaV13 } from "@standard-schema/spec";
 import { StandardSchemaV1 as StandardSchemaV12 } from "@standard-schema/spec";
 /**
 * OIDC Code Flow Callback URL Parameters
@@ -884,7 +883,7 @@ interface SessionStore<TExtended = object> {
 }
 /**
 * Base user with simple, developer-friendly attributes.
-* Extended by User (SSO) and EnterpriseUser (SCIM).
+* Extended by WorkforceUser/Customer and EnterpriseUser (SCIM).
 */
 interface BaseUser {
 	/**
@@ -914,10 +913,10 @@ interface BaseUser {
 	userType?: string;
 }
 /**
-* Primary user type for SSO/OIDC applications.
-* Extends BaseUser with SSO-specific data.
+* Workforce user type for SSO/OIDC and IAM-backed applications.
+* Carries the SSO/OIDC context used by server helpers and user stores.
 */
-interface User2 extends BaseUser {
+interface WorkforceUser extends BaseUser {
 	/**
 	* SSO/OIDC authentication data
 	*/
@@ -951,6 +950,93 @@ interface User2 extends BaseUser {
 		expires: Date;
 	};
 }
+/**
+* Customer user type for CIAM-backed applications.
+*/
+interface Customer extends BaseUser {
+	ciam: {
+		/**
+		* ID token-like claims for CIAM sessions.
+		*/
+		profile: IdTokenClaims;
+		/**
+		* OAuth scopes granted for this customer session.
+		*/
+		scope?: string;
+		/**
+		* Token type (typically "Bearer").
+		*/
+		tokenType: string;
+		/**
+		* Session expiration time.
+		*/
+		expires: Date;
+	};
+}
+/**
+* Union of currently authenticated user domains.
+*/
+type AuthenticatedUser = WorkforceUser | Customer;
+import { StandardSchemaV1 as StandardSchemaV13 } from "@standard-schema/spec";
+/**
+* Result type for Standard Schema validation (success or failure).
+*/
+type ValidateResult<T> = StandardSchemaV13.Result<T>;
+/**
+* A Standard Schema with a top-level `validate()` method for a cleaner API.
+* Use this so callers can call `schema.validate(value)` instead of `schema['~standard'].validate(value)`.
+*/
+type StandardSchemaWithValidate<T> = StandardSchemaV13<unknown, T> & {
+	validate(value: unknown): Promise<StandardSchemaV13.Result<T>>;
+};
+/**
+* Wraps a Standard Schema so it has a top-level `validate(value)` method.
+* Use when creating or modifying validators so application code can call
+* `validators.ciam.baseUser.validate(raw)` instead of `validators.ciam.baseUser['~standard'].validate(raw)`.
+*
+* @example
+* const baseUser = withValidate(createBaseUserValidator());
+* const result = await baseUser.validate(requestBody);
+*/
+declare function withValidate<T>(schema: StandardSchemaV13<unknown, T>): StandardSchemaWithValidate<T>;
+declare function must<T>(value: T | undefined | null, message?: string): T;
+/**
+* Returns a 400 Response with the issues if there are any.
+* @param issues - Any validation issues.
+* @param message - The message to include in the response.
+* @returns A 400 Response with the issues if it does, otherwise null.
+*/
+declare function validationFailureResponse(issues: unknown, message: string): Response;
+/**
+* Merges two config objects, ensuring critical fields from vault take precedence.
+*
+* @param fromVault - Configuration from vault (takes precedence for critical fields)
+* @param fromCode - Configuration from code (used as fallback)
+* @param criticalFields - Array of field names that should prefer vault values
+* @returns Merged configuration object
+*/
+declare function mergeConfig<T extends Record<string, unknown>>(fromVault: T | undefined, fromCode: T | undefined, criticalFields?: string[]): T;
+/**
+* Strips // and /* *\/ comments from JSONC, respecting string literals.
+*/
+declare function stripJsonComments(content: string): string;
+declare function parseJsonc<T>(content: string): T;
+/**
+* Deep equality for JSON-like values used in config snapshots.
+* Treats object key order as irrelevant and treats missing and `undefined`
+* object properties as equal by ignoring `undefined` keys on both sides.
+*/
+declare function deepEqualPlain(a: unknown, b: unknown): boolean;
+/**
+* Waits for a HTTP service to be ready by polling its URL.
+* Connection errors (e.g. connection refused) are treated as "not ready" and retried.
+* @param url - The URL to poll.
+* @param pingInterval - The interval in milliseconds to poll the URL.
+* @param warnInterval - The interval in milliseconds to warn about the status. Set warnInterval to 0 to disable warnings.
+* @param timeout - The timeout in milliseconds to reject the promise.
+* @returns A promise that resolves when the service is ready.
