@lanonasis/oauth-client 1.2.8 → 2.0.3

package/README.md

@@ -1,16 +1,32 @@
 # @lanonasis/oauth-client
 
-Drop-in OAuth + API Key authentication client for the Lanonasis ecosystem. Supports dual authentication modes: OAuth2 PKCE flow for pre-registered clients and direct API key authentication for dashboard users. Handles browser/desktop/terminal flows, token lifecycle, secure storage, and MCP WebSocket/SSE connections.
+**THE single authentication package** for the Lanonasis ecosystem. Consolidates all auth patterns: OAuth2 PKCE, API keys, magic links, React hooks, and Express middleware.
+
+> **v2.0**: Now includes `/react` and `/server` exports! Migrating from `@lanonasis/shared-auth`? See [Migration Guide](#migration-from-lanonasisshared-auth).
 
 ## Features
-- **Dual Authentication**: OAuth2 PKCE flow OR direct API key authentication
-- OAuth flows for terminal and desktop (Electron-friendly) environments
-- API key authentication for new users with dashboard-generated keys
-- Token storage with secure backends (Keytar, encrypted files, Electron secure store, mobile secure storage, WebCrypto in browsers); browser builds auto-use web storage
-- API key storage that normalizes to SHA-256 digests before persisting
-- MCP client that connects over WebSocket (`/ws`) or SSE (`/sse`) with auto-refreshing tokens
-- Automatic auth mode detection based on configuration
-- ESM + CJS bundles with a dedicated browser export to avoid Node-only deps
+
+### Core Authentication
+- **OAuth2 PKCE Flow**: Terminal and desktop (Electron) environments
+- **API Key Authentication**: Dashboard-generated keys for instant access
+- **Magic Link / OTP Flow**: Passwordless email authentication
+- **Token Storage**: Secure backends (Keytar, encrypted files, WebCrypto)
+
+### React Integration (`/react`)
+- **`useSSO()`**: React hook for SSO authentication state
+- **`useSSOSync()`**: Cross-subdomain session synchronization
+- **Cookie utilities**: `parseUserCookie`, `hasSessionCookie`, `clearUserCookie`
+
+### Server Integration (`/server`)
+- **`requireAuth()`**: Express middleware enforcing authentication
+- **`optionalAuth()`**: Attach user if authenticated, allow anonymous
+- **`requireRole(role)`**: Role-based access control middleware
+- **Cookie parsing**: `getSSOUserFromRequest`, `getSessionTokenFromRequest`
+
+### Additional Features
+- MCP client (WebSocket/SSE) with auto-refreshing tokens
+- ESM + CJS bundles with dedicated browser export
+- TypeScript types included
 
 ## Installation
 ```bash
@@ -76,6 +92,82 @@ const flow = new DesktopOAuthFlow({
 const tokens = await flow.authenticate();
 ```
 
+### Magic Link / OTP Flow (Passwordless)
+```ts
+import { MagicLinkFlow } from '@lanonasis/oauth-client';
+
+const flow = new MagicLinkFlow({
+  authBaseUrl: 'https://auth.lanonasis.com'
+});
+
+// Send OTP to user's email
+await flow.sendOTP('user@example.com');
+
+// User enters the code they received
+const tokens = await flow.verifyOTP('user@example.com', '123456');
+```
+
+### React Hooks (`/react`)
+```tsx
+import { useSSO, useSSOSync } from '@lanonasis/oauth-client/react';
+
+function MyComponent() {
+  const { user, isAuthenticated, isLoading, error } = useSSO({
+    authGatewayUrl: 'https://auth.lanonasis.com',
+    projectScope: 'my-app'
+  });
+
+  if (isLoading) return <div>Loading...</div>;
+  if (!isAuthenticated) return <div>Please log in</div>;
+
+  return <div>Hello, {user.email}!</div>;
+}
+
+// For cross-subdomain session sync
+function App() {
+  useSSOSync({ pollInterval: 30000 });
+  return <MyComponent />;
+}
+```
+
+### Server Middleware (`/server`)
+```ts
+import express from 'express';
+import {
+  requireAuth,
+  optionalAuth,
+  requireRole,
+  getSSOUserFromRequest
+} from '@lanonasis/oauth-client/server';
+
+const app = express();
+
+// Require authentication
+app.get('/api/profile', requireAuth(), (req, res) => {
+  res.json({ user: req.user });
+});
+
+// Optional authentication (attach user if present)
+app.get('/api/public', optionalAuth(), (req, res) => {
+  if (req.user) {
+    res.json({ message: `Hello ${req.user.email}` });
+  } else {
+    res.json({ message: 'Hello guest' });
+  }
+});
+
+// Role-based access control
+app.delete('/api/admin/users/:id', requireAuth(), requireRole('admin'), (req, res) => {
+  // Only admins can reach here
+});
+
+// Manual user extraction
+app.get('/api/check', (req, res) => {
+  const user = getSSOUserFromRequest(req);
+  res.json({ authenticated: !!user });
+});
+```
+
 ### Token storage
 ```ts
 import { TokenStorage } from '@lanonasis/oauth-client';
@@ -85,15 +177,20 @@ await storage.store(tokens);
 const restored = await storage.retrieve();
 ```
 
