@kya-os/provider-registry 0.1.0

package/dist/registry.d.ts

@@ -0,0 +1,291 @@
+/**
+ * Provider Registry Implementation
+ *
+ * Single source of truth for provider definitions and provider-type mapping.
+ * Implements IProviderRegistry interface for dependency injection and testing.
+ *
+ * Key features:
+ * - Provider lookup by ID and oauthProviderId
+ * - Authentication mode to consent provider type mapping
+ * - oauthProviderId uniqueness enforcement
+ * - Seal capability to prevent runtime modifications
+ * - Consistent fallback behavior with logging
+ */
+import type { ProviderDefinition, ConsentProviderType, AuthMode } from './types';
+/**
+ * Logger interface for deprecation and warning messages
+ *
+ * Allows injection of custom loggers for production metrics/alerting.
+ */
+export interface RegistryLogger {
+    warn(message: string, context?: Record<string, unknown>): void;
+}
+/**
+ * Provider Registry Interface
+ *
+ * Defines the contract for provider registry implementations.
+ * Allows dependency injection and testability.
+ */
+export interface IProviderRegistry {
+    /**
+     * Get a provider definition by ID
+     *
+     * @param id - Provider identifier
+     * @returns Provider definition or undefined if not found
+     */
+    getProvider(id: string): ProviderDefinition | undefined;
+    /**
+     * Find a provider by its oauthProviderId
+     *
+     * This is useful when you have an OAuth identity provider field
+     * that may differ from the provider's primary ID.
+     *
+     * @param oauthProviderId - OAuth provider identifier
+     * @returns Provider definition or undefined if not found
+     */
+    findByOauthProviderId(oauthProviderId: string): ProviderDefinition | undefined;
+    /**
+     * Check if a provider is known (registered)
+     *
+     * @param id - Provider identifier
+     * @returns True if provider is registered
+     */
+    isKnownProvider(id: string): boolean;
+    /**
+     * Check if a provider is an OAuth provider
+     *
+     * @param id - Provider identifier
+     * @returns True if provider exists and is OAuth category
+     */
+    isOAuthProvider(id: string): boolean;
+    /**
+     * Check if a provider is a credential provider
+     *
+     * @param id - Provider identifier
+     * @returns True if provider exists and is credential category
+     */
+    isCredentialProvider(id: string): boolean;
+    /**
+     * Map auth mode and OAuth provider ID to consent provider type
+     *
+     * Deterministic precedence rules with explicit mapping logic.
+     *
+     * @param authMode - Authentication mode (UI/flow level)
+     * @param oauthProviderId - OAuth provider identifier (if OAuth flow)
+     * @returns Consent provider type (backend routing vocabulary)
+     */
+    mapAuthModeToConsentProvider(authMode?: AuthMode | string, oauthProviderId?: string): ConsentProviderType;
+    /**
+     * Map provider ID directly to consent provider type
+     *
+     * @param providerId - Provider identifier
+     * @returns Consent provider type
+     */
+    mapProviderToConsentProvider(providerId: string): ConsentProviderType;
+    /**
+     * Determine provider type from auth mode and OAuth identity provider
+     *
+     * @deprecated Use mapAuthModeToConsentProvider instead
+     */
+    determineProviderTypeFromAuthMode(authMode?: string, oauthIdentityProvider?: string): ConsentProviderType;
+    /**
+     * Register a new provider
+     *
+     * @param def - Provider definition to register
+     * @param opts - Registration options
+     * @throws Error if provider already exists and overwrite is false
+     * @throws Error if registry is sealed
+     */
+    registerProvider(def: ProviderDefinition, opts?: {
+        overwrite?: boolean;
+    }): void;
+    /**
+     * List all registered providers
+     *
+     * @returns Array of all provider definitions
+     */
+    listProviders(): ProviderDefinition[];
+    /**
+     * Load providers from configuration
+     *
+     * Validates and registers providers from a configuration object.
+     * Useful for loading custom providers from JSON config or environment variables.
+     *
+     * @param config - Configuration object (will be validated via zod)
+     * @throws ZodError if configuration is invalid
+     * @throws Error if registry is sealed
+     */
+    loadFromConfig(config: unknown): void;
+    /**
+     * Seal the registry to prevent further modifications
+     *
+     * Once sealed, registerProvider() and loadFromConfig() will throw.
+     * Useful for long-running workers to prevent accidental runtime modifications.
+     */
+    seal(): void;
+    /**
+     * Check if the registry is sealed
+     *
+     * @returns True if the registry is sealed
+     */
+    isSealed(): boolean;
+}
+/**
+ * Provider Registry Implementation
+ *
+ * Maintains a registry of provider definitions and provides lookup/mapping methods.
