@pattern-stack/codegen 0.6.4 → 0.6.5

package/dist/runtime/subsystems/auth/protocols/provider-strategy.d.ts

@@ -0,0 +1,47 @@
+import { OAuth2RefreshStrategy } from '../runtime/oauth2-refresh.strategy.js';
+import './auth-strategy.js';
+import './integration-store.js';
+
+/**
+ * Auth subsystem — `ProviderStrategy` contract.
+ *
+ * Extension of `OAuth2RefreshStrategy` (which already covers the refresh
+ * path) that adds the two methods needed by the connect/callback dance:
+ *
+ *   - `buildAuthorizeUrl({ state, redirectUri })` → consent-page URL.
+ *   - `exchangeCodeForTokens({ code, redirectUri })` → tokens after consent.
+ *
+ * Concrete per-provider strategies (HubSpot, SFDC, Google, Gong, Fathom, …)
+ * stay consumer-side per ADR-031 ("every app has different combinations").
+ * They typically subclass `OAuth2RefreshStrategy` for the refresh path and
+ * implement these two methods structurally — that satisfies
+ * `ProviderStrategy` because TS lets interfaces extend classes by type.
+ *
+ * AuthController never imports a concrete strategy — it injects the
+ * `STRATEGY_REGISTRY` (a `ReadonlyMap<provider-slug, ProviderStrategy>`)
+ * and dispatches by slug.
+ */
+
+interface ExchangedTokens {
+    accessToken: string;
+    refreshToken?: string;
+    expiresAt?: Date;
+    scope?: string[];
+    externalAccountId?: string;
+    /** Provider-specific bag (SFDC `instance_url`, Google `sub`, …). */
+    providerMetadata?: Record<string, unknown>;
+}
+interface ProviderStrategy extends OAuth2RefreshStrategy {
+    buildAuthorizeUrl(args: {
+        state: string;
+        redirectUri: string;
+    }): string;
+    exchangeCodeForTokens(args: {
+        code: string;
+        redirectUri: string;
+    }): Promise<ExchangedTokens>;
+}
+/** The DI value type behind the `STRATEGY_REGISTRY` token. */
+type ProviderStrategyRegistry = ReadonlyMap<string, ProviderStrategy>;
+
+export type { ExchangedTokens, ProviderStrategy, ProviderStrategyRegistry };

package/dist/runtime/subsystems/auth/protocols/provider-strategy.js

@@ -0,0 +1 @@
+//# sourceMappingURL=provider-strategy.js.map

package/dist/runtime/subsystems/auth/protocols/provider-strategy.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}

package/dist/runtime/subsystems/auth/protocols/user-context.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Auth subsystem — `IUserContext` port.
+ *
+ * Resolves "who is the current user" from a request. The shape is
+ * universal; the implementation is always app-specific:
+ *
+ *   - WorkOS session:   `req.session.user.id`
+ *   - JWT bearer:       `decode(req.headers.authorization).sub`
+ *   - Test fixture:     hardcoded UUID
+ *
+ * The auth subsystem cannot ship a default — every app does auth differently —
+ * but the port is universal, so the contract ships here. Consumers bind a
+ * concrete implementation under the `AUTH_USER_CONTEXT` token in their app
+ * module.
+ *
+ * `req` is typed as `unknown` deliberately: this protocol must not pull a
+ * dependency on `express` / `fastify` / NestJS request types. The concrete
+ * adapter narrows it (e.g. via a `Request` import).
+ */
+interface IUserContext {
+    getCurrentUserId(req: unknown): Promise<string>;
+}
+
+export type { IUserContext };

package/dist/runtime/subsystems/auth/protocols/user-context.js

@@ -0,0 +1 @@
+//# sourceMappingURL=user-context.js.map

package/dist/runtime/subsystems/auth/protocols/user-context.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}

