npm - @enterprisestandard/core - Versions diffs - 0.0.9-beta.20260303.7 → 0.0.9 - Mend

@enterprisestandard/core 0.0.9-beta.20260303.7 → 0.0.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/index.d.ts +269 -430
package/dist/index.js +1 -1
package/dist/server.d.ts +60 -181
package/dist/server.js +1 -1
package/dist/shared/{core-5zzt9q6h.js → core-q2xp5jrk.js} +1 -1
package/package.json +3 -3

package/dist/index.d.ts CHANGED Viewed

@@ -1,6 +1,6 @@
 import { version } from "../package.json";
-import { ESValidators } from "@enterprisestandard/server";
-import { StandardSchemaV1 } from "@standard-schema/spec";
+import { StandardSchemaV1 as StandardSchemaV17 } from "@standard-schema/spec";
+import { StandardSchemaV1 as StandardSchemaV15 } from "@standard-schema/spec";
 /**
 * Minimal logger interface compatible with common patterns (console, pino, winston, etc.)
 */
@@ -89,389 +89,7 @@ interface UserListOptions {
 	/** Sort order (applied in array order). */
 	sort?: UserSortOptions[];
 }
-/** Allowed sort fields for tenants (no config). */
-type TenantSortField = "tenantId" | "companyId" | "companyName" | "environmentType" | "email" | "webhookUrl" | "callbackUrl" | "tenantUrl" | "status" | "error" | "createdAt" | "updatedAt";
-/** Single sort option for tenant list. */
-interface TenantSortOptions {
-	field: TenantSortField;
-	direction: SortDirection;
-}
-/** Options for TenantStore.list() and getByCompanyId(). */
-interface TenantListOptions {
-	/** 0-based index of first item. Default 0. */
-	start?: number;
-	/** Max items to return. Omitted = implementation-defined (InMemory: no limit). */
-	limit?: number;
-	/** Sort order (applied in array order). */
-	sort?: TenantSortOptions[];
-}
-/**
-* Environment type for tenant creation
-*/
-type EnvironmentType = "POC" | "DEV" | "QA" | "PROD";
-/**
-* Status of tenant creation process
-*/
-type TenantStatus = "pending" | "processing" | "completed" | "failed" | "action_required";
-/**
-* Request payload sent by a TMR (e.g. ESV or control plane) for creating a tenant
-*/
-interface CreateTenantRequest {
-	/**
-	* Required app identifier to use when initializing EnterpriseStandard for this tenant.
-	* This is the primary identifier for tenant management. A company can have multiple
-	* applications (e.g., one instance on the east coast, one on the west coast).
-	*/
-	tenantId: string;
-	/**
-	* Company ID (used for reporting purposes only, not for tenant identification)
-	*/
-	companyId: string;
-	/**
-	* Company Name
-	*/
-	companyName: string;
-	/**
-	* Environment Type (POC, DEV, QA, PROD)
-	*/
-	environmentType: EnvironmentType;
-	/**
-	* Email (The email or distribution list used to communicate to the team)
-	*/
-	email: string;
-	/**
-	* Webhook URL where the application can send updates concerning the creation of the tenant
-	*/
-	webhookUrl: string;
-	/**
-	* Callback URL where the customer should be redirected after completing TMS steps
-	*/
-	callbackUrl: string;
-	/**
-	* URL that the tenant will be available at (optional; deployer may allocate)
-	*/
-	tenantUrl?: string;
-}
-/**
-* Response payload for tenant creation
-*/
-type CreateTenantResponse = {
-	/**
-	* URL that the tenant will be available at
-	*/
-	tenantUrl: string;
-	/**
-	* Current status of tenant creation
-	*/
-	status: Exclude<TenantStatus, "action_required">;
-} | {
-	/**
-	* Current status of tenant creation
-	*/
-	status: "action_required";
-	/**
-	* URL where the customer should provide additional information
-	*/
-	actionUrl: string;
-	/**
-	* Signed request token for the action flow
-	*/
-	requestToken: string;
-	/**
-	* ISO timestamp when the request token expires
-	*/
-	expiresAt: string;
-};
-/**
-* Payload sent to webhook URL for status updates
-*/
-interface TenantWebhookPayload {
-	/**
-	* Tenant ID (primary identifier)
-	*/
-	tenantId: string;
-	/**
-	* Company ID
-	*/
-	companyId: string;
-	/**
-	* Current status of tenant creation
-	*/
-	status: TenantStatus;
-	/**
-	* URL that the tenant will be available at (provided once creation completes)
-	*/
-	tenantUrl?: string;
-	/**
-	* URL where the customer should provide additional information
-	*/
-	actionUrl?: string;
-	/**
-	* Signed request token for the action flow
-	*/
-	requestToken?: string;
-	/**
-	* ISO timestamp when the request token expires
-	*/
-	expiresAt?: string;
-	/**
-	* Error message (only present if status is "failed")
-	*/
-	error?: string;
-}
-/**
-* Error thrown when tenant request validation or processing fails.
-*/
-declare class TenantRequestError extends Error {
-	constructor(message: string, options?: ErrorOptions);
-}
-/**
-* Validators for tenant management
-*/
-type TenantValidators = {
-	createTenantRequest: StandardSchemaV1<unknown, CreateTenantRequest>;
-};
-/**
-* Configuration for tenant management
-*/
-type TenantConfig = {
-	/**
-	* Vault-only signing key used for request token signing
-	*/
-	signingKey?: string;
-	/**
-	* Default TTL (seconds) for request tokens
-	*/
-	requestTokenTtl?: number;
-};
-/** Tenant config that code may provide; excludes signingKey (vault-only). */
-type TenantConfigFromCode = Omit<TenantConfig, "signingKey">;
-type TenantRequestTokenPayload = {
-	tenantId: string;
-	callbackUrl: string;
-	exp: number;
-	iat: number;
-};
-/**
-* Tenant service interface
-*/
-type Tenant = TenantConfig & {
-	/**
-	* Parse and validate a tenant creation request from an HTTP request.
-	* Returns a validation result object with either `issues` (if validation fails) or `value` (if validation succeeds).