-### API key storage (hashes to SHA-256)
+In Node and Electron environments, secure storage now lazy-loads `keytar` so the ESM bundle can still use the native OS keychain when available. If native keychain access is unavailable, storage falls back to the encrypted local file backend automatically.
+
+### API key storage
 ```ts
 import { ApiKeyStorage } from '@lanonasis/oauth-client';
 
 const apiKeys = new ApiKeyStorage();
 await apiKeys.store({ apiKey: 'lns_abc123', environment: 'production' });
-const hashed = await apiKeys.getApiKey(); // returns sha256 hex digest
+const apiKey = await apiKeys.getApiKey(); // returns the original key for outbound auth headers
 ```
 
+Node/Electron secure storage preserves the original secret value so clients can send it back
+in `X-API-Key` or `Authorization` headers when talking to remote services.
+
 ## Configuration
 
 ### API Key Mode
@@ -116,15 +213,86 @@ const hashed = await apiKeys.getApiKey(); // returns sha256 hex digest
 - The terminal/device code flow remains Node-only; in browser previews use API key or desktop flow.
 
 ## Publishing (maintainers)
-1) Build artifacts: `npm install && npm run build`
-2) Verify contents: ensure `dist`, `README.md`, `LICENSE` are present.
-3) Publish: `npm publish --access public` (registry must have 2FA as configured).
-4) Tag in git (optional): `git tag oauth-client-v1.0.0 && git push --tags`
+1) Install and verify: `npm install && npm test && npm run build`
+2) Audit release deps: `bun audit`
+3) Verify contents: ensure `dist`, `README.md`, and `LICENSE` are present.
+4) Publish: `npm publish --access public` (registry must have 2FA as configured).
+5) Tag in git (optional): `git tag oauth-client-v2.0.3 && git push --tags`
 
 ## Files shipped
 - `dist/*` compiled CJS/ESM bundles + types
 - `README.md`
 - `LICENSE`
 
+## Auth-Gateway Compatibility
+
+This SDK implements client-side equivalents of the auth-gateway's authentication methods:
+
+| Auth-Gateway Endpoint | SDK Class | Use Case |
+|-----------------------|-----------|----------|
+| `POST /oauth/device` | `TerminalOAuthFlow` | CLI/terminal apps |
+| `GET /oauth/authorize` | `DesktopOAuthFlow` | Desktop apps (Electron) |
+| `POST /v1/auth/otp/*` | `MagicLinkFlow` | Mobile/passwordless |
+| `X-API-Key` header | `APIKeyFlow` | Server-to-server |
+| `MCPClient` | Combined | Auto-detects best method |
+
+### Methods NOT Exposed (Security)
+- Email/Password: Server-rendered form only
+- Admin Bypass: Internal emergency access
+- Supabase OAuth 2.1: Internal Supabase integration
+
+See [auth-gateway/AUTHENTICATION-METHODS.md](../../apps/onasis-core/services/auth-gateway/AUTHENTICATION-METHODS.md) for complete server-side documentation.
+
+## Exports
+
+| Export | Description | Use Case |
+|--------|-------------|----------|
+| `@lanonasis/oauth-client` | Main entry - OAuth flows, MCP client, storage | Node.js CLI, servers |
+| `@lanonasis/oauth-client/browser` | Browser-safe bundle (no Node deps) | Web apps, SPAs |
+| `@lanonasis/oauth-client/react` | React hooks + browser cookie utils | React/Next.js apps |
+| `@lanonasis/oauth-client/server` | Express middleware + server cookie utils | Express/Node servers |
+
+## Migration from @lanonasis/shared-auth
+
+`@lanonasis/shared-auth` is now **deprecated**. All functionality has been consolidated into `@lanonasis/oauth-client`.
+
+### Import Changes
+
+```typescript
+// ❌ BEFORE (deprecated)
+import { useSSO, useSSOSync } from '@lanonasis/shared-auth';
+import { getSSOUserFromRequest } from '@lanonasis/shared-auth/server';
+
+// ✅ AFTER (recommended)
+import { useSSO, useSSOSync } from '@lanonasis/oauth-client/react';
+import { getSSOUserFromRequest, requireAuth } from '@lanonasis/oauth-client/server';
+```
+
+### Package.json Changes
+
+```json
+{
+  "dependencies": {
+    // ❌ Remove
+    "@lanonasis/shared-auth": "^1.x.x",
+
+    // ✅ Add/Update
+    "@lanonasis/oauth-client": "^2.0.0"
+  }
+}
+```
+
+### New Middleware (Bonus!)
+
+The migration gives you access to new middleware that wasn't in shared-auth:
+
+```ts
+import { requireAuth, optionalAuth, requireRole } from '@lanonasis/oauth-client/server';
+
+// These are new! Replace manual auth checks
+app.get('/api/protected', requireAuth(), handler);
+app.delete('/api/admin/*', requireAuth(), requireRole('admin'), handler);
+```
+
 ## License
 MIT © Lan Onasis

