@enterprisestandard/react 0.0.5-beta.20260115.3 → 0.0.5-beta.20260115.4

package/dist/index.d.ts

@@ -1,8 +1,2573 @@
-import { type IAM, type IAMConfig } from './iam';
-import { type SSO, type SSOConfig, type SSOHandlerConfig } from './sso';
-import { type Vault } from './vault';
-import { type Workload, type WorkloadConfig } from './workload';
-export type EnterpriseStandard = ESConfig & {
+import * as react_jsx_runtime from 'react/jsx-runtime';
+import { PropsWithChildren, ReactNode } from 'react';
+
+/** The Standard Schema interface. @see https://standardschema.dev/ */
+interface StandardSchemaV1<Input = unknown, Output = Input> {
+    /** The Standard Schema properties. */
+    readonly '~standard': StandardSchemaV1.Props<Input, Output>;
+}
+declare namespace StandardSchemaV1 {
+    /** The Standard Schema properties interface. */
+    interface Props<Input = unknown, Output = Input> {
+        /** The version number of the standard. */
+        readonly version: 1;
+        /** The vendor name of the schema library. */
+        readonly vendor: string;
+        /** Validates unknown input values. */
+        readonly validate: (value: unknown) => Result<Output> | Promise<Result<Output>>;
+        /** Inferred types associated with the schema. */
+        readonly types?: Types<Input, Output> | undefined;
+    }
+    /** The result interface of the validate function. */
+    type Result<Output> = SuccessResult<Output> | FailureResult;
+    /** The result interface if validation succeeds. */
+    interface SuccessResult<Output> {
+        /** The typed output value. */
+        readonly value: Output;
+        /** The non-existent issues. */
+        readonly issues?: undefined;
+    }
+    /** The result interface if validation fails. */
+    interface FailureResult {
+        /** The issues of failed validation. */
+        readonly issues: ReadonlyArray<Issue>;
+    }
+    /** The issue interface of the failure output. */
+    interface Issue {
+        /** The error message of the issue. */
+        readonly message: string;
+        /** The path of the issue, if any. */
+        readonly path?: ReadonlyArray<PropertyKey | PathSegment> | undefined;
+    }
+    /** The path segment interface of the issue. */
+    interface PathSegment {
+        /** The key representing a path segment. */
+        readonly key: PropertyKey;
+    }
+    /** The Standard Schema types interface. */
+    interface Types<Input = unknown, Output = Input> {
+        /** The input type of the schema. */
+        readonly input: Input;
+        /** The output type of the schema. */
+        readonly output: Output;
+    }
+    /** Infers the input type of a Standard Schema. */
+    type InferInput<Schema extends StandardSchemaV1> = NonNullable<Schema['~standard']['types']>['input'];
+    /** Infers the output type of a Standard Schema. */
+    type InferOutput<Schema extends StandardSchemaV1> = NonNullable<Schema['~standard']['types']>['output'];
+}
+
+/**
+ * SCIM 2.0 User Resource
+ * @see https://datatracker.ietf.org/doc/html/rfc7643#section-4.1
+ */
+/**
+ * SCIM Name sub-attribute
+ */
+interface Name {
+    /**
+     * The full name, including all middle names, titles, and suffixes as appropriate
+     */
+    formatted?: string;
+    /**
+     * The family name of the User, or last name
+     */
+    familyName?: string;
+    /**
+     * The given name of the User, or first name
+     */
+    givenName?: string;
+    /**
+     * The middle name(s) of the User
+     */
+    middleName?: string;
+    /**
+     * The honorific prefix(es) of the User, or title
+     */
+    honorificPrefix?: string;
+    /**
+     * The honorific suffix(es) of the User, or suffix
+     */
+    honorificSuffix?: string;
+}
+/**
+ * SCIM Email sub-attribute
+ */
+interface Email {
+    /**
+     * The email address value
+     */
+    value: string;
+    /**
+     * A human-readable name, primarily used for display purposes
+     */
+    display?: string;
+    /**
+     * A label indicating the attribute's function (e.g., "work" or "home")
+     */
+    type?: string;
+    /**
+     * A Boolean value indicating the 'primary' or preferred attribute value
+     */
+    primary?: boolean;
+}
+/**
+ * SCIM Phone Number sub-attribute
+ */
+interface PhoneNumber {
+    /**
+     * The phone number value
+     */
+    value: string;
+    /**
+     * A human-readable name, primarily used for display purposes
+     */
+    display?: string;
+    /**
+     * A label indicating the attribute's function (e.g., "work", "home", "mobile")
+     */
+    type?: string;
+    /**
+     * A Boolean value indicating the 'primary' or preferred attribute value
+     */
+    primary?: boolean;
+}
+/**
+ * SCIM Address sub-attribute
+ */
+interface Address {
+    /**
+     * The full mailing address, formatted for display
+     */
+    formatted?: string;
+    /**
+     * The full street address component
+     */
+    streetAddress?: string;
+    /**
+     * The city or locality component
+     */
+    locality?: string;
+    /**
+     * The state or region component
+     */
+    region?: string;
+    /**
+     * The zip code or postal code component
+     */
+    postalCode?: string;
+    /**
+     * The country name component
+     */
+    country?: string;
+    /**
+     * A label indicating the attribute's function (e.g., "work" or "home")
+     */
+    type?: string;
+    /**
+     * A Boolean value indicating the 'primary' or preferred attribute value
+     */
+    primary?: boolean;
+}
+/**
+ * SCIM Group reference (used within User resources)
+ */
+interface Group {
+    /**
+     * The identifier of the User's group
+     */
+    value: string;
+    /**
+     * The URI of the corresponding 'Group' resource
+     */
+    $ref?: string;
+    /**
+     * A human-readable name, primarily used for display purposes
+     */
+    display?: string;
+    /**
+     * A label indicating the attribute's function (e.g., "direct" or "indirect")
+     */
+    type?: string;
+}
+/**
+ * SCIM Group Member reference
+ */
+interface GroupMember {
+    /**
+     * The identifier of the member (User or Group)
+     */
+    value: string;
+    /**
+     * The URI of the corresponding member resource
+     */
+    $ref?: string;
+    /**
+     * A human-readable name of the member
+     */
+    display?: string;
+    /**
+     * The type of the member (e.g., "User" or "Group")
+     */
+    type?: 'User' | 'Group';
+}
+/**
+ * SCIM 2.0 Group Resource
+ * @see https://datatracker.ietf.org/doc/html/rfc7643#section-4.2
+ */
+interface GroupResource {
+    /**
+     * REQUIRED. The schemas attribute
+     */
+    schemas?: string[];
+    /**
+     * Unique identifier for the Group, assigned by the service provider
+     */
+    id?: string;
+    /**
+     * External identifier from the provisioning client
+     */
+    externalId?: string;
+    /**
+     * Resource metadata
+     */
+    meta?: {
+        resourceType?: string;
+        created?: string;
+        lastModified?: string;
+        location?: string;
+        version?: string;
+    };
+    /**
+     * REQUIRED. A human-readable name for the Group
+     */
+    displayName: string;
+    /**
+     * A list of members of the Group
+     */
+    members?: GroupMember[];
+}
+/**
+ * SCIM Role
+ */
+interface Role {
+    /**
+     * The value of the role
+     */
+    value: string;
+    /**
+     * A human-readable name, primarily used for display purposes
+     */
+    display?: string;
+    /**
+     * A label indicating the attribute's function
+     */
+    type?: string;
+    /**
+     * A Boolean value indicating the 'primary' or preferred attribute value
+     */
+    primary?: boolean;
+}
+/**
+ * SCIM X509 Certificate
+ */
+interface X509Certificate {
+    /**
+     * The value of the X.509 certificate
+     */
+    value: string;
+    /**
+     * A human-readable name, primarily used for display purposes
+     */
+    display?: string;
+    /**
+     * A label indicating the attribute's function
+     */
+    type?: string;
+    /**
+     * A Boolean value indicating the 'primary' or preferred attribute value
+     */
+    primary?: boolean;
+}
+/**
+ * SCIM Enterprise User Extension
+ * @see https://datatracker.ietf.org/doc/html/rfc7643#section-4.3
+ */
+interface EnterpriseExtension {
+    /**
+     * Numeric or alphanumeric identifier assigned to a person
+     */
+    employeeNumber?: string;
+    /**
+     * Identifies the name of a cost center
+     */
+    costCenter?: string;
+    /**
+     * Identifies the name of an organization
+     */
+    organization?: string;
+    /**
+     * Identifies the name of a division
+     */
+    division?: string;
+    /**
+     * Identifies the name of a department
+     */
+    department?: string;
+    /**
+     * The user's manager
+     */
+    manager?: {
+        /**
+         * The "id" of the SCIM resource representing the User's manager
+         */
+        value?: string;
+        /**
+         * The URI of the SCIM resource representing the User's manager
+         */
+        $ref?: string;
+        /**
+         * The displayName of the User's manager
+         */
+        displayName?: string;
+    };
+}
+/**
+ * SCIM User Resource
+ */
+interface User$1 {
+    /**
+     * REQUIRED. Unique identifier for the User, typically from the provider
+     */
+    id?: string;
+    /**
+     * REQUIRED. A unique identifier for a SCIM resource as defined by the service provider
+     */
+    externalId?: string;
+    /**
+     * Resource metadata
+     */
+    meta?: {
+        resourceType?: string;
+        created?: string;
+        lastModified?: string;
+        location?: string;
+        version?: string;
+    };
+    /**
+     * REQUIRED. Unique identifier for the User, typically used for login
+     */
+    userName: string;
+    /**
+     * The components of the user's name
+     */
+    name?: Name;
+    /**
+     * The name of the User, suitable for display to end-users
+     */
+    displayName?: string;
+    /**
+     * The casual way to address the user
+     */
+    nickName?: string;
+    /**
+     * A fully qualified URL pointing to a page representing the User's online profile
+     */
+    profileUrl?: string;
+    /**
+     * The user's title, such as "Vice President"
+     */
+    title?: string;
+    /**
+     * Used to identify the relationship between the organization and the user
+     */
+    userType?: string;
+    /**
+     * Indicates the User's preferred written or spoken language
+     */
+    preferredLanguage?: string;
+    /**
+     * Used to indicate the User's default location for purposes of localizing items such as currency
+     */
+    locale?: string;
+    /**
+     * The User's time zone in the "Olson" time zone database format
+     */
+    timezone?: string;
+    /**
+     * A Boolean value indicating the User's administrative status
+     */
+    active?: boolean;
+    /**
+     * The User's cleartext password
+     */
+    password?: string;
+    /**
+     * Email addresses for the user
+     */
+    emails?: Email[];
+    /**
+     * Phone numbers for the User
+     */
+    phoneNumbers?: PhoneNumber[];
+    /**
+     * Instant messaging addresses for the User
+     */
+    ims?: Array<{
+        value: string;
+        display?: string;
+        type?: string;
+        primary?: boolean;
+    }>;
+    /**
+     * URLs of photos of the User
+     */
+    photos?: Array<{
+        value: string;
+        display?: string;
+        type?: string;
+        primary?: boolean;
+    }>;
+    /**
+     * Physical mailing addresses for this User
+     */
+    addresses?: Address[];
+    /**
+     * A list of groups to which the user belongs
+     */
+    groups?: Group[];
+    /**
+     * A list of entitlements for the User
+     */
+    entitlements?: Array<{
+        value: string;
+        display?: string;
+        type?: string;
+        primary?: boolean;
+    }>;
+    /**
+     * A list of roles for the User
+     */
+    roles?: Role[];
+    /**
+     * A list of certificates issued to the User
+     */
+    x509Certificates?: X509Certificate[];
+    /**
+     * Enterprise User Extension
+     */
+    'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'?: EnterpriseExtension;
+    /**
+     * REQUIRED. The schemas attribute is an array of Strings which allows introspection of the supported schema version
+     */
+    schemas?: string[];
+}
+/**
+ * Creates a StandardSchemaV1 for validating SCIM User resources.
