@hearth-auth/sdk 0.0.1 → 1.0.1

package/dist/admin.d.ts

@@ -0,0 +1,43 @@
+import type { CreateRealmParams, CreateUserParams, PageResponse, Realm, UpdateRealmParams, UpdateUserParams, User } from "./types.js";
+/**
+ * Admin API client for Hearth.
+ *
+ * Requires a valid admin access token. All operations go through
+ * the /admin/* endpoints which enforce RBAC admin role checks.
+ */
+export declare class AdminClient {
+    private readonly baseUrl;
+    private readonly realmId;
+    private readonly accessToken;
+    constructor(baseUrl: string, realmId: string, accessToken: string);
+    /** POST /admin/users — create a user. */
+    createUser(params: CreateUserParams): Promise<User>;
+    /** GET /admin/users — list users with pagination. */
+    listUsers(options?: {
+        limit?: number;
+        cursor?: string;
+    }): Promise<PageResponse<User>>;
+    /** GET /admin/users/:id — get a user by ID. */
+    getUser(userId: string): Promise<User>;
+    /** PUT /admin/users/:id — update a user. */
+    updateUser(userId: string, params: UpdateUserParams): Promise<User>;
+    /** DELETE /admin/users/:id — delete a user. */
+    deleteUser(userId: string): Promise<void>;
+    /** POST /admin/realms — create a realm. */
+    createRealm(params: CreateRealmParams): Promise<Realm>;
+    /** GET /admin/realms — list realms with pagination. */
+    listRealms(options?: {
+        limit?: number;
+        cursor?: string;
+    }): Promise<PageResponse<Realm>>;
+    /** GET /admin/realms/:id — get a realm by ID. */
+    getRealm(realmId: string): Promise<Realm>;
+    /** PUT /admin/realms/:id — update a realm. */
+    updateRealm(realmId: string, params: UpdateRealmParams): Promise<Realm>;
+    /** DELETE /admin/realms/:id — delete a realm. */
+    deleteRealm(realmId: string): Promise<void>;
+    private headers;
+    private get;
+    private post;
+    private request;
+}

package/dist/admin.js

@@ -0,0 +1,126 @@
+import { HearthError } from "./client.js";
+/**
+ * Admin API client for Hearth.
+ *
+ * Requires a valid admin access token. All operations go through
+ * the /admin/* endpoints which enforce RBAC admin role checks.
+ */
+export class AdminClient {
+    baseUrl;
+    realmId;
+    accessToken;
+    constructor(baseUrl, realmId, accessToken) {
+        this.baseUrl = baseUrl;
+        this.realmId = realmId;
+        this.accessToken = accessToken;
+    }
+    // === Users ===
+    /** POST /admin/users — create a user. */
+    async createUser(params) {
+        return this.post("/admin/users", {
+            email: params.email,
+            display_name: params.displayName,
+        });
+    }
+    /** GET /admin/users — list users with pagination. */
+    async listUsers(options) {
+        const q = new URLSearchParams();
+        if (options?.limit)
+            q.set("limit", String(options.limit));
+        if (options?.cursor)
+            q.set("cursor", options.cursor);
+        return this.get(`/admin/users?${q}`);
+    }
+    /** GET /admin/users/:id — get a user by ID. */
+    async getUser(userId) {
+        return this.get(`/admin/users/${userId}`);
+    }
+    /** PUT /admin/users/:id — update a user. */
+    async updateUser(userId, params) {
+        return this.request("PATCH", `/admin/users/${userId}`, {
+            email: params.email,
+            display_name: params.displayName,
+            status: params.status,
+        });
+    }
+    /** DELETE /admin/users/:id — delete a user. */
+    async deleteUser(userId) {
+        const resp = await fetch(`${this.baseUrl}/admin/users/${userId}`, {
+            method: "DELETE",
+            headers: this.headers(),
+        });
+        if (!resp.ok) {
+            throw new HearthError(resp.status, await resp.json());
+        }
+    }
+    // === Realms ===
+    /** POST /admin/realms — create a realm. */
+    async createRealm(params) {
+        return this.post("/admin/realms", {
+            name: params.name,
+            config: params.config,
+        });
+    }
+    /** GET /admin/realms — list realms with pagination. */
+    async listRealms(options) {
+        const q = new URLSearchParams();
+        if (options?.limit)
+            q.set("limit", String(options.limit));
+        if (options?.cursor)
+            q.set("cursor", options.cursor);
+        return this.get(`/admin/realms?${q}`);
+    }
+    /** GET /admin/realms/:id — get a realm by ID. */
+    async getRealm(realmId) {
+        return this.get(`/admin/realms/${realmId}`);
+    }
+    /** PUT /admin/realms/:id — update a realm. */
+    async updateRealm(realmId, params) {
+        return this.request("PATCH", `/admin/realms/${realmId}`, {
+            name: params.name,
+            status: params.status,
+            config: params.config,
+        });
+    }
+    /** DELETE /admin/realms/:id — delete a realm. */
+    async deleteRealm(realmId) {
+        const resp = await fetch(`${this.baseUrl}/admin/realms/${realmId}`, {
+            method: "DELETE",
+            headers: this.headers(),
+        });
+        if (!resp.ok) {
+            throw new HearthError(resp.status, await resp.json());
+        }
+    }
+    headers() {
+        return {
+            "X-Realm-ID": this.realmId,
+            Authorization: `Bearer ${this.accessToken}`,
+            "Content-Type": "application/json",
+        };
+    }
+    async get(path) {
+        const resp = await fetch(`${this.baseUrl}${path}`, {
+            headers: this.headers(),
+        });
+        if (!resp.ok) {
+            throw new HearthError(resp.status, await resp.json());
+        }
+        return resp.json();
+    }
+    async post(path, body) {
+        return this.request("POST", path, body);
+    }
+    async request(method, path, body) {
+        const resp = await fetch(`${this.baseUrl}${path}`, {
+            method,
+            headers: this.headers(),
+            body: JSON.stringify(body),
+        });
+        if (!resp.ok) {
+            throw new HearthError(resp.status, await resp.json());
+        }
+        return resp.json();
+    }
+}
+//# sourceMappingURL=admin.js.map

