@pattern-stack/codegen 0.6.3 → 0.6.5

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pattern-stack/codegen",
-  "version": "0.6.3",
+  "version": "0.6.5",
   "description": "Entity-driven code generation for full-stack TypeScript applications",
   "license": "MIT",
   "type": "module",
@@ -33,6 +33,7 @@
     }
   },
   "bin": {
+    "codegen": "dist/src/cli/index.js",
     "cdp": "dist/src/cli/index.js"
   },
   "files": [

package/runtime/subsystems/auth/auth-oauth-state.schema.ts

@@ -0,0 +1,30 @@
+/**
+ * Drizzle schema for the `auth_oauth_state` table — backs the
+ * `DrizzleOAuthStateStore` (`state-store.drizzle-backend.ts`).
+ *
+ * One row per outstanding /connect → /callback dance. Single-use; rows are
+ * deleted on consume. A periodic sweep (or a `WHERE expires_at < now()`
+ * filter on read) clears abandoned rows.
+ *
+ * Columns:
+ *   - `state`       — opaque random token, primary key.
+ *   - `user_id`     — text (matches the consumer-defined user-id shape;
+ *                     the auth subsystem doesn't constrain this to UUID
+ *                     because some apps key users by external id).
+ *   - `redirect`    — optional post-callback redirect path.
+ *   - `expires_at`  — TTL boundary; entries past this are treated as absent.
+ *
+ * Convention: schema files live at the root of the subsystem dir
+ * (mirrors `cache.schema.ts`, `sync-audit.schema.ts`, `domain-events.schema.ts`).
+ */
+import { pgTable, text, timestamp } from 'drizzle-orm/pg-core';
+import type { InferSelectModel } from 'drizzle-orm';
+
+export const authOAuthState = pgTable('auth_oauth_state', {
+  state: text('state').primaryKey(),
+  userId: text('user_id').notNull(),
+  redirect: text('redirect'),
+  expiresAt: timestamp('expires_at', { withTimezone: true }).notNull(),
+});
+
+export type AuthOAuthState = InferSelectModel<typeof authOAuthState>;

package/runtime/subsystems/auth/auth.module.ts

@@ -1,58 +1,82 @@
 /**
  * AuthModule — DynamicModule factory for the auth subsystem.
  *
- * Wires the two pluggable backends the subsystem ships with:
- *   - `ENCRYPTION_KEY`       → `EnvEncryptionKey` (AES-256-GCM from env)
- *   - `OAUTH_STATE_STORE`    → `InMemoryOAuthStateStore` (dev) / custom Redis impl (prod)
+ * Wires the pluggable backends the subsystem ships with:
+ *   - `ENCRYPTION_KEY`      → `EnvEncryptionKey` (AES-256-GCM from env)
+ *   - `OAUTH_STATE_STORE`   → `MemoryOAuthStateStore` (dev/tests) or
+ *                             `DrizzleOAuthStateStore` (prod, requires
+ *                             DRIZZLE provider).
+ *   - `AUTH_OPTIONS`        → resolved options bag (used by AuthController
+ *                             for `redirectUriBase`).
  *
- * The two integration-store ports (`AUTH_INTEGRATION_READER`,
- * `AUTH_INTEGRATION_TOKEN_WRITER`) are deliberately **not** wired by this
- * module — they are always consumer-specific (adapters over the app's own
- * integrations entity/service). Consumers provide them in the module that
- * owns the integrations domain, not here.
+ * The integration-store ports (`AUTH_INTEGRATION_READER`,
+ * `AUTH_INTEGRATION_TOKEN_WRITER`, `AUTH_INTEGRATION_GRANT_SINK`),
+ * `AUTH_USER_CONTEXT`, and `STRATEGY_REGISTRY` are deliberately **not**
+ * wired here — they are always consumer-specific:
+ *   - integration-store ports adapt the consumer's `integrations` storage;
+ *   - `IUserContext` adapts the app's session/JWT scheme;
+ *   - `STRATEGY_REGISTRY` is populated from the per-provider strategy
+ *     classes the consumer maintains.