+ * @param vendor - The name of the vendor creating this schema
+ * @returns A StandardSchemaV1 instance for SCIM User resources
+ */
+declare function userSchema(vendor: string): StandardSchemaV1<Record<string, unknown>, User$1>;
+/**
+ * Creates a StandardSchemaV1 for validating SCIM Group resources.
+ * @param vendor - The name of the vendor creating this schema
+ * @returns A StandardSchemaV1 instance for SCIM Group resources
+ */
+declare function groupResourceSchema(vendor: string): StandardSchemaV1<Record<string, unknown>, GroupResource>;
+
+/**
+ * Group storage for persisting group data.
+ *
+ * Group stores are an optional extension for the IAM Groups functionality.
+ * They enable:
+ * - Caching group data locally for fast lookups
+ * - Receiving group provisioning from external IAM providers (SCIM server)
+ * - Storing groups close to your application (in-memory, Redis, database)
+ *
+ * ## Example Usage
+ *
+ * ```typescript
+ * import { InMemoryGroupStore } from '@enterprisestandard/react';
+ *
+ * const groupStore = new InMemoryGroupStore();
+ *
+ * // Store a group
+ * await groupStore.upsert({
+ *   id: 'group-123',
+ *   displayName: 'Administrators',
+ *   createdAt: new Date(),
+ *   updatedAt: new Date(),
+ * });
+ *
+ * // Look up groups
+ * const group = await groupStore.get('group-123');
+ * const allGroups = await groupStore.list();
+ * ```
+ */
+
+/**
+ * Stored group data with required id and tracking metadata.
+ *
+ * @template TExtended - Type-safe custom data that consumers can add to groups
+ */
+type StoredGroup<TExtended = {}> = {
+    /**
+     * Required unique identifier for the group.
+     * This is the primary key for group storage.
+     */
+    id: string;
+    /**
+     * Required human-readable name for the group.
+     */
+    displayName: string;
+    /**
+     * Optional external identifier from provisioning client.
+     */
+    externalId?: string;
+    /**
+     * List of members in the group.
+     */
+    members?: GroupMember[];
+    /**
+     * Timestamp when the group was first stored.
+     */
+    createdAt: Date;
+    /**
+     * Timestamp when the group was last updated.
+     */
+    updatedAt: Date;
+} & TExtended;
+/**
+ * Abstract interface for group storage backends.
+ *
+ * Consumers can implement this interface to use different storage backends:
+ * - In-memory (for development/testing)
+ * - Redis (for production with fast lookups)
+ * - Database (PostgreSQL, MySQL, etc.)
+ *
+ * @template TExtended - Type-safe custom data that consumers can add to groups
+ */
+interface GroupStore<TExtended = {}> {
+    /**
+     * Retrieve a group by its unique identifier.
+     *
+     * @param id - The group's unique identifier
+     * @returns The group if found, null otherwise
+     */
+    get(id: string): Promise<StoredGroup<TExtended> | null>;
+    /**
+     * Retrieve a group by its external identifier.
+     *
+     * @param externalId - The external identifier from the provisioning client
+     * @returns The group if found, null otherwise
+     */
+    getByExternalId(externalId: string): Promise<StoredGroup<TExtended> | null>;
+    /**
+     * Retrieve a group by its display name.
+     *
+     * @param displayName - The group's display name
+     * @returns The group if found, null otherwise
+     */
+    getByDisplayName(displayName: string): Promise<StoredGroup<TExtended> | null>;
+    /**
+     * List all groups in the store.
+     *
+     * @returns Array of all stored groups
+     */
+    list(): Promise<StoredGroup<TExtended>[]>;
+    /**
+     * Create or update a group in the store.
+     *
+     * If a group with the same `id` exists, it will be updated.
+     * Otherwise, a new group will be created.
+     *
+     * @param group - The group data to store
+     */
+    upsert(group: StoredGroup<TExtended>): Promise<void>;
+    /**
+     * Delete a group by its unique identifier.
+     *
+     * @param id - The group's unique identifier to delete
+     */
+    delete(id: string): Promise<void>;
+    /**
+     * Add a member to a group.
+     *
+     * @param groupId - The group's unique identifier
+     * @param member - The member to add
+     */
+    addMember(groupId: string, member: GroupMember): Promise<void>;
+    /**
+     * Remove a member from a group.
+     *
+     * @param groupId - The group's unique identifier
+     * @param memberId - The member's value/id to remove
+     */
+    removeMember(groupId: string, memberId: string): Promise<void>;
+}
+/**
+ * In-memory group store implementation using Maps.
+ *
+ * Suitable for:
+ * - Development and testing
+ * - Single-server deployments
+ * - Applications without high availability requirements
+ *
+ * NOT suitable for:
+ * - Multi-server deployments (groups not shared)
+ * - High availability scenarios (groups lost on restart)
+ * - Production applications with distributed architecture
+ *
+ * For production, implement GroupStore with Redis or a database.
+ *
+ * @template TExtended - Type-safe custom data that consumers can add to groups
+ */
+declare class InMemoryGroupStore<TExtended = {}> implements GroupStore<TExtended> {
+    /** Primary storage: id -> group */
+    private groups;
+    /** Secondary index: externalId -> id */
+    private externalIdIndex;
+    /** Secondary index: displayName (lowercase) -> id */
+    private displayNameIndex;
+    get(id: string): Promise<StoredGroup<TExtended> | null>;
+    getByExternalId(externalId: string): Promise<StoredGroup<TExtended> | null>;
+    getByDisplayName(displayName: string): Promise<StoredGroup<TExtended> | null>;
+    list(): Promise<StoredGroup<TExtended>[]>;
+    upsert(group: StoredGroup<TExtended>): Promise<void>;
+    delete(id: string): Promise<void>;
+    addMember(groupId: string, member: GroupMember): Promise<void>;
+    removeMember(groupId: string, memberId: string): Promise<void>;
+}
+
+/**
+ * Base user with simple, developer-friendly attributes.
+ * Extended by User (SSO) and EnterpriseUser (SCIM).
+ */
+interface BaseUser {
+    /**
+     * Unique identifier for the user
+     */
+    id?: string;
+    /**
+     * REQUIRED. Unique identifier for login
+     */
+    userName: string;
+    /**
+     * REQUIRED. Simple display name
+     */
+    name: string;
+    /**
+     * REQUIRED. Primary email address
+     */
+    email: string;
+    /**
+     * URL to user's avatar/profile picture
+     */
+    avatarUrl?: string;
+}
+
+/**
+ * OIDC Code Flow Callback URL Parameters
+ * @see https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth
+ */
+interface OidcCallbackParams {
+    /**
+     * REQUIRED. The authorization code returned from the authorization server.
+     */
+    code: string;
+    /**
+     * REQUIRED if the "state" parameter was present in the client authorization request.
+     * The exact value received from the client.
+     */
+    state?: string;
+    /**
+     * RECOMMENDED. The session state value. Clients should use this to verify the session state.
+     */
+    session_state?: string;
+    /**
+     * OAuth 2.0 error code if the authorization request failed.
+     */
+    error?: string;
+    /**
+     * Human-readable ASCII text providing additional information for the error.
+     */
+    error_description?: string;
+    /**
+     * A URI identifying a human-readable web page with information about the error.
+     */
+    error_uri?: string;
+    /**
+     * The "iss" (issuer) parameter identifies the principal that issued the response.
+     * This is typically used in the implicit flow.
+     */
+    iss?: string;
+}
+/**
+ * Creates a StandardSchemaV1 for validating OIDC callback URL parameters.
+ * @param vendor - The name of the vendor creating this schema
+ * @returns A StandardSchemaV1 instance for OIDC callback parameters
+ */
+declare function oidcCallbackSchema(vendor: string): StandardSchemaV1<Record<string, unknown>, OidcCallbackParams>;
+/**
+ * Token Response from IdP
+ */
+interface TokenResponse {
+    access_token: string;
+    id_token: string;
+    refresh_token?: string;
+    token_type: string;
+    expires_in?: number;
+    scope?: string;
+    refresh_expires_in?: number;
+    session_state?: string;
+    expires?: string;
+}
+/**
+ * Creates a StandardSchemaV1 for validating OIDC Token Responses.
+ * @param vendor - The name of the vendor creating this schema
+ * @returns A StandardSchemaV1 instance for Token Response validation
+ */
+declare function tokenResponseSchema(vendor: string): StandardSchemaV1<Record<string, unknown>, TokenResponse>;
+/**
+ * ID Token Claims
+ */
+interface IdTokenClaims {
+    iss?: string;
+    aud?: string;
+    exp?: number;
+    iat?: number;
+    sub?: string;
+    sid?: string;
+    name?: string;
+    email?: string;
+    preferred_username?: string;
+    picture?: string;
+    [key: string]: unknown;
+}
+/**
+ * Creates a StandardSchemaV1 for validating ID Token Claims.
+ * @param vendor - The name of the vendor creating this schema
+ * @returns A StandardSchemaV1 instance for ID Token Claims validation
+ */
+declare function idTokenClaimsSchema(vendor: string): StandardSchemaV1<Record<string, unknown>, IdTokenClaims>;
+
+/**
+ * Primary user type for SSO/OIDC applications.
+ * Extends BaseUser with SSO-specific data.
