@faable/sdk-base 1.3.0 → 1.5.0

package/README.md

@@ -16,3 +16,75 @@
 ```bash
  npm install @faable/sdk-base
 ```
+
+## Building an API client
+
+Extend `FaableApi` and call the static `create` factory:
+
+```ts
+import { FaableApi } from "@faable/sdk-base";
+import type { ApiParams } from "@faable/sdk-base";
+
+export class MyApi extends FaableApi {
+  constructor(params?: ApiParams) {
+    super({ baseURL: "https://api.example.com", ...params });
+  }
+  getThing(id: string) {
+    return this.fetcher.get(`/thing/${id}`);
+  }
+}
+```
+
+## Authentication (pluggable, Octokit-style)
+
+Auth is **explicit** — strategies never read environment variables. You pick an
+`authStrategy` and pass its config in `auth`; the chosen strategy drives the
+type of `auth`, so the editor autocompletes the right fields and rejects the
+wrong ones.
+
+```ts
+import { authClientCredentials, authApikey } from "@faable/sdk-base";
+
+// client_credentials — the DEFAULT strategy. `auth` requires
+// { client_id, client_secret }.
+const api = MyApi.create({
+  baseURL: "https://my-account.auth.faable.link",
+  authStrategy: authClientCredentials,
+  auth: { client_id: "...", client_secret: "..." },
+});
+
+// api key — `auth` requires { apikey }.
+const api2 = MyApi.create({
+  baseURL: "https://api.example.com",
+  authStrategy: authApikey,
+  auth: { apikey: "fak_xxx" },
+});
+```
+
+`authClientCredentials` requests its token from `<baseURL>/oauth/token` by
+default. When the API host is **not** the auth server, point the token request
+at the right host with `auth.domain`:
+
+```ts
+auth: { client_id: "...", client_secret: "...", domain: "https://auth.example.com" }
+```
+
+### Writing a custom strategy
+
+A strategy is a builder `(config, context) => { headers() }`:
+
+```ts
+import type { AuthStrategyBuilder } from "@faable/sdk-base";
+
+type BearerConfig = { token: string };
+
+export const authBearer: AuthStrategyBuilder<BearerConfig> = (config) => {
+  if (!config?.token) throw new Error("authBearer: `auth.token` is required");
+  return {
+    headers: async () => ({ authorization: `Bearer ${config.token}` }),
+  };
+};
+```
+
+`context` carries the api's `domain` (its `baseURL`) and `debug` flag, so a
+token-minting strategy can reach the auth server without extra config.

package/dist/FaableApi.d.ts

@@ -1,10 +1,18 @@
-import type { AuthInterface } from "./types/AuthInterface.js";
 import type { Fetcher, FetcherCreateParams } from "./fetcher/Fetcher.js";
 import type { Paginator, PaginatorOptions } from "./helpers/paginator.js";
-export type ApiParams = {
+import type { AuthStrategyBuilder } from "./types/AuthStrategy.js";
+import { type ClientCredentialsConfig } from "./auth/client_credentials/client_credentials.js";
+export type RequestObserver = (info: {
+    method: string;
+    url: string;
+    status: number;
+    durationMs: number;
+}) => void;
+export type ApiParams<TAuth = ClientCredentialsConfig> = {
     baseURL?: string;
     fetcher?: FetcherCreateParams;
-    auth?: AuthInterface<any, any>;
+    authStrategy?: AuthStrategyBuilder<TAuth>;
+    auth?: TAuth;
     debug?: boolean;
     paginator?: Partial<PaginatorOptions>;
     /**
@@ -12,21 +20,30 @@ export type ApiParams = {
      * remembers each GET's `ETag` and replays it as `If-None-Match`; a `304 Not
      * Modified` reuses the previously parsed body instead of re-downloading it.
      * Correctness relies on the server changing the ETag whenever the resource
-     * changes (no client-side invalidation needed — a write bumps the server
-     * ETag, so the next GET gets a fresh `200`). Off by default.
+     * changes (no client-side invalidation needed). Off by default.
      *
      * `true` uses the default cap; pass `{ maxEntries }` to size the bounded LRU
-     * for the client's key cardinality (e.g. a controller polling many apps +
-     * deployments wants a larger cap than a one-shot script).
+     * for the client's key cardinality.
      */
     etagCache?: boolean | {
         maxEntries?: number;
     };
+    /**
+     * Pluggable per-response observer. Called once per completed HTTP response
+     * with `{ method, url, status, durationMs }`. Errors thrown by the observer
+     * are swallowed so instrumentation can never break a request.
+     */
+    requestObserver?: RequestObserver;
+};
+type CreateParams<Cls extends abstract new (params?: any) => any, TAuth> = Omit<NonNullable<ConstructorParameters<Cls>[0]>, "auth" | "authStrategy"> & {
+    authStrategy?: AuthStrategyBuilder<TAuth>;
+    auth?: TAuth;
 };
 export declare abstract class FaableApi<Params extends ApiParams = ApiParams> {
     fetcher: Fetcher;
     protected paginator: Paginator;
     protected constructor(params?: Params);
-    static create<T extends abstract new (args: Params) => any, Params = any>(this: T, params?: Params): InstanceType<T>;
+    static create<Cls extends abstract new (params?: any) => any, TAuth = ClientCredentialsConfig>(this: Cls, params?: CreateParams<Cls, TAuth>): InstanceType<Cls>;
 }
+export {};
 //# sourceMappingURL=FaableApi.d.ts.map