  *
- * `IAuthStrategy` implementations are also per-provider and live in the
- * integration module that uses them (`SalesforceModule`, `HubSpotModule`, …).
- * The subsystem provides the abstract base class
- * (`OAuth2RefreshStrategy`) — binding concrete strategies is an app concern.
+ * Consumers provide them in their app module (or by importing the
+ * `auth-integrations` starter, which binds the three integration-store
+ * ports off a single canonical entity).
  *
  * Usage in AppModule:
  * ```typescript
  * AuthModule.forRoot({
  *   encryptionKey: 'env',
- *   oauthStateStore: 'in-memory',
- * });
- * ```
- *
- * Or inject custom providers directly:
- * ```typescript
- * AuthModule.forRoot({
- *   encryptionKey: { useClass: MyKmsEncryptionKey },
- *   oauthStateStore: { useClass: RedisOAuthStateStore },
+ *   oauthStateStore: 'memory',          // or 'drizzle'
+ *   enableController: true,
+ *   redirectUriBase: 'http://localhost:3000',
  * });
  * ```
  *
  * `global: true` means other modules don't need to re-import AuthModule to
- * inject `ENCRYPTION_KEY` / `OAUTH_STATE_STORE`.
+ * inject the auth tokens.
  */
 import { Module, type DynamicModule, type Provider } from '@nestjs/common';
-import { ENCRYPTION_KEY, OAUTH_STATE_STORE } from './auth.tokens';
+import {
+  AUTH_OPTIONS,
+  ENCRYPTION_KEY,
+  OAUTH_STATE_STORE,
+} from './auth.tokens';
 import { EnvEncryptionKey } from './backends/encryption-key/env';
-import { InMemoryOAuthStateStore } from './backends/oauth-state-store/in-memory';
+import { MemoryOAuthStateStore } from './backends/state-store.memory-backend';
+import { DrizzleOAuthStateStore } from './backends/state-store.drizzle-backend';
+import { AuthController } from './controllers/auth.controller';
+import { DRIZZLE } from '../../constants/tokens';
+import type { DrizzleClient } from '../../types/drizzle';
 
 type EncryptionKeyChoice =
   | 'env'
   | Omit<Provider, 'provide'>;
 
 type OAuthStateStoreChoice =
-  | 'in-memory'
+  | 'memory'
+  | 'drizzle'
   | Omit<Provider, 'provide'>;
 
 export interface AuthModuleOptions {
   /** `'env'` (default) or a full provider definition (e.g. `{ useClass: MyKmsEncryptionKey }`). */
   encryptionKey?: EncryptionKeyChoice;
-  /** `'in-memory'` (default) or a full provider definition for a Redis/DB impl. */
+  /**
+   * `'memory'` (default — tests/dev) or `'drizzle'` (prod, requires DRIZZLE
+   * provider) or a full provider definition for a custom impl.
+   */
   oauthStateStore?: OAuthStateStoreChoice;
+  /**
+   * Mount `AuthController` (`/auth/:provider/connect` + `/callback`).
+   * Default `false` — apps that hand-roll connect/callback (rare) or that
+   * use the subsystem only for the refresh path can opt out.
+   */
+  enableController?: boolean;
+  /**
+   * Public base URL of the API server. Used to construct per-provider
+   * callback URIs as `${redirectUriBase}/auth/:provider/callback`.
+   * Required when `enableController: true`.
