@m1a0rz/agent-identity 0.5.1 → 0.5.2-cs

package/dist/src/services/identity-client.js

@@ -16,6 +16,8 @@
 import { loadIdentityCredentials } from "./identity-credentials.js";
 import { canonicalQueryString, signRequest } from "../utils/sts-signer.js";
 import { resolveIdentityApiEndpoint, signingRegionFromIdentityEndpoint, } from "../utils/resolve-identity-endpoint.js";
+import { randomUUID } from "node:crypto";
+import { getfreshTrustAnchorToken } from "../utils/trust-anchor.js";
 export { loadIdentityCredentials } from "./identity-credentials.js";
 function isWorkloadNotFoundError(err) {
     const msg = err instanceof Error ? err.message : String(err);
@@ -152,7 +154,42 @@ export class IdentityClient {
             }
             return {
                 workloadAccessToken: result.WorkloadAccessToken,
-                expiresAt: result.ExpiresAt ?? new Date(Date.now() + 3600 * 1000).toISOString(),
+                expiresAt: Number.isFinite(Date.parse(result.ExpiresAt ?? "")) ? Date.parse(result.ExpiresAt) : (Date.now() + 3600 * 1000),
+            };
+        };
+        try {
+            return await doFetch();
+        }
+        catch (err) {
+            // When workload (agent) does not exist (404), create it and retry. Only when Name was passed.
+            if (params.name && isWorkloadNotFoundError(err)) {
+                await this.createWorkloadIdentity({
+                    workloadPoolName: params.workloadPoolName ?? "default",
+                    name: params.name,
+                    category: "Agent",
+                });
+                return doFetch();
+            }
+            throw err;
+        }
+    }
+    async getWorkloadAccessToken(params) {
+        const doFetch = async () => {
+            const body = {
+                WorkloadPoolName: params.workloadPoolName ?? "default",
+                DurationSeconds: params.durationSeconds ?? 3600,
+            };
+            if (params.name)
+                body.Name = params.name;
+            if (params.audience?.length)
+                body.Audience = params.audience;
+            const result = (await this.signedPost("GetWorkloadAccessToken", body, "2025-10-30"));
+            if (!result?.WorkloadAccessToken) {
+                throw new Error("Identity API: missing WorkloadAccessToken in response");
+            }
+            return {
+                workloadAccessToken: result.WorkloadAccessToken,
+                expiresAt: Number.isFinite(Date.parse(result.ExpiresAt ?? "")) ? Date.parse(result.ExpiresAt) : (Date.now() + 3600 * 1000),
             };
         };
         try {
@@ -573,110 +610,700 @@ export class IdentityClient {
         return toUserPoolClientResult(r);
     }
 }
-/**
- * Resolve OIDC config from UserPool and Client names (from_veidentity style).
- * If pool/client not found and autoCreate=true, creates them.
- * Also fetches the first identity provider from ListIdentityProviders and caches poolUid —
- * callers should cache the result to avoid repeated API calls.
