@enterprisestandard/core 0.0.6

package/dist/index.d.ts

@@ -0,0 +1,2431 @@
+import { StandardSchemaV1 as StandardSchemaV15 } from "@standard-schema/spec";
+import { StandardSchemaV1 } from "@standard-schema/spec";
+/**
+* SCIM 2.0 User Resource
+* @see https://datatracker.ietf.org/doc/html/rfc7643#section-4.1
+*/
+/**
+* SCIM Name sub-attribute
+*/
+interface Name {
+	/**
+	* The full name, including all middle names, titles, and suffixes as appropriate
+	*/
+	formatted?: string;
+	/**
+	* The family name of the User, or last name
+	*/
+	familyName?: string;
+	/**
+	* The given name of the User, or first name
+	*/
+	givenName?: string;
+	/**
+	* The middle name(s) of the User
+	*/
+	middleName?: string;
+	/**
+	* The honorific prefix(es) of the User, or title
+	*/
+	honorificPrefix?: string;
+	/**
+	* The honorific suffix(es) of the User, or suffix
+	*/
+	honorificSuffix?: string;
+}
+/**
+* SCIM Email sub-attribute
+*/
+interface Email {
+	/**
+	* The email address value
+	*/
+	value: string;
+	/**
+	* A human-readable name, primarily used for display purposes
+	*/
+	display?: string;
+	/**
+	* A label indicating the attribute's function (e.g., "work" or "home")
+	*/
+	type?: string;
+	/**
+	* A Boolean value indicating the 'primary' or preferred attribute value
+	*/
+	primary?: boolean;
+}
+/**
+* SCIM Phone Number sub-attribute
+*/
+interface PhoneNumber {
+	/**
+	* The phone number value
+	*/
+	value: string;
+	/**
+	* A human-readable name, primarily used for display purposes
+	*/
+	display?: string;
+	/**
+	* A label indicating the attribute's function (e.g., "work", "home", "mobile")
+	*/
+	type?: string;
+	/**
+	* A Boolean value indicating the 'primary' or preferred attribute value
+	*/
+	primary?: boolean;
+}
+/**
+* SCIM Address sub-attribute
+*/
+interface Address {
+	/**
+	* The full mailing address, formatted for display
+	*/
+	formatted?: string;
+	/**
+	* The full street address component
+	*/
+	streetAddress?: string;
+	/**
+	* The city or locality component
+	*/
+	locality?: string;
+	/**
+	* The state or region component
+	*/
+	region?: string;
+	/**
+	* The zip code or postal code component
+	*/
+	postalCode?: string;
+	/**
+	* The country name component
+	*/
+	country?: string;
+	/**
+	* A label indicating the attribute's function (e.g., "work" or "home")
+	*/
+	type?: string;
+	/**
+	* A Boolean value indicating the 'primary' or preferred attribute value
+	*/
+	primary?: boolean;
+}
+/**
+* SCIM Group reference (used within User resources)
+*/
+interface Group {
+	/**
+	* The identifier of the User's group
+	*/
+	value: string;
+	/**
+	* The URI of the corresponding 'Group' resource
+	*/
+	$ref?: string;
+	/**
+	* A human-readable name, primarily used for display purposes
+	*/
+	display?: string;
+	/**
+	* A label indicating the attribute's function (e.g., "direct" or "indirect")
+	*/
+	type?: string;
+}
+/**
+* SCIM Group Member reference
+*/
+interface GroupMember {
+	/**
+	* The identifier of the member (User or Group)
+	*/
+	value: string;
+	/**
+	* The URI of the corresponding member resource
+	*/
+	$ref?: string;
+	/**
+	* A human-readable name of the member
+	*/
+	display?: string;
+	/**
+	* The type of the member (e.g., "User" or "Group")
+	*/
+	type?: "User" | "Group";
+}
+/**
+* SCIM 2.0 Group Resource
+* @see https://datatracker.ietf.org/doc/html/rfc7643#section-4.2
+*/
+interface GroupResource {
+	/**
+	* REQUIRED. The schemas attribute
+	*/
+	schemas?: string[];
+	/**
+	* Unique identifier for the Group, assigned by the service provider
+	*/
+	id?: string;
+	/**
+	* External identifier from the provisioning client
+	*/
+	externalId?: string;
+	/**
+	* Resource metadata
+	*/
+	meta?: {
+		resourceType?: string;
+		created?: string;
+		lastModified?: string;
+		location?: string;
+		version?: string;
+	};
+	/**
+	* REQUIRED. A human-readable name for the Group
+	*/
+	displayName: string;
+	/**
+	* A list of members of the Group
+	*/
+	members?: GroupMember[];
+}
+/**
+* SCIM Role
+*/
+interface Role {
+	/**
+	* The value of the role
+	*/
+	value: string;
+	/**
+	* A human-readable name, primarily used for display purposes
+	*/
+	display?: string;
+	/**
+	* A label indicating the attribute's function
+	*/
+	type?: string;
+	/**
+	* A Boolean value indicating the 'primary' or preferred attribute value
+	*/
+	primary?: boolean;
+}
+/**
+* SCIM X509 Certificate
+*/
+interface X509Certificate {
+	/**
+	* The value of the X.509 certificate
+	*/
+	value: string;
+	/**
+	* A human-readable name, primarily used for display purposes
+	*/
+	display?: string;
+	/**
+	* A label indicating the attribute's function
+	*/
+	type?: string;
+	/**
+	* A Boolean value indicating the 'primary' or preferred attribute value
+	*/
+	primary?: boolean;
+}
+/**
+* SCIM Enterprise User Extension
+* @see https://datatracker.ietf.org/doc/html/rfc7643#section-4.3
+*/
+interface EnterpriseExtension {
+	/**
+	* Numeric or alphanumeric identifier assigned to a person
+	*/
+	employeeNumber?: string;
+	/**
+	* Identifies the name of a cost center
+	*/
+	costCenter?: string;
+	/**
+	* Identifies the name of an organization
+	*/
+	organization?: string;
+	/**
+	* Identifies the name of a division
+	*/
+	division?: string;
+	/**
+	* Identifies the name of a department
+	*/
+	department?: string;
+	/**
+	* The user's manager
+	*/
+	manager?: {
+		/**
+		* The "id" of the SCIM resource representing the User's manager
+		*/
+		value?: string;
+		/**
+		* The URI of the SCIM resource representing the User's manager
+		*/
+		$ref?: string;
+		/**
+		* The displayName of the User's manager
+		*/
+		displayName?: string;
+	};
+}
+/**
+* SCIM User Resource
+*/
+interface User {
+	/**
+	* REQUIRED. Unique identifier for the User, typically from the provider
+	*/
+	id?: string;
+	/**
+	* REQUIRED. A unique identifier for a SCIM resource as defined by the service provider
+	*/
+	externalId?: string;
+	/**
+	* Resource metadata
+	*/
+	meta?: {
+		resourceType?: string;
+		created?: string;
+		lastModified?: string;
+		location?: string;
+		version?: string;
+	};
+	/**
+	* REQUIRED. Unique identifier for the User, typically used for login
+	*/
+	userName: string;
+	/**
+	* The components of the user's name
+	*/
+	name?: Name;
+	/**
+	* The name of the User, suitable for display to end-users
+	*/
+	displayName?: string;
+	/**
+	* The casual way to address the user
+	*/
+	nickName?: string;
+	/**
+	* A fully qualified URL pointing to a page representing the User's online profile
+	*/
+	profileUrl?: string;
+	/**
+	* The user's title, such as "Vice President"
+	*/
+	title?: string;
+	/**
+	* Used to identify the relationship between the organization and the user
+	*/
+	userType?: string;
+	/**
+	* Indicates the User's preferred written or spoken language
+	*/
+	preferredLanguage?: string;
+	/**
+	* Used to indicate the User's default location for purposes of localizing items such as currency
+	*/
+	locale?: string;
+	/**
+	* The User's time zone in the "Olson" time zone database format
+	*/
+	timezone?: string;
+	/**
+	* A Boolean value indicating the User's administrative status
+	*/
+	active?: boolean;
+	/**
+	* The User's cleartext password
+	*/
+	password?: string;
+	/**
+	* Email addresses for the user
+	*/
+	emails?: Email[];
+	/**
+	* Phone numbers for the User
+	*/
+	phoneNumbers?: PhoneNumber[];
+	/**
+	* Instant messaging addresses for the User
+	*/
+	ims?: Array<{
+		value: string;
+		display?: string;
+		type?: string;
+		primary?: boolean;
+	}>;
+	/**
+	* URLs of photos of the User
+	*/
+	photos?: Array<{
+		value: string;
+		display?: string;
+		type?: string;
+		primary?: boolean;
+	}>;
+	/**
+	* Physical mailing addresses for this User
+	*/
+	addresses?: Address[];
+	/**
+	* A list of groups to which the user belongs
+	*/
+	groups?: Group[];
+	/**
+	* A list of entitlements for the User
+	*/
+	entitlements?: Array<{
+		value: string;
+		display?: string;
+		type?: string;
+		primary?: boolean;
+	}>;
+	/**
+	* A list of roles for the User
+	*/
+	roles?: Role[];
+	/**
+	* A list of certificates issued to the User
+	*/
+	x509Certificates?: X509Certificate[];
+	/**
+	* Enterprise User Extension
+	*/
+	"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"?: EnterpriseExtension;
+	/**
+	* REQUIRED. The schemas attribute is an array of Strings which allows introspection of the supported schema version
+	*/
+	schemas?: string[];
+}
+/**
+* Creates a StandardSchemaV1 for validating SCIM User resources.