+   */
+  redirectUriBase?: string;
 }
 
 function resolveEncryptionKeyProvider(choice: EncryptionKeyChoice): Provider {
@@ -65,8 +89,23 @@ function resolveEncryptionKeyProvider(choice: EncryptionKeyChoice): Provider {
 function resolveOAuthStateStoreProvider(
   choice: OAuthStateStoreChoice,
 ): Provider {
-  if (choice === 'in-memory') {
-    return { provide: OAUTH_STATE_STORE, useClass: InMemoryOAuthStateStore };
+  if (choice === 'memory') {
+    return { provide: OAUTH_STATE_STORE, useClass: MemoryOAuthStateStore };
+  }
+  if (choice === 'drizzle') {
+    return {
+      provide: OAUTH_STATE_STORE,
+      useFactory: (db: DrizzleClient | null) => {
+        if (!db) {
+          throw new Error(
+            "AuthModule.forRoot: oauthStateStore: 'drizzle' selected but DRIZZLE provider is not available. " +
+              'Ensure DatabaseModule (or another provider exposing DRIZZLE) is imported before AuthModule.forRoot.',
+          );
+        }
+        return new DrizzleOAuthStateStore(db);
+      },
+      inject: [{ token: DRIZZLE, optional: true }],
+    };
   }
   return { provide: OAUTH_STATE_STORE, ...choice } as Provider;
 }
@@ -74,18 +113,36 @@ function resolveOAuthStateStoreProvider(
 @Module({})
 export class AuthModule {
   static forRoot(options: AuthModuleOptions = {}): DynamicModule {
+    const resolved: AuthModuleOptions = {
+      encryptionKey: options.encryptionKey ?? 'env',
+      oauthStateStore: options.oauthStateStore ?? 'memory',
+      enableController: options.enableController ?? false,
+      redirectUriBase: options.redirectUriBase,
+    };
+
+    if (resolved.enableController && !resolved.redirectUriBase) {
+      throw new Error(
+        'AuthModule.forRoot: redirectUriBase is required when enableController: true',
+      );
+    }
+
     const encryptionKeyProvider = resolveEncryptionKeyProvider(
-      options.encryptionKey ?? 'env',
+      resolved.encryptionKey!,
     );
     const oauthStateStoreProvider = resolveOAuthStateStoreProvider(
-      options.oauthStateStore ?? 'in-memory',
+      resolved.oauthStateStore!,
     );
+    const optionsProvider: Provider = {
+      provide: AUTH_OPTIONS,
+      useValue: resolved,
+    };
 
     return {
       module: AuthModule,
       global: true,
-      providers: [encryptionKeyProvider, oauthStateStoreProvider],
-      exports: [ENCRYPTION_KEY, OAUTH_STATE_STORE],
+      providers: [encryptionKeyProvider, oauthStateStoreProvider, optionsProvider],
+      controllers: resolved.enableController ? [AuthController] : [],
+      exports: [ENCRYPTION_KEY, OAUTH_STATE_STORE, AUTH_OPTIONS],
     };
   }
 }

package/runtime/subsystems/auth/auth.tokens.ts

@@ -12,6 +12,9 @@
  *   @Inject(OAUTH_STATE_STORE) private readonly states: IOAuthStateStore,
  *   @Inject(AUTH_INTEGRATION_READER) private readonly reader: IIntegrationReader,
  *   @Inject(AUTH_INTEGRATION_TOKEN_WRITER) private readonly writer: IIntegrationTokenWriter,
+ *   @Inject(AUTH_INTEGRATION_GRANT_SINK) private readonly grants: IIntegrationGrantSink,
+ *   @Inject(AUTH_USER_CONTEXT) private readonly userCtx: IUserContext,
+ *   @Inject(STRATEGY_REGISTRY) private readonly registry: ProviderStrategyRegistry,
  * ) {}
  * ```
  *
@@ -19,9 +22,19 @@
  * provider-specific tokens (e.g. `SALESFORCE_AUTH_STRATEGY`,
  * `HUBSPOT_AUTH_STRATEGY`) by each integration module — this subsystem does
  * not mandate a single `AUTH_STRATEGY` token because an app typically has
- * many concurrent strategies, one per provider.
+ * many concurrent strategies, one per provider. They are dispatched through
+ * `STRATEGY_REGISTRY` (a `ReadonlyMap<slug, ProviderStrategy>`), populated
+ * by per-provider modules via a `useFactory` provider.