- */
-export async function resolveOIDCConfig(client, params) {
-    const { userPoolName, userPoolUid, clientName, clientUid, redirectUri, scope = "openid profile email offline_access", autoCreate = true, clientType = "WEB_APPLICATION", } = params;
-    if (!userPoolName && !userPoolUid) {
-        throw new Error("Either userPoolName or userPoolUid must be provided");
-    }
-    if (!clientName && !clientUid) {
-        throw new Error("Either clientName or clientUid must be provided");
+export class IdentityDataPlaneClient {
+    config;
+    lazyResolvedEndpoint = null;
+    cachedWorkloadToken;
+    constructor(config) {
+        this.config = config;
     }
-    let poolUid;
-    let poolDomain;
-    if (userPoolUid) {
-        const pool = await client.getUserPool({ userPoolUid });
-        poolUid = pool.uid;
-        poolDomain = pool.domain;
+    getJwtExpMs(token) {
+        try {
+            const parts = token.split(".");
+            if (parts.length < 2)
+                return null;
+            const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
+            const payloadStr = Buffer.from(b64, "base64").toString("utf8");
+            const payload = JSON.parse(payloadStr);
+            if (typeof payload.exp === "number")
+                return payload.exp * 1000;
+            return null;
+        }
+        catch {
+            return null;
+        }
     }
-    else {
-        const list = await client.listUserPools({
-            pageSize: 50,
-            filter: { name: userPoolName },
+    async getRefreshWorkloadToken() {
+        try {
+            if (this.cachedWorkloadToken?.token && this.cachedWorkloadToken?.expiresAt) {
+                const remainingMs = this.cachedWorkloadToken.expiresAt - Date.now();
+                if (remainingMs > 10 * 60 * 1000) {
+                    return {
+                        workloadAccessToken: this.cachedWorkloadToken.token,
+                        expiresAt: this.cachedWorkloadToken.expiresAt,
+                    };
+                }
+            }
+        }
+        catch {
+            // ignore cache parse errors and fall through to refresh
+        }
+        const res = await this.getWorkloadAccessToken({
+            trustAnchorName: this.config.trustAnchorName,
+            name: this.config.workloadName,
+            durationSeconds: 3600,
+            audience: this.config.audience,
         });
-        const found = list.data.find((p) => p.name === userPoolName);
-        if (found) {
-            poolUid = found.uid;
-            poolDomain = found.domain;
+        this.cachedWorkloadToken = {
+            token: res.workloadAccessToken,
+            expiresAt: res.expiresAt,
+        };
+        return res;
+    }
+    getResolvedEndpoint() {
+        if (!this.lazyResolvedEndpoint) {
+            this.lazyResolvedEndpoint = resolveIdentityApiEndpoint({
+                endpoint: this.config.endpoint,
+                regionMetadataUrl: this.config.regionMetadataUrl,
+            });
+        }
+        return this.lazyResolvedEndpoint;
+    }
+    async resolveSigningRegion(baseUrl) {
+        const explicit = this.config.region?.trim();
+        if (explicit)
+            return explicit;
+        return signingRegionFromIdentityEndpoint(baseUrl) ?? "cn-beijing";
+    }
+    async resolveCredentials() {
+        if (this.config.credentialsGetter) {
+            return this.config.credentialsGetter();
         }
-        else if (autoCreate && userPoolName) {
-            const created = await client.createUserPool({ name: userPoolName });
-            poolUid = created.uid;
-            poolDomain = created.domain;
+        return {
+            workloadToken: await this.getRefreshWorkloadToken().then((r) => r.workloadAccessToken),
+            accessKeyId: this.config.accessKeyId ?? "",
+            secretAccessKey: this.config.secretAccessKey ?? "",
+            sessionToken: this.config.sessionToken ?? "",
+        };
+    }
+    async getWorkloadAccessTokenForJWT(params) {
+        const doFetch = async () => {
+            const body = {
+                UserToken: params.userToken,
+                WorkloadPoolName: params.workloadPoolName ?? "default",
+                DurationSeconds: params.durationSeconds ?? 3600,
+                TrustAnchorName: params.trustAnchorName ?? "",
+            };
+            body.Credentials = (this.config.storeDir ? getfreshTrustAnchorToken(this.config.storeDir) : undefined) ?? "";
+            if (params.name)
+                body.Name = params.name;
+            if (params.audience?.length)
+                body.Audience = params.audience;
+            const result = (await this.workloadPoolSignedPost("getworkloadaccesstokenforjwt", body, "2025-10-30", this.config.workloadEndpoint));
+            if (!result?.WorkloadAccessToken) {
+                throw new Error("Identity API: missing WorkloadAccessToken in response");
+            }
+            return {
+                workloadAccessToken: result.WorkloadAccessToken,
+                expiresAt: (() => {
+                    const fromJwt = this.getJwtExpMs(result.WorkloadAccessToken);
+                    if (fromJwt != null)
+                        return fromJwt;
+                    const parsed = Date.parse(result.ExpiresAt ?? "");
+                    return Number.isFinite(parsed) ? parsed : (Date.now() + 3600 * 1000);
+                })(),
+            };
+        };
+        try {
+            return await doFetch();
         }
-        else {
-            throw new Error(`User pool '${userPoolName}' not found (autoCreate=false or only UID provided)`);
+        catch (err) {
+            // When workload (agent) does not exist (404), create it and retry. Only when Name was passed.
