@pattern-stack/codegen 0.15.0 → 0.15.2

package/dist/runtime/subsystems/auth/backends/state-store.drizzle-backend.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../../../runtime/subsystems/auth/backends/state-store.drizzle-backend.ts","../../../../../runtime/subsystems/auth/auth-oauth-state.schema.ts","../../../../../runtime/subsystems/auth/protocols/oauth-state-store.ts"],"sourcesContent":["/**\n * Drizzle-backed `IOAuthStateStore`.\n *\n * Uses the `auth_oauth_state` table (see `auth-oauth-state.schema.ts`).\n * Single-use semantics enforced via `DELETE ... RETURNING`: the consume\n * path atomically deletes and returns the row, so a concurrent /callback\n * with the same state cannot replay.\n *\n * Behaviour:\n *   - `generate(record)` mints a 256-bit base64url token, INSERTs the row\n *     with `expires_at = now() + ttlMs`.\n *   - `consume(state)` runs `DELETE ... WHERE state = $1 RETURNING ...`\n *     once. Throws `OAuthStateError('missing')` if no row was deleted\n *     (unknown or already consumed) and `OAuthStateError('expired')` if\n *     the deleted row was past its `expires_at`.\n */\nimport { randomBytes } from 'node:crypto';\nimport { eq } from 'drizzle-orm';\nimport type { DrizzleClient } from '../../../types/drizzle';\nimport { authOAuthState } from '../auth-oauth-state.schema';\nimport {\n  type IOAuthStateStore,\n  type OAuthStateRecord,\n  OAuthStateError,\n} from '../protocols/oauth-state-store';\n\nexport interface DrizzleOAuthStateStoreOptions {\n  /** TTL in ms. Default 10 minutes. */\n  ttlMs?: number;\n  /** Injectable clock for tests. Default `Date.now`. */\n  now?: () => number;\n  /** Injectable token generator for tests. Default 32-byte base64url. */\n  generateToken?: () => string;\n}\n\nexport class DrizzleOAuthStateStore implements IOAuthStateStore {\n  private readonly ttlMs: number;\n  private readonly now: () => number;\n  private readonly generateToken: () => string;\n\n  constructor(\n    private readonly db: DrizzleClient,\n    opts: DrizzleOAuthStateStoreOptions = {},\n  ) {\n    this.ttlMs = opts.ttlMs ?? 10 * 60 * 1000;\n    this.now = opts.now ?? (() => Date.now());\n    this.generateToken =\n      opts.generateToken ?? (() => randomBytes(32).toString('base64url'));\n  }\n\n  async generate(record: OAuthStateRecord): Promise<string> {\n    const state = this.generateToken();\n    const expiresAt = new Date(this.now() + this.ttlMs);\n    await this.db.insert(authOAuthState).values({\n      state,\n      userId: record.userId,\n      redirect: record.redirect ?? null,\n      expiresAt,\n    });\n    return state;\n  }\n\n  async consume(state: string): Promise<OAuthStateRecord> {\n    const rows = await this.db\n      .delete(authOAuthState)\n      .where(eq(authOAuthState.state, state))\n      .returning();\n    const row = rows[0];\n    if (!row) {\n      throw new OAuthStateError(\n        `OAuth state token unknown or already consumed`,\n        'missing',\n      );\n    }\n    if (row.expiresAt.getTime() <= this.now()) {\n      throw new OAuthStateError(`OAuth state token expired`, 'expired');\n    }\n    return {\n      userId: row.userId,\n      redirect: row.redirect ?? undefined,\n    };\n  }\n}\n","/**\n * Drizzle schema for the `auth_oauth_state` table — backs the\n * `DrizzleOAuthStateStore` (`state-store.drizzle-backend.ts`).\n *\n * One row per outstanding /connect → /callback dance. Single-use; rows are\n * deleted on consume. A periodic sweep (or a `WHERE expires_at < now()`\n * filter on read) clears abandoned rows.\n *\n * Columns:\n *   - `state`       — opaque random token, primary key.\n *   - `user_id`     — text (matches the consumer-defined user-id shape;\n *                     the auth subsystem doesn't constrain this to UUID\n *                     because some apps key users by external id).\n *   - `redirect`    — optional post-callback redirect path.