package/dist/runtime/subsystems/index.d.ts

@@ -21,15 +21,20 @@ export { ObservabilityModule, ObservabilityModuleOptions } from './observability
 export { ObservabilityError } from './observability/observability-errors.js';
 export { AuthCredentials, AuthResolveOptions, IAuthStrategy } from './auth/protocols/auth-strategy.js';
 export { IEncryptionKey } from './auth/protocols/encryption-key.js';
-export { IOAuthStateStore, OAuthStateEntry } from './auth/protocols/oauth-state-store.js';
-export { DecryptedIntegration, IIntegrationReader, IIntegrationTokenWriter, IntegrationTokenUpdate } from './auth/protocols/integration-store.js';
-export { AUTH_INTEGRATION_READER, AUTH_INTEGRATION_TOKEN_WRITER, ENCRYPTION_KEY, OAUTH_STATE_STORE } from './auth/auth.tokens.js';
+export { IOAuthStateStore, OAuthStateError, OAuthStateRecord } from './auth/protocols/oauth-state-store.js';
+export { DecryptedIntegration, IIntegrationGrantSink, IIntegrationReader, IIntegrationTokenWriter, IntegrationGrantInput, IntegrationTokenUpdate } from './auth/protocols/integration-store.js';
+export { IUserContext } from './auth/protocols/user-context.js';
+export { ExchangedTokens, ProviderStrategy, ProviderStrategyRegistry } from './auth/protocols/provider-strategy.js';
+export { AUTH_INTEGRATION_GRANT_SINK, AUTH_INTEGRATION_READER, AUTH_INTEGRATION_TOKEN_WRITER, AUTH_OPTIONS, AUTH_USER_CONTEXT, ENCRYPTION_KEY, OAUTH_STATE_STORE, STRATEGY_REGISTRY } from './auth/auth.tokens.js';
 export { OAuth2RefreshStrategy, ParsedRefreshResponse } from './auth/runtime/oauth2-refresh.strategy.js';
 export { withAuthRetry } from './auth/runtime/with-auth-retry.js';
 export { IntegrationBrokenError } from './auth/runtime/integration-broken.error.js';
 export { SessionExpiredError, isSessionExpiredError } from './auth/runtime/session-expired.error.js';
+export { AuthOAuthState, authOAuthState } from './auth/auth-oauth-state.schema.js';
 export { EnvEncryptionKey } from './auth/backends/encryption-key/env.js';
-export { InMemoryOAuthStateStore } from './auth/backends/oauth-state-store/in-memory.js';
+export { MemoryOAuthStateStore } from './auth/backends/state-store.memory-backend.js';
+export { DrizzleOAuthStateStore } from './auth/backends/state-store.drizzle-backend.js';
+export { AuthController } from './auth/controllers/auth.controller.js';
 export { AuthModule } from './auth/auth.module.js';
 export { CursorSnapshot } from './sync/sync-cursor-store.protocol.js';
 export { StatusHistogram } from './bridge/bridge.protocol.js';

package/dist/runtime/subsystems/index.js

@@ -3971,11 +3971,25 @@ var ObservabilityError = class extends Error {
   cause;
 };
 
+// runtime/subsystems/auth/protocols/oauth-state-store.ts
+var OAuthStateError = class extends Error {
+  constructor(message, reason) {
+    super(message);
+    this.reason = reason;
+    this.name = "OAuthStateError";
+  }
+  reason;
+};
+
 // runtime/subsystems/auth/auth.tokens.ts
 var ENCRYPTION_KEY = /* @__PURE__ */ Symbol("ENCRYPTION_KEY");
 var OAUTH_STATE_STORE = /* @__PURE__ */ Symbol("OAUTH_STATE_STORE");
 var AUTH_INTEGRATION_READER = /* @__PURE__ */ Symbol("AUTH_INTEGRATION_READER");
 var AUTH_INTEGRATION_TOKEN_WRITER = /* @__PURE__ */ Symbol("AUTH_INTEGRATION_TOKEN_WRITER");
+var AUTH_INTEGRATION_GRANT_SINK = /* @__PURE__ */ Symbol("AUTH_INTEGRATION_GRANT_SINK");
+var AUTH_USER_CONTEXT = /* @__PURE__ */ Symbol("AUTH_USER_CONTEXT");
+var STRATEGY_REGISTRY = /* @__PURE__ */ Symbol("STRATEGY_REGISTRY");
+var AUTH_OPTIONS = /* @__PURE__ */ Symbol("AUTH_OPTIONS");
 