package/dist/admin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin.js","sourceRoot":"","sources":["../src/admin.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAW1C;;;;;GAKG;AACH,MAAM,OAAO,WAAW;IAEH;IACA;IACA;IAHnB,YACmB,OAAe,EACf,OAAe,EACf,WAAmB;QAFnB,YAAO,GAAP,OAAO,CAAQ;QACf,YAAO,GAAP,OAAO,CAAQ;QACf,gBAAW,GAAX,WAAW,CAAQ;IACnC,CAAC;IAEJ,gBAAgB;IAEhB,yCAAyC;IACzC,KAAK,CAAC,UAAU,CAAC,MAAwB;QACvC,OAAO,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE;YAC/B,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,YAAY,EAAE,MAAM,CAAC,WAAW;SACjC,CAAC,CAAC;IACL,CAAC;IAED,qDAAqD;IACrD,KAAK,CAAC,SAAS,CAAC,OAGf;QACC,MAAM,CAAC,GAAG,IAAI,eAAe,EAAE,CAAC;QAChC,IAAI,OAAO,EAAE,KAAK;YAAE,CAAC,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;QAC1D,IAAI,OAAO,EAAE,MAAM;YAAE,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;QACrD,OAAO,IAAI,CAAC,GAAG,CAAC,gBAAgB,CAAC,EAAE,CAAC,CAAC;IACvC,CAAC;IAED,+CAA+C;IAC/C,KAAK,CAAC,OAAO,CAAC,MAAc;QAC1B,OAAO,IAAI,CAAC,GAAG,CAAC,gBAAgB,MAAM,EAAE,CAAC,CAAC;IAC5C,CAAC;IAED,4CAA4C;IAC5C,KAAK,CAAC,UAAU,CAAC,MAAc,EAAE,MAAwB;QACvD,OAAO,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,gBAAgB,MAAM,EAAE,EAAE;YACrD,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,YAAY,EAAE,MAAM,CAAC,WAAW;YAChC,MAAM,EAAE,MAAM,CAAC,MAAM;SACtB,CAAC,CAAC;IACL,CAAC;IAED,+CAA+C;IAC/C,KAAK,CAAC,UAAU,CAAC,MAAc;QAC7B,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,gBAAgB,MAAM,EAAE,EAAE;YAChE,MAAM,EAAE,QAAQ;YAChB,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE;SACxB,CAAC,CAAC;QACH,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;YACb,MAAM,IAAI,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;QACxD,CAAC;IACH,CAAC;IAED,iBAAiB;IAEjB,2CAA2C;IAC3C,KAAK,CAAC,WAAW,CAAC,MAAyB;QACzC,OAAO,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE;YAChC,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,MAAM,EAAE,MAAM,CAAC,MAAM;SACtB,CAAC,CAAC;IACL,CAAC;IAED,uDAAuD;IACvD,KAAK,CAAC,UAAU,CAAC,OAGhB;QACC,MAAM,CAAC,GAAG,IAAI,eAAe,EAAE,CAAC;QAChC,IAAI,OAAO,EAAE,KAAK;YAAE,CAAC,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;QAC1D,IAAI,OAAO,EAAE,MAAM;YAAE,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;QACrD,OAAO,IAAI,CAAC,GAAG,CAAC,iBAAiB,CAAC,EAAE,CAAC,CAAC;IACxC,CAAC;IAED,iDAAiD;IACjD,KAAK,CAAC,QAAQ,CAAC,OAAe;QAC5B,OAAO,IAAI,CAAC,GAAG,CAAC,iBAAiB,OAAO,EAAE,CAAC,CAAC;IAC9C,CAAC;IAED,8CAA8C;IAC9C,KAAK,CAAC,WAAW,CACf,OAAe,EACf,MAAyB;QAEzB,OAAO,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,iBAAiB,OAAO,EAAE,EAAE;YACvD,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,MAAM,EAAE,MAAM,CAAC,MAAM;SACtB,CAAC,CAAC;IACL,CAAC;IAED,iDAAiD;IACjD,KAAK,CAAC,WAAW,CAAC,OAAe;QAC/B,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,iBAAiB,OAAO,EAAE,EAAE;YAClE,MAAM,EAAE,QAAQ;YAChB,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE;SACxB,CAAC,CAAC;QACH,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;YACb,MAAM,IAAI,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;QACxD,CAAC;IACH,CAAC;IAEO,OAAO;QACb,OAAO;YACL,YAAY,EAAE,IAAI,CAAC,OAAO;YAC1B,aAAa,EAAE,UAAU,IAAI,CAAC,WAAW,EAAE;YAC3C,cAAc,EAAE,kBAAkB;SACnC,CAAC;IACJ,CAAC;IAEO,KAAK,CAAC,GAAG,CAAI,IAAY;QAC/B,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,GAAG,IAAI,EAAE,EAAE;YACjD,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE;SACxB,CAAC,CAAC;QACH,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;YACb,MAAM,IAAI,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;QACxD,CAAC;QACD,OAAO,IAAI,CAAC,IAAI,EAAgB,CAAC;IACnC,CAAC;IAEO,KAAK,CAAC,IAAI,CAAI,IAAY,EAAE,IAAa;QAC/C,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;IAC1C,CAAC;IAEO,KAAK,CAAC,OAAO,CACnB,MAAc,EACd,IAAY,EACZ,IAAa;QAEb,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,GAAG,IAAI,EAAE,EAAE;YACjD,MAAM;YACN,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE;YACvB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;SAC3B,CAAC,CAAC;QACH,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;YACb,MAAM,IAAI,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;QACxD,CAAC;QACD,OAAO,IAAI,CAAC,IAAI,EAAgB,CAAC;IACnC,CAAC;CACF"}

