@enterprisestandard/react 0.0.4 → 0.0.5-beta.20260114.1

package/dist/server.d.ts

@@ -1,7 +1,9 @@
-import type { ESConfig, LoginConfig, SSOHandlerConfig } from './sso';
-export declare function getUser(request: Request, config?: ESConfig): Promise<import("./enterprise-user").EnterpriseUser | undefined>;
-export declare function getRequiredUser(request: Request, config?: ESConfig): Promise<import("./enterprise-user").EnterpriseUser>;
+import type { ESConfig, LoginConfig } from './sso';
+export declare function getUser(request: Request, config?: ESConfig): Promise<import(".").User | undefined>;
+export declare function getRequiredUser(request: Request, config?: ESConfig): Promise<import(".").User>;
 export declare function initiateLogin(config: LoginConfig): Promise<Response>;
 export declare function callback(request: Request, config?: ESConfig): Promise<Response>;
-export declare function handler(request: Request, config?: SSOHandlerConfig): Promise<Response>;
+export declare function handler(request: Request, config?: ESConfig): Promise<Response>;
+export * from './tenant-server';
+export * from './workload-server';
 //# sourceMappingURL=server.d.ts.map

package/dist/server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,WAAW,EAAE,gBAAgB,EAAE,MAAM,OAAO,CAAC;AAoBrE,wBAAsB,OAAO,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,EAAE,QAAQ,mEAEhE;AAED,wBAAsB,eAAe,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,EAAE,QAAQ,uDAIxE;AAED,wBAAsB,aAAa,CAAC,MAAM,EAAE,WAAW,qBAItD;AAED,wBAAsB,QAAQ,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,EAAE,QAAQ,qBAIjE;AAED,wBAAsB,OAAO,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,EAAE,gBAAgB,qBAIxE"}
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,WAAW,EAAoB,MAAM,OAAO,CAAC;AAoBrE,wBAAsB,OAAO,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,EAAE,QAAQ,yCAEhE;AAED,wBAAsB,eAAe,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,EAAE,QAAQ,6BAIxE;AAED,wBAAsB,aAAa,CAAC,MAAM,EAAE,WAAW,qBAItD;AAED,wBAAsB,QAAQ,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,EAAE,QAAQ,qBAIjE;AAED,wBAAsB,OAAO,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,EAAE,QAAQ,qBAIhE;AAGD,cAAc,iBAAiB,CAAC;AAEhC,cAAc,mBAAmB,CAAC"}