  */
 export const ENCRYPTION_KEY = Symbol('ENCRYPTION_KEY');
 export const OAUTH_STATE_STORE = Symbol('OAUTH_STATE_STORE');
 export const AUTH_INTEGRATION_READER = Symbol('AUTH_INTEGRATION_READER');
 export const AUTH_INTEGRATION_TOKEN_WRITER = Symbol('AUTH_INTEGRATION_TOKEN_WRITER');
+export const AUTH_INTEGRATION_GRANT_SINK = Symbol('AUTH_INTEGRATION_GRANT_SINK');
+export const AUTH_USER_CONTEXT = Symbol('AUTH_USER_CONTEXT');
+export const STRATEGY_REGISTRY = Symbol('STRATEGY_REGISTRY');
+/**
+ * Holds the resolved `AuthModuleOptions` (used by `AuthController` to read
+ * `redirectUriBase` for building per-provider callback URIs).
+ */
+export const AUTH_OPTIONS = Symbol('AUTH_OPTIONS');

package/runtime/subsystems/auth/backends/state-store.drizzle-backend.ts

@@ -0,0 +1,83 @@
+/**
+ * Drizzle-backed `IOAuthStateStore`.
+ *
+ * Uses the `auth_oauth_state` table (see `auth-oauth-state.schema.ts`).
+ * Single-use semantics enforced via `DELETE ... RETURNING`: the consume
+ * path atomically deletes and returns the row, so a concurrent /callback
+ * with the same state cannot replay.
+ *
+ * Behaviour:
+ *   - `generate(record)` mints a 256-bit base64url token, INSERTs the row
+ *     with `expires_at = now() + ttlMs`.
+ *   - `consume(state)` runs `DELETE ... WHERE state = $1 RETURNING ...`
+ *     once. Throws `OAuthStateError('missing')` if no row was deleted
+ *     (unknown or already consumed) and `OAuthStateError('expired')` if
+ *     the deleted row was past its `expires_at`.
+ */
+import { randomBytes } from 'node:crypto';
+import { eq } from 'drizzle-orm';
+import type { DrizzleClient } from '../../../types/drizzle';
+import { authOAuthState } from '../auth-oauth-state.schema';
+import {
+  type IOAuthStateStore,
+  type OAuthStateRecord,
+  OAuthStateError,
+} from '../protocols/oauth-state-store';
+
+export interface DrizzleOAuthStateStoreOptions {
+  /** TTL in ms. Default 10 minutes. */
+  ttlMs?: number;
+  /** Injectable clock for tests. Default `Date.now`. */
+  now?: () => number;
+  /** Injectable token generator for tests. Default 32-byte base64url. */
+  generateToken?: () => string;
+}
+
+export class DrizzleOAuthStateStore implements IOAuthStateStore {
+  private readonly ttlMs: number;
+  private readonly now: () => number;
+  private readonly generateToken: () => string;
+
+  constructor(
+    private readonly db: DrizzleClient,
+    opts: DrizzleOAuthStateStoreOptions = {},
+  ) {
+    this.ttlMs = opts.ttlMs ?? 10 * 60 * 1000;
+    this.now = opts.now ?? (() => Date.now());
+    this.generateToken =
+      opts.generateToken ?? (() => randomBytes(32).toString('base64url'));
+  }
+
+  async generate(record: OAuthStateRecord): Promise<string> {
+    const state = this.generateToken();
+    const expiresAt = new Date(this.now() + this.ttlMs);
+    await this.db.insert(authOAuthState).values({
+      state,
+      userId: record.userId,
+      redirect: record.redirect ?? null,
+      expiresAt,
+    });
+    return state;
+  }
+
+  async consume(state: string): Promise<OAuthStateRecord> {
+    const rows = await this.db
+      .delete(authOAuthState)
+      .where(eq(authOAuthState.state, state))
+      .returning();
+    const row = rows[0];
+    if (!row) {
+      throw new OAuthStateError(
+        `OAuth state token unknown or already consumed`,
+        'missing',
+      );
+    }
+    if (row.expiresAt.getTime() <= this.now()) {
+      throw new OAuthStateError(`OAuth state token expired`, 'expired');
+    }
+    return {
+      userId: row.userId,
+      redirect: row.redirect ?? undefined,
+    };
+  }
+}

package/runtime/subsystems/auth/backends/state-store.memory-backend.ts

@@ -0,0 +1,76 @@
+/**
+ * In-memory `IOAuthStateStore` backend.