package/dist/browser-auth.d.ts

@@ -0,0 +1,32 @@
+import { HearthApiClient } from "./client.js";
+export declare function getAccessToken(): string | null;
+export declare function getRefreshToken(): string | null;
+export declare function getIdToken(): string | null;
+/** True iff an access token is present and not yet expired. */
+export declare function isAuthenticated(): boolean;
+export declare function clearTokens(): void;
+/** Configuration for {@link createHearthAuth}. */
+export interface AuthConfig {
+    /** OAuth 2.0 client ID. */
+    clientId: string;
+    /** Redirect URI registered for this client. */
+    redirectUri: string;
+    /** Hearth server base URL, e.g. `http://localhost:8420`. */
+    hearthUrl: string;
+    /** Realm name (slug), e.g. `"demo"`. */
+    realmSlug: string;
+}
+/** Auth facade returned by {@link createHearthAuth}. */
+export interface HearthBrowserAuth {
+    startLogin(): Promise<void>;
+    handleCallback(code: string, state: string): Promise<void>;
+    refreshAccessToken(): Promise<void>;
+    logout(): Promise<void>;
+}
+/**
+ * Create a browser-side Hearth auth facade backed entirely by the SDK.
+ *
+ * Handles the full PKCE login flow, token storage, silent refresh, and
+ * RP-initiated logout. No custom crypto or OIDC endpoint logic required.
+ */
+export declare function createHearthAuth(client: HearthApiClient, config: AuthConfig): HearthBrowserAuth;