+ */
+interface User extends BaseUser {
+    /**
+     * SSO/OIDC authentication data
+     */
+    sso: {
+        /**
+         * ID Token claims from the identity provider
+         */
+        profile: IdTokenClaims;
+        /**
+         * Tenant/organization information
+         */
+        tenant: {
+            id: string;
+            name: string;
+        };
+        /**
+         * OAuth scopes granted
+         */
+        scope?: string;
+        /**
+         * Token type (typically "Bearer")
+         */
+        tokenType: string;
+        /**
+         * Session state from the identity provider
+         */
+        sessionState?: string;
+        /**
+         * Token expiration time
+         */
+        expires: Date;
+    };
+}
+
+/**
+ * User storage for persisting user profiles from SSO authentication.
+ *
+ * User stores are optional - the package works with JWT cookies alone.
+ * User stores are useful when you want to:
+ * - Cache user profiles for fast lookup
+ * - Store users close to your application (in-memory, Redis, etc.)
+ * - Avoid custom IAM/SCIM integration for simple use cases
+ *
+ * ## When to Use UserStore vs IAM
+ *
+ * **Use UserStore when:**
+ * - You just need fast user lookups without external systems
+ * - Users are managed by an external IdP and you just cache them locally
+ * - You want simple in-memory or Redis storage
+ *
+ * **Use IAM (SCIM) when:**
+ * - You need to provision users to an external identity provider
+ * - You need custom user attributes beyond what SSO provides
+ * - You need to sync users with enterprise directories
+ *
+ * ## Example Usage
+ *
+ * ```typescript
+ * import { sso, InMemoryUserStore } from '@enterprisestandard/react/server';
+ *
+ * const userStore = new InMemoryUserStore();
+ *
+ * const auth = sso({
+ *   // ... other config
+ *   user_store: userStore,
+ * });
+ *
+ * // Later, look up users
+ * const user = await userStore.get('user-sub-id');
+ * const userByEmail = await userStore.getByEmail('user@example.com');
+ * ```
+ */
+
+/**
+ * Stored user data with required id and tracking metadata.
+ *
+ * Extends the SSO User type with:
+ * - Required `id` (the `sub` claim from the IdP)
+ * - Timestamps for tracking when users were first seen and last updated
+ * - Optional custom extended data
+ *
+ * @template TExtended - Type-safe custom data that consumers can add to users
+ */
+type StoredUser<TExtended = {}> = User & {
+    /**
+     * Required unique identifier (the `sub` claim from the IdP).
+     * This is the primary key for user storage.
+     */
+    id: string;
+    /**
+     * Timestamp when the user was first stored.
+     */
+    createdAt: Date;
+    /**
+     * Timestamp when the user was last updated (e.g., on re-login).
+     */
+    updatedAt: Date;
+} & TExtended;
+/**
+ * Abstract interface for user storage backends.
+ *
+ * Consumers can implement this interface to use different storage backends:
+ * - In-memory (for development/testing)
+ * - Redis (for production with fast lookups)
+ * - Database (PostgreSQL, MySQL, etc.)
+ *
+ * @template TExtended - Type-safe custom data that consumers can add to users
+ *
+ * @example
+ * ```typescript
+ * // Custom user data
+ * type MyUserData = {
+ *   department: string;
+ *   roles: string[];
+ * };
+ *
+ * // Implement custom store
+ * class RedisUserStore implements UserStore<MyUserData> {
+ *   async get(sub: string): Promise<StoredUser<MyUserData> | null> {
+ *     const data = await redis.get(`user:${sub}`);
+ *     return data ? JSON.parse(data) : null;
+ *   }
+ *   // ... other methods
+ * }
+ * ```
+ */
+interface UserStore<TExtended = {}> {
+    /**
+     * Retrieve a user by their subject identifier (sub).
+     *
+     * @param sub - The user's unique identifier from the IdP
+     * @returns The user if found, null otherwise
+     */
+    get(sub: string): Promise<StoredUser<TExtended> | null>;
+    /**
+     * Retrieve a user by their email address.
+     *
+     * @param email - The user's email address
+     * @returns The user if found, null otherwise
+     */
+    getByEmail(email: string): Promise<StoredUser<TExtended> | null>;
+    /**
+     * Retrieve a user by their username.
+     *
+     * @param userName - The user's username
+     * @returns The user if found, null otherwise
+     */
+    getByUserName(userName: string): Promise<StoredUser<TExtended> | null>;
+    /**
+     * Create or update a user in the store.
+     *
+     * If a user with the same `id` (sub) exists, it will be updated.
+     * Otherwise, a new user will be created.
+     *
+     * @param user - The user data to store
+     */
+    upsert(user: StoredUser<TExtended>): Promise<void>;
+    /**
+     * Delete a user by their subject identifier (sub).
+     *
+     * @param sub - The user's unique identifier to delete
+     */
+    delete(sub: string): Promise<void>;
+}
+/**
+ * In-memory user store implementation using Maps.
+ *
+ * Suitable for:
+ * - Development and testing
+ * - Single-server deployments
+ * - Applications without high availability requirements
+ *
+ * NOT suitable for:
+ * - Multi-server deployments (users not shared)
+ * - High availability scenarios (users lost on restart)
+ * - Production applications with distributed architecture
+ *
+ * For production, implement UserStore with Redis or a database.
+ *
+ * @template TExtended - Type-safe custom data that consumers can add to users
+ */
+declare class InMemoryUserStore<TExtended = {}> implements UserStore<TExtended> {
+    /** Primary storage: sub -> user */
+    private users;
+    /** Secondary index: email -> sub */
+    private emailIndex;
+    /** Secondary index: userName -> sub */
+    private userNameIndex;
+    get(sub: string): Promise<StoredUser<TExtended> | null>;
+    getByEmail(email: string): Promise<StoredUser<TExtended> | null>;
+    getByUserName(userName: string): Promise<StoredUser<TExtended> | null>;
+    upsert(user: StoredUser<TExtended>): Promise<void>;
+    delete(sub: string): Promise<void>;
+}
+
+/**
+ * JWT Assertion Claims for OAuth2 JWT Bearer Grant (RFC 7523) and OAuth2 Access Tokens
+ * @see https://datatracker.ietf.org/doc/html/rfc7523
+ * @see https://datatracker.ietf.org/doc/html/rfc9068
+ */
+interface JWTAssertionClaims {
+    /**
+     * REQUIRED. Issuer - the workload identity (e.g., SPIFFE ID) or authorization server
+     */
+    iss: string;
+    /**
+     * REQUIRED. Subject - the workload identity or service account
+     */
+    sub: string;
+    /**
+     * OPTIONAL. Audience - may be a string or array of strings
+     * Note: Required for JWT assertions, but may be absent in OAuth2 access tokens
+     */
+    aud?: string | string[];
+    /**
+     * REQUIRED. Expiration time (Unix timestamp)
+     */
+    exp: number;
+    /**
+     * REQUIRED. Issued at time (Unix timestamp)
+     */
+    iat: number;
+    /**
+     * OPTIONAL. JWT ID - unique identifier for this token
+     * Note: Required for JWT assertions, optional for access tokens
+     */
+    jti?: string;
+    /**
+     * OPTIONAL. Requested OAuth scopes (space-delimited)
+     */
+    scope?: string;
+    /**
+     * Allow additional claims for extensibility
+     */
+    [key: string]: unknown;
+}
+/**
+ * Creates a StandardSchemaV1 for validating JWT Assertion Claims.
+ * @param vendor - The name of the vendor creating this schema
+ * @returns A StandardSchemaV1 instance for JWT Assertion Claims validation
+ */
+declare function jwtAssertionClaimsSchema(vendor: string): StandardSchemaV1<Record<string, unknown>, JWTAssertionClaims>;
+/**
+ * Workload Token Response from OAuth2 token endpoint
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.1
+ */
+interface WorkloadTokenResponse {
+    /**
+     * REQUIRED. The access token issued by the authorization server.
+     */
+    access_token: string;
+    /**
+     * REQUIRED. The type of the token (typically "Bearer").
+     */
+    token_type: string;
+    /**
+     * RECOMMENDED. The lifetime in seconds of the access token.
+     */
+    expires_in?: number;
+    /**
+     * OPTIONAL. The scope of the access token.
+     */
+    scope?: string;
+    /**
+     * OPTIONAL. The refresh token (rarely used for workload identities).
+     */
+    refresh_token?: string;
+    /**
+     * OPTIONAL. The expiration time as an ISO 8601 string.
+     */
+    expires?: string;
+}
+/**
+ * Creates a StandardSchemaV1 for validating Workload Token Responses.
+ * @param vendor - The name of the vendor creating this schema
+ * @returns A StandardSchemaV1 instance for Workload Token Response validation
+ */
+declare function workloadTokenResponseSchema(vendor: string): StandardSchemaV1<Record<string, unknown>, WorkloadTokenResponse>;
+/**
+ * Token Validation Result
+ */
+interface TokenValidationResult {
+    /**
+     * Whether the token is valid
+     */
+    valid: boolean;
+    /**
+     * The decoded and validated claims (if valid)
+     */
+    claims?: JWTAssertionClaims;
+    /**
+     * Error message (if invalid)
+     */
+    error?: string;
+    /**
+     * Token expiration time (if valid)
+     */
+    expiresAt?: Date;
+}
+
+/**
+ * Token caching for workload identity authentication.
+ *
+ * Token stores are optional but recommended for performance - they enable:
+ * - Token caching to avoid repeated token acquisition
+ * - Automatic token refresh before expiration
+ * - Reduced load on authorization servers
+ *
+ * ## Token Caching Strategy
+ *
+ * Unlike session stores for user authentication, workload token stores cache
+ * short-lived access tokens (typically 5 minutes) for service-to-service calls.
+ *
+ * **Default Behavior:**
+ * - Tokens cached with 5-minute TTL
+ * - Auto-refresh 60 seconds before expiration
+ * - Expired tokens automatically removed
+ *
+ * ## Performance Characteristics
+ *
+ * | Backend      | Lookup Time | Use Case                    |
+ * |--------------|-------------|----------------------------|
+ * | InMemory     | <0.00005ms  | Single-server deployments  |
+ * | Redis        | 1-2ms       | Multi-server deployments   |
+ * | Database     | 5-20ms      | Persistent token storage   |
+ *
+ * ## Example Usage
+ *
+ * ```typescript
+ * import { workload, InMemoryWorkloadTokenStore } from '@enterprisestandard/react/server';
+ *
+ * // With token caching
+ * const workloadAuth = workload({
+ *   // ... other config
+ *   token_store: new InMemoryWorkloadTokenStore(),
+ *   auto_refresh: true,  // Refresh before expiry
+ * });
+ *
+ * // Without token caching (fetch new token each time)
+ * const workloadAuth = workload({
+ *   // ... config without token_store
+ * });
+ * ```
+ */
+/**
+ * Cached workload token data.
