@pattern-stack/codegen 0.6.4 → 0.6.6

package/dist/runtime/subsystems/auth/protocols/oauth-state-store.js.map

@@ -1 +1 @@
-{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}
+{"version":3,"sources":["../../../../../runtime/subsystems/auth/protocols/oauth-state-store.ts"],"sourcesContent":["/**\n * Auth subsystem — `IOAuthStateStore` port.\n *\n * CSRF protection for the OAuth2 authorize-code callback. Generic across\n * providers. The store mints opaque state tokens at /connect time and\n * single-use consumes them at /callback time, returning the original\n * record (userId + optional post-callback redirect path).\n *\n * Concrete backends live under `../backends/`:\n *   - `state-store.memory-backend.ts` — in-process Map (tests/dev).\n *   - `state-store.drizzle-backend.ts` — Postgres (prod).\n *\n * Semantics:\n *   - `generate(record)` → returns an opaque state token; record is stored\n *     under that token until consumed or until TTL expires.\n *   - `consume(state)`   → atomically deletes the entry and returns the\n *     record. Throws on missing, expired, or replayed state. Never returns\n *     null — a missing/expired state is a CSRF signal.\n */\nexport interface OAuthStateRecord {\n  userId: string;\n  /** Optional post-callback redirect path (relative URL). */\n  redirect?: string;\n}\n\nexport interface IOAuthStateStore {\n  /** Mint an opaque state token bound to `record`. Single-use. */\n  generate(record: OAuthStateRecord): Promise<string>;\n  /**\n   * Atomically consume `state`, returning the bound record. Throws on\n   * missing / expired / replayed state.\n   */\n  consume(state: string): Promise<OAuthStateRecord>;\n}\n\n/**\n * Thrown by `IOAuthStateStore.consume` when the state token is unknown,\n * expired, or has already been consumed (replay attempt).\n */\nexport class OAuthStateError extends Error {\n  constructor(\n    message: string,\n    public readonly reason: 'missing' | 'expired',\n  ) {\n    super(message);\n    this.name = 'OAuthStateError';\n  }\n}\n"],"mappings":";AAuCO,IAAM,kBAAN,cAA8B,MAAM;AAAA,EACzC,YACE,SACgB,QAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AAAA,EAJkB;AAKpB;","names":[]}

package/dist/runtime/subsystems/auth/protocols/provider-strategy.d.ts

@@ -0,0 +1,54 @@
+import { OAuth2RefreshStrategy } from '../runtime/oauth2-refresh.strategy.js';
+import './auth-strategy.js';
+import './integration-store.js';
+
+/**
+ * Auth subsystem — `IProviderStrategy` contract.
+ *
+ * Extension of `OAuth2RefreshStrategy` (which already covers the refresh
+ * path) that adds the two methods needed by the connect/callback dance:
+ *
+ *   - `buildAuthorizeUrl({ state, redirectUri })` → consent-page URL.
+ *   - `exchangeCodeForTokens({ code, redirectUri })` → tokens after consent.
+ *
+ * Concrete per-provider strategies (HubSpot, SFDC, Google, Gong, Fathom, …)
+ * stay consumer-side per ADR-031 ("every app has different combinations").
+ * They typically subclass `OAuth2RefreshStrategy` for the refresh path and
+ * implement these two methods structurally — that satisfies
+ * `IProviderStrategy` because TS lets interfaces extend classes by type.
+ *
+ * AuthController never imports a concrete strategy — it injects the
+ * `STRATEGY_REGISTRY` (a `ReadonlyMap<provider-slug, IProviderStrategy>`)
+ * and dispatches by slug.
+ *
+ * **Naming convention:** interfaces that describe behavioral ports use the
+ * `I` prefix (`IProviderStrategy`, `IIntegrationReader`, `IUserContext`,
+ * `IOAuthStateStore`, `IEncryptionKey`). Plain data types / DTOs (e.g.
+ * `ExchangedTokens`, `DecryptedIntegration`, `IntegrationGrantInput`) do
+ * not. Abstract template-method classes (e.g. `OAuth2RefreshStrategy`) also
+ * do not — the `I` is for interfaces only.
+ */
+
+interface ExchangedTokens {
+    accessToken: string;
+    refreshToken?: string;
+    expiresAt?: Date;
+    scope?: string[];
+    externalAccountId?: string;
+    /** Provider-specific bag (SFDC `instance_url`, Google `sub`, …). */
+    providerMetadata?: Record<string, unknown>;
+}
+interface IProviderStrategy extends OAuth2RefreshStrategy {
+    buildAuthorizeUrl(args: {
+        state: string;
+        redirectUri: string;
+    }): string;
+    exchangeCodeForTokens(args: {
+        code: string;
+        redirectUri: string;
+    }): Promise<ExchangedTokens>;
+}
+/** The DI value type behind the `STRATEGY_REGISTRY` token. */
+type ProviderStrategyRegistry = ReadonlyMap<string, IProviderStrategy>;
+
+export type { ExchangedTokens, IProviderStrategy, ProviderStrategyRegistry };

package/dist/runtime/subsystems/auth/protocols/provider-strategy.js

@@ -0,0 +1 @@
+//# sourceMappingURL=provider-strategy.js.map

package/dist/runtime/subsystems/auth/protocols/provider-strategy.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}

package/dist/runtime/subsystems/auth/protocols/user-context.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Auth subsystem — `IUserContext` port.
+ *
+ * Resolves "who is the current user" from a request. The shape is
+ * universal; the implementation is always app-specific:
+ *
+ *   - WorkOS session:   `req.session.user.id`
+ *   - JWT bearer:       `decode(req.headers.authorization).sub`
+ *   - Test fixture:     hardcoded UUID
+ *
+ * The auth subsystem cannot ship a default — every app does auth differently —
+ * but the port is universal, so the contract ships here. Consumers bind a
+ * concrete implementation under the `AUTH_USER_CONTEXT` token in their app
+ * module.
+ *
+ * `req` is typed as `unknown` deliberately: this protocol must not pull a
+ * dependency on `express` / `fastify` / NestJS request types. The concrete
+ * adapter narrows it (e.g. via a `Request` import).
+ */
+interface IUserContext {
+    getCurrentUserId(req: unknown): Promise<string>;
+}
+
+export type { IUserContext };

package/dist/runtime/subsystems/auth/protocols/user-context.js

@@ -0,0 +1 @@
+//# sourceMappingURL=user-context.js.map

package/dist/runtime/subsystems/auth/protocols/user-context.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}

package/dist/runtime/subsystems/auth/runtime/oauth2-refresh.strategy.d.ts

@@ -5,8 +5,8 @@ import { IIntegrationReader, IIntegrationTokenWriter, DecryptedIntegration } fro
  * Abstract base class for OAuth2 refresh-token strategies.
  *
  * Template-method pattern: `resolve()` is concrete; four small hooks inject
- * provider specifics. Validated across two providers in dealbrain-v2
- * (SalesforceAuthStrategy, HubSpotAuthStrategy) before extraction here — see
+ * provider specifics. Validated across two providers (Salesforce, HubSpot)
+ * in the extraction-source app before being extracted here — see
  * `docs/gate-1-auth-extraction-findings.md` for the "build first, extract
  * later" evidence.
  *

