@hotmeshio/long-tail 0.1.0

package/build/services/oauth/db.js

@@ -0,0 +1,140 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.upsertOAuthToken = upsertOAuthToken;
+exports.getOAuthToken = getOAuthToken;
+exports.getFreshAccessToken = getFreshAccessToken;
+exports.listOAuthConnections = listOAuthConnections;
+exports.deleteOAuthConnection = deleteOAuthConnection;
+exports.getUserByOAuthProvider = getUserByOAuthProvider;
+const db_1 = require("../db");
+const crypto_1 = require("./crypto");
+const providers_1 = require("./providers");
+const crud_1 = require("../user/crud");
+// ── SQL ──────────────────────────────────────────────────────────────────────
+const UPSERT_TOKEN = `
+  INSERT INTO lt_oauth_tokens
+    (user_id, provider, label, access_token_enc, refresh_token_enc, token_type, scopes,
+     expires_at, provider_user_id, provider_email, metadata)
+  VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11)
+  ON CONFLICT (user_id, provider, label) DO UPDATE SET
+    access_token_enc = EXCLUDED.access_token_enc,
+    refresh_token_enc = COALESCE(EXCLUDED.refresh_token_enc, lt_oauth_tokens.refresh_token_enc),
+    token_type = EXCLUDED.token_type,
+    scopes = EXCLUDED.scopes,
+    expires_at = EXCLUDED.expires_at,
+    provider_user_id = EXCLUDED.provider_user_id,
+    provider_email = COALESCE(EXCLUDED.provider_email, lt_oauth_tokens.provider_email),
+    metadata = COALESCE(EXCLUDED.metadata, lt_oauth_tokens.metadata)
+  RETURNING id`;
+const GET_TOKEN = `
+  SELECT * FROM lt_oauth_tokens WHERE user_id = $1 AND provider = $2 AND label = $3`;
+const GET_TOKEN_DEFAULT = `
+  SELECT * FROM lt_oauth_tokens WHERE user_id = $1 AND provider = $2 AND label = 'default'`;
+const LIST_CONNECTIONS = `
+  SELECT provider, label, provider_email, scopes, expires_at, metadata
+  FROM lt_oauth_tokens WHERE user_id = $1 ORDER BY provider, label`;
+const DELETE_TOKEN = `
+  DELETE FROM lt_oauth_tokens WHERE user_id = $1 AND provider = $2 AND label = $3`;
+const DELETE_TOKEN_DEFAULT = `
+  DELETE FROM lt_oauth_tokens WHERE user_id = $1 AND provider = $2 AND label = 'default'`;
+const GET_USER_BY_OAUTH = `
+  SELECT * FROM lt_users WHERE oauth_provider = $1 AND oauth_provider_id = $2`;
+// ── Database operations ──────────────────────────────────────────────────────
+async function upsertOAuthToken(userId, provider, tokens, scopes, providerUserId, providerEmail, metadata, label = 'default') {
+    const pool = await (0, db_1.getPool)();
+    const result = await pool.query(UPSERT_TOKEN, [
+        userId,
+        provider,
+        label,
+        (0, crypto_1.encrypt)(tokens.accessToken),
+        tokens.refreshToken ? (0, crypto_1.encrypt)(tokens.refreshToken) : null,
+        'bearer',
+        scopes,
+        tokens.accessTokenExpiresAt,
+        providerUserId,
+        providerEmail,
+        metadata ? JSON.stringify(metadata) : null,
+    ]);
+    return result.rows[0].id;
+}
+async function getOAuthToken(userId, provider, label) {
+    const pool = await (0, db_1.getPool)();
+    const { rows } = label
+        ? await pool.query(GET_TOKEN, [userId, provider, label])
