@enterprisestandard/react 0.0.5-beta.20251125.1 → 0.0.5-beta.20260114.2

package/dist/{scim-schema.d.ts → types/scim-schema.d.ts}

@@ -112,7 +112,7 @@ export interface Address {
     primary?: boolean;
 }
 /**
- * SCIM Group reference
+ * SCIM Group reference (used within User resources)
  */
 export interface Group {
     /**
@@ -132,6 +132,63 @@ export interface Group {
      */
     type?: string;
 }
+/**
+ * SCIM Group Member reference
+ */
+export interface GroupMember {
+    /**
+     * The identifier of the member (User or Group)
+     */
+    value: string;
+    /**
+     * The URI of the corresponding member resource
+     */
+    $ref?: string;
+    /**
+     * A human-readable name of the member
+     */
+    display?: string;
+    /**
+     * The type of the member (e.g., "User" or "Group")
+     */
+    type?: 'User' | 'Group';
+}
+/**
+ * SCIM 2.0 Group Resource
+ * @see https://datatracker.ietf.org/doc/html/rfc7643#section-4.2
+ */
+export interface GroupResource {
+    /**
+     * REQUIRED. The schemas attribute
+     */
+    schemas?: string[];
+    /**
+     * Unique identifier for the Group, assigned by the service provider
+     */
+    id?: string;
+    /**
+     * External identifier from the provisioning client
+     */
+    externalId?: string;
+    /**
+     * Resource metadata
+     */
+    meta?: {
+        resourceType?: string;
+        created?: string;
+        lastModified?: string;
+        location?: string;
+        version?: string;
+    };
+    /**
+     * REQUIRED. A human-readable name for the Group
+     */
+    displayName: string;
+    /**
+     * A list of members of the Group
+     */
+    members?: GroupMember[];
+}
 /**
  * SCIM Role
  */
@@ -178,7 +235,7 @@ export interface X509Certificate {
  * SCIM Enterprise User Extension
  * @see https://datatracker.ietf.org/doc/html/rfc7643#section-4.3
  */
-export interface EnterpriseUser {
+export interface EnterpriseExtension {
     /**
      * Numeric or alphanumeric identifier assigned to a person
      */
@@ -341,7 +398,7 @@ export interface User {
     /**
      * Enterprise User Extension
      */
-    'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'?: EnterpriseUser;
+    'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'?: EnterpriseExtension;
     /**
      * REQUIRED. The schemas attribute is an array of Strings which allows introspection of the supported schema version
      */
@@ -353,4 +410,10 @@ export interface User {
  * @returns A StandardSchemaV1 instance for SCIM User resources
  */
 export declare function userSchema(vendor: string): StandardSchemaV1<Record<string, unknown>, User>;
+/**
+ * Creates a StandardSchemaV1 for validating SCIM Group resources.
+ * @param vendor - The name of the vendor creating this schema
+ * @returns A StandardSchemaV1 instance for SCIM Group resources
+ */
+export declare function groupResourceSchema(vendor: string): StandardSchemaV1<Record<string, unknown>, GroupResource>;
 //# sourceMappingURL=scim-schema.d.ts.map