+ *
+ * ## Fallback Behavior
+ *
+ * This registry implements consistent fallback behavior:
+ *
+ * - `mapAuthModeToConsentProvider`:
+ *   - Unknown oauthProviderId with explicit presence → 'oauth2' (logs warning)
+ *   - No oauthProviderId → 'none'
+ *
+ * - `mapProviderToConsentProvider`:
+ *   - Unknown providerId → 'none' (logs warning)
+ *
+ * The difference is intentional:
+ * - If caller provides an oauthProviderId, they expect OAuth behavior
+ * - If caller provides a providerId that's unknown, fall back safely
+ */
+export declare class ProviderRegistry implements IProviderRegistry {
+    private providers;
+    private oauthProviderIdIndex;
+    private sealed;
+    private logger;
+    /**
+     * Create a new ProviderRegistry
+     *
+     * @param initial - Initial providers to register (defaults to common providers)
+     * @param logger - Optional logger for warnings (defaults to console.warn)
+     */
+    constructor(initial?: ProviderDefinition[], logger?: RegistryLogger);
+    /**
+     * Register a provider definition
+     *
+     * Provider IDs are normalized to lowercase.
+     * oauthProviderId must be unique across the registry.
+     *
+     * @param def - Provider definition (will be validated)
+     * @param opts - Registration options
+     * @throws Error if provider already exists and overwrite is false
+     * @throws Error if oauthProviderId already exists for another provider
+     * @throws Error if registry is sealed
+     */
+    registerProvider(def: ProviderDefinition, opts?: {
+        overwrite?: boolean;
+    }): void;
+    /**
+     * Get a provider definition by ID (case-insensitive)
+     *
+     * @param id - Provider identifier
+     * @returns Provider definition or undefined if not found
+     */
+    getProvider(id: string): ProviderDefinition | undefined;
+    /**
+     * Find a provider by its oauthProviderId (case-insensitive)
+     *
+     * This is useful when you have an OAuth identity provider field
+     * that may differ from the provider's primary ID.
+     *
+     * @param oauthProviderId - OAuth provider identifier to look up
+     * @returns Provider definition or undefined if not found
+     */
+    findByOauthProviderId(oauthProviderId: string): ProviderDefinition | undefined;
+    /**
+     * Check if a provider is known (registered)
+     *
+     * @param id - Provider identifier
+     * @returns True if provider is registered
+     */
+    isKnownProvider(id: string): boolean;
+    /**
+     * Check if a provider is an OAuth provider
+     *
+     * @param id - Provider identifier
+     * @returns True if provider exists and has oauth2 authType
+     */
+    isOAuthProvider(id: string): boolean;
+    /**
+     * Check if a provider is a credential provider
+     *
+     * @param id - Provider identifier
+     * @returns True if provider exists and has password authType
+     */
+    isCredentialProvider(id: string): boolean;
+    /**
+     * Map auth mode and OAuth provider ID to consent provider type
+     *
+     * Deterministic precedence rules:
+     * 1. Explicit authMode (non-oauth) → direct mapping
+     * 2. If authMode === 'oauth' or no explicit authMode but oauthProviderId present → consult registry
+     * 3. Unknown oauthProviderId → 'oauth2' (with warning log)
+     * 4. Fallback → 'none'
+     *
+     * @param authMode - Authentication mode (UI/flow level)
+     * @param oauthProviderId - OAuth provider identifier (if OAuth flow)
+     * @returns Consent provider type (backend routing vocabulary)
+     */
+    mapAuthModeToConsentProvider(authMode?: AuthMode | string, oauthProviderId?: string): ConsentProviderType;
+    /**
+     * Map provider ID directly to consent provider type
+     *
+     * Thin wrapper that looks up provider.authType and maps it to consent provider type.
+     * For unknown providers, returns 'none' and logs a warning.
+     *
+     * @param providerId - Provider identifier
+     * @returns Consent provider type
+     */
+    mapProviderToConsentProvider(providerId: string): ConsentProviderType;
+    /**
+     * Map provider auth type to consent provider type
+     *
+     * @internal
+     */
+    private mapAuthTypeToConsentProvider;
+    /**
+     * Determine provider type from auth mode and OAuth identity provider
+     *
+     * @deprecated Use mapAuthModeToConsentProvider instead. This method is kept for backward compatibility.
+     *
+     * @param authMode - Authentication mode
+     * @param oauthIdentityProvider - OAuth provider identifier
+     * @returns Consent provider type
+     */
+    determineProviderTypeFromAuthMode(authMode?: string, oauthIdentityProvider?: string): ConsentProviderType;
+    /**
+     * List all registered providers
+     *
+     * @returns Array of all provider definitions
+     */
+    listProviders(): ProviderDefinition[];
+    /**
+     * Load providers from configuration
+     *
+     * Validates configuration via zod and registers all providers.
