@juspay/neurolink 9.31.2 → 9.32.0

package/dist/client/neurolink.js

@@ -246,6 +246,10 @@ export class NeuroLink {
     conversationMemoryConfig;
     // Add orchestration property
     enableOrchestration;
+    // Authentication provider for secure access control
+    authProvider;
+    pendingAuthConfig;
+    authInitPromise;
     // HITL (Human-in-the-Loop) support
     hitlManager;
     // Accumulated cost in USD across all generate() calls on this instance
@@ -451,6 +455,10 @@ export class NeuroLink {
         this.initializeLangfuse(constructorId, constructorStartTime, constructorHrTimeStart);
         this.initializeMetricsListeners();
         this.logConstructorComplete(constructorId, constructorStartTime, constructorHrTimeStart);
+        // Store auth config for lazy initialization
+        if (config?.auth) {
+            this.pendingAuthConfig = config.auth;
+        }
     }
     /**
      * Initialize provider registry with security settings
@@ -2225,6 +2233,61 @@ Current user's request: ${currentInput}`;
                             },
                         };
                     }
+                    // Handle per-call auth token validation
+                    if (options.auth?.token) {
+                        const { AuthError } = await import("./auth/errors.js");
+                        await this.ensureAuthProvider();
+                        if (!this.authProvider) {
+                            throw AuthError.create("PROVIDER_ERROR", "No auth provider configured. Set auth in constructor or via setAuthProvider() before using auth: { token }.");
+                        }
+                        let authResult;
+                        try {
+                            authResult = await withTimeout(this.authProvider.authenticateToken(options.auth.token), 5000, AuthError.create("PROVIDER_ERROR", "Auth token validation timed out after 5000ms"));
+                        }
+                        catch (err) {
+                            // Rethrow auth errors as-is; wrap anything else
+                            if (err instanceof Error &&
+                                "feature" in err &&
+                                err.feature === "Auth") {
+                                throw err;
+                            }
+                            throw AuthError.create("PROVIDER_ERROR", `Auth token validation failed: ${err instanceof Error ? err.message : String(err)}`);
+                        }
+                        if (!authResult.valid) {
+                            throw AuthError.create("INVALID_TOKEN", authResult.error || "Token validation failed");
+                        }
+                        // Fail closed: token valid but no user identity is a provider bug
+                        if (!authResult.user) {
+                            throw AuthError.create("INVALID_TOKEN", "Token validated but no user identity returned");
+                        }
+                        if (!authResult.user.id) {
+                            throw AuthError.create("INVALID_TOKEN", "Token validated but user identity missing required 'id' field");
+                        }
+                        // Merge validated user into context
+                        options.context = {
+                            ...(options.context || {}),
+                            userId: authResult.user.id,
+                            userEmail: authResult.user.email,
+                            userRoles: authResult.user.roles,
+                        };
+                    }
+                    // Handle pre-validated requestContext
+                    if (options.requestContext) {
+                        // When auth token was validated, token-derived identity fields
+                        // MUST take precedence over requestContext to prevent privilege escalation.
+                        const tokenDerivedFields = options.auth?.token && this.authProvider
+                            ? {
+                                userId: options.context?.userId,
+                                userEmail: options.context?.userEmail,
+                                userRoles: options.context?.userRoles,
+                            }
+                            : {};
+                        options.context = {
+                            ...(options.context || {}),
+                            ...options.requestContext,
+                            ...tokenDerivedFields,
+                        };
+                    }
                     // Check if workflow is requested
                     if (options.workflow || options.workflowConfig) {
                         return await this.generateWithWorkflow(options);
@@ -3997,6 +4060,61 @@ Current user's request: ${currentInput}`;
                         },
                     });
                 }
+                // Handle per-call auth token validation
+                if (options.auth?.token) {
+                    const { AuthError } = await import("./auth/errors.js");
+                    await this.ensureAuthProvider();
+                    if (!this.authProvider) {
+                        throw AuthError.create("PROVIDER_ERROR", "No auth provider configured. Set auth in constructor or via setAuthProvider() before using auth: { token }.");
+                    }
+                    let authResult;
+                    try {
+                        authResult = await withTimeout(this.authProvider.authenticateToken(options.auth.token), 5000, AuthError.create("PROVIDER_ERROR", "Auth token validation timed out after 5000ms"));
+                    }
+                    catch (err) {
+                        // Rethrow auth errors as-is; wrap anything else
+                        if (err instanceof Error &&
+                            "feature" in err &&
+                            err.feature === "Auth") {
+                            throw err;
+                        }
+                        throw AuthError.create("PROVIDER_ERROR", `Auth token validation failed: ${err instanceof Error ? err.message : String(err)}`);
+                    }
+                    if (!authResult.valid) {
+                        throw AuthError.create("INVALID_TOKEN", authResult.error || "Token validation failed");