+ *
+ * @template TExtended - Type-safe custom data that consumers can add to cached tokens
+ */
+type CachedWorkloadToken<TExtended = object> = {
+    /**
+     * Workload identifier (typically SPIFFE ID).
+     * Used as the primary key for token lookup.
+     */
+    workload_id: string;
+    /**
+     * OAuth2 access token (Bearer token)
+     */
+    access_token: string;
+    /**
+     * Token type (always "Bearer" for OAuth2)
+     */
+    token_type: string;
+    /**
+     * OAuth2 scopes granted for this token
+     */
+    scope?: string;
+    /**
+     * Timestamp when the token expires.
+     * Used for automatic cleanup and refresh logic.
+     */
+    expires_at: Date;
+    /**
+     * Timestamp when the token was created/cached.
+     */
+    created_at: Date;
+    /**
+     * Optional refresh token (rarely used for workload identities)
+     */
+    refresh_token?: string;
+} & TExtended;
+/**
+ * Abstract interface for workload token storage backends.
+ *
+ * Consumers can implement this interface to use different storage backends:
+ * - Redis (recommended for multi-server deployments)
+ * - Database (PostgreSQL, MySQL, etc. for persistence)
+ * - Distributed cache (Memcached, etc.)
+ * - Custom solutions
+ *
+ * @template TExtended - Type-safe custom data that consumers can add to cached tokens
+ *
+ * @example
+ * ```typescript
+ * // Custom token cache data
+ * type MyTokenData = {
+ *   environment: string;
+ *   region: string;
+ * };
+ *
+ * // Implement custom store with Redis
+ * class RedisWorkloadTokenStore implements WorkloadTokenStore<MyTokenData> {
+ *   async set(token: CachedWorkloadToken<MyTokenData>): Promise<void> {
+ *     const ttl = Math.floor((token.expires_at.getTime() - Date.now()) / 1000);
+ *     await redis.setex(
+ *       `workload:token:${token.workload_id}`,
+ *       ttl,
+ *       JSON.stringify(token)
+ *     );
+ *   }
+ *
+ *   async get(workload_id: string): Promise<CachedWorkloadToken<MyTokenData> | null> {
+ *     const data = await redis.get(`workload:token:${workload_id}`);
+ *     if (!data) return null;
+ *     const token = JSON.parse(data);
+ *     // Convert date strings back to Date objects
+ *     token.expires_at = new Date(token.expires_at);
+ *     token.created_at = new Date(token.created_at);
+ *     return token;
+ *   }
+ *
+ *   // ... other methods
+ * }
+ * ```
+ */
+interface WorkloadTokenStore<TExtended = object> {
+    /**
+     * Store or update a workload token in the cache.
+     *
+     * @param token - The token data to cache
+     */
+    set(token: CachedWorkloadToken<TExtended>): Promise<void>;
+    /**
+     * Retrieve a cached token by workload ID.
+     *
+     * @param workload_id - The workload identifier (e.g., SPIFFE ID)
+     * @returns The cached token if found and not expired, null otherwise
+     */
+    get(workload_id: string): Promise<CachedWorkloadToken<TExtended> | null>;
+    /**
+     * Delete a cached token by workload ID.
+     *
+     * Used when explicitly revoking tokens or clearing cache.
+     *
+     * @param workload_id - The workload identifier to remove
+     */
+    delete(workload_id: string): Promise<void>;
+    /**
+     * Check if a valid (non-expired) token exists for a workload.
+     *
+     * @param workload_id - The workload identifier to check
+     * @returns true if a valid token exists, false otherwise
+     */
+    isValid(workload_id: string): Promise<boolean>;
+    /**
+     * Remove all expired tokens from the cache.
+     *
+     * Should be called periodically to prevent memory leaks.
+     */
+    cleanup(): Promise<void>;
+}
+/**
+ * In-memory workload token store implementation using Maps.
+ *
+ * Suitable for:
+ * - Development and testing
+ * - Single-server deployments
+ * - Applications without high availability requirements
+ *
+ * NOT suitable for:
+ * - Multi-server deployments (tokens not shared across instances)
+ * - High availability scenarios (tokens lost on restart)
+ * - Production applications with distributed architecture
+ *
+ * For production multi-server deployments, implement WorkloadTokenStore with Redis.
+ *
+ * @template TExtended - Type-safe custom data that consumers can add to cached tokens
+ */
+declare class InMemoryWorkloadTokenStore<TExtended = object> implements WorkloadTokenStore<TExtended> {
+    private tokens;
+    set(token: CachedWorkloadToken<TExtended>): Promise<void>;
+    get(workload_id: string): Promise<CachedWorkloadToken<TExtended> | null>;
+    delete(workload_id: string): Promise<void>;
+    isValid(workload_id: string): Promise<boolean>;
+    cleanup(): Promise<void>;
+}
+
+/**
+ * Common fields shared across all workload authentication modes
+ */
+type WorkloadConfigBase = {
+    /**
+     * OAuth2 token endpoint URL
+     * REQUIRED for client role (token acquisition)
+     */
+    token_url?: string;
+    /**
+     * JWKS endpoint URL for public key retrieval
+     * REQUIRED for server role (token validation)
+     */
+    jwks_uri?: string;
+    /**
+     * Expected token issuer URL for validation
+     * RECOMMENDED for server role (token validation)
+     */
+    issuer?: string;
+    /**
+     * Target audience for tokens
+     */
+    audience?: string;
+    /**
+     * Default OAuth2 scopes (space-delimited)
+     */
+    scope?: string;
+    /**
+     * JWT assertion/token lifetime in seconds
+     * @default 300 (5 minutes)
+     */
+    token_lifetime?: number;
+    /**
+     * Refresh threshold in seconds (refresh token this many seconds before expiry)
+     * @default 60
+     */
+    refresh_threshold?: number;
+    /**
+     * Optional token store for caching access tokens
+     */
+    token_store?: WorkloadTokenStore;
+    /**
+     * Automatically refresh tokens before expiration
+     * @default true
+     */
+    auto_refresh?: boolean;
+    /**
+     * Optional RFC 7009 token revocation endpoint
+     */
+    revocation_endpoint?: string;
+    /**
+     * Optional handler defaults (merged with per-call overrides in `handler`)
+     */
+    tokenUrl?: string;
+    validateUrl?: string;
+    jwksUrl?: string;
+    refreshUrl?: string;
+    validation?: {
+        jwtAssertionClaims?: StandardSchemaV1<unknown, JWTAssertionClaims>;
+        tokenResponse?: StandardSchemaV1<unknown, WorkloadTokenResponse>;
+    };
+};
+/**
+ * JWT Bearer Grant (RFC 7523) Configuration
+ *
+ * Used for SPIFFE-style workload identities where services have their own
+ * cryptographic identity and sign their own JWT assertions.
+ *
+ * @example
+ * ```json
+ * {
+ *   "token_url": "https://auth.example.com/oauth/token",
+ *   "jwks_uri": "https://auth.example.com/.well-known/jwks.json",
+ *   "workload_id": "spiffe://trust-domain/ns/service",
+ *   "audience": "https://auth.example.com/oauth/token",
+ *   "private_key": "-----BEGIN PRIVATE KEY-----...",
+ *   "algorithm": "RS256"
+ * }
+ * ```
+ */
+type JwtBearerWorkloadConfig = WorkloadConfigBase & {
+    /**
+     * Workload identifier (e.g., SPIFFE ID: spiffe://trust-domain/namespace/service)
+     * REQUIRED for JWT Bearer Grant mode
+     */
+    workload_id?: string;
+    /**
+     * PEM-encoded private key for signing JWT assertions
+     * REQUIRED for client role in JWT Bearer Grant mode
+     */
+    private_key?: string;
+    /**
+     * Key ID (kid) to include in JWT header for key rotation support
+     */
+    key_id?: string;
+    /**
+     * JWT signing algorithm
+     * @default 'RS256'
+     */
+    algorithm?: 'RS256' | 'RS384' | 'RS512' | 'ES256' | 'ES384' | 'ES512';
+};
+/**
+ * OAuth2 Client Credentials Configuration
+ *
+ * Standard OAuth2 Client Credentials Grant (RFC 6749 Section 4.4).
+ * Used with identity providers like Keycloak for service-to-service authentication.
+ *
+ * @example
+ * ```json
+ * {
+ *   "token_url": "https://sso.example.com/realms/myrealm/protocol/openid-connect/token",
+ *   "jwks_uri": "https://sso.example.com/realms/myrealm/protocol/openid-connect/certs",
+ *   "client_id": "my-service",
+ *   "client_secret": "secret-from-idp",
+ *   "issuer": "https://sso.example.com/realms/myrealm",
+ *   "scope": "api:read api:write"
+ * }
+ * ```
+ */
+type ClientCredentialsWorkloadConfig = WorkloadConfigBase & {
+    /**
+     * OAuth2 client identifier registered with the authorization server
+     * REQUIRED for Client Credentials mode
+     */
+    client_id?: string;
+    /**
+     * OAuth2 client secret
+     * REQUIRED for Client Credentials mode
+     */
+    client_secret?: string;
+};
+/**
+ * Server-Only Workload Configuration
+ *
+ * Used when a service only needs to validate incoming workload tokens,
+ * not acquire tokens for outbound calls. Requires only jwks_uri for
+ * public key retrieval.
+ *
+ * @example
+ * ```json
+ * {
+ *   "jwks_uri": "https://sso.example.com/realms/myrealm/protocol/openid-connect/certs",
+ *   "issuer": "https://sso.example.com/realms/myrealm"
+ * }
+ * ```
+ */
+type ServerOnlyWorkloadConfig = WorkloadConfigBase;
+/**
+ * Workload Identity Authentication Configuration
+ *
+ * Union type supporting multiple authentication modes. The mode is automatically
+ * detected based on which fields are present:
+ *
+ * - **JWT Bearer Grant**: Requires `workload_id` + `private_key`
+ * - **Client Credentials**: Requires `client_id` + `client_secret`
+ * - **Server-Only**: Only `jwks_uri` (and optionally `issuer`) for token validation
+ *
+ * The developer uses the same API regardless of mode - the library handles the details.