+        : await pool.query(GET_TOKEN_DEFAULT, [userId, provider]);
+    if (rows.length === 0)
+        return null;
+    const row = rows[0];
+    return {
+        accessToken: (0, crypto_1.decrypt)(row.access_token_enc),
+        refreshToken: row.refresh_token_enc ? (0, crypto_1.decrypt)(row.refresh_token_enc) : null,
+        expiresAt: row.expires_at ? new Date(row.expires_at) : null,
+        scopes: row.scopes || [],
+        provider: row.provider,
+        label: row.label,
+    };
+}
+/**
+ * Get a fresh access token, refreshing if expired.
+ * Returns the access token string ready for use in API calls.
+ */
+async function getFreshAccessToken(userId, provider, label) {
+    const token = await getOAuthToken(userId, provider, label);
+    if (!token) {
+        const suffix = label && label !== 'default' ? ` (label: "${label}")` : '';
+        throw new Error(`No OAuth connection for provider "${provider}"${suffix} and user "${userId}"`);
+    }
+    // If not expired (with 60s buffer), return as-is
+    if (token.expiresAt && token.expiresAt.getTime() > Date.now() + 60_000) {
+        return token;
+    }
+    // If no expiry set (e.g., GitHub, Anthropic API keys), return as-is
+    if (!token.expiresAt) {
+        return token;
+    }
+    // Refresh the token
+    if (!token.refreshToken) {
+        throw new Error(`Token expired for provider "${provider}" and no refresh token available`);
+    }
+    const handler = (0, providers_1.getProvider)(provider);
+    if (!handler) {
+        throw new Error(`OAuth provider "${provider}" not configured`);
+    }
+    const refreshed = await handler.refreshAccessToken(token.refreshToken);
+    await upsertOAuthToken(userId, provider, refreshed, token.scopes, '', // providerUserId unchanged (ON CONFLICT UPDATE keeps existing)
+    null, undefined, token.label);
+    return {
+        accessToken: refreshed.accessToken,
+        refreshToken: refreshed.refreshToken,
+        expiresAt: refreshed.accessTokenExpiresAt,
+        scopes: token.scopes,
+        provider,
+        label: token.label,
+    };
+}
+async function listOAuthConnections(userId) {
+    const pool = await (0, db_1.getPool)();
+    const { rows } = await pool.query(LIST_CONNECTIONS, [userId]);
+    return rows.map((r) => ({
+        provider: r.provider,
+        label: r.label,
+        email: r.provider_email,
+        scopes: r.scopes || [],
+        expires_at: r.expires_at ? new Date(r.expires_at).toISOString() : null,
+        credential_type: r.metadata?.credential_type ?? null,
+    }));
+}
+async function deleteOAuthConnection(userId, provider, label) {
+    const pool = await (0, db_1.getPool)();
+    const result = label
+        ? await pool.query(DELETE_TOKEN, [userId, provider, label])
+        : await pool.query(DELETE_TOKEN_DEFAULT, [userId, provider]);
+    return (result.rowCount ?? 0) > 0;
+}
+async function getUserByOAuthProvider(provider, providerUserId) {
+    const pool = await (0, db_1.getPool)();
+    const { rows } = await pool.query(GET_USER_BY_OAUTH, [provider, providerUserId]);
+    if (!rows[0])
+        return null;
+    return (0, crud_1.attachRoles)(rows[0]);
+}