package/dist/browser-auth.js

@@ -0,0 +1,99 @@
+import { startLogin } from "./pkce.js";
+// ── Token store ─────────────────────────────────────────────────────────────
+// Access token lives in memory only. Refresh + ID tokens survive page reloads
+// via localStorage. For stricter XSS safety, swap for an HttpOnly-cookie BFF.
+const REFRESH_KEY = "hearth_refresh_token";
+const ID_KEY = "hearth_id_token";
+let _accessToken = null;
+let _expiresAt = null;
+let _refreshTimer = null;
+export function getAccessToken() { return _accessToken; }
+export function getRefreshToken() { return localStorage.getItem(REFRESH_KEY); }
+export function getIdToken() { return localStorage.getItem(ID_KEY); }
+/** True iff an access token is present and not yet expired. */
+export function isAuthenticated() {
+    return _accessToken !== null && _expiresAt !== null && Date.now() / 1000 < _expiresAt;
+}
+export function clearTokens() {
+    _accessToken = null;
+    _expiresAt = null;
+    localStorage.removeItem(REFRESH_KEY);
+    localStorage.removeItem(ID_KEY);
+    if (_refreshTimer !== null) {
+        clearTimeout(_refreshTimer);
+        _refreshTimer = null;
+    }
+}
+function storeTokens(tokens, fallbackRefresh) {
+    _accessToken = tokens.access_token;
+    _expiresAt = Date.now() / 1000 + (tokens.expires_in ?? 3600);
+    const rt = tokens.refresh_token ?? fallbackRefresh;
+    if (rt)
+        localStorage.setItem(REFRESH_KEY, rt);
+    if (tokens.id_token)
+        localStorage.setItem(ID_KEY, tokens.id_token);
+}
+function scheduleRefresh(expiresIn, doRefresh) {
+    if (_refreshTimer !== null)
+        clearTimeout(_refreshTimer);
+    const delayMs = Math.max(expiresIn * 0.8, expiresIn - 60) * 1000;
+    _refreshTimer = setTimeout(() => { void doRefresh().catch(() => { }); }, delayMs);
+}
+const VERIFIER_KEY = "hearth_pkce_verifier";
+const STATE_KEY = "hearth_oauth_state";
+/**
+ * Create a browser-side Hearth auth facade backed entirely by the SDK.
+ *
+ * Handles the full PKCE login flow, token storage, silent refresh, and
+ * RP-initiated logout. No custom crypto or OIDC endpoint logic required.
+ */
+export function createHearthAuth(client, config) {
+    async function refreshAccessToken() {
+        const rt = getRefreshToken();
+        if (!rt)
+            throw new Error("No refresh token stored");
+        const tokens = await client.refreshTokens(config.clientId, rt);
+        storeTokens(tokens, rt);
+        scheduleRefresh(tokens.expires_in ?? 3600, refreshAccessToken);
+    }
+    return {
+        async startLogin() {
+            const { url, state, codeVerifier } = await startLogin(client, {
+                clientId: config.clientId,
+                redirectUri: config.redirectUri,
+            });
+            sessionStorage.setItem(VERIFIER_KEY, codeVerifier);
+            sessionStorage.setItem(STATE_KEY, state);
+            window.location.href = url;
+        },
+        async handleCallback(_code, state) {
+            const storedState = sessionStorage.getItem(STATE_KEY);
+            const codeVerifier = sessionStorage.getItem(VERIFIER_KEY) ?? undefined;
+            sessionStorage.removeItem(STATE_KEY);
+            sessionStorage.removeItem(VERIFIER_KEY);
+            if (storedState !== state)
+                throw new Error("State mismatch — possible CSRF");
+            const tokens = await client.handleCallback({
+                callbackUrl: window.location.href,
+                clientId: config.clientId,
+                redirectUri: config.redirectUri,
+                codeVerifier,
+            });
+            storeTokens(tokens);
+            scheduleRefresh(tokens.expires_in ?? 3600, refreshAccessToken);
+        },
+        refreshAccessToken,
+        async logout() {
+            const idToken = getIdToken();
+            clearTokens();
+            const doc = await client.discovery().catch(() => null);
+            const end = doc?.["end_session_endpoint"]
+                ?? `${config.hearthUrl}/realms/${config.realmSlug}/end_session`;
+            const params = new URLSearchParams({ post_logout_redirect_uri: window.location.origin });
+            if (idToken)
+                params.set("id_token_hint", idToken);
+            window.location.href = `${end}?${params}`;
+        },
+    };
+}
+//# sourceMappingURL=browser-auth.js.map