package/dist/runtime/subsystems/auth/runtime/oauth2-refresh.strategy.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../../../runtime/subsystems/auth/runtime/integration-broken.error.ts","../../../../../runtime/subsystems/auth/runtime/oauth2-refresh.strategy.ts"],"sourcesContent":["/**\n * Thrown when an OAuth2 provider returns `400 invalid_grant`/`invalid_token`\n * on refresh — the refresh token itself is dead (user revoked, org\n * deactivated, token expired beyond the provider's rotation window). The\n * integration should be marked broken so background sync stops picking it\n * up; the user re-initiates OAuth.\n *\n * Shared across every OAuth2 strategy.\n */\nexport class IntegrationBrokenError extends Error {\n  constructor(\n    readonly integrationId: string,\n    readonly errorCode: string,\n    readonly errorDescription: string,\n  ) {\n    super(\n      `Integration ${integrationId} broken: ${errorCode} - ${errorDescription}`,\n    );\n    this.name = 'IntegrationBrokenError';\n  }\n}\n","/**\n * Abstract base class for OAuth2 refresh-token strategies.\n *\n * Template-method pattern: `resolve()` is concrete; four small hooks inject\n * provider specifics. Validated across two providers in dealbrain-v2\n * (SalesforceAuthStrategy, HubSpotAuthStrategy) before extraction here — see\n * `docs/gate-1-auth-extraction-findings.md` for the \"build first, extract\n * later\" evidence.\n *\n * Subclass contract:\n *   - `provider`                — slug matched against `integrations.provider`\n *   - `defaultExpiresInSec`     — fallback when refresh response omits `expires_in`\n *   - `tokenEndpoint()`         — URL to POST the refresh grant\n *   - `refreshBodyExtras()`     — provider-specific body params\n *   - `parseRefreshResponse()`  — raw JSON → ParsedRefreshResponse\n *   - `buildCredentials()`      — stored or freshly-refreshed access token +\n *                                 integration + optional raw refresh response\n *                                 → provider credentials\n *\n * Base handles: expiry check w/ 5-min safety window, `forceRefresh` escape\n * hatch, POST form-urlencoded body, OAuth2 error mapping to\n * `IntegrationBrokenError`, refresh-token rotation persistence, fetch +\n * clock injection for tests.\n */\nimport type {\n  AuthCredentials,\n  AuthResolveOptions,\n  IAuthStrategy,\n} from '../protocols/auth-strategy';\nimport type {\n  DecryptedIntegration,\n  IIntegrationReader,\n  IIntegrationTokenWriter,\n} from '../protocols/integration-store';\nimport { IntegrationBrokenError } from './integration-broken.error';\n\nexport type FetchLike = (\n  input: string | URL | Request,\n  init?: RequestInit,\n) => Promise<Response>;\n\n/** Safety window before expiry that triggers a refresh. */\nconst REFRESH_SAFETY_MS = 5 * 60 * 1000;\n\nexport interface OAuth2RefreshStrategyOptions {\n  integrationReader: IIntegrationReader;\n  tokenWriter: IIntegrationTokenWriter;\n  /** Injectable fetch for tests. Defaults to the global `fetch`. */\n  fetch?: FetchLike;\n  /** Injectable clock for tests. Defaults to `Date.now`. */\n  now?: () => number;\n}\n\nexport interface ParsedRefreshResponse {\n  accessToken: string;\n  /**\n   * New refresh token if the provider rotated it (HubSpot: always, Salesforce:\n   * sometimes). Omit when the provider reused the old refresh token.\n   */\n  refreshToken?: string;\n  /** Seconds from now. If omitted, subclass `defaultExpiresInSec` applies. */\n  expiresInSec?: number;\n}\n\nexport abstract class OAuth2RefreshStrategy implements IAuthStrategy {\n  protected abstract readonly provider: string;\n  protected abstract readonly defaultExpiresInSec: number;\n\n  protected readonly integrationReader: IIntegrationReader;\n  protected readonly tokenWriter: IIntegrationTokenWriter;\n  protected readonly fetchImpl: FetchLike;\n  protected readonly now: () => number;\n\n  constructor(opts: OAuth2RefreshStrategyOptions) {\n    this.integrationReader = opts.integrationReader;\n    this.tokenWriter = opts.tokenWriter;\n    this.fetchImpl = opts.fetch ?? fetch;\n    this.now = opts.now ?? Date.now;\n  }\n\n  async resolve(\n    integrationId: string,\n    opts: AuthResolveOptions = {},\n  ): Promise<AuthCredentials> {\n    const integration =\n      await this.integrationReader.findByIdDecrypted(integrationId);\n    if (!integration) {\n      throw new Error(`Integration ${integrationId} not found`);\n    }\n    if (integration.provider !== this.provider) {\n      throw new Error(\n        `${this.constructor.name} called for non-${this.provider} integration ${integrationId} (provider=${integration.provider})`,\n      );\n    }\n\n    const needsRefresh =\n      opts.forceRefresh ||\n      this.isExpiring(integration.expiresAt) ||\n      !integration.accessToken;\n\n    if (!needsRefresh) {\n      return this.buildCredentials(integration.accessToken, integration);\n    }\n\n    if (!integration.refreshToken) {\n      throw new IntegrationBrokenError(\n        integrationId,\n        'no_refresh_token',\n        'Integration has no refresh token; user must reconnect',\n      );\n    }\n\n    const { parsed, raw } = await this.executeRefresh(\n      integrationId,\n      integration.refreshToken,\n    );\n    const newExpiresAt = new Date(\n      this.now() + (parsed.expiresInSec ?? this.defaultExpiresInSec) * 1000,\n    );\n    await this.tokenWriter.persistRefresh({\n      integrationId,\n      accessToken: parsed.accessToken,\n      refreshToken: parsed.refreshToken ?? undefined,\n      expiresAt: newExpiresAt,\n    });\n\n    return this.buildCredentials(parsed.accessToken, integration, raw);\n  }\n\n  protected abstract tokenEndpoint(): string;\n  protected abstract refreshBodyExtras(): Record<string, string>;\n  protected abstract parseRefreshResponse(raw: unknown): ParsedRefreshResponse;\n  protected abstract buildCredentials(\n    accessToken: string,\n    integration: DecryptedIntegration,\n    refreshRaw?: unknown,\n  ): AuthCredentials;\n\n  private async executeRefresh(\n    integrationId: string,\n    refreshToken: string,\n  ): Promise<{ parsed: ParsedRefreshResponse; raw: unknown }> {\n    const body = new URLSearchParams({\n      grant_type: 'refresh_token',\n      refresh_token: refreshToken,\n      ...this.refreshBodyExtras(),\n    });\n    const response = await this.fetchImpl(this.tokenEndpoint(), {\n      method: 'POST',\n      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n      body: body.toString(),\n    });\n    if (!response.ok) {\n      const err = (await safeJson(response)) as Partial<{\n        error: string;\n        error_description: string;\n        message: string;\n      }>;\n      if (\n        response.status === 400 &&\n        (err.error === 'invalid_grant' || err.error === 'invalid_token')\n      ) {\n        throw new IntegrationBrokenError(\n          integrationId,\n          err.error ?? 