@julr/sesame 0.0.0

package/build/src/controllers/authorize_controller.d.ts

@@ -0,0 +1,53 @@
+import type { HttpContext } from '@adonisjs/core/http';
+/**
+ * Handles the OAuth 2.0 Authorization Endpoint (RFC 6749 §3.1).
+ *
+ * Implements the authorization code flow with PKCE support (RFC 7636).
+ * Validates the client, requested scopes, and PKCE parameters, then
+ * either redirects the user to the login/consent page or directly
+ * issues an authorization code if consent was already granted.
+ *
+ * The `iss` response parameter is included per RFC 9207 to prevent
+ * mix-up attacks.
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-3.1
+ * @see https://datatracker.ietf.org/doc/html/rfc7636
+ * @see https://datatracker.ietf.org/doc/html/rfc9207
+ */
+export default class AuthorizeController {
+    #private;
+    static validator: import("@vinejs/vine").VineValidator<import("@vinejs/vine").VineObject<{
+        client_id: import("@vinejs/vine").VineString;
+        response_type: import("@vinejs/vine").VineString;
+        redirect_uri: import("@vinejs/vine").VineString;
+        scope: import("@vinejs/vine/schema/base/literal").OptionalModifier<import("@vinejs/vine").VineString>;
+        state: import("@vinejs/vine/schema/base/literal").OptionalModifier<import("@vinejs/vine").VineString>;
+        code_challenge: import("@vinejs/vine/schema/base/literal").OptionalModifier<import("@vinejs/vine").VineString>;
+        code_challenge_method: import("@vinejs/vine/schema/base/literal").OptionalModifier<import("@vinejs/vine").VineString>;
+    }, {
+        scope?: string | null | undefined;
+        state?: string | null | undefined;
+        code_challenge?: string | null | undefined;
+        code_challenge_method?: string | null | undefined;
+        redirect_uri: string;
+        client_id: string;
+        response_type: string;
+    }, {
+        scope?: string | undefined;
+        state?: string | undefined;
+        code_challenge?: string | undefined;
+        code_challenge_method?: string | undefined;
+        redirect_uri: string;
+        client_id: string;
+        response_type: string;
+    }, {
+        scope?: string | undefined;
+        state?: string | undefined;
+        code_challenge?: string | undefined;
+        code_challenge_method?: string | undefined;
+        redirect_uri: string;
+        client_id: string;
+        response_type: string;
+    }>, Record<string, any> | undefined>;
+    handle(ctx: HttpContext): Promise<void>;
+}

package/build/src/controllers/client_info_controller.d.ts

@@ -0,0 +1,22 @@
+import type { HttpContext } from '@adonisjs/core/http';
+/**
+ * Returns public information about an OAuth client.
+ * Used by the consent page to display the client's name
+ * from server-side data rather than query parameters
+ * (RFC 6819 §4.4.1.4 — prevent client identity spoofing).
+ */
+export default class ClientInfoController {
+    static validator: import("@vinejs/vine").VineValidator<import("@vinejs/vine").VineObject<{
+        client_id: import("@vinejs/vine").VineString;
+    }, {
+        client_id: string;
+    }, {
+        client_id: string;
+    }, {
+        client_id: string;
+    }>, Record<string, any> | undefined>;
+    handle(ctx: HttpContext): Promise<{
+        client_id: string;
+        client_name: string;
+    }>;
+}

package/build/src/controllers/consent_controller.d.ts

@@ -0,0 +1,27 @@
+import type { HttpContext } from '@adonisjs/core/http';
+/**
+ * Handles user consent submission for the OAuth authorization flow.
+ *
+ * When a user approves access, this controller stores or updates
+ * the consent record and issues an authorization code via redirect.
+ * When the user denies access, it redirects back to the client
+ * with an `access_denied` error.
+ *
+ * Consent records are persisted so that returning users are not
+ * prompted again for previously approved scopes.
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1
+ */
+export default class ConsentController {
+    #private;
+    static validator: import("@vinejs/vine").VineValidator<import("@vinejs/vine").VineObject<{
+        auth_token: import("@vinejs/vine").VineString;
+    }, {
+        auth_token: string;
+    }, {
+        auth_token: string;
+    }, {
+        auth_token: string;
+    }>, Record<string, any> | undefined>;
+    handle(ctx: HttpContext): Promise<void>;
+}