package/dist/session-store.d.ts

@@ -0,0 +1,179 @@
+/**
+ * Session management for tracking user sessions and enabling backchannel logout.
+ *
+ * Session stores are optional - the package works with JWT cookies alone.
+ * Sessions are only required for backchannel logout functionality.
+ *
+ * ## Session Validation Strategies
+ *
+ * When using a session store, you can configure when sessions are validated:
+ *
+ * ### 'always' (default)
+ * Validates session on every authenticated request.
+ * - **Security**: Maximum - immediate session revocation
+ * - **Performance**: InMemory ~0.00005ms, Redis ~1-2ms per request
+ * - **Backchannel Logout**: Takes effect immediately
+ * - **Use when**: Security is paramount, using InMemory or Redis backend
+ *
+ * ### 'refresh-only'
+ * Validates session only during token refresh (typically every 5-15 minutes).
+ * - **Security**: Good - 5-15 minute revocation window
+ * - **Performance**: 99% reduction in session lookups
+ * - **Backchannel Logout**: Takes effect within token TTL (5-15 min)
+ * - **Use when**: Performance is critical AND delayed revocation is acceptable
+ * - **WARNING**: Compromised sessions remain valid until next refresh
+ *
+ * ### 'disabled'
+ * Never validates sessions against the store.
+ * - **Security**: None - backchannel logout doesn't work
+ * - **Performance**: No overhead
+ * - **Use when**: Cookie-only mode without session store
+ * - **WARNING**: Do not use with session_store configured
+ *
+ * ## Performance Characteristics
+ *
+ * | Backend      | Lookup Time | Impact on Request | Recommendation         |
+ * |--------------|-------------|-------------------|------------------------|
+ * | InMemory     | <0.00005ms  | Negligible        | Use 'always'           |
+ * | Redis        | 1-2ms       | 2-4% increase     | Use 'always' or test   |
+ * | Database     | 5-20ms      | 10-40% increase   | Use Redis cache layer  |
+ *
+ * ## Example Usage
+ *
+ * ```typescript
+ * import { sso, InMemorySessionStore } from '@enterprisestandard/react/server';
+ *
+ * // Maximum security (default)
+ * const secure = sso({
+ *   // ... other config
+ *   session_store: new InMemorySessionStore(),
+ *   session_validation: 'always', // Immediate revocation
+ * });
+ *
+ * // High performance
+ * const fast = sso({
+ *   // ... other config
+ *   session_store: new InMemorySessionStore(),
+ *   session_validation: {
+ *     strategy: 'refresh-only' // 5-15 min revocation delay
+ *   }
+ * });
+ * ```
+ */
+/**
+ * Core session data tracked for each authenticated user session.
+ *
+ * @template TExtended - Type-safe custom data that consumers can add to sessions
+ */
+export type Session<TExtended = {}> = {
+    /**
+     * Session ID from the Identity Provider (from `sid` claim in ID token).
+     * This is the unique identifier for the session.
+     */
+    sid: string;
+    /**
+     * Subject identifier (user ID) from the Identity Provider.
+     * From the `sub` claim in the ID token.
+     */
+    sub: string;
+    /**
+     * Timestamp when the session was created.
+     */
+    createdAt: Date;
+    /**
+     * Timestamp of the last activity in this session.
+     * Can be updated to track session activity.
+     */
+    lastActivityAt: Date;
+    /**
+     * Allow consumers to add runtime data to sessions.
+     */
+    [key: string]: unknown;
+} & TExtended;
+/**
+ * Abstract interface for session storage backends.
+ *
+ * Consumers can implement this interface to use different storage backends:
+ * - Redis
+ * - Database (PostgreSQL, MySQL, etc.)
+ * - Distributed cache
+ * - Custom solutions
+ *
+ * @template TExtended - Type-safe custom data that consumers can add to sessions
+ *
+ * @example
+ * ```typescript
+ * // Custom session data
+ * type MySessionData = {
+ *   ipAddress: string;
+ *   userAgent: string;
+ * };
+ *
+ * // Implement custom store
+ * class RedisSessionStore implements SessionStore<MySessionData> {
+ *   async create(session: Session<MySessionData>): Promise<void> {
+ *     await redis.set(`session:${session.sid}`, JSON.stringify(session));
+ *   }
+ *   // ... other methods
+ * }
+ * ```
+ */
+export interface SessionStore<TExtended = {}> {
+    /**
+     * Create a new session in the store.
+     *
+     * @param session - The session data to store
+     * @throws Error if session with same sid already exists
+     */
+    create(session: Session<TExtended>): Promise<void>;
+    /**
+     * Retrieve a session by its IdP session ID (sid).
+     *
+     * @param sid - The session.sid from the Identity Provider
+     * @returns The session if found, null otherwise
+     */
+    get(sid: string): Promise<Session<TExtended> | null>;
+    /**
+     * Update an existing session with partial data.
+     *
+     * Commonly used to update lastActivityAt or add custom fields.
+     *
+     * @param sid - The session.sid to update
+     * @param data - Partial session data to merge
+     * @throws Error if session not found
+     */
+    update(sid: string, data: Partial<Session<TExtended>>): Promise<void>;
+    /**
+     * Delete a session by its IdP session ID (sid).
+     *
+     * Used for both normal logout and backchannel logout flows.
+     *
+     * @param sid - The session.sid to delete
+     */
+    delete(sid: string): Promise<void>;
+}
+/**
+ * In-memory session store implementation using Maps.
+ *
+ * Suitable for:
+ * - Development and testing
+ * - Single-server deployments
+ * - Applications without high availability requirements
+ *
+ * NOT suitable for:
+ * - Multi-server deployments (sessions not shared)
+ * - High availability scenarios (sessions lost on restart)
+ * - Production applications with distributed architecture
+ *
+ * For production, implement SessionStore with Redis or a database.
+ *
+ * @template TExtended - Type-safe custom data that consumers can add to sessions
+ */
+export declare class InMemorySessionStore<TExtended = {}> implements SessionStore<TExtended> {
+    private sessions;
+    create(session: Session<TExtended>): Promise<void>;
+    get(sid: string): Promise<Session<TExtended> | null>;
+    update(sid: string, data: Partial<Session<TExtended>>): Promise<void>;
+    delete(sid: string): Promise<void>;
+}
+//# sourceMappingURL=session-store.d.ts.map