'invalid_grant',\n          err.error_description ?? err.message ?? 'refresh token rejected',\n        );\n      }\n      throw new Error(\n        `${this.provider} token refresh failed: ${response.status} ${err.error ?? ''} ${err.error_description ?? err.message ?? ''}`.trim(),\n      );\n    }\n    const raw = await response.json();\n    return { parsed: this.parseRefreshResponse(raw), raw };\n  }\n\n  private isExpiring(expiresAt: Date | null): boolean {\n    if (!expiresAt) return true;\n    return expiresAt.getTime() - this.now() < REFRESH_SAFETY_MS;\n  }\n}\n\nasync function safeJson(response: Response): Promise<unknown> {\n  try {\n    return await response.clone().json();\n  } catch {\n    return {};\n  }\n}\n"],"mappings":";AASO,IAAM,yBAAN,cAAqC,MAAM;AAAA,EAChD,YACW,eACA,WACA,kBACT;AACA;AAAA,MACE,eAAe,aAAa,YAAY,SAAS,MAAM,gBAAgB;AAAA,IACzE;AANS;AACA;AACA;AAKT,SAAK,OAAO;AAAA,EACd;AAAA,EARW;AAAA,EACA;AAAA,EACA;AAOb;;;ACsBA,IAAM,oBAAoB,IAAI,KAAK;AAsB5B,IAAe,wBAAf,MAA8D;AAAA,EAIhD;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAEnB,YAAY,MAAoC;AAC9C,SAAK,oBAAoB,KAAK;AAC9B,SAAK,cAAc,KAAK;AACxB,SAAK,YAAY,KAAK,SAAS;AAC/B,SAAK,MAAM,KAAK,OAAO,KAAK;AAAA,EAC9B;AAAA,EAEA,MAAM,QACJ,eACA,OAA2B,CAAC,GACF;AAC1B,UAAM,cACJ,MAAM,KAAK,kBAAkB,kBAAkB,aAAa;AAC9D,QAAI,CAAC,aAAa;AAChB,YAAM,IAAI,MAAM,eAAe,aAAa,YAAY;AAAA,IAC1D;AACA,QAAI,YAAY,aAAa,KAAK,UAAU;AAC1C,YAAM,IAAI;AAAA,QACR,GAAG,KAAK,YAAY,IAAI,mBAAmB,KAAK,QAAQ,gBAAgB,aAAa,cAAc,YAAY,QAAQ;AAAA,MACzH;AAAA,IACF;AAEA,UAAM,eACJ,KAAK,gBACL,KAAK,WAAW,YAAY,SAAS,KACrC,CAAC,YAAY;AAEf,QAAI,CAAC,cAAc;AACjB,aAAO,KAAK,iBAAiB,YAAY,aAAa,WAAW;AAAA,IACnE;AAEA,QAAI,CAAC,YAAY,cAAc;AAC7B,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAEA,UAAM,EAAE,QAAQ,IAAI,IAAI,MAAM,KAAK;AAAA,MACjC;AAAA,MACA,YAAY;AAAA,IACd;AACA,UAAM,eAAe,IAAI;AAAA,MACvB,KAAK,IAAI,KAAK,OAAO,gBAAgB,KAAK,uBAAuB;AAAA,IACnE;AACA,UAAM,KAAK,YAAY,eAAe;AAAA,MACpC;AAAA,MACA,aAAa,OAAO;AAAA,MACpB,cAAc,OAAO,gBAAgB;AAAA,MACrC,WAAW;AAAA,IACb,CAAC;AAED,WAAO,KAAK,iBAAiB,OAAO,aAAa,aAAa,GAAG;AAAA,EACnE;AAAA,EAWA,MAAc,eACZ,eACA,cAC0D;AAC1D,UAAM,OAAO,IAAI,gBAAgB;AAAA,MAC/B,YAAY;AAAA,MACZ,eAAe;AAAA,MACf,GAAG,KAAK,kBAAkB;AAAA,IAC5B,CAAC;AACD,UAAM,WAAW,MAAM,KAAK,UAAU,KAAK,cAAc,GAAG;AAAA,MAC1D,QAAQ;AAAA,MACR,SAAS,EAAE,gBAAgB,oCAAoC;AAAA,MAC/D,MAAM,KAAK,SAAS;AAAA,IACtB,CAAC;AACD,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM,MAAO,MAAM,SAAS,QAAQ;AAKpC,UACE,SAAS,WAAW,QACnB,IAAI,UAAU,mBAAmB,IAAI,UAAU,kBAChD;AACA,cAAM,IAAI;AAAA,UACR;AAAA,UACA,IAAI,SAAS;AAAA,UACb,IAAI,qBAAqB,IAAI,WAAW;AAAA,QAC1C;AAAA,MACF;AACA,YAAM,IAAI;AAAA,QACR,GAAG,KAAK,QAAQ,0BAA0B,SAAS,MAAM,IAAI,IAAI,SAAS,EAAE,IAAI,IAAI,qBAAqB,IAAI,WAAW,EAAE,GAAG,KAAK;AAAA,MACpI;AAAA,IACF;AACA,UAAM,MAAM,MAAM,SAAS,KAAK;AAChC,WAAO,EAAE,QAAQ,KAAK,qBAAqB,GAAG,GAAG,IAAI;AAAA,EACvD;AAAA,EAEQ,WAAW,WAAiC;AAClD,QAAI,CAAC,UAAW,QAAO;AACvB,WAAO,UAAU,QAAQ,IAAI,KAAK,IAAI,IAAI;AAAA,EAC5C;AACF;AAEA,eAAe,SAAS,UAAsC;AAC5D,MAAI;AACF,WAAO,MAAM,SAAS,MAAM,EAAE,KAAK;AAAA,EACrC,QAAQ;AACN,WAAO,CAAC;AAAA,EACV;AACF;","names":[]}
+{"version":3,"sources":["../../../../../runtime/subsystems/auth/runtime/integration-broken.error.ts","../../../../../runtime/subsystems/auth/runtime/oauth2-refresh.strategy.ts"],"sourcesContent":["/**\n * Thrown when an OAuth2 provider returns `400 invalid_grant`/`invalid_token`\n * on refresh — the refresh token itself is dead (user revoked, org\n * deactivated, token expired beyond the provider's rotation window). The\n * integration should be marked broken so background sync stops picking it\n * up; the user re-initiates OAuth.\n *\n * Shared across every OAuth2 strategy.\n */\nexport class IntegrationBrokenError extends Error {\n  constructor(\n    readonly integrationId: string,\n    readonly errorCode: string,\n    readonly errorDescription: string,\n  ) {\n    super(\n      `Integration ${integrationId} broken: ${errorCode} - ${errorDescription}`,\n    );\n    this.name = 'IntegrationBrokenError';\n  }\n}\n","/**\n * Abstract base class for OAuth2 refresh-token strategies.\n *\n * Template-method pattern: `resolve()` is concrete; four small hooks inject\n * provider specifics. Validated across two providers (Salesforce, HubSpot)\n * in the extraction-source app before being extracted here — see\n * `docs/gate-1-auth-extraction-findings.md` for the \"build first, extract\n * later\" evidence.\n *\n * Subclass contract:\n *   - `provider`                — slug matched against `integrations.provider`\n *   - `defaultExpiresInSec`     — fallback when refresh response omits `expires_in`\n *   - `tokenEndpoint()`         — URL to POST the refresh grant\n *   - `refreshBodyExtras()`     — provider-specific body params\n *   - `parseRefreshResponse()`  — raw JSON → ParsedRefreshResponse\n *   - `buildCredentials()`      — stored or freshly-refreshed access token +\n *                                 integration + optional raw refresh response\n *                                 → provider credentials\n *\n * Base handles: expiry check w/ 5-min safety window, `forceRefresh` escape\n * hatch, POST form-urlencoded body, OAuth2 error mapping to\n * `IntegrationBrokenError`, refresh-token rotation persistence, fetch +\n * clock injection for tests.\n */\nimport type {\n  AuthCredentials,\n  AuthResolveOptions,\n  IAuthStrategy,\n} from '../protocols/auth-strategy';\nimport type {\n  DecryptedIntegration,\n  IIntegrationReader,\n  IIntegrationTokenWriter,\n} from '../protocols/integration-store';\nimport { IntegrationBrokenError } from './integration-broken.error';\n\nexport type FetchLike = (\n  input: string | URL | Request,\n  init?: RequestInit,\n) => Promise<Response>;\n\n/** Safety window before expiry that triggers a refresh. */\nconst REFRESH_SAFETY_MS = 5 * 60 * 1000;\n\nexport interface OAuth2RefreshStrategyOptions {\n  integrationReader: IIntegrationReader;\n  tokenWriter: IIntegrationTokenWriter;\n  /** Injectable fetch for tests. Defaults to the global `fetch`. */\n  fetch?: FetchLike;\n  /** Injectable clock for tests. Defaults to `Date.now`. */\n  now?: () => number;\n}\n\nexport interface ParsedRefreshResponse {\n  accessToken: string;\n  /**\n   * New refresh token if the provider rotated it (HubSpot: always, Salesforce:\n   * sometimes). Omit when the provider reused the old refresh token.