package/build/services/oauth/index.d.ts

@@ -0,0 +1,12 @@
+import type { LTOAuthStartConfig } from '../../types/oauth';
+export { encrypt, decrypt, getEncryptionKey, setEncryptionKey } from './crypto';
+export { createOAuthState, consumeOAuthState } from './state';
+export { registerProvider, getProvider, listProviders } from './providers';
+export type { ProviderHandler, OAuthTokens } from './providers';
+export { upsertOAuthToken, getOAuthToken, getFreshAccessToken, listOAuthConnections, deleteOAuthConnection, getUserByOAuthProvider, } from './db';
+/**
+ * Initialize the OAuth service.
+ * Called from start.ts when auth.oauth is configured.
+ * Also scans environment variables for provider credentials.
+ */
+export declare function initializeOAuth(config?: LTOAuthStartConfig): void;

package/build/services/oauth/index.js

@@ -0,0 +1,77 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getUserByOAuthProvider = exports.deleteOAuthConnection = exports.listOAuthConnections = exports.getFreshAccessToken = exports.getOAuthToken = exports.upsertOAuthToken = exports.listProviders = exports.getProvider = exports.registerProvider = exports.consumeOAuthState = exports.createOAuthState = exports.setEncryptionKey = exports.getEncryptionKey = exports.decrypt = exports.encrypt = void 0;
+exports.initializeOAuth = initializeOAuth;
+const crypto_1 = require("./crypto");
+const providers_1 = require("./providers");
+const logger_1 = require("../logger");
+var crypto_2 = require("./crypto");
+Object.defineProperty(exports, "encrypt", { enumerable: true, get: function () { return crypto_2.encrypt; } });
+Object.defineProperty(exports, "decrypt", { enumerable: true, get: function () { return crypto_2.decrypt; } });
+Object.defineProperty(exports, "getEncryptionKey", { enumerable: true, get: function () { return crypto_2.getEncryptionKey; } });
+Object.defineProperty(exports, "setEncryptionKey", { enumerable: true, get: function () { return crypto_2.setEncryptionKey; } });
+var state_1 = require("./state");
+Object.defineProperty(exports, "createOAuthState", { enumerable: true, get: function () { return state_1.createOAuthState; } });
+Object.defineProperty(exports, "consumeOAuthState", { enumerable: true, get: function () { return state_1.consumeOAuthState; } });
+var providers_2 = require("./providers");
+Object.defineProperty(exports, "registerProvider", { enumerable: true, get: function () { return providers_2.registerProvider; } });
+Object.defineProperty(exports, "getProvider", { enumerable: true, get: function () { return providers_2.getProvider; } });
+Object.defineProperty(exports, "listProviders", { enumerable: true, get: function () { return providers_2.listProviders; } });
+var db_1 = require("./db");
+Object.defineProperty(exports, "upsertOAuthToken", { enumerable: true, get: function () { return db_1.upsertOAuthToken; } });
+Object.defineProperty(exports, "getOAuthToken", { enumerable: true, get: function () { return db_1.getOAuthToken; } });
+Object.defineProperty(exports, "getFreshAccessToken", { enumerable: true, get: function () { return db_1.getFreshAccessToken; } });
+Object.defineProperty(exports, "listOAuthConnections", { enumerable: true, get: function () { return db_1.listOAuthConnections; } });
+Object.defineProperty(exports, "deleteOAuthConnection", { enumerable: true, get: function () { return db_1.deleteOAuthConnection; } });
+Object.defineProperty(exports, "getUserByOAuthProvider", { enumerable: true, get: function () { return db_1.getUserByOAuthProvider; } });
+/** Well-known env var patterns for auto-detecting OAuth providers. */
+const ENV_PROVIDERS = [
+    { provider: 'google', idVar: 'OAUTH_GOOGLE_CLIENT_ID', secretVar: 'OAUTH_GOOGLE_CLIENT_SECRET' },
+    { provider: 'github', idVar: 'OAUTH_GITHUB_CLIENT_ID', secretVar: 'OAUTH_GITHUB_CLIENT_SECRET' },
+    { provider: 'microsoft', idVar: 'OAUTH_MICROSOFT_CLIENT_ID', secretVar: 'OAUTH_MICROSOFT_CLIENT_SECRET' },
+    { provider: 'mock', idVar: 'OAUTH_MOCK_CLIENT_ID', secretVar: 'OAUTH_MOCK_CLIENT_SECRET' },
+];
+/**
+ * Credential-only providers that register unconditionally.
+ * These don't use real OAuth (no clientId/clientSecret needed) —
+ * they store user-provided API keys via a dashboard form.
+ */
+const CREDENTIAL_PROVIDERS = [
+    { provider: 'anthropic', clientId: 'credential-flow', clientSecret: 'n/a', scopes: [] },
+];
+/**
+ * Initialize the OAuth service.
+ * Called from start.ts when auth.oauth is configured.
+ * Also scans environment variables for provider credentials.
+ */
+function initializeOAuth(config) {
+    // Set encryption key
+    const encKey = config?.encryptionKey || process.env.OAUTH_ENCRYPTION_KEY;
+    if (encKey) {
+        (0, crypto_1.setEncryptionKey)(encKey);
+    }
+    // Register providers from startup config
+    if (config?.providers) {
+        for (const p of config.providers) {
+            (0, providers_1.registerProvider)(p);
+        }
+    }
+    // Auto-detect providers from environment variables
+    for (const { provider, idVar, secretVar } of ENV_PROVIDERS) {
+        const clientId = process.env[idVar];
+        const clientSecret = process.env[secretVar];
+        if (clientId && clientSecret && !(0, providers_1.getProvider)(provider)) {
+            (0, providers_1.registerProvider)({ provider, clientId, clientSecret, scopes: [] });
+        }
+    }
+    // Register built-in credential providers (API key paste flow, no real OAuth)
+    for (const cfg of CREDENTIAL_PROVIDERS) {
+        if (!(0, providers_1.getProvider)(cfg.provider)) {
+            (0, providers_1.registerProvider)(cfg);
+        }
+    }
+    const registered = (0, providers_1.listProviders)();
+    if (registered.length > 0) {
+        logger_1.loggerRegistry.info(`[oauth] initialized with ${registered.length} provider(s): ${registered.map((p) => p.provider).join(', ')}`);
+    }
+}