package/build/src/controllers/introspect_controller.d.ts

@@ -0,0 +1,28 @@
+import type { HttpContext } from '@adonisjs/core/http';
+/**
+ * Handles the OAuth 2.0 Token Introspection Endpoint (RFC 7662).
+ *
+ * Allows an authenticated client to determine the active state and
+ * metadata of a token (access token or refresh token). The response
+ * always includes at least `{ active: boolean }`.
+ *
+ * Supports the `token_type_hint` parameter to optimize lookup order.
+ * Both access tokens and refresh tokens are opaque values looked up
+ * by their SHA-256 hash in the database.
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc7662
+ */
+export default class IntrospectController {
+    handle(ctx: HttpContext): Promise<{
+        active: boolean;
+    } | {
+        active: boolean;
+        token_type: string;
+        client_id: string;
+        sub: string | undefined;
+        scope: string;
+        iss: string;
+        iat: number;
+        exp: number;
+    }>;
+}

package/build/src/controllers/metadata_controller.d.ts

@@ -0,0 +1,64 @@
+import type { HttpContext } from '@adonisjs/core/http';
+import type { AuthServerMetadata, ResourceServerMetadata } from '../types.ts';
+/**
+ * Serves OAuth 2.0 discovery metadata documents.
+ *
+ * Exposes three well-known endpoints:
+ * - `authServer()` — OAuth Authorization Server Metadata (RFC 8414)
+ * - `oidc()` — OpenID Connect Discovery 1.0 (extends authServer metadata)
+ * - `protectedResource()` — OAuth Protected Resource Metadata (RFC 9728)
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc8414
+ * @see https://datatracker.ietf.org/doc/html/rfc9728
+ * @see https://openid.net/specs/openid-connect-discovery-1_0.html
+ */
+export default class MetadataController {
+    /**
+     * OAuth 2.0 Authorization Server Metadata (RFC 8414).
+     *
+     * Returns a JSON document describing the server's endpoints,
+     * supported grant types, response types, authentication methods,
+     * and PKCE support.
+     *
+     * @see https://datatracker.ietf.org/doc/html/rfc8414#section-2
+     */
+    authServer(ctx: HttpContext): Promise<AuthServerMetadata>;
+    /**
+     * OpenID Connect Discovery 1.0 metadata.
+     *
+     * Extends the authorization server metadata with OIDC-specific
+     * fields like `subject_types_supported` and
+     * `id_token_signing_alg_values_supported`.
+     *
+     * @see https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
+     */
+    oidc(ctx: HttpContext): Promise<{
+        subject_types_supported: string[];
+        scopes_supported: string[];
+        issuer: string;
+        authorization_endpoint: string;
+        token_endpoint: string;
+        registration_endpoint?: string;
+        introspection_endpoint?: string;
+        revocation_endpoint?: string;
+        response_types_supported: string[];
+        response_modes_supported: string[];
+        grant_types_supported: string[];
+        token_endpoint_auth_methods_supported: string[];
+        introspection_endpoint_auth_methods_supported?: string[];
+        revocation_endpoint_auth_methods_supported?: string[];
+        code_challenge_methods_supported: string[];
+        authorization_response_iss_parameter_supported: boolean;
+    }>;
+    /**
+     * OAuth 2.0 Protected Resource Metadata (RFC 9728).
+     *
+     * Returns a JSON document that tells clients which authorization
+     * servers protect this resource, which scopes are available, and
+     * how to present bearer tokens. Used by MCP clients to discover
+     * the authorization server.
+     *
+     * @see https://datatracker.ietf.org/doc/html/rfc9728
+     */
+    protectedResource(ctx: HttpContext): Promise<ResourceServerMetadata>;
+}