package/dist/types/scim-schema.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scim-schema.d.ts","sourceRoot":"","sources":["../../src/types/scim-schema.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AAE1D;;;GAGG;AAEH;;GAEG;AACH,MAAM,WAAW,IAAI;IACnB;;OAEG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;OAEG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;OAEG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;OAEG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;OAEG;IACH,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB;;OAEG;IACH,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED;;GAEG;AACH,MAAM,WAAW,KAAK;IACpB;;OAEG;IACH,KAAK,EAAE,MAAM,CAAC;IACd;;OAEG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;OAEG;IACH,IAAI,CAAC,EAAE,MAAM,CAAC;IACd;;OAEG;IACH,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B;;OAEG;IACH,KAAK,EAAE,MAAM,CAAC;IACd;;OAEG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;OAEG;IACH,IAAI,CAAC,EAAE,MAAM,CAAC;IACd;;OAEG;IACH,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,OAAO;IACtB;;OAEG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;OAEG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;OAEG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;OAEG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;OAEG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;OAEG;IACH,IAAI,CAAC,EAAE,MAAM,CAAC;IACd;;OAEG;IACH,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,KAAK;IACpB;;OAEG;IACH,KAAK,EAAE,MAAM,CAAC;IACd;;OAEG;IACH,IAAI,CAAC,EAAE,MAAM,CAAC;IACd;;OAEG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;OAEG;IACH,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B;;OAEG;IACH,KAAK,EAAE,MAAM,CAAC;IACd;;OAEG;IACH,IAAI,CAAC,EAAE,MAAM,CAAC;IACd;;OAEG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;OAEG;IACH,IAAI,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC;CACzB;AAED;;;GAGG;AACH,MAAM,WAAW,aAAa;IAC5B;;OAEG;IACH,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB;;OAEG;IACH,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ;;OAEG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;OAEG;IACH,IAAI,CAAC,EAAE;QACL,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,OAAO,CAAC,EAAE,MAAM,CAAC;KAClB,CAAC;IACF;;OAEG;IACH,WAAW,EAAE,MAAM,CAAC;IACpB;;OAEG;IACH,OAAO,CAAC,EAAE,WAAW,EAAE,CAAC;CACzB;AAED;;GAEG;AACH,MAAM,WAAW,IAAI;IACnB;;OAEG;IACH,KAAK,EAAE,MAAM,CAAC;IACd;;OAEG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;OAEG;IACH,IAAI,CAAC,EAAE,MAAM,CAAC;IACd;;OAEG;IACH,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B;;OAEG;IACH,KAAK,EAAE,MAAM,CAAC;IACd;;OAEG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;OAEG;IACH,IAAI,CAAC,EAAE,MAAM,CAAC;IACd;;OAEG;IACH,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED;;;GAGG;AACH,MAAM,WAAW,mBAAmB;IAClC;;OAEG;IACH,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB;;OAEG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;OAEG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;OAEG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;OAEG;IACH,OAAO,CAAC,EAAE;QACR;;WAEG;QACH,KAAK,CAAC,EAAE,MAAM,CAAC;QACf;;WAEG;QACH,IAAI,CAAC,EAAE,MAAM,CAAC;QACd;;WAEG;QACH,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB,CAAC;CACH;AAED;;GAEG;AACH,MAAM,WAAW,IAAI;IACnB;;OAEG;IACH,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ;;OAEG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;OAEG;IACH,IAAI,CAAC,EAAE;QACL,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,OAAO,CAAC,EAAE,MAAM,CAAC;KAClB,CAAC;IACF;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAC;IACjB;;OAEG;IACH,IAAI,CAAC,EAAE,IAAI,CAAC;IACZ;;OAEG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;OAEG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;OAEG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IACf;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;OAEG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B;;OAEG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;OAEG;IACH,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;OAEG;IACH,MAAM,CAAC,EAAE,KAAK,EAAE,CAAC;IACjB;;OAEG;IACH,YAAY,CAAC,EAAE,WAAW,EAAE,CAAC;IAC7B;;OAEG;IACH,GAAG,CAAC,EAAE,KAAK,CAAC;QACV,KAAK,EAAE,MAAM,CAAC;QACd,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,OAAO,CAAC,EAAE,OAAO,CAAC;KACnB,CAAC,CAAC;IACH;;OAEG;IACH,MAAM,CAAC,EAAE,KAAK,CAAC;QACb,KAAK,EAAE,MAAM,CAAC;QACd,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,OAAO,CAAC,EAAE,OAAO,CAAC;KACnB,CAAC,CAAC;IACH;;OAEG;IACH,SAAS,CAAC,EAAE,OAAO,EAAE,CAAC;IACtB;;OAEG;IACH,MAAM,CAAC,EAAE,KAAK,EAAE,CAAC;IACjB;;OAEG;IACH,YAAY,CAAC,EAAE,KAAK,CAAC;QACnB,KAAK,EAAE,MAAM,CAAC;QACd,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,OAAO,CAAC,EAAE,OAAO,CAAC;KACnB,CAAC,CAAC;IACH;;OAEG;IACH,KAAK,CAAC,EAAE,IAAI,EAAE,CAAC;IACf;;OAEG;IACH,gBAAgB,CAAC,EAAE,eAAe,EAAE,CAAC;IACrC;;OAEG;IACH,4DAA4D,CAAC,EAAE,mBAAmB,CAAC;IACnF;;OAEG;IACH,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;CACpB;AAgZD;;;;GAIG;AACH,wBAAgB,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,IAAI,CAAC,CAkG1F;AAqDD;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,aAAa,CAAC,CAyE5G"}