+*/
+declare function waitOn(url: string, test?: (resp: Response) => boolean | Promise<boolean>, pingInterval?: number, warnInterval?: number, timeout?: number): Promise<void>;
 type SSOConfig<
 	TSessionData = Record<string, never>,
 	TUserData = Record<string, never>
@@ -1031,16 +1117,16 @@ type SSOHandlerConfig = {
 	logoutBackChannelUrl?: string;
 };
 type SSOValidators = {
-	callbackParams: StandardSchemaV13<unknown, OidcCallbackParams>;
-	idTokenClaims: StandardSchemaV13<unknown, IdTokenClaims>;
-	tokenResponse: StandardSchemaV13<unknown, TokenResponse>;
+	callbackParams: StandardSchemaWithValidate<OidcCallbackParams>;
+	idTokenClaims: StandardSchemaWithValidate<IdTokenClaims>;
+	tokenResponse: StandardSchemaWithValidate<TokenResponse>;
 };
 type SSO<
 	TSessionData = Record<string, never>,
 	TUserData = Record<string, never>
 > = SSOConfig<TSessionData, TUserData> & {
-	getUser: (request: Request) => Promise<User2 | undefined>;
-	getRequiredUser: (request: Request) => Promise<User2>;
+	getUser: (request: Request) => Promise<WorkforceUser | undefined>;
+	getRequiredUser: (request: Request) => Promise<WorkforceUser>;
 	getJwt: (request: Request) => Promise<string | undefined>;
 	initiateLogin: (config: LoginConfig, requestUrl?: string) => Promise<Response>;
 	logout: (request: Request, config?: LoginConfig) => Promise<Response>;
@@ -1833,10 +1919,22 @@ type VaultWebSocketSecretsConfig = {
 	/** Header name used to send the websocket token. Defaults to X-Vault-Token. */
 	header?: VaultWebSocketAuthHeader;
 };
+type VaultWorkloadAuthConfig = {
+	/** OAuth2 token endpoint used to mint workload access tokens for vault calls. */
+	idpTokenUrl?: string;
+	/** OAuth2 client id for this workload. */
+	clientId?: string;
+	/** OAuth2 client secret for this workload. */
+	clientSecret?: string;
+	/** Optional OAuth2 scope for the workload token request. */
+	scope?: string;
+};
 type VaultSecretsConfig = {
 	type: "vault";
 	url?: string;
 	token?: string;
+	/** Optional workload identity used to authenticate vault HTTP and websocket requests. */
+	workload?: VaultWorkloadAuthConfig;
 	/** Optional LFV transport capability for reads/lifecycle operations. */
 	lfv?: VaultLfvSecretsConfig;
 	/** Optional websocket capability for vault commands and live subscriptions. */
@@ -1937,6 +2035,97 @@ type AzureSecretsConfig = {
 	ttl?: number;
 };
 type ConfigSourceType = "vault" | "azure" | "aws" | "gcp";
+type ConfigSourceEnv = {
+	ES_CONFIG_TYPE?: ConfigSourceType;
+	ES_VAULT_URL?: string;
+	ES_VAULT_TOKEN?: string;
+	ES_VAULT_PATH?: string;
+	ES_VAULT_TTL?: string;
+	ES_VAULT_WORKLOAD_TOKEN_URL?: string;
+	ES_VAULT_WORKLOAD_CLIENT_ID?: string;
+	ES_VAULT_WORKLOAD_CLIENT_SECRET?: string;
+	ES_VAULT_WORKLOAD_SCOPE?: string;
+	ES_VAULT_LFV_SERVER_URL?: string;
+	ES_VAULT_LFV_CLIENT_ID?: string;
+	ES_VAULT_LFV_SIGNATURE?: string;
+	ES_VAULT_LFV_DELIVERY_ENDPOINT?: string;
+	ES_VAULT_LFV_VERIFY_PUBLIC_KEY?: string;
+	ES_VAULT_LFV_EVENTS_ENDPOINT?: string;
+	ES_VAULT_LFV_DELIVERY_TIMEOUT?: string;
+	ES_VAULT_LFV_RETRY_INTERVAL?: string;
+	ES_VAULT_LFV_WARN_INTERVAL?: string;
+	ES_VAULT_WEBSOCKET_URL?: string;
+	ES_VAULT_WEBSOCKET_TOKEN?: string;
+	ES_VAULT_WEBSOCKET_HEADER?: "X-Vault-Token" | "Authorization";
+	ES_AZURE_API_VERSION?: string;
+	ES_AZURE_SCOPE?: string;
+	ES_AZURE_SECRET_NAME_PREFIX?: string;
+	ES_AZURE_AUTH_METHOD?: AwsAuthMethod;
+	ES_AZURE_TENANT_ID?: string;
+	ES_AZURE_CLIENT_ID?: string;
+	ES_AZURE_CLIENT_SECRET?: string;
+	ES_AZURE_FEDERATED_TOKEN_FILE?: string;
+	ES_AZURE_MANAGED_IDENTITY_CLIENT_ID?: string;
+	ES_AZURE_IMDS_API_VERSION?: string;
+	ES_AZURE_PATH?: string;
+	ES_AZURE_VAULT_URL?: string;
+	ES_AZURE_VAULT_NAME?: string;
+	ES_AZURE_TTL?: string;
+	ES_AWS_WEBHOOK_URL?: string;
+	ES_AWS_TTL?: string;
+	ES_GCP_TTL?: string;
+};
+type VaultConfigLocator = {
+	type: "vault";
+	vaultUrl?: string;
+	vaultToken?: string;
+	vaultPath: string;
+	vaultTtl?: number;
+	vaultWorkloadTokenUrl?: string;
+	vaultWorkloadClientId?: string;
+	vaultWorkloadClientSecret?: string;
+	vaultWorkloadScope?: string;
+	vaultLfvServerUrl?: string;
+	vaultLfvClientId?: string;
+	vaultLfvSignature?: string;
+	vaultLfvDeliveryEndpoint?: string;
+	vaultLfvVerifyPublicKey?: string;
+	vaultLfvEventsEndpoint?: string;
+	vaultLfvPath?: string;
+	vaultLfvDeliveryTimeout?: number;
+	vaultLfvRetryInterval?: number;
+	vaultLfvWarnInterval?: number;
+	vaultWebsocketUrl?: string;
+	vaultWebsocketToken?: string;
+	vaultWebsocketHeader?: VaultWebSocketAuthHeader;
+};
+type AwsConfigLocator = {
+	type: "aws";
+	awsWebhookUrl: string;
+	awsTtl?: number;
+};
+type AzureConfigLocator = {
+	type: "azure";
+	azureAuthMethod?: AwsAuthMethod;
+	azureTenantId?: string;
+	azureClientId?: string;
+	azureClientSecret?: string;
+	azureFederatedTokenFile?: string;
+	azureManagedIdentityClientId?: string;
+	azureImdsApiVersion?: string;
+	azurePath?: string;
+	azureVaultUrl?: string;
+	azureVaultName?: string;
+	azureApiVersion?: string;
+	azureScope?: string;
+	azureSecretNamePrefix?: string;
+	azureTtl?: number;
+};
+type GcpConfigLocator = {
+	type: "gcp";
+	gcpTtl?: number;
+};
+type ConfigLocator = VaultConfigLocator | AwsConfigLocator | AzureConfigLocator | GcpConfigLocator;
 type ESValidators = {
 	sso: SSOValidators;
 	iam: IAMValidators;
@@ -2008,6 +2197,40 @@ type ESConfigChangeResult = {
 	config?: RemoteConfig;
 	frameworkConfig?: FrameworkConfig;
 };
+type RemoteConfigLoadErrorKind = "auth" | "connection" | "invalid_payload" | "invalid_status" | "not_found" | "timeout" | "unknown";
+type RemoteConfigRetryContext = {
+	/** 1-based retry attempt count for the current unavailable period. */
+	attempt: number;
+	/** Original error thrown by the ConfigSource. */
+	error: unknown;
+	/** Best-effort error classification for logging and policy decisions. */
+	errorKind: RemoteConfigLoadErrorKind;
+	/** Human-readable single-line error detail. */
+	message: string;
+	/** Retry delay selected by the policy. */
+	nextDelayMs: number;
+	/** Maximum delay allowed by the policy. */
+	maxDelayMs: number;
+	/** Config source transport when known, such as "vault", "azure", or "aws". */