-	*
-	* @param request - The HTTP request containing the tenant creation data
-	* @returns Validation result with either `issues` array or `value` containing the validated request
-	*
-	* @example
-	* ```typescript
-	* app.post('/api/tenant', async (c) => {
-	*   const result = await tenantService.parseTenantRequest(c.req.raw);
-	*   if (result.issues) {
-	*     return validationFailureResponse(result.issues, 'Tenant request validation failed');
-	*   }
-	*   // Use result.value as CreateTenantRequest
-	* });
-	* ```
-	*/
-	parseTenantRequest: (request: Request) => Promise<StandardSchemaV1.Result<CreateTenantRequest>>;
-	/**
-	* Send a webhook update to ESVS with tenant creation status.
-	*
-	* @param webhookUrl - The webhook URL provided in the tenant creation request
-	* @param payload - The webhook payload with status and tenant information
-	*/
-	sendTenantWebhook: (webhookUrl: string, payload: TenantWebhookPayload) => Promise<void>;
-	/**
-	* Create a signed request token for the action_required flow
-	*/
-	createRequestToken: (tenantId: string, callbackUrl: string, ttlSeconds?: number) => Promise<{
-		token: string;
-		expiresAt: Date;
-		payload: TenantRequestTokenPayload;
-	}>;
-	/**
-	* Verify a signed request token and return its payload
-	*/
-	verifyRequestToken: (token: string) => Promise<TenantRequestTokenPayload>;
-};
-/**
-* Creates a tenant service instance.
-*
-* @param validators - Validators for tenant request validation
-* @param fromVault - Configuration from vault (optional)
-* @param fromCode - Configuration from code (optional)
-* @returns Tenant service instance or undefined if no config provided
-*/
-declare function tenant(validators: TenantValidators, log: Logger, fromVault?: Partial<TenantConfig>, fromCode?: Partial<TenantConfigFromCode>): Tenant | undefined;
-/**
-* Parse and validate a tenant creation request from an HTTP request using default validators.
-* Use this when you do not have a tenant service instance (e.g. in a standalone tenant creation endpoint).
-*
-* @param request - The HTTP request containing the tenant creation data
-* @returns Validation result with either `issues` array or `value` containing the validated request
-*/
-declare function parseTenantRequest(request: Request): Promise<StandardSchemaV1.Result<CreateTenantRequest>>;
-declare function sendTenantWebhook(webhookUrl: string, payload: TenantWebhookPayload, log: Logger): Promise<void>;
-/**
-* Stored tenant data with required tenantId and tracking metadata.
-*
-* @template TExtended - Type-safe custom data that consumers can add to tenants
-*/
-type StoredTenant<TExtended = {}> = {
-	/**
-	* Required app identifier used to initialize EnterpriseStandard for this tenant.
-	* This is the primary key for tenant storage. A company can have multiple
-	* applications (e.g., one instance on the east coast, one on the west coast).
-	*/
-	tenantId: string;
-	/**
-	* Company ID (used for reporting purposes only, not for tenant identification)
-	*/
-	companyId: string;
-	/**
-	* Company Name
-	*/
-	companyName: string;
-	/**
-	* Environment Type (POC, DEV, QA, PROD)
-	*/
-	environmentType: EnvironmentType;
-	/**
-	* Email (The email or distribution list used to communicate to the team)
-	*/
-	email: string;
-	/**
-	* Webhook URL where the application can send updates around the creation of the tenant
-	*/
-	webhookUrl: string;
-	/**
-	* Callback URL where the customer should be redirected after completing TMS steps
-	*/
-	callbackUrl: string;
-	/**
-	* URL that the tenant will be available at
-	*/
-	tenantUrl?: string;
-	/**
-	* Current status of tenant creation
-	*/
-	status: TenantStatus;
-	/**
-	* Error message (only present if status is "failed")
-	*/
-	error?: string;
-	/**
-	* Timestamp when the tenant was first stored.
-	*/
-	createdAt: Date;
-	/**
-	* Timestamp when the tenant was last updated.
-	*/
-	updatedAt: Date;
-	/**
-	* Serialized Enterprise Standard configuration.
-	* This is a JSON-serializable version of the FrameworkConfig with non-serializable items excluded.
-	*/
-	config?: unknown;
-} & TExtended;
-/**
-* Abstract interface for tenant storage backends.
-*
-* Consumers can implement this interface to use different storage backends:
-* - In-memory (for development/testing)
-* - Redis (for production with fast lookups)
-* - Database (PostgreSQL, MySQL, etc.)
-*
-* @template TExtended - Type-safe custom data that consumers can add to tenants
-*/
-interface TenantStore<TExtended = {}> {
-	/**
-	* Retrieve a tenant by its app identifier.
-	*
-	* @param tenantId - The tenant's identifier (primary key) - matches an ionite Application ID
-	* @returns The tenant if found, null otherwise
-	*/
-	get(tenantId: string): Promise<StoredTenant<TExtended> | null>;
-	/**
-	* Retrieve tenants for a company ID with optional pagination and sort.
-	*
-	* @param companyId - The company ID (used for reporting, not primary identification)
-	* @param options - Optional start (0-based), limit (page size), and sort
-	* @returns ListResult with total, count, items, size, page, pages
-	*/
-	getByCompanyId(companyId: string, options?: TenantListOptions): Promise<ListResult<StoredTenant<TExtended>>>;
-	/**
-	* List tenants in the store with optional pagination and sort.
-	*
-	* @param options - Optional start (0-based), limit (page size), and sort
-	* @returns ListResult with total, count, items, size, page, pages
-	*/
-	list(options?: TenantListOptions): Promise<ListResult<StoredTenant<TExtended>>>;
-	/**
-	* Create or update a tenant in the store.
-	*
-	* If a tenant with the same `tenantId` exists, it will be updated.
-	* Otherwise, a new tenant will be created.
-	*
-	* @param tenant - The tenant data to store
-	* @returns The stored tenant
-	*/
-	upsert(tenant: StoredTenant<TExtended>): Promise<StoredTenant<TExtended>>;
-	/**
-	* Delete a tenant by its app identifier.