package/build/src/controllers/register_controller.d.ts

@@ -0,0 +1,91 @@
+import type { HttpContext } from '@adonisjs/core/http';
+/**
+ * Handles the OAuth 2.0 Dynamic Client Registration Endpoint (RFC 7591).
+ *
+ * Allows clients to register themselves with the authorization server
+ * by providing metadata such as `redirect_uris`, `grant_types`, and
+ * `token_endpoint_auth_method`. Returns the assigned `client_id` and
+ * optionally a `client_secret` for confidential clients.
+ *
+ * Can be configured to require authentication or allow public
+ * registration (useful for MCP where clients self-register).
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc7591
+ */
+export default class RegisterController {
+    static validator: import("@vinejs/vine").VineValidator<import("@vinejs/vine").VineObject<{
+        redirect_uris: import("@vinejs/vine").VineArray<import("@vinejs/vine").VineString>;
+        token_endpoint_auth_method: import("@vinejs/vine/schema/base/literal").OptionalModifier<import("@vinejs/vine").VineString>;
+        grant_types: import("@vinejs/vine").OptionalModifier<import("@vinejs/vine").VineArray<import("@vinejs/vine").VineString>>;
+        response_types: import("@vinejs/vine").OptionalModifier<import("@vinejs/vine").VineArray<import("@vinejs/vine").VineString>>;
+        scope: import("@vinejs/vine/schema/base/literal").OptionalModifier<import("@vinejs/vine").VineString>;
+        client_name: import("@vinejs/vine/schema/base/literal").OptionalModifier<import("@vinejs/vine").VineString>;
+        client_uri: import("@vinejs/vine/schema/base/literal").OptionalModifier<import("@vinejs/vine").VineString>;
+        logo_uri: import("@vinejs/vine/schema/base/literal").OptionalModifier<import("@vinejs/vine").VineString>;
+        tos_uri: import("@vinejs/vine/schema/base/literal").OptionalModifier<import("@vinejs/vine").VineString>;
+        policy_uri: import("@vinejs/vine/schema/base/literal").OptionalModifier<import("@vinejs/vine").VineString>;
+        contacts: import("@vinejs/vine").OptionalModifier<import("@vinejs/vine").VineArray<import("@vinejs/vine").VineString>>;
+        software_id: import("@vinejs/vine/schema/base/literal").OptionalModifier<import("@vinejs/vine").VineString>;
+        software_version: import("@vinejs/vine/schema/base/literal").OptionalModifier<import("@vinejs/vine").VineString>;
+    }, {
+        scope?: string | null | undefined;
+        token_endpoint_auth_method?: string | null | undefined;
+        grant_types?: string[] | null | undefined;
+        response_types?: string[] | null | undefined;
+        client_name?: string | null | undefined;
+        client_uri?: string | null | undefined;
+        logo_uri?: string | null | undefined;
+        tos_uri?: string | null | undefined;
+        policy_uri?: string | null | undefined;
+        contacts?: string[] | null | undefined;
+        software_id?: string | null | undefined;
+        software_version?: string | null | undefined;
+        redirect_uris: string[];
+    }, {
+        scope?: string | undefined;
+        token_endpoint_auth_method?: string | undefined;
+        grant_types?: string[] | undefined;
+        response_types?: string[] | undefined;
+        client_name?: string | undefined;
+        client_uri?: string | undefined;
+        logo_uri?: string | undefined;
+        tos_uri?: string | undefined;
+        policy_uri?: string | undefined;
+        contacts?: string[] | undefined;
+        software_id?: string | undefined;
+        software_version?: string | undefined;
+        redirect_uris: string[];
+    }, {
+        scope?: string | undefined;
+        token_endpoint_auth_method?: string | undefined;
+        grant_types?: string[] | undefined;
+        response_types?: string[] | undefined;
+        client_name?: string | undefined;
+        client_uri?: string | undefined;
+        logo_uri?: string | undefined;
+        tos_uri?: string | undefined;
+        policy_uri?: string | undefined;
+        contacts?: string[] | undefined;
+        software_id?: string | undefined;
+        software_version?: string | undefined;
+        redirect_uris: string[];
+    }>, Record<string, any> | undefined>;
+    handle(ctx: HttpContext): Promise<{
+        software_version?: string | undefined;
+        software_id?: string | undefined;
+        policy_uri?: string | undefined;
+        tos_uri?: string | undefined;
+        contacts?: string[] | undefined;
+        logo_uri?: string | undefined;
+        client_uri?: string | undefined;
+        token_endpoint_auth_method: string;
+        response_types: string[];
+        client_secret_expires_at: number;
+        client_name: string;
+        redirect_uris: string[];
+        grant_types: string[];
+        scope: string;
+        client_secret?: string | undefined;
+        client_id: string;
+    }>;
+}