package/dist/types/standard-schema.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"standard-schema.d.ts","sourceRoot":"","sources":["../../src/types/standard-schema.ts"],"names":[],"mappings":"AAAA,sEAAsE;AACtE,MAAM,WAAW,gBAAgB,CAAC,KAAK,GAAG,OAAO,EAAE,MAAM,GAAG,KAAK;IAC/D,sCAAsC;IACtC,QAAQ,CAAC,WAAW,EAAE,gBAAgB,CAAC,KAAK,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;CAC7D;AAED,MAAM,CAAC,OAAO,WAAW,gBAAgB,CAAC;IACxC,gDAAgD;IAChD,UAAiB,KAAK,CAAC,KAAK,GAAG,OAAO,EAAE,MAAM,GAAG,KAAK;QACpD,0CAA0C;QAC1C,QAAQ,CAAC,OAAO,EAAE,CAAC,CAAC;QACpB,6CAA6C;QAC7C,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;QACxB,sCAAsC;QACtC,QAAQ,CAAC,QAAQ,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,MAAM,CAAC,MAAM,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC;QAChF,iDAAiD;QACjD,QAAQ,CAAC,KAAK,CAAC,EAAE,KAAK,CAAC,KAAK,EAAE,MAAM,CAAC,GAAG,SAAS,CAAC;KACnD;IAED,qDAAqD;IACrD,KAAY,MAAM,CAAC,MAAM,IAAI,aAAa,CAAC,MAAM,CAAC,GAAG,aAAa,CAAC;IAEnE,mDAAmD;IACnD,UAAiB,aAAa,CAAC,MAAM;QACnC,8BAA8B;QAC9B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;QACvB,+BAA+B;QAC/B,QAAQ,CAAC,MAAM,CAAC,EAAE,SAAS,CAAC;KAC7B;IAED,gDAAgD;IAChD,UAAiB,aAAa;QAC5B,uCAAuC;QACvC,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC,KAAK,CAAC,CAAC;KACvC;IAED,iDAAiD;IACjD,UAAiB,KAAK;QACpB,sCAAsC;QACtC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;QACzB,qCAAqC;QACrC,QAAQ,CAAC,IAAI,CAAC,EAAE,aAAa,CAAC,WAAW,GAAG,WAAW,CAAC,GAAG,SAAS,CAAC;KACtE;IAED,+CAA+C;IAC/C,UAAiB,WAAW;QAC1B,2CAA2C;QAC3C,QAAQ,CAAC,GAAG,EAAE,WAAW,CAAC;KAC3B;IAED,2CAA2C;IAC3C,UAAiB,KAAK,CAAC,KAAK,GAAG,OAAO,EAAE,MAAM,GAAG,KAAK;QACpD,oCAAoC;QACpC,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC;QACtB,qCAAqC;QACrC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;KACzB;IAED,kDAAkD;IAClD,KAAY,UAAU,CAAC,MAAM,SAAS,gBAAgB,IAAI,WAAW,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;IAE7G,mDAAmD;IACnD,KAAY,WAAW,CAAC,MAAM,SAAS,gBAAgB,IAAI,WAAW,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;CAChH"}

package/dist/types/user.d.ts

@@ -0,0 +1,41 @@
+import type { BaseUser } from './base-user';
+import type { IdTokenClaims } from './oidc-schema';
+/**
+ * Primary user type for SSO/OIDC applications.
+ * Extends BaseUser with SSO-specific data.
+ */
+export interface User extends BaseUser {
+    /**
+     * SSO/OIDC authentication data
+     */
+    sso: {
+        /**
+         * ID Token claims from the identity provider
+         */
+        profile: IdTokenClaims;
+        /**
+         * Tenant/organization information
+         */
+        tenant: {
+            id: string;
+            name: string;
+        };
+        /**
+         * OAuth scopes granted
+         */
+        scope?: string;
+        /**
+         * Token type (typically "Bearer")
+         */
+        tokenType: string;
+        /**
+         * Session state from the identity provider
+         */
+        sessionState?: string;
+        /**
+         * Token expiration time
+         */
+        expires: Date;
+    };
+}
+//# sourceMappingURL=user.d.ts.map

package/dist/types/user.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"user.d.ts","sourceRoot":"","sources":["../../src/types/user.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAEnD;;;GAGG;AACH,MAAM,WAAW,IAAK,SAAQ,QAAQ;IACpC;;OAEG;IACH,GAAG,EAAE;QACH;;WAEG;QACH,OAAO,EAAE,aAAa,CAAC;QAEvB;;WAEG;QACH,MAAM,EAAE;YACN,EAAE,EAAE,MAAM,CAAC;YACX,IAAI,EAAE,MAAM,CAAC;SACd,CAAC;QAEF;;WAEG;QACH,KAAK,CAAC,EAAE,MAAM,CAAC;QAEf;;WAEG;QACH,SAAS,EAAE,MAAM,CAAC;QAElB;;WAEG;QACH,YAAY,CAAC,EAAE,MAAM,CAAC;QAEtB;;WAEG;QACH,OAAO,EAAE,IAAI,CAAC;KACf,CAAC;CACH"}