+	sourceType?: ConfigSourceType | string;
+	/** Config path when known. */
+	path?: string;
+};
+type RemoteConfigRetryHook = (context: RemoteConfigRetryContext) => void | Promise<void>;
+type RemoteConfigRetryOptions = {
+	/** Initial retry delay. Defaults to 2000ms. */
+	initialDelayMs?: number;
+	/** Maximum retry delay. Defaults to 600000ms. */
+	maxDelayMs?: number;
+	/** Exponential multiplier applied after each failed attempt. Defaults to 2. */
+	multiplier?: number;
+	/** Jitter ratio applied to retry delays. Defaults to 0.2. */
+	jitterRatio?: number;
+	/** Timeout for each ConfigSource load attempt. Defaults to 30000ms. */
+	loadTimeoutMs?: number;
+	/** Called before each retry is scheduled. Throw to stop retrying and reject ready(). */
+	onRetry?: RemoteConfigRetryHook;
+};
 /** beforeChange callback invoked on every config application (initial load and updates). */
 type ESConfigChangeCallback = (config: RemoteConfig, frameworkConfig: ModifiableFrameworkConfig, oldConfig: RemoteConfig | undefined) => ESConfigChangeResult | void;
 type ConfigSource = {
@@ -2044,7 +2267,7 @@ type UpsertTenantRequestBase = {
 	email?: string;
 	webhookUrl?: string;
 	callbackUrl?: string;
-	configSource: TenantSecretsConfig;
+	configSource: ConfigLocator;
 };
 type UpsertTenantRequest<TExtended extends object = object> = UpsertTenantRequestBase & TExtended;
 type UpsertTenantResponse = {
@@ -2059,8 +2282,6 @@ type UpsertTenantResponse = {
 	expiresAt: string;
 	refs?: RefUrls[];
 };
-type CreateTenantRequest = UpsertTenantRequest;
-type CreateTenantResponse = UpsertTenantResponse;
 /**
 * The audience of the reference URL.
 * - 'human' for human-readable documentation such as user guides, documentation, etc.
@@ -2099,78 +2320,9 @@ type TenantValidators<
 > = {
 	upsertTenantRequest: StandardSchemaV16<unknown, TUpsertTenantRequest>;
 	upsertTenantResponse?: StandardSchemaV16<unknown, TUpsertTenantResponse>;
-	createTenantRequest?: StandardSchemaV16<unknown, TUpsertTenantRequest>;
-	createTenantResponse?: StandardSchemaV16<unknown, TUpsertTenantResponse>;
 };
-/**
-* Env-like tenant config variables used to build a ConfigSource at runtime.
-* These mirror the ES_* variables read by envConfig().
-*/
-type TenantConfigEnv = {
-	ES_CONFIG_TYPE?: ConfigSourceType;
-	ES_VAULT_URL?: string;
-	ES_VAULT_TOKEN?: string;
-	ES_VAULT_PATH?: string;
-	ES_VAULT_TTL?: string;
-	ES_VAULT_LFV_SERVER_URL?: string;
-	ES_VAULT_LFV_CLIENT_ID?: string;
-	ES_VAULT_LFV_SIGNATURE?: string;
-	ES_VAULT_LFV_DELIVERY_ENDPOINT?: string;
-	ES_VAULT_LFV_VERIFY_PUBLIC_KEY?: string;
-	ES_VAULT_LFV_EVENTS_ENDPOINT?: string;
-	ES_VAULT_LFV_DELIVERY_TIMEOUT?: string;
-	ES_VAULT_LFV_RETRY_INTERVAL?: string;
-	ES_VAULT_LFV_WARN_INTERVAL?: string;
-	ES_VAULT_WEBSOCKET_URL?: string;
-	ES_VAULT_WEBSOCKET_TOKEN?: string;
-	ES_VAULT_WEBSOCKET_HEADER?: "X-Vault-Token" | "Authorization";
-	ES_AZURE_API_VERSION?: string;
-	ES_AZURE_SCOPE?: string;
-	ES_AZURE_SECRET_NAME_PREFIX?: string;
-	ES_AZURE_AUTH_METHOD?: AwsAuthMethod;
-	ES_AZURE_TENANT_ID?: string;
-	ES_AZURE_CLIENT_ID?: string;
-	ES_AZURE_CLIENT_SECRET?: string;
-	ES_AZURE_FEDERATED_TOKEN_FILE?: string;
-	ES_AZURE_MANAGED_IDENTITY_CLIENT_ID?: string;
-	ES_AZURE_IMDS_API_VERSION?: string;
-	ES_AZURE_PATH?: string;
-	ES_AZURE_VAULT_URL?: string;
-	ES_AZURE_VAULT_NAME?: string;
-	ES_AZURE_TTL?: string;
-	ES_AWS_WEBHOOK_URL?: string;
-	ES_AWS_TTL?: string;
-	ES_GCP_TTL?: string;
-};
-type TenantSecretsConfig = (VaultSecretsConfig & {
-	path: string;
-	retryInterval?: number;
-}) | (AwsSecretsConfig & {
-	ttl?: number;
-}) | (AzureSecretsConfig & {
-	path?: string;
-}) | (GcpSecretsConfig & {
-	ttl?: number;
-});
-type TenantStoredConfigLocator = {
-	/** Indicates that the tenant config descriptor is stored securely outside the tenant record. */
-	type: "stored";
-	/** Root secure source type used to fetch the stored tenant config descriptor. */
-	sourceType: "vault";
-	/** Path to the stored tenant config descriptor. */
-	path: string;
-};
-type TenantRemoteConfigLocator = {
-	/** Indicates that the tenant RemoteConfig already exists at this secure source path. */
-	type: "remoteConfig";
-	/** Secure source type used to load the RemoteConfig document directly. */
-	sourceType: "vault";
-	/** Path to the tenant RemoteConfig document. */
-	path: string;
-};
-type TenantConfigLocator = TenantStoredConfigLocator | TenantRemoteConfigLocator;
-type TenantConfigSourceInput = TenantConfigLocator | ConfigSource;
-type TenantBaseRecord = {
+declare function isConfigLocator(value: unknown): value is ConfigLocator;
+type BaseTenant = {
 	tenantId: string;
 	companyId: string;
 	companyName: string;
@@ -2186,121 +2338,60 @@ type TenantBaseRecord = {
 	expiresAt?: string;
 	createdAt: Date;
 	updatedAt: Date;
-	/** Persisted tenant config metadata, or a runtime ConfigSource for internal-only tenants. */
-	configSource: TenantConfigSourceInput;
+	/** Serializable metadata used to materialize this tenant's ConfigSource. */
+	configSource: ConfigLocator;
 	/** Runtime helper that returns a ConfigSource for this tenant. */
 	config?: (source?: SecretsSource) => ConfigSource;
 };
-type TenantBaseConstraint = Omit<TenantBaseRecord, "configSource"> & {
-	configSource?: TenantConfigSourceInput;
-};
-type TenantRecordBase = TenantBaseConstraint;
-type StoredTenant<TTenant extends TenantRecordBase = TenantRecordBase> = TTenant;
-type StoredTenantRecord<TTenant extends TenantRecordBase = TenantRecordBase> = Omit<StoredTenant<TTenant>, "config">;
-type TenantEsFactory<TTenant extends TenantRecordBase = TenantRecordBase> = (tenant: StoredTenant<TTenant>) => EnterpriseStandard;
-type TenantConfigStoreRequest<
-	TTenant extends TenantRecordBase = TenantRecordBase,
-	TRequest extends UpsertTenantRequest = UpsertTenantRequest
-> = {
-	es: EnterpriseStandard;
-	tenantId: string;
-	request: TRequest;
-	configData: TenantSecretsConfig;
-	existingTenant: StoredTenant<TTenant> | undefined;
-};
-type TenantStoreWithESOptions<TTenant extends TenantRecordBase = TenantRecordBase> = {
-	/**
-	* TTL for cached per-tenant EnterpriseStandard instances, in milliseconds.