 // runtime/subsystems/auth/runtime/integration-broken.error.ts
 var IntegrationBrokenError = class extends Error {
@@ -4112,6 +4126,15 @@ async function withAuthRetry(authStrategy, integrationId, op, options = {}) {
   }
 }
 
+// runtime/subsystems/auth/auth-oauth-state.schema.ts
+import { pgTable as pgTable4, text as text4, timestamp as timestamp4 } from "drizzle-orm/pg-core";
+var authOAuthState = pgTable4("auth_oauth_state", {
+  state: text4("state").primaryKey(),
+  userId: text4("user_id").notNull(),
+  redirect: text4("redirect"),
+  expiresAt: timestamp4("expires_at", { withTimezone: true }).notNull()
+});
+
 // runtime/subsystems/auth/backends/encryption-key/env.ts
 import { createCipheriv, createDecipheriv, randomBytes } from "crypto";
 var ALGO = "aes-256-gcm";
@@ -4162,26 +4185,198 @@ var EnvEncryptionKey = class {
   }
 };
 
-// runtime/subsystems/auth/backends/oauth-state-store/in-memory.ts
-var InMemoryOAuthStateStore = class {
+// runtime/subsystems/auth/backends/state-store.memory-backend.ts
+import { randomBytes as randomBytes2 } from "crypto";
+var MemoryOAuthStateStore = class {
   store = /* @__PURE__ */ new Map();
   ttlMs;
   now;
+  generateToken;
   constructor(opts = {}) {
     this.ttlMs = opts.ttlMs ?? 10 * 60 * 1e3;
     this.now = opts.now ?? (() => Date.now());
+    this.generateToken = opts.generateToken ?? (() => randomBytes2(32).toString("base64url"));
   }
-  async put(state, entry) {
-    this.store.set(state, { entry, expiresAt: this.now() + this.ttlMs });
+  async generate(record) {
+    const state = this.generateToken();
+    this.store.set(state, {
+      record: { ...record },
+      expiresAt: this.now() + this.ttlMs
+    });
+    return state;
   }
   async consume(state) {
     const slot = this.store.get(state);
-    if (!slot) return null;
+    if (!slot) {
+      throw new OAuthStateError(
+        `OAuth state token unknown or already consumed`,
+        "missing"
+      );
+    }
     this.store.delete(state);
-    if (slot.expiresAt <= this.now()) return null;
-    return slot.entry;
+    if (slot.expiresAt <= this.now()) {
+      throw new OAuthStateError(`OAuth state token expired`, "expired");
+    }
+    return slot.record;
+  }
+};
+
+// runtime/subsystems/auth/backends/state-store.drizzle-backend.ts
+import { randomBytes as randomBytes3 } from "crypto";
+import { eq as eq7 } from "drizzle-orm";
+var DrizzleOAuthStateStore = class {
+  constructor(db, opts = {}) {
+    this.db = db;
+    this.ttlMs = opts.ttlMs ?? 10 * 60 * 1e3;
+    this.now = opts.now ?? (() => Date.now());
+    this.generateToken = opts.generateToken ?? (() => randomBytes3(32).toString("base64url"));
+  }
+  db;
+  ttlMs;
+  now;
+  generateToken;
+  async generate(record) {
+    const state = this.generateToken();
+    const expiresAt = new Date(this.now() + this.ttlMs);
+    await this.db.insert(authOAuthState).values({
+      state,
+      userId: record.userId,
+      redirect: record.redirect ?? null,
+      expiresAt
+    });
+    return state;
+  }
+  async consume(state) {
+    const rows = await this.db.delete(authOAuthState).where(eq7(authOAuthState.state, state)).returning();
+    const row = rows[0];
+    if (!row) {
+      throw new OAuthStateError(
+        `OAuth state token unknown or already consumed`,
+        "missing"
+      );
+    }
+    if (row.expiresAt.getTime() <= this.now()) {
+      throw new OAuthStateError(`OAuth state token expired`, "expired");
+    }
+    return {
+      userId: row.userId,