\n *   - `expires_at`  — TTL boundary; entries past this are treated as absent.\n *\n * Convention: schema files live at the root of the subsystem dir\n * (mirrors `cache.schema.ts`, `integration-audit.schema.ts`, `domain-events.schema.ts`).\n */\nimport { pgTable, text, timestamp } from 'drizzle-orm/pg-core';\nimport type { InferSelectModel } from 'drizzle-orm';\n\nexport const authOAuthState = pgTable('auth_oauth_state', {\n  state: text('state').primaryKey(),\n  userId: text('user_id').notNull(),\n  redirect: text('redirect'),\n  expiresAt: timestamp('expires_at', { withTimezone: true }).notNull(),\n});\n\nexport type AuthOAuthState = InferSelectModel<typeof authOAuthState>;\n","/**\n * Auth subsystem — `IOAuthStateStore` port.\n *\n * CSRF protection for the OAuth2 authorize-code callback. Generic across\n * providers. The store mints opaque state tokens at /connect time and\n * single-use consumes them at /callback time, returning the original\n * record (userId + optional post-callback redirect path).\n *\n * Concrete backends live under `../backends/`:\n *   - `state-store.memory-backend.ts` — in-process Map (tests/dev).\n *   - `state-store.drizzle-backend.ts` — Postgres (prod).\n *\n * Semantics:\n *   - `generate(record)` → returns an opaque state token; record is stored\n *     under that token until consumed or until TTL expires.\n *   - `consume(state)`   → atomically deletes the entry and returns the\n *     record. Throws on missing, expired, or replayed state. Never returns\n *     null — a missing/expired state is a CSRF signal.\n */\nexport interface OAuthStateRecord {\n  userId: string;\n  /** Optional post-callback redirect path (relative URL). */\n  redirect?: string;\n}\n\nexport interface IOAuthStateStore {\n  /** Mint an opaque state token bound to `record`. Single-use. */\n  generate(record: OAuthStateRecord): Promise<string>;\n  /**\n   * Atomically consume `state`, returning the bound record. Throws on\n   * missing / expired / replayed state.\n   */\n  consume(state: string): Promise<OAuthStateRecord>;\n}\n\n/**\n * Thrown by `IOAuthStateStore.consume` when the state token is unknown,\n * expired, or has already been consumed (replay attempt).\n */\nexport class OAuthStateError extends Error {\n  constructor(\n    message: string,\n    public readonly reason: 'missing' | 'expired',\n  ) {\n    super(message);\n    this.name = 'OAuthStateError';\n  }\n}\n"],"mappings":";AAgBA,SAAS,mBAAmB;AAC5B,SAAS,UAAU;;;ACEnB,SAAS,SAAS,MAAM,iBAAiB;AAGlC,IAAM,iBAAiB,QAAQ,oBAAoB;AAAA,EACxD,OAAO,KAAK,OAAO,EAAE,WAAW;AAAA,EAChC,QAAQ,KAAK,SAAS,EAAE,QAAQ;AAAA,EAChC,UAAU,KAAK,UAAU;AAAA,EACzB,WAAW,UAAU,cAAc,EAAE,cAAc,KAAK,CAAC,EAAE,QAAQ;AACrE,CAAC;;;ACYM,IAAM,kBAAN,cAA8B,MAAM;AAAA,EACzC,YACE,SACgB,QAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AAAA,EAJkB;AAKpB;;;AFZO,IAAM,yBAAN,MAAyD;AAAA,EAK9D,YACmB,IACjB,OAAsC,CAAC,GACvC;AAFiB;AAGjB,SAAK,QAAQ,KAAK,SAAS,KAAK,KAAK;AACrC,SAAK,MAAM,KAAK,QAAQ,MAAM,KAAK,IAAI;AACvC,SAAK,gBACH,KAAK,kBAAkB,MAAM,YAAY,EAAE,EAAE,SAAS,WAAW;AAAA,EACrE;AAAA,EAPmB;AAAA,EALF;AAAA,EACA;AAAA,EACA;AAAA,EAYjB,MAAM,SAAS,QAA2C;AACxD,UAAM,QAAQ,KAAK,cAAc;AACjC,UAAM,YAAY,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK;AAClD,UAAM,KAAK,GAAG,OAAO,cAAc,EAAE,OAAO;AAAA,MAC1C;AAAA,MACA,QAAQ,OAAO;AAAA,MACf,UAAU,OAAO,YAAY;AAAA,MAC7B;AAAA,IACF,CAAC;AACD,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,QAAQ,OAA0C;AACtD,UAAM,OAAO,MAAM,KAAK,GACrB,OAAO,cAAc,EACrB,MAAM,GAAG,eAAe,OAAO,KAAK,CAAC,EACrC,UAAU;AACb,UAAM,MAAM,KAAK,CAAC;AAClB,QAAI,CAAC,KAAK;AACR,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,MACF;AAAA,IACF;AACA,QAAI,IAAI,UAAU,QAAQ,KAAK,KAAK,IAAI,GAAG;AACzC,YAAM,IAAI,gBAAgB,6BAA6B,SAAS;AAAA,IAClE;AACA,WAAO;AAAA,MACL,QAAQ,IAAI;AAAA,MACZ,UAAU,IAAI,YAAY;AAAA,IAC5B;AAAA,EACF;AACF;","names":[]}
+{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}

package/dist/runtime/subsystems/auth/backends/state-store.memory-backend.js

@@ -1,50 +1,8 @@