+     * Existing providers with same ID will be overwritten.
+     *
+     * @param config - Configuration object (will be validated)
+     * @throws ZodError if configuration is invalid
+     * @throws Error if registry is sealed
+     */
+    loadFromConfig(config: unknown): void;
+    /**
+     * Seal the registry to prevent further modifications
+     *
+     * Once sealed, registerProvider() and loadFromConfig() will throw.
+     * Useful for long-running workers to prevent accidental runtime modifications.
+     *
+     * This operation is irreversible.
+     */
+    seal(): void;
+    /**
+     * Check if the registry is sealed
+     *
+     * @returns True if the registry is sealed
+     */
+    isSealed(): boolean;
+}
+//# sourceMappingURL=registry.d.ts.map

package/dist/registry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"registry.d.ts","sourceRoot":"","sources":["../src/registry.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EACV,kBAAkB,EAElB,mBAAmB,EACnB,QAAQ,EAET,MAAM,SAAS,CAAC;AAOjB;;;;GAIG;AACH,MAAM,WAAW,cAAc;IAC7B,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CAChE;AAeD;;;;;GAKG;AACH,MAAM,WAAW,iBAAiB;IAChC;;;;;OAKG;IACH,WAAW,CAAC,EAAE,EAAE,MAAM,GAAG,kBAAkB,GAAG,SAAS,CAAC;IAExD;;;;;;;;OAQG;IACH,qBAAqB,CAAC,eAAe,EAAE,MAAM,GAAG,kBAAkB,GAAG,SAAS,CAAC;IAE/E;;;;;OAKG;IACH,eAAe,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC;IAErC;;;;;OAKG;IACH,eAAe,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC;IAErC;;;;;OAKG;IACH,oBAAoB,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC;IAE1C;;;;;;;;OAQG;IACH,4BAA4B,CAC1B,QAAQ,CAAC,EAAE,QAAQ,GAAG,MAAM,EAC5B,eAAe,CAAC,EAAE,MAAM,GACvB,mBAAmB,CAAC;IAEvB;;;;;OAKG;IACH,4BAA4B,CAAC,UAAU,EAAE,MAAM,GAAG,mBAAmB,CAAC;IAEtE;;;;OAIG;IACH,iCAAiC,CAC/B,QAAQ,CAAC,EAAE,MAAM,EACjB,qBAAqB,CAAC,EAAE,MAAM,GAC7B,mBAAmB,CAAC;IAEvB;;;;;;;OAOG;IACH,gBAAgB,CACd,GAAG,EAAE,kBAAkB,EACvB,IAAI,CAAC,EAAE;QAAE,SAAS,CAAC,EAAE,OAAO,CAAA;KAAE,GAC7B,IAAI,CAAC;IAER;;;;OAIG;IACH,aAAa,IAAI,kBAAkB,EAAE,CAAC;IAEtC;;;;;;;;;OASG;IACH,cAAc,CAAC,MAAM,EAAE,OAAO,GAAG,IAAI,CAAC;IAEtC;;;;;OAKG;IACH,IAAI,IAAI,IAAI,CAAC;IAEb;;;;OAIG;IACH,QAAQ,IAAI,OAAO,CAAC;CACrB;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,qBAAa,gBAAiB,YAAW,iBAAiB;IACxD,OAAO,CAAC,SAAS,CAAyC;IAC1D,OAAO,CAAC,oBAAoB,CAA6B;IACzD,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,MAAM,CAAiB;IAE/B;;;;;OAKG;gBACS,OAAO,GAAE,kBAAkB,EAAO,EAAE,MAAM,GAAE,cAA8B;IAKtF;;;;;;;;;;;OAWG;IACH,gBAAgB,CACd,GAAG,EAAE,kBAAkB,EACvB,IAAI,GAAE;QAAE,SAAS,CAAC,EAAE,OAAO,CAAA;KAAO,GACjC,IAAI;IAoDP;;;;;OAKG;IACH,WAAW,CAAC,EAAE,EAAE,MAAM,GAAG,kBAAkB,GAAG,SAAS;IAIvD;;;;;;;;OAQG;IACH,qBAAqB,CAAC,eAAe,EAAE,MAAM,GAAG,kBAAkB,GAAG,SAAS;IAa9E;;;;;OAKG;IACH,eAAe,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;IAIpC;;;;;OAKG;IACH,eAAe,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;IAKpC;;;;;OAKG;IACH,oBAAoB,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;IAKzC;;;;;;;;;;;;OAYG;IACH,4BAA4B,CAC1B,QAAQ,CAAC,EAAE,QAAQ,GAAG,MAAM,EAC5B,eAAe,CAAC,EAAE,MAAM,GACvB,mBAAmB;IAmEtB;;;;;;;;OAQG;IACH,4BAA4B,CAAC,UAAU,EAAE,MAAM,GAAG,mBAAmB;IAcrE;;;;OAIG;IACH,OAAO,CAAC,4BAA4B;IAqBpC;;;;;;;;OAQG;IACH,iCAAiC,CAC/B,QAAQ,CAAC,EAAE,MAAM,EACjB,qBAAqB,CAAC,EAAE,MAAM,GAC7B,mBAAmB;IAOtB;;;;OAIG;IACH,aAAa,IAAI,kBAAkB,EAAE;IAIrC;;;;;;;;;OASG;IACH,cAAc,CAAC,MAAM,EAAE,OAAO,GAAG,IAAI;IAarC;;;;;;;OAOG;IACH,IAAI,IAAI,IAAI;IAIZ;;;;OAIG;IACH,QAAQ,IAAI,OAAO;CAGpB"}

package/dist/registry.js

@@ -0,0 +1,339 @@
+/**
+ * Provider Registry Implementation
+ *
+ * Single source of truth for provider definitions and provider-type mapping.