package/build/services/oauth/providers/anthropic.d.ts

@@ -0,0 +1,3 @@
+import type { LTOAuthProviderConfig } from '../../../types/oauth';
+import type { ProviderHandler } from './types';
+export declare function createAnthropicHandler(cfg: LTOAuthProviderConfig): ProviderHandler;

package/build/services/oauth/providers/anthropic.js

@@ -0,0 +1,111 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createAnthropicHandler = createAnthropicHandler;
+// Anthropic does not expose a standard OAuth2 authorization server.
+// Instead, users provide a credential via the Long Tail dashboard:
+//
+//   - OAuth token (sk-ant-oat01-...) from `claude setup-token`
+//     -> Uses their Claude subscription (Pro/Max/Teams) at flat rate
+//     -> Passed to subprocess as CLAUDE_CODE_OAUTH_TOKEN
+//
+//   - API key (sk-ant-api03-...) from console.anthropic.com
+//     -> Billed per-token against their API account
+//     -> Passed to subprocess as ANTHROPIC_API_KEY
+//
+// Flow:
+//   1. createAuthorizationURL -> redirects to /connect/anthropic (dashboard form)
+//   2. User pastes credential -> form redirects to callback with it as "code"
+//   3. validateAuthorizationCode -> validates against Anthropic API
+//   4. fetchUserInfo -> derives identity from the credential
+//   5. Credential stored encrypted as access_token in lt_oauth_tokens
+function createAnthropicHandler(cfg) {
+    const handler = {
+        config: { ...cfg, displayName: cfg.displayName || 'Anthropic' },
+        createAuthorizationURL(state, _codeVerifier) {
+            const baseUrl = handler.config.redirectUri?.replace(`/api/auth/oauth/anthropic/callback`, '') || '';
+            const url = new URL(`${baseUrl}/connect/anthropic`);
+            url.searchParams.set('state', state);
+            return url;
+        },
+        async validateAuthorizationCode(credential, _codeVerifier) {
+            const isOAuthToken = credential.startsWith('sk-ant-oat');
+            // Validate the credential by calling the Anthropic API.
+            // OAuth tokens use Authorization: Bearer; API keys use x-api-key.
+            const headers = {
+                'anthropic-version': '2023-06-01',
+            };
+            if (isOAuthToken) {
+                headers['Authorization'] = `Bearer ${credential}`;
+            }
+            else {
+                headers['x-api-key'] = credential;
+            }
+            const res = await fetch('https://api.anthropic.com/v1/models', { headers });
+            if (!res.ok) {
+                const body = await res.text().catch(() => '');
+                const kind = isOAuthToken ? 'OAuth token' : 'API key';
+                throw new Error(`Invalid Anthropic ${kind}: ${res.status} ${body}`);
+            }
+            return {
+                accessToken: credential,
+                refreshToken: null,
+                accessTokenExpiresAt: null,
+            };
+        },
+        async refreshAccessToken(_refreshToken) {
+            throw new Error('Anthropic credentials do not support refresh');
+        },
+        async fetchUserInfo(credential) {
+            const { createHash } = await Promise.resolve().then(() => __importStar(require('crypto')));
+            const keyHash = createHash('sha256').update(credential).digest('hex').slice(0, 16);
+            const isOAuthToken = credential.startsWith('sk-ant-oat');
+            const prefix = credential.slice(0, 14);
+            return {
+                provider: 'anthropic',
+                providerUserId: `anthropic-${keyHash}`,
+                email: null,
+                displayName: isOAuthToken
+                    ? `Claude Subscription (${prefix}...)`
+                    : `Anthropic API Key (${prefix}...)`,
+                raw: {
+                    credential_type: isOAuthToken ? 'oauth_token' : 'api_key',
+                    prefix,
+                },
+            };
+        },
+    };
+    return handler;
+}