-	*
-	* @param tenantId - The tenant's app identifier to delete
-	*/
-	delete(tenantId: string): Promise<void>;
-}
-/**
-* In-memory tenant store implementation using Maps.
-*
-* Suitable for:
-* - Development and testing
-* - Single-server deployments
-* - Applications without high availability requirements
-*
-* NOT suitable for:
-* - Multi-server deployments (tenants not shared)
-* - High availability scenarios (tenants lost on restart)
-* - Production applications with distributed architecture
-*
-* For production, implement TenantStore with Redis or a database.
-*
-* @template TExtended - Type-safe custom data that consumers can add to tenants
-*/
-declare class InMemoryTenantStore<TExtended = {}> implements TenantStore<TExtended> {
-	private tenants;
-	/** Secondary index: companyId -> Set of tenantId (since one company can have multiple apps) */
-	private companyIdIndex;
-	get(tenantId: string): Promise<StoredTenant<TExtended> | null>;
-	getByCompanyId(companyId: string, options?: TenantListOptions): Promise<ListResult<StoredTenant<TExtended>>>;
-	list(options?: TenantListOptions): Promise<ListResult<StoredTenant<TExtended>>>;
-	upsert(tenant: StoredTenant<TExtended>): Promise<StoredTenant<TExtended>>;
-	delete(tenantId: string): Promise<void>;
-}
-/**
-* Validator for CreateTenantResponse (tenant creation API response).
-* Used by ESV and other consumers that need to validate tenant response shape.
-*/
-declare function createTenantResponseValidator(): {
-	"~standard": {
-		validate(value: unknown): {
-			value: CreateTenantResponse;
-		} | {
-			issues: Array<{
-				message: string;
-				path?: ReadonlyArray<PropertyKey>;
-			}>;
-		};
-	};
-};
-declare function basicValidators(): ESValidators;
-import { StandardSchemaV1 as StandardSchemaV18 } from "@standard-schema/spec";
-import { StandardSchemaV1 as StandardSchemaV16 } from "@standard-schema/spec";
-import { StandardSchemaV1 as StandardSchemaV12 } from "@standard-schema/spec";
+import { StandardSchemaV1 } from "@standard-schema/spec";
 /**
 * SCIM 2.0 User Resource
 * @see https://datatracker.ietf.org/doc/html/rfc7643#section-4.1
@@ -899,13 +517,13 @@ interface User {
 * @param vendor - The name of the vendor creating this schema
 * @returns A StandardSchemaV1 instance for SCIM User resources
 */
-declare function userSchema(vendor: string): StandardSchemaV12<Record<string, unknown>, User>;
+declare function userSchema(vendor: string): StandardSchemaV1<Record<string, unknown>, User>;
 /**
 * Creates a StandardSchemaV1 for validating SCIM Group resources.
 * @param vendor - The name of the vendor creating this schema
 * @returns A StandardSchemaV1 instance for SCIM Group resources
 */
-declare function groupResourceSchema(vendor: string): StandardSchemaV12<Record<string, unknown>, GroupResource>;
+declare function groupResourceSchema(vendor: string): StandardSchemaV1<Record<string, unknown>, GroupResource>;
 /**
 * Stored group data with required id and tracking metadata.
 *
@@ -1038,7 +656,7 @@ interface BaseUser {
 	*/
 	userType?: string;
 }
-import { StandardSchemaV1 as StandardSchemaV13 } from "@standard-schema/spec";
+import { StandardSchemaV1 as StandardSchemaV12 } from "@standard-schema/spec";
 /**
 * OIDC Code Flow Callback URL Parameters
 * @see https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth
@@ -1080,7 +698,7 @@ interface OidcCallbackParams {
 * @param vendor - The name of the vendor creating this schema
 * @returns A StandardSchemaV1 instance for OIDC callback parameters
 */
-declare function oidcCallbackSchema(vendor: string): StandardSchemaV13<Record<string, unknown>, OidcCallbackParams>;
+declare function oidcCallbackSchema(vendor: string): StandardSchemaV12<Record<string, unknown>, OidcCallbackParams>;
 /**
 * Token Response from IdP
 */
@@ -1100,7 +718,7 @@ interface TokenResponse {
 * @param vendor - The name of the vendor creating this schema
 * @returns A StandardSchemaV1 instance for Token Response validation
 */
-declare function tokenResponseSchema(vendor: string): StandardSchemaV13<Record<string, unknown>, TokenResponse>;
+declare function tokenResponseSchema(vendor: string): StandardSchemaV12<Record<string, unknown>, TokenResponse>;
 /**
 * ID Token Claims
 */
@@ -1122,7 +740,7 @@ interface IdTokenClaims {
 * @param vendor - The name of the vendor creating this schema
 * @returns A StandardSchemaV1 instance for ID Token Claims validation
 */
-declare function idTokenClaimsSchema(vendor: string): StandardSchemaV13<Record<string, unknown>, IdTokenClaims>;
+declare function idTokenClaimsSchema(vendor: string): StandardSchemaV12<Record<string, unknown>, IdTokenClaims>;
 /**
 * Primary user type for SSO/OIDC applications.
 * Extends BaseUser with SSO-specific data.
@@ -1171,7 +789,7 @@ interface User2 extends BaseUser {
 *
 * @template TExtended - Type-safe custom data that consumers can add to users
 */
-type StoredUser<TExtended = {}> = User2 & {
+type StoredUser<TExtended = object> = User2 & {
 	/**
 	* Required unique identifier (the `sub` claim from the IdP).
 	* This is the primary key for user storage.
@@ -1214,7 +832,7 @@ type StoredUser<TExtended = {}> = User2 & {
 * }
 * ```
 */
-interface UserStore<TExtended = {}> {
+interface UserStore<TExtended = object> {
 	/**
 	* Retrieve a user by their subject identifier (sub).