+* @param vendor - The name of the vendor creating this schema
+* @returns A StandardSchemaV1 instance for SCIM User resources
+*/
+declare function userSchema(vendor: string): StandardSchemaV1<Record<string, unknown>, User>;
+/**
+* Creates a StandardSchemaV1 for validating SCIM Group resources.
+* @param vendor - The name of the vendor creating this schema
+* @returns A StandardSchemaV1 instance for SCIM Group resources
+*/
+declare function groupResourceSchema(vendor: string): StandardSchemaV1<Record<string, unknown>, GroupResource>;
+/**
+* Stored group data with required id and tracking metadata.
+*
+* @template TExtended - Type-safe custom data that consumers can add to groups
+*/
+type StoredGroup<TExtended = {}> = {
+	/**
+	* Required unique identifier for the group.
+	* This is the primary key for group storage.
+	*/
+	id: string;
+	/**
+	* Required human-readable name for the group.
+	*/
+	displayName: string;
+	/**
+	* Optional external identifier from provisioning client.
+	*/
+	externalId?: string;
+	/**
+	* List of members in the group.
+	*/
+	members?: GroupMember[];
+	/**
+	* Timestamp when the group was first stored.
+	*/
+	createdAt: Date;
+	/**
+	* Timestamp when the group was last updated.
+	*/
+	updatedAt: Date;
+} & TExtended;
+/**
+* Abstract interface for group storage backends.
+*
+* Consumers can implement this interface to use different storage backends:
+* - In-memory (for development/testing)
+* - Redis (for production with fast lookups)
+* - Database (PostgreSQL, MySQL, etc.)
+*
+* @template TExtended - Type-safe custom data that consumers can add to groups
+*/
+interface GroupStore<TExtended = {}> {
+	/**
+	* Retrieve a group by its unique identifier.
+	*
+	* @param id - The group's unique identifier
+	* @returns The group if found, null otherwise
+	*/
+	get(id: string): Promise<StoredGroup<TExtended> | null>;
+	/**
+	* Retrieve a group by its external identifier.
+	*
+	* @param externalId - The external identifier from the provisioning client
+	* @returns The group if found, null otherwise
+	*/
+	getByExternalId(externalId: string): Promise<StoredGroup<TExtended> | null>;
+	/**
+	* Retrieve a group by its display name.
+	*
+	* @param displayName - The group's display name
+	* @returns The group if found, null otherwise
+	*/
+	getByDisplayName(displayName: string): Promise<StoredGroup<TExtended> | null>;
+	/**
+	* List all groups in the store.
+	*
+	* @returns Array of all stored groups
+	*/
+	list(): Promise<StoredGroup<TExtended>[]>;
+	/**
+	* Create or update a group in the store.
+	*
+	* If a group with the same `id` exists, it will be updated.
+	* Otherwise, a new group will be created.
+	*
+	* @param group - The group data to store
+	*/
+	upsert(group: StoredGroup<TExtended>): Promise<void>;
+	/**
+	* Delete a group by its unique identifier.
+	*
+	* @param id - The group's unique identifier to delete
+	*/
+	delete(id: string): Promise<void>;
+	/**
+	* Add a member to a group.
+	*
+	* @param groupId - The group's unique identifier
+	* @param member - The member to add
+	*/
+	addMember(groupId: string, member: GroupMember): Promise<void>;
+	/**
+	* Remove a member from a group.
+	*
+	* @param groupId - The group's unique identifier
+	* @param memberId - The member's value/id to remove
+	*/
+	removeMember(groupId: string, memberId: string): Promise<void>;
+}
+/**
+* In-memory group store implementation using Maps.
+*
+* Suitable for:
+* - Development and testing
+* - Single-server deployments
+* - Applications without high availability requirements
+*
+* NOT suitable for:
+* - Multi-server deployments (groups not shared)
+* - High availability scenarios (groups lost on restart)
+* - Production applications with distributed architecture
+*
+* For production, implement GroupStore with Redis or a database.
+*
+* @template TExtended - Type-safe custom data that consumers can add to groups
+*/
+declare class InMemoryGroupStore<TExtended = {}> implements GroupStore<TExtended> {
+	/** Primary storage: id -> group */
+	private groups;
+	/** Secondary index: externalId -> id */
+	private externalIdIndex;
+	/** Secondary index: displayName (lowercase) -> id */
+	private displayNameIndex;
+	get(id: string): Promise<StoredGroup<TExtended> | null>;
+	getByExternalId(externalId: string): Promise<StoredGroup<TExtended> | null>;
+	getByDisplayName(displayName: string): Promise<StoredGroup<TExtended> | null>;
+	list(): Promise<StoredGroup<TExtended>[]>;
+	upsert(group: StoredGroup<TExtended>): Promise<void>;
+	delete(id: string): Promise<void>;
+	addMember(groupId: string, member: GroupMember): Promise<void>;
+	removeMember(groupId: string, memberId: string): Promise<void>;
+}
+/**
+* Base user with simple, developer-friendly attributes.
+* Extended by User (SSO) and EnterpriseUser (SCIM).
+*/
+interface BaseUser {
+	/**
+	* Unique identifier for the user
+	*/
+	id?: string;
+	/**
+	* REQUIRED. Unique identifier for login
+	*/
+	userName: string;
+	/**
+	* REQUIRED. Simple display name
+	*/
+	name: string;
+	/**
+	* REQUIRED. Primary email address
+	*/
+	email: string;
+	/**
+	* URL to user's avatar/profile picture
+	*/
+	avatarUrl?: string;
+}
+import { StandardSchemaV1 as StandardSchemaV12 } from "@standard-schema/spec";
+/**
+* OIDC Code Flow Callback URL Parameters
+* @see https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth
+*/
+interface OidcCallbackParams {
+	/**
+	* REQUIRED. The authorization code returned from the authorization server.
+	*/
+	code: string;
+	/**
+	* REQUIRED if the "state" parameter was present in the client authorization request.
+	* The exact value received from the client.
+	*/
+	state?: string;
+	/**
+	* RECOMMENDED. The session state value. Clients should use this to verify the session state.
+	*/
+	session_state?: string;
+	/**
+	* OAuth 2.0 error code if the authorization request failed.
+	*/
+	error?: string;
+	/**
+	* Human-readable ASCII text providing additional information for the error.
+	*/
+	error_description?: string;
+	/**
+	* A URI identifying a human-readable web page with information about the error.
+	*/
+	error_uri?: string;
+	/**
+	* The "iss" (issuer) parameter identifies the principal that issued the response.
+	* This is typically used in the implicit flow.
+	*/
+	iss?: string;
+}
+/**
+* Creates a StandardSchemaV1 for validating OIDC callback URL parameters.
+* @param vendor - The name of the vendor creating this schema
+* @returns A StandardSchemaV1 instance for OIDC callback parameters
+*/
+declare function oidcCallbackSchema(vendor: string): StandardSchemaV12<Record<string, unknown>, OidcCallbackParams>;
+/**
+* Token Response from IdP
+*/
+interface TokenResponse {
+	access_token: string;
+	id_token: string;
+	refresh_token?: string;
+	token_type: string;
+	expires_in?: number;
+	scope?: string;
+	refresh_expires_in?: number;
+	session_state?: string;
+	expires?: string;
+}
+/**
+* Creates a StandardSchemaV1 for validating OIDC Token Responses.
+* @param vendor - The name of the vendor creating this schema
+* @returns A StandardSchemaV1 instance for Token Response validation
+*/
+declare function tokenResponseSchema(vendor: string): StandardSchemaV12<Record<string, unknown>, TokenResponse>;
+/**
+* ID Token Claims
+*/
+interface IdTokenClaims {
+	iss?: string;
+	aud?: string;
+	exp?: number;
+	iat?: number;
+	sub?: string;
+	sid?: string;
+	name?: string;
+	email?: string;
+	preferred_username?: string;
+	picture?: string;
+	[key: string]: unknown;
+}
+/**
+* Creates a StandardSchemaV1 for validating ID Token Claims.
+* @param vendor - The name of the vendor creating this schema
+* @returns A StandardSchemaV1 instance for ID Token Claims validation
+*/
+declare function idTokenClaimsSchema(vendor: string): StandardSchemaV12<Record<string, unknown>, IdTokenClaims>;
+/**
+* Primary user type for SSO/OIDC applications.
+* Extends BaseUser with SSO-specific data.
+*/
+interface User2 extends BaseUser {
+	/**
+	* SSO/OIDC authentication data
+	*/
+	sso: {
+		/**
+		* ID Token claims from the identity provider
+		*/
+		profile: IdTokenClaims;
+		/**
+		* Tenant/organization information
+		*/
+		tenant: {
+			id: string;
+			name: string;
+		};
+		/**
+		* OAuth scopes granted
+		*/
+		scope?: string;
+		/**
+		* Token type (typically "Bearer")
+		*/
+		tokenType: string;
+		/**
+		* Session state from the identity provider
+		*/
+		sessionState?: string;
+		/**
+		* Token expiration time
+		*/
+		expires: Date;
+	};
+}
+/**
+* Stored user data with required id and tracking metadata.
+*
+* Extends the SSO User type with:
+* - Required `id` (the `sub` claim from the IdP)
+* - Timestamps for tracking when users were first seen and last updated
+* - Optional custom extended data
+*
+* @template TExtended - Type-safe custom data that consumers can add to users
+*/
+type StoredUser<TExtended = {}> = User2 & {
+	/**
+	* Required unique identifier (the `sub` claim from the IdP).
+	* This is the primary key for user storage.
+	*/
+	id: string;
+	/**
+	* Timestamp when the user was first stored.