-	* Default is forever; set to 0 to recreate ES on every getEs() call.
-	*/
-	ttl?: number;
-	/**
-	* Optional factory used to create an ES instance for a tenant.
-	* If omitted, getEs() throws.
-	*/
-	createEs?: TenantEsFactory<TTenant>;
-};
-type TenantUserRegistration = {
-	registerUserTenantId(userId: string, tenantId: string | null | undefined): void | Promise<void>;
-	registerUserToTenant?(userId: string, tenantId: string): void | Promise<void>;
-};
-declare abstract class TenantStore<TTenant extends TenantRecordBase = TenantRecordBase> implements TenantUserRegistration {
-	storeConfig?(config: TenantConfigStoreRequest<TTenant>): Promise<TenantConfigSourceInput>;
-	abstract get(tenantId: string): Promise<StoredTenant<TTenant> | undefined>;
-	abstract list(options?: TenantListOptions): Promise<ListResult<StoredTenant<TTenant>>>;
-	abstract upsert(tenant: StoredTenant<TTenant>): Promise<StoredTenant<TTenant>>;
-	abstract delete(tenantId: string): Promise<number>;
-	abstract registerUserTenantId(userId: string, tenantId: string | null | undefined): void | Promise<void>;
-	registerUserToTenant?(userId: string, tenantId: string): void | Promise<void>;
-	abstract findTenantsByUser(user: User2): Promise<StoredTenant<TTenant>[]>;
-	findTenantByUser(user: User2): Promise<StoredTenant<TTenant> | undefined>;
-}
-type TenantManagerStore<TTenant extends TenantRecordBase = TenantRecordBase> = Pick<TenantStoreWithES<TTenant>, "get" | "list" | "upsert" | "delete" | "getEs" | "findTenantByUser" | "findTenantsByUser"> & {
-	storeConfig?: TenantStoreWithES<TTenant>["storeConfig"];
-};
-type InMemoryTenantStoreOptions<TTenant extends TenantRecordBase = TenantRecordBase> = TenantStoreWithESOptions<TTenant>;
-type TenantStoreWithRequiredEsOptions<TTenant extends TenantRecordBase = TenantRecordBase> = Omit<TenantStoreWithESOptions<TTenant>, "createEs"> & {
-	createEs: TenantEsFactory<TTenant>;
-};
-type SingleTenantStoreOptions<TTenant extends TenantRecordBase = TenantRecordBase> = TenantStoreWithRequiredEsOptions<TTenant>;
-type MultiTenantStoreOptions<TTenant extends TenantRecordBase = TenantRecordBase> = TenantStoreWithRequiredEsOptions<TTenant>;
-declare abstract class TenantStoreWithEsCache<TTenant extends TenantRecordBase = TenantRecordBase> extends TenantStore<TTenant> {
-	readonly ttl: number;
-	private readonly createEs?;
-	private readonly tenantEsMap;
-	constructor(options: TenantStoreWithESOptions<TTenant>);
-	registerUserTenantId(userId: string, tenantId: string | null | undefined): Promise<void>;
-	registerUserToTenant(_userId: string, _tenantId: string): Promise<void>;
-	protected prepareTenantForCreateEs(tenant: StoredTenant<TTenant>): StoredTenant<TTenant>;
-	protected invalidateTenantEsCache(tenantId: string): void;
-	getEs(tenantId: string): Promise<EnterpriseStandard | undefined>;
-	getCachedTenantIds(): string[];
-}
-declare abstract class SingleTenantStore<TTenant extends TenantRecordBase = TenantRecordBase> extends TenantStoreWithEsCache<TTenant> {
-	abstract findTenantByUser(user: User2): Promise<StoredTenant<TTenant> | undefined>;
-	findTenantsByUser(user: User2): Promise<StoredTenant<TTenant>[]>;
-}
-declare abstract class MultiTenantStore<TTenant extends TenantRecordBase = TenantRecordBase> extends TenantStoreWithEsCache<TTenant> {}
-type TenantStoreWithES<TTenant extends TenantRecordBase = TenantRecordBase> = TenantStoreWithEsCache<TTenant>;
-type InMemorySingleTenantStoreOptions<TTenant extends TenantRecordBase = TenantRecordBase> = InMemoryTenantStoreOptions<TTenant>;
-type InMemoryMultiTenantStoreOptions<TTenant extends TenantRecordBase = TenantRecordBase> = InMemoryTenantStoreOptions<TTenant>;
-declare class InMemorySingleTenantStore<TTenant extends TenantRecordBase = TenantRecordBase> extends SingleTenantStore<TTenant> {
-	private readonly store;
-	constructor(options?: InMemorySingleTenantStoreOptions<TTenant>);
-	get(tenantId: string): Promise<StoredTenant<TTenant> | undefined>;
-	list(options?: TenantListOptions): Promise<ListResult<StoredTenant<TTenant>>>;
-	upsert(tenant: StoredTenant<TTenant>): Promise<StoredTenant<TTenant>>;
+type SerializableTenant<TTenant extends BaseTenant = BaseTenant> = Omit<TTenant, "config">;
+type TenantEsFactory<TTenant extends BaseTenant = BaseTenant> = (tenant: TTenant) => EnterpriseStandard;
+interface TenantStore<
+	TTenant extends BaseTenant = BaseTenant,
+	TUser extends {
+		id?: string;
+	} = AuthenticatedUser
+> {
+	get(tenantId: string): Promise<TTenant | undefined>;
+	list(options?: TenantListOptions): Promise<ListResult<TTenant>>;
+	upsert(tenant: TTenant): Promise<TTenant>;