 	*
@@ -1259,8 +877,8 @@ interface UserStore<TExtended = {}> {
 	*/
 	list(options?: UserListOptions): Promise<ListResult<StoredUser<TExtended>>>;
 }
-import { StandardSchemaV1 as StandardSchemaV15 } from "@standard-schema/spec";
 import { StandardSchemaV1 as StandardSchemaV14 } from "@standard-schema/spec";
+import { StandardSchemaV1 as StandardSchemaV13 } from "@standard-schema/spec";
 /**
 * JWT Assertion Claims for OAuth2 JWT Bearer Grant (RFC 7523) and OAuth2 Access Tokens
 * @see https://datatracker.ietf.org/doc/html/rfc7523
@@ -1307,7 +925,7 @@ interface JWTAssertionClaims {
 * @param vendor - The name of the vendor creating this schema
 * @returns A StandardSchemaV1 instance for JWT Assertion Claims validation
 */
-declare function jwtAssertionClaimsSchema(vendor: string): StandardSchemaV14<Record<string, unknown>, JWTAssertionClaims>;
+declare function jwtAssertionClaimsSchema(vendor: string): StandardSchemaV13<Record<string, unknown>, JWTAssertionClaims>;
 /**
 * Workload Token Response from OAuth2 token endpoint
 * @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.1
@@ -1343,7 +961,7 @@ interface WorkloadTokenResponse {
 * @param vendor - The name of the vendor creating this schema
 * @returns A StandardSchemaV1 instance for Workload Token Response validation
 */
-declare function workloadTokenResponseSchema(vendor: string): StandardSchemaV14<Record<string, unknown>, WorkloadTokenResponse>;
+declare function workloadTokenResponseSchema(vendor: string): StandardSchemaV13<Record<string, unknown>, WorkloadTokenResponse>;
 /**
 * Token Validation Result
 */
@@ -1590,8 +1208,8 @@ type WorkloadConfigBase = {
 	validators?: WorkloadValidators;
 };
 type WorkloadValidators = {
-	jwtAssertionClaims: StandardSchemaV15<unknown, JWTAssertionClaims>;
-	tokenResponse: StandardSchemaV15<unknown, WorkloadTokenResponse>;
+	jwtAssertionClaims: StandardSchemaV14<unknown, JWTAssertionClaims>;
+	tokenResponse: StandardSchemaV14<unknown, WorkloadTokenResponse>;
 };
 /**
 * JWT Bearer Grant (RFC 7523) Configuration
@@ -1710,13 +1328,27 @@ type WorkloadConfigMap = Record<string, WorkloadConfig>;
 /**
 * Workload config with separate incoming (server) and outgoing (client) roles.
 * - **incoming**: Server-only config for validating tokens presented to this app (jwksUri, issuer).
-* - **outgoing**: Map of named clients for outbound calls; use getWorkloadToken(client?, es, scope?) from server (client can be omitted when only one client; pass the ES instance).
+* - **outgoing**: Map of named clients for outbound calls; use getWorkloadToken(client, es, scope?) from server (client is required and must be one of the outgoing names; pass the ES instance).
 */
 type WorkloadIncomingOutgoing = {
 	incoming?: Partial<WorkloadConfig>;
 	outgoing?: Record<string, Partial<WorkloadConfig>>;
 };
 /**
+* Framework-level workload declarations used by app code to define the expected
+* incoming/outgoing workload shape without needing all remote credentials in code.
+*/
+type FrameworkWorkloadIncomingOutgoing = {
+	incoming?: Partial<WorkloadConfig>;
+	outgoing?: Record<string, Partial<WorkloadConfig>>;
+};
+/**
+* Workload config shape accepted from framework/app code.
+* Apps may provide a partial single config or an incoming/outgoing declaration
+* to expose named outgoing clients in the type system.
+*/
+type FrameworkWorkloadConfig = Partial<WorkloadConfig> | FrameworkWorkloadIncomingOutgoing;
+/**
 * Workload Identity extracted from validated tokens
 */
 type WorkloadIdentity = {
@@ -1741,10 +1373,11 @@ type WorkloadIdentity = {
 * Workload Identity Authentication Interface
 */
 type Workload = WorkloadConfig & {
-	/** When options.client is set, returns a token for that named client (outbound to another app). */
-	getToken: (scope?: string, options?: {
-		client?: string;
-	}) => Promise<string>;
+	/**
+	* Returns a token for this workload configuration.
+	* The optional argument overrides the configured default scope.
+	*/
+	getToken: (scope?: string) => Promise<string>;
 	refreshToken: (scope?: string) => Promise<WorkloadTokenResponse>;
 	generateJWTAssertion: (scope?: string) => Promise<string>;
 	revokeToken: (token: string) => Promise<void>;
@@ -1754,6 +1387,7 @@ type Workload = WorkloadConfig & {
 	/** Framework-agnostic request handler for the Workload module (token, validate, jwks, refresh). */
 	handler: (request: Request) => Promise<Response>;
 };
+type WorkloadClient = Pick<Workload, "getToken" | "refreshToken" | "generateJWTAssertion" | "revokeToken">;
 /**
 * SCIM Error response structure
 */
@@ -1826,8 +1460,8 @@ type IAMConfig = {
 	groupsUrl?: string;
 };
 type IAMValidators = {
-	user: StandardSchemaV16<unknown, User>;
-	group: StandardSchemaV16<unknown, GroupResource>;
+	user: StandardSchemaV15<unknown, User>;
+	group: StandardSchemaV15<unknown, GroupResource>;
 };
 /**
 * Options for creating a user
@@ -1943,7 +1577,7 @@ type IAM = IAMConfig & {
 	*/
 	handler: (request: Request, config?: IAMHandlerConfig) => Promise<Response>;
 };
-import { StandardSchemaV1 as StandardSchemaV17 } from "@standard-schema/spec";
+import { StandardSchemaV1 as StandardSchemaV16 } from "@standard-schema/spec";
 /**
 * Session management for tracking user sessions and enabling backchannel logout.
 *
@@ -2011,7 +1645,7 @@ import { StandardSchemaV1 as StandardSchemaV17 } from "@standard-schema/spec";
 *
 * @template TExtended - Type-safe custom data that consumers can add to sessions
 */
-type Session<TExtended = {}> = {
+type Session<TExtended = object> = {
 	/**
 	* Session ID from the Identity Provider (from `sid` claim in ID token).
 	* This is the unique identifier for the session.