package/build/src/controllers/revoke_controller.d.ts

@@ -0,0 +1,16 @@
+import type { HttpContext } from '@adonisjs/core/http';
+/**
+ * Handles the OAuth 2.0 Token Revocation Endpoint (RFC 7009).
+ *
+ * Allows an authenticated client to revoke an access token or
+ * refresh token. Always responds with HTTP 200, even if the token
+ * was already revoked or not found (to prevent information leakage).
+ *
+ * When revoking a refresh token, the associated access token is
+ * also revoked as recommended by RFC 7009 §2.1.
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc7009
+ */
+export default class RevokeController {
+    handle(ctx: HttpContext): Promise<void>;
+}

package/build/src/controllers/token_controller.d.ts

@@ -0,0 +1,24 @@
+import type { HttpContext } from '@adonisjs/core/http';
+/**
+ * Handles the OAuth 2.0 Token Endpoint (RFC 6749 §3.2).
+ *
+ * Dispatches to the appropriate grant handler based on the
+ * `grant_type` parameter. Sets `Cache-Control: no-store` and
+ * `Pragma: no-cache` headers on all token responses as required
+ * by the spec.
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-3.2
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.1
+ */
+export default class TokenController {
+    static validator: import("@vinejs/vine").VineValidator<import("@vinejs/vine").VineObject<{
+        grant_type: import("@vinejs/vine").VineString;
+    }, {
+        grant_type: string;
+    }, {
+        grant_type: string;
+    }, {
+        grant_type: string;
+    }>, Record<string, any> | undefined>;
+    handle(ctx: HttpContext): Promise<any>;
+}

package/build/src/decorators.d.ts

@@ -0,0 +1,10 @@
+import { column } from '@adonisjs/lucid/orm';
+/**
+ * Column decorator for JSON values (arrays, objects).
+ *
+ * Lucid ORM doesn't handle JSON serialization automatically —
+ * `prepare` stringifies before INSERT/UPDATE, `consume` parses
+ * after SELECT. The typeof check in consume handles both drivers
+ * that return strings (SQLite, MySQL) and parsed objects (PostgreSQL JSONB).
+ */
+export declare function json(options?: Parameters<typeof column>[0]): import("@adonisjs/lucid/types/model").DecoratorFn;

package/build/src/define_config.d.ts

@@ -0,0 +1,16 @@
+import type { SesameConfig, ResolvedSesameConfig } from './types.ts';
+/**
+ * Resolve user-supplied `SesameConfig` into a `ResolvedSesameConfig`
+ * by applying sensible defaults for all optional fields.
+ *
+ * Defaults:
+ * - `scopes`: `{}`
+ * - `defaultScopes`: `[]`
+ * - `grantTypes`: `['authorization_code', 'refresh_token']`
+ * - `accessTokenTtl`: `'1h'`
+ * - `refreshTokenTtl`: `'30d'`
+ * - `authorizationCodeTtl`: `'10m'`
+ * - `allowDynamicRegistration`: `false`
+ * - `allowPublicRegistration`: `false`
+ */
+export declare function defineConfig(config: SesameConfig): ResolvedSesameConfig;