+                    }
+                    // Fail closed: token valid but no user identity is a provider bug
+                    if (!authResult.user) {
+                        throw AuthError.create("INVALID_TOKEN", "Token validated but no user identity returned");
+                    }
+                    if (!authResult.user.id) {
+                        throw AuthError.create("INVALID_TOKEN", "Token validated but user identity missing required 'id' field");
+                    }
+                    // Merge validated user into context
+                    options.context = {
+                        ...(options.context || {}),
+                        userId: authResult.user.id,
+                        userEmail: authResult.user.email,
+                        userRoles: authResult.user.roles,
+                    };
+                }
+                // Handle pre-validated requestContext
+                if (options.requestContext) {
+                    // When auth token was validated, token-derived identity fields
+                    // MUST take precedence over requestContext to prevent privilege escalation.
+                    const tokenDerivedFields = options.auth?.token && this.authProvider
+                        ? {
+                            userId: options.context?.userId,
+                            userEmail: options.context?.userEmail,
+                            userRoles: options.context?.userRoles,
+                        }
+                        : {};
+                    options.context = {
+                        ...(options.context || {}),
+                        ...options.requestContext,
+                        ...tokenDerivedFields,
+                    };
+                }
                 this.emitStreamStartEvents(options, startTime);
                 // Auto-inject lifecycle middleware when callbacks are provided
                 // (must happen before workflow early return so that path gets middleware too)
@@ -8001,6 +8119,106 @@ Current user's request: ${currentInput}`;
         });
         return budgetResult.shouldCompact;
     }
+    // ============================================================================
+    // Authentication Methods
+    // ============================================================================
+    /**
+     * Set the authentication provider for the NeuroLink instance
+     *
+     * @param config - Auth provider or configuration to create one
+     */
+    async setAuthProvider(config) {
+        // Clear any pending lazy-init promise so it does not race with this call.
+        this.authInitPromise = undefined;
+        // Duck-type check: direct MastraAuthProvider instance
+        if ("authenticateToken" in config &&
+            typeof config.authenticateToken === "function") {
+            this.authProvider = config;
+            logger.info(`Auth provider set: ${this.authProvider.type}`);
+        }
+        else if ("provider" in config) {
+            this.authProvider = config.provider;
+            logger.info(`Auth provider set: ${this.authProvider.type}`);
+        }
+        else {
+            const typedConfig = config;
+            const { AuthProviderFactory } = await import("./auth/AuthProviderFactory.js");
+            this.authProvider = await AuthProviderFactory.createProvider(typedConfig.type, typedConfig.config);
+            logger.info(`Auth provider created and set: ${typedConfig.type}`);
+        }
+        if (this.authProvider) {
+            this.emitter.emit("auth:provider:set", {
+                type: this.authProvider.type,
+                timestamp: Date.now(),
+            });
+        }
+    }
+    /**
+     * Get the currently configured authentication provider
+     */
+    getAuthProvider() {
+        return this.authProvider;
+    }
+    /**
+     * Lazily initialize the auth provider from pendingAuthConfig.
+     * Called on first use (generate/stream with auth token) to avoid
+     * async work in the synchronous constructor.
+     */
+    async ensureAuthProvider() {
+        if (this.authProvider || !this.pendingAuthConfig) {
+            return;
+        }
+        this.authInitPromise ??= (async () => {
+            try {
+                await this.setAuthProvider(this.pendingAuthConfig);
+                this.pendingAuthConfig = undefined;
+            }
+            catch (err) {
+                this.authInitPromise = undefined;
+                throw err;
+            }
+        })();
+        await this.authInitPromise;
+    }
+    /**
+     * Set the current authentication context for request handling.
+     *
+     * Delegates to the global AuthContextHolder so that auth state is NOT
+     * stored as an instance field (which would leak between concurrent requests
+     * sharing the same NeuroLink singleton). Prefer `runWithAuthContext()` from
+     * `authContext.ts` for proper request-scoped context via AsyncLocalStorage.
+     *
+     * @param context - The authenticated user context
+     */
+    async setAuthContext(context) {
+        const { globalAuthContext } = await import("./auth/authContext.js");
+        globalAuthContext.set(context);
+        logger.debug("Auth context set", {
+            userId: context.user.id,
+            provider: context.provider,
+            sessionId: context.session?.id,
+        });
+    }
+    /**
+     * Get the current authentication context.
+     *
+     * Checks AsyncLocalStorage first, then falls back to the global holder.
+     */
+    async getAuthContext() {
+        const { getAuthContext: getCtx } = await import("./auth/authContext.js");
+        return getCtx();
+    }
+    /**
+     * Clear the current authentication context
+     */
+    async clearAuthContext() {
+        const { globalAuthContext } = await import("./auth/authContext.js");
+        const userId = globalAuthContext.get()?.user.id;
+        globalAuthContext.clear();
+        if (userId) {
+            logger.debug(`Auth context cleared for user: ${userId}`);
+        }
+    }
     /**
      * Get the external server manager instance
      * Used internally by server adapters for external MCP server management