 	delete(tenantId: string): Promise<number>;
+	getEs(tenantId: string): Promise<EnterpriseStandard | undefined>;
+	findTenantsByUser(user: TUser): Promise<TTenant[]>;
 	registerUserTenantId(userId: string, tenantId: string | null | undefined): Promise<void>;
-	findTenantByUser(user: User2): Promise<StoredTenant<TTenant> | undefined>;
 }
-declare class InMemoryMultiTenantStore<TTenant extends TenantRecordBase = TenantRecordBase> extends MultiTenantStore<TTenant> {
+type InMemoryTenantStoreOptions<TTenant extends BaseTenant = BaseTenant> = {
+	createEs?: TenantEsFactory<TTenant>;
+};
+declare function hydrateTenantForEs<TTenant extends BaseTenant = BaseTenant>(tenant: TTenant): TTenant;
+declare class InMemoryTenantStore<
+	TTenant extends BaseTenant = BaseTenant,
+	TUser extends {
+		id?: string;
+	} = AuthenticatedUser
+> implements TenantStore<TTenant, TUser> {
 	private readonly store;
-	constructor(options?: InMemoryMultiTenantStoreOptions<TTenant>);
-	get(tenantId: string): Promise<StoredTenant<TTenant> | undefined>;
-	list(options?: TenantListOptions): Promise<ListResult<StoredTenant<TTenant>>>;
-	upsert(tenant: StoredTenant<TTenant>): Promise<StoredTenant<TTenant>>;
+	private readonly createEs?;
+	constructor(options?: InMemoryTenantStoreOptions<TTenant>);
+	get(tenantId: string): Promise<TTenant | undefined>;
+	list(options?: TenantListOptions): Promise<ListResult<TTenant>>;
+	upsert(tenant: TTenant): Promise<TTenant>;
 	delete(tenantId: string): Promise<number>;
 	registerUserTenantId(userId: string, tenantId: string | null | undefined): Promise<void>;
-	findTenantsByUser(user: User2): Promise<StoredTenant<TTenant>[]>;
+	findTenantsByUser(user: TUser): Promise<TTenant[]>;
+	getEs(tenantId: string): Promise<EnterpriseStandard | undefined>;
 }
 declare function sendTenantWebhook(webhookUrl: string, payload: TenantWebhookPayload, log: Logger): Promise<void>;
 /**
 * Stored user data with required id and tracking metadata.
 *
-* Extends the SSO User type with:
-* - Required `id` (the `sub` claim from the IdP)
+* Extends the BaseUser type with:
+* - Optional auth envelopes for workforce (`sso`) and customer (`ciam`) sessions
 * - Timestamps for tracking when users were first seen and last updated
 * - Optional custom extended data
 *
 * @template TExtended - Type-safe custom data that consumers can add to users
 */
-type StoredUser<TExtended = object> = Omit<User2, "sso"> & {
-	/**
-	* Required unique identifier (the `sub` claim from the IdP).
-	* This is the primary key for user storage.
-	*/
-	id?: string;
+type StoredUser<TExtended = object> = BaseUser & {
 	/**
 	* Optional Enterprise Standard tenant identifier for tenant-aware apps.
 	* Built-in user stores can use this when registering HRD mappings.
@@ -2430,7 +2521,11 @@ type StoredUser<TExtended = object> = Omit<User2, "sso"> & {
 	* Optional SSO envelope for stores that persist full auth profile data.
 	* Simple app stores MAY omit this field.
 	*/
-	sso?: User2["sso"];
+	sso?: WorkforceUser["sso"];
+	/**
+	* Optional CIAM envelope for stores that persist customer session profile data.
+	*/
+	ciam?: Customer["ciam"];
 } & TExtended;
 type UserStoreOptions = {
 	tenantId: string;
@@ -2466,22 +2561,19 @@ type UserStoreOptions = {
 */
 interface UserStore<TExtended = object> {
 	/**
-	* Retrieve a user by their subject identifier (sub).
-	*
-	* This is the canonical lookup used by SDK flows whenever possible.
-	* Other lookup methods (userName) are secondary convenience indexes.
+	* Retrieve a user by their unique identifier.
 	*
-	* @param sub - The user's unique identifier from the IdP
+	* @param id - The user's unique identifier as defined by the store implementation
 	* @returns The user if found, undefined otherwise
 	*/
-	get(sub: string): Promise<StoredUser<TExtended> | undefined>;
+	get(id: string): Promise<StoredUser<TExtended> | undefined>;
 	/**
-	* Retrieve a user by their username.
+	* Retrieve a user based on their SCIM attributes or SSO JWT Claims.
 	*
-	* @param userName - The user's username
+	* @param user - The user to lookup by SCIM attributes or SSO JWT Claims
 	* @returns The user if found, undefined otherwise
 	*/
-	getByUserName(userName: string): Promise<StoredUser<TExtended> | undefined>;
+	lookup(user: StoredUser<TExtended>): Promise<StoredUser<TExtended> | undefined>;
 	/**
 	* Create or update a user in the store.
 	*
@@ -2492,11 +2584,12 @@ interface UserStore<TExtended = object> {
 	*/
 	upsert(user: StoredUser<TExtended>): Promise<StoredUser<TExtended>>;
 	/**
-	* Delete a user by their subject identifier (sub).
+	* Delete a user by their unique identifier.