package/build/src/grants/authorization_code_grant.d.ts

@@ -0,0 +1,27 @@
+import type { HttpContext } from '@adonisjs/core/http';
+import type { SesameManager } from '../sesame_manager.ts';
+/**
+ * Handle the Authorization Code Grant (RFC 6749 §4.1.3).
+ *
+ * Exchanges an authorization code for an access token (and optionally
+ * a refresh token if the `offline_access` scope was granted).
+ *
+ * Performs the following validations:
+ * - Client authentication (Basic header or POST body credentials)
+ * - Authorization code existence, expiration, and single-use enforcement
+ * - Redirect URI matching against the original authorization request
+ * - PKCE code_verifier verification using S256 (RFC 7636 §4.6)
+ *
+ * All tokens (access tokens, refresh tokens, authorization codes)
+ * are opaque values stored as SHA-256 hashes.
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3
+ * @see https://datatracker.ietf.org/doc/html/rfc7636#section-4.6
+ */
+export declare function handleAuthorizationCodeGrant(ctx: HttpContext, manager: SesameManager): Promise<{
+    refresh_token?: string | undefined;
+    access_token: string;
+    token_type: string;
+    expires_in: number;
+    scope: string;
+}>;

package/build/src/grants/refresh_token_grant.d.ts

@@ -0,0 +1,27 @@
+import type { HttpContext } from '@adonisjs/core/http';
+import type { SesameManager } from '../sesame_manager.ts';
+/**
+ * Handle the Refresh Token Grant (RFC 6749 §6).
+ *
+ * Exchanges a refresh token for a new access token and a new
+ * refresh token (rotation). The old refresh token is revoked
+ * immediately after use.
+ *
+ * Implements replay detection: if a revoked refresh token is
+ * presented, all tokens for that client+user pair are nuked
+ * (both access and refresh tokens) to mitigate stolen token
+ * reuse attacks.
+ *
+ * Scope narrowing is supported: the client may request a subset
+ * of the originally granted scopes, but cannot request new ones.
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-6
+ * @see https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-4.14.2
+ */
+export declare function handleRefreshTokenGrant(ctx: HttpContext, manager: SesameManager): Promise<{
+    access_token: string;
+    token_type: string;
+    expires_in: number;
+    scope: string;
+    refresh_token: string;
+}>;

package/build/src/guard/guard.d.ts

@@ -0,0 +1,30 @@
+import type { HttpContext } from '@adonisjs/core/http';
+import type { EmitterLike } from '@adonisjs/core/types/events';
+import { symbols } from '@adonisjs/auth';
+import type { AuthClientResponse, GuardContract } from '@adonisjs/auth/types';
+import type { SesameManager } from '../sesame_manager.ts';
+import type { OAuthGuardEvents, OAuthUserProviderContract } from './types.ts';
+/**
+ * OAuth 2.0 guard for `@adonisjs/auth`.
+ *
+ * Verifies opaque Bearer tokens against the database,
+ * checks revocation and expiry, loads the real User model
+ * via the provider, and exposes OAuth-specific data (scopes, clientId).
+ */
+export declare class OAuthGuard<UserProvider extends OAuthUserProviderContract<unknown>> implements GuardContract<UserProvider[typeof symbols.PROVIDER_REAL_USER]> {
+    #private;
+    [symbols.GUARD_KNOWN_EVENTS]: OAuthGuardEvents<UserProvider[typeof symbols.PROVIDER_REAL_USER]>;
+    driverName: "oauth";
+    authenticationAttempted: boolean;
+    isAuthenticated: boolean;
+    user?: UserProvider[typeof symbols.PROVIDER_REAL_USER];
+    scopes: string[];
+    clientId?: string;
+    constructor(name: string, ctx: HttpContext, emitter: EmitterLike<OAuthGuardEvents<UserProvider[typeof symbols.PROVIDER_REAL_USER]>>, userProvider: UserProvider, manager: SesameManager, resource?: string);
+    getUserOrFail(): UserProvider[typeof symbols.PROVIDER_REAL_USER];
+    authenticate(): Promise<UserProvider[typeof symbols.PROVIDER_REAL_USER]>;
+    check(): Promise<boolean>;
+    hasScope(...scopes: string[]): boolean;
+    hasAnyScope(...scopes: string[]): boolean;
+    authenticateAsClient(user: UserProvider[typeof symbols.PROVIDER_REAL_USER]): Promise<AuthClientResponse>;
+}