-// runtime/subsystems/auth/backends/state-store.memory-backend.ts
-import { randomBytes } from "crypto";
-
-// runtime/subsystems/auth/protocols/oauth-state-store.ts
-var OAuthStateError = class extends Error {
-  constructor(message, reason) {
-    super(message);
-    this.reason = reason;
-    this.name = "OAuthStateError";
-  }
-  reason;
-};
-
-// runtime/subsystems/auth/backends/state-store.memory-backend.ts
-var MemoryOAuthStateStore = class {
-  store = /* @__PURE__ */ new Map();
-  ttlMs;
-  now;
-  generateToken;
-  constructor(opts = {}) {
-    this.ttlMs = opts.ttlMs ?? 10 * 60 * 1e3;
-    this.now = opts.now ?? (() => Date.now());
-    this.generateToken = opts.generateToken ?? (() => randomBytes(32).toString("base64url"));
-  }
-  async generate(record) {
-    const state = this.generateToken();
-    this.store.set(state, {
-      record: { ...record },
-      expiresAt: this.now() + this.ttlMs
-    });
-    return state;
-  }
-  async consume(state) {
-    const slot = this.store.get(state);
-    if (!slot) {
-      throw new OAuthStateError(
-        `OAuth state token unknown or already consumed`,
-        "missing"
-      );
-    }
-    this.store.delete(state);
-    if (slot.expiresAt <= this.now()) {
-      throw new OAuthStateError(`OAuth state token expired`, "expired");
-    }
-    return slot.record;
-  }
-};
+import {
+  MemoryOAuthStateStore
+} from "../../../../chunk-QLTJSCE6.js";
+import "../../../../chunk-BPARRK6F.js";
+import "../../../../chunk-2E224ZSN.js";
 export {
   MemoryOAuthStateStore
 };

package/dist/runtime/subsystems/auth/backends/state-store.memory-backend.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../../../runtime/subsystems/auth/backends/state-store.memory-backend.ts","../../../../../runtime/subsystems/auth/protocols/oauth-state-store.ts"],"sourcesContent":["/**\n * In-memory `IOAuthStateStore` backend.\n *\n * Single-process store — Map<state, { record, expiresAt }>. Suitable for\n * tests and single-worker dev. Production deployments select the drizzle\n * backend so state survives restarts and is shared across workers.\n *\n * Single-use semantics:\n *   - `generate(record)` mints a 256-bit random token (base64url, opaque).\n *   - `consume(state)` deletes the entry on read. A second call with the\n *     same state throws `OAuthStateError('replay')`.\n *   - Expired entries also throw (`'expired'`); the entry is deleted as a\n *     side effect so a later replay still surfaces correctly.\n *\n * TTL defaults to 10 minutes — long enough for a user to complete the\n * provider's consent screen, short enough that abandoned states age out.\n */\nimport { randomBytes } from 'node:crypto';\nimport {\n  type IOAuthStateStore,\n  type OAuthStateRecord,\n  OAuthStateError,\n} from '../protocols/oauth-state-store';\n\nexport interface MemoryOAuthStateStoreOptions {\n  /** TTL in ms. Default 10 minutes. */\n  ttlMs?: number;\n  /** Injectable clock for tests. Default `Date.now`. */\n  now?: () => number;\n  /** Injectable token generator for tests. Default 32-byte base64url. */\n  generateToken?: () => string;\n}\n\ninterface Slot {\n  record: OAuthStateRecord;\n  expiresAt: number;\n}\n\nexport class MemoryOAuthStateStore implements IOAuthStateStore {\n  private readonly store = new Map<string, Slot>();\n  private readonly ttlMs: number;\n  private readonly now: () => number;\n  private readonly generateToken: () => string;\n\n  constructor(opts: MemoryOAuthStateStoreOptions = {}) {\n    this.ttlMs = opts.ttlMs ?? 10 * 60 * 1000;\n    this.now = opts.now ?? (() => Date.now());\n    this.generateToken =\n      opts.generateToken ?? (() => randomBytes(32).toString('base64url'));\n  }\n\n  async generate(record: OAuthStateRecord): Promise<string> {\n    const state = this.generateToken();\n    this.store.set(state, {\n      record: { ...record },\n      expiresAt: this.now() + this.ttlMs,\n    });\n    return state;\n  }\n\n  async consume(state: string): Promise<OAuthStateRecord> {\n    const slot = this.store.get(state);\n    if (!slot) {\n      throw new OAuthStateError(\n        `OAuth state token unknown or already consumed`,\n        'missing',\n      );\n    }\n    // Delete first so a concurrent consume can't replay.