package/dist/types/workload-schema.d.ts

@@ -0,0 +1,106 @@
+import type { StandardSchemaV1 } from './standard-schema';
+/**
+ * JWT Assertion Claims for OAuth2 JWT Bearer Grant (RFC 7523) and OAuth2 Access Tokens
+ * @see https://datatracker.ietf.org/doc/html/rfc7523
+ * @see https://datatracker.ietf.org/doc/html/rfc9068
+ */
+export interface JWTAssertionClaims {
+    /**
+     * REQUIRED. Issuer - the workload identity (e.g., SPIFFE ID) or authorization server
+     */
+    iss: string;
+    /**
+     * REQUIRED. Subject - the workload identity or service account
+     */
+    sub: string;
+    /**
+     * OPTIONAL. Audience - may be a string or array of strings
+     * Note: Required for JWT assertions, but may be absent in OAuth2 access tokens
+     */
+    aud?: string | string[];
+    /**
+     * REQUIRED. Expiration time (Unix timestamp)
+     */
+    exp: number;
+    /**
+     * REQUIRED. Issued at time (Unix timestamp)
+     */
+    iat: number;
+    /**
+     * OPTIONAL. JWT ID - unique identifier for this token
+     * Note: Required for JWT assertions, optional for access tokens
+     */
+    jti?: string;
+    /**
+     * OPTIONAL. Requested OAuth scopes (space-delimited)
+     */
+    scope?: string;
+    /**
+     * Allow additional claims for extensibility
+     */
+    [key: string]: unknown;
+}
+/**
+ * Creates a StandardSchemaV1 for validating JWT Assertion Claims.
+ * @param vendor - The name of the vendor creating this schema
+ * @returns A StandardSchemaV1 instance for JWT Assertion Claims validation
+ */
+export declare function jwtAssertionClaimsSchema(vendor: string): StandardSchemaV1<Record<string, unknown>, JWTAssertionClaims>;
+/**
+ * Workload Token Response from OAuth2 token endpoint
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.1
+ */
+export interface WorkloadTokenResponse {
+    /**
+     * REQUIRED. The access token issued by the authorization server.
+     */
+    access_token: string;
+    /**
+     * REQUIRED. The type of the token (typically "Bearer").
+     */
+    token_type: string;
+    /**
+     * RECOMMENDED. The lifetime in seconds of the access token.
+     */
+    expires_in?: number;
+    /**
+     * OPTIONAL. The scope of the access token.
+     */
+    scope?: string;
+    /**
+     * OPTIONAL. The refresh token (rarely used for workload identities).
+     */
+    refresh_token?: string;
+    /**
+     * OPTIONAL. The expiration time as an ISO 8601 string.
+     */
+    expires?: string;
+}
+/**
+ * Creates a StandardSchemaV1 for validating Workload Token Responses.
+ * @param vendor - The name of the vendor creating this schema
+ * @returns A StandardSchemaV1 instance for Workload Token Response validation
+ */
+export declare function workloadTokenResponseSchema(vendor: string): StandardSchemaV1<Record<string, unknown>, WorkloadTokenResponse>;
+/**
+ * Token Validation Result
+ */
+export interface TokenValidationResult {
+    /**
+     * Whether the token is valid
+     */
+    valid: boolean;
+    /**
+     * The decoded and validated claims (if valid)
+     */
+    claims?: JWTAssertionClaims;
+    /**
+     * Error message (if invalid)
+     */
+    error?: string;
+    /**
+     * Token expiration time (if valid)
+     */
+    expiresAt?: Date;
+}
+//# sourceMappingURL=workload-schema.d.ts.map