package/dist/{api-key-storage-web-J3W8nQi2.d.cts → api-key-storage-web-DUyiN9mC.d.cts}

@@ -106,7 +106,8 @@ declare class TokenStorage implements TokenStorageAdapter {
     private readonly storageKey;
     private readonly webEncryptionKeyStorage;
     private keytar;
-    constructor();
+    private keytarLoadAttempted;
+    private getKeytar;
     store(tokens: TokenResponse): Promise<void>;
     retrieve(): Promise<TokenResponse | null>;
     clear(): Promise<void>;
@@ -182,8 +183,9 @@ declare class ApiKeyStorage {
     private readonly legacyConfigKey;
     private readonly webEncryptionKeyStorage;
     private keytar;
+    private keytarLoadAttempted;
     private migrationCompleted;
-    constructor();
+    private getKeytar;
     /**
      * Initialize and migrate from legacy storage if needed
      */
@@ -235,8 +237,12 @@ declare class ApiKeyStorage {
     private base64Encode;
     private base64Decode;
     /**
-     * Normalize API keys to a SHA-256 hex digest.
-     * Accepts pre-hashed input and lowercases it to prevent double hashing.
+     * Normalize stored credentials without transforming their value.
+     *
+     * These secrets are stored in encrypted local storage/keychains and must remain
+     * usable for outbound authentication headers (for example X-API-Key or Bearer).
+     * Hashing here would make the original credential unrecoverable and break
+     * clients that need to send the raw key/token back to a remote service.
      */
     private normalizeApiKey;
 }
@@ -257,4 +263,4 @@ declare class ApiKeyStorageWeb {
     private base64Decode;
 }
 
-export { AuthGatewayClient as A, BaseOAuthFlow as B, DesktopOAuthFlow as D, type GrantType as G, type OAuthConfig as O, type PKCEChallenge as P, type TokenStorageAdapter as T, TokenStorageWeb as a, ApiKeyStorageWeb as b, type TokenResponse as c, type DeviceCodeResponse as d, type AuthError as e, type AuthTokenType as f, type AuthValidationResult as g, type AuthGatewayClientConfig as h, type TokenExchangeOptions as i, type TokenExchangeResponse as j, TokenStorage as k, type ApiKeyData as l, ApiKeyStorage as m };
+export { ApiKeyStorageWeb as A, BaseOAuthFlow as B, DesktopOAuthFlow as D, type GrantType as G, type OAuthConfig as O, type PKCEChallenge as P, type TokenStorageAdapter as T, type AuthError as a, AuthGatewayClient as b, type AuthGatewayClientConfig as c, type AuthTokenType as d, type AuthValidationResult as e, type DeviceCodeResponse as f, type TokenExchangeOptions as g, type TokenExchangeResponse as h, type TokenResponse as i, TokenStorageWeb as j, type ApiKeyData as k, ApiKeyStorage as l, TokenStorage as m };

package/dist/{api-key-storage-web-J3W8nQi2.d.ts → api-key-storage-web-DUyiN9mC.d.ts}