package/dist/client/rag/ChunkerRegistry.js

@@ -280,8 +280,8 @@ export class ChunkerRegistry extends BaseRegistry {
      * Register a chunker with aliases
      */
     registerChunker(strategy, factory, metadata) {
-        this.register(strategy, factory, metadata);
-        // Register aliases
+        this.register(strategy, factory, metadata.aliases ?? [], { metadata });
+        // Register aliases in local alias map for strategy resolution
         if (metadata.aliases) {
             for (const alias of metadata.aliases) {
                 this.aliasMap.set(alias.toLowerCase(), strategy);

package/dist/client/rag/metadata/MetadataExtractorRegistry.js

@@ -212,8 +212,8 @@ export class MetadataExtractorRegistry extends BaseRegistry {
      * Register an extractor with aliases
      */
     registerExtractor(type, factory, metadata) {
-        this.register(type, factory, metadata);
-        // Register aliases
+        this.register(type, factory, metadata.aliases, { metadata });
+        // Register aliases in local alias map for type resolution
         for (const alias of metadata.aliases) {
             this.aliasMap.set(alias.toLowerCase(), type);
             logger.debug(`[MetadataExtractorRegistry] Registered alias '${alias}' -> '${type}'`);

package/dist/client/rag/reranker/RerankerRegistry.js

@@ -237,8 +237,8 @@ export class RerankerRegistry extends BaseRegistry {
      * Register a reranker with aliases
      */
     registerReranker(type, factory, metadata) {
-        this.register(type, factory, metadata);
-        // Register aliases
+        this.register(type, factory, metadata.aliases, { metadata });
+        // Register aliases in local alias map for type resolution
         for (const alias of metadata.aliases) {
             this.aliasMap.set(alias.toLowerCase(), type);
             logger.debug(`[RerankerRegistry] Registered alias '${alias}' -> '${type}'`);