package/dist/types/workload-schema.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"workload-schema.d.ts","sourceRoot":"","sources":["../../src/types/workload-schema.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AAE1D;;;;GAIG;AACH,MAAM,WAAW,kBAAkB;IACjC;;OAEG;IACH,GAAG,EAAE,MAAM,CAAC;IAEZ;;OAEG;IACH,GAAG,EAAE,MAAM,CAAC;IAEZ;;;OAGG;IACH,GAAG,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAExB;;OAEG;IACH,GAAG,EAAE,MAAM,CAAC;IAEZ;;OAEG;IACH,GAAG,EAAE,MAAM,CAAC;IAEZ;;;OAGG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb;;OAEG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf;;OAEG;IACH,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED;;;;GAIG;AACH,wBAAgB,wBAAwB,CACtC,MAAM,EAAE,MAAM,GACb,gBAAgB,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,kBAAkB,CAAC,CA6F/D;AAED;;;GAGG;AACH,MAAM,WAAW,qBAAqB;IACpC;;OAEG;IACH,YAAY,EAAE,MAAM,CAAC;IAErB;;OAEG;IACH,UAAU,EAAE,MAAM,CAAC;IAEnB;;OAEG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IAEpB;;OAEG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf;;OAEG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB;;OAEG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;;;GAIG;AACH,wBAAgB,2BAA2B,CACzC,MAAM,EAAE,MAAM,GACb,gBAAgB,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,qBAAqB,CAAC,CA4GlE;AAED;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC;;OAEG;IACH,KAAK,EAAE,OAAO,CAAC;IAEf;;OAEG;IACH,MAAM,CAAC,EAAE,kBAAkB,CAAC;IAE5B;;OAEG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf;;OAEG;IACH,SAAS,CAAC,EAAE,IAAI,CAAC;CAClB"}

package/dist/ui/sso-provider.d.ts

@@ -1,5 +1,5 @@
 import { type ReactNode } from 'react';
-import type { EnterpriseUser } from '../enterprise-user';
+import type { User } from '../types/user';
 type StorageType = 'local' | 'session' | 'memory';
 interface SSOProviderProps {
     tenantId?: string;
@@ -12,8 +12,8 @@ interface SSOProviderProps {
     children: ReactNode;
 }
 interface SSOContext {
-    user: EnterpriseUser | null;
-    setUser: (user: EnterpriseUser | null) => void;
+    user: User | null;
+    setUser: (user: User | null) => void;
     isLoading: boolean;
     tokenUrl?: string;
     refreshUrl?: string;

package/dist/ui/sso-provider.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sso-provider.d.ts","sourceRoot":"","sources":["../../src/ui/sso-provider.tsx"],"names":[],"mappings":"AAAA,OAAO,EAAiB,KAAK,SAAS,EAAgD,MAAM,OAAO,CAAC;AACpG,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAEzD,KAAK,WAAW,GAAG,OAAO,GAAG,SAAS,GAAG,QAAQ,CAAC;AAElD,UAAU,gBAAgB;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,WAAW,CAAC;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,QAAQ,EAAE,SAAS,CAAC;CACrB;AAED,UAAU,UAAU;IAClB,IAAI,EAAE,cAAc,GAAG,IAAI,CAAC;IAC5B,OAAO,EAAE,CAAC,IAAI,EAAE,cAAc,GAAG,IAAI,KAAK,IAAI,CAAC;IAC/C,SAAS,EAAE,OAAO,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAWD,wBAAgB,WAAW,CAAC,EAC1B,QAAQ,EACR,OAAkB,EAClB,UAAU,EACV,OAAO,EACP,QAAQ,EACR,UAAU,EACV,eAAuB,EACvB,QAAQ,GACT,EAAE,gBAAgB,2CA8JlB;AAED,wBAAgB,OAAO,IAAI,UAAU,CAMpC;AAOD,UAAU,cAAc;IACtB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,SAAS,EAAE,OAAO,CAAC;IACnB,KAAK,EAAE,KAAK,GAAG,IAAI,CAAC;IACpB,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC9B;AAED,wBAAgB,QAAQ,IAAI,cAAc,CAiGzC;AAED,wBAAsB,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CA6C7F"}
+{"version":3,"file":"sso-provider.d.ts","sourceRoot":"","sources":["../../src/ui/sso-provider.tsx"],"names":[],"mappings":"AAAA,OAAO,EAAiB,KAAK,SAAS,EAAgD,MAAM,OAAO,CAAC;AACpG,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,eAAe,CAAC;AAE1C,KAAK,WAAW,GAAG,OAAO,GAAG,SAAS,GAAG,QAAQ,CAAC;AAElD,UAAU,gBAAgB;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,WAAW,CAAC;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,QAAQ,EAAE,SAAS,CAAC;CACrB;AAED,UAAU,UAAU;IAClB,IAAI,EAAE,IAAI,GAAG,IAAI,CAAC;IAClB,OAAO,EAAE,CAAC,IAAI,EAAE,IAAI,GAAG,IAAI,KAAK,IAAI,CAAC;IACrC,SAAS,EAAE,OAAO,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAWD,wBAAgB,WAAW,CAAC,EAC1B,QAAQ,EACR,OAAkB,EAClB,UAAU,EACV,OAAO,EACP,QAAQ,EACR,UAAU,EACV,eAAuB,EACvB,QAAQ,GACT,EAAE,gBAAgB,2CA8JlB;AAED,wBAAgB,OAAO,IAAI,UAAU,CAMpC;AAOD,UAAU,cAAc;IACtB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,SAAS,EAAE,OAAO,CAAC;IACnB,KAAK,EAAE,KAAK,GAAG,IAAI,CAAC;IACpB,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC9B;AAED,wBAAgB,QAAQ,IAAI,cAAc,CAiGzC;AAED,wBAAsB,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CA6C7F"}