package/dist/browser-auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"browser-auth.js","sourceRoot":"","sources":["../src/browser-auth.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAGvC,+EAA+E;AAC/E,8EAA8E;AAC9E,8EAA8E;AAE9E,MAAM,WAAW,GAAG,sBAAsB,CAAC;AAC3C,MAAM,MAAM,GAAG,iBAAiB,CAAC;AAEjC,IAAI,YAAY,GAAkB,IAAI,CAAC;AACvC,IAAI,UAAU,GAAkB,IAAI,CAAC;AACrC,IAAI,aAAa,GAAyC,IAAI,CAAC;AAE/D,MAAM,UAAU,cAAc,KAAoB,OAAO,YAAY,CAAC,CAAC,CAAC;AACxE,MAAM,UAAU,eAAe,KAAoB,OAAO,YAAY,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC;AAC9F,MAAM,UAAU,UAAU,KAAoB,OAAO,YAAY,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;AAEpF,+DAA+D;AAC/D,MAAM,UAAU,eAAe;IAC7B,OAAO,YAAY,KAAK,IAAI,IAAI,UAAU,KAAK,IAAI,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,GAAG,UAAU,CAAC;AACxF,CAAC;AAED,MAAM,UAAU,WAAW;IACzB,YAAY,GAAG,IAAI,CAAC;IACpB,UAAU,GAAG,IAAI,CAAC;IAClB,YAAY,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC;IACrC,YAAY,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;IAChC,IAAI,aAAa,KAAK,IAAI,EAAE,CAAC;QAAC,YAAY,CAAC,aAAa,CAAC,CAAC;QAAC,aAAa,GAAG,IAAI,CAAC;IAAC,CAAC;AACpF,CAAC;AAED,SAAS,WAAW,CAAC,MAAqB,EAAE,eAAwB;IAClE,YAAY,GAAG,MAAM,CAAC,YAAY,CAAC;IACnC,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,UAAU,IAAI,IAAI,CAAC,CAAC;IAC7D,MAAM,EAAE,GAAG,MAAM,CAAC,aAAa,IAAI,eAAe,CAAC;IACnD,IAAI,EAAE;QAAE,YAAY,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;IAC9C,IAAI,MAAM,CAAC,QAAQ;QAAE,YAAY,CAAC,OAAO,CAAC,MAAM,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;AACrE,CAAC;AAED,SAAS,eAAe,CAAC,SAAiB,EAAE,SAA8B;IACxE,IAAI,aAAa,KAAK,IAAI;QAAE,YAAY,CAAC,aAAa,CAAC,CAAC;IACxD,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,SAAS,GAAG,GAAG,EAAE,SAAS,GAAG,EAAE,CAAC,GAAG,IAAI,CAAC;IACjE,aAAa,GAAG,UAAU,CAAC,GAAG,EAAE,GAAG,KAAK,SAAS,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,GAAgC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;AACjH,CAAC;AAwBD,MAAM,YAAY,GAAG,sBAAsB,CAAC;AAC5C,MAAM,SAAS,GAAG,oBAAoB,CAAC;AAEvC;;;;;GAKG;AACH,MAAM,UAAU,gBAAgB,CAC9B,MAAuB,EACvB,MAAkB;IAElB,KAAK,UAAU,kBAAkB;QAC/B,MAAM,EAAE,GAAG,eAAe,EAAE,CAAC;QAC7B,IAAI,CAAC,EAAE;YAAE,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;QACpD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;QAC/D,WAAW,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QACxB,eAAe,CAAC,MAAM,CAAC,UAAU,IAAI,IAAI,EAAE,kBAAkB,CAAC,CAAC;IACjE,CAAC;IAED,OAAO;QACL,KAAK,CAAC,UAAU;YACd,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,YAAY,EAAE,GAAG,MAAM,UAAU,CAAC,MAAM,EAAE;gBAC5D,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,WAAW,EAAE,MAAM,CAAC,WAAW;aAChC,CAAC,CAAC;YACH,cAAc,CAAC,OAAO,CAAC,YAAY,EAAE,YAAY,CAAC,CAAC;YACnD,cAAc,CAAC,OAAO,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;YACzC,MAAM,CAAC,QAAQ,CAAC,IAAI,GAAG,GAAG,CAAC;QAC7B,CAAC;QAED,KAAK,CAAC,cAAc,CAAC,KAAa,EAAE,KAAa;YAC/C,MAAM,WAAW,GAAG,cAAc,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YACtD,MAAM,YAAY,GAAG,cAAc,CAAC,OAAO,CAAC,YAAY,CAAC,IAAI,SAAS,CAAC;YACvE,cAAc,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;YACrC,cAAc,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC;YACxC,IAAI,WAAW,KAAK,KAAK;gBAAE,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;YAC7E,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,cAAc,CAAC;gBACzC,WAAW,EAAE,MAAM,CAAC,QAAQ,CAAC,IAAI;gBACjC,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,WAAW,EAAE,MAAM,CAAC,WAAW;gBAC/B,YAAY;aACb,CAAC,CAAC;YACH,WAAW,CAAC,MAAM,CAAC,CAAC;YACpB,eAAe,CAAC,MAAM,CAAC,UAAU,IAAI,IAAI,EAAE,kBAAkB,CAAC,CAAC;QACjE,CAAC;QAED,kBAAkB;QAElB,KAAK,CAAC,MAAM;YACV,MAAM,OAAO,GAAG,UAAU,EAAE,CAAC;YAC7B,WAAW,EAAE,CAAC;YACd,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,SAAS,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;YACvD,MAAM,GAAG,GAAI,GAAG,EAAE,CAAC,sBAAsB,CAAwB;mBAC5D,GAAG,MAAM,CAAC,SAAS,WAAW,MAAM,CAAC,SAAS,cAAc,CAAC;YAClE,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC,EAAE,wBAAwB,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;YACzF,IAAI,OAAO;gBAAE,MAAM,CAAC,GAAG,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC;YAClD,MAAM,CAAC,QAAQ,CAAC,IAAI,GAAG,GAAG,GAAG,IAAI,MAAM,EAAE,CAAC;QAC5C,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/claims.d.ts