package/dist/client/server/routes/agentRoutes.js

@@ -36,8 +36,15 @@ export function createAgentRoutes(basePath = "/api") {
                         // Note: tools should be passed as Record<string, Tool> in generate options
                         // If request.tools is an array of tool names, we skip them
                         context: {
-                            sessionId: request.sessionId,
-                            userId: request.userId,
+                            // When an authenticated user context exists (set by auth middleware),
+                            // always use its IDs to prevent caller-supplied impersonation.
+                            sessionId: ctx.user
+                                ? ctx.session?.id
+                                : (ctx.session?.id ?? request.sessionId),
+                            userId: ctx.user ? ctx.user.id : request.userId,
+                            userEmail: ctx.user?.email,
+                            userRoles: ctx.user?.roles,
+                            requestId: ctx.requestId,
                         },
                     });
                     // Map tool calls from SDK format to API format
@@ -78,6 +85,17 @@ export function createAgentRoutes(basePath = "/api") {
                         systemPrompt: request.systemPrompt,
                         temperature: request.temperature,
                         maxTokens: request.maxTokens,
+                        context: {
+                            // When an authenticated user context exists (set by auth middleware),
+                            // always use its IDs to prevent caller-supplied impersonation.
+                            sessionId: ctx.user
+                                ? ctx.session?.id
+                                : (ctx.session?.id ?? request.sessionId),
+                            userId: ctx.user ? ctx.user.id : request.userId,
+                            userEmail: ctx.user?.email,
+                            userRoles: ctx.user?.roles,
+                            requestId: ctx.requestId,
+                        },
                     });
                     // Create redactor (no-op if redaction is not enabled)
                     const redactor = createStreamRedactor(ctx.redaction);

package/dist/client/types/authTypes.js

@@ -1,7 +1,8 @@
 /**
  * Auth-related type definitions for NeuroLink
  *
- * Canonical location for OAuth token storage types and token refresher contracts.
+ * Canonical location for OAuth token storage types, token refresher contracts,
+ * and multi-provider authentication types.
  * All auth type imports should reference this module (or the barrel re-export
  * via src/lib/types/index.ts).
  */

package/dist/core/infrastructure/baseRegistry.d.ts

@@ -10,7 +10,9 @@ export declare abstract class BaseRegistry<TItem, TMetadata = unknown> {
     protected initPromise: Promise<void> | null;
     protected abstract registerAll(): Promise<void>;
     ensureInitialized(): Promise<void>;
-    register(id: string, factory: () => Promise<TItem>, metadata: TMetadata): void;
+    register(id: string, factory: () => Promise<TItem>, aliases?: string[], options?: {
+        metadata: TMetadata;
+    }): void;
     get(id: string): Promise<TItem | undefined>;
     has(id: string): boolean;
     list(): Array<{

package/dist/core/infrastructure/baseRegistry.js

@@ -14,8 +14,12 @@ export class BaseRegistry {
         await this.initPromise;
         this.initialized = true;
     }
-    register(id, factory, metadata) {
+    register(id, factory, aliases = [], options) {
+        const metadata = options?.metadata ?? {};
         this.items.set(id, { factory, metadata });
+        for (const alias of aliases) {
+            this.items.set(alias.toLowerCase(), { factory, metadata });
+        }
         logger.debug(`Registered ${id} in registry`);
     }
     async get(id) {