\n   */\n  refreshToken?: string;\n  /** Seconds from now. If omitted, subclass `defaultExpiresInSec` applies. */\n  expiresInSec?: number;\n}\n\nexport abstract class OAuth2RefreshStrategy implements IAuthStrategy {\n  protected abstract readonly provider: string;\n  protected abstract readonly defaultExpiresInSec: number;\n\n  protected readonly integrationReader: IIntegrationReader;\n  protected readonly tokenWriter: IIntegrationTokenWriter;\n  protected readonly fetchImpl: FetchLike;\n  protected readonly now: () => number;\n\n  constructor(opts: OAuth2RefreshStrategyOptions) {\n    this.integrationReader = opts.integrationReader;\n    this.tokenWriter = opts.tokenWriter;\n    this.fetchImpl = opts.fetch ?? fetch;\n    this.now = opts.now ?? Date.now;\n  }\n\n  async resolve(\n    integrationId: string,\n    opts: AuthResolveOptions = {},\n  ): Promise<AuthCredentials> {\n    const integration =\n      await this.integrationReader.findByIdDecrypted(integrationId);\n    if (!integration) {\n      throw new Error(`Integration ${integrationId} not found`);\n    }\n    if (integration.provider !== this.provider) {\n      throw new Error(\n        `${this.constructor.name} called for non-${this.provider} integration ${integrationId} (provider=${integration.provider})`,\n      );\n    }\n\n    const needsRefresh =\n      opts.forceRefresh ||\n      this.isExpiring(integration.expiresAt) ||\n      !integration.accessToken;\n\n    if (!needsRefresh) {\n      return this.buildCredentials(integration.accessToken, integration);\n    }\n\n    if (!integration.refreshToken) {\n      throw new IntegrationBrokenError(\n        integrationId,\n        'no_refresh_token',\n        'Integration has no refresh token; user must reconnect',\n      );\n    }\n\n    const { parsed, raw } = await this.executeRefresh(\n      integrationId,\n      integration.refreshToken,\n    );\n    const newExpiresAt = new Date(\n      this.now() + (parsed.expiresInSec ?? this.defaultExpiresInSec) * 1000,\n    );\n    await this.tokenWriter.persistRefresh({\n      integrationId,\n      accessToken: parsed.accessToken,\n      refreshToken: parsed.refreshToken ?? undefined,\n      expiresAt: newExpiresAt,\n    });\n\n    return this.buildCredentials(parsed.accessToken, integration, raw);\n  }\n\n  protected abstract tokenEndpoint(): string;\n  protected abstract refreshBodyExtras(): Record<string, string>;\n  protected abstract parseRefreshResponse(raw: unknown): ParsedRefreshResponse;\n  protected abstract buildCredentials(\n    accessToken: string,\n    integration: DecryptedIntegration,\n    refreshRaw?: unknown,\n  ): AuthCredentials;\n\n  private async executeRefresh(\n    integrationId: string,\n    refreshToken: string,\n  ): Promise<{ parsed: ParsedRefreshResponse; raw: unknown }> {\n    const body = new URLSearchParams({\n      grant_type: 'refresh_token',\n      refresh_token: refreshToken,\n      ...this.refreshBodyExtras(),\n    });\n    const response = await this.fetchImpl(this.tokenEndpoint(), {\n      method: 'POST',\n      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n      body: body.toString(),\n    });\n    if (!response.ok) {\n      const err = (await safeJson(response)) as Partial<{\n        error: string;\n        error_description: string;\n        message: string;\n      }>;\n      if (\n        response.status === 400 &&\n        (err.error === 'invalid_grant' || err.error === 'invalid_token')\n      ) {\n        throw new IntegrationBrokenError(\n          integrationId,\n          err.error ?? 'invalid_grant',\n          err.error_description ?? err.message ?? 'refresh token rejected',\n        );\n      }\n      throw new Error(\n        `${this.provider} token refresh failed: ${response.status} ${err.error ?? ''} ${err.error_description ?? err.message ?? ''}`.trim(),\n      );\n    }\n    const raw = await response.json();\n    return { parsed: this.parseRefreshResponse(raw), raw };\n  }\n\n  private isExpiring(expiresAt: Date | null): boolean {\n    if (!expiresAt) return true;\n    return expiresAt.getTime() - this.now() < REFRESH_SAFETY_MS;\n  }\n}\n\nasync function safeJson(response: Response): Promise<unknown> {\n  try {\n    return await response.clone().json();\n  } catch {\n    return {};\n  }\n}\n"],"mappings":";AASO,IAAM,yBAAN,cAAqC,MAAM;AAAA,EAChD,YACW,eACA,WACA,kBACT;AACA;AAAA,MACE,eAAe,aAAa,YAAY,SAAS,MAAM,gBAAgB;AAAA,IACzE;AANS;AACA;AACA;AAKT,SAAK,OAAO;AAAA,EACd;AAAA,EARW;AAAA,EACA;AAAA,EACA;AAOb;;;ACsBA,IAAM,oBAAoB,IAAI,KAAK;AAsB5B,IAAe,wBAAf,MAA8D;AAAA,EAIhD;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAEnB,YAAY,MAAoC;AAC9C,SAAK,oBAAoB,KAAK;AAC9B,SAAK,cAAc,KAAK;AACxB,SAAK,YAAY,KAAK,SAAS;AAC/B,SAAK,MAAM,KAAK,OAAO,KAAK;AAAA,EAC9B;AAAA,EAEA,MAAM,QACJ,eACA,OAA2B,CAAC,GACF;AAC1B,UAAM,cACJ,MAAM,KAAK,kBAAkB,kBAAkB,aAAa;AAC9D,QAAI,CAAC,aAAa;AAChB,YAAM,IAAI,MAAM,eAAe,aAAa,YAAY;AAAA,IAC1D;AACA,QAAI,YAAY,aAAa,KAAK,UAAU;AAC1C,YAAM,IAAI;AAAA,QACR,GAAG,KAAK,YAAY,IAAI,mBAAmB,KAAK,QAAQ,gBAAgB,aAAa,cAAc,YAAY,QAAQ;AAAA,MACzH;AAAA,IACF;AAEA,UAAM,eACJ,KAAK,gBACL,KAAK,WAAW,YAAY,SAAS,KACrC,CAAC,YAAY;AAEf,QAAI,CAAC,cAAc;AACjB,aAAO,KAAK,iBAAiB,YAAY,aAAa,WAAW;AAAA,IACnE;AAEA,QAAI,CAAC,YAAY,cAAc;AAC7B,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAEA,UAAM,EAAE,QAAQ,IAAI,IAAI,MAAM,KAAK;AAAA,MACjC;AAAA,MACA,YAAY;AAAA,IACd;AACA,UAAM,eAAe,IAAI;AAAA,MACvB,KAAK,IAAI,KAAK,OAAO,gBAAgB,KAAK,uBAAuB;AAAA,IACnE;AACA,UAAM,KAAK,YAAY,eAAe;AAAA,MACpC;AAAA,MACA,aAAa,OAAO;AAAA,MACpB,cAAc,OAAO,gBAAgB;AAAA,MACrC,WAAW;AAAA,IACb,CAAC;AAED,WAAO,KAAK,iBAAiB,OAAO,aAAa,aAAa,GAAG;AAAA,EACnE;AAAA,EAWA,MAAc,eACZ,eACA,cAC0D;AAC1D,UAAM,OAAO,IAAI,gBAAgB;AAAA,MAC/B,YAAY;AAAA,MACZ,eAAe;AAAA,MACf,GAAG,KAAK,kBAAkB;AAAA,IAC5B,CAAC;AACD,UAAM,WAAW,MAAM,KAAK,UAAU,KAAK,cAAc,GAAG;AAAA,MAC1D,QAAQ;AAAA,MACR,SAAS,EAAE,gBAAgB,oCAAoC;AAAA,MAC/D,MAAM,KAAK,SAAS;AAAA,IACtB,CAAC;AACD,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM,MAAO,MAAM,SAAS,QAAQ;AAKpC,UACE,SAAS,WAAW,QACnB,IAAI,UAAU,mBAAmB,IAAI,UAAU,kBAChD;AACA,cAAM,IAAI;AAAA,UACR;AAAA,UACA,IAAI,SAAS;AAAA,UACb,IAAI,qBAAqB,IAAI,WAAW;AAAA,QAC1C;AAAA,MACF;AACA,YAAM,IAAI;AAAA,QACR,GAAG,KAAK,QAAQ,0BAA0B,SAAS,MAAM,IAAI,IAAI,SAAS,EAAE,IAAI,IAAI,qBAAqB,IAAI,WAAW,EAAE,GAAG,KAAK;AAAA,MACpI;AAAA,IACF;AACA,UAAM,MAAM,MAAM,SAAS,KAAK;AAChC,WAAO,EAAE,QAAQ,KAAK,qBAAqB,GAAG,GAAG,IAAI;AAAA,EACvD;AAAA,EAEQ,WAAW,WAAiC;AAClD,QAAI,CAAC,UAAW,QAAO;AACvB,WAAO,UAAU,QAAQ,IAAI,KAAK,IAAI,IAAI;AAAA,EAC5C;AACF;AAEA,eAAe,SAAS,UAAsC;AAC5D,MAAI;AACF,WAAO,MAAM,SAAS,MAAM,EAAE,KAAK;AAAA,EACrC,QAAQ;AACN,WAAO,CAAC;AAAA,EACV;AACF;","names":[]}