\n    this.store.delete(state);\n    if (slot.expiresAt <= this.now()) {\n      throw new OAuthStateError(`OAuth state token expired`, 'expired');\n    }\n    return slot.record;\n  }\n}\n","/**\n * Auth subsystem — `IOAuthStateStore` port.\n *\n * CSRF protection for the OAuth2 authorize-code callback. Generic across\n * providers. The store mints opaque state tokens at /connect time and\n * single-use consumes them at /callback time, returning the original\n * record (userId + optional post-callback redirect path).\n *\n * Concrete backends live under `../backends/`:\n *   - `state-store.memory-backend.ts` — in-process Map (tests/dev).\n *   - `state-store.drizzle-backend.ts` — Postgres (prod).\n *\n * Semantics:\n *   - `generate(record)` → returns an opaque state token; record is stored\n *     under that token until consumed or until TTL expires.\n *   - `consume(state)`   → atomically deletes the entry and returns the\n *     record. Throws on missing, expired, or replayed state. Never returns\n *     null — a missing/expired state is a CSRF signal.\n */\nexport interface OAuthStateRecord {\n  userId: string;\n  /** Optional post-callback redirect path (relative URL). */\n  redirect?: string;\n}\n\nexport interface IOAuthStateStore {\n  /** Mint an opaque state token bound to `record`. Single-use. */\n  generate(record: OAuthStateRecord): Promise<string>;\n  /**\n   * Atomically consume `state`, returning the bound record. Throws on\n   * missing / expired / replayed state.\n   */\n  consume(state: string): Promise<OAuthStateRecord>;\n}\n\n/**\n * Thrown by `IOAuthStateStore.consume` when the state token is unknown,\n * expired, or has already been consumed (replay attempt).\n */\nexport class OAuthStateError extends Error {\n  constructor(\n    message: string,\n    public readonly reason: 'missing' | 'expired',\n  ) {\n    super(message);\n    this.name = 'OAuthStateError';\n  }\n}\n"],"mappings":";AAiBA,SAAS,mBAAmB;;;ACsBrB,IAAM,kBAAN,cAA8B,MAAM;AAAA,EACzC,YACE,SACgB,QAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AAAA,EAJkB;AAKpB;;;ADTO,IAAM,wBAAN,MAAwD;AAAA,EAC5C,QAAQ,oBAAI,IAAkB;AAAA,EAC9B;AAAA,EACA;AAAA,EACA;AAAA,EAEjB,YAAY,OAAqC,CAAC,GAAG;AACnD,SAAK,QAAQ,KAAK,SAAS,KAAK,KAAK;AACrC,SAAK,MAAM,KAAK,QAAQ,MAAM,KAAK,IAAI;AACvC,SAAK,gBACH,KAAK,kBAAkB,MAAM,YAAY,EAAE,EAAE,SAAS,WAAW;AAAA,EACrE;AAAA,EAEA,MAAM,SAAS,QAA2C;AACxD,UAAM,QAAQ,KAAK,cAAc;AACjC,SAAK,MAAM,IAAI,OAAO;AAAA,MACpB,QAAQ,EAAE,GAAG,OAAO;AAAA,MACpB,WAAW,KAAK,IAAI,IAAI,KAAK;AAAA,IAC/B,CAAC;AACD,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,QAAQ,OAA0C;AACtD,UAAM,OAAO,KAAK,MAAM,IAAI,KAAK;AACjC,QAAI,CAAC,MAAM;AACT,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAEA,SAAK,MAAM,OAAO,KAAK;AACvB,QAAI,KAAK,aAAa,KAAK,IAAI,GAAG;AAChC,YAAM,IAAI,gBAAgB,6BAA6B,SAAS;AAAA,IAClE;AACA,WAAO,KAAK;AAAA,EACd;AACF;","names":[]}
+{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}

package/dist/runtime/subsystems/auth/controllers/auth.controller.js

@@ -1,143 +1,9 @@
-var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __decorateClass = (decorators, target, key, kind) => {
-  var result = kind > 1 ? void 0 : kind ? __getOwnPropDesc(target, key) : target;
-  for (var i = decorators.length - 1, decorator; i >= 0; i--)
-    if (decorator = decorators[i])
-      result = (kind ? decorator(target, key, result) : decorator(result)) || result;
-  if (kind && result) __defProp(target, key, result);
-  return result;
-};
-var __decorateParam = (index, decorator) => (target, key) => decorator(target, key, index);
-
-// runtime/subsystems/auth/controllers/auth.controller.ts
 import {
-  Controller,
-  Get,