+            if (params.name && isWorkloadNotFoundError(err)) {
+                await this.createWorkloadIdentity({
+                    workloadPoolName: params.workloadPoolName ?? "default",
+                    name: params.name,
+                    category: "Agent",
+                });
+                return doFetch();
+            }
+            throw err;
         }
     }
-    let clientId;
-    let clientSecret;
-    if (clientUid) {
-        const c = await client.getUserPoolClient({
-            userPoolUid: poolUid,
-            clientUid,
-        });
-        clientId = c.uid;
-        clientSecret = c.clientSecret;
+    async getWorkloadAccessToken(params) {
+        const doFetch = async () => {
+            const body = {
+                WorkloadPoolName: params.workloadPoolName ?? "default",
+                TrustAnchorName: params.trustAnchorName ?? "",
+                DurationSeconds: params.durationSeconds ?? 3600,
+            };
+            body.Credentials = (this.config.storeDir ? getfreshTrustAnchorToken(this.config.storeDir) : undefined) ?? "";
+            if (params.audience?.length)
+                body.Audience = params.audience;
+            if (params.name)
+                body.Name = params.name;
+            const result = (await this.workloadPoolSignedPost("getworkloadaccesstoken", body, "2025-10-30", this.config.workloadEndpoint));
+            if (!result?.WorkloadAccessToken) {
+                throw new Error("Identity API: missing WorkloadAccessToken in response");
+            }
+            return {
+                workloadAccessToken: result.WorkloadAccessToken,
+                expiresAt: (() => {
+                    const fromJwt = this.getJwtExpMs(result.WorkloadAccessToken);
+                    if (fromJwt != null)
+                        return fromJwt;
+                    const parsed = Date.parse(result.ExpiresAt ?? "");
+                    return Number.isFinite(parsed) ? parsed : (Date.now() + 3600 * 1000);
+                })(),
+            };
+        };
+        try {
+            return await doFetch();
+        }
+        catch (err) {
+            // When workload (agent) does not exist (404), create it and retry. Only when Name was passed.
+            if (params.name && isWorkloadNotFoundError(err)) {
+                await this.createWorkloadIdentity({
+                    workloadPoolName: params.workloadPoolName ?? "default",
+                    name: params.name,
+                    category: "Agent",
+                });
+                return doFetch();
+            }
+            throw err;
+        }
     }
-    else {
-        const list = await client.listUserPoolClients({
-            userPoolUid: poolUid,
-            pageSize: 50,
-            filter: { name: clientName },
+    async createWorkloadIdentity(params) {
+        const body = {
+            WorkloadPoolName: params.workloadPoolName,
+            Name: params.name,
+        };
+        if (params.category)
+            body.Category = params.category;
+        if (params.description)
+            body.Description = params.description;
+        try {
+            await this.signedPost("CreateWorkloadIdentity", body, "2025-10-30");
+        }
+        catch (err) {
+            // Duplicated (409): workload already exists, e.g. race with another process. Retry will succeed.
+            const msg = err instanceof Error ? err.message : String(err);
+            if (/409|Duplicated/i.test(msg))
+                return;
+            throw err;
+        }
+    }
+    /**
+     * Signed POST using sts-signer (same encoding as volcengine-nodejs-sdk).
+     * Service: id (Identity API), method: POST.