package/dist/runtime/subsystems/auth/runtime/session-expired.error.d.ts

@@ -8,8 +8,8 @@
  * the `isSessionExpiredError` predicate to decide whether to force-refresh
  * and retry once.
  *
- * This discriminator replaces the SFDC-only `instanceof` check from
- * dealbrain-v2's original `withAuthRetry`. See
+ * This discriminator replaces the SFDC-only `instanceof` check from the
+ * extraction-source app's original `withAuthRetry`. See
  * `docs/gate-1-auth-extraction-findings.md` (recommendation 4).
  */
 declare class SessionExpiredError extends Error {

package/dist/runtime/subsystems/auth/runtime/session-expired.error.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../../../runtime/subsystems/auth/runtime/session-expired.error.ts"],"sourcesContent":["/**\n * Provider-agnostic marker for \"the access token was rejected; a forced\n * refresh may recover.\"\n *\n * Concrete provider error classes (e.g. SalesforceSessionExpiredError,\n * HubSpotUnauthorizedError) either extend `SessionExpiredError` directly or\n * set `isSessionExpired === true` on their instances. `withAuthRetry` uses\n * the `isSessionExpiredError` predicate to decide whether to force-refresh\n * and retry once.\n *\n * This discriminator replaces the SFDC-only `instanceof` check from\n * dealbrain-v2's original `withAuthRetry`. See\n * `docs/gate-1-auth-extraction-findings.md` (recommendation 4).\n */\nexport class SessionExpiredError extends Error {\n  /** Duck-type marker — works across package boundaries where `instanceof` fails. */\n  readonly isSessionExpired = true as const;\n\n  constructor(message = 'Access token rejected by provider') {\n    super(message);\n    this.name = 'SessionExpiredError';\n  }\n}\n\n/**\n * Predicate used by `withAuthRetry` by default.\n *\n * Matches any error that either `instanceof SessionExpiredError` or carries\n * the `isSessionExpired === true` marker property. Provider adapters that\n * want their existing error classes to participate can simply add the\n * marker property without touching the class hierarchy.\n */\nexport function isSessionExpiredError(err: unknown): boolean {\n  if (err instanceof SessionExpiredError) return true;\n  if (err !== null && typeof err === 'object' && 'isSessionExpired' in err) {\n    return (err as { isSessionExpired?: unknown }).isSessionExpired === true;\n  }\n  return false;\n}\n"],"mappings":";AAcO,IAAM,sBAAN,cAAkC,MAAM;AAAA;AAAA,EAEpC,mBAAmB;AAAA,EAE5B,YAAY,UAAU,qCAAqC;AACzD,UAAM,OAAO;AACb,SAAK,OAAO;AAAA,EACd;AACF;AAUO,SAAS,sBAAsB,KAAuB;AAC3D,MAAI,eAAe,oBAAqB,QAAO;AAC/C,MAAI,QAAQ,QAAQ,OAAO,QAAQ,YAAY,sBAAsB,KAAK;AACxE,WAAQ,IAAuC,qBAAqB;AAAA,EACtE;AACA,SAAO;AACT;","names":[]}
+{"version":3,"sources":["../../../../../runtime/subsystems/auth/runtime/session-expired.error.ts"],"sourcesContent":["/**\n * Provider-agnostic marker for \"the access token was rejected; a forced\n * refresh may recover.\"\n *\n * Concrete provider error classes (e.g. SalesforceSessionExpiredError,\n * HubSpotUnauthorizedError) either extend `SessionExpiredError` directly or\n * set `isSessionExpired === true` on their instances. `withAuthRetry` uses\n * the `isSessionExpiredError` predicate to decide whether to force-refresh\n * and retry once.\n *\n * This discriminator replaces the SFDC-only `instanceof` check from the\n * extraction-source app's original `withAuthRetry`. See\n * `docs/gate-1-auth-extraction-findings.md` (recommendation 4).\n */\nexport class SessionExpiredError extends Error {\n  /** Duck-type marker — works across package boundaries where `instanceof` fails. */\n  readonly isSessionExpired = true as const;\n\n  constructor(message = 'Access token rejected by provider') {\n    super(message);\n    this.name = 'SessionExpiredError';\n  }\n}\n\n/**\n * Predicate used by `withAuthRetry` by default.\n *\n * Matches any error that either `instanceof SessionExpiredError` or carries\n * the `isSessionExpired === true` marker property. Provider adapters that\n * want their existing error classes to participate can simply add the\n * marker property without touching the class hierarchy.\n */\nexport function isSessionExpiredError(err: unknown): boolean {\n  if (err instanceof SessionExpiredError) return true;\n  if (err !== null && typeof err === 'object' && 'isSessionExpired' in err) {\n    return (err as { isSessionExpired?: unknown }).isSessionExpired === true;\n  }\n  return false;\n}\n"],"mappings":";AAcO,IAAM,sBAAN,cAAkC,MAAM;AAAA;AAAA,EAEpC,mBAAmB;AAAA,EAE5B,YAAY,UAAU,qCAAqC;AACzD,UAAM,OAAO;AACb,SAAK,OAAO;AAAA,EACd;AACF;AAUO,SAAS,sBAAsB,KAAuB;AAC3D,MAAI,eAAe,oBAAqB,QAAO;AAC/C,MAAI,QAAQ,QAAQ,OAAO,QAAQ,YAAY,sBAAsB,KAAK;AACxE,WAAQ,IAAuC,qBAAqB;AAAA,EACtE;AACA,SAAO;AACT;","names":[]}

package/dist/runtime/subsystems/auth/runtime/with-auth-retry.d.ts

@@ -8,7 +8,7 @@ import { IAuthStrategy, AuthCredentials } from '../protocols/auth-strategy.js';
  * on the refreshed token propagates rather than looping, so transient
  * adapter bugs can't hang the caller.
  *
- * Generalisation over dealbrain's original SFDC-specific version: the
+ * Generalisation over the extraction source's SFDC-specific original: the
  * session-expired classifier is injected. Providers mark their session-
  * expired errors (via `instanceof` of a marker class, or by setting a known
  * property) and pass a classifier matching that shape.