package/build/services/oauth/providers/github.d.ts

@@ -0,0 +1,3 @@
+import type { LTOAuthProviderConfig } from '../../../types/oauth';
+import type { ProviderHandler } from './types';
+export declare function createGitHubHandler(cfg: LTOAuthProviderConfig): ProviderHandler;

package/build/services/oauth/providers/github.js

@@ -0,0 +1,46 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createGitHubHandler = createGitHubHandler;
+const arctic_1 = require("arctic");
+function createGitHubHandler(cfg) {
+    const redirectUri = cfg.redirectUri || null;
+    const github = new arctic_1.GitHub(cfg.clientId, cfg.clientSecret, redirectUri);
+    return {
+        config: cfg,
+        createAuthorizationURL(state, _codeVerifier) {
+            const scopes = cfg.scopes.length > 0 ? cfg.scopes : ['read:user', 'user:email'];
+            return github.createAuthorizationURL(state, scopes);
+        },
+        async validateAuthorizationCode(code, _codeVerifier) {
+            const tokens = await github.validateAuthorizationCode(code);
+            return {
+                accessToken: tokens.accessToken(),
+                refreshToken: null, // GitHub doesn't use refresh tokens for OAuth apps
+                accessTokenExpiresAt: null,
+            };
+        },
+        async refreshAccessToken(_refreshToken) {
+            throw new Error('GitHub OAuth apps do not support token refresh');
+        },
+        async fetchUserInfo(accessToken) {
+            const [userRes, emailRes] = await Promise.all([
+                fetch('https://api.github.com/user', {
+                    headers: { Authorization: `Bearer ${accessToken}`, Accept: 'application/json' },
+                }),
+                fetch('https://api.github.com/user/emails', {
+                    headers: { Authorization: `Bearer ${accessToken}`, Accept: 'application/json' },
+                }),
+            ]);
+            const user = await userRes.json();
+            const emails = await emailRes.json().catch(() => []);
+            const primary = emails.find((e) => e.primary)?.email || emails[0]?.email || null;
+            return {
+                provider: 'github',
+                providerUserId: String(user.id),
+                email: primary,
+                displayName: user.name || user.login || null,
+                raw: user,
+            };
+        },
+    };
+}

package/build/services/oauth/providers/google.d.ts

@@ -0,0 +1,3 @@
+import type { LTOAuthProviderConfig } from '../../../types/oauth';
+import type { ProviderHandler } from './types';
+export declare function createGoogleHandler(cfg: LTOAuthProviderConfig): ProviderHandler;

package/build/services/oauth/providers/google.js

@@ -0,0 +1,44 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createGoogleHandler = createGoogleHandler;
+const arctic_1 = require("arctic");
+function createGoogleHandler(cfg) {
+    const redirectUri = cfg.redirectUri || '';
+    const google = new arctic_1.Google(cfg.clientId, cfg.clientSecret, redirectUri);
+    return {
+        config: cfg,
+        createAuthorizationURL(state, codeVerifier) {
+            const scopes = cfg.scopes.length > 0 ? cfg.scopes : ['openid', 'email', 'profile'];
+            return google.createAuthorizationURL(state, codeVerifier, scopes);
+        },
+        async validateAuthorizationCode(code, codeVerifier) {
+            const tokens = await google.validateAuthorizationCode(code, codeVerifier);
+            return {
+                accessToken: tokens.accessToken(),
+                refreshToken: tokens.hasRefreshToken() ? tokens.refreshToken() : null,
+                accessTokenExpiresAt: tokens.accessTokenExpiresAt(),
+            };
+        },
+        async refreshAccessToken(refreshToken) {
+            const tokens = await google.refreshAccessToken(refreshToken);
+            return {
+                accessToken: tokens.accessToken(),
+                refreshToken: tokens.hasRefreshToken() ? tokens.refreshToken() : refreshToken,
+                accessTokenExpiresAt: tokens.accessTokenExpiresAt(),
+            };
+        },
+        async fetchUserInfo(accessToken) {
+            const res = await fetch('https://www.googleapis.com/oauth2/v2/userinfo', {
+                headers: { Authorization: `Bearer ${accessToken}` },
+            });
+            const data = await res.json();
+            return {
+                provider: 'google',
+                providerUserId: data.id,
+                email: data.email || null,
+                displayName: data.name || null,
+                raw: data,
+            };
+        },
+    };
+}