package/dist/user-store.d.ts

@@ -0,0 +1,161 @@
+/**
+ * User storage for persisting user profiles from SSO authentication.
+ *
+ * User stores are optional - the package works with JWT cookies alone.
+ * User stores are useful when you want to:
+ * - Cache user profiles for fast lookup
+ * - Store users close to your application (in-memory, Redis, etc.)
+ * - Avoid custom IAM/SCIM integration for simple use cases
+ *
+ * ## When to Use UserStore vs IAM
+ *
+ * **Use UserStore when:**
+ * - You just need fast user lookups without external systems
+ * - Users are managed by an external IdP and you just cache them locally
+ * - You want simple in-memory or Redis storage
+ *
+ * **Use IAM (SCIM) when:**
+ * - You need to provision users to an external identity provider
+ * - You need custom user attributes beyond what SSO provides
+ * - You need to sync users with enterprise directories
+ *
+ * ## Example Usage
+ *
+ * ```typescript
+ * import { sso, InMemoryUserStore } from '@enterprisestandard/react/server';
+ *
+ * const userStore = new InMemoryUserStore();
+ *
+ * const auth = sso({
+ *   // ... other config
+ *   user_store: userStore,
+ * });
+ *
+ * // Later, look up users
+ * const user = await userStore.get('user-sub-id');
+ * const userByEmail = await userStore.getByEmail('user@example.com');
+ * ```
+ */
+import type { User } from './types/user';
+/**
+ * Stored user data with required id and tracking metadata.
+ *
+ * Extends the SSO User type with:
+ * - Required `id` (the `sub` claim from the IdP)
+ * - Timestamps for tracking when users were first seen and last updated
+ * - Optional custom extended data
+ *
+ * @template TExtended - Type-safe custom data that consumers can add to users
+ */
+export type StoredUser<TExtended = {}> = User & {
+    /**
+     * Required unique identifier (the `sub` claim from the IdP).
+     * This is the primary key for user storage.
+     */
+    id: string;
+    /**
+     * Timestamp when the user was first stored.
+     */
+    createdAt: Date;
+    /**
+     * Timestamp when the user was last updated (e.g., on re-login).
+     */
+    updatedAt: Date;
+} & TExtended;
+/**
+ * Abstract interface for user storage backends.
+ *
+ * Consumers can implement this interface to use different storage backends:
+ * - In-memory (for development/testing)
+ * - Redis (for production with fast lookups)
+ * - Database (PostgreSQL, MySQL, etc.)
+ *
+ * @template TExtended - Type-safe custom data that consumers can add to users
+ *
+ * @example
+ * ```typescript
+ * // Custom user data
+ * type MyUserData = {
+ *   department: string;
+ *   roles: string[];
+ * };
+ *
+ * // Implement custom store
+ * class RedisUserStore implements UserStore<MyUserData> {
+ *   async get(sub: string): Promise<StoredUser<MyUserData> | null> {
+ *     const data = await redis.get(`user:${sub}`);
+ *     return data ? JSON.parse(data) : null;
+ *   }
+ *   // ... other methods
+ * }
+ * ```
+ */
+export interface UserStore<TExtended = {}> {
+    /**
+     * Retrieve a user by their subject identifier (sub).
+     *
+     * @param sub - The user's unique identifier from the IdP
+     * @returns The user if found, null otherwise
+     */
+    get(sub: string): Promise<StoredUser<TExtended> | null>;
+    /**
+     * Retrieve a user by their email address.
+     *
+     * @param email - The user's email address
+     * @returns The user if found, null otherwise
+     */
+    getByEmail(email: string): Promise<StoredUser<TExtended> | null>;
+    /**
+     * Retrieve a user by their username.
+     *
+     * @param userName - The user's username
+     * @returns The user if found, null otherwise
+     */
+    getByUserName(userName: string): Promise<StoredUser<TExtended> | null>;
+    /**
+     * Create or update a user in the store.
+     *
+     * If a user with the same `id` (sub) exists, it will be updated.
+     * Otherwise, a new user will be created.
+     *
+     * @param user - The user data to store
+     */
+    upsert(user: StoredUser<TExtended>): Promise<void>;
+    /**
+     * Delete a user by their subject identifier (sub).
+     *
+     * @param sub - The user's unique identifier to delete
+     */
+    delete(sub: string): Promise<void>;
+}
+/**
+ * In-memory user store implementation using Maps.
+ *
+ * Suitable for:
+ * - Development and testing
+ * - Single-server deployments
+ * - Applications without high availability requirements
+ *
+ * NOT suitable for:
+ * - Multi-server deployments (users not shared)
+ * - High availability scenarios (users lost on restart)
+ * - Production applications with distributed architecture
+ *
+ * For production, implement UserStore with Redis or a database.
+ *
+ * @template TExtended - Type-safe custom data that consumers can add to users
+ */
+export declare class InMemoryUserStore<TExtended = {}> implements UserStore<TExtended> {
+    /** Primary storage: sub -> user */
+    private users;
+    /** Secondary index: email -> sub */
+    private emailIndex;
+    /** Secondary index: userName -> sub */
+    private userNameIndex;
+    get(sub: string): Promise<StoredUser<TExtended> | null>;
+    getByEmail(email: string): Promise<StoredUser<TExtended> | null>;
+    getByUserName(userName: string): Promise<StoredUser<TExtended> | null>;
+    upsert(user: StoredUser<TExtended>): Promise<void>;
+    delete(sub: string): Promise<void>;
+}
+//# sourceMappingURL=user-store.d.ts.map