@@ -106,7 +106,8 @@ declare class TokenStorage implements TokenStorageAdapter {
     private readonly storageKey;
     private readonly webEncryptionKeyStorage;
     private keytar;
-    constructor();
+    private keytarLoadAttempted;
+    private getKeytar;
     store(tokens: TokenResponse): Promise<void>;
     retrieve(): Promise<TokenResponse | null>;
     clear(): Promise<void>;
@@ -182,8 +183,9 @@ declare class ApiKeyStorage {
     private readonly legacyConfigKey;
     private readonly webEncryptionKeyStorage;
     private keytar;
+    private keytarLoadAttempted;
     private migrationCompleted;
-    constructor();
+    private getKeytar;
     /**
      * Initialize and migrate from legacy storage if needed
      */
@@ -235,8 +237,12 @@ declare class ApiKeyStorage {
     private base64Encode;
     private base64Decode;
     /**
-     * Normalize API keys to a SHA-256 hex digest.
-     * Accepts pre-hashed input and lowercases it to prevent double hashing.
+     * Normalize stored credentials without transforming their value.
+     *
+     * These secrets are stored in encrypted local storage/keychains and must remain
+     * usable for outbound authentication headers (for example X-API-Key or Bearer).
+     * Hashing here would make the original credential unrecoverable and break
+     * clients that need to send the raw key/token back to a remote service.
      */
     private normalizeApiKey;
 }
@@ -257,4 +263,4 @@ declare class ApiKeyStorageWeb {
     private base64Decode;
 }
 
-export { AuthGatewayClient as A, BaseOAuthFlow as B, DesktopOAuthFlow as D, type GrantType as G, type OAuthConfig as O, type PKCEChallenge as P, type TokenStorageAdapter as T, TokenStorageWeb as a, ApiKeyStorageWeb as b, type TokenResponse as c, type DeviceCodeResponse as d, type AuthError as e, type AuthTokenType as f, type AuthValidationResult as g, type AuthGatewayClientConfig as h, type TokenExchangeOptions as i, type TokenExchangeResponse as j, TokenStorage as k, type ApiKeyData as l, ApiKeyStorage as m };
+export { ApiKeyStorageWeb as A, BaseOAuthFlow as B, DesktopOAuthFlow as D, type GrantType as G, type OAuthConfig as O, type PKCEChallenge as P, type TokenStorageAdapter as T, type AuthError as a, AuthGatewayClient as b, type AuthGatewayClientConfig as c, type AuthTokenType as d, type AuthValidationResult as e, type DeviceCodeResponse as f, type TokenExchangeOptions as g, type TokenExchangeResponse as h, type TokenResponse as i, TokenStorageWeb as j, type ApiKeyData as k, ApiKeyStorage as l, TokenStorage as m };

package/dist/browser.d.cts

@@ -1,5 +1,5 @@
-import { O as OAuthConfig, T as TokenStorageAdapter } from './api-key-storage-web-J3W8nQi2.cjs';
-export { b as ApiKeyStorageWeb, e as AuthError, A as AuthGatewayClient, h as AuthGatewayClientConfig, f as AuthTokenType, g as AuthValidationResult, B as BaseOAuthFlow, D as DesktopOAuthFlow, d as DeviceCodeResponse, G as GrantType, P as PKCEChallenge, i as TokenExchangeOptions, j as TokenExchangeResponse, c as TokenResponse, a as TokenStorageWeb } from './api-key-storage-web-J3W8nQi2.cjs';
+import { O as OAuthConfig, T as TokenStorageAdapter } from './api-key-storage-web-DUyiN9mC.cjs';
+export { A as ApiKeyStorageWeb, a as AuthError, b as AuthGatewayClient, c as AuthGatewayClientConfig, d as AuthTokenType, e as AuthValidationResult, B as BaseOAuthFlow, D as DesktopOAuthFlow, f as DeviceCodeResponse, G as GrantType, P as PKCEChallenge, g as TokenExchangeOptions, h as TokenExchangeResponse, i as TokenResponse, j as TokenStorageWeb } from './api-key-storage-web-DUyiN9mC.cjs';
 
 interface MCPClientConfig extends Partial<OAuthConfig> {
     mcpEndpoint?: string;