@@ -2064,7 +1698,7 @@ type Session<TExtended = {}> = {
 * }
 * ```
 */
-interface SessionStore<TExtended = {}> {
+interface SessionStore<TExtended = object> {
 	/**
 	* Create a new session in the store.
 	*
@@ -2174,9 +1808,9 @@ type SSOHandlerConfig = {
 	logoutBackChannelUrl?: string;
 };
 type SSOValidators = {
-	callbackParams: StandardSchemaV17<unknown, OidcCallbackParams>;
-	idTokenClaims: StandardSchemaV17<unknown, IdTokenClaims>;
-	tokenResponse: StandardSchemaV17<unknown, TokenResponse>;
+	callbackParams: StandardSchemaV16<unknown, OidcCallbackParams>;
+	idTokenClaims: StandardSchemaV16<unknown, IdTokenClaims>;
+	tokenResponse: StandardSchemaV16<unknown, TokenResponse>;
 };
 type SSO<
 	TSessionData = {},
@@ -2296,6 +1930,16 @@ type Secrets = {
 	handleLfvEvents?(request: Request): Promise<Response>;
 };
 /**
+* Partial secrets source config used in framework/app code to declare expected source names.
+* ConfigSource-backed values may still provide the actual source details at runtime.
+*/
+type FrameworkSecretsSourceConfig = Partial<SecretsSourceConfig>;
+/**
+* Framework-level named secrets source declarations keyed by source name.
+* Values may be partial or empty when the app only wants to declare expected names/types.
+*/
+type FrameworkSecretsModuleConfig = Record<string, FrameworkSecretsSourceConfig>;
+/**
 * TODO: Let's see if we can do some clean inference and remove this!!!
 */
 type SecretsSourceMap = Record<string, SecretsSource>;
@@ -2343,6 +1987,15 @@ type LfvSecretsConfig = {
 	*/
 	logger?: Logger;
 };
+/**
+* Runtime-ready LFV source config.
+* Input config can be partially declared/merged, but LFV operations require these fields.
+*/
+type ResolvedLfvSecretsConfig = Omit<LfvSecretsConfig, "lfvServerUrl" | "clientId" | "path"> & {
+	lfvServerUrl: string;
+	clientId: string;
+	path: string;
+};
 type VaultSecretsConfig = {
 	type: "vault";
 	url?: string;
@@ -2443,11 +2096,10 @@ type AzureSecretsConfig = {
 	ttl?: number;
 };
 type ConfigSourceType = "vault" | "lfv" | "azure" | "aws" | "gcp" | "dev" | "localFile";
-type ESValidators2 = {
+type ESValidators = {
 	sso: SSOValidators;
 	iam: IAMValidators;
 	workload: WorkloadValidators;
-	tenant: TenantValidators;
 	ciam: CIAMValidators;
 	secrets?: SecretsValidators;
 };
@@ -2455,16 +2107,18 @@ type ESValidators2 = {
 * Configuration supplied by the framework/application when creating an Enterprise Standard instance.
 * Merged with RemoteConfig from the ConfigSource (framework config wins). Pass as the second
 * argument to enterpriseStandard(source, config).
+* Set a module to `null` to explicitly disable it; then the corresponding property on the
+* EnterpriseStandard instance is typed as `never`. Omit a module to allow it to be supplied
+* from ConfigSource / adaptive (typed as the module type, non-optional).
 */
 type FrameworkConfig = {
 	logger?: Logger;
-	sso?: SSOConfig;
-	iam?: IAMConfig;
-	workload?: WorkloadConfig;
-	secrets?: SecretsModuleConfig;
-	tenant?: TenantConfigFromCode;
-	ciam?: CIAMConfig;
-	validators?: ESValidators2;
+	sso?: SSOConfig | null;
+	iam?: IAMConfig | null;
+	workload?: FrameworkWorkloadConfig | null;
+	secrets?: FrameworkSecretsModuleConfig | null;
+	ciam?: CIAMConfig | null;
+	validators: ESValidators;
 };
 /**
 * Final configuration after merging ConfigSource (RemoteConfig) and FrameworkConfig.
@@ -2489,7 +2143,6 @@ type RemoteConfig = {
 	workload?: WorkloadConfig | WorkloadConfigMap | WorkloadIncomingOutgoing;
 	/** Optional named secrets-source configs available to this ESA instance. */
 	secrets?: SecretsModuleConfig;
-	tenant?: TenantConfig;
 	ciam?: CIAMConfig;
 };
 /** Return type from the beforeChange hook passed to enterpriseStandard(). */
@@ -2516,14 +2169,45 @@ type ConfigSource = {
 	* Optional. If not set by the creator, the framework may set this before calling load/subscribe
 	* so the source can use the same validators.
 	*/
-	validators?: ESValidators2;
+	validators?: ESValidators;
 };
 /**
 * Serializes a FrameworkConfig (or ESConfig) to a JSON-serializable object.
 * Strips store instances and validators so the result can be sent in API responses.
 */
 declare function serializeESConfig(es: FrameworkConfig): Record<string, unknown>;
-type EnterpriseStandard = {
+/**
+* Maps a module key in config C to the corresponding property type on EnterpriseStandard.
+* - If C[K] is null (explicitly disabled), the property type is never (still appears in autocomplete).
+* - If the key is omitted or present and not null, the property type is T (non-optional, assumed available from ConfigSource/adaptive).
+*/
+type ESModuleFromConfig<
+	C extends FrameworkConfig,
+	K extends keyof FrameworkConfig,
+	T
+> = C[K] extends null ? never : [Exclude<C[K], undefined>] extends [never] ? T : [Exclude<C[K], undefined>] extends [null] ? never : T;
+type StringKeys<T> = Extract<keyof T, string>;
+type EmptyNamedModule = Record<string, never>;
+type NamedSecretsFromConfig<C extends FrameworkConfig> = Exclude<C["secrets"], null | undefined> extends infer S ? S extends Record<string, unknown> ? { [K in Exclude<StringKeys<S>, keyof Secrets>] : SecretsSource } : EmptyNamedModule : EmptyNamedModule;
+type NamedWorkloadClientsFromConfig<C extends FrameworkConfig> = Exclude<C["workload"], null | undefined> extends infer W ? W extends {
+	outgoing?: infer O;
+} ? O extends Record<string, unknown> ? { [K in Exclude<StringKeys<O>, keyof Workload>] : WorkloadClient } : EmptyNamedModule : EmptyNamedModule : EmptyNamedModule;
+type AggregateWorkload = Omit<Workload, "getToken"> & {
+	getToken: (client: string, scope?: string) => Promise<string>;
+	getServerToken: (scope?: string) => Promise<string>;
+};
+type WorkloadModuleFromConfig<C extends FrameworkConfig> = Exclude<C["workload"], null | undefined> extends infer W ? W extends {
+	outgoing?: infer O;
+} ? O extends Record<string, unknown> ? AggregateWorkload & NamedWorkloadClientsFromConfig<C> : Workload : Workload : Workload;
+/**
+* EnterpriseStandard type driven by the config type C.