+     */
+    async signedPost(action, body, versionOverride) {
+        const baseUrl = await this.getResolvedEndpoint() + "/" + action;
+        ;
+        const creds = await this.resolveCredentials();
+        const { accessKeyId, secretAccessKey, sessionToken, workloadToken } = creds;
+        const version = versionOverride ?? this.config.version ?? "2025-10-30";
+        const url = new URL(baseUrl);
+        const query = { Action: action, Version: version };
+        const bodyStr = JSON.stringify(body);
+        const qs = canonicalQueryString(query);
+        url.search = qs ? `?${qs}` : "";
+        const headers = {
+            "Content-Type": "application/json; charset=UTF-8",
+            "X-Asi-Token": workloadToken ?? "",
+        };
+        const res = await fetch(url.toString(), {
+            method: "POST",
+            headers,
+            body: bodyStr,
         });
-        const found = list.data.find((c) => c.name === clientName);
-        if (found) {
-            const full = await client.getUserPoolClient({
-                userPoolUid: poolUid,
-                clientUid: found.uid,
-            });
-            clientId = full.uid;
-            clientSecret = full.clientSecret;
+        if (!res.ok) {
+            const text = await res.text();
+            throw new Error(`Identity API error ${res.status}: ${text}`);
         }
-        else if (autoCreate && clientName) {
-            const created = await client.createUserPoolClient({
-                userPoolUid: poolUid,
-                name: clientName,
-                clientType,
-                allowedCallbackUrls: [redirectUri],
-            });
-            clientId = created.uid;
-            clientSecret = created.clientSecret;
+        const json = (await res.json());
+        if (json.Error) {
+            throw new Error(`Identity API error: ${json.Error.Code ?? "Unknown"} - ${json.Error.Message ?? ""}`);
         }
-        else {
-            throw new Error(`Client '${clientName}' not found (autoCreate=false or only UID provided)`);
-        }
-    }
-    const discoveryBase = poolDomain.startsWith("http") ? poolDomain : `https://${poolDomain}`;
-    const discoveryUrl = discoveryBase.endsWith("/")
-        ? `${discoveryBase}.well-known/openid-configuration`
-        : `${discoveryBase}/.well-known/openid-configuration`;
-    // Fetch first identity provider at resolve time so callers don't need a
-    // separate ListIdentityProviders call. Failure is non-fatal.
-    let identityProvider;
-    try {
-        const providers = await client.listIdentityProviders({
-            userPoolUid: poolUid,
-            pageNumber: 1,
-            pageSize: 1,
+        return json.Result ?? {};
+    }
+    async workloadPoolSignedPost(action, body, versionOverride, endpoint) {
+        const baseUrl = endpoint + "/" + action;
+        const version = versionOverride ?? this.config.version ?? "2025-10-30";
+        const url = new URL(baseUrl);
+        const query = { Action: action, Version: version };
+        const bodyStr = JSON.stringify(body);
+        const qs = canonicalQueryString(query);
+        url.search = qs ? `?${qs}` : "";
+        const headers = {
+            "Content-Type": "application/json; charset=UTF-8",
+            "X-Asi-Request-Id": randomUUID(),
+        };
+        const res = await fetch(url.toString(), {
+            method: "POST",
+            headers,
+            body: bodyStr,
         });
-        identityProvider = providers.data[0]?.name;
+        if (!res.ok) {
+            const text = await res.text();
+            throw new Error(`Identity API error ${res.status}: ${text}`);
+        }
+        const json = (await res.json());
+        if (json.Error) {
+            throw new Error(`Identity API error: ${json.Error.Code ?? "Unknown"} - ${json.Error.Message ?? ""}`);
+        }
+        return json.Result ?? {};
+    }
+    async getResourceOauth2Token(params) {
+        const body = {
+            ProviderName: params.providerName,
+            IdentityToken: params.identityToken,
+        };
+        if (params.flow)
+            body.Flow = params.flow;
+        if (params.scopes?.length)
+            body.Scopes = params.scopes;
+        if (params.redirectUrl)
+            body.RedirectUrl = params.redirectUrl;
+        if (params.forceAuthentication !== undefined)
+            body.ForceAuthentication = params.forceAuthentication ? 1 : 0;