package/dist/browser.d.ts

@@ -1,5 +1,5 @@
-import { O as OAuthConfig, T as TokenStorageAdapter } from './api-key-storage-web-J3W8nQi2.js';
-export { b as ApiKeyStorageWeb, e as AuthError, A as AuthGatewayClient, h as AuthGatewayClientConfig, f as AuthTokenType, g as AuthValidationResult, B as BaseOAuthFlow, D as DesktopOAuthFlow, d as DeviceCodeResponse, G as GrantType, P as PKCEChallenge, i as TokenExchangeOptions, j as TokenExchangeResponse, c as TokenResponse, a as TokenStorageWeb } from './api-key-storage-web-J3W8nQi2.js';
+import { O as OAuthConfig, T as TokenStorageAdapter } from './api-key-storage-web-DUyiN9mC.js';
+export { A as ApiKeyStorageWeb, a as AuthError, b as AuthGatewayClient, c as AuthGatewayClientConfig, d as AuthTokenType, e as AuthValidationResult, B as BaseOAuthFlow, D as DesktopOAuthFlow, f as DeviceCodeResponse, G as GrantType, P as PKCEChallenge, g as TokenExchangeOptions, h as TokenExchangeResponse, i as TokenResponse, j as TokenStorageWeb } from './api-key-storage-web-DUyiN9mC.js';
 
 interface MCPClientConfig extends Partial<OAuthConfig> {
     mcpEndpoint?: string;

package/dist/constants-BZPTHasL.d.cts

@@ -0,0 +1,110 @@
+/**
+ * React-specific types for SSO authentication
+ * @module @lanonasis/oauth-client/react
+ */
+/**
+ * SSO User information from the lanonasis_user cookie
+ */
+interface SSOUser {
+    id: string;
+    email: string;
+    role: string;
+    name?: string;
+    avatar_url?: string;
+}
+/**
+ * SSO authentication state
+ */
+interface SSOState {
+    /** Whether the user is authenticated */
+    isAuthenticated: boolean;
+    /** Whether the auth state is being determined */
+    isLoading: boolean;
+    /** User information if authenticated */
+    user: SSOUser | null;
+    /** Error message if auth check failed */
+    error: string | null;
+}
+/**
+ * Configuration for the SSO hook
+ */
+interface SSOConfig {
+    /** Auth gateway URL (default: https://auth.lanonasis.com) */
+    authGatewayUrl?: string;
+    /** Cookie domain (default: .lanonasis.com) */
+    cookieDomain?: string;
+    /** Callback when auth state changes */
+    onAuthChange?: (state: SSOState) => void;
+    /** Polling interval in ms for cookie changes (default: 30000) */
+    pollInterval?: number;
+}
+/**
+ * Configuration for Supabase-to-cookie sync
+ */
+interface SSOSyncConfig {
+    /** Auth gateway URL (default: https://auth.lanonasis.com) */
+    authGatewayUrl?: string;
+    /** Project scope for multi-tenant auth */
+    projectScope?: string;
+    /** Callback when sync completes */
+    onSyncComplete?: (success: boolean) => void;
+}
+/**
+ * Supabase session interface (minimal for what we need)
+ */
+interface SupabaseSession {
+    access_token: string;
+    refresh_token?: string;
+}
+/**
+ * Return type for useSSO hook
+ */
+interface UseSSOReturn extends SSOState {
+    /** Manually refresh auth state */
+    refresh: () => void;
+    /** Logout and redirect to auth gateway */
+    logout: (returnTo?: string) => void;
+    /** Get login URL with optional return URL */
+    getLoginUrl: (returnTo?: string) => string;
+}
+/**
+ * Return type for useSSOSync hook
+ */
+interface UseSSOSyncReturn {
+    /** Manually trigger sync */
+    sync: () => Promise<boolean>;
+    /** Sync with gateway directly */
+    syncWithGateway: (session: SupabaseSession) => Promise<boolean>;
+}
+
+/**
+ * Cookie constants and utilities shared between browser and server
+ * @module @lanonasis/oauth-client/cookies
+ */
+/**
+ * Cookie names used by Lan Onasis auth system
+ */
+declare const COOKIE_NAMES: {
+    /** HttpOnly JWT session token */
+    readonly SESSION: "lanonasis_session";
+    /** Readable user metadata (JSON) */
+    readonly USER: "lanonasis_user";
+};
+/**
+ * Default cookie domain for cross-subdomain SSO
+ */
+declare const DEFAULT_COOKIE_DOMAIN = ".lanonasis.com";
+/**
+ * Default auth gateway URL
+ */
+declare const DEFAULT_AUTH_GATEWAY = "https://auth.lanonasis.com";
+/**
+ * Default polling interval for cookie changes (30 seconds)
+ */
+declare const DEFAULT_POLL_INTERVAL = 30000;
+/**
+ * Default project scope for multi-tenant auth
+ */
+declare const DEFAULT_PROJECT_SCOPE = "lanonasis-maas";
+
+export { COOKIE_NAMES as C, DEFAULT_AUTH_GATEWAY as D, type SSOConfig as S, type UseSSOReturn as U, type SupabaseSession as a, type SSOSyncConfig as b, type UseSSOSyncReturn as c, type SSOUser as d, DEFAULT_COOKIE_DOMAIN as e, DEFAULT_POLL_INTERVAL as f, DEFAULT_PROJECT_SCOPE as g, type SSOState as h };