+	*/
+	createdAt: Date;
+	/**
+	* Timestamp when the user was last updated (e.g., on re-login).
+	*/
+	updatedAt: Date;
+} & TExtended;
+/**
+* Abstract interface for user storage backends.
+*
+* Consumers can implement this interface to use different storage backends:
+* - In-memory (for development/testing)
+* - Redis (for production with fast lookups)
+* - Database (PostgreSQL, MySQL, etc.)
+*
+* @template TExtended - Type-safe custom data that consumers can add to users
+*
+* @example
+* ```typescript
+* // Custom user data
+* type MyUserData = {
+*   department: string;
+*   roles: string[];
+* };
+*
+* // Implement custom store
+* class RedisUserStore implements UserStore<MyUserData> {
+*   async get(sub: string): Promise<StoredUser<MyUserData> | null> {
+*     const data = await redis.get(`user:${sub}`);
+*     return data ? JSON.parse(data) : null;
+*   }
+*   // ... other methods
+* }
+* ```
+*/
+interface UserStore<TExtended = {}> {
+	/**
+	* Retrieve a user by their subject identifier (sub).
+	*
+	* @param sub - The user's unique identifier from the IdP
+	* @returns The user if found, null otherwise
+	*/
+	get(sub: string): Promise<StoredUser<TExtended> | null>;
+	/**
+	* Retrieve a user by their email address.
+	*
+	* @param email - The user's email address
+	* @returns The user if found, null otherwise
+	*/
+	getByEmail(email: string): Promise<StoredUser<TExtended> | null>;
+	/**
+	* Retrieve a user by their username.
+	*
+	* @param userName - The user's username
+	* @returns The user if found, null otherwise
+	*/
+	getByUserName(userName: string): Promise<StoredUser<TExtended> | null>;
+	/**
+	* Create or update a user in the store.
+	*
+	* If a user with the same `id` (sub) exists, it will be updated.
+	* Otherwise, a new user will be created.
+	*
+	* @param user - The user data to store
+	*/
+	upsert(user: StoredUser<TExtended>): Promise<void>;
+	/**
+	* Delete a user by their subject identifier (sub).
+	*
+	* @param sub - The user's unique identifier to delete
+	*/
+	delete(sub: string): Promise<void>;
+}
+/**
+* In-memory user store implementation using Maps.
+*
+* Suitable for:
+* - Development and testing
+* - Single-server deployments
+* - Applications without high availability requirements
+*
+* NOT suitable for:
+* - Multi-server deployments (users not shared)
+* - High availability scenarios (users lost on restart)
+* - Production applications with distributed architecture
+*
+* For production, implement UserStore with Redis or a database.
+*
+* @template TExtended - Type-safe custom data that consumers can add to users
+*/
+declare class InMemoryUserStore<TExtended = {}> implements UserStore<TExtended> {
+	/** Primary storage: sub -> user */
+	private users;
+	/** Secondary index: email -> sub */
+	private emailIndex;
+	/** Secondary index: userName -> sub */
+	private userNameIndex;
+	get(sub: string): Promise<StoredUser<TExtended> | null>;
+	getByEmail(email: string): Promise<StoredUser<TExtended> | null>;
+	getByUserName(userName: string): Promise<StoredUser<TExtended> | null>;
+	upsert(user: StoredUser<TExtended>): Promise<void>;
+	delete(sub: string): Promise<void>;
+}
+import { StandardSchemaV1 as StandardSchemaV14 } from "@standard-schema/spec";
+import { StandardSchemaV1 as StandardSchemaV13 } from "@standard-schema/spec";
+/**
+* JWT Assertion Claims for OAuth2 JWT Bearer Grant (RFC 7523) and OAuth2 Access Tokens
+* @see https://datatracker.ietf.org/doc/html/rfc7523
+* @see https://datatracker.ietf.org/doc/html/rfc9068
+*/
+interface JWTAssertionClaims {
+	/**
+	* REQUIRED. Issuer - the workload identity (e.g., SPIFFE ID) or authorization server
+	*/
+	iss: string;
+	/**
+	* REQUIRED. Subject - the workload identity or service account
+	*/
+	sub: string;
+	/**
+	* OPTIONAL. Audience - may be a string or array of strings
+	* Note: Required for JWT assertions, but may be absent in OAuth2 access tokens
+	*/
+	aud?: string | string[];
+	/**
+	* REQUIRED. Expiration time (Unix timestamp)
+	*/
+	exp: number;
+	/**
+	* REQUIRED. Issued at time (Unix timestamp)
+	*/
+	iat: number;
+	/**
+	* OPTIONAL. JWT ID - unique identifier for this token
+	* Note: Required for JWT assertions, optional for access tokens
+	*/
+	jti?: string;
+	/**
+	* OPTIONAL. Requested OAuth scopes (space-delimited)
+	*/
+	scope?: string;
+	/**
+	* Allow additional claims for extensibility
+	*/
+	[key: string]: unknown;
+}
+/**
+* Creates a StandardSchemaV1 for validating JWT Assertion Claims.
+* @param vendor - The name of the vendor creating this schema
+* @returns A StandardSchemaV1 instance for JWT Assertion Claims validation
+*/
+declare function jwtAssertionClaimsSchema(vendor: string): StandardSchemaV13<Record<string, unknown>, JWTAssertionClaims>;
+/**
+* Workload Token Response from OAuth2 token endpoint
+* @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.1
+*/
+interface WorkloadTokenResponse {
+	/**
+	* REQUIRED. The access token issued by the authorization server.
+	*/
+	access_token: string;
+	/**
+	* REQUIRED. The type of the token (typically "Bearer").
+	*/
+	token_type: string;
+	/**
+	* RECOMMENDED. The lifetime in seconds of the access token.
+	*/
+	expires_in?: number;
+	/**
+	* OPTIONAL. The scope of the access token.
+	*/
+	scope?: string;
+	/**
+	* OPTIONAL. The refresh token (rarely used for workload identities).
+	*/
+	refresh_token?: string;
+	/**
+	* OPTIONAL. The expiration time as an ISO 8601 string.
+	*/
+	expires?: string;
+}
+/**
+* Creates a StandardSchemaV1 for validating Workload Token Responses.
+* @param vendor - The name of the vendor creating this schema
+* @returns A StandardSchemaV1 instance for Workload Token Response validation
+*/
+declare function workloadTokenResponseSchema(vendor: string): StandardSchemaV13<Record<string, unknown>, WorkloadTokenResponse>;
+/**
+* Token Validation Result
+*/
+interface TokenValidationResult {
+	/**
+	* Whether the token is valid
+	*/
+	valid: boolean;
+	/**
+	* The decoded and validated claims (if valid)
+	*/
+	claims?: JWTAssertionClaims;
+	/**
+	* Error message (if invalid)
+	*/
+	error?: string;
+	/**
+	* Token expiration time (if valid)
+	*/
+	expiresAt?: Date;
+}
+/**
+* Token caching for workload identity authentication.
+*
+* Token stores are optional but recommended for performance - they enable:
+* - Token caching to avoid repeated token acquisition
+* - Automatic token refresh before expiration
+* - Reduced load on authorization servers
+*
+* ## Token Caching Strategy
+*
+* Unlike session stores for user authentication, workload token stores cache
+* short-lived access tokens (typically 5 minutes) for service-to-service calls.
+*
+* **Default Behavior:**
+* - Tokens cached with 5-minute TTL
+* - Auto-refresh 60 seconds before expiration
+* - Expired tokens automatically removed
+*
+* ## Performance Characteristics
+*
+* | Backend      | Lookup Time | Use Case                    |
+* |--------------|-------------|----------------------------|
+* | InMemory     | <0.00005ms  | Single-server deployments  |
+* | Redis        | 1-2ms       | Multi-server deployments   |
+* | Database     | 5-20ms      | Persistent token storage   |
+*
+* ## Example Usage
+*
+* ```typescript
+* import { workload, InMemoryWorkloadTokenStore } from '@enterprisestandard/react/server';
+*
+* // With token caching
+* const workloadAuth = workload({
+*   // ... other config
+*   tokenStore: new InMemoryWorkloadTokenStore(),
+*   auto_refresh: true,  // Refresh before expiry
+* });
+*
+* // Without token caching (fetch new token each time)
+* const workloadAuth = workload({
+*   // ... config without tokenStore
+* });
+* ```
+*/
+/**
+* Cached workload token data.
+*
+* @template TExtended - Type-safe custom data that consumers can add to cached tokens
+*/
+type CachedWorkloadToken<TExtended = object> = {
+	/**
+	* Workload identifier (typically SPIFFE ID).
+	* Used as the primary key for token lookup.
+	*/
+	workload_id: string;
+	/**
+	* OAuth2 access token (Bearer token)
+	*/
+	access_token: string;
+	/**
+	* Token type (always "Bearer" for OAuth2)
+	*/
+	token_type: string;
+	/**
+	* OAuth2 scopes granted for this token
+	*/
+	scope?: string;
+	/**
+	* Timestamp when the token expires.
+	* Used for automatic cleanup and refresh logic.
+	*/
+	expires_at: Date;
+	/**
+	* Timestamp when the token was created/cached.
+	*/
+	created_at: Date;
+	/**
+	* Optional refresh token (rarely used for workload identities)
+	*/
+	refresh_token?: string;
+} & TExtended;
+/**
+* Abstract interface for workload token storage backends.
+*
+* Consumers can implement this interface to use different storage backends:
+* - Redis (recommended for multi-server deployments)
+* - Database (PostgreSQL, MySQL, etc. for persistence)
+* - Distributed cache (Memcached, etc.)