package/dist/index.d.ts

@@ -374,3 +374,4 @@ export { RAGASEvaluator } from "./evaluation/ragasEvaluator.js";
 export { RetryManager } from "./evaluation/retryManager.js";
 export { mapToEvaluationData } from "./evaluation/scoring.js";
 export type { EnhancedConversationTurn, EnhancedEvaluationContext, EvaluationConfig, EvaluationResult, GetPromptFunction, QualityErrorDetails, QueryIntentAnalysis, } from "./types/evaluationTypes.js";
+export { AuthProviderFactory, createAuthProvider, AuthProviderRegistry, AuthError as AuthErrorFactory, AuthErrorCodes, BaseAuthProvider, InMemorySessionStorage, AuthProviderError, createAuthMiddleware as createAuthProviderMiddleware, createRBACMiddleware, createProtectedMiddleware, createExpressAuthMiddleware, createRequestContext, extractToken, AuthMiddlewareError, AuthMiddlewareErrorCodes, type MiddlewareHandler as AuthMiddlewareHandler, type MiddlewareResult, type NextFunction, type ExpressMiddleware, UserRateLimiter, MemoryRateLimitStorage, RedisRateLimitStorage, createRateLimitByUserMiddleware, createAuthenticatedRateLimitMiddleware, createRateLimitStorage, type RateLimitConfig as AuthRateLimitConfig, type RateLimitResult, type RateLimitMiddlewareResult, type RateLimitStorage, SessionManager, MemorySessionStorage, RedisSessionStorage, createSessionStorage, type SessionStorageInterface, AuthContextHolder, globalAuthContext, getAuthContext, getCurrentUser, getCurrentSession, isAuthenticated, hasRole, hasAnyRole, hasPermission, hasAllPermissions, requireAuth, requireRole, requirePermission, requireUser, runWithAuthContext, createAuthenticatedContext, RequestContext, NEUROLINK_RESOURCE_ID_KEY, NEUROLINK_THREAD_ID_KEY, createAuthValidatorFromProvider, } from "./auth/index.js";

package/dist/index.js

@@ -509,3 +509,28 @@ export { PromptBuilder } from "./evaluation/prompts.js";
 export { RAGASEvaluator } from "./evaluation/ragasEvaluator.js";
 export { RetryManager } from "./evaluation/retryManager.js";
 export { mapToEvaluationData } from "./evaluation/scoring.js";
+// ============================================================================
+// AUTHENTICATION PROVIDERS - Multi-provider Auth Integration
+// ============================================================================
+// Single-sourced from ./auth/index.js.  Only aliases that differ from the
+// canonical export name are listed explicitly; everything else is re-exported
+// as-is.
+export { 
+// Factory & Registry
+AuthProviderFactory, createAuthProvider, AuthProviderRegistry, 
+// Unified error factory
+AuthError as AuthErrorFactory, AuthErrorCodes, 
+// Base Provider
+BaseAuthProvider, InMemorySessionStorage, AuthProviderError, 
+// Auth Middleware (aliased to avoid conflict with server createAuthMiddleware)
+createAuthMiddleware as createAuthProviderMiddleware, createRBACMiddleware, createProtectedMiddleware, createExpressAuthMiddleware, createRequestContext, extractToken, AuthMiddlewareError, AuthMiddlewareErrorCodes, 
+// Rate Limiting Middleware
+UserRateLimiter, MemoryRateLimitStorage, RedisRateLimitStorage, createRateLimitByUserMiddleware, createAuthenticatedRateLimitMiddleware, createRateLimitStorage, 
+// Session Management
+SessionManager, MemorySessionStorage, RedisSessionStorage, createSessionStorage, 
+// Auth Context
+AuthContextHolder, globalAuthContext, getAuthContext, getCurrentUser, getCurrentSession, isAuthenticated, hasRole, hasAnyRole, hasPermission, hasAllPermissions, requireAuth, requireRole, requirePermission, requireUser, runWithAuthContext, createAuthenticatedContext, 
+// Request Context
+RequestContext, NEUROLINK_RESOURCE_ID_KEY, NEUROLINK_THREAD_ID_KEY, 
+// Server Bridge
+createAuthValidatorFromProvider, } from "./auth/index.js";