package/dist/constants-BZPTHasL.d.ts

@@ -0,0 +1,110 @@
+/**
+ * React-specific types for SSO authentication
+ * @module @lanonasis/oauth-client/react
+ */
+/**
+ * SSO User information from the lanonasis_user cookie
+ */
+interface SSOUser {
+    id: string;
+    email: string;
+    role: string;
+    name?: string;
+    avatar_url?: string;
+}
+/**
+ * SSO authentication state
+ */
+interface SSOState {
+    /** Whether the user is authenticated */
+    isAuthenticated: boolean;
+    /** Whether the auth state is being determined */
+    isLoading: boolean;
+    /** User information if authenticated */
+    user: SSOUser | null;
+    /** Error message if auth check failed */
+    error: string | null;
+}
+/**
+ * Configuration for the SSO hook
+ */
+interface SSOConfig {
+    /** Auth gateway URL (default: https://auth.lanonasis.com) */
+    authGatewayUrl?: string;
+    /** Cookie domain (default: .lanonasis.com) */
+    cookieDomain?: string;
+    /** Callback when auth state changes */
+    onAuthChange?: (state: SSOState) => void;
+    /** Polling interval in ms for cookie changes (default: 30000) */
+    pollInterval?: number;
+}
+/**
+ * Configuration for Supabase-to-cookie sync
+ */
+interface SSOSyncConfig {
+    /** Auth gateway URL (default: https://auth.lanonasis.com) */
+    authGatewayUrl?: string;
+    /** Project scope for multi-tenant auth */
+    projectScope?: string;
+    /** Callback when sync completes */
+    onSyncComplete?: (success: boolean) => void;
+}
+/**
+ * Supabase session interface (minimal for what we need)
+ */
+interface SupabaseSession {
+    access_token: string;
+    refresh_token?: string;
+}
+/**
+ * Return type for useSSO hook
+ */
+interface UseSSOReturn extends SSOState {
+    /** Manually refresh auth state */
+    refresh: () => void;
+    /** Logout and redirect to auth gateway */
+    logout: (returnTo?: string) => void;
+    /** Get login URL with optional return URL */
+    getLoginUrl: (returnTo?: string) => string;
+}
+/**
+ * Return type for useSSOSync hook
+ */
+interface UseSSOSyncReturn {
+    /** Manually trigger sync */
+    sync: () => Promise<boolean>;
+    /** Sync with gateway directly */
+    syncWithGateway: (session: SupabaseSession) => Promise<boolean>;
+}
+
+/**
+ * Cookie constants and utilities shared between browser and server
+ * @module @lanonasis/oauth-client/cookies
+ */
+/**
+ * Cookie names used by Lan Onasis auth system
+ */
+declare const COOKIE_NAMES: {
+    /** HttpOnly JWT session token */
+    readonly SESSION: "lanonasis_session";
+    /** Readable user metadata (JSON) */
+    readonly USER: "lanonasis_user";
+};
+/**
+ * Default cookie domain for cross-subdomain SSO
+ */
+declare const DEFAULT_COOKIE_DOMAIN = ".lanonasis.com";
+/**
+ * Default auth gateway URL
+ */
+declare const DEFAULT_AUTH_GATEWAY = "https://auth.lanonasis.com";
+/**
+ * Default polling interval for cookie changes (30 seconds)
+ */
+declare const DEFAULT_POLL_INTERVAL = 30000;
+/**
+ * Default project scope for multi-tenant auth
+ */
+declare const DEFAULT_PROJECT_SCOPE = "lanonasis-maas";
+
+export { COOKIE_NAMES as C, DEFAULT_AUTH_GATEWAY as D, type SSOConfig as S, type UseSSOReturn as U, type SupabaseSession as a, type SSOSyncConfig as b, type UseSSOSyncReturn as c, type SSOUser as d, DEFAULT_COOKIE_DOMAIN as e, DEFAULT_POLL_INTERVAL as f, DEFAULT_PROJECT_SCOPE as g, type SSOState as h };