+* - Custom solutions
+*
+* @template TExtended - Type-safe custom data that consumers can add to cached tokens
+*
+* @example
+* ```typescript
+* // Custom token cache data
+* type MyTokenData = {
+*   environment: string;
+*   region: string;
+* };
+*
+* // Implement custom store with Redis
+* class RedisWorkloadTokenStore implements WorkloadTokenStore<MyTokenData> {
+*   async set(token: CachedWorkloadToken<MyTokenData>): Promise<void> {
+*     const ttl = Math.floor((token.expires_at.getTime() - Date.now()) / 1000);
+*     await redis.setex(
+*       `workload:token:${token.workload_id}`,
+*       ttl,
+*       JSON.stringify(token)
+*     );
+*   }
+*
+*   async get(workload_id: string): Promise<CachedWorkloadToken<MyTokenData> | null> {
+*     const data = await redis.get(`workload:token:${workload_id}`);
+*     if (!data) return null;
+*     const token = JSON.parse(data);
+*     // Convert date strings back to Date objects
+*     token.expires_at = new Date(token.expires_at);
+*     token.created_at = new Date(token.created_at);
+*     return token;
+*   }
+*
+*   // ... other methods
+* }
+* ```
+*/
+interface WorkloadTokenStore<TExtended = object> {
+	/**
+	* Store or update a workload token in the cache.
+	*
+	* @param token - The token data to cache
+	*/
+	set(token: CachedWorkloadToken<TExtended>): Promise<void>;
+	/**
+	* Retrieve a cached token by workload ID.
+	*
+	* @param workload_id - The workload identifier (e.g., SPIFFE ID)
+	* @returns The cached token if found and not expired, null otherwise
+	*/
+	get(workload_id: string): Promise<CachedWorkloadToken<TExtended> | null>;
+	/**
+	* Delete a cached token by workload ID.
+	*
+	* Used when explicitly revoking tokens or clearing cache.
+	*
+	* @param workload_id - The workload identifier to remove
+	*/
+	delete(workload_id: string): Promise<void>;
+	/**
+	* Check if a valid (non-expired) token exists for a workload.
+	*
+	* @param workload_id - The workload identifier to check
+	* @returns true if a valid token exists, false otherwise
+	*/
+	isValid(workload_id: string): Promise<boolean>;
+	/**
+	* Remove all expired tokens from the cache.
+	*
+	* Should be called periodically to prevent memory leaks.
+	*/
+	cleanup(): Promise<void>;
+}
+/**
+* In-memory workload token store implementation using Maps.
+*
+* Suitable for:
+* - Development and testing
+* - Single-server deployments
+* - Applications without high availability requirements
+*
+* NOT suitable for:
+* - Multi-server deployments (tokens not shared across instances)
+* - High availability scenarios (tokens lost on restart)
+* - Production applications with distributed architecture
+*
+* For production multi-server deployments, implement WorkloadTokenStore with Redis.
+*
+* @template TExtended - Type-safe custom data that consumers can add to cached tokens
+*/
+declare class InMemoryWorkloadTokenStore<TExtended = object> implements WorkloadTokenStore<TExtended> {
+	private tokens;
+	set(token: CachedWorkloadToken<TExtended>): Promise<void>;
+	get(workload_id: string): Promise<CachedWorkloadToken<TExtended> | null>;
+	delete(workload_id: string): Promise<void>;
+	isValid(workload_id: string): Promise<boolean>;
+	cleanup(): Promise<void>;
+}
+/**
+* Common fields shared across all workload authentication modes
+*/
+type WorkloadConfigBase = {
+	/**
+	* OAuth2 token endpoint URL
+	* REQUIRED for client role (token acquisition)
+	*/
+	tokenUrl?: string;
+	/**
+	* JWKS endpoint URL for public key retrieval
+	* REQUIRED for server role (token validation)
+	*/
+	jwksUri?: string;
+	/**
+	* Expected token issuer URL for validation
+	* RECOMMENDED for server role (token validation)
+	*/
+	issuer?: string;
+	/**
+	* Target audience for tokens
+	*/
+	audience?: string;
+	/**
+	* Default OAuth2 scopes (space-delimited)
+	*/
+	scope?: string;
+	/**
+	* JWT assertion/token lifetime in seconds
+	* @default 300 (5 minutes)
+	*/
+	tokenLifetime?: number;
+	/**
+	* Refresh threshold in seconds (refresh token this many seconds before expiry)
+	* @default 60
+	*/
+	refreshThreshold?: number;
+	/**
+	* Optional token store for caching access tokens
+	*/
+	tokenStore?: WorkloadTokenStore;
+	/**
+	* Automatically refresh tokens before expiration
+	* @default true
+	*/
+	autoRefresh?: boolean;
+	/**
+	* Optional RFC 7009 token revocation endpoint
+	*/
+	revocationEndpoint?: string;
+	/**
+	* Optional handler defaults (merged with per-call overrides in `handler`)
+	*/
+	validateUrl?: string;
+	jwksUrl?: string;
+	refreshUrl?: string;
+	validators?: WorkloadValidators;
+};
+type WorkloadValidators = {
+	jwtAssertionClaims: StandardSchemaV14<unknown, JWTAssertionClaims>;
+	tokenResponse: StandardSchemaV14<unknown, WorkloadTokenResponse>;
+};
+/**
+* JWT Bearer Grant (RFC 7523) Configuration
+*
+* Used for SPIFFE-style workload identities where services have their own
+* cryptographic identity and sign their own JWT assertions.
+*
+* @example
+* ```json
+* {
+*   "token_url": "https://auth.example.com/oauth/token",
+*   "jwks_uri": "https://auth.example.com/.well-known/jwks.json",
+*   "workload_id": "spiffe://trust-domain/ns/service",
+*   "audience": "https://auth.example.com/oauth/token",
+*   "private_key": "-----BEGIN PRIVATE KEY-----...",
+*   "algorithm": "RS256"
+* }
+* ```
+*/
+type JwtBearerWorkloadConfig = WorkloadConfigBase & {
+	/**
+	* Workload identifier (e.g., SPIFFE ID: spiffe://trust-domain/namespace/service)
+	* REQUIRED for JWT Bearer Grant mode
+	*/
+	workloadId: string;
+	/**
+	* PEM-encoded private key for signing JWT assertions
+	* REQUIRED for client role in JWT Bearer Grant mode
+	*/
+	privateKey: string;
+	/**
+	* Key ID (kid) to include in JWT header for key rotation support
+	*/
+	keyId?: string;
+	/**
+	* JWT signing algorithm
+	* @default 'RS256'
+	*/
+	algorithm?: "RS256" | "RS384" | "RS512" | "ES256" | "ES384" | "ES512";
+};
+/**
+* OAuth2 Client Credentials Configuration
+*
+* Standard OAuth2 Client Credentials Grant (RFC 6749 Section 4.4).
+* Used with identity providers like Keycloak for service-to-service authentication.
+*
+* @example
+* ```json
+* {
+*   "token_url": "https://sso.example.com/realms/myrealm/protocol/openid-connect/token",
+*   "jwks_uri": "https://sso.example.com/realms/myrealm/protocol/openid-connect/certs",
+*   "client_id": "my-service",
+*   "client_secret": "secret-from-idp",
+*   "issuer": "https://sso.example.com/realms/myrealm",
+*   "scope": "api:read api:write"
+* }
+* ```
+*/
+type ClientCredentialsWorkloadConfig = WorkloadConfigBase & {
+	/**
+	* OAuth2 client identifier registered with the authorization server
+	* REQUIRED for Client Credentials mode
+	*/
+	clientId: string;
+	/**
+	* OAuth2 client secret
+	* REQUIRED for Client Credentials mode
+	*/
+	clientSecret: string;
+};
+/**
+* Server-Only Workload Configuration
+*
+* Used when a service only needs to validate incoming workload tokens,
+* not acquire tokens for outbound calls. Requires only jwks_uri for
+* public key retrieval.
+*
+* @example
+* ```json
+* {
+*   "jwks_uri": "https://sso.example.com/realms/myrealm/protocol/openid-connect/certs",
+*   "issuer": "https://sso.example.com/realms/myrealm"
+* }
+* ```
+*/
+type ServerOnlyWorkloadConfig = WorkloadConfigBase & {
+	jwksUri: string;
+};
+/**
+* Workload Identity Authentication Configuration
+*
+* Union type supporting multiple authentication modes. The mode is automatically
+* detected based on which fields are present:
+*
+* - **JWT Bearer Grant**: Requires `workload_id` + `private_key`
+* - **Client Credentials**: Requires `client_id` + `client_secret`
+* - **Server-Only**: Only `jwks_uri` (and optionally `issuer`) for token validation
+*
+* The developer uses the same API regardless of mode - the library handles the details.