package/dist/session-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-store.d.ts","sourceRoot":"","sources":["../src/session-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6DG;AAEH;;;;GAIG;AACH,MAAM,MAAM,OAAO,CAAC,SAAS,GAAG,EAAE,IAAI;IACpC;;;OAGG;IACH,GAAG,EAAE,MAAM,CAAC;IAEZ;;;OAGG;IACH,GAAG,EAAE,MAAM,CAAC;IAEZ;;OAEG;IACH,SAAS,EAAE,IAAI,CAAC;IAEhB;;;OAGG;IACH,cAAc,EAAE,IAAI,CAAC;IAErB;;OAEG;IACH,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB,GAAG,SAAS,CAAC;AAEd;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,WAAW,YAAY,CAAC,SAAS,GAAG,EAAE;IAC1C;;;;;OAKG;IACH,MAAM,CAAC,OAAO,EAAE,OAAO,CAAC,SAAS,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEnD;;;;;OAKG;IACH,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC,CAAC;IAErD;;;;;;;;OAQG;IACH,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEtE;;;;;;OAMG;IACH,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACpC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,qBAAa,oBAAoB,CAAC,SAAS,GAAG,EAAE,CAAE,YAAW,YAAY,CAAC,SAAS,CAAC;IAClF,OAAO,CAAC,QAAQ,CAAyC;IAEnD,MAAM,CAAC,OAAO,EAAE,OAAO,CAAC,SAAS,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC;IAQlD,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC;IAIpD,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC;IAWrE,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAGzC"}

package/dist/sso.d.ts

@@ -1,12 +1,18 @@
-import type { EnterpriseStandard, EnterpriseUser } from '.';
-export type SSOConfig = {
-    authority: string;
-    token_url: string;
-    authorization_url: string;
-    client_id: string;
-    redirect_uri: string;
-    response_type: string;
-    scope: string;
+import type { EnterpriseStandard } from '.';
+import type { SessionStore } from './session-store';
+import type { IdTokenClaims, OidcCallbackParams, TokenResponse } from './types/oidc-schema';
+import type { StandardSchemaV1 } from './types/standard-schema';
+import type { User } from './types/user';
+import type { UserStore } from './user-store';
+export type SSOConfig<TSessionData = {}, TUserData = {}> = {
+    authority?: string;
+    token_url?: string;
+    authorization_url?: string;
+    client_id?: string;
+    client_secret?: string;
+    redirect_uri?: string;
+    response_type?: 'code';
+    scope?: string;
     silent_redirect_uri?: string;
     jwks_uri?: string;
     cookies_prefix?: string;
@@ -14,6 +20,52 @@ export type SSOConfig = {
     cookies_secure?: boolean;
     cookies_same_site?: 'Strict' | 'Lax';
     end_session_endpoint?: string;
+    revocation_endpoint?: string;
+    session_store?: SessionStore<TSessionData>;
+    /**
+     * Optional handler defaults. These are merged with per-call overrides in
+     * `sso.handler`, with per-call values taking precedence.
+     */
+    loginUrl?: string;
+    userUrl?: string;
+    errorUrl?: string;
+    landingUrl?: string;
+    tokenUrl?: string;
+    refreshUrl?: string;
+    jwksUrl?: string;