package/dist/lib/auth/AuthProviderFactory.d.ts

@@ -0,0 +1,71 @@
+/**
+ * AuthProviderFactory - Static factory for authentication providers
+ *
+ * Matches the ProviderFactory pattern: all-static class, no BaseFactory
+ * extension, no singleton instance. Providers are registered by
+ * AuthProviderRegistry using dynamic imports to avoid circular dependencies.
+ */
+import type { AuthProviderConfig, AuthProviderMetadata, MastraAuthProvider } from "../types/authTypes.js";
+type AuthProviderConstructor = (config: AuthProviderConfig) => Promise<MastraAuthProvider>;
+/**
+ * AuthProviderFactory - Creates authentication provider instances
+ *
+ * Pure static factory with no hardcoded imports. All providers are
+ * registered dynamically by AuthProviderRegistry to avoid circular
+ * dependencies and enable lazy loading.
+ *
+ * @example
+ * ```typescript
+ * // Create a provider (after AuthProviderRegistry.registerAllProviders())
+ * const provider = await AuthProviderFactory.createProvider("auth0", {
+ *   type: "auth0",
+ *   domain: "your-tenant.auth0.com",
+ *   clientId: "your-client-id",
+ * });
+ * ```
+ */
+export declare class AuthProviderFactory {
+    private static readonly providers;
+    private static readonly aliasMap;
+    /**
+     * Register a provider with the factory
+     */
+    static registerProvider(type: string, factory: AuthProviderConstructor, aliases?: string[], metadata?: AuthProviderMetadata): void;
+    /**
+     * Create a provider instance
+     */
+    static createProvider(typeOrAlias: string, config: AuthProviderConfig): Promise<MastraAuthProvider>;
+    /**
+     * Check if a provider is registered
+     */
+    static hasProvider(typeOrAlias: string): boolean;
+    /**
+     * Get list of available provider types (excludes aliases)
+     */
+    static getAvailableProviders(): string[];
+    /**
+     * Get provider metadata
+     */
+    static getProviderMetadata(typeOrAlias: string): AuthProviderMetadata | undefined;
+    /**
+     * Get all registered providers with their metadata
+     */
+    static getAllProviderInfo(): Array<{
+        type: string;
+        aliases: string[];
+        metadata?: AuthProviderMetadata;
+    }>;
+    /**
+     * Clear all registrations (for testing)
+     */
+    static clearRegistrations(): void;
+    /**
+     * Resolve an alias to its canonical provider type
+     */
+    private static resolveType;
+}
+/**
+ * Create an auth provider using the factory
+ */
+export declare function createAuthProvider(type: string, config: AuthProviderConfig): Promise<MastraAuthProvider>;
+export {};