package/dist/user-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"user-store.d.ts","sourceRoot":"","sources":["../src/user-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AAEH,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,cAAc,CAAC;AAEzC;;;;;;;;;GASG;AACH,MAAM,MAAM,UAAU,CAAC,SAAS,GAAG,EAAE,IAAI,IAAI,GAAG;IAC9C;;;OAGG;IACH,EAAE,EAAE,MAAM,CAAC;IAEX;;OAEG;IACH,SAAS,EAAE,IAAI,CAAC;IAEhB;;OAEG;IACH,SAAS,EAAE,IAAI,CAAC;CACjB,GAAG,SAAS,CAAC;AAEd;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,WAAW,SAAS,CAAC,SAAS,GAAG,EAAE;IACvC;;;;;OAKG;IACH,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC,CAAC;IAExD;;;;;OAKG;IACH,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC,CAAC;IAEjE;;;;;OAKG;IACH,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC,CAAC;IAEvE;;;;;;;OAOG;IACH,MAAM,CAAC,IAAI,EAAE,UAAU,CAAC,SAAS,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEnD;;;;OAIG;IACH,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACpC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,qBAAa,iBAAiB,CAAC,SAAS,GAAG,EAAE,CAAE,YAAW,SAAS,CAAC,SAAS,CAAC;IAC5E,mCAAmC;IACnC,OAAO,CAAC,KAAK,CAA4C;IAEzD,oCAAoC;IACpC,OAAO,CAAC,UAAU,CAA6B;IAE/C,uCAAuC;IACvC,OAAO,CAAC,aAAa,CAA6B;IAE5C,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC;IAIvD,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC;IAMhE,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC;IAMtE,MAAM,CAAC,IAAI,EAAE,UAAU,CAAC,SAAS,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC;IAyBlD,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAazC"}