+    logoutUrl?: string;
+    logoutBackChannelUrl?: string;
+    validation?: {
+        callbackParams?: StandardSchemaV1<unknown, OidcCallbackParams>;
+        idTokenClaims?: StandardSchemaV1<unknown, IdTokenClaims>;
+        tokenResponse?: StandardSchemaV1<unknown, TokenResponse>;
+    };
+    /**
+     * Optional user store for persisting user profiles from SSO authentication.
+     * When configured, users are automatically stored/updated on each login.
+     */
+    user_store?: UserStore<TUserData>;
+    /**
+     * Enable Just-In-Time (JIT) user provisioning.
+     * When enabled, new users are automatically created in the user_store on their first login.
+     * When disabled (default), only existing users in the user_store are updated on login.
+     * Requires user_store to be configured.
+     * @default false
+     */
+    enable_jit_user_provisioning?: boolean;
+};
+type SSOConfigWithDefaults<TSessionData = {}, TUserData = {}> = SSOConfig<TSessionData, TUserData> & {
+    authority: string;
+    token_url: string;
+    authorization_url: string;
+    client_id: string;
+    redirect_uri: string;
+    response_type: 'code';
+    scope: string;
+    cookies_secure: boolean;
+    cookies_same_site: string;
+    cookies_prefix: string;
+    cookies_path: string;
 };
 export type ESConfig = {
     es?: EnterpriseStandard;
@@ -31,16 +83,22 @@ export type SSOHandlerConfig = {
     refreshUrl?: string;
     jwksUrl?: string;
     logoutUrl?: string;
-    logoutCallbackUrl?: string;
+    logoutBackChannelUrl?: string;
+    validation?: {
+        callbackParams?: StandardSchemaV1<unknown, OidcCallbackParams>;
+        idTokenClaims?: StandardSchemaV1<unknown, IdTokenClaims>;
+        tokenResponse?: StandardSchemaV1<unknown, TokenResponse>;
+    };
 } & ESConfig;
-export type SSO = {
-    getUser: (request: Request) => Promise<EnterpriseUser | undefined>;
-    getRequiredUser: (request: Request) => Promise<EnterpriseUser>;
+export type SSO<TSessionData = {}, TUserData = {}> = SSOConfigWithDefaults<TSessionData, TUserData> & {
+    getUser: (request: Request) => Promise<User | undefined>;
+    getRequiredUser: (request: Request) => Promise<User>;
     getJwt: (request: Request) => Promise<string | undefined>;
-    initiateLogin: (config: LoginConfig) => Promise<Response>;
+    initiateLogin: (config: LoginConfig, requestUrl?: string) => Promise<Response>;
     logout: (request: Request, config?: LoginConfig) => Promise<Response>;
     callbackHandler: (request: Request) => Promise<Response>;
-    handler: (request: Request, handlerConfig?: SSOHandlerConfig) => Promise<Response>;
+    handler: (request: Request) => Promise<Response>;
 };
-export declare function sso(config: SSOConfig): SSO;
+export declare function sso<TSessionData = {}, TUserData = {}>(config?: SSOConfig<TSessionData, TUserData>): SSO<TSessionData, TUserData>;
+export {};
 //# sourceMappingURL=sso.d.ts.map