+ *
+ * Single-process store — Map<state, { record, expiresAt }>. Suitable for
+ * tests and single-worker dev. Production deployments select the drizzle
+ * backend so state survives restarts and is shared across workers.
+ *
+ * Single-use semantics:
+ *   - `generate(record)` mints a 256-bit random token (base64url, opaque).
+ *   - `consume(state)` deletes the entry on read. A second call with the
+ *     same state throws `OAuthStateError('replay')`.
+ *   - Expired entries also throw (`'expired'`); the entry is deleted as a
+ *     side effect so a later replay still surfaces correctly.
+ *
+ * TTL defaults to 10 minutes — long enough for a user to complete the
+ * provider's consent screen, short enough that abandoned states age out.
+ */
+import { randomBytes } from 'node:crypto';
+import {
+  type IOAuthStateStore,
+  type OAuthStateRecord,
+  OAuthStateError,
+} from '../protocols/oauth-state-store';
+
+export interface MemoryOAuthStateStoreOptions {
+  /** TTL in ms. Default 10 minutes. */
+  ttlMs?: number;
+  /** Injectable clock for tests. Default `Date.now`. */
+  now?: () => number;
+  /** Injectable token generator for tests. Default 32-byte base64url. */
+  generateToken?: () => string;
+}
+
+interface Slot {
+  record: OAuthStateRecord;
+  expiresAt: number;
+}
+
+export class MemoryOAuthStateStore implements IOAuthStateStore {
+  private readonly store = new Map<string, Slot>();
+  private readonly ttlMs: number;
+  private readonly now: () => number;
+  private readonly generateToken: () => string;
+
+  constructor(opts: MemoryOAuthStateStoreOptions = {}) {
+    this.ttlMs = opts.ttlMs ?? 10 * 60 * 1000;
+    this.now = opts.now ?? (() => Date.now());
+    this.generateToken =
+      opts.generateToken ?? (() => randomBytes(32).toString('base64url'));
+  }
+
+  async generate(record: OAuthStateRecord): Promise<string> {
+    const state = this.generateToken();
+    this.store.set(state, {
+      record: { ...record },
+      expiresAt: this.now() + this.ttlMs,
+    });
+    return state;
+  }
+
+  async consume(state: string): Promise<OAuthStateRecord> {
+    const slot = this.store.get(state);
+    if (!slot) {
+      throw new OAuthStateError(
+        `OAuth state token unknown or already consumed`,
+        'missing',
+      );
+    }
+    // Delete first so a concurrent consume can't replay.
+    this.store.delete(state);
+    if (slot.expiresAt <= this.now()) {
+      throw new OAuthStateError(`OAuth state token expired`, 'expired');
+    }
+    return slot.record;
+  }
+}

package/runtime/subsystems/auth/controllers/auth.controller.ts

@@ -0,0 +1,155 @@
+/**
+ * AuthController — provider-agnostic OAuth2 connect/callback dance.
+ *
+ * Mounts two routes:
+ *   - `GET /auth/:provider/connect?redirect=...` — generates state, builds
+ *     the provider's authorize-url, 302-redirects the browser there.
+ *   - `GET /auth/:provider/callback?code=...&state=...` — consumes state,
+ *     exchanges the code for tokens, hands them to the grant sink, then
+ *     302-redirects to the post-connect path.
+ *
+ * Hexagonal seams:
+ *   - `STRATEGY_REGISTRY` (ReadonlyMap<slug, ProviderStrategy>) — dispatch.
+ *     Concrete per-provider strategies live consumer-side and contribute
+ *     entries via a `useFactory` in the consumer's app module.
+ *   - `AUTH_USER_CONTEXT` (IUserContext) — resolves "who is this request"
+ *     from the consumer's session/JWT/etc.
+ *   - `OAUTH_STATE_STORE` (IOAuthStateStore) — CSRF state minting/consume.
+ *   - `AUTH_INTEGRATION_GRANT_SINK` (IIntegrationGrantSink) — persists the
+ *     freshly-minted grant. Adapter lives consumer-side (e.g. the
+ *     auth-integrations starter from #285).