package/dist/runtime/subsystems/auth/runtime/with-auth-retry.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../../../runtime/subsystems/auth/runtime/session-expired.error.ts","../../../../../runtime/subsystems/auth/runtime/with-auth-retry.ts"],"sourcesContent":["/**\n * Provider-agnostic marker for \"the access token was rejected; a forced\n * refresh may recover.\"\n *\n * Concrete provider error classes (e.g. SalesforceSessionExpiredError,\n * HubSpotUnauthorizedError) either extend `SessionExpiredError` directly or\n * set `isSessionExpired === true` on their instances. `withAuthRetry` uses\n * the `isSessionExpiredError` predicate to decide whether to force-refresh\n * and retry once.\n *\n * This discriminator replaces the SFDC-only `instanceof` check from\n * dealbrain-v2's original `withAuthRetry`. See\n * `docs/gate-1-auth-extraction-findings.md` (recommendation 4).\n */\nexport class SessionExpiredError extends Error {\n  /** Duck-type marker — works across package boundaries where `instanceof` fails. */\n  readonly isSessionExpired = true as const;\n\n  constructor(message = 'Access token rejected by provider') {\n    super(message);\n    this.name = 'SessionExpiredError';\n  }\n}\n\n/**\n * Predicate used by `withAuthRetry` by default.\n *\n * Matches any error that either `instanceof SessionExpiredError` or carries\n * the `isSessionExpired === true` marker property. Provider adapters that\n * want their existing error classes to participate can simply add the\n * marker property without touching the class hierarchy.\n */\nexport function isSessionExpiredError(err: unknown): boolean {\n  if (err instanceof SessionExpiredError) return true;\n  if (err !== null && typeof err === 'object' && 'isSessionExpired' in err) {\n    return (err as { isSessionExpired?: unknown }).isSessionExpired === true;\n  }\n  return false;\n}\n","/**\n * Run `op` with auth-aware retry-once on session-expired errors.\n *\n * Pattern: resolve creds → run op → if `isSessionExpired(e)` → resolve with\n * `forceRefresh: true` → retry → propagate. A second session-expired error\n * on the refreshed token propagates rather than looping, so transient\n * adapter bugs can't hang the caller.\n *\n * Generalisation over dealbrain's original SFDC-specific version: the\n * session-expired classifier is injected. Providers mark their session-\n * expired errors (via `instanceof` of a marker class, or by setting a known\n * property) and pass a classifier matching that shape.\n *\n * Default classifier recognises the marker interface `SessionExpiredError`\n * shipped in `session-expired.error.ts` — concrete provider errors that\n * extend it (or set `isSessionExpired === true`) get retried without any\n * further wiring.\n */\nimport type {\n  AuthCredentials,\n  IAuthStrategy,\n} from '../protocols/auth-strategy';\nimport { isSessionExpiredError } from './session-expired.error';\n\nexport interface WithAuthRetryOptions {\n  /**\n   * Classifier that decides whether a thrown error is a session-expired\n   * signal worth retrying once with a fresh token. Defaults to the marker-\n   * interface check in `session-expired.error.ts`.\n   */\n  isSessionExpired?: (err: unknown) => boolean;\n}\n\nexport async function withAuthRetry<T>(\n  authStrategy: IAuthStrategy,\n  integrationId: string,\n  op: (credentials: AuthCredentials) => Promise<T>,\n  options: WithAuthRetryOptions = {},\n): Promise<T> {\n  const classify = options.isSessionExpired ?? isSessionExpiredError;\n\n  let creds = await authStrategy.resolve(integrationId);\n  try {\n    return await op(creds);\n  } catch (e) {\n    if (!classify(e)) throw e;\n    creds = await authStrategy.resolve(integrationId, { forceRefresh: true });\n    return op(creds);\n  }\n}\n"],"mappings":";AAcO,IAAM,sBAAN,cAAkC,MAAM;AAAA;AAAA,EAEpC,mBAAmB;AAAA,EAE5B,YAAY,UAAU,qCAAqC;AACzD,UAAM,OAAO;AACb,SAAK,OAAO;AAAA,EACd;AACF;AAUO,SAAS,sBAAsB,KAAuB;AAC3D,MAAI,eAAe,oBAAqB,QAAO;AAC/C,MAAI,QAAQ,QAAQ,OAAO,QAAQ,YAAY,sBAAsB,KAAK;AACxE,WAAQ,IAAuC,qBAAqB;AAAA,EACtE;AACA,SAAO;AACT;;;ACLA,eAAsB,cACpB,cACA,eACA,IACA,UAAgC,CAAC,GACrB;AACZ,QAAM,WAAW,QAAQ,oBAAoB;AAE7C,MAAI,QAAQ,MAAM,aAAa,QAAQ,aAAa;AACpD,MAAI;AACF,WAAO,MAAM,GAAG,KAAK;AAAA,EACvB,SAAS,GAAG;AACV,QAAI,CAAC,SAAS,CAAC,EAAG,OAAM;AACxB,YAAQ,MAAM,aAAa,QAAQ,eAAe,EAAE,cAAc,KAAK,CAAC;AACxE,WAAO,GAAG,KAAK;AAAA,EACjB;AACF;","names":[]}
+{"version":3,"sources":["../../../../../runtime/subsystems/auth/runtime/session-expired.error.ts","../../../../../runtime/subsystems/auth/runtime/with-auth-retry.ts"],"sourcesContent":["/**\n * Provider-agnostic marker for \"the access token was rejected; a forced\n * refresh may recover.\"\n *\n * Concrete provider error classes (e.g. SalesforceSessionExpiredError,\n * HubSpotUnauthorizedError) either extend `SessionExpiredError` directly or\n * set `isSessionExpired === true` on their instances. `withAuthRetry` uses\n * the `isSessionExpiredError` predicate to decide whether to force-refresh\n * and retry once.\n *\n * This discriminator replaces the SFDC-only `instanceof` check from the\n * extraction-source app's original `withAuthRetry`. See\n * `docs/gate-1-auth-extraction-findings.md` (recommendation 4).\n */\nexport class SessionExpiredError extends Error {\n  /** Duck-type marker — works across package boundaries where `instanceof` fails. */\n  readonly isSessionExpired = true as const;\n\n  constructor(message = 'Access token rejected by provider') {\n    super(message);\n    this.name = 'SessionExpiredError';\n  }\n}\n\n/**\n * Predicate used by `withAuthRetry` by default.\n *\n * Matches any error that either `instanceof SessionExpiredError` or carries\n * the `isSessionExpired === true` marker property. Provider adapters that\n * want their existing error classes to participate can simply add the\n * marker property without touching the class hierarchy.\n */\nexport function isSessionExpiredError(err: unknown): boolean {\n  if (err instanceof SessionExpiredError) return true;\n  if (err !== null && typeof err === 'object' && 'isSessionExpired' in err) {\n    return (err as { isSessionExpired?: unknown }).isSessionExpired === true;\n  }\n  return false;\n}\n","/**\n * Run `op` with auth-aware retry-once on session-expired errors.\n *\n * Pattern: resolve creds → run op → if `isSessionExpired(e)` → resolve with\n * `forceRefresh: true` → retry → propagate. A second session-expired error\n * on the refreshed token propagates rather than looping, so transient\n * adapter bugs can't hang the caller.\n *\n * Generalisation over the extraction source's SFDC-specific original: the\n * session-expired classifier is injected. Providers mark their session-\n * expired errors (via `instanceof` of a marker class, or by setting a known\n * property) and pass a classifier matching that shape.\n *\n * Default classifier recognises the marker interface `SessionExpiredError`\n * shipped in `session-expired.error.ts` — concrete provider errors that\n * extend it (or set `isSessionExpired === true`) get retried without any\n * further wiring.\n */\nimport type {\n  AuthCredentials,\n  IAuthStrategy,\n} from '../protocols/auth-strategy';\nimport { isSessionExpiredError } from './session-expired.error';\n\nexport interface WithAuthRetryOptions {\n  /**\n   * Classifier that decides whether a thrown error is a session-expired\n   * signal worth retrying once with a fresh token. Defaults to the marker-\n   * interface check in `session-expired.error.ts`.\n   */\n  isSessionExpired?: (err: unknown) => boolean;\n}\n\nexport async function withAuthRetry<T>(\n  authStrategy: IAuthStrategy,\n  integrationId: string,\n  op: (credentials: AuthCredentials) => Promise<T>,\n  options: WithAuthRetryOptions = {},\n): Promise<T> {\n  const classify = options.isSessionExpired ?? isSessionExpiredError;\n\n  let creds = await authStrategy.resolve(integrationId);\n  try {\n    return await op(creds);\n  } catch (e) {\n    if (!classify(e)) throw e;\n    creds = await authStrategy.resolve(integrationId, { forceRefresh: true });\n    return op(creds);\n  }\n}\n"],"mappings":";AAcO,IAAM,sBAAN,cAAkC,MAAM;AAAA;AAAA,EAEpC,mBAAmB;AAAA,EAE5B,YAAY,UAAU,qCAAqC;AACzD,UAAM,OAAO;AACb,SAAK,OAAO;AAAA,EACd;AACF;AAUO,SAAS,sBAAsB,KAAuB;AAC3D,MAAI,eAAe,oBAAqB,QAAO;AAC/C,MAAI,QAAQ,QAAQ,OAAO,QAAQ,YAAY,sBAAsB,KAAK;AACxE,WAAQ,IAAuC,qBAAqB;AAAA,EACtE;AACA,SAAO;AACT;;;ACLA,eAAsB,cACpB,cACA,eACA,IACA,UAAgC,CAAC,GACrB;AACZ,QAAM,WAAW,QAAQ,oBAAoB;AAE7C,MAAI,QAAQ,MAAM,aAAa,QAAQ,aAAa;AACpD,MAAI;AACF,WAAO,MAAM,GAAG,KAAK;AAAA,EACvB,SAAS,GAAG;AACV,QAAI,CAAC,SAAS,CAAC,EAAG,OAAM;AACxB,YAAQ,MAAM,aAAa,QAAQ,eAAe,EAAE,cAAc,KAAK,CAAC;AACxE,WAAO,GAAG,KAAK;AAAA,EACjB;AACF;","names":[]}