+ * Implements IProviderRegistry interface for dependency injection and testing.
+ *
+ * Key features:
+ * - Provider lookup by ID and oauthProviderId
+ * - Authentication mode to consent provider type mapping
+ * - oauthProviderId uniqueness enforcement
+ * - Seal capability to prevent runtime modifications
+ * - Consistent fallback behavior with logging
+ */
+import { AUTH_MODES } from './types';
+import { validateProviderDefinition, validateProviderConfig, } from './schemas';
+/**
+ * Default logger using console.warn
+ */
+const defaultLogger = {
+    warn: (message, context) => {
+        if (context) {
+            console.warn(message, context);
+        }
+        else {
+            console.warn(message);
+        }
+    },
+};
+/**
+ * Provider Registry Implementation
+ *
+ * Maintains a registry of provider definitions and provides lookup/mapping methods.
+ *
+ * ## Fallback Behavior
+ *
+ * This registry implements consistent fallback behavior:
+ *
+ * - `mapAuthModeToConsentProvider`:
+ *   - Unknown oauthProviderId with explicit presence → 'oauth2' (logs warning)
+ *   - No oauthProviderId → 'none'
+ *
+ * - `mapProviderToConsentProvider`:
+ *   - Unknown providerId → 'none' (logs warning)
+ *
+ * The difference is intentional:
+ * - If caller provides an oauthProviderId, they expect OAuth behavior
+ * - If caller provides a providerId that's unknown, fall back safely
+ */
+export class ProviderRegistry {
+    /**
+     * Create a new ProviderRegistry
+     *
+     * @param initial - Initial providers to register (defaults to common providers)
+     * @param logger - Optional logger for warnings (defaults to console.warn)
+     */
+    constructor(initial = [], logger = defaultLogger) {
+        this.providers = new Map();
+        this.oauthProviderIdIndex = new Map(); // oauthProviderId -> provider id
+        this.sealed = false;
+        this.logger = logger;
+        initial.forEach((p) => this.registerProvider(p, { overwrite: false }));
+    }
+    /**
+     * Register a provider definition
+     *
+     * Provider IDs are normalized to lowercase.
+     * oauthProviderId must be unique across the registry.
+     *
+     * @param def - Provider definition (will be validated)
+     * @param opts - Registration options
+     * @throws Error if provider already exists and overwrite is false
+     * @throws Error if oauthProviderId already exists for another provider
+     * @throws Error if registry is sealed
+     */
+    registerProvider(def, opts = {}) {
+        if (this.sealed) {
+            throw new Error('Registry is sealed. Cannot register new providers after seal() is called.');
+        }
+        const normalized = validateProviderDefinition(def);
+        const normalizedId = normalized.id.toLowerCase();
+        // Check for duplicate provider ID
+        if (this.providers.has(normalizedId) && !opts.overwrite) {
+            throw new Error(`Provider "${normalizedId}" is already registered. Use overwrite: true to replace.`);
+        }
+        // Handle oauthProviderId uniqueness
+        const normalizedOAuthProviderId = normalized.oauthProviderId?.toLowerCase();
+        if (normalizedOAuthProviderId) {
+            const existingOwnerId = this.oauthProviderIdIndex.get(normalizedOAuthProviderId);
+            // If oauthProviderId is used by a different provider, require overwrite
+            if (existingOwnerId && existingOwnerId !== normalizedId) {
+                if (!opts.overwrite) {
+                    throw new Error(`oauthProviderId "${normalizedOAuthProviderId}" is already used by provider "${existingOwnerId}". ` +
+                        `Use overwrite: true to replace or use a different oauthProviderId.`);
+                }
+                // If overwriting, remove old index entry
+                this.oauthProviderIdIndex.delete(normalizedOAuthProviderId);
+            }
+            // Update oauthProviderId index
+            this.oauthProviderIdIndex.set(normalizedOAuthProviderId, normalizedId);
+        }
+        // If we're overwriting, clean up old oauthProviderId index
+        if (opts.overwrite) {
+            const existing = this.providers.get(normalizedId);
+            if (existing?.oauthProviderId) {
+                const oldOAuthId = existing.oauthProviderId.toLowerCase();
+                if (oldOAuthId !== normalizedOAuthProviderId) {
+                    this.oauthProviderIdIndex.delete(oldOAuthId);
+                }
+            }
+        }
+        this.providers.set(normalizedId, normalized);
+    }
+    /**
+     * Get a provider definition by ID (case-insensitive)
+     *
+     * @param id - Provider identifier
+     * @returns Provider definition or undefined if not found
+     */
+    getProvider(id) {
+        return this.providers.get(id.toLowerCase());
+    }
+    /**
+     * Find a provider by its oauthProviderId (case-insensitive)
+     *
+     * This is useful when you have an OAuth identity provider field
+     * that may differ from the provider's primary ID.