+*/
+type WorkloadConfig = JwtBearerWorkloadConfig | ClientCredentialsWorkloadConfig | ServerOnlyWorkloadConfig;
+/**
+* Workload Identity extracted from validated tokens
+*/
+type WorkloadIdentity = {
+	/**
+	* Workload identifier (for JWT Bearer Grant tokens)
+	*/
+	workloadId?: string;
+	/**
+	* Client identifier (for OAuth2 Client Credentials tokens)
+	*/
+	clientId?: string;
+	/**
+	* Granted scopes
+	*/
+	scope?: string;
+	/**
+	* Full JWT claims from the token
+	*/
+	claims: JWTAssertionClaims;
+};
+/**
+* Workload Identity Authentication Interface
+*/
+type Workload = {
+	config: WorkloadConfig;
+	getToken: (scope?: string) => Promise<string>;
+	refreshToken: (scope?: string) => Promise<WorkloadTokenResponse>;
+	generateJWTAssertion: (scope?: string) => Promise<string>;
+	revokeToken: (token: string) => Promise<void>;
+	validateToken: (token: string) => Promise<TokenValidationResult>;
+	getWorkloadIdentity: (request: Request) => Promise<WorkloadIdentity | undefined>;
+	parseJWT: (token: string) => Promise<JWTAssertionClaims>;
+	handler: (request: Request) => Promise<Response>;
+};
+declare function workload(validators: WorkloadValidators, fromVault?: Partial<WorkloadConfig>, fromCode?: Partial<WorkloadConfig>): Workload | undefined;
+/**
+* SCIM Error response structure
+*/
+interface ScimError {
+	schemas: string[];
+	status: string;
+	scimType?: string;
+	detail?: string;
+}
+/**
+* SCIM List Response for bulk operations
+*/
+interface ScimListResponse<T> {
+	schemas: string[];
+	totalResults: number;
+	startIndex?: number;
+	itemsPerPage?: number;
+	Resources: T[];
+}
+/**
+* Result of a SCIM operation
+*/
+interface ScimResult<T> {
+	success: boolean;
+	data?: T;
+	error?: ScimError;
+	status: number;
+}
+/**
+* Handler configuration for IAM
+*/
+interface IAMHandlerConfig {
+	/**
+	* Base path for the SCIM Users endpoints (e.g., '/api/iam/Users')
+	*/
+	usersUrl?: string;
+	/**
+	* Base path for the SCIM Groups endpoints (e.g., '/api/iam/Groups')
+	*/
+	groupsUrl?: string;
+}
+/**
+* IAM configuration
+*
+* - If `url` is provided, groups_outbound is enabled (app calls external IAM)
+* - If `groupStore` is provided, groups_inbound is enabled (external IAM calls app)
+* - If `userStore` is provided, users_inbound is enabled (external IAM calls app)
+*/
+type IAMConfig = {
+	/**
+	* Base URL of the external SCIM endpoint (e.g., https://sailpoint.example.com/scim/v2)
+	* If provided, enables outbound SCIM operations (app -> external IAM)
+	*/
+	url?: string;
+	/**
+	* Store for inbound user provisioning from external IAM providers.
+	* When configured, the app can receive user CRUD operations via SCIM.
+	*/
+	userStore?: UserStore;
+	/**
+	* Store for inbound group provisioning from external IAM providers.
+	* When configured, enables groups_inbound (external IAM -> app).
+	*/
+	groupStore?: GroupStore;
+	/**
+	* Optional handler defaults. These are merged with per-call overrides in
+	* `iam.handler`, with per-call values taking precedence.
+	*/
+	usersUrl?: string;
+	groupsUrl?: string;
+};
+type IAMValidators = {
+	user: StandardSchemaV15<unknown, User>;
+	group: StandardSchemaV15<unknown, GroupResource>;
+};
+/**
+* Options for creating a user
+*/
+interface CreateUserOptions {
+	/**
+	* External identifier for the user
+	*/
+	externalId?: string;
+}
+/**
+* Options for creating a group
+*/
+interface CreateGroupOptions {
+	/**
+	* External identifier for the group
+	*/
+	externalId?: string;
+	/**
+	* Initial members to add to the group
+	*/
+	members?: GroupMember[];
+}
+/**
+* Handler configuration for groups_inbound
+*/
+interface GroupsInboundHandlerConfig {
+	/**
+	* Base path for the SCIM Groups endpoints (e.g., '/api/iam/Groups')
+	*/
+	basePath?: string;
+}
+/**
+* Handler configuration for users_inbound
+*/
+interface UsersInboundHandlerConfig {
+	/**
+	* Base path for the SCIM Users endpoints (e.g., '/api/iam/Users')
+	*/
+	basePath?: string;
+}
+/**
+* Groups Outbound extension - for creating groups in external IAM providers.
+* Enabled when `url` is configured in IAMConfig.
+*/
+type IAMGroupsOutbound = {
+	/**
+	* Create a new group in the external IAM provider
+	* @param displayName - The display name for the group
+	* @param options - Optional configuration for the group creation
+	* @returns The created group resource from the provider
+	*/
+	createGroup: (displayName: string, options?: CreateGroupOptions) => Promise<ScimResult<GroupResource>>;
+};
+/**
+* Groups Inbound extension - for receiving group provisioning from external IAM providers.
+* Enabled when `groupStore` is configured in IAMConfig.
+*/
+type IAMGroupsInbound = {
+	/**
+	* Handle inbound SCIM requests for group management.
+	* Routes: GET/POST /Groups, GET/PUT/PATCH/DELETE /Groups/:id
+	*/
+	handler: (request: Request, config?: GroupsInboundHandlerConfig) => Promise<Response>;
+};
+/**
+* Users Inbound extension - for receiving user provisioning from external IAM providers.
+* Enabled when `userStore` is configured in IAMConfig.
+*/
+type IAMUsersInbound = {
+	/**
+	* Handle inbound SCIM requests for user management.
+	* Routes: GET/POST /Users, GET/PUT/PATCH/DELETE /Users/:id
+	*/
+	handler: (request: Request, config?: UsersInboundHandlerConfig) => Promise<Response>;
+};
+/**
+* Core IAM service interface.
+*
+* - Core functions are user-related (outbound to external IAM)
+* - `groups_outbound` is available when `url` is configured
+* - `groups_inbound` is available when `groupStore` is configured
+* - `users_inbound` is available when `userStore` is configured
+*/
+type IAM = IAMConfig & {
+	/**
+	* Create a new user/account in the external IAM provider
+	* Only available when `url` is configured.
+	*/
+	createUser?: (user: User, options?: CreateUserOptions) => Promise<ScimResult<User>>;
+	/**
+	* Get the configured external SCIM base URL
+	*/
+	getBaseUrl: () => string | undefined;
+	/**
+	* Groups Outbound extension - create groups in external IAM provider.
+	* Available when `url` is configured in IAMConfig.
+	*/
+	groups_outbound?: IAMGroupsOutbound;
+	/**
+	* Groups Inbound extension - receive group provisioning from external IAM.
+	* Available when `groupStore` is configured in IAMConfig.
+	*/
+	groups_inbound?: IAMGroupsInbound;
+	/**
+	* Users Inbound extension - receive user provisioning from external IAM.
+	* Available when `userStore` is configured in IAMConfig.
+	*/
+	users_inbound?: IAMUsersInbound;
+	/**
+	* Framework-agnostic request handler for IAM endpoints.
+	* Routes to users_inbound or groups_inbound handlers based on the request path.
+	*/
+	handler: (request: Request, config?: IAMHandlerConfig) => Promise<Response>;
+};
+/**
+* Creates an IAM service instance.
+*
+* - If `url` is configured, enables outbound SCIM operations to external IAM
+* - If `groupStore` is configured, enables inbound SCIM operations from external IAM
+*
+* @param config - IAM configuration
+* @param workload - Workload instance for authentication
+* @returns IAM service instance
+*/
+declare function iam(validators: IAMValidators, workload?: Workload, fromVault?: Partial<IAMConfig>, fromCode?: Partial<IAMConfig>): IAM | undefined;
+import { StandardSchemaV1 as StandardSchemaV16 } from "@standard-schema/spec";
+/**
+* Session management for tracking user sessions and enabling backchannel logout.
+*
+* Session stores are optional - the package works with JWT cookies alone.
+* Sessions are only required for backchannel logout functionality.
+*
+* ## Session Validation Strategies
+*
+* When using a session store, you can configure when sessions are validated:
+*
+* ### 'always' (default)
+* Validates session on every authenticated request.
+* - **Security**: Maximum - immediate session revocation
+* - **Performance**: InMemory ~0.00005ms, Redis ~1-2ms per request
+* - **Backchannel Logout**: Takes effect immediately
+* - **Use when**: Security is paramount, using InMemory or Redis backend
+*
+* ### 'refresh-only'
+* Validates session only during token refresh (typically every 5-15 minutes).
+* - **Security**: Good - 5-15 minute revocation window
+* - **Performance**: 99% reduction in session lookups
+* - **Backchannel Logout**: Takes effect within token TTL (5-15 min)
+* - **Use when**: Performance is critical AND delayed revocation is acceptable
+* - **WARNING**: Compromised sessions remain valid until next refresh
+*
+* ### 'disabled'
+* Never validates sessions against the store.
+* - **Security**: None - backchannel logout doesn't work
+* - **Performance**: No overhead
+* - **Use when**: Cookie-only mode without session store
+* - **WARNING**: Do not use with sessionStore configured
+*
+* ## Performance Characteristics
+*
+* | Backend      | Lookup Time | Impact on Request | Recommendation         |
+* |--------------|-------------|-------------------|------------------------|
+* | InMemory     | <0.00005ms  | Negligible        | Use 'always'           |
+* | Redis        | 1-2ms       | 2-4% increase     | Use 'always' or test   |
+* | Database     | 5-20ms      | 10-40% increase   | Use Redis cache layer  |
+*
+* ## Example Usage
+*
+* ```typescript
+* import { sso, InMemorySessionStore } from '@enterprisestandard/react/server';
+*
+* // Maximum security (default)
+* const secure = sso({
+*   // ... other config
+*   sessionStore: new InMemorySessionStore(),
+*   session_validation: 'always', // Immediate revocation
+* });
+*
+* // High performance
+* const fast = sso({
+*   // ... other config
+*   sessionStore: new InMemorySessionStore(),
+*   session_validation: {
+*     strategy: 'refresh-only' // 5-15 min revocation delay
+*   }
+* });
+* ```
+*/
+/**
+* Core session data tracked for each authenticated user session.