package/dist/sso.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sso.d.ts","sourceRoot":"","sources":["../src/sso.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,kBAAkB,EAAE,cAAc,EAAiB,MAAM,GAAG,CAAC;AAG3E,MAAM,MAAM,SAAS,GAAG;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,KAAK,EAAE,MAAM,CAAC;IACd,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,iBAAiB,CAAC,EAAE,QAAQ,GAAG,KAAK,CAAC;IACrC,oBAAoB,CAAC,EAAE,MAAM,CAAC;CAC/B,CAAC;AAqCF,MAAM,MAAM,QAAQ,GAAG;IACrB,EAAE,CAAC,EAAE,kBAAkB,CAAC;CACzB,CAAC;AAEF,MAAM,MAAM,WAAW,GAAG;IACxB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,GAAG,QAAQ,CAAC;AAEb,MAAM,MAAM,gBAAgB,GAAG;IAC7B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B,GAAG,QAAQ,CAAC;AAEb,MAAM,MAAM,GAAG,GAAG;IAChB,OAAO,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,cAAc,GAAG,SAAS,CAAC,CAAC;IACnE,eAAe,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,cAAc,CAAC,CAAC;IAC/D,MAAM,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAAC;IAC1D,aAAa,EAAE,CAAC,MAAM,EAAE,WAAW,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC1D,MAAM,EAAE,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,EAAE,WAAW,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;IACtE,eAAe,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;IACzD,OAAO,EAAE,CAAC,OAAO,EAAE,OAAO,EAAE,aAAa,CAAC,EAAE,gBAAgB,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;CACpF,CAAC;AAKF,wBAAgB,GAAG,CAAC,MAAM,EAAE,SAAS,GAAG,GAAG,CAunB1C"}
+{"version":3,"file":"sso.d.ts","sourceRoot":"","sources":["../src/sso.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,GAAG,CAAC;AAC5C,OAAO,KAAK,EAAW,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC7D,OAAO,KAAK,EAAE,aAAa,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAE5F,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAChE,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,KAAK,EAAc,SAAS,EAAE,MAAM,cAAc,CAAC;AAG1D,MAAM,MAAM,SAAS,CAAC,YAAY,GAAG,EAAE,EAAE,SAAS,GAAG,EAAE,IAAI;IACzD,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,iBAAiB,CAAC,EAAE,QAAQ,GAAG,KAAK,CAAC;IACrC,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,aAAa,CAAC,EAAE,YAAY,CAAC,YAAY,CAAC,CAAC;IAC3C;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,UAAU,CAAC,EAAE;QACX,cAAc,CAAC,EAAE,gBAAgB,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC;QAC/D,aAAa,CAAC,EAAE,gBAAgB,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;QACzD,aAAa,CAAC,EAAE,gBAAgB,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;KAC1D,CAAC;IACF;;;OAGG;IACH,UAAU,CAAC,EAAE,SAAS,CAAC,SAAS,CAAC,CAAC;IAClC;;;;;;OAMG;IACH,4BAA4B,CAAC,EAAE,OAAO,CAAC;CACxC,CAAC;AA0BF,KAAK,qBAAqB,CAAC,YAAY,GAAG,EAAE,EAAE,SAAS,GAAG,EAAE,IAAI,SAAS,CACvE,YAAY,EACZ,SAAS,CACV,GAAG;IACF,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,KAAK,EAAE,MAAM,CAAC;IACd,cAAc,EAAE,OAAO,CAAC;IACxB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,cAAc,EAAE,MAAM,CAAC;IACvB,YAAY,EAAE,MAAM,CAAC;CACtB,CAAC;AAEF,MAAM,MAAM,QAAQ,GAAG;IACrB,EAAE,CAAC,EAAE,kBAAkB,CAAC;CACzB,CAAC;AAEF,MAAM,MAAM,WAAW,GAAG;IACxB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,GAAG,QAAQ,CAAC;AAEb,MAAM,MAAM,gBAAgB,GAAG;IAC7B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,UAAU,CAAC,EAAE;QACX,cAAc,CAAC,EAAE,gBAAgB,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC;QAC/D,aAAa,CAAC,EAAE,gBAAgB,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;QACzD,aAAa,CAAC,EAAE,gBAAgB,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;KAC1D,CAAC;CACH,GAAG,QAAQ,CAAC;AAEb,MAAM,MAAM,GAAG,CAAC,YAAY,GAAG,EAAE,EAAE,SAAS,GAAG,EAAE,IAC/C,qBAAqB,CAAC,YAAY,EAAE,SAAS,CAAC,GAAG;IAC/C,OAAO,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,IAAI,GAAG,SAAS,CAAC,CAAC;IACzD,eAAe,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACrD,MAAM,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAAC;IAC1D,aAAa,EAAE,CAAC,MAAM,EAAE,WAAW,EAAE,UAAU,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC/E,MAAM,EAAE,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,EAAE,WAAW,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;IACtE,eAAe,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;IACzD,OAAO,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;CAClD,CAAC;AAIJ,wBAAgB,GAAG,CAAC,YAAY,GAAG,EAAE,EAAE,SAAS,GAAG,EAAE,EACnD,MAAM,CAAC,EAAE,SAAS,CAAC,YAAY,EAAE,SAAS,CAAC,GAC1C,GAAG,CAAC,YAAY,EAAE,SAAS,CAAC,CA27B9B"}