package/dist/FaableApi.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"FaableApi.d.ts","sourceRoot":"","sources":["../src/FaableApi.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AAC9D,OAAO,KAAK,EAAE,OAAO,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAGzE,OAAO,KAAK,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAE1E,MAAM,MAAM,SAAS,GAAG;IACtB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,mBAAmB,CAAC;IAC9B,IAAI,CAAC,EAAE,aAAa,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IAC/B,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,SAAS,CAAC,EAAE,OAAO,CAAC,gBAAgB,CAAC,CAAC;IACtC;;;;;;;;;;;OAWG;IACH,SAAS,CAAC,EAAE,OAAO,GAAG;QAAE,UAAU,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;CAC/C,CAAC;AAEF,8BAAsB,SAAS,CAAC,MAAM,SAAS,SAAS,GAAG,SAAS;IAClE,OAAO,EAAE,OAAO,CAAC;IACjB,SAAS,CAAC,SAAS,EAAE,SAAS,CAAC;IAC/B,SAAS,aAAa,MAAM,CAAC,EAAE,MAAM;IAMrC,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,QAAQ,MAAM,IAAI,EAAE,MAAM,KAAK,GAAG,EAAE,MAAM,GAAG,GAAG,EACtE,IAAI,EAAE,CAAC,EACP,MAAM,CAAC,EAAE,MAAM,GACd,YAAY,CAAC,CAAC,CAAC;CAInB"}
+{"version":3,"file":"FaableApi.d.ts","sourceRoot":"","sources":["../src/FaableApi.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAGzE,OAAO,KAAK,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC1E,OAAO,KAAK,EAEV,mBAAmB,EACpB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAEL,KAAK,uBAAuB,EAC7B,MAAM,iDAAiD,CAAC;AAQzD,MAAM,MAAM,eAAe,GAAG,CAAC,IAAI,EAAE;IACnC,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;CACpB,KAAK,IAAI,CAAC;AAMX,MAAM,MAAM,SAAS,CAAC,KAAK,GAAG,uBAAuB,IAAI;IACvD,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,mBAAmB,CAAC;IAI9B,YAAY,CAAC,EAAE,mBAAmB,CAAC,KAAK,CAAC,CAAC;IAC1C,IAAI,CAAC,EAAE,KAAK,CAAC;IACb,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,SAAS,CAAC,EAAE,OAAO,CAAC,gBAAgB,CAAC,CAAC;IACtC;;;;;;;;;OASG;IACH,SAAS,CAAC,EAAE,OAAO,GAAG;QAAE,UAAU,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAC9C;;;;OAIG;IACH,eAAe,CAAC,EAAE,eAAe,CAAC;CACnC,CAAC;AAKF,KAAK,YAAY,CACf,GAAG,SAAS,QAAQ,MAAM,MAAM,CAAC,EAAE,GAAG,KAAK,GAAG,EAC9C,KAAK,IACH,IAAI,CAAC,WAAW,CAAC,qBAAqB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,MAAM,GAAG,cAAc,CAAC,GAAG;IAC9E,YAAY,CAAC,EAAE,mBAAmB,CAAC,KAAK,CAAC,CAAC;IAC1C,IAAI,CAAC,EAAE,KAAK,CAAC;CACd,CAAC;AAEF,8BAAsB,SAAS,CAAC,MAAM,SAAS,SAAS,GAAG,SAAS;IAClE,OAAO,EAAE,OAAO,CAAC;IACjB,SAAS,CAAC,SAAS,EAAE,SAAS,CAAC;IAE/B,SAAS,aAAa,MAAM,CAAC,EAAE,MAAM;IAmBrC,MAAM,CAAC,MAAM,CACX,GAAG,SAAS,QAAQ,MAAM,MAAM,CAAC,EAAE,GAAG,KAAK,GAAG,EAC9C,KAAK,GAAG,uBAAuB,EAC/B,IAAI,EAAE,GAAG,EAAE,MAAM,CAAC,EAAE,YAAY,CAAC,GAAG,EAAE,KAAK,CAAC,GAAG,YAAY,CAAC,GAAG,CAAC;CAInE"}