+*
+* @template TExtended - Type-safe custom data that consumers can add to sessions
+*/
+type Session<TExtended = {}> = {
+	/**
+	* Session ID from the Identity Provider (from `sid` claim in ID token).
+	* This is the unique identifier for the session.
+	*/
+	sid: string;
+	/**
+	* Subject identifier (user ID) from the Identity Provider.
+	* From the `sub` claim in the ID token.
+	*/
+	sub: string;
+	/**
+	* Timestamp when the session was created.
+	*/
+	createdAt: Date;
+	/**
+	* Timestamp of the last activity in this session.
+	* Can be updated to track session activity.
+	*/
+	lastActivityAt: Date;
+	/**
+	* Allow consumers to add runtime data to sessions.
+	*/
+	[key: string]: unknown;
+} & TExtended;
+/**
+* Abstract interface for session storage backends.
+*
+* Consumers can implement this interface to use different storage backends:
+* - Redis
+* - Database (PostgreSQL, MySQL, etc.)
+* - Distributed cache
+* - Custom solutions
+*
+* @template TExtended - Type-safe custom data that consumers can add to sessions
+*
+* @example
+* ```typescript
+* // Custom session data
+* type MySessionData = {
+*   ipAddress: string;
+*   userAgent: string;
+* };
+*
+* // Implement custom store
+* class RedisSessionStore implements SessionStore<MySessionData> {
+*   async create(session: Session<MySessionData>): Promise<void> {
+*     await redis.set(`session:${session.sid}`, JSON.stringify(session));
+*   }
+*   // ... other methods
+* }
+* ```
+*/
+interface SessionStore<TExtended = {}> {
+	/**
+	* Create a new session in the store.
+	*
+	* @param session - The session data to store
+	* @throws Error if session with same sid already exists
+	*/
+	create(session: Session<TExtended>): Promise<void>;
+	/**
+	* Retrieve a session by its IdP session ID (sid).
+	*
+	* @param sid - The session.sid from the Identity Provider
+	* @returns The session if found, null otherwise
+	*/
+	get(sid: string): Promise<Session<TExtended> | null>;
+	/**
+	* Update an existing session with partial data.
+	*
+	* Commonly used to update lastActivityAt or add custom fields.
+	*
+	* @param sid - The session.sid to update
+	* @param data - Partial session data to merge
+	* @throws Error if session not found
+	*/
+	update(sid: string, data: Partial<Session<TExtended>>): Promise<void>;
+	/**
+	* Delete a session by its IdP session ID (sid).
+	*
+	* Used for both normal logout and backchannel logout flows.
+	*
+	* @param sid - The session.sid to delete
+	*/
+	delete(sid: string): Promise<void>;
+}
+/**
+* In-memory session store implementation using Maps.
+*
+* Suitable for:
+* - Development and testing
+* - Single-server deployments
+* - Applications without high availability requirements
+*
+* NOT suitable for:
+* - Multi-server deployments (sessions not shared)
+* - High availability scenarios (sessions lost on restart)
+* - Production applications with distributed architecture
+*
+* For production, implement SessionStore with Redis or a database.
+*
+* @template TExtended - Type-safe custom data that consumers can add to sessions
+*/
+declare class InMemorySessionStore<TExtended = {}> implements SessionStore<TExtended> {
+	private sessions;
+	create(session: Session<TExtended>): Promise<void>;
+	get(sid: string): Promise<Session<TExtended> | null>;
+	update(sid: string, data: Partial<Session<TExtended>>): Promise<void>;
+	delete(sid: string): Promise<void>;
+}
+type SSOConfig<
+	TSessionData = {},
+	TUserData = {}
+> = {
+	authority?: string;
+	tokenUrl?: string;
+	authorizationUrl?: string;
+	clientId?: string;
+	clientSecret?: string;
+	redirectUri?: string;
+	responseType?: "code";
+	scope?: string;
+	silentRedirectUri?: string;
+	jwksUri?: string;
+	cookiesPrefix?: string;
+	cookiesPath?: string;
+	cookiesSecure?: boolean;
+	cookiesSameSite?: "Strict" | "Lax";
+	endSessionEndpoint?: string;
+	revocationEndpoint?: string;
+	sessionStore?: SessionStore<TSessionData>;
+	/**
+	* Optional user store for persisting user profiles from SSO authentication.
+	* When configured, users are automatically stored/updated on each login.
+	*/
+	userStore?: UserStore<TUserData>;
+	/**
+	* Enable Just-In-Time (JIT) user provisioning.
+	* When enabled, new users are automatically created in the userStore on their first login.
+	* When disabled (default), only existing users in the userStore are updated on login.
+	* Requires userStore to be configured.
+	* @default false
+	*/
+	enableJitUserProvisioning?: boolean;
+	validators?: SSOValidators;
+} & SSOHandlerConfig;
+type LoginConfig = {
+	landingUrl: string;
+	errorUrl?: string;
+};
+type SSOHandlerConfig = {
+	loginUrl?: string;
+	userUrl?: string;
+	errorUrl?: string;
+	landingUrl?: string;
+	tokenUrl?: string;
+	refreshUrl?: string;
+	jwksUrl?: string;
+	logoutUrl?: string;
+	logoutBackChannelUrl?: string;
+};
+type SSOValidators = {
+	callbackParams: StandardSchemaV16<unknown, OidcCallbackParams>;
+	idTokenClaims: StandardSchemaV16<unknown, IdTokenClaims>;
+	tokenResponse: StandardSchemaV16<unknown, TokenResponse>;
+};
+type SSO<
+	TSessionData = {},
+	TUserData = {}
+> = {
+	config: SSOConfig<TSessionData, TUserData>;
+	getUser: (request: Request) => Promise<User2 | undefined>;
+	getRequiredUser: (request: Request) => Promise<User2>;
+	getJwt: (request: Request) => Promise<string | undefined>;
+	initiateLogin: (config: LoginConfig, requestUrl?: string) => Promise<Response>;
+	logout: (request: Request, config?: LoginConfig) => Promise<Response>;
+	callbackHandler: (request: Request) => Promise<Response>;
+	handler: (request: Request) => Promise<Response>;
+};
+declare function sso<
+	TSessionData = {},
+	TUserData = {}
+>(validators: SSOValidators, fromVault?: Partial<SSOConfig<TSessionData, TUserData>>, fromCode?: Partial<SSOConfig<TSessionData, TUserData>>): SSO<TSessionData, TUserData> | undefined;
+import { StandardSchemaV1 as StandardSchemaV17 } from "@standard-schema/spec";
+/**
+* Environment type for tenant creation
+*/
+type EnvironmentType = "POC" | "DEV" | "QA" | "PROD";
+/**
+* Status of tenant creation process
+*/
+type TenantStatus = "pending" | "processing" | "completed" | "failed";
+/**
+* Request payload from ESVS for creating a tenant
+*/
+interface CreateTenantRequest {
+	/**
+	* Required app identifier to use when initializing EnterpriseStandard for this tenant.
+	* This is the primary identifier for tenant management. A company can have multiple
+	* applications (e.g., one instance on the east coast, one on the west coast).
+	*/
+	appId: string;
+	/**
+	* Company ID (used for reporting purposes only, not for tenant identification)
+	*/
+	companyId: string;
+	/**
+	* Company Name
+	*/
+	companyName: string;
+	/**
+	* Environment Type (POC, DEV, QA, PROD)
+	*/
+	environmentType: EnvironmentType;
+	/**
+	* Email (The email or distribution list used to communicate to the team)
+	*/
+	email: string;
+	/**
+	* Webhook URL where the application can send updates around the creation of the tenant
+	*/
+	webhookUrl: string;
+	/**
+	* URL that the tenant will be available at.
+	* Can be a full URL (e.g., "https://app.example.com/tenants/tenant-123")
+	* or a relative path (e.g., "/tenants/tenant-123").
+	* If relative, it will be normalized using the base URL from the request.
+	*/
+	tenantUrl: string;
+}
+/**
+* Response payload for tenant creation
+*/
+interface CreateTenantResponse {
+	/**
+	* URL that the tenant will be available at
+	*/
+	tenantUrl: string;
+	/**
+	* Current status of tenant creation
+	*/
+	status: TenantStatus;
+}
+/**
+* Payload sent to webhook URL for status updates
+*/
+interface TenantWebhookPayload {
+	/**
+	* Company ID
+	*/
+	companyId: string;
+	/**
+	* Current status of tenant creation
+	*/
+	status: TenantStatus;
+	/**
+	* URL that the tenant will be available at (provided once creation completes)
+	*/
+	tenantUrl?: string;
+	/**
+	* Error message (only present if status is "failed")
+	*/
+	error?: string;
+}
+/**
+* Validators for tenant management
+*/
+type TenantValidators = {
+	createTenantRequest: StandardSchemaV17<unknown, CreateTenantRequest>;
+};
+/**
+* Configuration for tenant management
+*/
+type TenantConfig = {};
+/**
+* Tenant service interface
+*/
+type Tenant = {
+	config: TenantConfig;
+	/**
+	* Parse and validate a tenant creation request from an HTTP request.
+	* Returns a validation result object with either `issues` (if validation fails) or `value` (if validation succeeds).
+	*
+	* @param request - The HTTP request containing the tenant creation data
+	* @returns Validation result with either `issues` array or `value` containing the validated request
+	*
+	* @example
+	* ```typescript
+	* app.post('/api/tenant', async (c) => {
+	*   const result = await tenantService.parseTenantRequest(c.req.raw);
+	*   if (result.issues) {
+	*     return validationFailureResponse(result.issues, 'Tenant request validation failed');
+	*   }
+	*   // Use result.value as CreateTenantRequest
+	* });
+	* ```
+	*/
+	parseTenantRequest: (request: Request) => Promise<StandardSchemaV17.Result<CreateTenantRequest>>;
+	/**
+	* Send a webhook update to ESVS with tenant creation status.
