@pattern-stack/codegen 0.4.1 → 0.4.2

package/runtime/subsystems/analytics/analytics-query.protocol.ts

@@ -0,0 +1,37 @@
+/**
+ * Analytics subsystem — protocol (port)
+ *
+ * IAnalyticsQuery is the hexagonal port. Services inject this interface via
+ * the ANALYTICS_QUERY token. They never depend on a specific backend
+ * implementation (cube.js, noop, etc.).
+ */
+
+export interface ResultRow {
+  [key: string]: any;
+}
+
+export interface AnalyticsQueryOpts {
+  /** Include raw entity IDs in the result set. */
+  withIds?: boolean;
+  /** Maximum number of rows to return. */
+  limit?: number;
+}
+
+export interface IAnalyticsQuery {
+  /**
+   * Execute an analytics query against the semantic layer.
+   *
+   * @param cube - Cube name (e.g., 'Orders')
+   * @param measures - Measure names (e.g., ['totalRevenue'])
+   * @param dimensions - Dimension names (e.g., ['status', 'createdAt'])
+   * @param where - Optional filter conditions
+   * @param opts - Query options (limit, withIds)
+   */
+  execute(
+    cube: string,
+    measures: string[],
+    dimensions: string[],
+    where?: Record<string, any>,
+    opts?: AnalyticsQueryOpts,
+  ): Promise<ResultRow[]>;
+}

package/runtime/subsystems/analytics/analytics.module.ts

@@ -0,0 +1,64 @@
+/**
+ * AnalyticsModule — DynamicModule factory for the analytics query subsystem.
+ *
+ * Register once in AppModule:
+ * ```typescript
+ * @Module({
+ *   imports: [
+ *     AnalyticsModule.forRoot({ backend: 'cube' }),
+ *   ],
+ * })
+ * export class AppModule {}
+ * ```
+ *
+ * Tests swap to the noop backend without touching application code:
+ * ```typescript
+ * Test.createTestingModule({
+ *   imports: [AnalyticsModule.forRoot({ backend: 'noop' })],
+ * });
+ * ```
+ *
+ * `global: true` means entity modules do not need to import AnalyticsModule
+ * individually — the ANALYTICS_QUERY token is available project-wide.
+ */
+import { Module, type DynamicModule } from '@nestjs/common';
+import { ANALYTICS_QUERY, CUBE_API_URL, CUBE_API_SECRET } from './analytics.tokens';
+import { CubeAnalyticsBackend } from './cube-backend';
+import { NoopAnalyticsBackend } from './noop-backend';
+
+export interface AnalyticsModuleOptions {
+  backend: 'cube' | 'noop';
+}
+
+@Module({})
+export class AnalyticsModule {
+  static forRoot(
+    options: AnalyticsModuleOptions = { backend: 'noop' },
+  ): DynamicModule {
+    if (options.backend === 'cube') {
+      return {
+        module: AnalyticsModule,
+        global: true,
+        providers: [
+          {
+            provide: CUBE_API_URL,
+            useValue: process.env['CUBE_API_URL'] ?? 'http://localhost:4000/cubejs-api/v1',
+          },
+          {
+            provide: CUBE_API_SECRET,
+            useValue: process.env['CUBE_API_SECRET'] ?? '',
+          },
+          { provide: ANALYTICS_QUERY, useClass: CubeAnalyticsBackend },
+        ],
+        exports: [ANALYTICS_QUERY],
+      };
+    }
+
+    return {
+      module: AnalyticsModule,
+      global: true,
+      providers: [{ provide: ANALYTICS_QUERY, useClass: NoopAnalyticsBackend }],
+      exports: [ANALYTICS_QUERY],
+    };
+  }
+}

package/runtime/subsystems/analytics/analytics.tokens.ts

@@ -0,0 +1,24 @@
+/**
+ * Injection tokens for the analytics subsystem.
+ *
+ * String constants (not Symbols) so they match by value across import
+ * boundaries — same convention as events.tokens.ts.
+ *
+ * Usage in services:
+ * ```typescript
+ * constructor(@Inject(ANALYTICS_QUERY) private readonly analytics: IAnalyticsQuery) {}
+ * ```
+ */
+export const ANALYTICS_QUERY = 'ANALYTICS_QUERY' as const;
+
+/**
+ * Injection token for the cube.js API URL.
+ * Provided automatically by AnalyticsModule.forRoot({ backend: 'cube' }).
+ */
+export const CUBE_API_URL = Symbol('CUBE_API_URL');
+
+/**
+ * Injection token for the cube.js API secret.
+ * Provided automatically by AnalyticsModule.forRoot({ backend: 'cube' }).
+ */
+export const CUBE_API_SECRET = Symbol('CUBE_API_SECRET');