package/dist/FaableApi.js

@@ -1,15 +1,27 @@
 import { fetcher_axios } from "./fetcher/fetcher_axios.js";
 import { buildPaginator } from "./helpers/paginator.js";
+import { authClientCredentials, } from "./auth/client_credentials/client_credentials.js";
 export class FaableApi {
     fetcher;
     paginator;
     constructor(params) {
-        const options = params || {};
-        this.fetcher = fetcher_axios(options);
+        const options = (params ?? {});
+        // Resolve the auth strategy: explicit `authStrategy`, else default to
+        // client_credentials when `auth` is given, else anonymous (no headers).
+        const builder = options.authStrategy ?? (options.auth ? authClientCredentials : undefined);
+        const strategy = builder
+            ? builder(options.auth ?? {}, {
+                domain: options.baseURL,
+                debug: options.debug,
+            })
+            : undefined;
+        this.fetcher = fetcher_axios({ ...options, strategy });
         this.paginator = buildPaginator(this.fetcher, options.paginator);
     }
+    // Octokit-style factory. Infers `TAuth` from the passed `authStrategy` so
+    // `auth` is typed (and autocompleted) accordingly.
     static create(params) {
-        let Cns = this;
+        const Cns = this;
         return new Cns(params);
     }
 }

package/dist/auth/apikey.d.ts

@@ -1,4 +1,6 @@
-import type { StrategyInterface } from "../types/StrategyInterface.js";
-export type ApikeyAuthParams = Partial<[apikey: string]>;
-export declare const createApikeyAuth: StrategyInterface<ApikeyAuthParams>;
+import type { AuthStrategyBuilder } from "../types/AuthStrategy.js";
+export type ApikeyConfig = {
+    apikey: string;
+};
+export declare const authApikey: AuthStrategyBuilder<ApikeyConfig>;
 //# sourceMappingURL=apikey.d.ts.map

package/dist/auth/apikey.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"apikey.d.ts","sourceRoot":"","sources":["../../src/auth/apikey.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAC;AAGvE,MAAM,MAAM,gBAAgB,GAAG,OAAO,CAAC,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;AAEzD,eAAO,MAAM,gBAAgB,EAAE,iBAAiB,CAAC,gBAAgB,CAoBhE,CAAC"}
+{"version":3,"file":"apikey.d.ts","sourceRoot":"","sources":["../../src/auth/apikey.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAC;AAIpE,MAAM,MAAM,YAAY,GAAG;IACzB,MAAM,EAAE,MAAM,CAAC;CAChB,CAAC;AAEF,eAAO,MAAM,UAAU,EAAE,mBAAmB,CAAC,YAAY,CAUxD,CAAC"}