+        if (params.poolName) {
+            body.PoolName = params.poolName;
+        }
+        const result = (await this.signedPost("getResourceOauth2Token", body));
+        return {
+            accessToken: result.AccessToken,
+            authorizationUrl: result.AuthorizationUrl,
+        };
     }
-    catch {
-        // best-effort; identityProvider stays undefined
+    async oauth2Callback(params) {
+        const body = {
+            Code: params.code,
+            State: params.state,
+            IdentityToken: params.identityToken,
+        };
+        if (params.error)
+            body.Error = params.error;
+        const result = (await this.signedPost("Oauth2Callback", body));
+        if (!result.AccessToken) {
+            throw new Error("Identity Oauth2Callback: missing AccessToken");
+        }
+        return { accessToken: result.AccessToken };
+    }
+    async getResourceApiKey(params) {
+        const body = {
+            ProviderName: params.providerName,
+            IdentityToken: params.identityToken,
+        };
+        if (params.poolName)
+            body.PoolName = params.poolName;
+        const result = (await this.signedPost("getresourceapikey", body));
+        if (!result.ApiKey) {
+            throw new Error("Identity GetResourceApiKey: missing ApiKey");
+        }
+        return {
+            apiKey: result.ApiKey,
+            metadata: result.Metadata,
+        };
+    }
+    async getUserCredential(params) {
+        const body = {
+            CredentialId: params.credentialId,
+            IdentityToken: params.identityToken,
+        };
+        if (params.poolName)
+            body.PoolName = params.poolName;
+        const result = (await this.signedPost("GetUserCredential", body));
+        if (!result.CredentialId) {
+            throw new Error("Identity GetUserCredential: missing CredentialId");
+        }
+        if (!result.CredentialData) {
+            throw new Error("Identity GetUserCredential: missing CredentialId");
+        }
+        return {
+            credentialId: result.CredentialId,
+            credentialData: result.CredentialData,
+        };
+    }
+    async checkPermission(params) {
+        const body = {
+            NamespaceName: params.namespaceName,
+            Principal: params.principal,
+            Operation: params.action,
+            Resource: params.resource,
+            ...(params.originalCallers?.length ? { OriginalCallers: params.originalCallers } : {}),
+        };
+        const result = (await this.signedPost("checkpermission", body));
+        return {
+            allowed: result.Allowed ?? false,
+            message: result.Message,
+        };
+    }
+    async listCredentialProviders(params) {
+        const body = {
+            PageNumber: params.PageNumber ?? 1,
+            PageSize: params.PageSize ?? 20,
+        };
+        const mergedFilter = params.Filter ? { ...params.Filter } : {};
+        if (params.PoolName) {
+            body.PoolName = params.PoolName;
+            mergedFilter.PoolName = params.PoolName;
+        }
+        if (Object.keys(mergedFilter).length > 0) {
+            body.Filter = mergedFilter;
+        }
+        const r = (await this.signedPost("listcredentialproviders", body));
+        const providers = r.CredentialProviders ?? r.Data ?? [];
+        return {
+            CredentialProviders: providers,
+            Data: providers,
+            TotalCount: r.TotalCount ?? providers.length,
+            PageNumber: r.PageNumber ?? 1,
+            PageSize: r.PageSize ?? 20,
+        };
+    }
+    async listRoleCredentialProviders(params) {
+        const body = {
+            PageNumber: params.PageNumber ?? 1,
+            PageSize: params.PageSize ?? 20,
+        };
+        const mergedFilter = params.Filter ? { ...params.Filter } : {};
+        if (params.PoolName) {
+            body.PoolName = params.PoolName;
+            mergedFilter.PoolName = params.PoolName;
+        }
+        if (Object.keys(mergedFilter).length > 0) {
+            body.Filter = mergedFilter;
+        }
+        const raw = (await this.signedPost("ListRoleCredentialProviders", body));
+        const r = raw.Result ?? raw;
+        let providers = r.RoleCredentialProviders ?? [];
+        // Client-side filter by user pool when specified
+        if (params.UserPoolId || params.UserPoolName) {