package/runtime/subsystems/analytics/cube-backend.ts

@@ -0,0 +1,75 @@
+/**
+ * CubeAnalyticsBackend — cube.js backend for the analytics query port.
+ *
+ * Connects to a running cube.js instance via @cubejs-client/core and
+ * translates IAnalyticsQuery calls into cube.js query objects.
+ *
+ * @cubejs-client/core is an optional peer dependency; lazy-imported so
+ * the module loads even if the package isn't installed. Consumers who
+ * use the cube backend must install it separately:
+ *   bun add @cubejs-client/core
+ *
+ * Provided by AnalyticsModule.forRoot({ backend: 'cube' }).
+ */
+import { Inject, Injectable, OnModuleInit, Logger } from '@nestjs/common';
+import { CUBE_API_URL, CUBE_API_SECRET } from './analytics.tokens';
+import type {
+  AnalyticsQueryOpts,
+  IAnalyticsQuery,
+  ResultRow,
+} from './analytics-query.protocol';
+
+@Injectable()
+export class CubeAnalyticsBackend implements IAnalyticsQuery, OnModuleInit {
+  private readonly logger = new Logger(CubeAnalyticsBackend.name);
+  private cubejsApi: any;
+
+  constructor(
+    @Inject(CUBE_API_URL) private readonly apiUrl: string,
+    @Inject(CUBE_API_SECRET) private readonly apiSecret: string,
+  ) {}
+
+  async onModuleInit(): Promise<void> {
+    try {
+      const { default: cubejs } = await import('@cubejs-client/core');
+      this.cubejsApi = cubejs(this.apiSecret, { apiUrl: this.apiUrl });
+    } catch {
+      throw new Error(
+        'CubeAnalyticsBackend requires @cubejs-client/core. Install it: bun add @cubejs-client/core',
+      );
+    }
+  }
+
+  async execute(
+    cube: string,
+    measures: string[],
+    dimensions: string[],
+    where?: Record<string, any>,
+    opts?: AnalyticsQueryOpts,
+  ): Promise<ResultRow[]> {
+    if (!this.cubejsApi) {
+      this.logger.warn('Cube.js client not initialized — returning empty result');
+      return [];
+    }
+
+    const query: Record<string, any> = {
+      measures: measures.map((m) => cube + '.' + m),
+      dimensions: dimensions.map((d) => cube + '.' + d),
+    };
+
+    if (where && Object.keys(where).length > 0) {
+      query.filters = Object.entries(where).map(([member, value]) => ({
+        member: cube + '.' + member,
+        operator: 'equals',
+        values: Array.isArray(value) ? value : [String(value)],
+      }));
+    }
+
+    if (opts?.limit) {
+      query.limit = opts.limit;
+    }
+
+    const resultSet = await this.cubejsApi.load(query);
+    return resultSet.tablePivot() as ResultRow[];
+  }
+}

package/runtime/subsystems/analytics/index.ts

@@ -0,0 +1,15 @@
+/**
+ * Analytics subsystem — public API
+ *
+ * Import the module in AppModule, inject the query port via ANALYTICS_QUERY token.
+ */
+export type {
+  ResultRow,
+  AnalyticsQueryOpts,
+  IAnalyticsQuery,
+} from './analytics-query.protocol';
+export { ANALYTICS_QUERY, CUBE_API_URL, CUBE_API_SECRET } from './analytics.tokens';
+export { AnalyticsModule } from './analytics.module';
+export type { AnalyticsModuleOptions } from './analytics.module';
+export { CubeAnalyticsBackend } from './cube-backend';
+export { NoopAnalyticsBackend } from './noop-backend';