package/dist/tenant-server.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Server-side helper functions for tenant management.
+ * These functions provide a convenient way to parse tenant requests
+ * and send webhook updates.
+ */
+export type { CreateTenantRequest, CreateTenantResponse, EnvironmentType, TenantStatus, TenantWebhookPayload, } from './tenant';
+export { parseTenantRequest, sendTenantWebhook, TenantRequestError } from './tenant';
+//# sourceMappingURL=tenant-server.d.ts.map

package/dist/tenant-server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tenant-server.d.ts","sourceRoot":"","sources":["../src/tenant-server.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,YAAY,EACV,mBAAmB,EACnB,oBAAoB,EACpB,eAAe,EACf,YAAY,EACZ,oBAAoB,GACrB,MAAM,UAAU,CAAC;AAClB,OAAO,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC"}

package/dist/tenant.d.ts

@@ -0,0 +1,280 @@
+/**
+ * Tenant Management SDK
+ *
+ * Provides helper functions for applications to implement tenant creation endpoints
+ * that ESVS can test. Supports both synchronous (201) and asynchronous (202)
+ * tenant creation with webhook-based status updates.
+ */
+/**
+ * Environment type for tenant creation
+ */
+export type EnvironmentType = 'POC' | 'DEV' | 'QA' | 'PROD';
+/**
+ * Status of tenant creation process
+ */
+export type TenantStatus = 'pending' | 'processing' | 'completed' | 'failed';
+/**
+ * Request payload from ESVS for creating a tenant
+ */
+export interface CreateTenantRequest {
+    /**
+     * Required app identifier to use when initializing EnterpriseStandard for this tenant.
+     * This is the primary identifier for tenant management. A company can have multiple
+     * applications (e.g., one instance on the east coast, one on the west coast).
+     */
+    appId: string;
+    /**
+     * Company ID (used for reporting purposes only, not for tenant identification)
+     */
+    companyId: string;
+    /**
+     * Company Name
+     */
+    companyName: string;
+    /**
+     * Environment Type (POC, DEV, QA, PROD)
+     */
+    environmentType: EnvironmentType;
+    /**
+     * Email (The email or distribution list used to communicate to the team)
+     */
+    email: string;
+    /**
+     * Webhook URL where the application can send updates around the creation of the tenant
+     */
+    webhookUrl: string;
+}
+/**
+ * Response payload for tenant creation
+ */
+export interface CreateTenantResponse {
+    /**
+     * URL that the tenant will be available at
+     */
+    tenantUrl: string;
+    /**
+     * Current status of tenant creation
+     */
+    status: TenantStatus;
+}
+/**
+ * Payload sent to webhook URL for status updates
+ */
+export interface TenantWebhookPayload {
+    /**
+     * Company ID
+     */
+    companyId: string;
+    /**
+     * Current status of tenant creation
+     */
+    status: TenantStatus;
+    /**
+     * URL that the tenant will be available at (provided once creation completes)
+     */
+    tenantUrl?: string;
+    /**
+     * Error message (only present if status is "failed")
+     */
+    error?: string;
+}
+/**
+ * Error thrown when tenant request validation fails
+ */
+export declare class TenantRequestError extends Error {
+    constructor(message: string);
+}
+/**
+ * Serializes an ESConfig or EnterpriseStandard instance to a JSON-serializable format
+ * by removing non-serializable properties like stores, validators, and functions.
+ *
+ * Since EnterpriseStandard now extends ESConfig, the config (including handler URLs)
+ * is accessible directly from the instance.
+ *
+ * @param configOrES - The ESConfig object or EnterpriseStandard instance to serialize
+ * @returns A JSON-serializable version of the config
+ */
+export declare function serializeESConfig(configOrES: any): any;
+/**
+ * Parse and validate a tenant creation request from an HTTP request.
+ *
+ * @param request - The HTTP request containing the tenant creation data
+ * @returns The validated tenant creation request
+ * @throws {TenantRequestError} If the request is invalid or missing required fields
+ *
+ * @example
+ * ```typescript
+ * app.post('/api/tenant', async (c) => {
+ *   try {
+ *     const tenantRequest = await parseTenantRequest(c.req.raw);
+ *     // Create tenant...
+ *   } catch (error) {
+ *     if (error instanceof TenantRequestError) {
+ *       return c.json({ error: error.message }, 400);
+ *     }
+ *     throw error;
+ *   }
+ * });
+ * ```
+ */
+export declare function parseTenantRequest(request: Request): Promise<CreateTenantRequest>;
+/**
+ * Send a webhook update to ESVS with tenant creation status.
+ *
+ * @param webhookUrl - The webhook URL provided in the tenant creation request
+ * @param payload - The webhook payload with status and tenant information
+ * @throws Never throws - errors are logged but not propagated to avoid breaking tenant creation
+ *
+ * @example
+ * ```typescript
+ * // Send initial status
+ * await sendTenantWebhook(tenantRequest.webhookUrl, {
+ *   companyId: tenantRequest.companyId,
+ *   status: 'processing',