+            providers = providers.filter((p) => {
+                const pool = p.Config?.IdentityPool;
+                if (!pool)
+                    return false;
+                if (params.UserPoolId && pool.UserPool?.PoolId === params.UserPoolId)
+                    return true;
+                if (params.UserPoolName && pool.UserPool?.PoolName === params.UserPoolName)
+                    return true;
+                return false;
+            });
+        }
+        return {
+            RoleCredentialProviders: providers,
+            TotalCount: params.UserPoolId || params.UserPoolName ? providers.length : (r.TotalCount ?? providers.length),
+            PageNumber: r.PageNumber ?? 1,
+            PageSize: r.PageSize ?? 20,
+        };
+    }
+    async getRoleCredentials(params) {
+        const body = {
+            IdentityToken: params.IdentityToken,
+            ProviderName: params.ProviderName,
+        };
+        if (params.PoolName) {
+            body.PoolName = params.PoolName;
+        }
+        if (params.RoleSessionName)
+            body.RoleSessionName = params.RoleSessionName;
+        if (params.RequestedRoleTrn)
+            body.RequestedRoleTrn = params.RequestedRoleTrn;
+        if (params.WithOIDC !== undefined)
+            body.WithOIDC = params.WithOIDC;
+        const r = (await this.signedPost("GetRoleCredentials", body));
+        const creds = r.VolcEngResponse?.Credentials ?? r.Credentials;
+        if (!creds?.AccessKeyId || !creds?.SecretAccessKey || !creds?.SessionToken) {
+            throw new Error("Identity GetRoleCredentials: missing Credentials in response");
+        }
+        return {
+            Credentials: {
+                AccessKeyId: creds.AccessKeyId,
+                SecretAccessKey: creds.SecretAccessKey,
+                SessionToken: creds.SessionToken,
+                CurrentTime: creds.CurrentTime,
+                Expiration: creds.Expiration,
+            },
+        };
+    }
+    async getUserPool(params) {
+        const body = { UserPoolUid: params.userPoolUid };
+        const r = (await this.signedPost("GetUserPool", body));
+        return toUserPoolResult(r);
+    }
+    async listIdentityProviders(params) {
+        const body = {
+            UserPoolUID: params.userPoolUid,
+            PageNumber: params.pageNumber ?? 1,
+            PageSize: params.pageSize ?? 10,
+        };
+        if (params.filter) {
+            const f = params.filter;
+            body.Filter = {
+                ...(f.name && { Name: f.name }),
+                ...(f.connectionType && { ConnectionType: f.connectionType }),
+            };
+        }
+        const r = (await this.signedPost("ListIdentityProviders", body));
+        const data = (r.Data ?? []).map((d) => ({
+            uid: d.Uid ?? "",
+            name: d.Name ?? "",
+            connectionType: d.ConnectionType,
+            provider: d.Provider,
+            createTime: d.CreateTime,
+            updateTime: d.UpdateTime,
+        }));
+        return {
+            pageNumber: r.PageNumber ?? 1,
+            pageSize: r.PageSize ?? 10,
+            totalCount: r.TotalCount ?? 0,
+            data,
+        };
+    }
+    async listUserPools(params) {
+        const body = {};
+        body.PageNumber = params.pageNumber ?? 1;
+        body.PageSize = params.pageSize ?? 10;
+        if (params.projectName)
+            body.ProjectName = params.projectName;
+        if (params.sortField)
+            body.SortField = params.sortField;
+        if (params.sortDirection)
+            body.SortDirection = params.sortDirection;
+        if (params.filter) {
+            const f = params.filter;
+            body.Filter = {
+                ...(f.name && { Name: f.name }),
+                ...(f.trn && { Trn: f.trn }),
+                ...(f.description && { Description: f.description }),
+                ...(f.uid && { Uid: f.uid }),
+                ...(f.tagFilters && {
+                    TagFilters: f.tagFilters.map((t) => ({
+                        Key: t.key,
+                        Values: t.values,
+                    })),
+                }),
+            };
+        }
+        const r = (await this.signedPost("ListUserPools", body));
+        const data = (r.Data ?? []).map((d) => {
+            const tags = d.Tags;
+            return {
+                uid: d.Uid ?? "",
+                name: d.Name ?? "",