package/dist/auth/apikey.js

@@ -1,16 +1,11 @@
-const APIKEY_ENV_NAME = "FAABLE_APIKEY";
-export const createApikeyAuth = (apikey) => {
-    // Default to environment variable
-    apikey = apikey || process.env[APIKEY_ENV_NAME];
+export const authApikey = (config) => {
+    const apikey = config?.apikey;
     if (!apikey) {
-        throw new Error(`[@faable/deploy-sdk] No apikey passed to createApikeyAuth. Pass an apikey or use ${APIKEY_ENV_NAME} environment variable`);
+        throw new Error("authApikey: `auth.apikey` is required (no env fallback)");
     }
-    const auth = async () => {
-        return {
-            headers: {
-                authorization: `basic ${btoa(`${apikey}:${apikey}`)}`,
-            },
-        };
+    return {
+        headers: async () => ({
+            authorization: `basic ${btoa(`${apikey}:${apikey}`)}`,
+        }),
     };
-    return Object.assign(auth, { hook: auth });
 };

package/dist/auth/client_credentials/client_credentials.d.ts

@@ -1,11 +1,8 @@
-import type { StrategyInterface } from "../../types/StrategyInterface.js";
-type Params = {
+import type { AuthStrategyBuilder } from "../../types/AuthStrategy.js";
+export type ClientCredentialsConfig = {
     client_id: string;
     client_secret: string;
-    domain: string;
-    debug?: boolean;
+    domain?: string;
 };
-export type ClientCredentialsAuthParams = Partial<[Partial<Params>]>;
-export declare const createClientCredentials: StrategyInterface<ClientCredentialsAuthParams>;
-export {};
+export declare const authClientCredentials: AuthStrategyBuilder<ClientCredentialsConfig>;
 //# sourceMappingURL=client_credentials.d.ts.map

package/dist/auth/client_credentials/client_credentials.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"client_credentials.d.ts","sourceRoot":"","sources":["../../../src/auth/client_credentials/client_credentials.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,kCAAkC,CAAC;AAK1E,KAAK,MAAM,GAAG;IACZ,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB,CAAC;AAEF,MAAM,MAAM,2BAA2B,GAAG,OAAO,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;AAWrE,eAAO,MAAM,uBAAuB,EAAE,iBAAiB,CACrD,2BAA2B,CAgG5B,CAAC"}
+{"version":3,"file":"client_credentials.d.ts","sourceRoot":"","sources":["../../../src/auth/client_credentials/client_credentials.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAC;AASvE,MAAM,MAAM,uBAAuB,GAAG;IACpC,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;IAMtB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,CAAC;AAOF,eAAO,MAAM,qBAAqB,EAAE,mBAAmB,CACrD,uBAAuB,CA+ExB,CAAC"}