-  Inject,
-  Param,
-  Query,
-  Req,
-  Res,
-  HttpException,
-  HttpStatus
-} from "@nestjs/common";
-
-// runtime/subsystems/token-key.ts
-var PKG = "@pattern-stack/codegen";
-var tokenKey = (area, name) => `${PKG}.${area}.${name}`;
-
-// runtime/subsystems/auth/auth.tokens.ts
-var ENCRYPTION_KEY = Symbol.for(tokenKey("auth", "encryption-key"));
-var OAUTH_STATE_STORE = Symbol.for(tokenKey("auth", "oauth-state-store"));
-var AUTH_CONNECTION_READER = Symbol.for(tokenKey("auth", "connection-reader"));
-var AUTH_CONNECTION_TOKEN_WRITER = Symbol.for(tokenKey("auth", "connection-token-writer"));
-var AUTH_CONNECTION_GRANT_SINK = Symbol.for(tokenKey("auth", "connection-grant-sink"));
-var AUTH_USER_CONTEXT = Symbol.for(tokenKey("auth", "user-context"));
-var STRATEGY_REGISTRY = Symbol.for(tokenKey("auth", "strategy-registry"));
-var AUTH_OPTIONS = Symbol.for(tokenKey("auth", "options"));
-
-// runtime/subsystems/auth/controllers/auth.controller.ts
-var AuthController = class {
-  constructor(registry, userContext, stateStore, grantSink, options) {
-    this.registry = registry;
-    this.userContext = userContext;
-    this.stateStore = stateStore;
-    this.grantSink = grantSink;
-    this.options = options;
-  }
-  registry;
-  userContext;
-  stateStore;
-  grantSink;
-  options;
-  async connect(slug, redirect, req, res) {
-    const strategy = this.requireStrategy(slug);
-    const userId = await this.userContext.getCurrentUserId(req);
-    const state = await this.stateStore.generate({ userId, redirect });
-    const url = strategy.buildAuthorizeUrl({
-      state,
-      redirectUri: this.redirectUriFor(slug)
-    });
-    return res.redirect(HttpStatus.FOUND, url);
-  }
-  async callback(slug, code, state, res) {
-    const strategy = this.requireStrategy(slug);
-    if (!code) {
-      throw new HttpException(
-        `Missing 'code' query param`,
-        HttpStatus.BAD_REQUEST
-      );
-    }
-    if (!state) {
-      throw new HttpException(
-        `Missing 'state' query param`,
-        HttpStatus.BAD_REQUEST
-      );
-    }
-    const { userId, redirect } = await this.stateStore.consume(state);
-    const tokens = await strategy.exchangeCodeForTokens({
-      code,
-      redirectUri: this.redirectUriFor(slug)
-    });
-    await this.grantSink.createOrUpdateFromOAuthGrant({
-      userId,
-      provider: slug,
-      accessToken: tokens.accessToken,
-      refreshToken: tokens.refreshToken,
-      expiresAt: tokens.expiresAt,
-      scope: tokens.scope,
-      externalAccountId: tokens.externalAccountId,
-      providerMetadata: tokens.providerMetadata
-    });
-    return res.redirect(
-      HttpStatus.FOUND,
-      redirect ?? `/settings/connections?connected=${encodeURIComponent(slug)}`
-    );
-  }
-  requireStrategy(slug) {
-    const strategy = this.registry.get(slug);
-    if (!strategy) {
-      throw new HttpException(
-        `Unknown provider '${slug}'`,
-        HttpStatus.NOT_FOUND
-      );
-    }
-    return strategy;
-  }
-  redirectUriFor(slug) {
-    const base = this.options.redirectUriBase;
-    if (!base) {
-      throw new Error(
-        `AuthModule.forRoot: redirectUriBase is required when AuthController is enabled`
-      );
-    }
-    const trimmed = base.replace(/\/+$/, "");
-    return `${trimmed}/auth/${encodeURIComponent(slug)}/callback`;
-  }
-};
-__decorateClass([
-  Get(":provider/connect"),
-  __decorateParam(0, Param("provider")),
-  __decorateParam(1, Query("redirect")),
-  __decorateParam(2, Req()),
-  __decorateParam(3, Res())
-], AuthController.prototype, "connect", 1);
-__decorateClass([
-  Get(":provider/callback"),
-  __decorateParam(0, Param("provider")),
-  __decorateParam(1, Query("code")),
-  __decorateParam(2, Query("state")),
-  __decorateParam(3, Res())
-], AuthController.prototype, "callback", 1);
-AuthController = __decorateClass([
-  Controller("auth"),
-  __decorateParam(0, Inject(STRATEGY_REGISTRY)),