package/runtime/subsystems/analytics/noop-backend.ts

@@ -0,0 +1,27 @@
+/**
+ * NoopAnalyticsBackend — no-op backend for the analytics query port.
+ *
+ * Returns empty arrays for all queries. Use this backend when analytics
+ * is disabled or in tests that don't need real analytics data.
+ *
+ * Provided by AnalyticsModule.forRoot({ backend: 'noop' }).
+ */
+import { Injectable } from '@nestjs/common';
+import type {
+  AnalyticsQueryOpts,
+  IAnalyticsQuery,
+  ResultRow,
+} from './analytics-query.protocol';
+
+@Injectable()
+export class NoopAnalyticsBackend implements IAnalyticsQuery {
+  async execute(
+    _cube: string,
+    _measures: string[],
+    _dimensions: string[],
+    _where?: Record<string, any>,
+    _opts?: AnalyticsQueryOpts,
+  ): Promise<ResultRow[]> {
+    return [];
+  }
+}

package/runtime/subsystems/auth/auth.module.ts

@@ -0,0 +1,91 @@
+/**
+ * AuthModule — DynamicModule factory for the auth subsystem.
+ *
+ * Wires the two pluggable backends the subsystem ships with:
+ *   - `ENCRYPTION_KEY`       → `EnvEncryptionKey` (AES-256-GCM from env)
+ *   - `OAUTH_STATE_STORE`    → `InMemoryOAuthStateStore` (dev) / custom Redis impl (prod)
+ *
+ * The two integration-store ports (`AUTH_INTEGRATION_READER`,
+ * `AUTH_INTEGRATION_TOKEN_WRITER`) are deliberately **not** wired by this
+ * module — they are always consumer-specific (adapters over the app's own
+ * integrations entity/service). Consumers provide them in the module that
+ * owns the integrations domain, not here.
+ *
+ * `IAuthStrategy` implementations are also per-provider and live in the
+ * integration module that uses them (`SalesforceModule`, `HubSpotModule`, …).
+ * The subsystem provides the abstract base class
+ * (`OAuth2RefreshStrategy`) — binding concrete strategies is an app concern.
+ *
+ * Usage in AppModule:
+ * ```typescript
+ * AuthModule.forRoot({
+ *   encryptionKey: 'env',
+ *   oauthStateStore: 'in-memory',
+ * });
+ * ```
+ *
+ * Or inject custom providers directly:
+ * ```typescript
+ * AuthModule.forRoot({
+ *   encryptionKey: { useClass: MyKmsEncryptionKey },
+ *   oauthStateStore: { useClass: RedisOAuthStateStore },
+ * });
+ * ```
+ *
+ * `global: true` means other modules don't need to re-import AuthModule to
+ * inject `ENCRYPTION_KEY` / `OAUTH_STATE_STORE`.
+ */
+import { Module, type DynamicModule, type Provider } from '@nestjs/common';
+import { ENCRYPTION_KEY, OAUTH_STATE_STORE } from './auth.tokens';
+import { EnvEncryptionKey } from './backends/encryption-key/env';
+import { InMemoryOAuthStateStore } from './backends/oauth-state-store/in-memory';
+
+type EncryptionKeyChoice =
+  | 'env'
+  | Omit<Provider, 'provide'>;
+
+type OAuthStateStoreChoice =
+  | 'in-memory'
+  | Omit<Provider, 'provide'>;
+
+export interface AuthModuleOptions {
+  /** `'env'` (default) or a full provider definition (e.g. `{ useClass: MyKmsEncryptionKey }`). */
+  encryptionKey?: EncryptionKeyChoice;
+  /** `'in-memory'` (default) or a full provider definition for a Redis/DB impl. */
+  oauthStateStore?: OAuthStateStoreChoice;
+}
+
+function resolveEncryptionKeyProvider(choice: EncryptionKeyChoice): Provider {
+  if (choice === 'env') {
+    return { provide: ENCRYPTION_KEY, useClass: EnvEncryptionKey };
+  }
+  return { provide: ENCRYPTION_KEY, ...choice } as Provider;
+}
+
+function resolveOAuthStateStoreProvider(
+  choice: OAuthStateStoreChoice,
+): Provider {
+  if (choice === 'in-memory') {
+    return { provide: OAUTH_STATE_STORE, useClass: InMemoryOAuthStateStore };
+  }
+  return { provide: OAUTH_STATE_STORE, ...choice } as Provider;
+}
+
+@Module({})
+export class AuthModule {
+  static forRoot(options: AuthModuleOptions = {}): DynamicModule {
+    const encryptionKeyProvider = resolveEncryptionKeyProvider(
+      options.encryptionKey ?? 'env',
+    );
+    const oauthStateStoreProvider = resolveOAuthStateStoreProvider(
+      options.oauthStateStore ?? 'in-memory',
+    );
+
+    return {
+      module: AuthModule,
+      global: true,
+      providers: [encryptionKeyProvider, oauthStateStoreProvider],
+      exports: [ENCRYPTION_KEY, OAUTH_STATE_STORE],
+    };
+  }
+}