package/build/services/oauth/providers/index.d.ts

@@ -0,0 +1,2 @@
+export { registerProvider, getProvider, listProviders } from './registry';
+export type { OAuthTokens, ProviderHandler } from './types';

package/build/services/oauth/providers/index.js

@@ -0,0 +1,7 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.listProviders = exports.getProvider = exports.registerProvider = void 0;
+var registry_1 = require("./registry");
+Object.defineProperty(exports, "registerProvider", { enumerable: true, get: function () { return registry_1.registerProvider; } });
+Object.defineProperty(exports, "getProvider", { enumerable: true, get: function () { return registry_1.getProvider; } });
+Object.defineProperty(exports, "listProviders", { enumerable: true, get: function () { return registry_1.listProviders; } });

package/build/services/oauth/providers/microsoft.d.ts

@@ -0,0 +1,3 @@
+import type { LTOAuthProviderConfig } from '../../../types/oauth';
+import type { ProviderHandler } from './types';
+export declare function createMicrosoftHandler(cfg: LTOAuthProviderConfig): ProviderHandler;

package/build/services/oauth/providers/microsoft.js

@@ -0,0 +1,46 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createMicrosoftHandler = createMicrosoftHandler;
+const arctic_1 = require("arctic");
+function createMicrosoftHandler(cfg) {
+    const redirectUri = cfg.redirectUri || '';
+    const tenantId = process.env.OAUTH_MICROSOFT_TENANT_ID || 'common';
+    const ms = new arctic_1.MicrosoftEntraId(tenantId, cfg.clientId, cfg.clientSecret, redirectUri);
+    return {
+        config: cfg,
+        createAuthorizationURL(state, codeVerifier) {
+            const scopes = cfg.scopes.length > 0 ? cfg.scopes : ['openid', 'email', 'profile'];
+            return ms.createAuthorizationURL(state, codeVerifier, scopes);
+        },
+        async validateAuthorizationCode(code, codeVerifier) {
+            const tokens = await ms.validateAuthorizationCode(code, codeVerifier);
+            return {
+                accessToken: tokens.accessToken(),
+                refreshToken: tokens.hasRefreshToken() ? tokens.refreshToken() : null,
+                accessTokenExpiresAt: tokens.accessTokenExpiresAt(),
+            };
+        },
+        async refreshAccessToken(refreshToken) {
+            const scopes = cfg.scopes.length > 0 ? cfg.scopes : ['openid', 'email', 'profile'];
+            const tokens = await ms.refreshAccessToken(refreshToken, scopes);
+            return {
+                accessToken: tokens.accessToken(),
+                refreshToken: tokens.hasRefreshToken() ? tokens.refreshToken() : refreshToken,
+                accessTokenExpiresAt: tokens.accessTokenExpiresAt(),
+            };
+        },
+        async fetchUserInfo(accessToken) {
+            const res = await fetch('https://graph.microsoft.com/v1.0/me', {
+                headers: { Authorization: `Bearer ${accessToken}` },
+            });
+            const data = await res.json();
+            return {
+                provider: 'microsoft',
+                providerUserId: data.id,
+                email: data.mail || data.userPrincipalName || null,
+                displayName: data.displayName || null,
+                raw: data,
+            };
+        },
+    };
+}

package/build/services/oauth/providers/mock.d.ts

@@ -0,0 +1,3 @@
+import type { LTOAuthProviderConfig } from '../../../types/oauth';
+import type { ProviderHandler } from './types';
+export declare function createMockHandler(cfg: LTOAuthProviderConfig): ProviderHandler;