+ * });
+ *
+ * // Send completion status
+ * await sendTenantWebhook(tenantRequest.webhookUrl, {
+ *   companyId: tenantRequest.companyId,
+ *   status: 'completed',
+ *   tenantUrl: 'https://app.example.com/tenants/tenant-123',
+ * });
+ * ```
+ */
+export declare function sendTenantWebhook(webhookUrl: string, payload: TenantWebhookPayload): Promise<void>;
+/**
+ * Stored tenant data with required appId and tracking metadata.
+ *
+ * @template TExtended - Type-safe custom data that consumers can add to tenants
+ */
+export type StoredTenant<TExtended = {}> = {
+    /**
+     * Required app identifier used to initialize EnterpriseStandard for this tenant.
+     * This is the primary key for tenant storage. A company can have multiple
+     * applications (e.g., one instance on the east coast, one on the west coast).
+     */
+    appId: string;
+    /**
+     * Company ID (used for reporting purposes only, not for tenant identification)
+     */
+    companyId: string;
+    /**
+     * Company Name
+     */
+    companyName: string;
+    /**
+     * Environment Type (POC, DEV, QA, PROD)
+     */
+    environmentType: EnvironmentType;
+    /**
+     * Email (The email or distribution list used to communicate to the team)
+     */
+    email: string;
+    /**
+     * Webhook URL where the application can send updates around the creation of the tenant
+     */
+    webhookUrl: string;
+    /**
+     * URL that the tenant will be available at
+     */
+    tenantUrl?: string;
+    /**
+     * Current status of tenant creation
+     */
+    status: TenantStatus;
+    /**
+     * Error message (only present if status is "failed")
+     */
+    error?: string;
+    /**
+     * Timestamp when the tenant was first stored.
+     */
+    createdAt: Date;
+    /**
+     * Timestamp when the tenant was last updated.
+     */
+    updatedAt: Date;
+    /**
+     * Serialized Enterprise Standard configuration.
+     * This is a JSON-serializable version of the ESConfig with non-serializable items excluded.
+     */
+    config?: any;
+} & TExtended;
+/**
+ * Abstract interface for tenant storage backends.
+ *
+ * Consumers can implement this interface to use different storage backends:
+ * - In-memory (for development/testing)
+ * - Redis (for production with fast lookups)
+ * - Database (PostgreSQL, MySQL, etc.)
+ *
+ * @template TExtended - Type-safe custom data that consumers can add to tenants
+ */
+export interface TenantStore<TExtended = {}> {
+    /**
+     * Retrieve a tenant by its app identifier.
+     *
+     * @param appId - The tenant's app identifier (primary key)
+     * @returns The tenant if found, null otherwise
+     */
+    get(appId: string): Promise<StoredTenant<TExtended> | null>;
+    /**
+     * Retrieve all tenants for a company ID.
+     * Since a company can have multiple applications, this returns an array.
+     *
+     * @param companyId - The company ID (used for reporting, not primary identification)
+     * @returns Array of tenants for the company, empty array if none found
+     */
+    getByCompanyId(companyId: string): Promise<StoredTenant<TExtended>[]>;
+    /**
+     * List all tenants in the store.
+     *
+     * @returns Array of all stored tenants
+     */
+    list(): Promise<StoredTenant<TExtended>[]>;
+    /**
+     * Create or update a tenant in the store.
+     *
+     * If a tenant with the same `appId` exists, it will be updated.
+     * Otherwise, a new tenant will be created.
+     *
+     * @param tenant - The tenant data to store
+     * @returns The stored tenant
+     */
+    upsert(tenant: StoredTenant<TExtended>): Promise<StoredTenant<TExtended>>;
+    /**
+     * Delete a tenant by its app identifier.
+     *
+     * @param appId - The tenant's app identifier to delete
+     */
+    delete(appId: string): Promise<void>;
+}
+/**
+ * In-memory tenant store implementation using Maps.
+ *
+ * Suitable for:
+ * - Development and testing
+ * - Single-server deployments
+ * - Applications without high availability requirements
+ *
+ * NOT suitable for:
+ * - Multi-server deployments (tenants not shared)
+ * - High availability scenarios (tenants lost on restart)
+ * - Production applications with distributed architecture
+ *
+ * For production, implement TenantStore with Redis or a database.
+ *
+ * @template TExtended - Type-safe custom data that consumers can add to tenants
+ */
+export declare class InMemoryTenantStore<TExtended = {}> implements TenantStore<TExtended> {
+    /** Primary storage: appId -> tenant */
+    private tenants;
+    /** Secondary index: companyId -> Set of appIds (since one company can have multiple apps) */
+    private companyIdIndex;
+    get(appId: string): Promise<StoredTenant<TExtended> | null>;
+    getByCompanyId(companyId: string): Promise<StoredTenant<TExtended>[]>;
+    list(): Promise<StoredTenant<TExtended>[]>;
+    upsert(tenant: StoredTenant<TExtended>): Promise<StoredTenant<TExtended>>;
+    delete(appId: string): Promise<void>;
+}
+//# sourceMappingURL=tenant.d.ts.map