+* Module properties are:
+* - never when that module is set to null (explicitly disabled);
+* - the module type (non-optional) when omitted or present, so you can use es.module.method.
+*/
+type EnterpriseStandardFromConfig<C extends FrameworkConfig = FrameworkConfig> = EnterpriseStandardStrict<C>;
+/** Base shape shared by all EnterpriseStandard variants (modules optional for backward compatibility). */
+type EnterpriseStandardBase = {
 	logger?: Logger;
 	/** App/tenant identifier when provided by ConfigSource (e.g. vault). */
 	tenantId?: string;
@@ -2532,19 +2216,39 @@ type EnterpriseStandard = {
 	secrets?: Secrets;
 	sso?: SSO;
 	iam?: IAM;
-	workload?: Workload;
-	tenants?: Tenant;
+	workload?: Workload | AggregateWorkload;
 	ciam?: CIAM;
 	/**
 	* Framework-agnostic request handler that routes requests to the appropriate
 	* module (SSO, IAM, Workload, or CIAM) based on the configured URLs.
 	*/
 	handler: (request: Request) => Promise<Response>;
+	/** Returns a promise that resolves when configured at least once. If timeout is > 0, rejects after timeout ms. */
+	ready(timeout?: number): Promise<void>;
+	/** Returns true once config has been applied at least once, false otherwise. */
+	isReady(): boolean;
 	/** When present (e.g. from server enterpriseStandard), reload config from the config source and reapply. */
 	reload?(): Promise<void>;
 	/** When present (e.g. from server enterpriseStandard), merge config then reload from the config source and reapply. */
 	reconfigure?(config?: FrameworkConfig): Promise<void>;
 };
+/** Config-driven module types: null in config → never; otherwise module type (non-optional). */
+type EnterpriseStandardStrict<C extends FrameworkConfig> = {
+	logger?: Logger;
+	tenantId?: string;
+	config?: RemoteConfig;
+	secrets: ESModuleFromConfig<C, "secrets", Secrets & NamedSecretsFromConfig<C>>;
+	sso: ESModuleFromConfig<C, "sso", SSO>;
+	iam: ESModuleFromConfig<C, "iam", IAM>;
+	workload: ESModuleFromConfig<C, "workload", WorkloadModuleFromConfig<C>>;
+	ciam: ESModuleFromConfig<C, "ciam", CIAM>;
+	handler: (request: Request) => Promise<Response>;
+	ready(timeout?: number): Promise<void>;
+	isReady(): boolean;
+	reload?(): Promise<void>;
+	reconfigure?(config?: FrameworkConfig): Promise<void>;
+};
+type EnterpriseStandard = EnterpriseStandardBase;
 type ESRouteModule = "sso" | "iam" | "workload" | "ciam" | "secrets";
 type ESResolvedRoute = {
 	module: ESRouteModule;
@@ -2589,7 +2293,7 @@ type ESConfigChangeOptions = {
 *
 * @template TExtended - Type-safe custom data that consumers can add to magic links
 */
-type MagicLink<TExtended = {}> = {
+type MagicLink<TExtended = object> = {
 	/**
 	* The magic link token (unique identifier)
 	*/
@@ -2647,7 +2351,7 @@ type MagicLink<TExtended = {}> = {
 * }
 * ```
 */
-interface MagicLinkStore<TExtended = {}> {
+interface MagicLinkStore<TExtended = object> {
 	/**
 	* Create a new magic link in the store.
 	*
@@ -2679,8 +2383,8 @@ interface MagicLinkStore<TExtended = {}> {
 * baseUser includes a top-level .validate() for a cleaner API (see withValidate).
 */
 type CIAMValidators = {
-	baseUser: StandardSchemaV18<unknown, BaseUser> & {
-		validate(value: unknown): Promise<StandardSchemaV18.Result<BaseUser>>;
+	baseUser: StandardSchemaV17<unknown, BaseUser> & {
+		validate(value: unknown): Promise<StandardSchemaV17.Result<BaseUser>>;
 	};
 };
 type CIAMConfig<
@@ -2818,6 +2522,141 @@ declare function decodeUser(jwt: string): Promise<User2>;
 * When limit is omitted, size is set to total (one logical page), page and pages are 1.
 */
 declare function list<T>(total: number, items: T[], start: number, limit: number | undefined): ListResult<T>;
+import { StandardSchemaV1 as StandardSchemaV18 } from "@standard-schema/spec";
+type EnvironmentType = "POC" | "DEV" | "QA" | "PROD";
+type TenantStatus = "pending" | "processing" | "completed" | "failed" | "action_required";
+interface UpsertTenantRequest {
+	tenantId: string;
+	companyId: string;
+	companyName: string;
+	environmentType: EnvironmentType;
+	email: string;
+	webhookUrl: string;
+	callbackUrl: string;
+	tenantUrl?: string;
+	configSource: TenantSecretsConfig;
+}
+type UpsertTenantResponse = {
+	tenantUrl?: string;
+	status: Exclude<TenantStatus, "action_required">;
+	error?: string;
+} | {
+	status: "action_required";
+	actionUrl: string;
+	requestToken: string;
+	expiresAt: string;
+};
+type CreateTenantRequest = UpsertTenantRequest;
+type CreateTenantResponse = UpsertTenantResponse;
+interface TenantWebhookPayload {
+	tenantId: string;
+	companyId: string;
+	status: TenantStatus;
+	tenantUrl?: string;
+	actionUrl?: string;
+	requestToken?: string;
+	expiresAt?: string;
+	error?: string;
+}
+declare class TenantRequestError extends Error {
+	constructor(message: string, options?: ErrorOptions);
+}
+type TenantValidators = {
+	upsertTenantRequest: StandardSchemaV18<unknown, UpsertTenantRequest>;
+	upsertTenantResponse?: StandardSchemaV18<unknown, UpsertTenantResponse>;
+};
+/**
+* Env-like tenant config variables used to build a ConfigSource at runtime.