+ */
+type WorkloadConfig = JwtBearerWorkloadConfig | ClientCredentialsWorkloadConfig | ServerOnlyWorkloadConfig;
+/**
+ * Workload Identity extracted from validated tokens
+ */
+type WorkloadIdentity = {
+    /**
+     * Workload identifier (for JWT Bearer Grant tokens)
+     */
+    workload_id?: string;
+    /**
+     * Client identifier (for OAuth2 Client Credentials tokens)
+     */
+    client_id?: string;
+    /**
+     * Granted scopes
+     */
+    scope?: string;
+    /**
+     * Full JWT claims from the token
+     */
+    claims: JWTAssertionClaims;
+};
+/**
+ * Workload Identity Authentication Interface
+ */
+type Workload = WorkloadConfig & {
+    getToken: (scope?: string) => Promise<string>;
+    refreshToken: () => Promise<WorkloadTokenResponse>;
+    generateJWTAssertion: (scope?: string) => Promise<string>;
+    revokeToken: (token: string) => Promise<void>;
+    validateToken: (token: string, validation?: WorkloadConfig['validation']) => Promise<TokenValidationResult>;
+    getWorkload: (request: Request) => Promise<WorkloadIdentity | undefined>;
+    parseJWT: (token: string, validation?: WorkloadConfig['validation']) => Promise<JWTAssertionClaims>;
+    handler: (request: Request) => Promise<Response>;
+};
+/**
+ * Create a workload identity authentication instance
+ *
+ * @param config - Workload authentication configuration
+ * @returns Workload authentication interface
+ *
+ * @example
+ * ```typescript
+ * import { workload } from '@enterprisestandard/react';
+ *
+ * const workloadAuth = workload({
+ *   token_url: 'https://auth.example.com/oauth/token',
+ *   jwks_uri: 'https://auth.example.com/.well-known/jwks.json',
+ *   workload_id: 'spiffe://trust-domain/ns/service',
+ *   audience: 'https://auth.example.com/oauth/token',
+ *   private_key: '-----BEGIN PRIVATE KEY-----...',
+ *   algorithm: 'RS256',
+ * });
+ *
+ * // Get access token
+ * const token = await workloadAuth.getToken('api:read api:write');
+ * ```
+ */
+declare function workload(config?: WorkloadConfig): Workload;
+
+/**
+ * SCIM Error response structure
+ */
+interface ScimError {
+    schemas: string[];
+    status: string;
+    scimType?: string;
+    detail?: string;
+}
+/**
+ * SCIM List Response for bulk operations
+ */
+interface ScimListResponse<T> {
+    schemas: string[];
+    totalResults: number;
+    startIndex?: number;
+    itemsPerPage?: number;
+    Resources: T[];
+}
+/**
+ * Result of a SCIM operation
+ */
+interface ScimResult<T> {
+    success: boolean;
+    data?: T;
+    error?: ScimError;
+    status: number;
+}
+/**
+ * Handler configuration for IAM
+ */
+interface IAMHandlerConfig {
+    /**
+     * Base path for the SCIM Users endpoints (e.g., '/api/iam/Users')
+     */
+    usersUrl?: string;
+    /**
+     * Base path for the SCIM Groups endpoints (e.g., '/api/iam/Groups')
+     */
+    groupsUrl?: string;
+}
+/**
+ * IAM configuration
+ *
+ * - If `url` is provided, groups_outbound is enabled (app calls external IAM)
+ * - If `group_store` is provided, groups_inbound is enabled (external IAM calls app)
+ * - If `user_store` is provided, users_inbound is enabled (external IAM calls app)
+ */
+type IAMConfig = {
+    /**
+     * Base URL of the external SCIM endpoint (e.g., https://sailpoint.example.com/scim/v2)
+     * If provided, enables outbound SCIM operations (app -> external IAM)
+     */
+    url?: string;
+    /**
+     * Store for inbound user provisioning from external IAM providers.
+     * When configured, the app can receive user CRUD operations via SCIM.
+     */
+    user_store?: UserStore;
+    /**
+     * Store for inbound group provisioning from external IAM providers.
+     * When configured, enables groups_inbound (external IAM -> app).
+     */
+    group_store?: GroupStore;
+    /**
+     * Optional handler defaults. These are merged with per-call overrides in
+     * `iam.handler`, with per-call values taking precedence.
+     */
+    usersUrl?: string;
+    groupsUrl?: string;
+};
+/**
+ * Options for creating a group
+ */
+interface CreateGroupOptions {
+    /**
+     * External identifier for the group
+     */
+    externalId?: string;
+    /**
+     * Initial members to add to the group
+     */
+    members?: GroupMember[];
+    /**
+     * Custom validation schema for the response
+     */
+    validation?: StandardSchemaV1<unknown, GroupResource>;
+}
+/**
+ * Options for creating a user
+ */
+interface CreateUserOptions {
+    /**
+     * Custom validation schema for the response
+     */
+    validation?: StandardSchemaV1<unknown, User$1>;
+}
+/**
+ * Handler configuration for groups_inbound
+ */
+interface GroupsInboundHandlerConfig {
+    /**
+     * Base path for the SCIM Groups endpoints (e.g., '/api/iam/Groups')
+     */
+    basePath?: string;
+}
+/**
+ * Handler configuration for users_inbound
+ */
+interface UsersInboundHandlerConfig {
+    /**
+     * Base path for the SCIM Users endpoints (e.g., '/api/iam/Users')
+     */
+    basePath?: string;
+}
+/**
+ * Groups Outbound extension - for creating groups in external IAM providers.
+ * Enabled when `url` is configured in IAMConfig.
+ */
+type IAMGroupsOutbound = {
+    /**
+     * Create a new group in the external IAM provider
+     * @param displayName - The display name for the group
+     * @param options - Optional configuration for the group creation
+     * @returns The created group resource from the provider
+     */
+    createGroup: (displayName: string, options?: CreateGroupOptions) => Promise<ScimResult<GroupResource>>;
+};
+/**
+ * Groups Inbound extension - for receiving group provisioning from external IAM providers.
+ * Enabled when `group_store` is configured in IAMConfig.
+ */
+type IAMGroupsInbound = {
+    /**
+     * Handle inbound SCIM requests for group management.
+     * Routes: GET/POST /Groups, GET/PUT/PATCH/DELETE /Groups/:id
+     */
+    handler: (request: Request, config?: GroupsInboundHandlerConfig) => Promise<Response>;
+};
+/**
+ * Users Inbound extension - for receiving user provisioning from external IAM providers.
+ * Enabled when `user_store` is configured in IAMConfig.
+ */
+type IAMUsersInbound = {
+    /**
+     * Handle inbound SCIM requests for user management.
+     * Routes: GET/POST /Users, GET/PUT/PATCH/DELETE /Users/:id
+     */
+    handler: (request: Request, config?: UsersInboundHandlerConfig) => Promise<Response>;
+};
+/**
+ * Core IAM service interface.
+ *
+ * - Core functions are user-related (outbound to external IAM)
+ * - `groups_outbound` is available when `url` is configured
+ * - `groups_inbound` is available when `group_store` is configured
+ * - `users_inbound` is available when `user_store` is configured
+ */
+type IAM = IAMConfig & {
+    /**
+     * Create a new user/account in the external IAM provider
+     * Only available when `url` is configured.
+     */
+    createUser?: (user: User$1, options?: CreateUserOptions) => Promise<ScimResult<User$1>>;
+    /**
+     * Get the configured external SCIM base URL
+     */
+    getBaseUrl: () => string | undefined;
+    /**
+     * Groups Outbound extension - create groups in external IAM provider.
+     * Available when `url` is configured in IAMConfig.
+     */
+    groups_outbound?: IAMGroupsOutbound;
+    /**
+     * Groups Inbound extension - receive group provisioning from external IAM.
+     * Available when `group_store` is configured in IAMConfig.
+     */
+    groups_inbound?: IAMGroupsInbound;
+    /**
+     * Users Inbound extension - receive user provisioning from external IAM.
+     * Available when `user_store` is configured in IAMConfig.
+     */
+    users_inbound?: IAMUsersInbound;
+    /**
+     * Framework-agnostic request handler for IAM endpoints.
+     * Routes to users_inbound or groups_inbound handlers based on the request path.
+     */
+    handler: (request: Request, config?: IAMHandlerConfig) => Promise<Response>;
+};
+/**
+ * Creates an IAM service instance.
+ *
+ * - If `url` is configured, enables outbound SCIM operations to external IAM
+ * - If `group_store` is configured, enables inbound SCIM operations from external IAM
+ *
+ * @param config - IAM configuration
+ * @param workload - Workload instance for authentication
+ * @returns IAM service instance
+ */
+declare function iam(config: IAMConfig, workload: Workload): IAM;
+
+/**
+ * Session management for tracking user sessions and enabling backchannel logout.
+ *
+ * Session stores are optional - the package works with JWT cookies alone.
+ * Sessions are only required for backchannel logout functionality.
+ *
+ * ## Session Validation Strategies
+ *
+ * When using a session store, you can configure when sessions are validated:
+ *
+ * ### 'always' (default)
+ * Validates session on every authenticated request.
+ * - **Security**: Maximum - immediate session revocation
+ * - **Performance**: InMemory ~0.00005ms, Redis ~1-2ms per request
+ * - **Backchannel Logout**: Takes effect immediately
+ * - **Use when**: Security is paramount, using InMemory or Redis backend
+ *
+ * ### 'refresh-only'
+ * Validates session only during token refresh (typically every 5-15 minutes).
+ * - **Security**: Good - 5-15 minute revocation window
+ * - **Performance**: 99% reduction in session lookups
+ * - **Backchannel Logout**: Takes effect within token TTL (5-15 min)
+ * - **Use when**: Performance is critical AND delayed revocation is acceptable
+ * - **WARNING**: Compromised sessions remain valid until next refresh
+ *
+ * ### 'disabled'
+ * Never validates sessions against the store.
+ * - **Security**: None - backchannel logout doesn't work
+ * - **Performance**: No overhead
+ * - **Use when**: Cookie-only mode without session store
+ * - **WARNING**: Do not use with session_store configured
+ *
+ * ## Performance Characteristics
+ *
+ * | Backend      | Lookup Time | Impact on Request | Recommendation         |
+ * |--------------|-------------|-------------------|------------------------|
+ * | InMemory     | <0.00005ms  | Negligible        | Use 'always'           |
+ * | Redis        | 1-2ms       | 2-4% increase     | Use 'always' or test   |
+ * | Database     | 5-20ms      | 10-40% increase   | Use Redis cache layer  |
+ *
+ * ## Example Usage
+ *
+ * ```typescript
+ * import { sso, InMemorySessionStore } from '@enterprisestandard/react/server';
+ *
+ * // Maximum security (default)
+ * const secure = sso({
+ *   // ... other config
+ *   session_store: new InMemorySessionStore(),
+ *   session_validation: 'always', // Immediate revocation
+ * });
+ *
+ * // High performance
+ * const fast = sso({
+ *   // ... other config
+ *   session_store: new InMemorySessionStore(),
+ *   session_validation: {
+ *     strategy: 'refresh-only' // 5-15 min revocation delay
+ *   }
+ * });
+ * ```
+ */
+/**
+ * Core session data tracked for each authenticated user session.