+                description: d.Description,
+                domain: d.Domain ?? "",
+                trn: d.Trn,
+                createTime: d.CreateTime,
+                updateTime: d.UpdateTime,
+                tags: tags?.map((t) => ({ key: t.Key ?? "", value: t.Value ?? "" })),
+                projectName: d.ProjectName,
+            };
+        });
+        return {
+            pageNumber: r.PageNumber ?? 1,
+            pageSize: r.PageSize ?? 10,
+            totalCount: r.TotalCount ?? 0,
+            data,
+        };
+    }
+    async createUserPool(params) {
+        const body = {
+            Name: params.name,
+            Description: params.description,
+            ProjectName: params.projectName ?? "default",
+            PasswordSignInEnabled: params.passwordSignInEnabled ?? true,
+            EmailPasswordlessSignInEnabled: params.emailPasswordlessSignInEnabled ?? false,
+            SelfSignUpEnabled: params.selfSignUpEnabled ?? true,
+            SignInAttributes: params.signInAttributes ?? ["email"],
+            RequiredSignUpAttributes: params.requiredSignUpAttributes ?? ["email"],
+            SignUpAutoVerificationEnabled: params.signUpAutoVerificationEnabled ?? true,
+            SmsPasswordlessSignInEnabled: params.smsPasswordlessSignInEnabled ?? false,
+            SelfAccountRecoveryEnabled: params.selfAccountRecoveryEnabled ?? true,
+            UnconfirmedUserSignInEnabled: params.unconfirmedUserSignInEnabled ?? true,
+            SmsAnonymousSignUpEnabled: params.smsAnonymousSignUpEnabled ?? false,
+            Tags: params.tags?.map((t) => ({ Key: t.key, Value: t.value })),
+            Brand: params.brand ? { Name: params.brand.name, LogoUri: params.brand.logoUri } : undefined,
+        };
+        const r = (await this.signedPost("CreateUserPool", body));
+        return toUserPoolResult(r);
+    }
+    async getUserPoolClient(params) {
+        const body = {
+            UserPoolUid: params.userPoolUid,
+            ClientUid: params.clientUid,
+        };
+        const r = (await this.signedPost("GetUserPoolClient", body));
+        return toUserPoolClientResult(r);
+    }
+    async listUserPoolClients(params) {
+        const body = { UserPoolUid: params.userPoolUid };
+        body.PageNumber = params.pageNumber ?? 1;
+        body.PageSize = params.pageSize ?? 10;
+        if (params.sortField)
+            body.SortField = params.sortField;
+        if (params.sortDirection)
+            body.SortDirection = params.sortDirection;
+        if (params.filter) {
+            const f = params.filter;
+            body.Filter = {
+                ...(f.name && { Name: f.name }),
+                ...(f.description && { Description: f.description }),
+                ...(f.clientTypes && { ClientTypes: f.clientTypes }),
+            };
+        }
+        const r = (await this.signedPost("ListUserPoolClients", body));
+        const data = (r.Data ?? []).map((d) => ({
+            uid: d.Uid ?? "",
+            name: d.Name ?? "",
+            description: d.Description,
+            clientType: d.ClientType,
+            createTime: d.CreateTime,
+            updateTime: d.UpdateTime,
+        }));
+        return {
+            pageNumber: r.PageNumber ?? 1,
+            pageSize: r.PageSize ?? 10,
+            totalCount: r.TotalCount ?? 0,
+            data,
+        };
+    }
+    async createUserPoolClient(params) {
+        const body = {
+            UserPoolUid: params.userPoolUid,
+            Name: params.name,
+            Description: params.description,
+            LogoUri: params.logoUri,
+            ClientType: params.clientType ?? "WEB_APPLICATION",
+            AllowedCallbackUrls: params.allowedCallbackUrls ?? [],
+            AllowedLogoutUrls: params.allowedLogoutUrls,
+            AllowedWebOrigins: params.allowedWebOrigins,
+            AllowedCors: params.allowedCors,
+            SkipConsentEnabled: params.skipConsentEnabled ?? true,
+        };
+        const r = (await this.signedPost("CreateUserPoolClient", body));
+        return toUserPoolClientResult(r);
+    }
+}
+/**
+ * Resolve OIDC config from UserPool and Client names (from_veidentity style).
+ * If pool/client not found and autoCreate=true, creates them.
+ * Also fetches the first identity provider from ListIdentityProviders and caches poolUid —
+ * callers should cache the result to avoid repeated API calls.