package/runtime/subsystems/auth/auth.tokens.ts

@@ -0,0 +1,27 @@
+/**
+ * Auth subsystem — injection tokens.
+ *
+ * Following ADR-008 guidance: `Symbol()` tokens for type safety and collision
+ * avoidance. Consumers inject these via `@Inject(...)` against the matching
+ * protocol interface.
+ *
+ * Usage:
+ * ```typescript
+ * constructor(
+ *   @Inject(ENCRYPTION_KEY) private readonly key: IEncryptionKey,
+ *   @Inject(OAUTH_STATE_STORE) private readonly states: IOAuthStateStore,
+ *   @Inject(AUTH_INTEGRATION_READER) private readonly reader: IIntegrationReader,
+ *   @Inject(AUTH_INTEGRATION_TOKEN_WRITER) private readonly writer: IIntegrationTokenWriter,
+ * ) {}
+ * ```
+ *
+ * `IAuthStrategy` implementations are provider-specific and registered under
+ * provider-specific tokens (e.g. `SALESFORCE_AUTH_STRATEGY`,
+ * `HUBSPOT_AUTH_STRATEGY`) by each integration module — this subsystem does
+ * not mandate a single `AUTH_STRATEGY` token because an app typically has
+ * many concurrent strategies, one per provider.
+ */
+export const ENCRYPTION_KEY = Symbol('ENCRYPTION_KEY');
+export const OAUTH_STATE_STORE = Symbol('OAUTH_STATE_STORE');
+export const AUTH_INTEGRATION_READER = Symbol('AUTH_INTEGRATION_READER');
+export const AUTH_INTEGRATION_TOKEN_WRITER = Symbol('AUTH_INTEGRATION_TOKEN_WRITER');

package/runtime/subsystems/auth/backends/encryption-key/env.ts

@@ -0,0 +1,76 @@
+/**
+ * Env-backed AES-256-GCM encryption.
+ *
+ * Framing: `base64( nonce(12B) || ciphertext || authTag(16B) )`. Random nonce
+ * per call means two encryptions of the same plaintext produce different
+ * ciphertexts — prevents replay-style inference. Auth tag enforces integrity;
+ * any tampering throws on decrypt.
+ *
+ * Key source: `TOKEN_ENCRYPTION_KEY` env var, 32 bytes base64-encoded.
+ * Generate via `openssl rand -base64 32`.
+ *
+ * Future backend: `kms.ts` (AWS/GCP KMS) for production deployments that
+ * need key rotation + audit trails.
+ */
+import { createCipheriv, createDecipheriv, randomBytes } from 'node:crypto';
+import type { IEncryptionKey } from '../../protocols/encryption-key';
+
+export interface EnvEncryptionKeyOptions {
+  /** Defaults to `process.env`. Tests inject a fixture. */
+  env?: NodeJS.ProcessEnv;
+  /** Defaults to `'TOKEN_ENCRYPTION_KEY'`. */
+  envVar?: string;
+}
+
+const ALGO = 'aes-256-gcm';
+const NONCE_BYTES = 12;
+const TAG_BYTES = 16;
+const KEY_BYTES = 32;
+
+export class EnvEncryptionKey implements IEncryptionKey {
+  private readonly key: Buffer;
+
+  constructor(opts: EnvEncryptionKeyOptions = {}) {
+    const env = opts.env ?? process.env;
+    const envVar = opts.envVar ?? 'TOKEN_ENCRYPTION_KEY';
+    const raw = env[envVar];
+    if (!raw) {
+      throw new Error(
+        `EnvEncryptionKey: ${envVar} is not set. Generate with: openssl rand -base64 32`,
+      );
+    }
+    const decoded = Buffer.from(raw, 'base64');
+    if (decoded.length !== KEY_BYTES) {
+      throw new Error(
+        `EnvEncryptionKey: ${envVar} must decode to ${KEY_BYTES} bytes (got ${decoded.length}). Use: openssl rand -base64 32`,
+      );
+    }
+    this.key = decoded;
+  }
+
+  async encrypt(plaintext: string): Promise<string> {
+    const nonce = randomBytes(NONCE_BYTES);
+    const cipher = createCipheriv(ALGO, this.key, nonce);
+    const ciphertext = Buffer.concat([
+      cipher.update(plaintext, 'utf8'),
+      cipher.final(),
+    ]);
+    const authTag = cipher.getAuthTag();
+    return Buffer.concat([nonce, ciphertext, authTag]).toString('base64');
+  }
+
+  async decrypt(ciphertext: string): Promise<string> {
+    const buf = Buffer.from(ciphertext, 'base64');
+    if (buf.length < NONCE_BYTES + TAG_BYTES) {
+      throw new Error('EnvEncryptionKey: ciphertext too short');
+    }
+    const nonce = buf.subarray(0, NONCE_BYTES);
+    const authTag = buf.subarray(buf.length - TAG_BYTES);
+    const body = buf.subarray(NONCE_BYTES, buf.length - TAG_BYTES);
+
+    const decipher = createDecipheriv(ALGO, this.key, nonce);
+    decipher.setAuthTag(authTag);
+    const plain = Buffer.concat([decipher.update(body), decipher.final()]);
+    return plain.toString('utf8');
+  }
+}