+	*
+	* @param webhookUrl - The webhook URL provided in the tenant creation request
+	* @param payload - The webhook payload with status and tenant information
+	*/
+	sendTenantWebhook: (webhookUrl: string, payload: TenantWebhookPayload) => Promise<void>;
+};
+/**
+* Creates a tenant service instance.
+*
+* @param validators - Validators for tenant request validation
+* @param fromVault - Configuration from vault (optional)
+* @param fromCode - Configuration from code (optional)
+* @returns Tenant service instance or undefined if no config provided
+*/
+declare function tenant(validators: TenantValidators, fromVault?: Partial<TenantConfig>, fromCode?: Partial<TenantConfig>): Tenant | undefined;
+/**
+* Stored tenant data with required appId and tracking metadata.
+*
+* @template TExtended - Type-safe custom data that consumers can add to tenants
+*/
+type StoredTenant<TExtended = {}> = {
+	/**
+	* Required app identifier used to initialize EnterpriseStandard for this tenant.
+	* This is the primary key for tenant storage. A company can have multiple
+	* applications (e.g., one instance on the east coast, one on the west coast).
+	*/
+	appId: string;
+	/**
+	* Company ID (used for reporting purposes only, not for tenant identification)
+	*/
+	companyId: string;
+	/**
+	* Company Name
+	*/
+	companyName: string;
+	/**
+	* Environment Type (POC, DEV, QA, PROD)
+	*/
+	environmentType: EnvironmentType;
+	/**
+	* Email (The email or distribution list used to communicate to the team)
+	*/
+	email: string;
+	/**
+	* Webhook URL where the application can send updates around the creation of the tenant
+	*/
+	webhookUrl: string;
+	/**
+	* URL that the tenant will be available at
+	*/
+	tenantUrl?: string;
+	/**
+	* Current status of tenant creation
+	*/
+	status: TenantStatus;
+	/**
+	* Error message (only present if status is "failed")
+	*/
+	error?: string;
+	/**
+	* Timestamp when the tenant was first stored.
+	*/
+	createdAt: Date;
+	/**
+	* Timestamp when the tenant was last updated.
+	*/
+	updatedAt: Date;
+	/**
+	* Serialized Enterprise Standard configuration.
+	* This is a JSON-serializable version of the ESConfig with non-serializable items excluded.
+	*/
+	config?: any;
+} & TExtended;
+/**
+* Abstract interface for tenant storage backends.
+*
+* Consumers can implement this interface to use different storage backends:
+* - In-memory (for development/testing)
+* - Redis (for production with fast lookups)
+* - Database (PostgreSQL, MySQL, etc.)
+*
+* @template TExtended - Type-safe custom data that consumers can add to tenants
+*/
+interface TenantStore<TExtended = {}> {
+	/**
+	* Retrieve a tenant by its app identifier.
+	*
+	* @param appId - The tenant's app identifier (primary key)
+	* @returns The tenant if found, null otherwise
+	*/
+	get(appId: string): Promise<StoredTenant<TExtended> | null>;
+	/**
+	* Retrieve all tenants for a company ID.
+	* Since a company can have multiple applications, this returns an array.
+	*
+	* @param companyId - The company ID (used for reporting, not primary identification)
+	* @returns Array of tenants for the company, empty array if none found
+	*/
+	getByCompanyId(companyId: string): Promise<StoredTenant<TExtended>[]>;
+	/**
+	* List all tenants in the store.
+	*
+	* @returns Array of all stored tenants
+	*/
+	list(): Promise<StoredTenant<TExtended>[]>;
+	/**
+	* Create or update a tenant in the store.
+	*
+	* If a tenant with the same `appId` exists, it will be updated.
+	* Otherwise, a new tenant will be created.
+	*
+	* @param tenant - The tenant data to store
+	* @returns The stored tenant
+	*/
+	upsert(tenant: StoredTenant<TExtended>): Promise<StoredTenant<TExtended>>;
+	/**
+	* Delete a tenant by its app identifier.
+	*
+	* @param appId - The tenant's app identifier to delete
+	*/
+	delete(appId: string): Promise<void>;
+}
+/**
+* In-memory tenant store implementation using Maps.
+*
+* Suitable for:
+* - Development and testing
+* - Single-server deployments
+* - Applications without high availability requirements
+*
+* NOT suitable for:
+* - Multi-server deployments (tenants not shared)
+* - High availability scenarios (tenants lost on restart)
+* - Production applications with distributed architecture
+*
+* For production, implement TenantStore with Redis or a database.
+*
+* @template TExtended - Type-safe custom data that consumers can add to tenants
+*/
+declare class InMemoryTenantStore<TExtended = {}> implements TenantStore<TExtended> {
+	/** Primary storage: appId -> tenant */
+	private tenants;
+	/** Secondary index: companyId -> Set of appIds (since one company can have multiple apps) */
+	private companyIdIndex;
+	get(appId: string): Promise<StoredTenant<TExtended> | null>;
+	getByCompanyId(companyId: string): Promise<StoredTenant<TExtended>[]>;
+	list(): Promise<StoredTenant<TExtended>[]>;
+	upsert(tenant: StoredTenant<TExtended>): Promise<StoredTenant<TExtended>>;
+	delete(appId: string): Promise<void>;
+}
+type LfvConfig = {
+	type: "lfv";
+	webhookUrl: string;
+};
+type VaultItem<T> = {
+	data: T;
+	metadata: MetaData;
+};
+type MetaData = {
+	path: string;
+	version: number;
+	created: Date;
+};
+type VaultType = "lfv" | "azure" | "aws" | "gcp" | "openbao" | "dev";
+type Vault = {
+	type: VaultType;
+	getFullSecret: <T>(path: string) => Promise<VaultItem<T>>;
+	getSecret: <T>(path: string) => Promise<T>;
+};
+type AzureConfig = {
+	type: "azure";
+};
+type AwsConfig = {
+	type: "aws";
+};
+type GcpConfig = {
+	type: "gcp";
+};
+type OpenBaoConfig = {
+	type: "openbao";
+	url?: string;
+	token?: string;
+};
+type DevConfig = {
+	type: "dev";
+};
+type VaultConfig = LfvConfig | AzureConfig | AwsConfig | GcpConfig | OpenBaoConfig | DevConfig;
+declare function vault(config?: VaultConfig): Vault;
+/**
+* Helper gets the user from the Request using the supplied EnterpriseStandard or the default instance
+*/
+declare function getUser2(request: Request, es?: EnterpriseStandard): Promise<User2 | undefined>;
+declare function getRequiredUser2(request: Request, es?: EnterpriseStandard): Promise<User2>;
+declare function initiateLogin2(config: LoginConfig, es?: EnterpriseStandard): Promise<Response>;
+declare function callback(request: Request, es?: EnterpriseStandard): Promise<Response>;
+/**
+* Enterprise user with SCIM attributes.
+* Extends BaseUser (simple fields) with optional complex SCIM fields.
+* For IAM/provisioning and enterprise directory integration.
+*/
+interface EnterpriseUser extends BaseUser {
+	/**
+	* External identifier from the provisioning system
+	*/
+	externalId?: string;
+	/**
+	* Resource metadata
+	*/
+	meta?: {
+		resourceType?: string;
+		created?: string;
+		lastModified?: string;
+		version?: string;
+		location?: string;
+	};
+	/**
+	* SCIM schemas supported by this user
+	*/
+	schemas?: string[];
+	/**
+	* Structured name with family/given names, prefixes, suffixes.
+	* Use alongside the simple `name` string from BaseUser.
+	*/
+	fullName?: Name;
+	/**
+	* Multiple email addresses with types (work, home, etc.).
+	* Use alongside the simple `email` string from BaseUser.
+	*/
+	emails?: Email[];
+	/**
+	* Name for display purposes
+	*/
+	displayName?: string;
+	/**
+	* Casual name to address the user
+	*/
+	nickName?: string;
+	/**
+	* URL to user's online profile
+	*/
+	profileUrl?: string;
+	/**
+	* Job title
+	*/
+	title?: string;
+	/**
+	* User type (e.g., "Employee", "Contractor")
+	*/
+	userType?: string;
+	/**
+	* Preferred language (e.g., "en-US")
+	*/
+	preferredLanguage?: string;
+	/**
+	* Locale for localization (e.g., "en-US")
+	*/
+	locale?: string;
+	/**
+	* Timezone (e.g., "America/New_York")
+	*/
+	timezone?: string;
+	/**
+	* Whether the user account is active
+	*/
+	active?: boolean;
+	/**
+	* Password (for provisioning only, should not be returned)
+	*/
+	password?: string;
+	/**
+	* Phone numbers
+	*/
+	phoneNumbers?: PhoneNumber[];
+	/**
+	* Instant messaging addresses
+	*/
+	ims?: Array<{
+		value: string;
+		display?: string;
+		type?: string;
+		primary?: boolean;
+	}>;
+	/**
+	* Photo URLs
+	*/
+	photos?: Array<{
+		value: string;
+		display?: string;
+		type?: string;
+		primary?: boolean;
+	}>;
+	/**
+	* Physical mailing addresses
+	*/
+	addresses?: Address[];
+	/**
+	* Groups the user belongs to
+	*/
+	groups?: Group[];
+	/**
+	* Entitlements
+	*/
+	entitlements?: Array<{
+		value: string;
+		display?: string;
+		type?: string;
+		primary?: boolean;
+	}>;
+	/**
+	* Roles assigned to the user
+	*/
+	roles?: Role[];
+	/**
+	* X.509 certificates
+	*/
+	x509Certificates?: Array<{
+		value: string;
+		display?: string;
+		type?: string;
+		primary?: boolean;
+	}>;
+	/**
+	* Employee number
+	*/
+	employeeNumber?: string;
+	/**
+	* Cost center
+	*/
+	costCenter?: string;
+	/**
+	* Organization name
+	*/
+	organization?: string;
+	/**
+	* Division name
+	*/
+	division?: string;
+	/**
+	* Department name
+	*/
+	department?: string;
+	/**
+	* User's manager
+	*/
+	manager?: {
+		value: string;
+		$ref?: string;
+		displayName?: string;
+	};
+}
+/**
+* Get the default EnterpriseStandard instance
+*/
+declare function getDefaultInstance(): EnterpriseStandard | undefined;
+/**
+* Returns a 400 Response with the issues if there are any.