package/dist/auth/client_credentials/client_credentials.js

@@ -1,57 +1,50 @@
 import { fetcher_axios } from "../../fetcher/fetcher_axios.js";
 import { createTokenStore } from "./store.js";
 import PQueue from "p-queue";
-const CLIENT_ID_ENV = "FAABLEAUTH_CLIENT_ID";
-const CLIENT_SECRET_ENV = "FAABLEAUTH_CLIENT_SECRET";
-const AUTH_DOMAIN = "FAABLEAUTH_DOMAIN";
 // Refresh the cached token this many seconds before its real expiry, so a
 // request that starts just before the boundary doesn't ship a token that
 // expires mid-flight.
 const EXPIRY_SKEW_SECONDS = 60;
-export const createClientCredentials = (params) => {
-    const client_id = params?.client_id || process.env[CLIENT_ID_ENV];
-    const client_secret = params?.client_secret || process.env[CLIENT_SECRET_ENV];
-    const auth_domain = params?.domain || process.env[AUTH_DOMAIN];
-    const debug = params?.debug;
+export const authClientCredentials = (config, context) => {
+    const client_id = config?.client_id;
+    const client_secret = config?.client_secret;
+    // `domain` (the auth host whose /oauth/token we hit) defaults to the api's
+    // own `domain` (injected via context), so for auth-sdk the SDK and the token
+    // endpoint always agree. An explicit `config.domain` overrides it for apis
+    // whose baseURL is not the auth server (e.g. the deploy api).
+    const auth_domain = config?.domain ?? context?.domain;
+    const debug = context?.debug;
     if (!client_id) {
-        throw new Error(`No client_id set in createClientCredentials. Use ${CLIENT_ID_ENV} environment variable`);
+        throw new Error("authClientCredentials: `auth.client_id` is required (no env fallback)");
     }
     if (!client_secret) {
-        throw new Error(`No client_secret set in createClientCredentials. Use ${CLIENT_SECRET_ENV} environment variable`);
+        throw new Error("authClientCredentials: `auth.client_secret` is required (no env fallback)");
     }
     if (!auth_domain) {
-        throw new Error(`No domain set in createClientCredentials. Use ${AUTH_DOMAIN} environment variable`);
+        throw new Error("authClientCredentials: `domain` is required — pass it to the api (FaableAuthApi.create({ domain, ... }))");
     }
     const store = createTokenStore({ debug });
     const queue = new PQueue({ concurrency: 1, timeout: 20 * 1000 });
     const isTokenExpired = (token, issued_at) => {
         const { expires_in } = token;
-        // `expires_in` is in SECONDS (OAuth 2.0 §5.1), but `issued_at` and
-        // `Date.now()` are in MILLISECONDS. The previous code compared
-        // `issued_at + expires_in` (ms + s) against `Date.now()` (ms), so a
-        // 24h (86400s) token was treated as expired after ~86s — causing the
-        // SDK to re-request a token ~1000× more often than needed and hammer
-        // the /oauth/token endpoint. Convert to ms and refresh a bit early
-        // (skew) so an in-flight request never ships an about-to-expire token.
+        // `expires_in` is SECONDS (OAuth 2.0 §5.1); `issued_at`/`Date.now()` are ms.
+        // Convert and refresh a bit early (skew) so an in-flight request never
+        // ships an about-to-expire token.
         const expires_at = issued_at + (expires_in - EXPIRY_SKEW_SECONDS) * 1000;
         return expires_at < Date.now();
     };
-    const fetcher = fetcher_axios({
-        baseURL: auth_domain,
-    });
+    const fetcher = fetcher_axios({ baseURL: auth_domain });
     const requestToken = async () => {
         const params = new URLSearchParams();
         params.append("grant_type", "client_credentials");
         params.append("client_id", client_id);
         params.append("client_secret", client_secret);
         const token_response = await fetcher.post("/oauth/token", params);
-        // Save token in store
         store.saveTokenResponse(token_response);
         return token_response;
     };
     const getToken = async () => {
-        let res = store.getTokenResponse();
-        // We don't have a token or it's expired
+        const res = store.getTokenResponse();
         if (!res || isTokenExpired(res.response, res.iat)) {
             return requestToken();
         }
@@ -64,16 +57,10 @@ export const createClientCredentials = (params) => {
         }
         return token;
     };
-    const auth = async () => {
-        const key = `token-${Math.floor(Math.random() * 1000).toFixed(0)}`;
-        debug && console.time(key);
-        let token = await getTokenWithLimits();
-        debug && console.timeLog(key, "completed token fetch");
-        return {
-            headers: {
-                authorization: `Bearer ${token.access_token}`,
-            },
-        };
+    return {
+        headers: async () => {
+            const token = await getTokenWithLimits();
+            return { authorization: `Bearer ${token.access_token}` };
+        },
     };
-    return Object.assign(auth, { hook: auth });
 };

package/dist/fetcher/fetcher_axios.d.ts

@@ -1,4 +1,9 @@
 import type { Fetcher } from "./Fetcher.js";
 import type { ApiParams } from "../FaableApi.js";
-export declare const fetcher_axios: (params?: ApiParams) => Fetcher;
+import type { AuthStrategy } from "../types/AuthStrategy.js";
+type FetcherParams = ApiParams<any> & {
+    strategy?: AuthStrategy;
+};
+export declare const fetcher_axios: (params?: FetcherParams) => Fetcher;
+export {};
 //# sourceMappingURL=fetcher_axios.d.ts.map