-  __decorateParam(1, Inject(AUTH_USER_CONTEXT)),
-  __decorateParam(2, Inject(OAUTH_STATE_STORE)),
-  __decorateParam(3, Inject(AUTH_CONNECTION_GRANT_SINK)),
-  __decorateParam(4, Inject(AUTH_OPTIONS))
-], AuthController);
+  AuthController
+} from "../../../../chunk-SZVPIHWE.js";
+import "../../../../chunk-6XY6ZMMD.js";
+import "../../../../chunk-GYGNEQSC.js";
+import "../../../../chunk-2E224ZSN.js";
 export {
   AuthController
 };

package/dist/runtime/subsystems/auth/controllers/auth.controller.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../../../runtime/subsystems/auth/controllers/auth.controller.ts","../../../../../runtime/subsystems/token-key.ts","../../../../../runtime/subsystems/auth/auth.tokens.ts"],"sourcesContent":["/**\n * AuthController — provider-agnostic OAuth2 connect/callback dance.\n *\n * Mounts two routes:\n *   - `GET /auth/:provider/connect?redirect=...` — generates state, builds\n *     the provider's authorize-url, 302-redirects the browser there.\n *   - `GET /auth/:provider/callback?code=...&state=...` — consumes state,\n *     exchanges the code for tokens, hands them to the grant sink, then\n *     302-redirects to the post-connect path.\n *\n * Hexagonal seams:\n *   - `STRATEGY_REGISTRY` (ReadonlyMap<slug, IProviderStrategy>) — dispatch.\n *     Concrete per-provider strategies live consumer-side and contribute\n *     entries via a `useFactory` in the consumer's app module.\n *   - `AUTH_USER_CONTEXT` (IUserContext) — resolves \"who is this request\"\n *     from the consumer's session/JWT/etc.\n *   - `OAUTH_STATE_STORE` (IOAuthStateStore) — CSRF state minting/consume.\n *   - `AUTH_CONNECTION_GRANT_SINK` (IConnectionGrantSink) — persists the\n *     freshly-minted grant. Adapter lives consumer-side (e.g. the\n *     auth-integrations starter from #285).\n *\n * The controller never imports `ConnectionsService` or any other concrete\n * consumer type — it goes through ports only.\n */\nimport {\n  Controller,\n  Get,\n  Inject,\n  Param,\n  Query,\n  Req,\n  Res,\n  HttpException,\n  HttpStatus,\n} from '@nestjs/common';\nimport {\n  AUTH_CONNECTION_GRANT_SINK,\n  AUTH_OPTIONS,\n  AUTH_USER_CONTEXT,\n  OAUTH_STATE_STORE,\n  STRATEGY_REGISTRY,\n} from '../auth.tokens';\nimport type { AuthModuleOptions } from '../auth.module';\nimport type { IOAuthStateStore } from '../protocols/oauth-state-store';\nimport type { IUserContext } from '../protocols/user-context';\nimport type {\n  IProviderStrategy,\n  ProviderStrategyRegistry,\n} from '../protocols/provider-strategy';\nimport type { IConnectionGrantSink } from '../protocols/connection-store';\n\n/**\n * Minimal response surface used by the controller — typed loosely so we\n * don't pull a hard dep on `express` or `fastify`. Both popular HTTP\n * adapters expose `redirect(status, url)`.\n */\ninterface RedirectingResponse {\n  redirect(statusCode: number, url: string): unknown;\n}\n\n@Controller('auth')\nexport class AuthController {\n  constructor(\n    @Inject(STRATEGY_REGISTRY)\n    private readonly registry: ProviderStrategyRegistry,\n    @Inject(AUTH_USER_CONTEXT)\n    private readonly userContext: IUserContext,\n    @Inject(OAUTH_STATE_STORE)\n    private readonly stateStore: IOAuthStateStore,\n    @Inject(AUTH_CONNECTION_GRANT_SINK)\n    private readonly grantSink: IConnectionGrantSink,\n    @Inject(AUTH_OPTIONS)\n    private readonly options: AuthModuleOptions,\n  ) {}\n\n  @Get(':provider/connect')\n  async connect(\n    @Param('provider') slug: string,\n    @Query('redirect') redirect: string | undefined,\n    @Req() req: unknown,\n    @Res() res: RedirectingResponse,\n  ): Promise<unknown> {\n    const strategy = this.requireStrategy(slug);\n    const userId = await this.userContext.getCurrentUserId(req);\n    const state = await this.stateStore.generate({ userId, redirect });\n    const url = strategy.buildAuthorizeUrl({\n      state,\n      