package/build/src/guard/main.d.ts

@@ -0,0 +1,20 @@
+import type { HttpContext } from '@adonisjs/core/http';
+import type { GuardConfigProvider } from '@adonisjs/auth/types';
+import type { LucidModel } from '@adonisjs/lucid/types/model';
+import { OAuthGuard } from './guard.ts';
+import { OAuthLucidUserProvider } from './user_provider.ts';
+import type { OAuthLucidUserProviderOptions, OAuthUserProviderContract } from './types.ts';
+export { OAuthGuard } from './guard.ts';
+export { OAuthLucidUserProvider } from './user_provider.ts';
+export type { OAuthGuardUser, OAuthGuardEvents, OAuthUserProviderContract, OAuthLucidUserProviderOptions, } from './types.ts';
+/**
+ * Configure the OAuth guard for `@adonisjs/auth`.
+ */
+export declare function oauthGuard<UserProvider extends OAuthUserProviderContract<unknown>>(config: {
+    provider: UserProvider;
+    resource?: string;
+}): GuardConfigProvider<(ctx: HttpContext) => OAuthGuard<UserProvider>>;
+/**
+ * Create a Lucid-based user provider for the OAuth guard.
+ */
+export declare function oauthUserProvider<Model extends LucidModel>(options: OAuthLucidUserProviderOptions<Model>): OAuthLucidUserProvider<Model>;

package/build/src/guard/main.js

@@ -0,0 +1,17 @@
+import "../../decorate-2_8Ex77k.js";
+import "../../oauth_access_token-BpG8sq-c.js";
+import "../../oauth_client-eh0e5ql-.js";
+import "../../token_service-Czz9v5GI.js";
+import { n as OAuthGuard, t as OAuthLucidUserProvider } from "../../user_provider-B3rXEUT3.js";
+function oauthGuard(config) {
+	return { async resolver(name, app) {
+		const emitter = await app.container.make("emitter");
+		const { SesameManager } = await import("../../sesame_manager-B4tO2PLO.js").then((n) => n.n);
+		const manager = await app.container.make(SesameManager);
+		return (ctx) => new OAuthGuard(name, ctx, emitter, config.provider, manager, config.resource);
+	} };
+}
+function oauthUserProvider(options) {
+	return new OAuthLucidUserProvider(options);
+}
+export { OAuthGuard, OAuthLucidUserProvider, oauthGuard, oauthUserProvider };

package/build/src/guard/types.d.ts

@@ -0,0 +1,46 @@
+import type { HttpContext } from '@adonisjs/core/http';
+import type { Exception } from '@adonisjs/core/exceptions';
+import type { LucidModel } from '@adonisjs/lucid/types/model';
+import { symbols } from '@adonisjs/auth';
+/**
+ * Guard user adapter between the user provider and the guard.
+ */
+export type OAuthGuardUser<RealUser> = {
+    getId(): string | number | BigInt;
+    getOriginal(): RealUser;
+};
+/**
+ * Contract for user providers used by the OAuth guard.
+ */
+export interface OAuthUserProviderContract<RealUser> {
+    [symbols.PROVIDER_REAL_USER]: RealUser;
+    createUserForGuard(user: RealUser): Promise<OAuthGuardUser<RealUser>>;
+    findById(identifier: string | number | BigInt): Promise<OAuthGuardUser<RealUser> | null>;
+}
+/**
+ * Options for the Lucid-based OAuth user provider.
+ */
+export type OAuthLucidUserProviderOptions<Model extends LucidModel> = {
+    model: () => Promise<{
+        default: Model;
+    }>;
+};
+/**
+ * Events emitted by the OAuth guard during authentication.
+ */
+export type OAuthGuardEvents<RealUser> = {
+    'oauth_auth:authentication_attempted': {
+        ctx: HttpContext;
+        guardName: string;
+    };
+    'oauth_auth:authentication_succeeded': {
+        ctx: HttpContext;
+        guardName: string;
+        user: RealUser;
+    };
+    'oauth_auth:authentication_failed': {
+        ctx: HttpContext;
+        guardName: string;
+        error: Exception;
+    };
+};