package/dist/tenant.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tenant.d.ts","sourceRoot":"","sources":["../src/tenant.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH;;GAEG;AACH,MAAM,MAAM,eAAe,GAAG,KAAK,GAAG,KAAK,GAAG,IAAI,GAAG,MAAM,CAAC;AAE5D;;GAEG;AACH,MAAM,MAAM,YAAY,GAAG,SAAS,GAAG,YAAY,GAAG,WAAW,GAAG,QAAQ,CAAC;AAE7E;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC;;;;OAIG;IACH,KAAK,EAAE,MAAM,CAAC;IACd;;OAEG;IACH,SAAS,EAAE,MAAM,CAAC;IAElB;;OAEG;IACH,WAAW,EAAE,MAAM,CAAC;IAEpB;;OAEG;IACH,eAAe,EAAE,eAAe,CAAC;IAEjC;;OAEG;IACH,KAAK,EAAE,MAAM,CAAC;IAEd;;OAEG;IACH,UAAU,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC;;OAEG;IACH,SAAS,EAAE,MAAM,CAAC;IAElB;;OAEG;IACH,MAAM,EAAE,YAAY,CAAC;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC;;OAEG;IACH,SAAS,EAAE,MAAM,CAAC;IAElB;;OAEG;IACH,MAAM,EAAE,YAAY,CAAC;IAErB;;OAEG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;OAEG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,qBAAa,kBAAmB,SAAQ,KAAK;gBAC/B,OAAO,EAAE,MAAM;CAI5B;AAED;;;;;;;;;GASG;AACH,wBAAgB,iBAAiB,CAAC,UAAU,EAAE,GAAG,GAAG,GAAG,CAmGtD;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAsB,kBAAkB,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,mBAAmB,CAAC,CAsEvF;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAsB,iBAAiB,CAAC,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,oBAAoB,GAAG,OAAO,CAAC,IAAI,CAAC,CAiBxG;AAED;;;;GAIG;AACH,MAAM,MAAM,YAAY,CAAC,SAAS,GAAG,EAAE,IAAI;IACzC;;;;OAIG;IACH,KAAK,EAAE,MAAM,CAAC;IAEd;;OAEG;IACH,SAAS,EAAE,MAAM,CAAC;IAElB;;OAEG;IACH,WAAW,EAAE,MAAM,CAAC;IAEpB;;OAEG;IACH,eAAe,EAAE,eAAe,CAAC;IAEjC;;OAEG;IACH,KAAK,EAAE,MAAM,CAAC;IAEd;;OAEG;IACH,UAAU,EAAE,MAAM,CAAC;IAEnB;;OAEG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;OAEG;IACH,MAAM,EAAE,YAAY,CAAC;IAErB;;OAEG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf;;OAEG;IACH,SAAS,EAAE,IAAI,CAAC;IAEhB;;OAEG;IACH,SAAS,EAAE,IAAI,CAAC;IAEhB;;;OAGG;IACH,MAAM,CAAC,EAAE,GAAG,CAAC;CACd,GAAG,SAAS,CAAC;AAEd;;;;;;;;;GASG;AACH,MAAM,WAAW,WAAW,CAAC,SAAS,GAAG,EAAE;IACzC;;;;;OAKG;IACH,GAAG,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC,CAAC;IAE5D;;;;;;OAMG;IACH,cAAc,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;IAEtE;;;;OAIG;IACH,IAAI,IAAI,OAAO,CAAC,YAAY,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;IAE3C;;;;;;;;OAQG;IACH,MAAM,CAAC,MAAM,EAAE,YAAY,CAAC,SAAS,CAAC,GAAG,OAAO,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC,CAAC;IAE1E;;;;OAIG;IACH,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACtC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,qBAAa,mBAAmB,CAAC,SAAS,GAAG,EAAE,CAAE,YAAW,WAAW,CAAC,SAAS,CAAC;IAChF,uCAAuC;IACvC,OAAO,CAAC,OAAO,CAA8C;IAE7D,6FAA6F;IAC7F,OAAO,CAAC,cAAc,CAAkC;IAElD,GAAG,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC;IAI3D,cAAc,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,SAAS,CAAC,EAAE,CAAC;IAcrE,IAAI,IAAI,OAAO,CAAC,YAAY,CAAC,SAAS,CAAC,EAAE,CAAC;IAI1C,MAAM,CAAC,MAAM,EAAE,YAAY,CAAC,SAAS,CAAC,GAAG,OAAO,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC;IA4BzE,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAc3C"}

package/dist/types/base-user.d.ts

@@ -0,0 +1,27 @@
+/**
+ * Base user with simple, developer-friendly attributes.
+ * Extended by User (SSO) and EnterpriseUser (SCIM).
+ */
+export interface BaseUser {
+    /**
+     * Unique identifier for the user
+     */
+    id?: string;
+    /**
+     * REQUIRED. Unique identifier for login
+     */
+    userName: string;
+    /**
+     * REQUIRED. Simple display name
+     */
+    name: string;
+    /**
+     * REQUIRED. Primary email address
+     */
+    email: string;
+    /**
+     * URL to user's avatar/profile picture
+     */
+    avatarUrl?: string;
+}
+//# sourceMappingURL=base-user.d.ts.map

package/dist/types/base-user.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"base-user.d.ts","sourceRoot":"","sources":["../../src/types/base-user.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,MAAM,WAAW,QAAQ;IACvB;;OAEG;IACH,EAAE,CAAC,EAAE,MAAM,CAAC;IAEZ;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAC;IAEjB;;OAEG;IACH,IAAI,EAAE,MAAM,CAAC;IAEb;;OAEG;IACH,KAAK,EAAE,MAAM,CAAC;IAEd;;OAEG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB"}