@@ -0,0 +1,86 @@
+/**
+ * Spec §4 — Claims API.
+ *
+ * {@link Claims} wraps a decoded JWT payload and exposes typed accessors
+ * for standard OIDC and Hearth-specific claims.  All reads are local —
+ * no network call is made.  Signature verification is the caller's
+ * responsibility (e.g. via the JWKS endpoint before constructing Claims).
+ */
+/** Raw JWT payload shape used internally. */
+interface RawPayload {
+    sub?: string;
+    iss?: string;
+    aud?: string | string[];
+    exp?: number;
+    nbf?: number;
+    iat?: number;
+    jti?: string;
+    scope?: string;
+    scopes?: string[];
+    roles?: string[];
+    permissions?: string[];
+    groups?: string[];
+    oid?: string;
+    org_groups?: string[];
+    token_type?: string;
+    [key: string]: unknown;
+}
+/**
+ * Typed accessor for a decoded JWT's claims.
+ *
+ * Construct via {@link Claims.decode} (decodes without verifying signature)
+ * or pass a pre-decoded payload to the constructor.
+ */
+export declare class Claims {
+    private readonly payload;
+    constructor(payload: RawPayload);
+    /**
+     * Decode a JWT string into a {@link Claims} object.
+     * The signature is NOT verified — the caller must verify it separately.
+     *
+     * @throws {TokenInvalidError} if the string is not a valid JWT.
+     */
+    static decode(token: string): Claims;
+    /**
+     * Assert the token is temporally valid (not expired, past nbf).
+     *
+     * @throws {TokenExpiredError} if exp is in the past.
+     * @throws {TokenNotYetValidError} if nbf is in the future.
+     */
+    assertValid(clockSkewSeconds?: number): void;
+    /** The `sub` (subject) claim — identifies the principal that is the subject of the JWT. */
+    subject(): string;
+    /** The `iss` (issuer) claim — identifies the principal that issued the JWT. */
+    issuer(): string;
+    /** The `aud` (audiences) claim — normalized to an array. */
+    audiences(): string[];
+    /** The `exp` (expiry) claim as a Date, or null if absent. */
+    expiry(): Date | null;
+    /** The `iat` (issuedAt) claim as a Date, or null if absent. */
+    issuedAt(): Date | null;
+    /** The `jti` (JWT ID) claim, or null if absent. */
+    jwtID(): string | null;
+    /** The `scope` claim split into individual scopes (or `scopes` array if present). */
+    scopes(): string[];
+    /** Returns true iff the token contains the given scope. */
+    hasScope(scope: string): boolean;
+    /** Returns true iff the token's `roles` claim contains the given role. */
+    hasRole(role: string): boolean;
+    /** Returns true iff the token's `permissions` claim contains the given permission. */
+    hasPermission(permission: string): boolean;
+    /** The raw `scope` claim (space-delimited string), or empty string if absent. */
+    scope(): string;
+    /** Returns true iff the token's `groups` claim contains the given group. */
+    inGroup(groupId: string): boolean;
+    /** Returns true iff the token's `oid` claim exactly matches the given org ID. */
+    inOrg(orgId: string): boolean;
+    /** The `token_type` claim (`"access"`, `"refresh"`, `"required_action"`), or empty string. */
+    tokenType(): string;
+    /** The `oid` (organization ID) claim, or `undefined` if absent. */
+    organizationId(): string | undefined;
+    /** The `org_groups` claim (Keycloak-style org-scoped group paths), or empty array. */
+    orgGroups(): string[];
+    /** Access an arbitrary claim by key. */
+    get(key: string): unknown;
+}
+export {};

package/dist/claims.js

@@ -0,0 +1,137 @@
+/**
+ * Spec §4 — Claims API.
+ *
+ * {@link Claims} wraps a decoded JWT payload and exposes typed accessors
+ * for standard OIDC and Hearth-specific claims.  All reads are local —
+ * no network call is made.  Signature verification is the caller's
+ * responsibility (e.g. via the JWKS endpoint before constructing Claims).
+ */
+import { decodeJwt } from "jose";
+import { TokenExpiredError, TokenInvalidError, TokenNotYetValidError, } from "./errors.js";
+/**
+ * Typed accessor for a decoded JWT's claims.
+ *
+ * Construct via {@link Claims.decode} (decodes without verifying signature)
+ * or pass a pre-decoded payload to the constructor.
+ */
+export class Claims {
+    payload;
+    constructor(payload) {
+        this.payload = payload;
+    }
+    /**
+     * Decode a JWT string into a {@link Claims} object.
+     * The signature is NOT verified — the caller must verify it separately.
+     *
+     * @throws {TokenInvalidError} if the string is not a valid JWT.
+     */
+    static decode(token) {
+        try {
+            const payload = decodeJwt(token);
+            return new Claims(payload);
+        }
+        catch (err) {
+            throw new TokenInvalidError(`Failed to decode JWT: ${err instanceof Error ? err.message : String(err)}`);
+        }
+    }
+    /**
+     * Assert the token is temporally valid (not expired, past nbf).
+     *
+     * @throws {TokenExpiredError} if exp is in the past.
+     * @throws {TokenNotYetValidError} if nbf is in the future.
+     */
+    assertValid(clockSkewSeconds = 0) {
+        const now = Math.floor(Date.now() / 1000);
+        const exp = this.payload.exp;
+        if (exp !== undefined && now > exp + clockSkewSeconds) {
+            throw new TokenExpiredError(new Date(exp * 1000));
+        }
+        const nbf = this.payload.nbf;
+        if (nbf !== undefined && now < nbf - clockSkewSeconds) {
+            throw new TokenNotYetValidError(new Date(nbf * 1000));
+        }
+    }
+    /** The `sub` (subject) claim — identifies the principal that is the subject of the JWT. */
+    subject() {
+        return this.payload.sub ?? "";
+    }
+    /** The `iss` (issuer) claim — identifies the principal that issued the JWT. */
+    issuer() {
+        return this.payload.iss ?? "";
+    }
+    /** The `aud` (audiences) claim — normalized to an array. */
+    audiences() {
+        const aud = this.payload.aud;
+        if (!aud)
+            return [];
+        return Array.isArray(aud) ? aud : [aud];
+    }
+    /** The `exp` (expiry) claim as a Date, or null if absent. */
+    expiry() {
+        return this.payload.exp !== undefined
+            ? new Date(this.payload.exp * 1000)
+            : null;
+    }
+    /** The `iat` (issuedAt) claim as a Date, or null if absent. */
+    issuedAt() {
+        return this.payload.iat !== undefined
+            ? new Date(this.payload.iat * 1000)
+            : null;
+    }
+    /** The `jti` (JWT ID) claim, or null if absent. */
+    jwtID() {
+        return this.payload.jti ?? null;
+    }
+    /** The `scope` claim split into individual scopes (or `scopes` array if present). */
+    scopes() {
+        if (this.payload.scopes)
+            return this.payload.scopes;
+        const scope = this.payload.scope;
+        if (!scope)
+            return [];
+        return scope.split(/\s+/).filter(Boolean);
+    }
+    /** Returns true iff the token contains the given scope. */
+    hasScope(scope) {
+        return this.scopes().includes(scope);
+    }
+    /** Returns true iff the token's `roles` claim contains the given role. */
+    hasRole(role) {
+        return (this.payload.roles ?? []).includes(role);
+    }
+    /** Returns true iff the token's `permissions` claim contains the given permission. */
+    hasPermission(permission) {
+        return (this.payload.permissions ?? []).includes(permission);
+    }
+    /** The raw `scope` claim (space-delimited string), or empty string if absent. */
+    scope() {
+        return this.payload.scope ?? "";
+    }
+    /** Returns true iff the token's `groups` claim contains the given group. */
+    inGroup(groupId) {
+        const groups = this.payload.groups;
+        return Array.isArray(groups) && groups.includes(groupId);
+    }
+    /** Returns true iff the token's `oid` claim exactly matches the given org ID. */
+    inOrg(orgId) {
+        return typeof this.payload.oid === "string" && this.payload.oid === orgId;
+    }
+    /** The `token_type` claim (`"access"`, `"refresh"`, `"required_action"`), or empty string. */
+    tokenType() {
+        return this.payload.token_type ?? "";
+    }
+    /** The `oid` (organization ID) claim, or `undefined` if absent. */
+    organizationId() {
+        return this.payload.oid;
+    }
+    /** The `org_groups` claim (Keycloak-style org-scoped group paths), or empty array. */
+    orgGroups() {
+        const og = this.payload.org_groups;
+        return Array.isArray(og) ? og : [];
+    }
+    /** Access an arbitrary claim by key. */
+    get(key) {
+        return this.payload[key];
+    }
+}
+//# sourceMappingURL=claims.js.map