package/runtime/subsystems/auth/backends/oauth-state-store/in-memory.ts

@@ -0,0 +1,42 @@
+/**
+ * In-memory OAuth state store.
+ *
+ * Single-process dev store. Production deployments need a Redis-backed impl
+ * (follow-up) so state survives restarts + is shared across workers.
+ */
+import type {
+  IOAuthStateStore,
+  OAuthStateEntry,
+} from '../../protocols/oauth-state-store';
+
+export interface InMemoryOAuthStateStoreOptions {
+  /** TTL in ms. Entries older than this are treated as absent. Default 10min. */
+  ttlMs?: number;
+  now?: () => number;
+}
+
+export class InMemoryOAuthStateStore implements IOAuthStateStore {
+  private readonly store = new Map<
+    string,
+    { entry: OAuthStateEntry; expiresAt: number }
+  >();
+  private readonly ttlMs: number;
+  private readonly now: () => number;
+
+  constructor(opts: InMemoryOAuthStateStoreOptions = {}) {
+    this.ttlMs = opts.ttlMs ?? 10 * 60 * 1000;
+    this.now = opts.now ?? (() => Date.now());
+  }
+
+  async put(state: string, entry: OAuthStateEntry): Promise<void> {
+    this.store.set(state, { entry, expiresAt: this.now() + this.ttlMs });
+  }
+
+  async consume(state: string): Promise<OAuthStateEntry | null> {
+    const slot = this.store.get(state);
+    if (!slot) return null;
+    this.store.delete(state);
+    if (slot.expiresAt <= this.now()) return null;
+    return slot.entry;
+  }
+}