 	*
-	* @param sub - The user's unique identifier to delete
+	* @param id - The user's unique identifier as defined by the store implementation
+	* @returns The number of users deleted (0 or 1)
 	*/
-	delete(sub: string): Promise<number>;
+	delete(id: string): Promise<number>;
 	/**
 	* List users in the store with optional pagination and sort.
 	*
@@ -2904,6 +2997,10 @@ type EnterpriseStandardBase = {
 	reload?(): Promise<void>;
 	/** When present (e.g. from server enterpriseStandard), merge config then reload from the config source and reapply. */
 	reconfigure?(config?: FrameworkConfig): Promise<void>;
+	/** When present (e.g. from server enterpriseStandard), release config subscriptions and background resources. */
+	close?(): void;
+	/** When present (e.g. from server enterpriseStandard), replace runtime store instances. */
+	setStores?(stores: FrameworkStores): void;
 };
 /** Config-driven module types: null in config → never; otherwise module type (non-optional). */
 type EnterpriseStandardStrict<C extends FrameworkConfig> = {
@@ -2921,6 +3018,8 @@ type EnterpriseStandardStrict<C extends FrameworkConfig> = {
 	isReady(): boolean;
 	reload?(): Promise<void>;
 	reconfigure?(config?: FrameworkConfig): Promise<void>;
+	close?(): void;
+	setStores(stores: FrameworkStores): void;
 };
 type EnterpriseStandard = EnterpriseStandardBase;
 type ESRouteModule = "sso" | "iam" | "workload" | "ciam" | "secrets";
@@ -2961,6 +3060,14 @@ type ESConfigChangeOptions = {
 	* Optional runtime routing customization for `es.handler(request)`.
 	*/
 	routing?: ESRoutingOptions;
+	/**
+	* ConfigSource retry policy for loading RemoteConfig. The default retries forever with exponential backoff.
+	*/
+	configRetry?: RemoteConfigRetryOptions;
+	/**
+	* Called before each RemoteConfig retry is scheduled. Throw to stop retrying and reject ready().
+	*/
+	onConfigLoadError?: RemoteConfigRetryHook;
 };
 /**
 * Validators for CIAM (magic link) request bodies.
@@ -3071,8 +3178,8 @@ type CIAM<
 	TMagicLinkData = Record<string, never>,
 	TUserData = Record<string, never>
 > = CIAMConfig<TMagicLinkData, TUserData> & {
-	getUser: (request: Request) => Promise<User2 | undefined>;
-	getRequiredUser: (request: Request) => Promise<User2>;
+	getUser: (request: Request) => Promise<Customer | undefined>;
+	getRequiredUser: (request: Request) => Promise<Customer>;
 	logout: (request: Request) => Promise<Response>;
 	logoutBackChannel: (request: Request) => Promise<Response>;
 	handler: (request: Request) => Promise<Response>;
@@ -3083,12 +3190,12 @@ type CIAMConfigFromCode<
 	TUserData = Record<string, never>
 > = Omit<CIAMConfig<TMagicLinkData, TUserData>, "signingKey">;
 /**
-* Maps OIDC ID token claims to the shared User type.
+* Maps OIDC ID token claims to the shared workforce user type.
 * Used by decodeUser and verifyUser; no config required (iss/exp from claims).
 */
-declare function claimsToUser(claims: IdTokenClaims): User2;
+declare function claimsToUser(claims: IdTokenClaims): WorkforceUser;
 /**
-* Decodes the JWT payload and returns a User.
+* Decodes the JWT payload and returns a workforce user.
 *
 * **This only decodes the payload.** It does not verify the signature, expiry, or
 * issuer. Do not use the result for authorization. Safe for client-side use for
@@ -3098,10 +3205,10 @@ declare function claimsToUser(claims: IdTokenClaims): User2;
 * `@enterprisestandard/core/server` or `@enterprisestandard/server`.
 *
 * @param jwt - Raw JWT string (e.g. OIDC ID token).
-* @returns User shaped from the payload.
+* @returns WorkforceUser shaped from the payload.
 * @throws If the JWT format is invalid or the payload does not match ID token claims shape.
 */
-declare function decodeUser(jwt: string): Promise<User2>;
+declare function decodeUser(jwt: string): Promise<WorkforceUser>;
 /**
 * List result from total count, sliced items, start index, and optional limit.
 * When limit is omitted, size is set to total (one logical page), page and pages are 1.
@@ -3110,7 +3217,7 @@ declare function list<T>(total: number, items: T[], start: number, limit: number
 type TenantDirectoryAccount = {
 	clientId: string;
 	active: boolean;
-	user: User2;
+	user: AuthenticatedUser;
 	valid: boolean;
 	expiresAt?: string;
 	tenantId?: string;
@@ -3448,64 +3555,4 @@ type LfvErrorResponse = {
 	error: LfvErrorCode;
 	message: string;
 };
-import { StandardSchemaV1 as StandardSchemaV110 } from "@standard-schema/spec";
-/**
-* Result type for Standard Schema validation (success or failure).
-*/
-type ValidateResult<T> = StandardSchemaV110.Result<T>;
-/**
-* A Standard Schema with a top-level `validate()` method for a cleaner API.
-* Use this so callers can call `schema.validate(value)` instead of `schema['~standard'].validate(value)`.
-*/
-type StandardSchemaWithValidate<T> = StandardSchemaV110<unknown, T> & {
-	validate(value: unknown): Promise<StandardSchemaV110.Result<T>>;
-};
-/**
-* Wraps a Standard Schema so it has a top-level `validate(value)` method.
-* Use when creating or modifying validators so application code can call
-* `validators.ciam.baseUser.validate(raw)` instead of `validators.ciam.baseUser['~standard'].validate(raw)`.
-*
-* @example
-* const baseUser = withValidate(createBaseUserValidator());
-* const result = await baseUser.validate(requestBody);
-*/
-declare function withValidate<T>(schema: StandardSchemaV110<unknown, T>): StandardSchemaWithValidate<T>;
-declare function must<T>(value: T | undefined | null, message?: string): T;
-/**
-* Returns a 400 Response with the issues if there are any.
-* @param issues - Any validation issues.
-* @param message - The message to include in the response.
-* @returns A 400 Response with the issues if it does, otherwise null.
-*/
-declare function validationFailureResponse(issues: unknown, message: string): Response;
-/**
-* Merges two config objects, ensuring critical fields from vault take precedence.