+ *
+ * @template TExtended - Type-safe custom data that consumers can add to sessions
+ */
+type Session<TExtended = {}> = {
+    /**
+     * Session ID from the Identity Provider (from `sid` claim in ID token).
+     * This is the unique identifier for the session.
+     */
+    sid: string;
+    /**
+     * Subject identifier (user ID) from the Identity Provider.
+     * From the `sub` claim in the ID token.
+     */
+    sub: string;
+    /**
+     * Timestamp when the session was created.
+     */
+    createdAt: Date;
+    /**
+     * Timestamp of the last activity in this session.
+     * Can be updated to track session activity.
+     */
+    lastActivityAt: Date;
+    /**
+     * Allow consumers to add runtime data to sessions.
+     */
+    [key: string]: unknown;
+} & TExtended;
+/**
+ * Abstract interface for session storage backends.
+ *
+ * Consumers can implement this interface to use different storage backends:
+ * - Redis
+ * - Database (PostgreSQL, MySQL, etc.)
+ * - Distributed cache
+ * - Custom solutions
+ *
+ * @template TExtended - Type-safe custom data that consumers can add to sessions
+ *
+ * @example
+ * ```typescript
+ * // Custom session data
+ * type MySessionData = {
+ *   ipAddress: string;
+ *   userAgent: string;
+ * };
+ *
+ * // Implement custom store
+ * class RedisSessionStore implements SessionStore<MySessionData> {
+ *   async create(session: Session<MySessionData>): Promise<void> {
+ *     await redis.set(`session:${session.sid}`, JSON.stringify(session));
+ *   }
+ *   // ... other methods
+ * }
+ * ```
+ */
+interface SessionStore<TExtended = {}> {
+    /**
+     * Create a new session in the store.
+     *
+     * @param session - The session data to store
+     * @throws Error if session with same sid already exists
+     */
+    create(session: Session<TExtended>): Promise<void>;
+    /**
+     * Retrieve a session by its IdP session ID (sid).
+     *
+     * @param sid - The session.sid from the Identity Provider
+     * @returns The session if found, null otherwise
+     */
+    get(sid: string): Promise<Session<TExtended> | null>;
+    /**
+     * Update an existing session with partial data.
+     *
+     * Commonly used to update lastActivityAt or add custom fields.
+     *
+     * @param sid - The session.sid to update
+     * @param data - Partial session data to merge
+     * @throws Error if session not found
+     */
+    update(sid: string, data: Partial<Session<TExtended>>): Promise<void>;
+    /**
+     * Delete a session by its IdP session ID (sid).
+     *
+     * Used for both normal logout and backchannel logout flows.
+     *
+     * @param sid - The session.sid to delete
+     */
+    delete(sid: string): Promise<void>;
+}
+/**
+ * In-memory session store implementation using Maps.
+ *
+ * Suitable for:
+ * - Development and testing
+ * - Single-server deployments
+ * - Applications without high availability requirements
+ *
+ * NOT suitable for:
+ * - Multi-server deployments (sessions not shared)
+ * - High availability scenarios (sessions lost on restart)
+ * - Production applications with distributed architecture
+ *
+ * For production, implement SessionStore with Redis or a database.
+ *
+ * @template TExtended - Type-safe custom data that consumers can add to sessions
+ */
+declare class InMemorySessionStore<TExtended = {}> implements SessionStore<TExtended> {
+    private sessions;
+    create(session: Session<TExtended>): Promise<void>;
+    get(sid: string): Promise<Session<TExtended> | null>;
+    update(sid: string, data: Partial<Session<TExtended>>): Promise<void>;
+    delete(sid: string): Promise<void>;
+}
+
+type SSOConfig<TSessionData = {}, TUserData = {}> = {
+    authority?: string;
+    token_url?: string;
+    authorization_url?: string;
+    client_id?: string;
+    client_secret?: string;
+    redirect_uri?: string;
+    response_type?: 'code';
+    scope?: string;
+    silent_redirect_uri?: string;
+    jwks_uri?: string;
+    cookies_prefix?: string;
+    cookies_path?: string;
+    cookies_secure?: boolean;
+    cookies_same_site?: 'Strict' | 'Lax';
+    end_session_endpoint?: string;
+    revocation_endpoint?: string;
+    session_store?: SessionStore<TSessionData>;
+    /**
+     * Optional handler defaults. These are merged with per-call overrides in
+     * `sso.handler`, with per-call values taking precedence.
+     */
+    loginUrl?: string;
+    userUrl?: string;
+    errorUrl?: string;
+    landingUrl?: string;
+    tokenUrl?: string;
+    refreshUrl?: string;
+    jwksUrl?: string;
+    logoutUrl?: string;
+    logoutBackChannelUrl?: string;
+    validation?: {
+        callbackParams?: StandardSchemaV1<unknown, OidcCallbackParams>;
+        idTokenClaims?: StandardSchemaV1<unknown, IdTokenClaims>;
+        tokenResponse?: StandardSchemaV1<unknown, TokenResponse>;
+    };
+    /**
+     * Optional user store for persisting user profiles from SSO authentication.
+     * When configured, users are automatically stored/updated on each login.
+     */
+    user_store?: UserStore<TUserData>;
+    /**
+     * Enable Just-In-Time (JIT) user provisioning.
+     * When enabled, new users are automatically created in the user_store on their first login.
+     * When disabled (default), only existing users in the user_store are updated on login.
+     * Requires user_store to be configured.
+     * @default false
+     */
+    enable_jit_user_provisioning?: boolean;
+};
+type SSOConfigWithDefaults<TSessionData = {}, TUserData = {}> = SSOConfig<TSessionData, TUserData> & {
+    authority: string;
+    token_url: string;
+    authorization_url: string;
+    client_id: string;
+    redirect_uri: string;
+    response_type: 'code';
+    scope: string;
+    cookies_secure: boolean;
+    cookies_same_site: string;
+    cookies_prefix: string;
+    cookies_path: string;
+};
+type ESConfig$1 = {
+    es?: EnterpriseStandard;
+};
+type LoginConfig = {
+    landingUrl: string;
+    errorUrl?: string;
+} & ESConfig$1;
+type SSOHandlerConfig = {
+    loginUrl?: string;
+    userUrl?: string;
+    errorUrl?: string;
+    landingUrl?: string;
+    tokenUrl?: string;
+    refreshUrl?: string;
+    jwksUrl?: string;
+    logoutUrl?: string;
+    logoutBackChannelUrl?: string;
+    validation?: {
+        callbackParams?: StandardSchemaV1<unknown, OidcCallbackParams>;
+        idTokenClaims?: StandardSchemaV1<unknown, IdTokenClaims>;
+        tokenResponse?: StandardSchemaV1<unknown, TokenResponse>;
+    };
+} & ESConfig$1;
+type SSO<TSessionData = {}, TUserData = {}> = SSOConfigWithDefaults<TSessionData, TUserData> & {
+    getUser: (request: Request) => Promise<User | undefined>;
+    getRequiredUser: (request: Request) => Promise<User>;
+    getJwt: (request: Request) => Promise<string | undefined>;
+    initiateLogin: (config: LoginConfig, requestUrl?: string) => Promise<Response>;
+    logout: (request: Request, config?: LoginConfig) => Promise<Response>;
+    callbackHandler: (request: Request) => Promise<Response>;
+    handler: (request: Request, es?: EnterpriseStandard) => Promise<Response>;
+};
+declare function sso<TSessionData = {}, TUserData = {}>(config?: SSOConfig<TSessionData, TUserData>): SSO<TSessionData, TUserData>;
+
+type Secret<T> = {
+    data: T;
+    metadata: MetaData;
+};
+type MetaData = {
+    created_time: string;
+    deletion_time: string;
+    destroyed: boolean;
+    version: number;
+};
+type Vault = {
+    url: string;
+    getFullSecret: <T>(path: string, token: string) => Promise<Secret<T>>;
+    getSecret: <T>(path: string, token: string) => Promise<T>;
+};
+declare function vault(url: string): Vault;
+
+/**
+ * Tenant Management SDK
+ *
+ * Provides helper functions for applications to implement tenant creation endpoints
+ * that ESVS can test. Supports both synchronous (201) and asynchronous (202)
+ * tenant creation with webhook-based status updates.
+ */
+/**
+ * Environment type for tenant creation
+ */
+type EnvironmentType = 'POC' | 'DEV' | 'QA' | 'PROD';
+/**
+ * Status of tenant creation process
+ */
+type TenantStatus = 'pending' | 'processing' | 'completed' | 'failed';
+/**
+ * Request payload from ESVS for creating a tenant
+ */
+interface CreateTenantRequest {
+    /**
+     * Required app identifier to use when initializing EnterpriseStandard for this tenant.
+     * This is the primary identifier for tenant management. A company can have multiple
+     * applications (e.g., one instance on the east coast, one on the west coast).
+     */
+    appId: string;
+    /**
+     * Company ID (used for reporting purposes only, not for tenant identification)
+     */
+    companyId: string;
+    /**
+     * Company Name
+     */
+    companyName: string;
+    /**
+     * Environment Type (POC, DEV, QA, PROD)
+     */
+    environmentType: EnvironmentType;
+    /**
+     * Email (The email or distribution list used to communicate to the team)
+     */
+    email: string;
+    /**
+     * Webhook URL where the application can send updates around the creation of the tenant
+     */
+    webhookUrl: string;
+}
+/**
+ * Response payload for tenant creation
+ */
+interface CreateTenantResponse {
+    /**
+     * URL that the tenant will be available at
+     */
+    tenantUrl: string;
+    /**
+     * Current status of tenant creation
+     */
+    status: TenantStatus;
+}
+/**
+ * Payload sent to webhook URL for status updates
+ */
+interface TenantWebhookPayload {
+    /**
+     * Company ID
+     */
+    companyId: string;
+    /**
+     * Current status of tenant creation
+     */
+    status: TenantStatus;
+    /**
+     * URL that the tenant will be available at (provided once creation completes)
+     */
+    tenantUrl?: string;
+    /**
+     * Error message (only present if status is "failed")
+     */
+    error?: string;
+}
+/**
+ * Error thrown when tenant request validation fails
+ */
+declare class TenantRequestError extends Error {
+    constructor(message: string);
+}
+/**
+ * Serializes an ESConfig or EnterpriseStandard instance to a JSON-serializable format
+ * by removing non-serializable properties like stores, validators, and functions.
+ *
+ * Since EnterpriseStandard now extends ESConfig, the config (including handler URLs)
+ * is accessible directly from the instance.