package/dist/fetcher/fetcher_axios.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"fetcher_axios.d.ts","sourceRoot":"","sources":["../../src/fetcher/fetcher_axios.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,OAAO,EAAiB,MAAM,cAAc,CAAC;AAC3D,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAiBjD,eAAO,MAAM,aAAa,YAAY,SAAS,KAAQ,OAkItD,CAAC"}
+{"version":3,"file":"fetcher_axios.d.ts","sourceRoot":"","sources":["../../src/fetcher/fetcher_axios.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,OAAO,EAAiB,MAAM,cAAc,CAAC;AAC3D,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAI7D,KAAK,aAAa,GAAG,SAAS,CAAC,GAAG,CAAC,GAAG;IAAE,QAAQ,CAAC,EAAE,YAAY,CAAA;CAAE,CAAC;AAiBlE,eAAO,MAAM,aAAa,YAAY,aAAa,KAAQ,OAqJ1D,CAAC"}

package/dist/fetcher/fetcher_axios.js

@@ -20,8 +20,13 @@ export const fetcher_axios = (params = {}) => {
         ...(params.fetcher || {}),
     });
     instance.interceptors.request.use(async (req) => {
-        const auth_data = params.auth && (await params.auth.hook());
-        req.headers.set(auth_data?.headers || {});
+        const headers = params.strategy
+            ? await params.strategy.headers()
+            : undefined;
+        req.headers.set(headers || {});
+        // Stamp a start time so the response interceptor can report latency to the
+        // pluggable observer.
+        req.__startTime = Date.now();
         return req;
     });
     // Add base interceptor
@@ -30,6 +35,21 @@ export const fetcher_axios = (params = {}) => {
             const queryparams = new URLSearchParams(res.config.params);
             console.log(`[${res.status}] ${res.config.url}${queryparams.size > 0 ? `?${queryparams.toString()}` : ""}`);
         }
+        // Pluggable per-response hook (metrics, etc.). Never let it break a request.
+        if (params.requestObserver) {
+            try {
+                const start = res.config.__startTime;
+                params.requestObserver({
+                    method: (res.config.method ?? "get").toUpperCase(),
+                    url: res.config.url ?? "",
+                    status: res.status,
+                    durationMs: start ? Date.now() - start : 0,
+                });
+            }
+            catch {
+                // ignore observer errors
+            }
+        }
         return res;
     }, handleErrorInterceptor);
     // Opt-in in-memory ETag cache (per fetcher instance). Keyed by url + params

package/dist/index.d.ts

@@ -1,4 +1,5 @@
 export * from "./FaableApi.js";
+export * from "./types/AuthStrategy.js";
 export * from "./auth/apikey.js";
 export * from "./auth/client_credentials/client_credentials.js";
 export * from "./helpers/FaableApiError.js";

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,gBAAgB,CAAC;AAC/B,cAAc,kBAAkB,CAAC;AACjC,cAAc,iDAAiD,CAAC;AAChE,cAAc,6BAA6B,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,gBAAgB,CAAC;AAC/B,cAAc,yBAAyB,CAAC;AACxC,cAAc,kBAAkB,CAAC;AACjC,cAAc,iDAAiD,CAAC;AAChE,cAAc,6BAA6B,CAAC"}

package/dist/index.js

@@ -1,4 +1,5 @@
 export * from "./FaableApi.js";
+export * from "./types/AuthStrategy.js";
 export * from "./auth/apikey.js";
 export * from "./auth/client_credentials/client_credentials.js";
 export * from "./helpers/FaableApiError.js";

package/dist/types/AuthStrategy.d.ts

@@ -0,0 +1,9 @@
+export type AuthStrategy = {
+    headers: () => Promise<Record<string, string>>;
+};
+export type AuthStrategyContext = {
+    domain?: string;
+    debug?: boolean;
+};
+export type AuthStrategyBuilder<TConfig = unknown> = (config: TConfig, context?: AuthStrategyContext) => AuthStrategy;
+//# sourceMappingURL=AuthStrategy.d.ts.map