+ *
+ * The controller never imports `IntegrationsService` or any other concrete
+ * consumer type — it goes through ports only.
+ */
+import {
+  Controller,
+  Get,
+  Inject,
+  Param,
+  Query,
+  Req,
+  Res,
+  HttpException,
+  HttpStatus,
+} from '@nestjs/common';
+import {
+  AUTH_INTEGRATION_GRANT_SINK,
+  AUTH_OPTIONS,
+  AUTH_USER_CONTEXT,
+  OAUTH_STATE_STORE,
+  STRATEGY_REGISTRY,
+} from '../auth.tokens';
+import type { AuthModuleOptions } from '../auth.module';
+import type { IOAuthStateStore } from '../protocols/oauth-state-store';
+import type { IUserContext } from '../protocols/user-context';
+import type {
+  ProviderStrategy,
+  ProviderStrategyRegistry,
+} from '../protocols/provider-strategy';
+import type { IIntegrationGrantSink } from '../protocols/integration-store';
+
+/**
+ * Minimal response surface used by the controller — typed loosely so we
+ * don't pull a hard dep on `express` or `fastify`. Both popular HTTP
+ * adapters expose `redirect(status, url)`.
+ */
+interface RedirectingResponse {
+  redirect(statusCode: number, url: string): unknown;
+}
+
+@Controller('auth')
+export class AuthController {
+  constructor(
+    @Inject(STRATEGY_REGISTRY)
+    private readonly registry: ProviderStrategyRegistry,
+    @Inject(AUTH_USER_CONTEXT)
+    private readonly userContext: IUserContext,
+    @Inject(OAUTH_STATE_STORE)
+    private readonly stateStore: IOAuthStateStore,
+    @Inject(AUTH_INTEGRATION_GRANT_SINK)
+    private readonly grantSink: IIntegrationGrantSink,
+    @Inject(AUTH_OPTIONS)
+    private readonly options: AuthModuleOptions,
+  ) {}
+
+  @Get(':provider/connect')
+  async connect(
+    @Param('provider') slug: string,
+    @Query('redirect') redirect: string | undefined,
+    @Req() req: unknown,
+    @Res() res: RedirectingResponse,
+  ): Promise<unknown> {
+    const strategy = this.requireStrategy(slug);
+    const userId = await this.userContext.getCurrentUserId(req);
+    const state = await this.stateStore.generate({ userId, redirect });
+    const url = strategy.buildAuthorizeUrl({
+      state,
+      redirectUri: this.redirectUriFor(slug),
+    });
+    return res.redirect(HttpStatus.FOUND, url);
+  }
+
+  @Get(':provider/callback')
+  async callback(
+    @Param('provider') slug: string,
+    @Query('code') code: string | undefined,
+    @Query('state') state: string | undefined,
+    @Res() res: RedirectingResponse,
+  ): Promise<unknown> {
+    const strategy = this.requireStrategy(slug);
+    if (!code) {
+      throw new HttpException(
+        `Missing 'code' query param`,
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+    if (!state) {
+      throw new HttpException(
+        `Missing 'state' query param`,
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+    const { userId, redirect } = await this.stateStore.consume(state);
+    const tokens = await strategy.exchangeCodeForTokens({
+      code,
+      redirectUri: this.redirectUriFor(slug),
+    });
+    await this.grantSink.createOrUpdateFromOAuthGrant({
+      userId,
+      provider: slug,
+      accessToken: tokens.accessToken,
+      refreshToken: tokens.refreshToken,
+      expiresAt: tokens.expiresAt,
+      scope: tokens.scope,
+      externalAccountId: tokens.externalAccountId,
+      providerMetadata: tokens.providerMetadata,
+    });
+    return res.redirect(
+      HttpStatus.FOUND,
+      redirect ?? `/settings/integrations?connected=${encodeURIComponent(slug)}`,