package/dist/lib/auth/AuthProviderFactory.js

@@ -0,0 +1,112 @@
+/**
+ * AuthProviderFactory - Static factory for authentication providers
+ *
+ * Matches the ProviderFactory pattern: all-static class, no BaseFactory
+ * extension, no singleton instance. Providers are registered by
+ * AuthProviderRegistry using dynamic imports to avoid circular dependencies.
+ */
+import { logger } from "../utils/logger.js";
+import { AuthError } from "./errors.js";
+// =============================================================================
+// FACTORY IMPLEMENTATION
+// =============================================================================
+/**
+ * AuthProviderFactory - Creates authentication provider instances
+ *
+ * Pure static factory with no hardcoded imports. All providers are
+ * registered dynamically by AuthProviderRegistry to avoid circular
+ * dependencies and enable lazy loading.
+ *
+ * @example
+ * ```typescript
+ * // Create a provider (after AuthProviderRegistry.registerAllProviders())
+ * const provider = await AuthProviderFactory.createProvider("auth0", {
+ *   type: "auth0",
+ *   domain: "your-tenant.auth0.com",
+ *   clientId: "your-client-id",
+ * });
+ * ```
+ */
+export class AuthProviderFactory {
+    static providers = new Map();
+    static aliasMap = new Map();
+    /**
+     * Register a provider with the factory
+     */
+    static registerProvider(type, factory, aliases = [], metadata) {
+        AuthProviderFactory.providers.set(type, { factory, aliases, metadata });
+        for (const alias of aliases) {
+            AuthProviderFactory.aliasMap.set(alias.toLowerCase(), type);
+        }
+        logger.debug(`Registered auth provider: ${type}`);
+    }
+    /**
+     * Create a provider instance
+     */
+    static async createProvider(typeOrAlias, config) {
+        const resolvedType = AuthProviderFactory.resolveType(typeOrAlias);
+        const registration = AuthProviderFactory.providers.get(resolvedType);
+        if (!registration) {
+            throw AuthError.create("PROVIDER_NOT_FOUND", `Auth provider not found: ${typeOrAlias}. Available: ${AuthProviderFactory.getAvailableProviders().join(", ")}`);
+        }
+        try {
+            return await registration.factory(config);
+        }
+        catch (error) {
+            throw AuthError.create("CREATION_FAILED", `Failed to create auth provider ${typeOrAlias}: ${error instanceof Error ? error.message : String(error)}`, { cause: error instanceof Error ? error : undefined });
+        }
+    }
+    /**
+     * Check if a provider is registered
+     */
+    static hasProvider(typeOrAlias) {
+        return (AuthProviderFactory.providers.has(typeOrAlias) ||
+            AuthProviderFactory.aliasMap.has(typeOrAlias.toLowerCase()));
+    }
+    /**
+     * Get list of available provider types (excludes aliases)
+     */
+    static getAvailableProviders() {
+        return Array.from(AuthProviderFactory.providers.keys());
+    }
+    /**
+     * Get provider metadata
+     */
+    static getProviderMetadata(typeOrAlias) {
+        const resolvedType = AuthProviderFactory.resolveType(typeOrAlias);
+        return AuthProviderFactory.providers.get(resolvedType)?.metadata;
+    }
+    /**
+     * Get all registered providers with their metadata
+     */
+    static getAllProviderInfo() {
+        return Array.from(AuthProviderFactory.providers.entries()).map(([type, reg]) => ({
+            type,
+            aliases: reg.aliases,
+            metadata: reg.metadata,
+        }));
+    }
+    /**
+     * Clear all registrations (for testing)
+     */
+    static clearRegistrations() {
+        AuthProviderFactory.providers.clear();
+        AuthProviderFactory.aliasMap.clear();
+    }
+    /**
+     * Resolve an alias to its canonical provider type
+     */
+    static resolveType(typeOrAlias) {
+        return (AuthProviderFactory.aliasMap.get(typeOrAlias.toLowerCase()) || typeOrAlias);
+    }
+}
+// =============================================================================
+// CONVENIENCE EXPORTS
+// =============================================================================
+/**
+ * Create an auth provider using the factory
+ */
+export async function createAuthProvider(type, config) {
+    return AuthProviderFactory.createProvider(type, config);
+}
+//# sourceMappingURL=AuthProviderFactory.js.map

package/dist/lib/auth/AuthProviderRegistry.d.ts

@@ -0,0 +1,33 @@
+/**
+ * AuthProviderRegistry - Static one-shot registry for authentication providers
+ *
+ * Matches the ProviderRegistry pattern: static class with a single
+ * `registerAllProviders()` entry point that registers all 11 auth
+ * providers with AuthProviderFactory using dynamic imports.
+ */
+/**
+ * AuthProviderRegistry - registers all auth providers with the factory
+ *
+ * Call `AuthProviderRegistry.registerAllProviders()` once during
+ * application startup. The method is idempotent and concurrency-safe.
+ */
+export declare class AuthProviderRegistry {
+    private static registered;
+    private static registrationPromise;
+    /**
+     * Register all auth providers with the factory
+     */
+    static registerAllProviders(): Promise<void>;
+    /**
+     * Internal registration implementation
+     */
+    private static _doRegister;
+    /**
+     * Check if providers are registered
+     */
+    static isRegistered(): boolean;
+    /**
+     * Clear registrations (for testing)
+     */
+    static clearRegistrations(): void;
+}