package/runtime/subsystems/auth/index.ts

@@ -0,0 +1,77 @@
+/**
+ * Auth subsystem — public API.
+ *
+ * Protocol → Backend → Factory, per ADR-008 + ADR-031. Imports:
+ *
+ * ```typescript
+ * import {
+ *   AuthModule,
+ *   ENCRYPTION_KEY,
+ *   OAUTH_STATE_STORE,
+ *   AUTH_INTEGRATION_READER,
+ *   AUTH_INTEGRATION_TOKEN_WRITER,
+ *   OAuth2RefreshStrategy,
+ *   withAuthRetry,
+ *   IntegrationBrokenError,
+ *   SessionExpiredError,
+ *   type IAuthStrategy,
+ *   type IEncryptionKey,
+ *   type IOAuthStateStore,
+ *   type IIntegrationReader,
+ *   type IIntegrationTokenWriter,
+ * } from '@pattern-stack/codegen/runtime/subsystems/auth';
+ * ```
+ */
+
+// Protocols
+export type {
+  AuthCredentials,
+  AuthResolveOptions,
+  IAuthStrategy,
+} from './protocols/auth-strategy';
+export type { IEncryptionKey } from './protocols/encryption-key';
+export type {
+  IOAuthStateStore,
+  OAuthStateEntry,
+} from './protocols/oauth-state-store';
+export type {
+  DecryptedIntegration,
+  IIntegrationReader,
+  IIntegrationTokenWriter,
+  IntegrationTokenUpdate,
+} from './protocols/integration-store';
+
+// Tokens
+export {
+  ENCRYPTION_KEY,
+  OAUTH_STATE_STORE,
+  AUTH_INTEGRATION_READER,
+  AUTH_INTEGRATION_TOKEN_WRITER,
+} from './auth.tokens';
+
+// Runtime
+export {
+  OAuth2RefreshStrategy,
+  type OAuth2RefreshStrategyOptions,
+  type ParsedRefreshResponse,
+  type FetchLike,
+} from './runtime/oauth2-refresh.strategy';
+export { withAuthRetry, type WithAuthRetryOptions } from './runtime/with-auth-retry';
+export { IntegrationBrokenError } from './runtime/integration-broken.error';
+export {
+  SessionExpiredError,
+  isSessionExpiredError,
+} from './runtime/session-expired.error';
+
+// Backends
+export {
+  EnvEncryptionKey,
+  type EnvEncryptionKeyOptions,
+} from './backends/encryption-key/env';
+export {
+  InMemoryOAuthStateStore,
+  type InMemoryOAuthStateStoreOptions,
+} from './backends/oauth-state-store/in-memory';
+
+// Module
+export { AuthModule, type AuthModuleOptions } from './auth.module';

package/runtime/subsystems/auth/protocols/auth-strategy.ts

@@ -0,0 +1,46 @@
+/**
+ * Auth subsystem — `IAuthStrategy` port.
+ *
+ * The credentials-resolution seam used by every integration adapter. Adapters
+ * depend on this interface; concrete strategies (SalesforceAuthStrategy,
+ * HubSpotAuthStrategy, future Gmail/Calendar) typically extend the
+ * `OAuth2RefreshStrategy` template-method base in `../runtime/`.
+ *
+ * See `docs/adrs/ADR-031-auth-subsystem.md` and
+ * `docs/gate-1-auth-extraction-findings.md` (inbound from dealbrain-v2) for
+ * the rationale.
+ */
+
+/**
+ * Credentials the adapter consumes — opaque bag at this boundary. Provider-
+ * specific shapes (`instanceUrl` for Salesforce, no host for HubSpot) live
+ * inside as extra fields.
+ */
+export interface AuthCredentials {
+  accessToken: string;
+  /** OAuth refresh token if the adapter needs to inspect it. Usually omitted. */
+  refreshToken?: string;
+  /** Provider-specific extras (instance URL, api version, scope list, …). */
+  [extra: string]: unknown;
+}
+
+export interface AuthResolveOptions {
+  /**
+   * Force the strategy to bypass its cache and mint fresh credentials.
+   * Callers use this after catching a session-expired error; a second
+   * resolve that still returns an expired token fails hard rather than
+   * looping.
+   */
+  forceRefresh?: boolean;
+}
+
+/**
+ * Auth-strategy contract shared by every integration adapter. Implementations
+ * typically extend `OAuth2RefreshStrategy` and override four small hooks.
+ */
+export interface IAuthStrategy {
+  resolve(
+    integrationId: string,
+    opts?: AuthResolveOptions,
+  ): Promise<AuthCredentials>;
+}

package/runtime/subsystems/auth/protocols/encryption-key.ts

@@ -0,0 +1,21 @@
+/**
+ * Auth subsystem — `IEncryptionKey` port.
+ *
+ * Symmetric encryption for secrets at rest (OAuth tokens, API keys).
+ * Ciphertexts are opaque strings; implementations embed whatever framing
+ * (nonce, auth tag, key version) they need. Callers must not inspect the
+ * ciphertext format.
+ */
+export interface IEncryptionKey {
+  /**
+   * Encrypt plaintext. Output is a self-contained string that includes any
+   * nonce + auth tag the impl needs for decryption. Safe to persist.
+   */
+  encrypt(plaintext: string): Promise<string>;
+
+  /**
+   * Decrypt a ciphertext produced by this impl. Throws on tamper (auth tag
+   * mismatch) or malformed input.
+   */
+  decrypt(ciphertext: string): Promise<string>;
+}