+      redirect: row.redirect ?? void 0
+    };
+  }
+};
+
+// runtime/subsystems/auth/controllers/auth.controller.ts
+import {
+  Controller,
+  Get,
+  Inject as Inject16,
+  Param,
+  Query,
+  Req,
+  Res,
+  HttpException,
+  HttpStatus
+} from "@nestjs/common";
+var AuthController = class {
+  constructor(registry, userContext, stateStore, grantSink, options) {
+    this.registry = registry;
+    this.userContext = userContext;
+    this.stateStore = stateStore;
+    this.grantSink = grantSink;
+    this.options = options;
+  }
+  registry;
+  userContext;
+  stateStore;
+  grantSink;
+  options;
+  async connect(slug, redirect, req, res) {
+    const strategy = this.requireStrategy(slug);
+    const userId = await this.userContext.getCurrentUserId(req);
+    const state = await this.stateStore.generate({ userId, redirect });
+    const url = strategy.buildAuthorizeUrl({
+      state,
+      redirectUri: this.redirectUriFor(slug)
+    });
+    return res.redirect(HttpStatus.FOUND, url);
+  }
+  async callback(slug, code, state, res) {
+    const strategy = this.requireStrategy(slug);
+    if (!code) {
+      throw new HttpException(
+        `Missing 'code' query param`,
+        HttpStatus.BAD_REQUEST
+      );
+    }
+    if (!state) {
+      throw new HttpException(
+        `Missing 'state' query param`,
+        HttpStatus.BAD_REQUEST
+      );
+    }
+    const { userId, redirect } = await this.stateStore.consume(state);
+    const tokens = await strategy.exchangeCodeForTokens({
+      code,
+      redirectUri: this.redirectUriFor(slug)
+    });
+    await this.grantSink.createOrUpdateFromOAuthGrant({
+      userId,
+      provider: slug,
+      accessToken: tokens.accessToken,
+      refreshToken: tokens.refreshToken,
+      expiresAt: tokens.expiresAt,
+      scope: tokens.scope,
+      externalAccountId: tokens.externalAccountId,
+      providerMetadata: tokens.providerMetadata
+    });
+    return res.redirect(
+      HttpStatus.FOUND,
+      redirect ?? `/settings/integrations?connected=${encodeURIComponent(slug)}`
+    );
+  }
+  requireStrategy(slug) {
+    const strategy = this.registry.get(slug);
+    if (!strategy) {
+      throw new HttpException(
+        `Unknown provider '${slug}'`,
+        HttpStatus.NOT_FOUND
+      );
+    }
+    return strategy;
+  }
+  redirectUriFor(slug) {
+    const base = this.options.redirectUriBase;
+    if (!base) {
+      throw new Error(
+        `AuthModule.forRoot: redirectUriBase is required when AuthController is enabled`
+      );
+    }
+    const trimmed = base.replace(/\/+$/, "");
+    return `${trimmed}/auth/${encodeURIComponent(slug)}/callback`;
   }
 };
+__decorateClass([
+  Get(":provider/connect"),
+  __decorateParam(0, Param("provider")),
+  __decorateParam(1, Query("redirect")),
+  __decorateParam(2, Req()),
+  __decorateParam(3, Res())
+], AuthController.prototype, "connect", 1);
+__decorateClass([
+  Get(":provider/callback"),
+  __decorateParam(0, Param("provider")),
+  __decorateParam(1, Query("code")),
+  __decorateParam(2, Query("state")),
+  __decorateParam(3, Res())
+], AuthController.prototype, "callback", 1);
+AuthController = __decorateClass([
+  Controller("auth"),
+  __decorateParam(0, Inject16(STRATEGY_REGISTRY)),
+  __decorateParam(1, Inject16(AUTH_USER_CONTEXT)),
+  __decorateParam(2, Inject16(OAUTH_STATE_STORE)),
+  __decorateParam(3, Inject16(AUTH_INTEGRATION_GRANT_SINK)),
+  __decorateParam(4, Inject16(AUTH_OPTIONS))
+], AuthController);
 