-*
-* @param fromVault - Configuration from vault (takes precedence for critical fields)
-* @param fromCode - Configuration from code (used as fallback)
-* @param criticalFields - Array of field names that should prefer vault values
-* @returns Merged configuration object
-*/
-declare function mergeConfig<T extends Record<string, unknown>>(fromVault: T | undefined, fromCode: T | undefined, criticalFields?: string[]): T;
-/**
-* Strips // and /* *\/ comments from JSONC, respecting string literals.
-*/
-declare function stripJsonComments(content: string): string;
-declare function parseJsonc<T>(content: string): T;
-/**
-* Deep equality for JSON-like values used in config snapshots.
-* Treats object key order as irrelevant and treats missing and `undefined`
-* object properties as equal by ignoring `undefined` keys on both sides.
-*/
-declare function deepEqualPlain(a: unknown, b: unknown): boolean;
-/**
-* Waits for a HTTP service to be ready by polling its URL.
-* Connection errors (e.g. connection refused) are treated as "not ready" and retried.
-* @param url - The URL to poll.
-* @param pingInterval - The interval in milliseconds to poll the URL.
-* @param warnInterval - The interval in milliseconds to warn about the status. Set warnInterval to 0 to disable warnings.
-* @param timeout - The timeout in milliseconds to reject the promise.
-* @returns A promise that resolves when the service is ready.
-*/
-declare function waitOn(url: string, test?: (resp: Response) => boolean | Promise<boolean>, pingInterval?: number, warnInterval?: number, timeout?: number): Promise<void>;
-export { workloadTokenResponseSchema, withValidate, waitOn, version, validationFailureResponse, userSchema, tokenResponseSchema, stripJsonComments, silentLogger, setActiveSession, serializeESConfig, sendTenantWebhook, parseJsonc, oidcCallbackSchema, normalizeTenantRoutingStrategy, normalizeTenantPathNamespace, must, mergeConfig, matchTenantPath, listSsoClientIdsFromCookies, list, jwtAssertionClaimsSchema, infoLogger, idTokenClaimsSchema, groupResourceSchema, getActiveSession, findTenantFromStateParam, defaultLogger, deepEqualPlain, decodeUser, debugLogger, consoleLogger, clearActiveSession, claimsToUser, buildTenantPath, X509Certificate, WorkloadValidators, WorkloadTokenStore, WorkloadTokenResponse, WorkloadIncomingOutgoing, WorkloadIdentity, WorkloadConfigMap, WorkloadConfig, WorkloadClient, Workload, VaultWebSocketSecretsConfig, VaultWebSocketAuthHeader, VaultSecretsConfig, VaultLfvSecretsConfig, ValidateResult, UsersInboundHandlerConfig, UserStoreOptions, UserStore, UserSortOptions, UserSortField, UserListOptions, User2 as User, UpsertTenantResponse, UpsertTenantRequest, TokenValidationResult, TokenResponse, TenantWebhookPayload, TenantValidators, TenantUserRegistration, TenantStoredConfigLocator, TenantStoreWithEsCache, TenantStoreWithESOptions, TenantStoreWithES, TenantStore, TenantStatus, TenantSortOptions, TenantSortField, TenantSecretsConfig, TenantRoutingStrategy, TenantRequestError, TenantRemoteConfigLocator, TenantPathRoutingStrategy, TenantPathNamespace, TenantPathMatch, TenantManagerStore, TenantListOptions, TenantJwtRoutingStrategy, TenantEsFactory, TenantDirectoryTenant, TenantDirectoryResponse, TenantDirectoryAccount, TenantConfigStoreRequest, TenantConfigSourceInput, TenantConfigLocator, TenantConfigEnv, StoredUser, StoredTenantRecord, StoredTenant, StoredGroup, StateCookie, StandardSchemaWithValidate, SortDirection, SingleTenantStoreOptions, SingleTenantStore, SessionStore, Session, ServerOnlyWorkloadConfig, SecretsValidators, SecretsSourceType, SecretsSourceMap, SecretsSourceConfig, SecretsSource, SecretsOperationOptions, SecretsModuleConfig, Secrets, SecretRequestSeverity, SecretLifecycleRequest, Secret, User as ScimUser, ScimServiceProviderConfig, ScimSchemaDefinition, ScimSchemaAttributeDefinition, ScimResult, ScimResourceTypeSchemaExtension, ScimResourceType, ScimListResponse, ScimError, ScimAuthenticationScheme, SSOValidators, SSOHandlerConfig, SSOConfig, SSOAppValidators, SSOAppRegistry, SSO, Role, ResolvedVaultLfvSecretsConfig, RemoteConfig, RegisterSSOAppResult, RegisterSSOAppPayload, RegisterSSOAppError, RegisterIAMAppResult, RegisterIAMAppPayload, RegisterIAMAppError, ReactiveHandle, Photo, PhoneNumber, OidcCallbackParams, Name, MultipleTenantsForUserError, MultiTenantStoreOptions, MultiTenantStore, ModifiableFrameworkConfig, MetaData, MagicLinkStore, MagicLink, LoginConfig, Logger, ListResult, LfvOtpResponse, LfvOtpRequest, LfvErrorResponse, LfvErrorCode, LfvActionRequestBase, LfvActionName, LfvActionAcceptedResponse, JwtBearerWorkloadConfig, JWTAssertionClaims, InMemoryTenantStoreOptions, InMemorySingleTenantStoreOptions, InMemorySingleTenantStore, InMemoryMultiTenantStoreOptions, InMemoryMultiTenantStore, IdTokenClaims, IAMValidators, IAMUsersInbound, IAMInboundUsersConfig, IAMInboundUserContext, IAMHandlerConfig, IAMGroupsOutbound, IAMGroupsInbound, IAMDiscoveryHandlerConfig, IAMDiscoveryContext, IAMDiscoveryConfig, IAMConfig, IAMAppValidators, IAMAppRole, IAMAppRegistry, IAM, GroupsInboundHandlerConfig, GroupStore, GroupSortOptions, GroupSortField, GroupResource, GroupMember, GroupListOptions, Group