package/build/services/oauth/providers/mock.js

@@ -0,0 +1,76 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createMockHandler = createMockHandler;
+function createMockHandler(cfg) {
+    // Browser-facing URL (user's browser redirects here — must be localhost, not Docker hostname)
+    const browserAuthUrl = process.env.MOCK_OAUTH_BROWSER_AUTH_URL || 'http://localhost:9080/authorize';
+    // Server-facing URLs (app container calls these — Docker-internal hostnames work)
+    const tokenUrl = process.env.MOCK_OAUTH_TOKEN_URL || 'http://localhost:9080/token';
+    const userinfoUrl = process.env.MOCK_OAUTH_USERINFO_URL || 'http://localhost:9080/userinfo';
+    const handler = {
+        config: { ...cfg, displayName: cfg.displayName || 'Mock (Test)' },
+        createAuthorizationURL(state, _codeVerifier) {
+            const url = new URL(browserAuthUrl);
+            url.searchParams.set('client_id', cfg.clientId);
+            url.searchParams.set('redirect_uri', handler.config.redirectUri || '');
+            url.searchParams.set('state', state);
+            url.searchParams.set('response_type', 'code');
+            url.searchParams.set('scope', cfg.scopes.join(' '));
+            return url;
+        },
+        async validateAuthorizationCode(code, _codeVerifier) {
+            const res = await fetch(tokenUrl, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({
+                    code,
+                    client_id: cfg.clientId,
+                    client_secret: cfg.clientSecret,
+                    redirect_uri: handler.config.redirectUri || '',
+                }),
+            });
+            const data = await res.json();
+            return {
+                accessToken: data.access_token,
+                refreshToken: data.refresh_token || null,
+                accessTokenExpiresAt: data.expires_in
+                    ? new Date(Date.now() + data.expires_in * 1000)
+                    : null,
+            };
+        },
+        async refreshAccessToken(refreshToken) {
+            const res = await fetch(tokenUrl, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({
+                    grant_type: 'refresh_token',
+                    refresh_token: refreshToken,
+                    client_id: cfg.clientId,
+                    client_secret: cfg.clientSecret,
+                }),
+            });
+            const data = await res.json();
+            return {
+                accessToken: data.access_token,
+                refreshToken: data.refresh_token || refreshToken,
+                accessTokenExpiresAt: data.expires_in
+                    ? new Date(Date.now() + data.expires_in * 1000)
+                    : null,
+            };
+        },
+        async fetchUserInfo(accessToken) {
+            const res = await fetch(userinfoUrl, {
+                headers: { Authorization: `Bearer ${accessToken}` },
+            });
+            const data = await res.json();
+            return {
+                provider: 'mock',
+                providerUserId: data.sub || data.id || 'mock-user',
+                email: data.email || null,
+                displayName: data.name || null,
+                raw: data,
+            };
+        },
+    };
+    return handler;
+}

package/build/services/oauth/providers/registry.d.ts

@@ -0,0 +1,8 @@
+import type { LTOAuthProviderConfig } from '../../../types/oauth';
+import type { ProviderHandler } from './types';
+export declare function registerProvider(cfg: LTOAuthProviderConfig): void;
+export declare function getProvider(name: string): ProviderHandler | null;
+export declare function listProviders(): Array<{
+    provider: string;
+    name: string;
+}>;

package/build/services/oauth/providers/registry.js

@@ -0,0 +1,46 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.registerProvider = registerProvider;
+exports.getProvider = getProvider;
+exports.listProviders = listProviders;
+const logger_1 = require("../../logger");
+const anthropic_1 = require("./anthropic");
+const github_1 = require("./github");
+const google_1 = require("./google");
+const microsoft_1 = require("./microsoft");
+const mock_1 = require("./mock");
+const providers = new Map();
+function registerProvider(cfg) {
+    const handler = createHandler(cfg);
+    providers.set(cfg.provider, handler);
+    logger_1.loggerRegistry.info(`[oauth] registered provider: ${cfg.provider}`);
+}
+function getProvider(name) {
+    return providers.get(name) ?? null;
+}
+function listProviders() {
+    return Array.from(providers.values()).map((h) => ({
+        provider: h.config.provider,
+        name: h.config.displayName || capitalize(h.config.provider),
+    }));
+}
+function createHandler(cfg) {
+    const { provider } = cfg;
+    switch (provider) {
+        case 'google':
+            return (0, google_1.createGoogleHandler)(cfg);
+        case 'github':
+            return (0, github_1.createGitHubHandler)(cfg);
+        case 'microsoft':
+            return (0, microsoft_1.createMicrosoftHandler)(cfg);
+        case 'mock':
+            return (0, mock_1.createMockHandler)(cfg);
+        case 'anthropic':
+            return (0, anthropic_1.createAnthropicHandler)(cfg);
+        default:
+            throw new Error(`Unsupported OAuth provider: ${provider}. Supported: google, github, microsoft, anthropic, mock`);
+    }
+}
+function capitalize(s) {
+    return s.charAt(0).toUpperCase() + s.slice(1);
+}