+* @param issues - Any validation issues.
+* @param message - The message to include in the response.
+* @returns A 400 Response with the issues if it does, otherwise null.
+*/
+declare function validationFailureResponse(issues: any, message: string): Response;
+/**
+* Serializes an ESConfig or EnterpriseStandard instance to a JSON-serializable format
+* by removing non-serializable properties like stores, validators, and functions.
+*
+* Since EnterpriseStandard now extends ESConfig, the config (including handler URLs)
+* is accessible directly from the instance.
+*
+* @param configOrES - The ESConfig object or EnterpriseStandard instance to serialize
+* @returns A JSON-serializable version of the config
+*/
+declare function serializeESConfig(configOrES: any): any;
+/**
+* Get the workload identity from an incoming request.
+* Returns undefined if no valid workload token is present.
+*
+* @param request - Request with Authorization header
+* @param config - Optional EnterpriseStandard configuration
+* @returns WorkloadIdentity or undefined
+*
+* @example
+* ```typescript
+* import { getWorkload } from '@enterprisestandard/react';
+*
+* async function handler(request: Request) {
+*   const workload = await getWorkload(request);
+*
+*   if (!workload) {
+*     return new Response('Unauthorized', { status: 401 });
+*   }
+*
+*   console.log('Request from workload:', workload.workloadId);
+*   // ... process authenticated request
+* }
+* ```
+*/
+declare function getWorkload(request: Request, es?: EnterpriseStandard): Promise<WorkloadIdentity | undefined>;
+/**
+* Get an access token for the configured workload identity.
+*
+* @param scope - Optional OAuth2 scopes (space-delimited)
+* @param config - Optional EnterpriseStandard configuration
+* @returns Access token string
+*
+* @example
+* ```typescript
+* import { getWorkloadToken } from '@enterprisestandard/react/server';
+*
+* // Get token for API calls
+* const token = await getWorkloadToken('api:read api:write');
+*
+* // Use in outbound requests
+* const response = await fetch('https://api.example.com/data', {
+*   headers: { 'Authorization': `Bearer ${token}` },
+* });
+* ```
+*/
+declare function getWorkloadToken(scope?: string, es?: EnterpriseStandard): Promise<string>;
+/**
+* Validate a workload token from an incoming request.
+*
+* @param request - Request with Authorization header
+* @param config - Optional EnterpriseStandard configuration
+* @returns Token validation result
+*
+* @example
+* ```typescript
+* import { validateWorkloadToken } from '@enterprisestandard/react/server';
+*
+* async function handler(request: Request) {
+*   const result = await validateWorkloadToken(request);
+*
+*   if (!result.valid) {
+*     return new Response(
+*       JSON.stringify({ error: result.error }),
+*       { status: 401 }
+*     );
+*   }
+*
+*   const workloadId = result.claims?.iss;
+*   // ... process authenticated request
+* }
+* ```
+*/
+declare function validateWorkloadToken(request: Request, es?: EnterpriseStandard): Promise<TokenValidationResult>;
+/**
+* Revoke a workload access token.
+*
+* @param token - The access token to revoke
+* @param config - Optional EnterpriseStandard configuration
+*
+* @example
+* ```typescript
+* import { revokeWorkloadToken } from '@enterprisestandard/react/server';
+*
+* // Revoke token when workload is decommissioned
+* await revokeWorkloadToken(accessToken);
+* ```
+*/
+declare function revokeWorkloadToken(token: string, es?: EnterpriseStandard): Promise<void>;
+/**
+* Framework-agnostic handler for workload authentication routes.
+*
+* The handler reads configuration (handler URLs, validation) directly from the
+* EnterpriseStandard instance, so no config parameter is needed.
+*
+* @param request - Incoming request
+* @param config - Optional ESConfig to specify which EnterpriseStandard instance to use
+* @returns Response
+*
+* @example
+* ```typescript
+* import { workloadHandler } from '@enterprisestandard/react/server';
+*
+* // TanStack Start example
+* const Route = createFileRoute('/api/workload/$')({
+*   server: {
+*     handlers: ({ createHandlers }) =>
+*       createHandlers({
+*         GET: {
+*           handler: async ({ request }) => {
+*             return workloadHandler(request);
+*           },
+*         },
+*         POST: {
+*           handler: async ({ request }) => {
+*             return workloadHandler(request);
+*           },
+*         },
+*       }),
+*   },
+* });
+* ```
+*/
+declare function workloadHandler(request: Request, es?: EnterpriseStandard): Promise<Response>;
+import { StandardSchemaV1 as StandardSchemaV18 } from "@standard-schema/spec";
+/**
+* Parse and validate a tenant creation request.
+* Uses the default EnterpriseStandard instance's tenant service.
+*
+* @param request - The HTTP request containing the tenant creation data
+* @returns Validation result with either the parsed request or validation issues
+* @throws Error if no default EnterpriseStandard instance is available
+*/
+declare function parseTenantRequest2(request: Request): Promise<StandardSchemaV18.Result<CreateTenantRequest>>;
+/**
+* Send a webhook update to ESVS with tenant creation status.
+* Uses the default EnterpriseStandard instance's tenant service.
+*
+* @param webhookUrl - The webhook URL provided in the tenant creation request
+* @param payload - The webhook payload with status and tenant information
+* @throws Error if no default EnterpriseStandard instance is available
+*/
+declare function sendTenantWebhook2(webhookUrl: string, payload: TenantWebhookPayload): Promise<void>;
+/**
+* Error thrown when tenant request validation fails
+*/
+declare class TenantRequestError extends Error {
+	constructor(message: string);
+}
+type EnterpriseStandard = {
+	defaultInstance?: boolean;
+	vault?: Vault;
+	sso?: SSO;
+	iam?: IAM;
+	workload?: Workload;
+	tenants?: Tenant;
+	/**
+	* Framework-agnostic request handler that routes requests to the appropriate
+	* standard handler (SSO, IAM, or Workload) based on the configured URLs.
+	*/
+	handler: (request: Request) => Promise<Response>;
+};
+type ESConfig = {
+	defaultInstance?: boolean;
+	vaultPath?: string;
+	sso?: SSOConfig;
+	iam?: IAMConfig;
+	workload?: WorkloadConfig;
+	tenant?: TenantConfig;
+	validators?: ESValidators;
+};
+type ESValidators = {
+	sso: SSOValidators;
+	iam: IAMValidators;
+	workload: WorkloadValidators;
+	tenant: TenantValidators;
+};
+declare function enterpriseStandard(appId: string, initConfig?: ESConfig): Promise<EnterpriseStandard>;
+export { workloadTokenResponseSchema, workloadHandler, workload, vault, validationFailureResponse, validateWorkloadToken, userSchema, tokenResponseSchema, tenant as tenantManagement, sso, serializeESConfig, sendTenantWebhook2 as sendTenantWebhook, revokeWorkloadToken, parseTenantRequest2 as parseTenantRequest, oidcCallbackSchema, jwtAssertionClaimsSchema, initiateLogin2 as initiateLogin, idTokenClaimsSchema, iam, groupResourceSchema, getWorkloadToken, getWorkload, getUser2 as getUser, getRequiredUser2 as getRequiredUser, getDefaultInstance, enterpriseStandard, callback, X509Certificate, WorkloadValidators, WorkloadTokenStore, WorkloadTokenResponse, WorkloadIdentity, WorkloadConfig, Workload, Vault, UsersInboundHandlerConfig, UserStore, User2 as User, TokenValidationResult, TokenResponse, TenantWebhookPayload, TenantValidators, TenantStore, TenantStatus, TenantRequestError, TenantConfig, Tenant, StoredUser, StoredTenant, StoredGroup, SessionStore, ServerOnlyWorkloadConfig, User as ScimUser, ScimResult, ScimListResponse, ScimError, SSOValidators, SSOHandlerConfig, SSOConfig, SSO, Role, PhoneNumber, OidcCallbackParams, Name, JwtBearerWorkloadConfig, JWTAssertionClaims, InMemoryWorkloadTokenStore, InMemoryUserStore, InMemoryTenantStore, InMemorySessionStore, InMemoryGroupStore, IdTokenClaims, IAMValidators, IAMUsersInbound, IAMHandlerConfig, IAMGroupsOutbound, IAMGroupsInbound, IAMConfig, IAM, GroupsInboundHandlerConfig, GroupStore, GroupResource, GroupMember, Group, EnvironmentType, EnterpriseUser, EnterpriseStandard, EnterpriseExtension, Email, ESValidators, CreateUserOptions, CreateTenantResponse, CreateTenantRequest, CreateGroupOptions, ClientCredentialsWorkloadConfig, CachedWorkloadToken, BaseUser, Address };