package/dist/runtime/subsystems/index.d.ts

@@ -21,15 +21,20 @@ export { ObservabilityModule, ObservabilityModuleOptions } from './observability
 export { ObservabilityError } from './observability/observability-errors.js';
 export { AuthCredentials, AuthResolveOptions, IAuthStrategy } from './auth/protocols/auth-strategy.js';
 export { IEncryptionKey } from './auth/protocols/encryption-key.js';
-export { IOAuthStateStore, OAuthStateEntry } from './auth/protocols/oauth-state-store.js';
-export { DecryptedIntegration, IIntegrationReader, IIntegrationTokenWriter, IntegrationTokenUpdate } from './auth/protocols/integration-store.js';
-export { AUTH_INTEGRATION_READER, AUTH_INTEGRATION_TOKEN_WRITER, ENCRYPTION_KEY, OAUTH_STATE_STORE } from './auth/auth.tokens.js';
+export { IOAuthStateStore, OAuthStateError, OAuthStateRecord } from './auth/protocols/oauth-state-store.js';
+export { DecryptedIntegration, IIntegrationGrantSink, IIntegrationReader, IIntegrationTokenWriter, IntegrationGrantInput, IntegrationTokenUpdate } from './auth/protocols/integration-store.js';
+export { IUserContext } from './auth/protocols/user-context.js';
+export { ExchangedTokens, IProviderStrategy, ProviderStrategyRegistry } from './auth/protocols/provider-strategy.js';
+export { AUTH_INTEGRATION_GRANT_SINK, AUTH_INTEGRATION_READER, AUTH_INTEGRATION_TOKEN_WRITER, AUTH_OPTIONS, AUTH_USER_CONTEXT, ENCRYPTION_KEY, OAUTH_STATE_STORE, STRATEGY_REGISTRY } from './auth/auth.tokens.js';
 export { OAuth2RefreshStrategy, ParsedRefreshResponse } from './auth/runtime/oauth2-refresh.strategy.js';
 export { withAuthRetry } from './auth/runtime/with-auth-retry.js';
 export { IntegrationBrokenError } from './auth/runtime/integration-broken.error.js';
 export { SessionExpiredError, isSessionExpiredError } from './auth/runtime/session-expired.error.js';
+export { AuthOAuthState, authOAuthState } from './auth/auth-oauth-state.schema.js';
 export { EnvEncryptionKey } from './auth/backends/encryption-key/env.js';
-export { InMemoryOAuthStateStore } from './auth/backends/oauth-state-store/in-memory.js';
+export { MemoryOAuthStateStore } from './auth/backends/state-store.memory-backend.js';
+export { DrizzleOAuthStateStore } from './auth/backends/state-store.drizzle-backend.js';
+export { AuthController } from './auth/controllers/auth.controller.js';
 export { AuthModule } from './auth/auth.module.js';
 export { CursorSnapshot } from './sync/sync-cursor-store.protocol.js';
 export { StatusHistogram } from './bridge/bridge.protocol.js';

package/dist/runtime/subsystems/index.js

@@ -3971,11 +3971,25 @@ var ObservabilityError = class extends Error {
   cause;
 };
 
+// runtime/subsystems/auth/protocols/oauth-state-store.ts
+var OAuthStateError = class extends Error {
+  constructor(message, reason) {
+    super(message);
+    this.reason = reason;
+    this.name = "OAuthStateError";
+  }
+  reason;
+};
+
 // runtime/subsystems/auth/auth.tokens.ts
 var ENCRYPTION_KEY = /* @__PURE__ */ Symbol("ENCRYPTION_KEY");
 var OAUTH_STATE_STORE = /* @__PURE__ */ Symbol("OAUTH_STATE_STORE");
 var AUTH_INTEGRATION_READER = /* @__PURE__ */ Symbol("AUTH_INTEGRATION_READER");
 var AUTH_INTEGRATION_TOKEN_WRITER = /* @__PURE__ */ Symbol("AUTH_INTEGRATION_TOKEN_WRITER");
+var AUTH_INTEGRATION_GRANT_SINK = /* @__PURE__ */ Symbol("AUTH_INTEGRATION_GRANT_SINK");
+var AUTH_USER_CONTEXT = /* @__PURE__ */ Symbol("AUTH_USER_CONTEXT");
+var STRATEGY_REGISTRY = /* @__PURE__ */ Symbol("STRATEGY_REGISTRY");
+var AUTH_OPTIONS = /* @__PURE__ */ Symbol("AUTH_OPTIONS");
 
 // runtime/subsystems/auth/runtime/integration-broken.error.ts
 var IntegrationBrokenError = class extends Error {
@@ -4112,6 +4126,15 @@ async function withAuthRetry(authStrategy, integrationId, op, options = {}) {
   }
 }
 
+// runtime/subsystems/auth/auth-oauth-state.schema.ts
+import { pgTable as pgTable4, text as text4, timestamp as timestamp4 } from "drizzle-orm/pg-core";
+var authOAuthState = pgTable4("auth_oauth_state", {
+  state: text4("state").primaryKey(),
+  userId: text4("user_id").notNull(),
+  redirect: text4("redirect"),
+  expiresAt: timestamp4("expires_at", { withTimezone: true }).notNull()
+});
+
 // runtime/subsystems/auth/backends/encryption-key/env.ts
 import { createCipheriv, createDecipheriv, randomBytes } from "crypto";
 var ALGO = "aes-256-gcm";
@@ -4122,7 +4145,7 @@ var EnvEncryptionKey = class {
   key;
   constructor(opts = {}) {
     const env = opts.env ?? process.env;
-    const envVar = opts.envVar ?? "TOKEN_ENCRYPTION_KEY";
+    const envVar = opts.envVar ?? "INTEGRATION_TOKEN_ENCRYPTION_KEY";
     const raw = env[envVar];
     if (!raw) {
       throw new Error(
@@ -4162,26 +4185,198 @@ var EnvEncryptionKey = class {
   }
 };
 