, GcpSecretsConfig, FrameworkWorkloadIncomingOutgoing, FrameworkWorkloadConfig, FrameworkStores, FrameworkSecretsSourceConfig, FrameworkSecretsModuleConfig, FrameworkConfig, EnvironmentType, EnterpriseUser, EnterpriseStandardFromConfig, EnterpriseStandardBase, EnterpriseStandard, EnterpriseExtension, Email, ESValidators, ESRoutingOptions, ESRouteModule, ESRouteFilterResult, ESResolvedRoute, ESModuleFromConfig, ESConfigChangeResult, ESConfigChangeOptions, ESConfigChangeCallback, ESConfig, DevSecretsConfig, DEFAULT_TENANT_UI_NAMESPACE, DEFAULT_TENANT_API_NAMESPACE, CreateUserOptions, CreateTenantResponse, CreateTenantRequest, CreateGroupOptions, ConfigSourceType, ConfigSource, ClientCredentialsWorkloadConfig, ChangeListener, CachedWorkloadToken, CIAMValidators, CIAMConfigFromCode, CIAMConfig, CIAM, BaseUser, AzureSecretsConfig, AwsSecretsConfig, AwsAuthMethod, ApplicationValidators, Address };
+export { workloadTokenResponseSchema, withValidate, waitOn, version, validationFailureResponse, userSchema, tokenResponseSchema, stripJsonComments, silentLogger, setActiveSession, serializeESConfig, sendTenantWebhook, parseJsonc, oidcCallbackSchema, normalizeTenantRoutingStrategy, normalizeTenantPathNamespace, must, mergeConfig, matchTenantPath, listSsoClientIdsFromCookies, list, jwtAssertionClaimsSchema, isConfigLocator, infoLogger, idTokenClaimsSchema, hydrateTenantForEs, groupResourceSchema, getActiveSession, findTenantFromStateParam, defaultLogger, deepEqualPlain, decodeUser, debugLogger, consoleLogger, clearActiveSession, claimsToUser, buildTenantPath, X509Certificate, WorkloadValidators, WorkloadTokenStore, WorkloadTokenResponse, WorkloadIncomingOutgoing, WorkloadIdentity, WorkloadConfigMap, WorkloadConfig, WorkloadClient, Workload, WorkforceUser, VaultWorkloadAuthConfig, VaultWebSocketSecretsConfig, VaultWebSocketAuthHeader, VaultSecretsConfig, VaultLfvSecretsConfig, VaultConfigLocator, ValidateResult, UsersInboundHandlerConfig, UserStoreOptions, UserStore, UserSortOptions, UserSortField, UserListOptions, UpsertTenantResponse, UpsertTenantRequest, TokenValidationResult, TokenResponse, TenantWebhookPayload, TenantValidators, TenantStore, TenantStatus, TenantSortOptions, TenantSortField, TenantRoutingStrategy, TenantRequestError, TenantPathRoutingStrategy, TenantPathNamespace, TenantPathMatch, TenantListOptions, TenantJwtRoutingStrategy, TenantEsFactory, TenantDirectoryTenant, TenantDirectoryResponse, TenantDirectoryAccount, StoredUser, StoredGroup, StateCookie, StandardSchemaWithValidate, SortDirection, SessionStore, Session, ServerOnlyWorkloadConfig, SerializableTenant, SecretsValidators, SecretsSourceType, SecretsSourceMap, SecretsSourceConfig, SecretsSource, SecretsOperationOptions, SecretsModuleConfig, Secrets, SecretRequestSeverity, SecretLifecycleRequest, Secret, User as ScimUser, ScimServiceProviderConfig, ScimSchemaDefinition, ScimSchemaAttributeDefinition, ScimResult, ScimResourceTypeSchemaExtension, ScimResourceType, ScimListResponse, ScimError, ScimAuthenticationScheme, SSOValidators, SSOHandlerConfig, SSOConfig, SSOAppValidators, SSOAppRegistry, SSO, Role, ResolvedVaultLfvSecretsConfig, RemoteConfigRetryOptions, RemoteConfigRetryHook, RemoteConfigRetryContext, RemoteConfigLoadErrorKind, RemoteConfig, RegisterSSOAppResult, RegisterSSOAppPayload, RegisterSSOAppError, RegisterIAMAppResult, RegisterIAMAppPayload, RegisterIAMAppError, ReactiveHandle, Photo, PhoneNumber, OidcCallbackParams, Name, MultipleTenantsForUserError, ModifiableFrameworkConfig, MetaData, MagicLinkStore, MagicLink, LoginConfig, Logger, ListResult, LfvOtpResponse, LfvOtpRequest, LfvErrorResponse, LfvErrorCode, LfvActionRequestBase, LfvActionName, LfvActionAcceptedResponse, JwtBearerWorkloadConfig, JWTAssertionClaims, InMemoryTenantStoreOptions, InMemoryTenantStore, IdTokenClaims, IAMValidators, IAMUsersInbound, IAMInboundUsersConfig, IAMInboundUserContext, IAMHandlerConfig, IAMGroupsOutbound, IAMGroupsInbound, IAMDiscoveryHandlerConfig, IAMDiscoveryContext, IAMDiscoveryConfig, IAMConfig, IAMAppValidators, IAMAppRole, IAMAppRegistry, IAM, GroupsInboundHandlerConfig, GroupStore, GroupSortOptions, GroupSortField, GroupResource, GroupMember, GroupListOptions, Group, GcpSecretsConfig, GcpConfigLocator, FrameworkWorkloadIncomingOutgoing, FrameworkWorkloadConfig, FrameworkStores, FrameworkSecretsSourceConfig, FrameworkSecretsModuleConfig, FrameworkConfig, EnvironmentType, EnterpriseUser, EnterpriseStandardFromConfig, EnterpriseStandardBase, EnterpriseStandard, EnterpriseExtension, Email, ESValidators, ESRoutingOptions, ESRouteModule, ESRouteFilterResult, ESResolvedRoute, ESModuleFromConfig, ESConfigChangeResult, ESConfigChangeOptions, ESConfigChangeCallback, ESConfig, DevSecretsConfig, DEFAULT_TENANT_UI_NAMESPACE, DEFAULT_TENANT_API_NAMESPACE, Customer, CreateUserOptions, CreateGroupOptions, ConfigSourceType, ConfigSourceEnv, ConfigSource, ConfigLocator, ClientCredentialsWorkloadConfig, ChangeListener, CachedWorkloadToken, CIAMValidators, CIAMConfigFromCode, CIAMConfig, CIAM, BaseUser, BaseTenant, AzureSecretsConfig, AzureConfigLocator, AwsSecretsConfig, AwsConfigLocator, AwsAuthMethod, AuthenticatedUser, ApplicationValidators, Address };