package/dist/claims.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"claims.js","sourceRoot":"","sources":["../src/claims.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AACjC,OAAO,EACL,iBAAiB,EACjB,iBAAiB,EACjB,qBAAqB,GACtB,MAAM,aAAa,CAAC;AAsBrB;;;;;GAKG;AACH,MAAM,OAAO,MAAM;IACA,OAAO,CAAa;IAErC,YAAY,OAAmB;QAC7B,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;IACzB,CAAC;IAED;;;;;OAKG;IACH,MAAM,CAAC,MAAM,CAAC,KAAa;QACzB,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,CAAe,CAAC;YAC/C,OAAO,IAAI,MAAM,CAAC,OAAO,CAAC,CAAC;QAC7B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,iBAAiB,CACzB,yBAAyB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAC5E,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,WAAW,CAAC,gBAAgB,GAAG,CAAC;QAC9B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC;QAC7B,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,GAAG,GAAG,GAAG,gBAAgB,EAAE,CAAC;YACtD,MAAM,IAAI,iBAAiB,CAAC,IAAI,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC;QACpD,CAAC;QACD,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC;QAC7B,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,GAAG,GAAG,GAAG,gBAAgB,EAAE,CAAC;YACtD,MAAM,IAAI,qBAAqB,CAAC,IAAI,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC;QACxD,CAAC;IACH,CAAC;IAED,2FAA2F;IAC3F,OAAO;QACL,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,EAAE,CAAC;IAChC,CAAC;IAED,+EAA+E;IAC/E,MAAM;QACJ,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,EAAE,CAAC;IAChC,CAAC;IAED,4DAA4D;IAC5D,SAAS;QACP,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC;QAC7B,IAAI,CAAC,GAAG;YAAE,OAAO,EAAE,CAAC;QACpB,OAAO,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IAC1C,CAAC;IAED,6DAA6D;IAC7D,MAAM;QACJ,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,KAAK,SAAS;YACnC,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC;YACnC,CAAC,CAAC,IAAI,CAAC;IACX,CAAC;IAED,+DAA+D;IAC/D,QAAQ;QACN,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,KAAK,SAAS;YACnC,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC;YACnC,CAAC,CAAC,IAAI,CAAC;IACX,CAAC;IAED,mDAAmD;IACnD,KAAK;QACH,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,IAAI,CAAC;IAClC,CAAC;IAED,qFAAqF;IACrF,MAAM;QACJ,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC;QACpD,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC;QACjC,IAAI,CAAC,KAAK;YAAE,OAAO,EAAE,CAAC;QACtB,OAAO,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC5C,CAAC;IAED,2DAA2D;IAC3D,QAAQ,CAAC,KAAa;QACpB,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IACvC,CAAC;IAED,0EAA0E;IAC1E,OAAO,CAAC,IAAY;QAClB,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IACnD,CAAC;IAED,sFAAsF;IACtF,aAAa,CAAC,UAAkB;QAC9B,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;IAC/D,CAAC;IAED,iFAAiF;IACjF,KAAK;QACH,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,IAAI,EAAE,CAAC;IAClC,CAAC;IAED,4EAA4E;IAC5E,OAAO,CAAC,OAAe;QACrB,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC;QACnC,OAAO,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IAC3D,CAAC;IAED,iFAAiF;IACjF,KAAK,CAAC,KAAa;QACjB,OAAO,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,KAAK,KAAK,CAAC;IAC5E,CAAC;IAED,8FAA8F;IAC9F,SAAS;QACP,OAAO,IAAI,CAAC,OAAO,CAAC,UAAU,IAAI,EAAE,CAAC;IACvC,CAAC;IAED,mEAAmE;IACnE,cAAc;QACZ,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC;IAC1B,CAAC;IAED,sFAAsF;IACtF,SAAS;QACP,MAAM,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC;QACnC,OAAO,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IACrC,CAAC;IAED,wCAAwC;IACxC,GAAG,CAAC,GAAW;QACb,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC;CACF"}