+     *
+     * @param oauthProviderId - OAuth provider identifier to look up
+     * @returns Provider definition or undefined if not found
+     */
+    findByOauthProviderId(oauthProviderId) {
+        const normalizedOAuthId = oauthProviderId.toLowerCase();
+        const providerId = this.oauthProviderIdIndex.get(normalizedOAuthId);
+        if (providerId) {
+            return this.providers.get(providerId);
+        }
+        // Fallback: check if oauthProviderId matches a provider ID directly
+        // This handles cases where id === oauthProviderId
+        return this.providers.get(normalizedOAuthId);
+    }
+    /**
+     * Check if a provider is known (registered)
+     *
+     * @param id - Provider identifier
+     * @returns True if provider is registered
+     */
+    isKnownProvider(id) {
+        return this.providers.has(id.toLowerCase());
+    }
+    /**
+     * Check if a provider is an OAuth provider
+     *
+     * @param id - Provider identifier
+     * @returns True if provider exists and has oauth2 authType
+     */
+    isOAuthProvider(id) {
+        const provider = this.getProvider(id);
+        return !!provider && provider.authType === 'oauth2';
+    }
+    /**
+     * Check if a provider is a credential provider
+     *
+     * @param id - Provider identifier
+     * @returns True if provider exists and has password authType
+     */
+    isCredentialProvider(id) {
+        const provider = this.getProvider(id);
+        return !!provider && provider.authType === 'password';
+    }
+    /**
+     * Map auth mode and OAuth provider ID to consent provider type
+     *
+     * Deterministic precedence rules:
+     * 1. Explicit authMode (non-oauth) → direct mapping
+     * 2. If authMode === 'oauth' or no explicit authMode but oauthProviderId present → consult registry
+     * 3. Unknown oauthProviderId → 'oauth2' (with warning log)
+     * 4. Fallback → 'none'
+     *
+     * @param authMode - Authentication mode (UI/flow level)
+     * @param oauthProviderId - OAuth provider identifier (if OAuth flow)
+     * @returns Consent provider type (backend routing vocabulary)
+     */
+    mapAuthModeToConsentProvider(authMode, oauthProviderId) {
+        // 1. If explicit authMode (non-oauth) → direct mapping
+        if (authMode && authMode !== AUTH_MODES.OAUTH) {
+            switch (authMode) {
+                case AUTH_MODES.CREDENTIALS:
+                case 'credentials':
+                case 'password':
+                case 'credential':
+                    return 'credential';
+                case AUTH_MODES.MAGIC_LINK:
+                case 'magic-link':
+                case 'magic_link':
+                    return 'magic_link';
+                case AUTH_MODES.OTP:
+                case 'otp':
+                    return 'otp';
+                case AUTH_MODES.PASSKEY:
+                case 'passkey':
+                    return 'passkey';
+                case 'verifiable_credential':
+                    return 'verifiable_credential';
+                case AUTH_MODES.IDV:
+                case 'idv':
+                    return 'verifiable_credential';
+                case 'mdl':
+                    return 'verifiable_credential';
+                case AUTH_MODES.CONSENT_ONLY:
+                case 'consent-only':
+                case 'none':
+                case '':
+                    return 'none';
+                default:
+                    return 'none';
+            }
+        }
+        // 2. If authMode === 'oauth' or oauthProviderId present
+        if (authMode === AUTH_MODES.OAUTH || authMode === 'oauth' || oauthProviderId) {
+            // If oauthProviderId provided, try to look up the provider
+            if (oauthProviderId) {
+                // First try findByOauthProviderId for proper lookup
+                let provider = this.findByOauthProviderId(oauthProviderId);
+                // Also check by direct ID lookup (for backward compatibility)
+                if (!provider) {
+                    provider = this.getProvider(oauthProviderId);
+                }
+                if (provider) {
+                    return this.mapAuthTypeToConsentProvider(provider.authType);
+                }
+                // Unknown oauthProviderId: log warning and return 'oauth2'
+                this.logger.warn(`Provider "${oauthProviderId}" not registered in provider registry; assuming oauth2 flow.`, { oauthProviderId, fallback: 'oauth2' });
+            }
+            // authMode === 'oauth' without oauthProviderId, or unknown oauthProviderId
+            return 'oauth2';
+        }
+        // 3. Fallback
+        return 'none';
+    }
+    /**
+     * Map provider ID directly to consent provider type
+     *
+     * Thin wrapper that looks up provider.authType and maps it to consent provider type.