+* These mirror the ES_* variables read by envConfig().
+*/
+type TenantConfigEnv = {
+	ES_CONFIG_TYPE?: ConfigSourceType;
+	ES_APP_ID?: string;
+	ES_CONFIG_PATH?: string;
+	ES_IONITE_URL?: string;
+	ES_LFV_PATH?: string;
+	ES_LFV_SERVER_URL?: string;
+	ES_LFV_CLIENT_ID?: string;
+	ES_LFV_SIGNATURE?: string;
+	ES_LFV_DELIVERY_ENDPOINT?: string;
+	ES_LFV_VERIFY_PUBLIC_KEY?: string;
+	ES_LFV_EVENTS_ENDPOINT?: string;
+	ES_LFV_DELIVERY_TIMEOUT?: string;
+	ES_LFV_RETRY_INTERVAL?: string;
+	ES_LFV_WARN_INTERVAL?: string;
+	ES_FILE_PATH?: string;
+	ES_FILE_WATCH?: string;
+	ES_FILE_TTL?: string;
+	ES_VAULT_URL?: string;
+	ES_VAULT_TOKEN?: string;
+	ES_VAULT_PATH?: string;
+	ES_VAULT_TTL?: string;
+	ES_AZURE_API_VERSION?: string;
+	ES_AZURE_SCOPE?: string;
+	ES_AZURE_SECRET_NAME_PREFIX?: string;
+	ES_AZURE_AUTH_METHOD?: AwsAuthMethod;
+	ES_AZURE_TENANT_ID?: string;
+	ES_AZURE_CLIENT_ID?: string;
+	ES_AZURE_CLIENT_SECRET?: string;
+	ES_AZURE_FEDERATED_TOKEN_FILE?: string;
+	ES_AZURE_MANAGED_IDENTITY_CLIENT_ID?: string;
+	ES_AZURE_IMDS_API_VERSION?: string;
+	ES_AZURE_VAULT_URL?: string;
+	ES_AZURE_VAULT_NAME?: string;
+	ES_AZURE_TTL?: string;
+	ES_AWS_WEBHOOK_URL?: string;
+	ES_AWS_TTL?: string;
+	ES_GCP_TTL?: string;
+};
+type TenantSecretsConfig = LfvSecretsConfig | (VaultSecretsConfig & {
+	path: string;
+	retryInterval?: number;
+}) | (DevSecretsConfig & {
+	path?: string;
+	appId?: string;
+}) | (AwsSecretsConfig & {
+	ttl?: number;
+}) | AzureSecretsConfig | (GcpSecretsConfig & {
+	ttl?: number;
+}) | {
+	type: "localFile";
+	path?: string;
+	watch?: boolean;
+	ttl?: number;
+};
+type StoredTenant<TExtended extends object = Record<string, never>> = {
+	tenantId: string;
+	companyId: string;
+	companyName: string;
+	environmentType: EnvironmentType;
+	email: string;
+	webhookUrl: string;
+	callbackUrl: string;
+	tenantUrl?: string;
+	status: TenantStatus;
+	error?: string;
+	actionUrl?: string;
+	requestToken?: string;
+	expiresAt?: string;
+	createdAt: Date;
+	updatedAt: Date;
+	/** Persisted typed config used to construct a ConfigSource at runtime. */
+	configSource: TenantSecretsConfig;
+	/** Runtime helper that returns a ConfigSource for this tenant. */
+	config: () => ConfigSource;
+} & TExtended;
+interface TenantStore<TExtended extends object = Record<string, never>> {
+	get(tenantId: string): Promise<StoredTenant<TExtended> | null>;
+	upsert(tenant: Omit<StoredTenant<TExtended>, "config" | "status" | "createdAt" | "updatedAt"> & Partial<Pick<StoredTenant<TExtended>, "status" | "createdAt" | "updatedAt">>): Promise<StoredTenant<TExtended>>;
+	delete(tenantId: string): Promise<void>;
+}
+declare class InMemoryTenantStore<TExtended extends object = Record<string, never>> implements TenantStore<TExtended> {
+	private tenants;
+	get(tenantId: string): Promise<StoredTenant<TExtended> | null>;
+	upsert(tenant: Omit<StoredTenant<TExtended>, "config" | "status" | "createdAt" | "updatedAt"> & Partial<Pick<StoredTenant<TExtended>, "status" | "createdAt" | "updatedAt">>): Promise<StoredTenant<TExtended>>;
+	delete(tenantId: string): Promise<void>;
+}
+declare function sendTenantWebhook(webhookUrl: string, payload: TenantWebhookPayload, log: Logger): Promise<void>;
 /**
 * Enterprise user with SCIM attributes.
 * Extends BaseUser (simple fields) with optional complex SCIM fields.
@@ -3018,4 +2857,4 @@ declare function parseJsonc<T>(content: string): T;
 * @returns A promise that resolves when the service is ready.