redirectUri: this.redirectUriFor(slug),\n    });\n    return res.redirect(HttpStatus.FOUND, url);\n  }\n\n  @Get(':provider/callback')\n  async callback(\n    @Param('provider') slug: string,\n    @Query('code') code: string | undefined,\n    @Query('state') state: string | undefined,\n    @Res() res: RedirectingResponse,\n  ): Promise<unknown> {\n    const strategy = this.requireStrategy(slug);\n    if (!code) {\n      throw new HttpException(\n        `Missing 'code' query param`,\n        HttpStatus.BAD_REQUEST,\n      );\n    }\n    if (!state) {\n      throw new HttpException(\n        `Missing 'state' query param`,\n        HttpStatus.BAD_REQUEST,\n      );\n    }\n    const { userId, redirect } = await this.stateStore.consume(state);\n    const tokens = await strategy.exchangeCodeForTokens({\n      code,\n      redirectUri: this.redirectUriFor(slug),\n    });\n    await this.grantSink.createOrUpdateFromOAuthGrant({\n      userId,\n      provider: slug,\n      accessToken: tokens.accessToken,\n      refreshToken: tokens.refreshToken,\n      expiresAt: tokens.expiresAt,\n      scope: tokens.scope,\n      externalAccountId: tokens.externalAccountId,\n      providerMetadata: tokens.providerMetadata,\n    });\n    return res.redirect(\n      HttpStatus.FOUND,\n      redirect ?? `/settings/connections?connected=${encodeURIComponent(slug)}`,\n    );\n  }\n\n  private requireStrategy(slug: string): IProviderStrategy {\n    const strategy = this.registry.get(slug);\n    if (!strategy) {\n      throw new HttpException(\n        `Unknown provider '${slug}'`,\n        HttpStatus.NOT_FOUND,\n      );\n    }\n    return strategy;\n  }\n\n  private redirectUriFor(slug: string): string {\n    const base = this.options.redirectUriBase;\n    if (!base) {\n      throw new Error(\n        `AuthModule.forRoot: redirectUriBase is required when AuthController is enabled`,\n      );\n    }\n    const trimmed = base.replace(/\\/+$/, '');\n    return `${trimmed}/auth/${encodeURIComponent(slug)}/callback`;\n  }\n}\n","/** Canonical package namespace for cross-boundary DI token keys. MUST be a hardcoded\n *  constant (NOT derived from package.json) so a vendored copy — which lives inside the\n *  CONSUMER's package — produces the identical key and the two copies share the symbol. */\nexport const PKG = '@pattern-stack/codegen';\n// TODO(token-version): if/when a runtime contract version is adopted, inject it HERE only\n//   (e.g. `${PKG}#${ABI}.${area}.${name}`) — this helper is the single chokepoint.\nexport const tokenKey = (area: string, name: string): string => `${PKG}.${area}.${name}`;\n","/**\n * Auth subsystem — injection tokens.\n *\n * Following ADR-008 guidance: `Symbol()` tokens for type safety and collision\n * avoidance. Consumers inject these via `@Inject(...)` against the matching\n * protocol interface.\n *\n * Usage:\n * ```typescript\n * constructor(\n *   @Inject(ENCRYPTION_KEY) private readonly key: IEncryptionKey,\n *   @Inject(OAUTH_STATE_STORE) private readonly states: IOAuthStateStore,\n *   @Inject(AUTH_CONNECTION_READER) private readonly reader: IConnectionReader,\n *   @Inject(AUTH_CONNECTION_TOKEN_WRITER) private readonly writer: IConnectionTokenWriter,\n *   @Inject(AUTH_CONNECTION_GRANT_SINK) private readonly grants: IConnectionGrantSink,\n *   @Inject(AUTH_USER_CONTEXT) private readonly userCtx: IUserContext,\n *   @Inject(STRATEGY_REGISTRY) private readonly registry: ProviderStrategyRegistry,\n * ) {}\n * ```\n *\n * `IAuthStrategy` implementations are provider-specific and registered under\n * provider-specific tokens (e.g. `SALESFORCE_AUTH_STRATEGY`,\n * `HUBSPOT_AUTH_STRATEGY`) by each connection module — this subsystem does\n * not mandate a single `AUTH_STRATEGY` token because an app typically has\n * many concurrent strategies, one per provider. They are dispatched through\n * `STRATEGY_REGISTRY` (a `ReadonlyMap<slug, IProviderStrategy>`), populated\n * by per-provider modules via a `useFactory` provider.