+     * For unknown providers, returns 'none' and logs a warning.
+     *
+     * @param providerId - Provider identifier
+     * @returns Consent provider type
+     */
+    mapProviderToConsentProvider(providerId) {
+        const provider = this.getProvider(providerId);
+        if (!provider) {
+            this.logger.warn(`Provider "${providerId}" not found in registry; returning 'none'.`, { providerId, fallback: 'none' });
+            return 'none';
+        }
+        return this.mapAuthTypeToConsentProvider(provider.authType);
+    }
+    /**
+     * Map provider auth type to consent provider type
+     *
+     * @internal
+     */
+    mapAuthTypeToConsentProvider(authType) {
+        switch (authType) {
+            case 'oauth2':
+                return 'oauth2';
+            case 'password':
+                return 'credential';
+            case 'verifiable_credential':
+                return 'verifiable_credential';
+            case 'magic_link':
+                return 'magic_link';
+            case 'otp':
+                return 'otp';
+            case 'passkey':
+                return 'passkey';
+            case 'none':
+                return 'none';
+            default:
+                return 'none';
+        }
+    }
+    /**
+     * Determine provider type from auth mode and OAuth identity provider
+     *
+     * @deprecated Use mapAuthModeToConsentProvider instead. This method is kept for backward compatibility.
+     *
+     * @param authMode - Authentication mode
+     * @param oauthIdentityProvider - OAuth provider identifier
+     * @returns Consent provider type
+     */
+    determineProviderTypeFromAuthMode(authMode, oauthIdentityProvider) {
+        return this.mapAuthModeToConsentProvider(authMode, oauthIdentityProvider);
+    }
+    /**
+     * List all registered providers
+     *
+     * @returns Array of all provider definitions
+     */
+    listProviders() {
+        return Array.from(this.providers.values());
+    }
+    /**
+     * Load providers from configuration
+     *
+     * Validates configuration via zod and registers all providers.
+     * Existing providers with same ID will be overwritten.
+     *
+     * @param config - Configuration object (will be validated)
+     * @throws ZodError if configuration is invalid
+     * @throws Error if registry is sealed
+     */
+    loadFromConfig(config) {
+        if (this.sealed) {
+            throw new Error('Registry is sealed. Cannot load configuration after seal() is called.');
+        }
+        const validated = validateProviderConfig(config);
+        validated.providers.forEach((p) => this.registerProvider(p, { overwrite: true }));
+    }
+    /**
+     * Seal the registry to prevent further modifications
+     *
+     * Once sealed, registerProvider() and loadFromConfig() will throw.
+     * Useful for long-running workers to prevent accidental runtime modifications.
+     *
+     * This operation is irreversible.