 */
 declare function waitOn(url: string, pingInterval?: number, warnInterval?: number, timeout?: number): Promise<void>;
-export { workloadTokenResponseSchema, withValidate, waitOn, version, validationFailureResponse, userSchema, tokenResponseSchema, tenant, stripJsonComments, silentLogger, setActiveSession, serializeESConfig, sendTenantWebhook, parseTenantRequest, parseJsonc, oidcCallbackSchema, must, mergeConfig, list, jwtAssertionClaimsSchema, infoLogger, idTokenClaimsSchema, groupResourceSchema, getActiveSession, findTenantFromStateParam, defaultLogger, decodeUser, debugLogger, basicValidators as createValidators, createTenantResponseValidator, consoleLogger, claimsToUser, X509Certificate, WorkloadValidators, WorkloadTokenStore, WorkloadTokenResponse, WorkloadIncomingOutgoing, WorkloadIdentity, WorkloadConfigMap, WorkloadConfig, Workload, VaultSecretsConfig, ValidateResult, UsersInboundHandlerConfig, UserStore, UserSortOptions, UserSortField, UserListOptions, User2 as User, TokenValidationResult, TokenResponse, TenantWebhookPayload, TenantValidators, TenantStore, TenantStatus, TenantSortOptions, TenantSortField, TenantRequestTokenPayload, TenantRequestError, TenantListOptions, TenantConfigFromCode, TenantConfig, Tenant, StoredUser, StoredTenant, StoredGroup, StateCookie, StandardSchemaWithValidate, SortDirection, SessionStore, Session, ServerOnlyWorkloadConfig, SecretsValidators, SecretsSourceType, SecretsSourceMap, SecretsSourceConfig, SecretsSource, SecretsOperationOptions, SecretsModuleConfig, Secrets, SecretRequestSeverity, SecretLifecycleRequest, Secret, User as ScimUser, ScimResult, ScimListResponse, ScimError, SSOValidators, SSOHandlerConfig, SSOConfig, SSO, Role, RemoteConfig, Photo, PhoneNumber, OidcCallbackParams, Name, MetaData, MagicLinkStore, MagicLink, LoginConfig, Logger, ListResult, LfvSecretsConfig, JwtBearerWorkloadConfig, JWTAssertionClaims, InMemoryTenantStore, IdTokenClaims, IAMValidators, IAMUsersInbound, IAMHandlerConfig, IAMGroupsOutbound, IAMGroupsInbound, IAMConfig, IAM, GroupsInboundHandlerConfig, GroupStore, GroupSortOptions, GroupSortField, GroupResource, GroupMember, GroupListOptions, Group, GcpSecretsConfig, FrameworkConfig, EnvironmentType, EnterpriseUser, EnterpriseStandard, EnterpriseExtension, Email, ESValidators2 as ESValidators, ESRoutingOptions, ESRouteModule, ESRouteFilterResult, ESResolvedRoute, ESConfigChangeResult, ESConfigChangeOptions, ESConfigChangeCallback, ESConfig, DevSecretsConfig, CreateUserOptions, CreateTenantResponse, CreateTenantRequest, CreateGroupOptions, ConfigSourceType, ConfigSource, ClientCredentialsWorkloadConfig, CachedWorkloadToken, CIAMValidators, CIAMConfigFromCode, CIAMConfig, CIAM, BaseUser, AzureSecretsConfig, AwsSecretsConfig, AwsAuthMethod, Address };
+export { workloadTokenResponseSchema, withValidate, waitOn, version, validationFailureResponse, userSchema, tokenResponseSchema, stripJsonComments, silentLogger, setActiveSession, serializeESConfig, sendTenantWebhook, parseJsonc, oidcCallbackSchema, must, mergeConfig, list, jwtAssertionClaimsSchema, infoLogger, idTokenClaimsSchema, groupResourceSchema, getActiveSession, findTenantFromStateParam, defaultLogger, decodeUser, debugLogger, consoleLogger, claimsToUser, X509Certificate, WorkloadValidators, WorkloadTokenStore, WorkloadTokenResponse, WorkloadIncomingOutgoing, WorkloadIdentity, WorkloadConfigMap, WorkloadConfig, WorkloadClient, Workload, VaultSecretsConfig, ValidateResult, UsersInboundHandlerConfig, UserStore, UserSortOptions, UserSortField, UserListOptions, User2 as User, UpsertTenantResponse, UpsertTenantRequest, TokenValidationResult, TokenResponse, TenantWebhookPayload, TenantValidators, TenantStore, TenantStatus, TenantSecretsConfig, TenantRequestError, TenantConfigEnv, StoredUser, StoredTenant, StoredGroup, StateCookie, StandardSchemaWithValidate, SortDirection, SessionStore, Session, ServerOnlyWorkloadConfig, SecretsValidators, SecretsSourceType, SecretsSourceMap, SecretsSourceConfig, SecretsSource, SecretsOperationOptions, SecretsModuleConfig, Secrets, SecretRequestSeverity, SecretLifecycleRequest, Secret, User as ScimUser, ScimResult, ScimListResponse, ScimError, SSOValidators, SSOHandlerConfig, SSOConfig, SSO, Role, ResolvedLfvSecretsConfig, RemoteConfig, Photo, PhoneNumber, OidcCallbackParams, Name, MetaData, MagicLinkStore, MagicLink, LoginConfig, Logger, ListResult, LfvSecretsConfig, JwtBearerWorkloadConfig, JWTAssertionClaims, InMemoryTenantStore, IdTokenClaims, IAMValidators, IAMUsersInbound, IAMHandlerConfig, IAMGroupsOutbound, IAMGroupsInbound, IAMConfig, IAM, GroupsInboundHandlerConfig, GroupStore, GroupSortOptions, GroupSortField, GroupResource, GroupMember, GroupListOptions, Group, GcpSecretsConfig, FrameworkWorkloadIncomingOutgoing, FrameworkWorkloadConfig, FrameworkSecretsSourceConfig, FrameworkSecretsModuleConfig, FrameworkConfig, EnvironmentType, EnterpriseUser, EnterpriseStandardFromConfig, EnterpriseStandardBase, EnterpriseStandard, EnterpriseExtension, Email, ESValidators, ESRoutingOptions, ESRouteModule, ESRouteFilterResult, ESResolvedRoute, ESModuleFromConfig, ESConfigChangeResult, ESConfigChangeOptions, ESConfigChangeCallback, ESConfig, DevSecretsConfig, CreateUserOptions, CreateTenantResponse, CreateTenantRequest, CreateGroupOptions, ConfigSourceType, ConfigSource, ClientCredentialsWorkloadConfig, CachedWorkloadToken, CIAMValidators, CIAMConfigFromCode, CIAMConfig, CIAM, BaseUser, AzureSecretsConfig, AwsSecretsConfig, AwsAuthMethod, Address };