@executor-js/sdk 0.0.1-beta.6 → 0.0.2

Files changed (96) hide show
  1. package/README.md +125 -107
  2. package/dist/blob.d.ts +48 -0
  3. package/dist/blob.d.ts.map +1 -0
  4. package/dist/blob.test.d.ts +2 -0
  5. package/dist/blob.test.d.ts.map +1 -0
  6. package/dist/chunk-6LMMN2GP.js +4396 -0
  7. package/dist/chunk-6LMMN2GP.js.map +1 -0
  8. package/dist/config.d.ts +14 -0
  9. package/dist/config.d.ts.map +1 -0
  10. package/dist/connections.d.ts +107 -0
  11. package/dist/connections.d.ts.map +1 -0
  12. package/dist/connections.test.d.ts +2 -0
  13. package/dist/connections.test.d.ts.map +1 -0
  14. package/dist/core-schema.d.ts +372 -0
  15. package/dist/core-schema.d.ts.map +1 -0
  16. package/dist/core.js +273 -57
  17. package/dist/core.js.map +1 -1
  18. package/dist/elicitation.d.ts +18 -34
  19. package/dist/elicitation.d.ts.map +1 -1
  20. package/dist/error-handling.test.d.ts +2 -0
  21. package/dist/error-handling.test.d.ts.map +1 -0
  22. package/dist/errors.d.ts +95 -24
  23. package/dist/errors.d.ts.map +1 -1
  24. package/dist/executor.d.ts +107 -48
  25. package/dist/executor.d.ts.map +1 -1
  26. package/dist/executor.test.d.ts +2 -0
  27. package/dist/executor.test.d.ts.map +1 -0
  28. package/dist/ids.d.ts +6 -4
  29. package/dist/ids.d.ts.map +1 -1
  30. package/dist/index.d.ts +22 -16
  31. package/dist/index.d.ts.map +1 -1
  32. package/dist/index.js +80 -308
  33. package/dist/index.js.map +1 -1
  34. package/dist/oauth-discovery.d.ts +138 -0
  35. package/dist/oauth-discovery.d.ts.map +1 -0
  36. package/dist/oauth-discovery.test.d.ts +2 -0
  37. package/dist/oauth-discovery.test.d.ts.map +1 -0
  38. package/dist/oauth-helpers.d.ts +89 -0
  39. package/dist/oauth-helpers.d.ts.map +1 -0
  40. package/dist/oauth-helpers.test.d.ts +2 -0
  41. package/dist/oauth-helpers.test.d.ts.map +1 -0
  42. package/dist/oauth-popup-types.d.ts +14 -0
  43. package/dist/oauth-popup-types.d.ts.map +1 -0
  44. package/dist/oauth-service.d.ts +33 -0
  45. package/dist/oauth-service.d.ts.map +1 -0
  46. package/dist/oauth.d.ts +275 -0
  47. package/dist/oauth.d.ts.map +1 -0
  48. package/dist/plugin.d.ts +261 -27
  49. package/dist/plugin.d.ts.map +1 -1
  50. package/dist/policies.d.ts +56 -64
  51. package/dist/policies.d.ts.map +1 -1
  52. package/dist/policies.test.d.ts +2 -0
  53. package/dist/policies.test.d.ts.map +1 -0
  54. package/dist/promise-executor.d.ts +26 -128
  55. package/dist/promise-executor.d.ts.map +1 -1
  56. package/dist/promise.d.ts +12 -6
  57. package/dist/promise.d.ts.map +1 -1
  58. package/dist/promise.test.d.ts +2 -0
  59. package/dist/promise.test.d.ts.map +1 -0
  60. package/dist/schema-types.d.ts +6 -5
  61. package/dist/schema-types.d.ts.map +1 -1
  62. package/dist/scope.d.ts +5 -15
  63. package/dist/scope.d.ts.map +1 -1
  64. package/dist/scoped-adapter.d.ts +13 -0
  65. package/dist/scoped-adapter.d.ts.map +1 -0
  66. package/dist/scoped-adapter.test.d.ts +2 -0
  67. package/dist/scoped-adapter.test.d.ts.map +1 -0
  68. package/dist/secret-backed-value.d.ts +27 -0
  69. package/dist/secret-backed-value.d.ts.map +1 -0
  70. package/dist/secrets.d.ts +52 -106
  71. package/dist/secrets.d.ts.map +1 -1
  72. package/dist/testing.d.ts +5 -3
  73. package/dist/testing.d.ts.map +1 -1
  74. package/dist/types.d.ts +84 -0
  75. package/dist/types.d.ts.map +1 -0
  76. package/package.json +7 -4
  77. package/dist/chunk-CJY7TT3J.js +0 -1384
  78. package/dist/chunk-CJY7TT3J.js.map +0 -1
  79. package/dist/in-memory/policy-engine.d.ts +0 -10
  80. package/dist/in-memory/policy-engine.d.ts.map +0 -1
  81. package/dist/in-memory/secret-store.d.ts +0 -16
  82. package/dist/in-memory/secret-store.d.ts.map +0 -1
  83. package/dist/in-memory/tool-registry.d.ts +0 -35
  84. package/dist/in-memory/tool-registry.d.ts.map +0 -1
  85. package/dist/index.test.d.ts +0 -2
  86. package/dist/index.test.d.ts.map +0 -1
  87. package/dist/plugin-kv.d.ts +0 -48
  88. package/dist/plugin-kv.d.ts.map +0 -1
  89. package/dist/plugins/in-memory-tools.d.ts +0 -42
  90. package/dist/plugins/in-memory-tools.d.ts.map +0 -1
  91. package/dist/runtime-tools.d.ts +0 -41
  92. package/dist/runtime-tools.d.ts.map +0 -1
  93. package/dist/sources.d.ts +0 -124
  94. package/dist/sources.d.ts.map +0 -1
  95. package/dist/tools.d.ts +0 -219
  96. package/dist/tools.d.ts.map +0 -1
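--- a/package/dist/oauth-discovery.d.ts
+++ b/package/dist/oauth-discovery.d.ts
@@ -0,0 +1,138 @@
+import { Effect, Schema } from "effect";
+import { createPkceCodeChallenge } from "./oauth-helpers";
+declare const OAuthDiscoveryError_base: new <A extends Record<string, any> = {}>(args: import("effect/Types").VoidIfEmpty<{ readonly [P in keyof A as P extends "_tag" ? never : P]: A[P]; }>) => import("effect/Cause").YieldableError & {
+readonly _tag: "OAuthDiscoveryError";
+} & Readonly<A>;
+/** Separate tag from `OAuth2Error` so callers can distinguish discovery
+* / DCR failures (happen once, before any token round-trips) from
+* token-endpoint failures. A plugin's refresh path should never have
+* to inspect error messages to tell "metadata drifted, re-discover"
+* apart from "refresh token is no longer honoured". */
+export declare class OAuthDiscoveryError extends OAuthDiscoveryError_base<{
+readonly message: string;
+readonly status?: number;
+readonly cause?: unknown;
+}> {
+}
+export declare const OAuthProtectedResourceMetadataSchema: Schema.Struct<{
+readonly resource: Schema.optional<Schema.String>;
+readonly authorization_servers: Schema.optional<Schema.$Array<Schema.String>>;
+readonly scopes_supported: Schema.optional<Schema.$Array<Schema.String>>;
+readonly bearer_methods_supported: Schema.optional<Schema.$Array<Schema.String>>;
+readonly resource_documentation: Schema.optional<Schema.String>;
+}>;
+export type OAuthProtectedResourceMetadata = typeof OAuthProtectedResourceMetadataSchema.Type;
+export declare const OAuthAuthorizationServerMetadataSchema: Schema.Struct<{
+readonly issuer: Schema.String;
+readonly authorization_endpoint: Schema.String;
+readonly token_endpoint: Schema.String;
+readonly registration_endpoint: Schema.optional<Schema.String>;
+readonly scopes_supported: Schema.optional<Schema.$Array<Schema.String>>;
+readonly response_types_supported: Schema.optional<Schema.$Array<Schema.String>>;
+readonly grant_types_supported: Schema.optional<Schema.$Array<Schema.String>>;
+readonly code_challenge_methods_supported: Schema.optional<Schema.$Array<Schema.String>>;
+readonly token_endpoint_auth_methods_supported: Schema.optional<Schema.$Array<Schema.String>>;
+readonly revocation_endpoint: Schema.optional<Schema.String>;
+readonly introspection_endpoint: Schema.optional<Schema.String>;
+readonly userinfo_endpoint: Schema.optional<Schema.String>;
+readonly id_token_signing_alg_values_supported: Schema.optional<Schema.$Array<Schema.String>>;
+}>;
+export type OAuthAuthorizationServerMetadata = typeof OAuthAuthorizationServerMetadataSchema.Type;
+export type DynamicClientMetadata = {
+readonly client_name?: string;
+readonly redirect_uris: readonly string[];
+readonly grant_types?: readonly string[];
+readonly response_types?: readonly string[];
+readonly token_endpoint_auth_method?: "none" | "client_secret_basic" | "client_secret_post" | "private_key_jwt";
+readonly scope?: string;
+readonly application_type?: "web" | "native";
+readonly client_uri?: string;
+readonly logo_uri?: string;
+readonly contacts?: readonly string[];
+readonly software_id?: string;
+readonly software_version?: string;
+/** Escape hatch for provider-specific extensions; merged last. */
+readonly extra?: Readonly<Record<string, unknown>>;
+};
+export declare const OAuthClientInformationSchema: Schema.Struct<{
+readonly client_id: Schema.String;
+readonly client_secret: Schema.optional<Schema.String>;
+readonly client_id_issued_at: Schema.optional<Schema.Number>;
+readonly client_secret_expires_at: Schema.optional<Schema.Number>;
+readonly registration_access_token: Schema.optional<Schema.String>;
+readonly registration_client_uri: Schema.optional<Schema.String>;
+readonly token_endpoint_auth_method: Schema.optional<Schema.String>;
+readonly grant_types: Schema.optional<Schema.$Array<Schema.String>>;
+readonly response_types: Schema.optional<Schema.$Array<Schema.String>>;
+readonly redirect_uris: Schema.optional<Schema.$Array<Schema.String>>;
+readonly client_name: Schema.optional<Schema.String>;
+readonly scope: Schema.optional<Schema.String>;
+}>;
+export type OAuthClientInformation = typeof OAuthClientInformationSchema.Type;
+export interface DiscoveryRequestOptions {
+/** Injected for tests. Defaults to the global `fetch`. */
+readonly fetch?: typeof fetch;
+/** Abort the request after this many ms. Default 20000. */
+readonly timeoutMs?: number;
+/** Send `MCP-Protocol-Version: <value>` on every request. Harmless
+* for non-MCP servers; required by the MCP authorization spec. */
+readonly mcpProtocolVersion?: string;
+/** Credentials needed to reach the protected resource itself. These
+* are intentionally used only for resource-side probes, never for
+* authorization-server metadata, DCR, authorization, or token calls. */
+readonly resourceHeaders?: Readonly<Record<string, string>>;
+readonly resourceQueryParams?: Readonly<Record<string, string>>;
+}
+export declare const discoverProtectedResourceMetadata: (resourceUrl: string, options?: DiscoveryRequestOptions) => Effect.Effect<{
+readonly metadataUrl: string;
+readonly metadata: OAuthProtectedResourceMetadata;
+} | null, OAuthDiscoveryError>;
+export declare const discoverAuthorizationServerMetadata: (issuer: string, options?: DiscoveryRequestOptions) => Effect.Effect<{
+readonly metadataUrl: string;
+readonly metadata: OAuthAuthorizationServerMetadata;
+} | null, OAuthDiscoveryError>;
+export interface RegisterDynamicClientInput {
+readonly registrationEndpoint: string;
+readonly metadata: DynamicClientMetadata;
+readonly initialAccessToken?: string | null;
+}
+export declare const registerDynamicClient: (input: RegisterDynamicClientInput, options?: DiscoveryRequestOptions) => Effect.Effect<OAuthClientInformation, OAuthDiscoveryError>;
+export interface DynamicAuthorizationState {
+readonly resourceMetadata: OAuthProtectedResourceMetadata | null;
+readonly resourceMetadataUrl: string | null;
+readonly authorizationServerUrl: string;
+readonly authorizationServerMetadataUrl: string;
+readonly authorizationServerMetadata: OAuthAuthorizationServerMetadata;
+readonly clientInformation: OAuthClientInformation;
+}
+export interface DynamicAuthorizationStartResult {
+readonly authorizationUrl: string;
+readonly codeVerifier: string;
+readonly state: DynamicAuthorizationState;
+}
+export interface BeginDynamicAuthorizationInput {
+readonly endpoint: string;
+readonly redirectUrl: string;
+/** RFC 6749 `state` — callers typically pass a per-session random id. */
+readonly state: string;
+/** Defaults: `redirect_uris=[redirectUrl]`, `token_endpoint_auth_method="none"`
+* (public client + PKCE). */
+readonly clientMetadata?: Partial<DynamicClientMetadata>;
+/** Scopes to request. Defaults to `scopes_supported`; omitted if
+* neither is set. */
+readonly scopes?: readonly string[];
+/** Pre-existing state from a previous flow. When provided, the
+* matching discovery / DCR step is skipped so multi-user sign-ins
+* against the same source don't re-pay those costs. */
+readonly previousState?: {
+readonly authorizationServerUrl?: string | null;
+readonly authorizationServerMetadata?: OAuthAuthorizationServerMetadata | null;
+readonly authorizationServerMetadataUrl?: string | null;
+readonly resourceMetadata?: OAuthProtectedResourceMetadata | null;
+readonly resourceMetadataUrl?: string | null;
+readonly clientInformation?: OAuthClientInformation | null;
+};
+}
+export declare const beginDynamicAuthorization: (input: BeginDynamicAuthorizationInput, options?: DiscoveryRequestOptions) => Effect.Effect<DynamicAuthorizationStartResult, OAuthDiscoveryError>;
+export { createPkceCodeChallenge };
+//# sourceMappingURL=oauth-discovery.d.ts.map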
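Review bot: The doc on `readonly state: string` ("callers typically pass a per-session random id") understates a hard requirement — a guessable or reused value makes the redirect callback CSRF-able (RFC 6749 §10.12); suggest `/** RFC 6749 state: an unguessable, session-bound value (e.g. 128 bits from a CSPRNG). It is the only CSRF binding for the callback. */`. Relatedly, `previousState` is documented as skipping discovery/DCR when supplied, but nothing in the type ties it to `endpoint`, so state cached for a different source would direct this flow's code and PKCE verifier to that source's authorization server; the doc should say it must be keyed by endpoint, and the implementation (not visible here) should still check the supplied metadata's `issuer` against `authorizationServerUrl` as RFC 8414 §3.3 requires for freshly fetched metadata. `codeVerifier` in `DynamicAuthorizationStartResult` is a secret until the code exchange and deserves a one-line doc saying it is server-side state that must not be returned to the browser.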
@@ -0,0 +1 @@
1
+ {"version":3,"file":"oauth-discovery.d.ts","sourceRoot":"","sources":["../src/oauth-discovery.ts"],"names":[],"mappings":"AAoBA,OAAO,EAAQ,MAAM,EAAU,MAAM,EAAE,MAAM,QAAQ,CAAC;AAGtD,OAAO,EAGL,uBAAuB,EAExB,MAAM,iBAAiB,CAAC;;;;AAMzB;;;;wDAIwD;AACxD,qBAAa,mBAAoB,SAAQ,yBAEvC;IACA,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,KAAK,CAAC,EAAE,OAAO,CAAC;CAC1B,CAAC;CAAG;AAmBL,eAAO,MAAM,oCAAoC;;;;;;EAMY,CAAC;AAC9D,MAAM,MAAM,8BAA8B,GACxC,OAAO,oCAAoC,CAAC,IAAI,CAAC;AAEnD,eAAO,MAAM,sCAAsC;;;;;;;;;;;;;;EAcY,CAAC;AAChE,MAAM,MAAM,gCAAgC,GAC1C,OAAO,sCAAsC,CAAC,IAAI,CAAC;AAErD,MAAM,MAAM,qBAAqB,GAAG;IAClC,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,aAAa,EAAE,SAAS,MAAM,EAAE,CAAC;IAC1C,QAAQ,CAAC,WAAW,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACzC,QAAQ,CAAC,cAAc,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC5C,QAAQ,CAAC,0BAA0B,CAAC,EAChC,MAAM,GACN,qBAAqB,GACrB,oBAAoB,GACpB,iBAAiB,CAAC;IACtB,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,gBAAgB,CAAC,EAAE,KAAK,GAAG,QAAQ,CAAC;IAC7C,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,QAAQ,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACtC,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IACnC,kEAAkE;IAClE,QAAQ,CAAC,KAAK,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;CACpD,CAAC;AAEF,eAAO,MAAM,4BAA4B;;;;;;;;;;;;;EAaY,CAAC;AACtD,MAAM,MAAM,sBAAsB,GAAG,OAAO,4BAA4B,CAAC,IAAI,CAAC;AAY9E,MAAM,WAAW,uBAAuB;IACtC,0DAA0D;IAC1D,QAAQ,CAAC,KAAK,CAAC,EAAE,OAAO,KAAK,CAAC;IAC9B,2DAA2D;IAC3D,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAC5B;uEACmE;IACnE,QAAQ,CAAC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IACrC;;6EAEyE;IACzE,QAAQ,CAAC,eAAe,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IAC5D,QAAQ,CAAC,mBAAmB,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;CACjE;AA6ED,eAAO,MAAM,iCAAiC,GAC5C,aAAa,MAAM,EACnB,UAAS,uBAA4B,KACpC,MAAM,CAAC,MAAM,CACZ;IAAE,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,QAAQ,EAAE,8BAA8B,CAAA;CAAE,GACnF,IAAI,EACN,mBAAmB,CA0DjB,CAAC;AAyBL,eAAO,MAAM
,mCAAmC,GAC9C,QAAQ,MAAM,EACd,UAAS,uBAA4B,KACpC,MAAM,CAAC,MAAM,CACZ;IACE,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,QAAQ,EAAE,gCAAgC,CAAC;CACrD,GACD,IAAI,EACN,mBAAmB,CAuDjB,CAAC;AASL,MAAM,WAAW,0BAA0B;IACzC,QAAQ,CAAC,oBAAoB,EAAE,MAAM,CAAC;IACtC,QAAQ,CAAC,QAAQ,EAAE,qBAAqB,CAAC;IACzC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC7C;AAYD,eAAO,MAAM,qBAAqB,GAChC,OAAO,0BAA0B,EACjC,UAAS,uBAA4B,KACpC,MAAM,CAAC,MAAM,CAAC,sBAAsB,EAAE,mBAAmB,CA4EzD,CAAC;AAMJ,MAAM,WAAW,yBAAyB;IACxC,QAAQ,CAAC,gBAAgB,EAAE,8BAA8B,GAAG,IAAI,CAAC;IACjE,QAAQ,CAAC,mBAAmB,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5C,QAAQ,CAAC,sBAAsB,EAAE,MAAM,CAAC;IACxC,QAAQ,CAAC,8BAA8B,EAAE,MAAM,CAAC;IAChD,QAAQ,CAAC,2BAA2B,EAAE,gCAAgC,CAAC;IACvE,QAAQ,CAAC,iBAAiB,EAAE,sBAAsB,CAAC;CACpD;AAED,MAAM,WAAW,+BAA+B;IAC9C,QAAQ,CAAC,gBAAgB,EAAE,MAAM,CAAC;IAClC,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,KAAK,EAAE,yBAAyB,CAAC;CAC3C;AAED,MAAM,WAAW,8BAA8B;IAC7C,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,yEAAyE;IACzE,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB;kCAC8B;IAC9B,QAAQ,CAAC,cAAc,CAAC,EAAE,OAAO,CAAC,qBAAqB,CAAC,CAAC;IACzD;0BACsB;IACtB,QAAQ,CAAC,MAAM,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACpC;;4DAEwD;IACxD,QAAQ,CAAC,aAAa,CAAC,EAAE;QACvB,QAAQ,CAAC,sBAAsB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;QAChD,QAAQ,CAAC,2BAA2B,CAAC,EAAE,gCAAgC,GAAG,IAAI,CAAC;QAC/E,QAAQ,CAAC,8BAA8B,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;QACxD,QAAQ,CAAC,gBAAgB,CAAC,EAAE,8BAA8B,GAAG,IAAI,CAAC;QAClE,QAAQ,CAAC,mBAAmB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;QAC7C,QAAQ,CAAC,iBAAiB,CAAC,EAAE,sBAAsB,GAAG,IAAI,CAAC;KAC5D,CAAC;CACH;AAED,eAAO,MAAM,yBAAyB,GACpC,OAAO,8BAA8B,EACrC,UAAS,uBAA4B,KACpC,MAAM,CAAC,MAAM,CAAC,+BAA+B,EAAE,mBAAmB,CAwHjE,CAAC;AAEL,OAAO,EAAE,uBAAuB,EAAE,CAAC"}
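--- a/package/dist/oauth-discovery.test.d.ts
+++ b/package/dist/oauth-discovery.test.d.ts
@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=oauth-discovery.test.d.ts.map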
@@ -0,0 +1 @@
1
+ {"version":3,"file":"oauth-discovery.test.d.ts","sourceRoot":"","sources":["../src/oauth-discovery.test.ts"],"names":[],"mappings":""}
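--- a/package/dist/oauth-helpers.d.ts
+++ b/package/dist/oauth-helpers.d.ts
@@ -0,0 +1,89 @@
+import { Effect } from "effect";
+declare const OAuth2Error_base: new <A extends Record<string, any> = {}>(args: import("effect/Types").VoidIfEmpty<{ readonly [P in keyof A as P extends "_tag" ? never : P]: A[P]; }>) => import("effect/Cause").YieldableError & {
+readonly _tag: "OAuth2Error";
+} & Readonly<A>;
+export declare class OAuth2Error extends OAuth2Error_base<{
+readonly message: string;
+/**
+* RFC 6749 §5.2 error code, when the token endpoint returned one
+* (`invalid_grant`, `invalid_client`, `unauthorized_client`, ...).
+* Callers use this to distinguish terminal failures (a refresh token
+* the AS no longer honours → re-auth required) from transient ones.
+*/
+readonly error?: string;
+readonly cause?: unknown;
+}> {
+}
+export type OAuth2TokenResponse = {
+readonly access_token: string;
+readonly token_type?: string;
+readonly refresh_token?: string;
+readonly expires_in?: number;
+readonly scope?: string;
+};
+/** Refresh tokens this many ms before expiry to avoid mid-request expiration. */
+export declare const OAUTH2_REFRESH_SKEW_MS = 60000;
+/** Default token-endpoint timeout. */
+export declare const OAUTH2_DEFAULT_TIMEOUT_MS = 20000;
+export declare const createPkceCodeVerifier: () => string;
+export declare const createPkceCodeChallenge: (verifier: string) => Promise<string>;
+export type BuildAuthorizationUrlInput = {
+readonly authorizationUrl: string;
+readonly clientId: string;
+readonly redirectUrl: string;
+readonly scopes: readonly string[];
+readonly state: string;
+/** Pre-computed base64url S256 challenge (from `createPkceCodeChallenge`). */
+readonly codeChallenge: string;
+/** Separator between scopes. RFC 6749 says space; some providers use comma. */
+readonly scopeSeparator?: string;
+/** Provider-specific extras (e.g. Google's `access_type=offline`). */
+readonly extraParams?: Readonly<Record<string, string>>;
+};
+/** Build an RFC 6749 §4.1.1 authorization URL. Sync; pre-computed
+* challenge lets this stay out of the Promise world. */
+export declare const buildAuthorizationUrl: (input: BuildAuthorizationUrlInput) => string;
+export type ClientAuthMethod = "body" | "basic";
+export type ExchangeAuthorizationCodeInput = {
+readonly tokenUrl: string;
+readonly issuerUrl?: string | null;
+readonly clientId: string;
+readonly clientSecret?: string | null;
+readonly redirectUrl: string;
+readonly codeVerifier: string;
+readonly code: string;
+readonly clientAuth?: ClientAuthMethod;
+readonly idTokenSigningAlgValuesSupported?: readonly string[];
+readonly timeoutMs?: number;
+};
+export declare const exchangeAuthorizationCode: (input: ExchangeAuthorizationCodeInput) => Effect.Effect<OAuth2TokenResponse, OAuth2Error>;
+export type ExchangeClientCredentialsInput = {
+readonly tokenUrl: string;
+readonly clientId: string;
+readonly clientSecret: string;
+readonly scopes?: readonly string[];
+readonly scopeSeparator?: string;
+readonly clientAuth?: ClientAuthMethod;
+readonly timeoutMs?: number;
+};
+export declare const exchangeClientCredentials: (input: ExchangeClientCredentialsInput) => Effect.Effect<OAuth2TokenResponse, OAuth2Error>;
+export type RefreshAccessTokenInput = {
+readonly tokenUrl: string;
+readonly issuerUrl?: string | null;
+readonly clientId: string;
+readonly clientSecret?: string | null;
+readonly refreshToken: string;
+readonly scopes?: readonly string[];
+readonly scopeSeparator?: string;
+readonly clientAuth?: ClientAuthMethod;
+readonly idTokenSigningAlgValuesSupported?: readonly string[];
+readonly timeoutMs?: number;
+};
+export declare const refreshAccessToken: (input: RefreshAccessTokenInput) => Effect.Effect<OAuth2TokenResponse, OAuth2Error>;
+export declare const shouldRefreshToken: (input: {
+readonly expiresAt: number | null;
+readonly now?: number;
+readonly skewMs?: number;
+}) => boolean;
+export {};
+//# sourceMappingURL=oauth-helpers.d.ts.map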
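Review bot: `extraParams` on `BuildAuthorizationUrlInput` is an arbitrary string map documented only as provider extras, so the declaration does not say whether a config-supplied `redirect_uri`, `state`, `code_challenge` or `response_type` key can override the fixed parameters; that precedence should be pinned in the doc and enforced in `buildAuthorizationUrl` (body not visible here), e.g. `/** Provider-specific extras (e.g. Google's access_type=offline). Applied first; the fixed OAuth parameters always win and cannot be overridden. */`. `createPkceCodeVerifier` carries no contract although PKCE's strength rests on it — suggest `/** 43–128 unreserved chars from a CSPRNG (RFC 7636 §4.1). */`. Since `issuerUrl` is nullable on `ExchangeAuthorizationCodeInput` and `RefreshAccessTokenInput` while `idTokenSigningAlgValuesSupported` exists, the doc should state what happens to an `id_token` in the response when `issuerUrl` is null — left unvalidated or rejected — so callers do not assume a check that may not run.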
@@ -0,0 +1 @@
1
+ {"version":3,"file":"oauth-helpers.d.ts","sourceRoot":"","sources":["../src/oauth-helpers.ts"],"names":[],"mappings":"AAkBA,OAAO,EAAQ,MAAM,EAAE,MAAM,QAAQ,CAAC;;;;AAOtC,qBAAa,WAAY,SAAQ,iBAAgC;IAC/D,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB;;;;;OAKG;IACH,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,KAAK,CAAC,EAAE,OAAO,CAAC;CAC1B,CAAC;CAAG;AAML,MAAM,MAAM,mBAAmB,GAAG;IAChC,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;CACzB,CAAC;AAMF,iFAAiF;AACjF,eAAO,MAAM,sBAAsB,QAAS,CAAC;AAE7C,sCAAsC;AACtC,eAAO,MAAM,yBAAyB,QAAS,CAAC;AAMhD,eAAO,MAAM,sBAAsB,QAAO,MACN,CAAC;AAErC,eAAO,MAAM,uBAAuB,GAAI,UAAU,MAAM,KAAG,OAAO,CAAC,MAAM,CAC7B,CAAC;AAM7C,MAAM,MAAM,0BAA0B,GAAG;IACvC,QAAQ,CAAC,gBAAgB,EAAE,MAAM,CAAC;IAClC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,MAAM,EAAE,SAAS,MAAM,EAAE,CAAC;IACnC,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,8EAA8E;IAC9E,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,+EAA+E;IAC/E,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;IACjC,sEAAsE;IACtE,QAAQ,CAAC,WAAW,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;CACzD,CAAC;AAEF;yDACyD;AACzD,eAAO,MAAM,qBAAqB,GAAI,OAAO,0BAA0B,KAAG,MAgBzE,CAAC;AAwCF,MAAM,MAAM,gBAAgB,GAAG,MAAM,GAAG,OAAO,CAAC;AA2IhD,MAAM,MAAM,8BAA8B,GAAG;IAC3C,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACnC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtC,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,UAAU,CAAC,EAAE,gBAAgB,CAAC;IACvC,QAAQ,CAAC,gCAAgC,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC9D,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;CAC7B,CAAC;AAEF,eAAO,MAAM,yBAAyB,GACpC,OAAO,8BAA8B,KACpC,MAAM,CAAC,MAAM,CAAC,mBAAmB,EAAE,WAAW,CAiC7C,CAAC;AAML,MAAM,MAAM,8BAA8B,GAAG;IAC3C,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,YAAY,EAAE
,MAAM,CAAC;IAC9B,QAAQ,CAAC,MAAM,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACpC,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;IACjC,QAAQ,CAAC,UAAU,CAAC,EAAE,gBAAgB,CAAC;IACvC,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;CAC7B,CAAC;AAEF,eAAO,MAAM,yBAAyB,GACpC,OAAO,8BAA8B,KACpC,MAAM,CAAC,MAAM,CAAC,mBAAmB,EAAE,WAAW,CA4B7C,CAAC;AAML,MAAM,MAAM,uBAAuB,GAAG;IACpC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACnC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtC,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,MAAM,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACpC,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;IACjC,QAAQ,CAAC,UAAU,CAAC,EAAE,gBAAgB,CAAC;IACvC,QAAQ,CAAC,gCAAgC,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC9D,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;CAC7B,CAAC;AAEF,eAAO,MAAM,kBAAkB,GAC7B,OAAO,uBAAuB,KAC7B,MAAM,CAAC,MAAM,CAAC,mBAAmB,EAAE,WAAW,CA0C7C,CAAC;AAML,eAAO,MAAM,kBAAkB,GAAI,OAAO;IACxC,QAAQ,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IAClC,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;CAC1B,KAAG,OAKH,CAAC"}
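--- a/package/dist/oauth-helpers.test.d.ts
+++ b/package/dist/oauth-helpers.test.d.ts
@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=oauth-helpers.test.d.ts.map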
@@ -0,0 +1 @@
1
+ {"version":3,"file":"oauth-helpers.test.d.ts","sourceRoot":"","sources":["../src/oauth-helpers.test.ts"],"names":[],"mappings":""}
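--- a/package/dist/oauth-popup-types.d.ts
+++ b/package/dist/oauth-popup-types.d.ts
@@ -0,0 +1,14 @@
+/** Message type literal used to identify our popup results. */
+export declare const OAUTH_POPUP_MESSAGE_TYPE: "executor:oauth-result";
+export type OAuthPopupResult<TAuth> = ({
+readonly type: typeof OAUTH_POPUP_MESSAGE_TYPE;
+readonly ok: true;
+readonly sessionId: string;
+} & TAuth) | {
+readonly type: typeof OAUTH_POPUP_MESSAGE_TYPE;
+readonly ok: false;
+readonly sessionId: string | null;
+readonly error: string;
+};
+export declare const isOAuthPopupResult: <TAuth>(value: unknown) => value is OAuthPopupResult<TAuth>;
+//# sourceMappingURL=oauth-popup-types.d.ts.map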
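Review bot: `isOAuthPopupResult` narrows an `unknown` value to `OAuthPopupResult<TAuth>`, but a runtime guard cannot check the `TAuth` fields, so the predicate promises more than it can verify; declare it as `value is OAuthPopupResult<unknown>` (or drop the type parameter) and validate the auth fields at the receiver. Separately, the `executor:oauth-result` literal is forgeable by any window that can `postMessage` to the opener, so this guard must not be the only check: the receiving `message` handler should compare `event.origin` with the expected callback origin and accept only a `sessionId` it issued. Suggest adding above `isOAuthPopupResult`: `/** Shape check only. Callers must also verify event.origin and match sessionId against a flow they started — the message type is trivially spoofable. */`.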
@@ -0,0 +1 @@
1
+ {"version":3,"file":"oauth-popup-types.d.ts","sourceRoot":"","sources":["../src/oauth-popup-types.ts"],"names":[],"mappings":"AAQA,+DAA+D;AAC/D,eAAO,MAAM,wBAAwB,EAAG,uBAAgC,CAAC;AAEzE,MAAM,MAAM,gBAAgB,CAAC,KAAK,IAC9B,CAAC;IACC,QAAQ,CAAC,IAAI,EAAE,OAAO,wBAAwB,CAAC;IAC/C,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAC;IAClB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;CAC5B,GAAG,KAAK,CAAC,GACV;IACE,QAAQ,CAAC,IAAI,EAAE,OAAO,wBAAwB,CAAC;IAC/C,QAAQ,CAAC,EAAE,EAAE,KAAK,CAAC;IACnB,QAAQ,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IAClC,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;CACxB,CAAC;AAEN,eAAO,MAAM,kBAAkB,GAAI,KAAK,EACtC,OAAO,OAAO,KACb,KAAK,IAAI,gBAAgB,CAAC,KAAK,CAG+B,CAAC"}
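--- a/package/dist/oauth-service.d.ts
+++ b/package/dist/oauth-service.d.ts
@@ -0,0 +1,33 @@
+import { Effect } from "effect";
+import type { DBAdapter, StorageFailure, TypedAdapter } from "@executor-js/storage-core";
+import { CreateConnectionInput, type ConnectionProvider, type ConnectionRef } from "./connections";
+import type { ConnectionProviderNotRegisteredError } from "./errors";
+import type { CoreSchema } from "./core-schema";
+import { SetSecretInput, type SecretRef } from "./secrets";
+import { type OAuthService } from "./oauth";
+export interface OAuthServiceDeps {
+/** Typed core-schema adapter. Already scope-wrapped upstream so reads
+* fall through the scope stack; writes stamp the scope the caller
+* named (`tokenScope` on start input). */
+readonly adapter: TypedAdapter<CoreSchema>;
+/** Raw adapter for opening transactions — the typed one doesn't expose
+* `.transaction` directly. */
+readonly rawAdapter: DBAdapter;
+/** Resolves client-id / client-secret refs at start + refresh time.
+* A `null` return means "secret row is gone" and aborts the flow. */
+readonly secretsGet: (id: string) => Effect.Effect<string | null, StorageFailure>;
+readonly secretsSet: (input: SetSecretInput) => Effect.Effect<SecretRef, StorageFailure>;
+/** Mints the Connection row + backing secret rows. Called from
+* `complete` (and from `start` for `client-credentials`). */
+readonly connectionsCreate: (input: CreateConnectionInput) => Effect.Effect<ConnectionRef, ConnectionProviderNotRegisteredError | StorageFailure>;
+/** Random session id generator. Tests override to make outputs
+* deterministic. */
+readonly newSessionId?: () => string;
+/** `Date.now()` substitute — tests override to drive TTL behavior. */
+readonly now?: () => number;
+}
+export declare const makeOAuth2Service: (deps: OAuthServiceDeps) => {
+readonly service: OAuthService;
+readonly connectionProvider: ConnectionProvider;
+};
+//# sourceMappingURL=oauth-service.d.ts.map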
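Review bot: `newSessionId` is documented only as a random generator that tests override; if, as the popup result type's `sessionId` suggests, this id is what ties the callback back to the started flow, then the default must be a CSPRNG value and an injected override is a security-relevant knob, not just a test seam. Suggest `/** Session id generator. The default must be unguessable (crypto.randomUUID or equivalent) — the id binds the callback to the flow; override only in tests. */`. `secretsGet` returns the raw client secret as a `string`, so its doc should add that the value is only to be passed to the token endpoint and never logged or persisted outside the secret store.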
@@ -0,0 +1 @@
1
+ {"version":3,"file":"oauth-service.d.ts","sourceRoot":"","sources":["../src/oauth-service.ts"],"names":[],"mappings":"AAqCA,OAAO,EAAE,MAAM,EAAU,MAAM,QAAQ,CAAC;AAExC,OAAO,KAAK,EACV,SAAS,EACT,cAAc,EACd,YAAY,EACb,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EAEL,qBAAqB,EAErB,KAAK,kBAAkB,EAGvB,KAAK,aAAa,EACnB,MAAM,eAAe,CAAC;AACvB,OAAO,KAAK,EACV,oCAAoC,EACrC,MAAM,UAAU,CAAC;AAClB,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAEhD,OAAO,EAAE,cAAc,EAAE,KAAK,SAAS,EAAE,MAAM,WAAW,CAAC;AAC3D,OAAO,EAgBL,KAAK,YAAY,EAGlB,MAAM,SAAS,CAAC;AAmMjB,MAAM,WAAW,gBAAgB;IAC/B;;+CAE2C;IAC3C,QAAQ,CAAC,OAAO,EAAE,YAAY,CAAC,UAAU,CAAC,CAAC;IAC3C;mCAC+B;IAC/B,QAAQ,CAAC,UAAU,EAAE,SAAS,CAAC;IAC/B;0EACsE;IACtE,QAAQ,CAAC,UAAU,EAAE,CAAC,EAAE,EAAE,MAAM,KAAK,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,IAAI,EAAE,cAAc,CAAC,CAAC;IAClF,QAAQ,CAAC,UAAU,EAAE,CAAC,KAAK,EAAE,cAAc,KAAK,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC;IACzF;kEAC8D;IAC9D,QAAQ,CAAC,iBAAiB,EAAE,CAC1B,KAAK,EAAE,qBAAqB,KACzB,MAAM,CAAC,MAAM,CAChB,aAAa,EACb,oCAAoC,GAAG,cAAc,CACtD,CAAC;IACF;yBACqB;IACrB,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,MAAM,CAAC;IACrC,sEAAsE;IACtE,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,MAAM,CAAC;CAC7B;AAyCD,eAAO,MAAM,iBAAiB,GAC5B,MAAM,gBAAgB,KACrB;IAAE,QAAQ,CAAC,OAAO,EAAE,YAAY,CAAC;IAAC,QAAQ,CAAC,kBAAkB,EAAE,kBAAkB,CAAA;CAq7BnF,CAAC"}
@@ -0,0 +1,275 @@
1
+ import { Effect, Schema } from "effect";
2
+ import type { StorageFailure } from "@executor-js/storage-core";
3
+ import { ConnectionId } from "./ids";
4
+ /** RFC 9728 + RFC 8414 + RFC 7591 + PKCE: discover protected-resource
5
+ * metadata, discover the authorization server, dynamically register a
6
+ * client, then PKCE-encode the authorization URL. Zero pre-configured
7
+ * credentials — the user just pastes a resource URL. */
8
+ export declare const OAuthDynamicDcrStrategy: Schema.Struct<{
9
+ readonly kind: Schema.Literal<"dynamic-dcr">;
10
+ /** Scopes to request. Defaults to whatever `scopes_supported`
11
+ * advertises; caller can narrow or extend. */
12
+ readonly scopes: Schema.optional<Schema.$Array<Schema.String>>;
13
+ }>;
14
+ export type OAuthDynamicDcrStrategy = typeof OAuthDynamicDcrStrategy.Type;
15
+ /** RFC 6749 authorization code + PKCE with pre-configured endpoints +
16
+ * client_id. Used when the caller has out-of-band-registered an OAuth
17
+ * app (Google via Cloud Console, GitHub via developer portal, etc.) or
18
+ * when the auth-server URL is declared in an OpenAPI `securityScheme`. */
19
+ export declare const OAuthAuthorizationCodeStrategy: Schema.Struct<{
20
+ readonly kind: Schema.Literal<"authorization-code">;
21
+ readonly authorizationEndpoint: Schema.String;
22
+ readonly tokenEndpoint: Schema.String;
23
+ /** Expected authorization-server issuer for ID token validation. Some
24
+ * providers use a token endpoint host that differs from issuer, or a
25
+ * path-scoped issuer such as Okta custom authorization servers. */
26
+ readonly issuerUrl: Schema.optional<Schema.NullOr<Schema.String>>;
27
+ /** Secret id holding the `client_id`. Using a secret row rather than
28
+ * an inline string so the value lives at the scope where the caller
29
+ * configured it and shadowing behaves consistently. */
30
+ readonly clientIdSecretId: Schema.String;
31
+ /** Secret id for `client_secret`. Null for public clients using
32
+ * PKCE without a confidential secret. */
33
+ readonly clientSecretSecretId: Schema.NullOr<Schema.String>;
34
+ readonly scopes: Schema.$Array<Schema.String>;
35
+ /** Separator between scopes. RFC 6749 says space; some providers
36
+ * (GitHub classic) use comma. */
37
+ readonly scopeSeparator: Schema.optional<Schema.String>;
38
+ /** Provider-specific params injected at authorization URL build time
39
+ * (Google's `access_type=offline`, `prompt=consent`, ...). */
40
+ readonly extraAuthorizationParams: Schema.optional<Schema.$Record<Schema.String, Schema.String>>;
41
+ /** `"body"` (default) sends client creds in the form body; `"basic"`
42
+ * uses HTTP Basic auth. Stripe-style servers require basic. */
43
+ readonly clientAuth: Schema.optional<Schema.Literals<readonly ["body", "basic"]>>;
44
+ }>;
45
+ export type OAuthAuthorizationCodeStrategy = typeof OAuthAuthorizationCodeStrategy.Type;
46
+ /** RFC 6749 §4.4 client credentials — no user redirect, no PKCE. Used
47
+ * for server-to-server integrations where the plugin has both
48
+ * `client_id` and `client_secret` and the server will mint tokens
49
+ * directly on the token endpoint. */
50
+ export declare const OAuthClientCredentialsStrategy: Schema.Struct<{
51
+ readonly kind: Schema.Literal<"client-credentials">;
52
+ readonly tokenEndpoint: Schema.String;
53
+ readonly clientIdSecretId: Schema.String;
54
+ readonly clientSecretSecretId: Schema.String;
55
+ readonly scopes: Schema.optional<Schema.$Array<Schema.String>>;
56
+ readonly scopeSeparator: Schema.optional<Schema.String>;
57
+ readonly clientAuth: Schema.optional<Schema.Literals<readonly ["body", "basic"]>>;
58
+ }>;
59
+ export type OAuthClientCredentialsStrategy = typeof OAuthClientCredentialsStrategy.Type;
60
+ /** Tagged union of every start-time strategy shape. A new strategy (e.g.
61
+ * device-code) is added here; the service's start/complete routes on
62
+ * `kind`. */
63
+ export declare const OAuthStrategy: Schema.Union<readonly [Schema.Struct<{
64
+ readonly kind: Schema.Literal<"dynamic-dcr">;
65
+ /** Scopes to request. Defaults to whatever `scopes_supported`
66
+ * advertises; caller can narrow or extend. */
67
+ readonly scopes: Schema.optional<Schema.$Array<Schema.String>>;
68
+ }>, Schema.Struct<{
69
+ readonly kind: Schema.Literal<"authorization-code">;
70
+ readonly authorizationEndpoint: Schema.String;
71
+ readonly tokenEndpoint: Schema.String;
72
+ /** Expected authorization-server issuer for ID token validation. Some
73
+ * providers use a token endpoint host that differs from issuer, or a
74
+ * path-scoped issuer such as Okta custom authorization servers. */
75
+ readonly issuerUrl: Schema.optional<Schema.NullOr<Schema.String>>;
76
+ /** Secret id holding the `client_id`. Using a secret row rather than
77
+ * an inline string so the value lives at the scope where the caller
78
+ * configured it and shadowing behaves consistently. */
79
+ readonly clientIdSecretId: Schema.String;
80
+ /** Secret id for `client_secret`. Null for public clients using
81
+ * PKCE without a confidential secret. */
82
+ readonly clientSecretSecretId: Schema.NullOr<Schema.String>;
83
+ readonly scopes: Schema.$Array<Schema.String>;
84
+ /** Separator between scopes. RFC 6749 says space; some providers
85
+ * (GitHub classic) use comma. */
86
+ readonly scopeSeparator: Schema.optional<Schema.String>;
87
+ /** Provider-specific params injected at authorization URL build time
88
+ * (Google's `access_type=offline`, `prompt=consent`, ...). */
89
+ readonly extraAuthorizationParams: Schema.optional<Schema.$Record<Schema.String, Schema.String>>;
90
+ /** `"body"` (default) sends client creds in the form body; `"basic"`
91
+ * uses HTTP Basic auth. Stripe-style servers require basic. */
92
+ readonly clientAuth: Schema.optional<Schema.Literals<readonly ["body", "basic"]>>;
93
+ }>, Schema.Struct<{
94
+ readonly kind: Schema.Literal<"client-credentials">;
95
+ readonly tokenEndpoint: Schema.String;
96
+ readonly clientIdSecretId: Schema.String;
97
+ readonly clientSecretSecretId: Schema.String;
98
+ readonly scopes: Schema.optional<Schema.$Array<Schema.String>>;
99
+ readonly scopeSeparator: Schema.optional<Schema.String>;
100
+ readonly clientAuth: Schema.optional<Schema.Literals<readonly ["body", "basic"]>>;
101
+ }>]>;
102
+ export type OAuthStrategy = typeof OAuthStrategy.Type;
103
+ /** Discriminator mirrors `OAuthStrategy["kind"]`. Refresh reads
104
+ * `tokenEndpoint` + `clientAuth` + client id/secret refs directly and
105
+ * never re-runs discovery. */
106
+ export declare const OAuthProviderState: Schema.Union<readonly [Schema.Struct<{
107
+ readonly kind: Schema.Literal<"dynamic-dcr">;
108
+ readonly tokenEndpoint: Schema.String;
109
+ readonly issuerUrl: Schema.optional<Schema.NullOr<Schema.String>>;
110
+ readonly authorizationServerUrl: Schema.optional<Schema.NullOr<Schema.String>>;
111
+ readonly authorizationServerMetadataUrl: Schema.NullOr<Schema.String>;
112
+ readonly idTokenSigningAlgValuesSupported: Schema.optional<Schema.$Array<Schema.String>>;
113
+ /** DCR-minted client_id. Embedded inline (not a secret) — DCR
114
+ * clients are public-ish by design; the secret part (if the AS
115
+ * issued one) is a separate secret row. */
116
+ readonly clientId: Schema.String;
117
+ readonly clientSecretSecretId: Schema.NullOr<Schema.String>;
118
+ readonly clientAuth: Schema.Literals<readonly ["body", "basic"]>;
119
+ readonly scopes: Schema.withDecodingDefaultType<Schema.$Array<Schema.String>>;
120
+ readonly scopeSeparator: Schema.optional<Schema.String>;
121
+ readonly scope: Schema.NullOr<Schema.String>;
122
+ }>, Schema.Struct<{
123
+ readonly kind: Schema.Literal<"authorization-code">;
124
+ readonly tokenEndpoint: Schema.String;
125
+ readonly issuerUrl: Schema.optional<Schema.NullOr<Schema.String>>;
126
+ readonly clientIdSecretId: Schema.String;
127
+ readonly clientSecretSecretId: Schema.NullOr<Schema.String>;
128
+ readonly clientAuth: Schema.Literals<readonly ["body", "basic"]>;
129
+ readonly scopes: Schema.withDecodingDefaultType<Schema.$Array<Schema.String>>;
130
+ readonly scopeSeparator: Schema.optional<Schema.String>;
131
+ readonly scope: Schema.NullOr<Schema.String>;
132
+ }>, Schema.Struct<{
133
+ readonly kind: Schema.Literal<"client-credentials">;
134
+ readonly tokenEndpoint: Schema.String;
135
+ readonly clientIdSecretId: Schema.String;
136
+ readonly clientSecretSecretId: Schema.String;
137
+ readonly scopes: Schema.$Array<Schema.String>;
138
+ readonly scopeSeparator: Schema.optional<Schema.String>;
139
+ readonly clientAuth: Schema.Literals<readonly ["body", "basic"]>;
140
+ readonly scope: Schema.NullOr<Schema.String>;
141
+ }>]>;
142
+ export type OAuthProviderState = typeof OAuthProviderState.Type;
143
+ /** The canonical refresh handler key. Every OAuth2-minted connection
144
+ * registers under this single value; the handler switches on
145
+ * `providerState.kind`. Historical per-plugin keys (`mcp:oauth2`,
146
+ * `openapi:oauth2`, `google-discovery:google`) are aliased to this
147
+ * during migration. */
148
+ export declare const OAUTH2_PROVIDER_KEY: "oauth2";
149
+ export interface OAuthProbeInput {
150
+ readonly endpoint: string;
151
+ readonly headers?: Record<string, string>;
152
+ readonly queryParams?: Record<string, string>;
153
+ }
154
+ export interface OAuthProbeResult {
155
+ /** RFC 9728 resource metadata the server advertises, if any. */
156
+ readonly resourceMetadata: Record<string, unknown> | null;
157
+ readonly resourceMetadataUrl: string | null;
158
+ /** RFC 8414 / OIDC metadata for the authorization server tied to the
159
+ * resource, if the server advertised one and we could fetch it. */
160
+ readonly authorizationServerMetadata: Record<string, unknown> | null;
161
+ readonly authorizationServerMetadataUrl: string | null;
162
+ readonly authorizationServerUrl: string | null;
163
+ /** True iff the AS advertises `registration_endpoint` and
164
+ * `token_endpoint_auth_methods_supported` includes `"none"` (public
165
+ * client + PKCE). A `false` value here doesn't mean OAuth is
166
+ * unavailable — just that the dynamic-DCR strategy can't run and the
167
+ * caller must fall back to `authorization-code` with user-supplied
168
+ * client credentials. */
169
+ readonly supportsDynamicRegistration: boolean;
170
+ /** True iff an unauth POST to the endpoint responded with `401` and
171
+ * an MCP-shaped `WWW-Authenticate: Bearer` challenge (RFC 6750).
172
+ * MCP-only signal; non-MCP OAuth-protected APIs usually encode auth
173
+ * failures inside their own protocol envelope and never surface
174
+ * this flag. */
175
+ readonly isBearerChallengeEndpoint: boolean;
176
+ }
177
+ export interface OAuthStartInput {
178
+ /** Resource URL the caller wants a token for. For `dynamic-dcr` this
179
+ * is the probe target; for `authorization-code` it's stored only so
180
+ * the UI can display "signed in to X." */
181
+ readonly endpoint: string;
182
+ readonly headers?: Record<string, string>;
183
+ readonly queryParams?: Record<string, string>;
184
+ /** Pre-decided `Connection.id`. Writing it before the flow starts
185
+ * lets callers stamp `{kind:"oauth2", connectionId}` onto a source
186
+ * row atomically with the start call. Convention:
187
+ * `${pluginId}-oauth2-${namespace}`. */
188
+ readonly connectionId: string;
189
+ /** Scope where the resulting `Connection` + its backing secrets
190
+ * land. Innermost scope for per-user sign-ins. */
191
+ readonly tokenScope: string;
192
+ /** Redirect URL the authorization server will bounce back to. For
193
+ * strategies that don't redirect (`client-credentials`) pass a
194
+ * placeholder; it's persisted but unused. */
195
+ readonly redirectUrl: string;
196
+ readonly strategy: OAuthStrategy;
197
+ /** Which plugin is initiating the flow. Persisted on the session +
198
+ * stamped on the minted Connection's identity label for UI. */
199
+ readonly pluginId: string;
200
+ /** Optional human label for the minted Connection, e.g. "Spotify OAuth". */
201
+ readonly identityLabel?: string;
202
+ }
203
+ export interface OAuthStartResult {
204
+ readonly sessionId: string;
205
+ /** Present for user-interactive strategies. `null` for
206
+ * `client-credentials`, which skips straight to a Connection write
207
+ * inside `start`. */
208
+ readonly authorizationUrl: string | null;
209
+ /** For strategies that don't redirect, the Connection has already
210
+ * been minted. Surfaced so callers can stamp the source row
211
+ * immediately without waiting on a completion callback. */
212
+ readonly completedConnection: {
213
+ readonly connectionId: string;
214
+ } | null;
215
+ }
216
+ export interface OAuthCompleteInput {
217
+ /** RFC 6749 `state` parameter — maps to a session row id. */
218
+ readonly state: string;
219
+ readonly code?: string;
220
+ /** RFC 6749 `error` parameter — set when the AS redirected back with
221
+ * a failure. The service surfaces this as a tagged error. */
222
+ readonly error?: string;
223
+ }
224
+ export interface OAuthCompleteResult {
225
+ readonly connectionId: string;
226
+ readonly expiresAt: number | null;
227
+ readonly scope: string | null;
228
+ }
229
+ declare const OAuthProbeError_base: Schema.Class<OAuthProbeError, Schema.TaggedStruct<"OAuthProbeError", {
230
+ readonly message: Schema.String;
231
+ }>, import("effect/Cause").YieldableError>;
232
+ export declare class OAuthProbeError extends OAuthProbeError_base {
233
+ static annotations: {
234
+ httpApiStatus: number;
235
+ };
236
+ }
237
+ declare const OAuthStartError_base: Schema.Class<OAuthStartError, Schema.TaggedStruct<"OAuthStartError", {
238
+ readonly message: Schema.String;
239
+ }>, import("effect/Cause").YieldableError>;
240
+ export declare class OAuthStartError extends OAuthStartError_base {
241
+ static annotations: {
242
+ httpApiStatus: number;
243
+ };
244
+ }
245
+ declare const OAuthCompleteError_base: Schema.Class<OAuthCompleteError, Schema.TaggedStruct<"OAuthCompleteError", {
246
+ readonly message: Schema.String;
247
+ /** RFC 6749 §5.2 error code, when the token endpoint returned one.
248
+ * Callers distinguish terminal failures (`invalid_grant` ⇒
249
+ * re-auth required) from transient ones. */
250
+ readonly code: Schema.optional<Schema.String>;
251
+ }>, import("effect/Cause").YieldableError>;
252
+ export declare class OAuthCompleteError extends OAuthCompleteError_base {
253
+ static annotations: {
254
+ httpApiStatus: number;
255
+ };
256
+ }
257
+ declare const OAuthSessionNotFoundError_base: Schema.Class<OAuthSessionNotFoundError, Schema.TaggedStruct<"OAuthSessionNotFoundError", {
258
+ readonly sessionId: Schema.String;
259
+ }>, import("effect/Cause").YieldableError>;
260
+ export declare class OAuthSessionNotFoundError extends OAuthSessionNotFoundError_base {
261
+ static annotations: {
262
+ httpApiStatus: number;
263
+ };
264
+ }
265
+ export interface OAuthService {
266
+ readonly probe: (input: OAuthProbeInput) => Effect.Effect<OAuthProbeResult, OAuthProbeError>;
267
+ readonly start: (input: OAuthStartInput) => Effect.Effect<OAuthStartResult, OAuthStartError | StorageFailure>;
268
+ readonly complete: (input: OAuthCompleteInput) => Effect.Effect<OAuthCompleteResult, OAuthCompleteError | OAuthSessionNotFoundError | StorageFailure>;
269
+ /** Drop an in-flight session without completing — used when the
270
+ * user cancels the popup or the source is deleted mid-onboarding. */
271
+ readonly cancel: (sessionId: string, tokenScope?: string) => Effect.Effect<void, StorageFailure>;
272
+ }
273
+ export declare const OAUTH2_SESSION_TTL_MS: number;
274
+ export { ConnectionId };
275
+ //# sourceMappingURL=oauth.d.ts.map
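Review bot: The `extraAuthorizationParams` field on the `authorization-code` strategy (and its copy inside the `OAuthStrategy` union) hands callers a `Record<string, string>` that is merged into the authorization URL, but nothing in the declaration says the protocol-bearing parameters are protected; if the builder spreads the record after the core params, a plugin could replace `redirect_uri`, `state`, `code_challenge`/`code_challenge_method` or `response_type` and undo the CSRF and PKCE bindings the service depends on. Whether the implementation already rejects these keys is not visible from a `.d.ts`, so the contract should be stated in the docstring: `Keys colliding with protocol parameters (response_type, client_id, redirect_uri, state, scope, code_challenge, code_challenge_method) are reserved; start() must reject them rather than override.` Likewise `OAuthCompleteInput.state` is the only callback-to-session binding in this API, so its comment should add that the session id it maps to is expected to be unguessable, consumed on first use, and invalid after `OAUTH2_SESSION_TTL_MS`. Finally, the `dynamic-dcr` path fetches a user-pasted `endpoint` and then follows server-advertised metadata URLs, so `OAuthProbeInput.endpoint` deserves a note that the implementation is presumed to restrict discovery to https and to check the RFC 8414 `issuer` against the metadata URL before trusting the discovered `token_endpoint` and `registration_endpoint` — confirm against `oauth-discovery.ts`.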
@@ -0,0 +1 @@
1
+ {"version":3,"file":"oauth.d.ts","sourceRoot":"","sources":["../src/oauth.ts"],"names":[],"mappings":"AAmBA,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAExC,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAEhE,OAAO,EAAE,YAAY,EAAE,MAAM,OAAO,CAAC;AAWrC;;;yDAGyD;AACzD,eAAO,MAAM,uBAAuB;;IAElC;mDAC+C;;EAE/C,CAAC;AACH,MAAM,MAAM,uBAAuB,GAAG,OAAO,uBAAuB,CAAC,IAAI,CAAC;AAE1E;;;2EAG2E;AAC3E,eAAO,MAAM,8BAA8B;;;;IAIzC;;wEAEoE;;IAEpE;;4DAEwD;;IAExD;8CAC0C;;;IAG1C;sCACkC;;IAElC;mEAC+D;;IAI/D;oEACgE;;EAEhE,CAAC;AACH,MAAM,MAAM,8BAA8B,GACxC,OAAO,8BAA8B,CAAC,IAAI,CAAC;AAE7C;;;sCAGsC;AACtC,eAAO,MAAM,8BAA8B;;;;;;;;EAQzC,CAAC;AACH,MAAM,MAAM,8BAA8B,GACxC,OAAO,8BAA8B,CAAC,IAAI,CAAC;AAE7C;;cAEc;AACd,eAAO,MAAM,aAAa;;IA5DxB;mDAC+C;;;;;;IAa/C;;wEAEoE;;IAEpE;;4DAEwD;;IAExD;8CAC0C;;;IAG1C;sCACkC;;IAElC;mEAC+D;;IAI/D;oEACgE;;;;;;;;;;IA6BhE,CAAC;AACH,MAAM,MAAM,aAAa,GAAG,OAAO,aAAa,CAAC,IAAI,CAAC;AAQtD;;+BAE+B;AAC/B,eAAO,MAAM,kBAAkB;;;;;;;IAU3B;;gDAE4C;;;;;;;;;;;;;;;;;;;;;;;;;;IA6B9C,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,OAAO,kBAAkB,CAAC,IAAI,CAAC;AAEhE;;;;wBAIwB;AACxB,eAAO,MAAM,mBAAmB,EAAG,QAAiB,CAAC;AAMrD,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC1C,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAC/C;AAED,MAAM,WAAW,gBAAgB;IAC/B,gEAAgE;IAChE,QAAQ,CAAC,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;IAC1D,QAAQ,CAAC,mBAAmB,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5C;wEACoE;IACpE,QAAQ,CAAC,2BAA2B,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;IACrE,QAAQ,CAAC,8BAA8B,EAAE,MAAM,GAAG,IAAI,CAAC;IACvD,QAAQ,CAAC,sBAAsB,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/C;;;;;8BAK0B;IAC1B,QAAQ,CAAC,2BAA2B,EAAE,OAAO,CAAC;IAC9C;;;;qBAIiB;IACjB,QAAQ,CAAC,yBAAyB,EAAE,OAAO,CAAC;CAC7C;AAMD,MAAM,WAAW,eAAe;IAC9B;;+CAE2C;IAC3C,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC1C,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC9C;;;6CAGyC;IACzC,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B;uDACmD;IACnD,Q
AAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B;;kDAE8C;IAC9C,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,QAAQ,EAAE,aAAa,CAAC;IACjC;oEACgE;IAChE,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,4EAA4E;IAC5E,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC;CACjC;AAED,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B;;0BAEsB;IACtB,QAAQ,CAAC,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAC;IACzC;;gEAE4D;IAC5D,QAAQ,CAAC,mBAAmB,EAAE;QAAE,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC;CACxE;AAED,MAAM,WAAW,kBAAkB;IACjC,6DAA6D;IAC7D,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB;kEAC8D;IAC9D,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,mBAAmB;IAClC,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IAClC,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;CAC/B;;;;AAWD,qBAAa,eAAgB,SAAQ,oBAKpC;IACC,MAAM,CAAC,WAAW;;MAA0B;CAC7C;;;;AAED,qBAAa,eAAgB,SAAQ,oBAKpC;IACC,MAAM,CAAC,WAAW;;MAA0B;CAC7C;;;IAMG;;iDAE6C;;;AANjD,qBAAa,kBAAmB,SAAQ,uBASvC;IACC,MAAM,CAAC,WAAW;;MAA0B;CAC7C;;;;AAED,qBAAa,yBAA0B,SAAQ,8BAK9C;IACC,MAAM,CAAC,WAAW;;MAA0B;CAC7C;AAOD,MAAM,WAAW,YAAY;IAC3B,QAAQ,CAAC,KAAK,EAAE,CACd,KAAK,EAAE,eAAe,KACnB,MAAM,CAAC,MAAM,CAAC,gBAAgB,EAAE,eAAe,CAAC,CAAC;IACtD,QAAQ,CAAC,KAAK,EAAE,CACd,KAAK,EAAE,eAAe,KACnB,MAAM,CAAC,MAAM,CAAC,gBAAgB,EAAE,eAAe,GAAG,cAAc,CAAC,CAAC;IACvE,QAAQ,CAAC,QAAQ,EAAE,CACjB,KAAK,EAAE,kBAAkB,KACtB,MAAM,CAAC,MAAM,CAChB,mBAAmB,EACnB,kBAAkB,GAAG,yBAAyB,GAAG,cAAc,CAChE,CAAC;IACF;0EACsE;IACtE,QAAQ,CAAC,MAAM,EAAE,CACf,SAAS,EAAE,MAAM,EACjB,UAAU,CAAC,EAAE,MAAM,KAChB,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;CAC1C;AAOD,eAAO,MAAM,qBAAqB,QAAiB,CAAC;AAIpD,OAAO,EAAE,YAAY,EAAE,CAAC"}