package/dist/client.d.ts

@@ -0,0 +1,77 @@
+import type { AuthorizeParams, AuthorizeResponse, BootstrapResponse, JwksDocument, MePermissionsResponse, RegisterClientParams, OAuthClient, TokenExchangeParams, TokenResponse, UserInfoResponse } from "./types.js";
+/** Parameters for the PKCE authorization-code callback handler (spec §7). */
+export interface HandleCallbackParams {
+    /** Full callback URL including query parameters (`code`, `state`, etc.). */
+    callbackUrl: string;
+    /** OAuth 2.0 client ID. */
+    clientId: string;
+    /** Redirect URI registered for this client. */
+    redirectUri: string;
+    /** PKCE code verifier generated during `login()` (RFC 7636). */
+    codeVerifier?: string;
+}
+/** Error thrown when the Hearth API returns an error. */
+export declare class HearthError extends Error {
+    readonly status: number;
+    readonly body: unknown;
+    constructor(status: number, body: unknown);
+}
+/** Configuration for HearthApiClient. */
+export interface HearthApiClientConfig {
+    baseUrl: string;
+    realmId: string;
+}
+/**
+ * Low-level Hearth HTTP API client for auth code flows, token management,
+ * JWKS retrieval, and live RBAC claim resolution.
+ *
+ * @deprecated Use {@link HearthClient} from `hearth-client.js` as the
+ * recommended entry point. This class is kept as a lower-level primitive.
+ */
+export declare class HearthApiClient {
+    private readonly baseUrl;
+    private readonly realmId;
+    constructor(config: HearthApiClientConfig);
+    /** POST /admin/bootstrap — create realm, admin user, tokens (dev mode only). */
+    static bootstrap(baseUrl: string): Promise<BootstrapResponse>;
+    /** POST /clients — register an OAuth 2.0 client. */
+    registerClient(params: RegisterClientParams): Promise<OAuthClient>;
+    /** POST /authorize — initiate an authorization code flow. */
+    authorize(params: AuthorizeParams): Promise<AuthorizeResponse>;
+    /** POST /token — exchange an authorization code for tokens. */
+    exchangeCode(params: TokenExchangeParams): Promise<TokenResponse>;
+    /**
+     * Handle a PKCE authorization-code callback (spec §7).
+     *
+     * Extracts the `code` from `callbackUrl`, exchanges it for tokens, then
+     * inspects the JWT's `token_type` claim before returning:
+     *
+     * - If `token_type === "required_action"`: throws {@link RequiredActionError}
+     *   with `requiredActions` populated from the JWT's `required_actions` claim.
+     * - If the callback URL contains `required_action_redirect_uri`: throws
+     *   {@link RequiredActionError} with `redirectUri` set to that value.
+     * - Otherwise: returns the token response normally.
+     */
+    handleCallback(params: HandleCallbackParams): Promise<TokenResponse>;
+    /** POST /token — refresh tokens using a refresh token. */
+    refreshTokens(clientId: string, refreshToken: string): Promise<TokenResponse>;
+    /**
+     * GET /v1/me/permissions — fetch the freshly-resolved RBAC claim set
+     * for the bearer-token user.
+     *
+     * Unlike `hasPermission()` on a `createHearth()` client (which reads
+     * the cached set from the JWT), this call queries the server and
+     * reflects any role/group assignments made since the token was issued.
+     */
+    permissions(accessToken: string): Promise<MePermissionsResponse>;
+    /** GET /userinfo — retrieve user claims using an access token. */
+    userinfo(accessToken: string): Promise<UserInfoResponse>;
+    /** GET /jwks — retrieve the JWKS document. */
+    jwks(): Promise<JwksDocument>;
+    /** GET /.well-known/openid-configuration — OIDC discovery document. */
+    discovery(): Promise<Record<string, unknown>>;
+    /** Creates an AdminClient using the given access token. */
+    admin(accessToken: string): AdminClient;
+    private post;
+}
+import { AdminClient } from "./admin.js";