+    );
+  }
+
+  private requireStrategy(slug: string): ProviderStrategy {
+    const strategy = this.registry.get(slug);
+    if (!strategy) {
+      throw new HttpException(
+        `Unknown provider '${slug}'`,
+        HttpStatus.NOT_FOUND,
+      );
+    }
+    return strategy;
+  }
+
+  private redirectUriFor(slug: string): string {
+    const base = this.options.redirectUriBase;
+    if (!base) {
+      throw new Error(
+        `AuthModule.forRoot: redirectUriBase is required when AuthController is enabled`,
+      );
+    }
+    const trimmed = base.replace(/\/+$/, '');
+    return `${trimmed}/auth/${encodeURIComponent(slug)}/callback`;
+  }
+}

package/runtime/subsystems/auth/index.ts

@@ -6,19 +6,32 @@
  * ```typescript
  * import {
  *   AuthModule,
+ *   AuthController,
  *   ENCRYPTION_KEY,
  *   OAUTH_STATE_STORE,
  *   AUTH_INTEGRATION_READER,
  *   AUTH_INTEGRATION_TOKEN_WRITER,
+ *   AUTH_INTEGRATION_GRANT_SINK,
+ *   AUTH_USER_CONTEXT,
+ *   STRATEGY_REGISTRY,
+ *   AUTH_OPTIONS,
  *   OAuth2RefreshStrategy,
  *   withAuthRetry,
  *   IntegrationBrokenError,
  *   SessionExpiredError,
+ *   OAuthStateError,
  *   type IAuthStrategy,
  *   type IEncryptionKey,
  *   type IOAuthStateStore,
+ *   type OAuthStateRecord,
  *   type IIntegrationReader,
  *   type IIntegrationTokenWriter,
+ *   type IIntegrationGrantSink,
+ *   type IntegrationGrantInput,
+ *   type IUserContext,
+ *   type ProviderStrategy,
+ *   type ProviderStrategyRegistry,
+ *   type ExchangedTokens,
  * } from '@pattern-stack/codegen/runtime/subsystems/auth';
  * ```
  */
@@ -32,14 +45,23 @@ export type {
 export type { IEncryptionKey } from './protocols/encryption-key';
 export type {
   IOAuthStateStore,
-  OAuthStateEntry,
+  OAuthStateRecord,
 } from './protocols/oauth-state-store';
+export { OAuthStateError } from './protocols/oauth-state-store';
 export type {
   DecryptedIntegration,
   IIntegrationReader,
   IIntegrationTokenWriter,
   IntegrationTokenUpdate,
+  IIntegrationGrantSink,
+  IntegrationGrantInput,
 } from './protocols/integration-store';
+export type { IUserContext } from './protocols/user-context';
+export type {
+  ProviderStrategy,
+  ProviderStrategyRegistry,
+  ExchangedTokens,
+} from './protocols/provider-strategy';
 
 // Tokens
 export {
@@ -47,6 +69,10 @@ export {
   OAUTH_STATE_STORE,
   AUTH_INTEGRATION_READER,
   AUTH_INTEGRATION_TOKEN_WRITER,
+  AUTH_INTEGRATION_GRANT_SINK,
+  AUTH_USER_CONTEXT,
+  STRATEGY_REGISTRY,
+  AUTH_OPTIONS,
 } from './auth.tokens';
 
 // Runtime
@@ -63,15 +89,28 @@ export {
   isSessionExpiredError,
 } from './runtime/session-expired.error';
 
+// Schema (drizzle backend)
+export {
+  authOAuthState,
+  type AuthOAuthState,
+} from './auth-oauth-state.schema';
+
 // Backends
 export {
   EnvEncryptionKey,
   type EnvEncryptionKeyOptions,
 } from './backends/encryption-key/env';
 export {
-  InMemoryOAuthStateStore,
-  type InMemoryOAuthStateStoreOptions,
-} from './backends/oauth-state-store/in-memory';
+  MemoryOAuthStateStore,
+  type MemoryOAuthStateStoreOptions,
+} from './backends/state-store.memory-backend';
+export {
+  DrizzleOAuthStateStore,
+  type DrizzleOAuthStateStoreOptions,
+} from './backends/state-store.drizzle-backend';
+
+// Controller
+export { AuthController } from './controllers/auth.controller';
 
 // Module
 export { AuthModule, type AuthModuleOptions } from './auth.module';