package/dist/types/AuthStrategy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthStrategy.d.ts","sourceRoot":"","sources":["../../src/types/AuthStrategy.ts"],"names":[],"mappings":"AAaA,MAAM,MAAM,YAAY,GAAG;IAGzB,OAAO,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;CAChD,CAAC;AAIF,MAAM,MAAM,mBAAmB,GAAG;IAChC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB,CAAC;AAEF,MAAM,MAAM,mBAAmB,CAAC,OAAO,GAAG,OAAO,IAAI,CACnD,MAAM,EAAE,OAAO,EACf,OAAO,CAAC,EAAE,mBAAmB,KAC1B,YAAY,CAAC"}

package/dist/types/AuthStrategy.js

@@ -0,0 +1,13 @@
+// Octokit-style pluggable authentication.
+//
+// An `AuthStrategyBuilder<TConfig>` is a factory the caller passes as
+// `authStrategy`. It receives the explicit `auth` config (TConfig) as its first
+// argument so TypeScript can INFER TConfig from the chosen strategy — i.e.
+// passing `authStrategy: authClientCredentials` makes the editor require/
+// autocomplete `auth: { client_id, client_secret }`. The api `domain`/`debug`
+// are injected separately as `context` (kept out of TConfig so they don't
+// pollute the inferred `auth` shape).
+//
+// Strategies are EXPLICIT: they never read environment variables. The caller
+// sources credentials (env, secret manager, …) and passes them in `auth`.
+export {};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@faable/sdk-base",
-  "version": "1.3.0",
+  "version": "1.5.0",
   "author": "Marc Pomar <marc@faable.com>",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -34,6 +34,7 @@
     "generate-types": "openapi-typescript https://api.faable.com/docs/json -o src/api/types.ts",
     "prebuild": "rimraf dist",
     "build": "tsc",
+    "typecheck:tests": "tsc -p tsconfig.test.json",
     "test": "ava",
     "release": "semantic-release"
   },

package/tsconfig.test.json

@@ -0,0 +1,7 @@
+{
+  "extends": "./tsconfig.json",
+  "compilerOptions": {
+    "noEmit": true
+  },
+  "include": ["src/**/*"]
+}

package/dist/types/AuthInterface.d.ts

@@ -1,5 +0,0 @@
-export interface AuthInterface<AuthOptions extends any[], Authentication extends any> {
-    (...args: AuthOptions): Promise<Authentication>;
-    hook: (...args: AuthOptions) => Promise<Authentication>;
-}
-//# sourceMappingURL=AuthInterface.d.ts.map

package/dist/types/AuthInterface.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"AuthInterface.d.ts","sourceRoot":"","sources":["../../src/types/AuthInterface.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,aAAa,CAC5B,WAAW,SAAS,GAAG,EAAE,EACzB,cAAc,SAAS,GAAG;IAE1B,CAAC,GAAG,IAAI,EAAE,WAAW,GAAG,OAAO,CAAC,cAAc,CAAC,CAAC;IAChD,IAAI,EAAE,CAAC,GAAG,IAAI,EAAE,WAAW,KAAK,OAAO,CAAC,cAAc,CAAC,CAAC;CACzD"}

package/dist/types/AuthInterface.js

@@ -1 +0,0 @@
-export {};

package/dist/types/StrategyInterface.d.ts

@@ -1,5 +0,0 @@
-import type { AuthInterface } from "./AuthInterface.js";
-export interface StrategyInterface<StrategyOptions extends any[], AuthOptions extends any[] = any, Authentication extends any = any> {
-    (...args: StrategyOptions): AuthInterface<AuthOptions, Authentication>;
-}
-//# sourceMappingURL=StrategyInterface.d.ts.map

package/dist/types/StrategyInterface.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"StrategyInterface.d.ts","sourceRoot":"","sources":["../../src/types/StrategyInterface.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACxD,MAAM,WAAW,iBAAiB,CAChC,eAAe,SAAS,GAAG,EAAE,EAC7B,WAAW,SAAS,GAAG,EAAE,GAAG,GAAG,EAC/B,cAAc,SAAS,GAAG,GAAG,GAAG;IAEhC,CAAC,GAAG,IAAI,EAAE,eAAe,GAAG,aAAa,CAAC,WAAW,EAAE,cAAc,CAAC,CAAC;CACxE"}

package/dist/types/StrategyInterface.js

@@ -1 +0,0 @@
-export {};