 // runtime/subsystems/auth/auth.module.ts
 import { Module as Module7 } from "@nestjs/common";
@@ -4192,24 +4387,54 @@ function resolveEncryptionKeyProvider(choice) {
   return { provide: ENCRYPTION_KEY, ...choice };
 }
 function resolveOAuthStateStoreProvider(choice) {
-  if (choice === "in-memory") {
-    return { provide: OAUTH_STATE_STORE, useClass: InMemoryOAuthStateStore };
+  if (choice === "memory") {
+    return { provide: OAUTH_STATE_STORE, useClass: MemoryOAuthStateStore };
+  }
+  if (choice === "drizzle") {
+    return {
+      provide: OAUTH_STATE_STORE,
+      useFactory: (db) => {
+        if (!db) {
+          throw new Error(
+            "AuthModule.forRoot: oauthStateStore: 'drizzle' selected but DRIZZLE provider is not available. Ensure DatabaseModule (or another provider exposing DRIZZLE) is imported before AuthModule.forRoot."
+          );
+        }
+        return new DrizzleOAuthStateStore(db);
+      },
+      inject: [{ token: DRIZZLE, optional: true }]
+    };
   }
   return { provide: OAUTH_STATE_STORE, ...choice };
 }
 var AuthModule = class {
   static forRoot(options = {}) {
+    const resolved = {
+      encryptionKey: options.encryptionKey ?? "env",
+      oauthStateStore: options.oauthStateStore ?? "memory",
+      enableController: options.enableController ?? false,
+      redirectUriBase: options.redirectUriBase
+    };
+    if (resolved.enableController && !resolved.redirectUriBase) {
+      throw new Error(
+        "AuthModule.forRoot: redirectUriBase is required when enableController: true"
+      );
+    }
     const encryptionKeyProvider = resolveEncryptionKeyProvider(
-      options.encryptionKey ?? "env"
+      resolved.encryptionKey
     );
     const oauthStateStoreProvider = resolveOAuthStateStoreProvider(
-      options.oauthStateStore ?? "in-memory"
+      resolved.oauthStateStore
     );
+    const optionsProvider = {
+      provide: AUTH_OPTIONS,
+      useValue: resolved
+    };
     return {
       module: AuthModule,
       global: true,
-      providers: [encryptionKeyProvider, oauthStateStoreProvider],
-      exports: [ENCRYPTION_KEY, OAUTH_STATE_STORE]
+      providers: [encryptionKeyProvider, oauthStateStoreProvider, optionsProvider],
+      controllers: resolved.enableController ? [AuthController] : [],
+      exports: [ENCRYPTION_KEY, OAUTH_STATE_STORE, AUTH_OPTIONS]
     };
   }
 };
@@ -4217,32 +4442,40 @@ AuthModule = __decorateClass([
   Module7({})
 ], AuthModule);
 export {
+  AUTH_INTEGRATION_GRANT_SINK,
   AUTH_INTEGRATION_READER,
   AUTH_INTEGRATION_TOKEN_WRITER,
+  AUTH_OPTIONS,
+  AUTH_USER_CONTEXT,
+  AuthController,
   AuthModule,
   CACHE,
   CacheModule,
   DrizzleCacheService,
   DrizzleEventBus,
+  DrizzleOAuthStateStore,
   ENCRYPTION_KEY,
   EVENT_BUS,
   EnvEncryptionKey,
   EventsModule,
-  InMemoryOAuthStateStore,
   IntegrationBrokenError,
   LocalStorageBackend,
   MemoryCacheService,
   MemoryEventBus,
+  MemoryOAuthStateStore,
   MemoryStorageBackend,
   OAUTH_STATE_STORE,
   OAuth2RefreshStrategy,
+  OAuthStateError,
   OBSERVABILITY,
   OBSERVABILITY_MODULE_OPTIONS,
   ObservabilityError,
   ObservabilityModule,
   STORAGE,
+  STRATEGY_REGISTRY,
   SessionExpiredError,
   StorageModule,
+  authOAuthState,
   collisionModeEnum,
   isSessionExpiredError,
   jobRunStatusEnum,