+     */
+    seal() {
+        this.sealed = true;
+    }
+    /**
+     * Check if the registry is sealed
+     *
+     * @returns True if the registry is sealed
+     */
+    isSealed() {
+        return this.sealed;
+    }
+}
+//# sourceMappingURL=registry.js.map

package/dist/registry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"registry.js","sourceRoot":"","sources":["../src/registry.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AASH,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EACL,0BAA0B,EAC1B,sBAAsB,GACvB,MAAM,WAAW,CAAC;AAWnB;;GAEG;AACH,MAAM,aAAa,GAAmB;IACpC,IAAI,EAAE,CAAC,OAAe,EAAE,OAAiC,EAAE,EAAE;QAC3D,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QACjC,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxB,CAAC;IACH,CAAC;CACF,CAAC;AAoIF;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,OAAO,gBAAgB;IAM3B;;;;;OAKG;IACH,YAAY,UAAgC,EAAE,EAAE,SAAyB,aAAa;QAX9E,cAAS,GAAG,IAAI,GAAG,EAA8B,CAAC;QAClD,yBAAoB,GAAG,IAAI,GAAG,EAAkB,CAAC,CAAC,iCAAiC;QACnF,WAAM,GAAG,KAAK,CAAC;QAUrB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,EAAE,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;IACzE,CAAC;IAED;;;;;;;;;;;OAWG;IACH,gBAAgB,CACd,GAAuB,EACvB,OAAgC,EAAE;QAElC,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,MAAM,IAAI,KAAK,CACb,2EAA2E,CAC5E,CAAC;QACJ,CAAC;QAED,MAAM,UAAU,GAAG,0BAA0B,CAAC,GAAG,CAAC,CAAC;QACnD,MAAM,YAAY,GAAG,UAAU,CAAC,EAAE,CAAC,WAAW,EAAE,CAAC;QAEjD,kCAAkC;QAClC,IAAI,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;YACxD,MAAM,IAAI,KAAK,CACb,aAAa,YAAY,0DAA0D,CACpF,CAAC;QACJ,CAAC;QAED,oCAAoC;QACpC,MAAM,yBAAyB,GAAG,UAAU,CAAC,eAAe,EAAE,WAAW,EAAE,CAAC;QAC5E,IAAI,yBAAyB,EAAE,CAAC;YAC9B,MAAM,eAAe,GAAG,IAAI,CAAC,oBAAoB,CAAC,GAAG,CAAC,yBAAyB,CAAC,CAAC;YAEjF,wEAAwE;YACxE,IAAI,eAAe,IAAI,eAAe,KAAK,YAAY,EAAE,CAAC;gBACxD,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;oBACpB,MAAM,IAAI,KAAK,CACb,oBAAoB,yBAAyB,kCAAkC,eAAe,KAAK;wBACnG,oEAAoE,CACrE,CAAC;gBACJ,CAAC;gBACD,yCAAyC;gBACzC,IAAI,CAAC,oBAAoB,CAAC,MAAM,CAAC,yBAAyB,CAAC,CAAC;YAC9D,CAAC;YAED,+BAA+B;YAC/B,IAAI,CAAC,oBAAoB,CAAC,GAAG,CAAC,yBAAyB,EAAE,YAAY,CAAC,CAAC;QACzE,CAAC;QAED,2DAA2D;QAC3D,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACnB,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;YAClD,IAAI,QAAQ,EAAE,eAAe,EAAE,CAAC;gBAC9B,MAAM,UAAU,GAAG,QAAQ,CAAC,eAAe,CAAC,WAAW,EAAE,CAAC;gBAC1D,IAAI,UAAU,KAAK,yBAAyB,EAAE,CAAC;oBAC7C,IAAI,CAAC,oBAAoB,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;gBAC/C,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC;IAC/C,CAAC;IAED;;;;;OAKG;IACH,WAAW,CAAC,EAAU;QACpB,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC,WAAW,EAAE,CAAC,CAAC;IAC9C,CAAC;IAED;;;;;;;;OAQG;IACH,qBAAqB,CAAC,eAAuB;QAC3C,MAAM,iBAAiB,GAAG,eAAe,CAAC,WAAW,EAAE,CAAC;QACxD,MAAM,UAAU,GAAG,IAAI,CAAC,oBAAoB,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;QAEpE,IAAI,UAAU,EAAE,CAAC;YACf,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QACxC,CAAC;QAED,oEAAoE;QACpE,kDAAkD;QAClD,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;IAC/C,CAAC;IAED;;;;;OAKG;IACH,eAAe,CAAC,EAAU;QACxB,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC,WAAW,EAAE,CAAC,CAAC;IAC9C,CAAC;IAED;;;;;OAKG;IACH,eAAe,CAAC,EAAU;QACxB,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;QACtC,OAAO,CAAC,CAAC,QAAQ,IAAI,QAAQ,CAAC,QAAQ,KAAK,QAAQ,CAAC;IACtD,CAAC;IAED;;;;;OAKG;IACH,oBAAoB,CAAC,EAAU;QAC7B,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;QACtC,OAAO,CAAC,CAAC,QAAQ,IAAI,QAAQ,CAAC,QAAQ,KAAK,UAAU,CAAC;IACxD,CAAC;IAED;;;;;;;;;;;;OAYG;IACH,4BAA4B,CAC1B,QAA4B,EAC5B,eAAwB;QAExB,uDAAuD;QACvD,IAAI,QAAQ,IAAI,QAAQ,KAAK,UAAU,CAAC,KAAK,EAAE,CAAC;YAC9C,QAAQ,QAAQ,EAAE,CAAC;gBACjB,KAAK,UAAU,CAAC,WAAW,CAAC;gBAC5B,KAAK,aAAa,CAAC;gBACnB,KAAK,UAAU,CAAC;gBAChB,KAAK,YAAY;oBACf,OAAO,YAAY,CAAC;gBACtB,KAAK,UAAU,CAAC,UAAU,CAAC;gBAC3B,KAAK,YAAY,CAAC;gBAClB,KAAK,YAAY;oBACf,OAAO,YAAY,CAAC;gBACtB,KAAK,UAAU,CAAC,GAAG,CAAC;gBACpB,KAAK,KAAK;oBACR,OAAO,KAAK,CAAC;gBACf,KAAK,UAAU,CAAC,OAAO,CAAC;gBACxB,KAAK,SAAS;oBACZ,OAAO,SAAS,CAAC;gBACnB,KAAK,uBAAuB;oBAC1B,OAAO,uBAAuB,CAAC;gBACjC,KAAK,UAAU,CAAC,GAAG,CAAC;gBACpB,KAAK,KAAK;oBACR,OAAO,uBAAuB,CAAC;gBACjC,KAAK,KAAK;oBACR,OAAO,uBAAuB,CAAC;gBACjC,KAAK,UAAU,CAAC,YAAY,CAAC;gBAC7B,KAAK,cAAc,CAAC;gBACpB,KAAK,MAAM,CAAC;gBACZ,KAAK,EAAE;oBACL,OAAO,MAAM,CAAC;gBAChB;oBACE,OAAO,MAAM,CAAC;YAClB,CAAC;QACH,CAAC;QAED,wDAAwD;QACxD,IAAI,QAAQ,KAAK,UAAU,CAAC,KAAK,IAAI,QAAQ,KAAK,OAAO,IAAI,eAAe,EAAE,CAAC;YAC7E,2DAA2D;YAC3D,IAAI,eAAe,EAAE,CAAC;gBACpB,oDAAoD;gBACpD,IAAI,QAAQ,GAAG,IAAI,CAAC,qBAAqB,CAAC,eAAe,CAAC,CAAC;gBAE3D,8DAA8D;gBAC9D,IAAI,CAAC,QAAQ,EAAE,CAAC;oBACd,QAAQ,GAAG,IAAI,CAAC,WAAW,CAAC,eAAe,CAAC,CAAC;gBAC/C,CAAC;gBAED,IAAI,QAAQ,EAAE,CAAC;oBACb,OAAO,IAAI,CAAC,4BAA4B,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;gBAC9D,CAAC;gBAED,2DAA2D;gBAC3D,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,aAAa,eAAe,8DAA8D,EAC1F,EAAE,eAAe,EAAE,QAAQ,EAAE,QAAQ,EAAE,CACxC,CAAC;YACJ,CAAC;YAED,2EAA2E;YAC3E,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,cAAc;QACd,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;;;;;;;OAQG;IACH,4BAA4B,CAAC,UAAkB;QAC7C,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;QAE9C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,aAAa,UAAU,4CAA4C,EACnE,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,CACjC,CAAC;YACF,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,OAAO,IAAI,CAAC,4BAA4B,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC9D,CAAC;IAED;;;;OAIG;IACK,4BAA4B,CAAC,QAA0B;QAC7D,QAAQ,QAAQ,EAAE,CAAC;YACjB,KAAK,QAAQ;gBACX,OAAO,QAAQ,CAAC;YAClB,KAAK,UAAU;gBACb,OAAO,YAAY,CAAC;YACtB,KAAK,uBAAuB;gBAC1B,OAAO,uBAAuB,CAAC;YACjC,KAAK,YAAY;gBACf,OAAO,YAAY,CAAC;YACtB,KAAK,KAAK;gBACR,OAAO,KAAK,CAAC;YACf,KAAK,SAAS;gBACZ,OAAO,SAAS,CAAC;YACnB,KAAK,MAAM;gBACT,OAAO,MAAM,CAAC;YAChB;gBACE,OAAO,MAAM,CAAC;QAClB,CAAC;IACH,CAAC;IAED;;;;;;;;OAQG;IACH,iCAAiC,CAC/B,QAAiB,EACjB,qBAA8B;QAE9B,OAAO,IAAI,CAAC,4BAA4B,CACtC,QAAoB,EACpB,qBAAqB,CACtB,CAAC;IACJ,CAAC;IAED;;;;OAIG;IACH,aAAa;QACX,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,CAAC,CAAC;IAC7C,CAAC;IAED;;;;;;;;;OASG;IACH,cAAc,CAAC,MAAe;QAC5B,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,MAAM,IAAI,KAAK,CACb,uEAAuE,CACxE,CAAC;QACJ,CAAC;QAED,MAAM,SAAS,GAAG,sBAAsB,CAAC,MAAM,CAAC,CAAC;QACjD,SAAS,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAChC,IAAI,CAAC,gBAAgB,CAAC,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAC9C,CAAC;IACJ,CAAC;IAED;;;;;;;OAOG;IACH,IAAI;QACF,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;IACrB,CAAC;IAED;;;;OAIG;IACH,QAAQ;QACN,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;CACF"}