+ *
+ * @param configOrES - The ESConfig object or EnterpriseStandard instance to serialize
+ * @returns A JSON-serializable version of the config
+ */
+declare function serializeESConfig(configOrES: any): any;
+/**
+ * Parse and validate a tenant creation request from an HTTP request.
+ *
+ * @param request - The HTTP request containing the tenant creation data
+ * @returns The validated tenant creation request
+ * @throws {TenantRequestError} If the request is invalid or missing required fields
+ *
+ * @example
+ * ```typescript
+ * app.post('/api/tenant', async (c) => {
+ *   try {
+ *     const tenantRequest = await parseTenantRequest(c.req.raw);
+ *     // Create tenant...
+ *   } catch (error) {
+ *     if (error instanceof TenantRequestError) {
+ *       return c.json({ error: error.message }, 400);
+ *     }
+ *     throw error;
+ *   }
+ * });
+ * ```
+ */
+declare function parseTenantRequest(request: Request): Promise<CreateTenantRequest>;
+/**
+ * Send a webhook update to ESVS with tenant creation status.
+ *
+ * @param webhookUrl - The webhook URL provided in the tenant creation request
+ * @param payload - The webhook payload with status and tenant information
+ * @throws Never throws - errors are logged but not propagated to avoid breaking tenant creation
+ *
+ * @example
+ * ```typescript
+ * // Send initial status
+ * await sendTenantWebhook(tenantRequest.webhookUrl, {
+ *   companyId: tenantRequest.companyId,
+ *   status: 'processing',
+ * });
+ *
+ * // Send completion status
+ * await sendTenantWebhook(tenantRequest.webhookUrl, {
+ *   companyId: tenantRequest.companyId,
+ *   status: 'completed',
+ *   tenantUrl: 'https://app.example.com/tenants/tenant-123',
+ * });
+ * ```
+ */
+declare function sendTenantWebhook(webhookUrl: string, payload: TenantWebhookPayload): Promise<void>;
+/**
+ * Stored tenant data with required appId and tracking metadata.
+ *
+ * @template TExtended - Type-safe custom data that consumers can add to tenants
+ */
+type StoredTenant<TExtended = {}> = {
+    /**
+     * Required app identifier used to initialize EnterpriseStandard for this tenant.
+     * This is the primary key for tenant storage. A company can have multiple
+     * applications (e.g., one instance on the east coast, one on the west coast).
+     */
+    appId: string;
+    /**
+     * Company ID (used for reporting purposes only, not for tenant identification)
+     */
+    companyId: string;
+    /**
+     * Company Name
+     */
+    companyName: string;
+    /**
+     * Environment Type (POC, DEV, QA, PROD)
+     */
+    environmentType: EnvironmentType;
+    /**
+     * Email (The email or distribution list used to communicate to the team)
+     */
+    email: string;
+    /**
+     * Webhook URL where the application can send updates around the creation of the tenant
+     */
+    webhookUrl: string;
+    /**
+     * URL that the tenant will be available at
+     */
+    tenantUrl?: string;
+    /**
+     * Current status of tenant creation
+     */
+    status: TenantStatus;
+    /**
+     * Error message (only present if status is "failed")
+     */
+    error?: string;
+    /**
+     * Timestamp when the tenant was first stored.
+     */
+    createdAt: Date;
+    /**
+     * Timestamp when the tenant was last updated.
+     */
+    updatedAt: Date;
+    /**
+     * Serialized Enterprise Standard configuration.
+     * This is a JSON-serializable version of the ESConfig with non-serializable items excluded.
+     */
+    config?: any;
+} & TExtended;
+/**
+ * Abstract interface for tenant storage backends.
+ *
+ * Consumers can implement this interface to use different storage backends:
+ * - In-memory (for development/testing)
+ * - Redis (for production with fast lookups)
+ * - Database (PostgreSQL, MySQL, etc.)
+ *
+ * @template TExtended - Type-safe custom data that consumers can add to tenants
+ */
+interface TenantStore<TExtended = {}> {
+    /**
+     * Retrieve a tenant by its app identifier.
+     *
+     * @param appId - The tenant's app identifier (primary key)
+     * @returns The tenant if found, null otherwise
+     */
+    get(appId: string): Promise<StoredTenant<TExtended> | null>;
+    /**
+     * Retrieve all tenants for a company ID.
+     * Since a company can have multiple applications, this returns an array.
+     *
+     * @param companyId - The company ID (used for reporting, not primary identification)
+     * @returns Array of tenants for the company, empty array if none found
+     */
+    getByCompanyId(companyId: string): Promise<StoredTenant<TExtended>[]>;
+    /**
+     * List all tenants in the store.
+     *
+     * @returns Array of all stored tenants
+     */
+    list(): Promise<StoredTenant<TExtended>[]>;
+    /**
+     * Create or update a tenant in the store.
+     *
+     * If a tenant with the same `appId` exists, it will be updated.
+     * Otherwise, a new tenant will be created.
+     *
+     * @param tenant - The tenant data to store
+     * @returns The stored tenant
+     */
+    upsert(tenant: StoredTenant<TExtended>): Promise<StoredTenant<TExtended>>;
+    /**
+     * Delete a tenant by its app identifier.
+     *
+     * @param appId - The tenant's app identifier to delete
+     */
+    delete(appId: string): Promise<void>;
+}
+/**
+ * In-memory tenant store implementation using Maps.
+ *
+ * Suitable for:
+ * - Development and testing
+ * - Single-server deployments
+ * - Applications without high availability requirements
+ *
+ * NOT suitable for:
+ * - Multi-server deployments (tenants not shared)
+ * - High availability scenarios (tenants lost on restart)
+ * - Production applications with distributed architecture
+ *
+ * For production, implement TenantStore with Redis or a database.
+ *
+ * @template TExtended - Type-safe custom data that consumers can add to tenants
+ */
+declare class InMemoryTenantStore<TExtended = {}> implements TenantStore<TExtended> {
+    /** Primary storage: appId -> tenant */
+    private tenants;
+    /** Secondary index: companyId -> Set of appIds (since one company can have multiple apps) */
+    private companyIdIndex;
+    get(appId: string): Promise<StoredTenant<TExtended> | null>;
+    getByCompanyId(companyId: string): Promise<StoredTenant<TExtended>[]>;
+    list(): Promise<StoredTenant<TExtended>[]>;
+    upsert(tenant: StoredTenant<TExtended>): Promise<StoredTenant<TExtended>>;
+    delete(appId: string): Promise<void>;
+}
+
+/**
+ * Get the workload identity from an incoming request.
+ * Returns undefined if no valid workload token is present.
+ *
+ * @param request - Request with Authorization header
+ * @param config - Optional EnterpriseStandard configuration
+ * @returns WorkloadIdentity or undefined
+ *
+ * @example
+ * ```typescript
+ * import { getWorkload } from '@enterprisestandard/react';
+ *
+ * export async function handler(request: Request) {
+ *   const workload = await getWorkload(request);
+ *
+ *   if (!workload) {
+ *     return new Response('Unauthorized', { status: 401 });
+ *   }
+ *
+ *   console.log('Request from workload:', workload.workload_id);
+ *   // ... process authenticated request
+ * }
+ * ```
+ */
+declare function getWorkload(request: Request, es?: EnterpriseStandard): Promise<WorkloadIdentity | undefined>;
+/**
+ * Get an access token for the configured workload identity.
+ *
+ * @param scope - Optional OAuth2 scopes (space-delimited)
+ * @param config - Optional EnterpriseStandard configuration
+ * @returns Access token string
+ *
+ * @example
+ * ```typescript
+ * import { getWorkloadToken } from '@enterprisestandard/react/server';
+ *
+ * // Get token for API calls
+ * const token = await getWorkloadToken('api:read api:write');
+ *
+ * // Use in outbound requests
+ * const response = await fetch('https://api.example.com/data', {
+ *   headers: { 'Authorization': `Bearer ${token}` },
+ * });
+ * ```
+ */
+declare function getWorkloadToken(scope?: string, es?: EnterpriseStandard): Promise<string>;
+/**
+ * Validate a workload token from an incoming request.
+ *
+ * @param request - Request with Authorization header
+ * @param config - Optional EnterpriseStandard configuration
+ * @returns Token validation result
+ *
+ * @example
+ * ```typescript
+ * import { validateWorkloadToken } from '@enterprisestandard/react/server';
+ *
+ * export async function handler(request: Request) {
+ *   const result = await validateWorkloadToken(request);
+ *
+ *   if (!result.valid) {
+ *     return new Response(
+ *       JSON.stringify({ error: result.error }),
+ *       { status: 401 }
+ *     );
+ *   }
+ *
+ *   const workloadId = result.claims?.iss;
+ *   // ... process authenticated request
+ * }
+ * ```
+ */
+declare function validateWorkloadToken(request: Request, es?: EnterpriseStandard): Promise<TokenValidationResult>;
+/**
+ * Revoke a workload access token.
+ *
+ * @param token - The access token to revoke
+ * @param config - Optional EnterpriseStandard configuration
+ *
+ * @example
+ * ```typescript
+ * import { revokeWorkloadToken } from '@enterprisestandard/react/server';
+ *
+ * // Revoke token when workload is decommissioned
+ * await revokeWorkloadToken(accessToken);
+ * ```
+ */
+declare function revokeWorkloadToken(token: string, es?: EnterpriseStandard): Promise<void>;
+/**
+ * Framework-agnostic handler for workload authentication routes.
+ *
+ * The handler reads configuration (handler URLs, validation) directly from the
+ * EnterpriseStandard instance, so no config parameter is needed.
+ *
+ * @param request - Incoming request
+ * @param config - Optional ESConfig to specify which EnterpriseStandard instance to use
+ * @returns Response
+ *
+ * @example
+ * ```typescript
+ * import { workloadHandler } from '@enterprisestandard/react/server';
+ *
+ * // TanStack Start example
+ * export const Route = createFileRoute('/api/workload/$')({
+ *   server: {
+ *     handlers: ({ createHandlers }) =>
+ *       createHandlers({
+ *         GET: {
+ *           handler: async ({ request }) => {
+ *             return workloadHandler(request);
+ *           },
+ *         },
+ *         POST: {
+ *           handler: async ({ request }) => {
+ *             return workloadHandler(request);
+ *           },
+ *         },
+ *       }),
+ *   },
+ * });
+ * ```
+ */
+declare function workloadHandler(request: Request, es?: EnterpriseStandard): Promise<Response>;
+
+/**
+ * Helper gets the user from the Request using the supplied EnterpriseStandard or the default instance
+ */
+declare function getUser(request: Request, es?: EnterpriseStandard): Promise<User | undefined>;
+declare function getRequiredUser(request: Request, es?: EnterpriseStandard): Promise<User>;
+declare function initiateLogin(config: LoginConfig, es?: EnterpriseStandard): Promise<Response>;
+declare function callback(request: Request, es?: EnterpriseStandard): Promise<Response>;
+declare function handler(request: Request, es?: EnterpriseStandard): Promise<Response>;
+
+/**
+ * Enterprise user with SCIM attributes.