package/dist/workload-server.d.ts

@@ -0,0 +1,126 @@
+import type { TokenValidationResult } from './types/workload-schema';
+import type { ESConfig, WorkloadIdentity } from './workload';
+/**
+ * Get the workload identity from an incoming request.
+ * Returns undefined if no valid workload token is present.
+ *
+ * @param request - Request with Authorization header
+ * @param config - Optional EnterpriseStandard configuration
+ * @returns WorkloadIdentity or undefined
+ *
+ * @example
+ * ```typescript
+ * import { getWorkload } from '@enterprisestandard/react';
+ *
+ * export async function handler(request: Request) {
+ *   const workload = await getWorkload(request);
+ *
+ *   if (!workload) {
+ *     return new Response('Unauthorized', { status: 401 });
+ *   }
+ *
+ *   console.log('Request from workload:', workload.workload_id);
+ *   // ... process authenticated request
+ * }
+ * ```
+ */
+export declare function getWorkload(request: Request, config?: ESConfig): Promise<WorkloadIdentity | undefined>;
+/**
+ * Get an access token for the configured workload identity.
+ *
+ * @param scope - Optional OAuth2 scopes (space-delimited)
+ * @param config - Optional EnterpriseStandard configuration
+ * @returns Access token string
+ *
+ * @example
+ * ```typescript
+ * import { getWorkloadToken } from '@enterprisestandard/react/server';
+ *
+ * // Get token for API calls
+ * const token = await getWorkloadToken('api:read api:write');
+ *
+ * // Use in outbound requests
+ * const response = await fetch('https://api.example.com/data', {
+ *   headers: { 'Authorization': `Bearer ${token}` },
+ * });
+ * ```
+ */
+export declare function getWorkloadToken(scope?: string, config?: ESConfig): Promise<string>;
+/**
+ * Validate a workload token from an incoming request.
+ *
+ * @param request - Request with Authorization header
+ * @param config - Optional EnterpriseStandard configuration
+ * @returns Token validation result
+ *
+ * @example
+ * ```typescript
+ * import { validateWorkloadToken } from '@enterprisestandard/react/server';
+ *
+ * export async function handler(request: Request) {
+ *   const result = await validateWorkloadToken(request);
+ *
+ *   if (!result.valid) {
+ *     return new Response(
+ *       JSON.stringify({ error: result.error }),
+ *       { status: 401 }
+ *     );
+ *   }
+ *
+ *   const workloadId = result.claims?.iss;
+ *   // ... process authenticated request
+ * }
+ * ```
+ */
+export declare function validateWorkloadToken(request: Request, config?: ESConfig): Promise<TokenValidationResult>;
+/**
+ * Revoke a workload access token.
+ *
+ * @param token - The access token to revoke
+ * @param config - Optional EnterpriseStandard configuration
+ *
+ * @example
+ * ```typescript
+ * import { revokeWorkloadToken } from '@enterprisestandard/react/server';
+ *
+ * // Revoke token when workload is decommissioned
+ * await revokeWorkloadToken(accessToken);
+ * ```
+ */
+export declare function revokeWorkloadToken(token: string, config?: ESConfig): Promise<void>;
+/**
+ * Framework-agnostic handler for workload authentication routes.
+ *
+ * The handler reads configuration (handler URLs, validation) directly from the
+ * EnterpriseStandard instance, so no config parameter is needed.
+ *
+ * @param request - Incoming request
+ * @param config - Optional ESConfig to specify which EnterpriseStandard instance to use
+ * @returns Response
+ *
+ * @example
+ * ```typescript
+ * import { workloadHandler } from '@enterprisestandard/react/server';
+ *
+ * // TanStack Start example
+ * export const Route = createFileRoute('/api/workload/$')({
+ *   server: {
+ *     handlers: ({ createHandlers }) =>
+ *       createHandlers({
+ *         GET: {
+ *           handler: async ({ request }) => {
+ *             return workloadHandler(request);
+ *           },
+ *         },
+ *         POST: {
+ *           handler: async ({ request }) => {
+ *             return workloadHandler(request);
+ *           },
+ *         },
+ *       }),
+ *   },
+ * });
+ * ```
+ */
+export declare function workloadHandler(request: Request, config?: ESConfig): Promise<Response>;
+//# sourceMappingURL=workload-server.d.ts.map

package/dist/workload-server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"workload-server.d.ts","sourceRoot":"","sources":["../src/workload-server.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,yBAAyB,CAAC;AAErE,OAAO,KAAK,EAAE,QAAQ,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAmB7D;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAsB,WAAW,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,EAAE,QAAQ,GAAG,OAAO,CAAC,gBAAgB,GAAG,SAAS,CAAC,CAM5G;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAsB,gBAAgB,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,QAAQ,GAAG,OAAO,CAAC,MAAM,CAAC,CAIzF;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAsB,qBAAqB,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,EAAE,QAAQ,GAAG,OAAO,CAAC,qBAAqB,CAAC,CAa/G;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAsB,mBAAmB,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC,CAIzF;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AACH,wBAAsB,eAAe,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,EAAE,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAI5F"}