package/build/src/guard/user_provider.d.ts

@@ -0,0 +1,14 @@
+import { symbols } from '@adonisjs/auth';
+import type { LucidModel } from '@adonisjs/lucid/types/model';
+import type { OAuthGuardUser, OAuthLucidUserProviderOptions, OAuthUserProviderContract } from './types.ts';
+/**
+ * Lucid-based user provider for the OAuth guard.
+ * Lazily loads the model and wraps instances as guard users.
+ */
+export declare class OAuthLucidUserProvider<Model extends LucidModel> implements OAuthUserProviderContract<InstanceType<Model>> {
+    #private;
+    [symbols.PROVIDER_REAL_USER]: InstanceType<Model>;
+    constructor(options: OAuthLucidUserProviderOptions<Model>);
+    createUserForGuard(user: InstanceType<Model>): Promise<OAuthGuardUser<InstanceType<Model>>>;
+    findById(identifier: string | number | BigInt): Promise<OAuthGuardUser<InstanceType<Model>> | null>;
+}

package/build/src/models/oauth_access_token.d.ts

@@ -0,0 +1,23 @@
+import { DateTime } from 'luxon';
+import { BaseModel } from '@adonisjs/lucid/orm';
+/**
+ * Database record for an issued OAuth 2.0 access token.
+ *
+ * Access tokens are opaque random values. Only the SHA-256 hash
+ * is stored so raw tokens cannot be reconstructed from a DB leak.
+ * A token is considered revoked when `revokedAt` is set.
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc7662
+ */
+export declare class OAuthAccessToken extends BaseModel {
+    static table: string;
+    id: string;
+    tokenHash: string;
+    clientId: string;
+    userId: string | null;
+    scopes: string[];
+    expiresAt: DateTime;
+    revokedAt: DateTime | null;
+    createdAt: DateTime;
+    updatedAt: DateTime;
+}

package/build/src/models/oauth_authorization_code.d.ts

@@ -0,0 +1,30 @@
+import { DateTime } from 'luxon';
+import { BaseModel } from '@adonisjs/lucid/orm';
+/**
+ * Database record for an OAuth 2.0 authorization code (RFC 6749 §4.1.2).
+ *
+ * Authorization codes are short-lived, single-use tokens issued
+ * during the authorization flow. The `code` column stores the
+ * SHA-256 hash of the raw code value sent to the client.
+ *
+ * When PKCE (RFC 7636) is used, the `codeChallenge` and
+ * `codeChallengeMethod` (always S256) are stored alongside the
+ * code for verification at the token endpoint.
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2
+ * @see https://datatracker.ietf.org/doc/html/rfc7636
+ */
+export declare class OAuthAuthorizationCode extends BaseModel {
+    static table: string;
+    id: string;
+    code: string;
+    clientId: string;
+    userId: string;
+    scopes: string[];
+    redirectUri: string;
+    codeChallenge: string | null;
+    codeChallengeMethod: string | null;
+    expiresAt: DateTime;
+    createdAt: DateTime;
+    updatedAt: DateTime;
+}

package/build/src/models/oauth_client.d.ts

@@ -0,0 +1,33 @@
+import { DateTime } from 'luxon';
+import { BaseModel } from '@adonisjs/lucid/orm';
+/**
+ * Represents a registered OAuth 2.0 client (RFC 6749 §2).
+ *
+ * Clients can be either confidential (with a hashed secret) or
+ * public (no secret, e.g. SPAs, native apps). Public clients must
+ * use PKCE (RFC 7636) for authorization code exchanges.
+ *
+ * Clients may be created manually or via dynamic client registration
+ * (RFC 7591) through the `/oauth/register` endpoint.
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-2
+ * @see https://datatracker.ietf.org/doc/html/rfc7591
+ */
+export declare class OAuthClient extends BaseModel {
+    static table: string;
+    id: string;
+    clientId: string;
+    clientSecret: string | null;
+    name: string;
+    redirectUris: string[];
+    scopes: string[];
+    grantTypes: string[];
+    isPublic: boolean;
+    isDisabled: boolean;
+    requirePkce: boolean;
+    type: string | null;
+    metadata: Record<string, any> | null;
+    userId: string | null;
+    createdAt: DateTime;
+    updatedAt: DateTime;
+}