+ * Extends BaseUser (simple fields) with optional complex SCIM fields.
+ * For IAM/provisioning and enterprise directory integration.
+ */
+interface EnterpriseUser extends BaseUser {
+    /**
+     * External identifier from the provisioning system
+     */
+    externalId?: string;
+    /**
+     * Resource metadata
+     */
+    meta?: {
+        resourceType?: string;
+        created?: string;
+        lastModified?: string;
+        version?: string;
+        location?: string;
+    };
+    /**
+     * SCIM schemas supported by this user
+     */
+    schemas?: string[];
+    /**
+     * Structured name with family/given names, prefixes, suffixes.
+     * Use alongside the simple `name` string from BaseUser.
+     */
+    fullName?: Name;
+    /**
+     * Multiple email addresses with types (work, home, etc.).
+     * Use alongside the simple `email` string from BaseUser.
+     */
+    emails?: Email[];
+    /**
+     * Name for display purposes
+     */
+    displayName?: string;
+    /**
+     * Casual name to address the user
+     */
+    nickName?: string;
+    /**
+     * URL to user's online profile
+     */
+    profileUrl?: string;
+    /**
+     * Job title
+     */
+    title?: string;
+    /**
+     * User type (e.g., "Employee", "Contractor")
+     */
+    userType?: string;
+    /**
+     * Preferred language (e.g., "en-US")
+     */
+    preferredLanguage?: string;
+    /**
+     * Locale for localization (e.g., "en-US")
+     */
+    locale?: string;
+    /**
+     * Timezone (e.g., "America/New_York")
+     */
+    timezone?: string;
+    /**
+     * Whether the user account is active
+     */
+    active?: boolean;
+    /**
+     * Password (for provisioning only, should not be returned)
+     */
+    password?: string;
+    /**
+     * Phone numbers
+     */
+    phoneNumbers?: PhoneNumber[];
+    /**
+     * Instant messaging addresses
+     */
+    ims?: Array<{
+        value: string;
+        display?: string;
+        type?: string;
+        primary?: boolean;
+    }>;
+    /**
+     * Photo URLs
+     */
+    photos?: Array<{
+        value: string;
+        display?: string;
+        type?: string;
+        primary?: boolean;
+    }>;
+    /**
+     * Physical mailing addresses
+     */
+    addresses?: Address[];
+    /**
+     * Groups the user belongs to
+     */
+    groups?: Group[];
+    /**
+     * Entitlements
+     */
+    entitlements?: Array<{
+        value: string;
+        display?: string;
+        type?: string;
+        primary?: boolean;
+    }>;
+    /**
+     * Roles assigned to the user
+     */
+    roles?: Role[];
+    /**
+     * X.509 certificates
+     */
+    x509Certificates?: Array<{
+        value: string;
+        display?: string;
+        type?: string;
+        primary?: boolean;
+    }>;
+    /**
+     * Employee number
+     */
+    employeeNumber?: string;
+    /**
+     * Cost center
+     */
+    costCenter?: string;
+    /**
+     * Organization name
+     */
+    organization?: string;
+    /**
+     * Division name
+     */
+    division?: string;
+    /**
+     * Department name
+     */
+    department?: string;
+    /**
+     * User's manager
+     */
+    manager?: {
+        value: string;
+        $ref?: string;
+        displayName?: string;
+    };
+}
+
+declare function SignInLoading({ complete, children }: {
+    complete?: boolean;
+} & PropsWithChildren): react_jsx_runtime.JSX.Element | null;
+
+declare function SignedIn({ children }: PropsWithChildren): react_jsx_runtime.JSX.Element | null;
+
+declare function SignedOut({ children }: PropsWithChildren): react_jsx_runtime.JSX.Element | null;
+
+type StorageType = 'local' | 'session' | 'memory';
+interface SSOProviderProps {
+    tenantId?: string;
+    storage?: StorageType;
+    storageKey?: string;
+    userUrl?: string;
+    tokenUrl?: string;
+    refreshUrl?: string;
+    disableListener?: boolean;
+    children: ReactNode;
+}
+interface SSOContext {
+    user: User | null;
+    setUser: (user: User | null) => void;
+    isLoading: boolean;
+    tokenUrl?: string;
+    refreshUrl?: string;
+}
+declare function SSOProvider({ tenantId, storage, storageKey, userUrl, tokenUrl, refreshUrl, disableListener, children, }: SSOProviderProps): react_jsx_runtime.JSX.Element;
+declare function useUser(): SSOContext;
+interface UseTokenReturn {
+    token: string | null;
+    isLoading: boolean;
+    error: Error | null;
+    refresh: () => Promise<void>;
+}
+declare function useToken(): UseTokenReturn;
+declare function logout(logoutUrl: string): Promise<{
+    success: boolean;
+    error?: string;
+}>;
+
+declare function getDefaultInstance(): EnterpriseStandard | undefined;
+
+type EnterpriseStandard = ESConfig & {
     defaultInstance: boolean;
     vault: Vault;
     sso: SSO;
@@ -19,39 +2584,6 @@ type ESConfig = {
         workload?: WorkloadConfig['validation'];
     } | SSOHandlerConfig['validation'] | WorkloadConfig['validation'];
 };
-export declare function enterpriseStandard(appId?: string, initConfig?: ESConfig): Promise<EnterpriseStandard>;
-export type { GroupStore, StoredGroup } from './group-store';
-export { InMemoryGroupStore } from './group-store';
-export type { CreateGroupOptions, CreateUserOptions, GroupsInboundHandlerConfig, IAM, IAMConfig, IAMGroupsInbound, IAMGroupsOutbound, IAMHandlerConfig, IAMUsersInbound, ScimError, ScimListResponse, ScimResult, UsersInboundHandlerConfig, } from './iam';
-export { iam } from './iam';
-export type { SessionStore } from './session-store';
-export { InMemorySessionStore } from './session-store';
-export type { SSO, SSOConfig, SSOHandlerConfig } from './sso';
-export { sso } from './sso';
-export * from './sso-server';
-export type { CreateTenantRequest, CreateTenantResponse, EnvironmentType, StoredTenant, TenantStatus, TenantStore, TenantWebhookPayload, } from './tenant';
-export { InMemoryTenantStore, parseTenantRequest, sendTenantWebhook, serializeESConfig, TenantRequestError, } from './tenant';
-export type { BaseUser } from './types/base-user';
-export type { EnterpriseUser } from './types/enterprise-user';
-export type { IdTokenClaims, OidcCallbackParams, TokenResponse } from './types/oidc-schema';
-export { idTokenClaimsSchema, oidcCallbackSchema, tokenResponseSchema } from './types/oidc-schema';
-export type { Address, Email, EnterpriseExtension, Group, GroupMember, GroupResource, Name, PhoneNumber, Role, User as ScimUser, X509Certificate, } from './types/scim-schema';
-export { groupResourceSchema, userSchema } from './types/scim-schema';
-export type { StandardSchemaV1 } from './types/standard-schema';
-export type { User } from './types/user';
-export type { JWTAssertionClaims, TokenValidationResult, WorkloadTokenResponse, } from './types/workload-schema';
-export { jwtAssertionClaimsSchema, workloadTokenResponseSchema } from './types/workload-schema';
-export { SignInLoading } from './ui/sign-in-loading';
-export { SignedIn } from './ui/signed-in';
-export { SignedOut } from './ui/signed-out';
-export * from './ui/sso-provider';
-export type { StoredUser, UserStore } from './user-store';
-export { InMemoryUserStore } from './user-store';
-export { getDefaultInstance } from './utils';
-export type { Vault } from './vault';
-export { vault } from './vault';
-export type { ClientCredentialsWorkloadConfig, JwtBearerWorkloadConfig, ServerOnlyWorkloadConfig, Workload, WorkloadConfig, WorkloadIdentity, } from './workload';
-export { workload } from './workload';
-export type { CachedWorkloadToken, WorkloadTokenStore } from './workload-token-store';
-export { InMemoryWorkloadTokenStore } from './workload-token-store';
-//# sourceMappingURL=index.d.ts.map
+declare function enterpriseStandard(appId?: string, initConfig?: ESConfig): Promise<EnterpriseStandard>;
+
+export { type Address, type BaseUser, type CachedWorkloadToken, type ClientCredentialsWorkloadConfig, type CreateGroupOptions, type CreateTenantRequest, type CreateTenantResponse, type CreateUserOptions, type Email, type EnterpriseExtension, type EnterpriseStandard, type EnterpriseUser, type EnvironmentType, type Group, type GroupMember, type GroupResource, type GroupStore, type GroupsInboundHandlerConfig, type IAM, type IAMConfig, type IAMGroupsInbound, type IAMGroupsOutbound, type IAMHandlerConfig, type IAMUsersInbound, type IdTokenClaims, InMemoryGroupStore, InMemorySessionStore, InMemoryTenantStore, InMemoryUserStore, InMemoryWorkloadTokenStore, type JWTAssertionClaims, type JwtBearerWorkloadConfig, type Name, type OidcCallbackParams, type PhoneNumber, type Role, type SSO, type SSOConfig, type SSOHandlerConfig, SSOProvider, type ScimError, type ScimListResponse, type ScimResult, type User$1 as ScimUser, type ServerOnlyWorkloadConfig, type SessionStore, SignInLoading, SignedIn, SignedOut, StandardSchemaV1, type StoredGroup, type StoredTenant, type StoredUser, TenantRequestError, type TenantStatus, type TenantStore, type TenantWebhookPayload, type TokenResponse, type TokenValidationResult, type User, type UserStore, type UsersInboundHandlerConfig, type Vault, type Workload, type WorkloadConfig, type WorkloadIdentity, type WorkloadTokenResponse, type WorkloadTokenStore, type X509Certificate, callback, enterpriseStandard, getDefaultInstance, getRequiredUser, getUser, getWorkload, getWorkloadToken, groupResourceSchema, handler, iam, idTokenClaimsSchema, initiateLogin, jwtAssertionClaimsSchema, logout, oidcCallbackSchema, parseTenantRequest, revokeWorkloadToken, sendTenantWebhook, serializeESConfig, sso, tokenResponseSchema, useToken, useUser, userSchema, validateWorkloadToken, vault, workload, workloadHandler, workloadTokenResponseSchema };