\n */\nimport { tokenKey } from '../token-key';\n\n// ADR-037: namespaced `Symbol.for(...)` keys so a token matches by VALUE across\n// import boundaries — the package copy and a (legacy) vendored copy resolve to\n// the SAME symbol, eliminating the dual-package DI-token identity hazard that\n// crashed boot once the emitter began emitting `STRATEGY_REGISTRY` as a runtime\n// value (RFC-0003 R5). Matches the convention surface packages already use.\nexport const ENCRYPTION_KEY = Symbol.for(tokenKey('auth', 'encryption-key'));\nexport const OAUTH_STATE_STORE = Symbol.for(tokenKey('auth', 'oauth-state-store'));\nexport const AUTH_CONNECTION_READER = Symbol.for(tokenKey('auth', 'connection-reader'));\nexport const AUTH_CONNECTION_TOKEN_WRITER = Symbol.for(tokenKey('auth', 'connection-token-writer'));\nexport const AUTH_CONNECTION_GRANT_SINK = Symbol.for(tokenKey('auth', 'connection-grant-sink'));\nexport const AUTH_USER_CONTEXT = Symbol.for(tokenKey('auth', 'user-context'));\nexport const STRATEGY_REGISTRY = Symbol.for(tokenKey('auth', 'strategy-registry'));\n/**\n * Holds the resolved `AuthModuleOptions` (used by `AuthController` to read\n * `redirectUriBase` for building per-provider callback URIs).\n */\nexport const AUTH_OPTIONS = Symbol.for(tokenKey('auth', 'options'));\n"],"mappings":";;;;;;;;;;;;;AAwBA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;;;AC/BA,IAAM,MAAM;AAGZ,IAAM,WAAW,CAAC,MAAc,SAAyB,GAAG,GAAG,IAAI,IAAI,IAAI,IAAI;;;AC6B/E,IAAM,iBAAiB,OAAO,IAAI,SAAS,QAAQ,gBAAgB,CAAC;AACpE,IAAM,oBAAoB,OAAO,IAAI,SAAS,QAAQ,mBAAmB,CAAC;AAC1E,IAAM,yBAAyB,OAAO,IAAI,SAAS,QAAQ,mBAAmB,CAAC;AAC/E,IAAM,+BAA+B,OAAO,IAAI,SAAS,QAAQ,yBAAyB,CAAC;AAC3F,IAAM,6BAA6B,OAAO,IAAI,SAAS,QAAQ,uBAAuB,CAAC;AACvF,IAAM,oBAAoB,OAAO,IAAI,SAAS,QAAQ,cAAc,CAAC;AACrE,IAAM,oBAAoB,OAAO,IAAI,SAAS,QAAQ,mBAAmB,CAAC;AAK1E,IAAM,eAAe,OAAO,IAAI,SAAS,QAAQ,SAAS,CAAC;;;AFe3D,IAAM,iBAAN,MAAqB;AAAA,EAC1B,YAEmB,UAEA,aAEA,YAEA,WAEA,SACjB;AATiB;AAEA;AAEA;AAEA;AAEA;AAAA,EAChB;AAAA,EATgB;AAAA,EAEA;AAAA,EAEA;AAAA,EAEA;AAAA,EAEA;AAAA,EAInB,MAAM,QACe,MACA,UACZ,KACA,KACW;AAClB,UAAM,WAAW,KAAK,gBAAgB,IAAI;AAC1C,UAAM,SAAS,MAAM,KAAK,YAAY,iBAAiB,GAAG;AAC1D,UAAM,QAAQ,MAAM,KAAK,WAAW,SAAS,EAAE,QAAQ,SAAS,CAAC;AACjE,UAAM,MAAM,SAAS,kBAAkB;AAAA,MACrC;AAAA,MACA,aAAa,KAAK,eAAe,IAAI;AAAA,IACvC,CAAC;AACD,WAAO,IAAI,SAAS,WAAW,OAAO,GAAG;AAAA,EAC3C;AAAA,EAGA,MAAM,SACe,MACJ,MACC,OACT,KACW;AAClB,UAAM,WAAW,KAAK,gBAAgB,IAAI;AAC1C,QAAI,CAAC,MAAM;AACT,YAAM,IAAI;AAAA,QACR;AAAA,QACA,WAAW;AAAA,MACb;AAAA,IACF;AACA,QAAI,CAAC,OAAO;AACV,YAAM,IAAI;AAAA,QACR;AAAA,QACA,WAAW;AAAA,MACb;AAAA,IACF;AACA,UAAM,EAAE,QAAQ,SAAS,IAAI,MAAM,KAAK,WAAW,QAAQ,KAAK;AAChE,UAAM,SAAS,MAAM,SAAS,sBAAsB;AAAA,MAClD;AAAA,MACA,aAAa,KAAK,eAAe,IAAI;AAAA,IACvC,CAAC;AACD,UAAM,KAAK,UAAU,6BAA6B;AAAA,MAChD;AAAA,MACA,UAAU;AAAA,MACV,aAAa,OAAO;AAAA,MACpB,cAAc,OAAO;AAAA,MACrB,WAAW,OAAO;AAAA,MAClB,OAAO,OAAO;AAAA,MACd,mBAAmB,OAAO;AAAA,MAC1B,kBAAkB,OAAO;AAAA,IAC3B,CAAC;AACD,WAAO,IAAI;AAAA,MACT,WAAW;AAAA,MACX,YAAY,mCAAmC,mBAAmB,IAAI,CAAC;AAAA,IACzE;AAAA,EACF;AAAA,EAEQ,gBAAgB,MAAiC;AACvD,UAAM,WAAW,KAAK,SAAS,IAAI,IAAI;AACvC,QAAI,CAAC,UAAU;AACb,YAAM,IAAI;AAAA,QACR,qBAAqB,IAAI;AAAA,QACzB,WAAW;AAAA,MACb;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAAA,EAEQ,eAAe,MAAsB;AAC3C,UAAM,OAAO,KAAK,QAAQ;AAC1B,QAAI,CAAC,MAAM;AACT,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AACA,UAAM,UAAU,KAAK,QAAQ,QAAQ,EAAE;AACvC,WAAO,GAAG,OAAO,SAAS,mBAAmB,IAAI,CAAC;AAAA,EACpD;AACF;AA9EQ;AAAA,EADL,IAAI,mBAAmB;AAAA,EAErB,yBAAM,UAAU;AAAA,EAChB,yBAAM,UAAU;AAAA,EAChB,uBAAI;AAAA,EACJ,uBAAI;AAAA,GAnBI,eAeL;AAiBA;AAAA,EADL,IAAI,oBAAoB;AAAA,EAEtB,yBAAM,UAAU;AAAA,EAChB,yBAAM,MAAM;AAAA,EACZ,yBAAM,OAAO;AAAA,EACb,uBAAI;AAAA,GApCI,eAgCL;AAhCK,iBAAN;AAAA,EADN,WAAW,MAAM;AAAA,EAGb,0BAAO,iBAAiB;AAAA,EAExB,0BAAO,iBAAiB;AAAA,EAExB,0BAAO,iBAAiB;AAAA,EAExB,0BAAO,0BAA0B;AAAA,EAEjC,0BAAO,YAAY;AAAA,GAVX;","names":[]}
+{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}