+ */
+export async function resolveOIDCConfig(client, params) {
+    const { userPoolName, userPoolUid, clientName, clientUid, redirectUri, scope = "openid profile email offline_access", autoCreate = true, clientType = "WEB_APPLICATION", userPoolConfig, pluginType, } = params;
+    if (pluginType == "clawsentry") {
+        const discoveryUrl = `${userPoolConfig?.userPoolEndpoint}/.well-known/openid-configuration`;
+        return {
+            discoveryUrl: discoveryUrl,
+            clientId: userPoolConfig?.clientId ?? "",
+            clientSecret: userPoolConfig?.clientSecret ?? "",
+            scope: scope,
+            callbackUrl: redirectUri,
+            poolUid: userPoolConfig?.userPoolId ?? "",
+            identityProvider: userPoolConfig?.identityProvider ?? "",
+        };
+    }
+    else {
+        if (!userPoolName && !userPoolUid) {
+            throw new Error("Either userPoolName or userPoolUid must be provided");
+        }
+        if (!clientName && !clientUid) {
+            throw new Error("Either clientName or clientUid must be provided");
+        }
+        let poolUid;
+        let poolDomain;
+        if (userPoolUid) {
+            const pool = await client.getUserPool({ userPoolUid });
+            poolUid = pool.uid;
+            poolDomain = pool.domain;
+        }
+        else {
+            const list = await client.listUserPools({
+                pageSize: 50,
+                filter: { name: userPoolName },
+            });
+            const found = list.data.find((p) => p.name === userPoolName);
+            if (found) {
+                poolUid = found.uid;
+                poolDomain = found.domain;
+            }
+            else if (autoCreate && userPoolName) {
+                const created = await client.createUserPool({ name: userPoolName });
+                poolUid = created.uid;
+                poolDomain = created.domain;
+            }
+            else {
+                throw new Error(`User pool '${userPoolName}' not found (autoCreate=false or only UID provided)`);
+            }
+        }
+        let clientId;
+        let clientSecret;
+        if (clientUid) {
+            const c = await client.getUserPoolClient({
+                userPoolUid: poolUid,
+                clientUid,
+            });
+            clientId = c.uid;
+            clientSecret = c.clientSecret;
+        }
+        else {
+            const list = await client.listUserPoolClients({
+                userPoolUid: poolUid,
+                pageSize: 50,
+                filter: { name: clientName },
+            });
+            const found = list.data.find((c) => c.name === clientName);
+            if (found) {
+                const full = await client.getUserPoolClient({
+                    userPoolUid: poolUid,
+                    clientUid: found.uid,
+                });
+                clientId = full.uid;
+                clientSecret = full.clientSecret;
+            }
+            else if (autoCreate && clientName) {
+                const created = await client.createUserPoolClient({
+                    userPoolUid: poolUid,
+                    name: clientName,
+                    clientType,
+                    allowedCallbackUrls: [redirectUri],
+                });
+                clientId = created.uid;
+                clientSecret = created.clientSecret;
+            }
+            else {
+                throw new Error(`Client '${clientName}' not found (autoCreate=false or only UID provided)`);
+            }
+        }
+        const discoveryBase = poolDomain.startsWith("http") ? poolDomain : `https://${poolDomain}`;
+        const discoveryUrl = discoveryBase.endsWith("/")
+            ? `${discoveryBase}.well-known/openid-configuration`
+            : `${discoveryBase}/.well-known/openid-configuration`;
+        // Fetch first identity provider at resolve time so callers don't need a
+        // separate ListIdentityProviders call. Failure is non-fatal.
+        let identityProvider;
+        try {
+            const providers = await client.listIdentityProviders({
+                userPoolUid: poolUid,
+                pageNumber: 1,
+                pageSize: 1,
+            });
+            identityProvider = providers.data[0]?.name;
+        }
+        catch {
+            // best-effort; identityProvider stays undefined
+        }
+        return {
+            discoveryUrl,
+            clientId,
+            clientSecret,
+            scope,
+            callbackUrl: redirectUri,
+            poolUid,
+            identityProvider,
+        };
     }
-    return {
-        discoveryUrl,
-        clientId,
-        clientSecret,
-        scope,
-        callbackUrl: redirectUri,
-        poolUid,
-        identityProvider,
-    };
 }