-// runtime/subsystems/auth/backends/oauth-state-store/in-memory.ts
-var InMemoryOAuthStateStore = class {
+// runtime/subsystems/auth/backends/state-store.memory-backend.ts
+import { randomBytes as randomBytes2 } from "crypto";
+var MemoryOAuthStateStore = class {
   store = /* @__PURE__ */ new Map();
   ttlMs;
   now;
+  generateToken;
   constructor(opts = {}) {
     this.ttlMs = opts.ttlMs ?? 10 * 60 * 1e3;
     this.now = opts.now ?? (() => Date.now());
+    this.generateToken = opts.generateToken ?? (() => randomBytes2(32).toString("base64url"));
   }
-  async put(state, entry) {
-    this.store.set(state, { entry, expiresAt: this.now() + this.ttlMs });
+  async generate(record) {
+    const state = this.generateToken();
+    this.store.set(state, {
+      record: { ...record },
+      expiresAt: this.now() + this.ttlMs
+    });
+    return state;
   }
   async consume(state) {
     const slot = this.store.get(state);
-    if (!slot) return null;
+    if (!slot) {
+      throw new OAuthStateError(
+        `OAuth state token unknown or already consumed`,
+        "missing"
+      );
+    }
     this.store.delete(state);
-    if (slot.expiresAt <= this.now()) return null;
-    return slot.entry;
+    if (slot.expiresAt <= this.now()) {
+      throw new OAuthStateError(`OAuth state token expired`, "expired");
+    }
+    return slot.record;
+  }
+};
+
+// runtime/subsystems/auth/backends/state-store.drizzle-backend.ts
+import { randomBytes as randomBytes3 } from "crypto";
+import { eq as eq7 } from "drizzle-orm";
+var DrizzleOAuthStateStore = class {
+  constructor(db, opts = {}) {
+    this.db = db;
+    this.ttlMs = opts.ttlMs ?? 10 * 60 * 1e3;
+    this.now = opts.now ?? (() => Date.now());
+    this.generateToken = opts.generateToken ?? (() => randomBytes3(32).toString("base64url"));
+  }
+  db;
+  ttlMs;
+  now;
+  generateToken;
+  async generate(record) {
+    const state = this.generateToken();
+    const expiresAt = new Date(this.now() + this.ttlMs);
+    await this.db.insert(authOAuthState).values({
+      state,
+      userId: record.userId,
+      redirect: record.redirect ?? null,
+      expiresAt
+    });
+    return state;
+  }
+  async consume(state) {
+    const rows = await this.db.delete(authOAuthState).where(eq7(authOAuthState.state, state)).returning();
+    const row = rows[0];
+    if (!row) {
+      throw new OAuthStateError(
+        `OAuth state token unknown or already consumed`,
+        "missing"
+      );
+    }
+    if (row.expiresAt.getTime() <= this.now()) {
+      throw new OAuthStateError(`OAuth state token expired`, "expired");
+    }
+    return {
+      userId: row.userId,
+      redirect: row.redirect ?? void 0
+    };
+  }
+};
+
+// runtime/subsystems/auth/controllers/auth.controller.ts
+import {
+  Controller,
+  Get,
+  Inject as Inject16,
+  Param,
+  Query,
+  Req,
+  Res,
+  HttpException,
+  HttpStatus
+} from "@nestjs/common";
+var AuthController = class {
+  constructor(registry, userContext, stateStore, grantSink, options) {
+    this.registry = registry;
+    this.userContext = userContext;
+    this.stateStore = stateStore;
+    this.grantSink = grantSink;
+    this.options = options;
+  }
+  registry;
+  userContext;
+  stateStore;
+  grantSink;
+  options;
+  async connect(slug, redirect, req, res) {
+    const strategy = this.requireStrategy(slug);
+    const userId = await this.userContext.getCurrentUserId(req);
+    const state = await this.stateStore.generate({ userId, redirect });
+    const url = strategy.buildAuthorizeUrl({
+      state,
+      redirectUri: this.redirectUriFor(slug)
+    });
+    return res.redirect(HttpStatus.FOUND, url);
+  }
+  async callback(slug, code, state, res) {
+    const strategy = this.requireStrategy(slug);
+    if (!code) {
+      throw new HttpException(
+        `Missing 'code' query param`,
+        HttpStatus.BAD_REQUEST
+      );
+    }
+    if (!state) {
+      throw new HttpException(
+        `Missing 'state' query param`,
+        HttpStatus.BAD_REQUEST
+      );
+    }
+    const { userId, redirect } = await this.stateStore.consume(state);
+    const tokens = await strategy.exchangeCodeForTokens({
+      code,
+      redirectUri: this.redirectUriFor(slug)
+    });
+    await this.grantSink.createOrUpdateFromOAuthGrant({
+      userId,
+      provider: slug,
+      accessToken: tokens.accessToken,
+      refreshToken: tokens.refreshToken,
+      expiresAt: tokens.expiresAt,
+      scope: tokens.scope,
+      externalAccountId: tokens.externalAccountId,
+      providerMetadata: tokens.providerMetadata
+    });
+    return res.redirect(
+      HttpStatus.FOUND,
+      redirect ?? `/settings/integrations?connected=${encodeURIComponent(slug)}`
+    );
+  }
+  requireStrategy(slug) {
+    const strategy = this.registry.get(slug);
+    if (!strategy) {
+      throw new HttpException(
+        `Unknown provider '${slug}'`,
+        HttpStatus.NOT_FOUND
+      );
+    }
+    return strategy;
+  }
+  redirectUriFor(slug) {
+    const base = this.options.redirectUriBase;
+    if (!base) {
+      throw new Error(
+        `AuthModule.forRoot: redirectUriBase is required when AuthController is enabled`
+      );
+    }
+    const trimmed = base.replace(/\/+$/, "");
+    return `${trimmed}/auth/${encodeURIComponent(slug)}/callback`;
   }
 };
+__decorateClass([
+  Get(":provider/connect"),
+  __decorateParam(0, Param("provider")),
+  __decorateParam(1, Query("redirect")),
+  __decorateParam(2, Req()),
+  __decorateParam(3, Res())
+], AuthController.prototype, "connect", 1);
+__decorateClass([
+  Get(":provider/callback"),
+  __decorateParam(0, Param("provider")),
+  __decorateParam(1, Query("code")),
+  __decorateParam(2, Query("state")),
+  __decorateParam(3, Res())
+], AuthController.prototype, "callback", 1);
+AuthController = __decorateClass([
+  Controller("auth"),
+  __decorateParam(0, Inject16(STRATEGY_REGISTRY)),
+  __decorateParam(1, Inject16(AUTH_USER_CONTEXT)),
+  __decorateParam(2, Inject16(OAUTH_STATE_STORE)),
+  __decorateParam(3, Inject16(AUTH_INTEGRATION_GRANT_SINK)),
+  __decorateParam(4, Inject16(AUTH_OPTIONS))
+], AuthController);
 
 // runtime/subsystems/auth/auth.module.ts
 import { Module as Module7 } from "@nestjs/common";
@@ -4192,24 +4387,54 @@ function resolveEncryptionKeyProvider(choice) {
   return { provide: ENCRYPTION_KEY, ...choice };
 }
 function resolveOAuthStateStoreProvider(choice) {
-  if (choice === "in-memory") {
-    return { provide: OAUTH_STATE_STORE, useClass: InMemoryOAuthStateStore };
+  if (choice === "memory") {
+    return { provide: OAUTH_STATE_STORE, useClass: MemoryOAuthStateStore };
+  }
+  if (choice === "drizzle") {
+    return {
+      provide: OAUTH_STATE_STORE,
+      useFactory: (db) => {
+        if (!db) {
+          throw new Error(
+            "AuthModule.forRoot: oauthStateStore: 'drizzle' selected but DRIZZLE provider is not available. Ensure DatabaseModule (or another provider exposing DRIZZLE) is imported before AuthModule.forRoot."
+          );
+        }
+        return new DrizzleOAuthStateStore(db);
+      },
+      inject: [{ token: DRIZZLE, optional: true }]
+    };
   }
   return { provide: OAUTH_STATE_STORE, ...choice };
 }
 var AuthModule = class {
   static forRoot(options = {}) {
+    const resolved = {
+      encryptionKey: options.encryptionKey ?? "env",
+      oauthStateStore: options.oauthStateStore ?? "memory",
+      enableController: options.enableController ?? false,
+      redirectUriBase: options.redirectUriBase
+    };
+    if (resolved.enableController && !resolved.redirectUriBase) {
+      throw new Error(
+        "AuthModule.forRoot: redirectUriBase is required when enableController: true"
+      );
+    }
     const encryptionKeyProvider = resolveEncryptionKeyProvider(
-      options.encryptionKey ?? "env"
+      resolved.encryptionKey
     );
     const oauthStateStoreProvider = resolveOAuthStateStoreProvider(
-      options.oauthStateStore ?? "in-memory"
+      resolved.oauthStateStore
     );
+    const optionsProvider = {
+      provide: AUTH_OPTIONS,
+      useValue: resolved
+    };
     return {
       module: AuthModule,
       global: true,
-      providers: [encryptionKeyProvider, oauthStateStoreProvider],
-      exports: [ENCRYPTION_KEY, OAUTH_STATE_STORE]
+      providers: [encryptionKeyProvider, oauthStateStoreProvider, optionsProvider],
+      controllers: resolved.enableController ? [AuthController] : [],
+      exports: [ENCRYPTION_KEY, OAUTH_STATE_STORE, AUTH_OPTIONS]
     };
   }
 };
@@ -4217,32 +4442,40 @@ AuthModule = __decorateClass([
   Module7({})
 ], AuthModule);
 export {
+  AUTH_INTEGRATION_GRANT_SINK,
   AUTH_INTEGRATION_READER,
   AUTH_INTEGRATION_TOKEN_WRITER,
+  AUTH_OPTIONS,
+  AUTH_USER_CONTEXT,
+  AuthController,
   AuthModule,
   CACHE,
   CacheModule,
   DrizzleCacheService,
   DrizzleEventBus,
+  DrizzleOAuthStateStore,
   ENCRYPTION_KEY,
   EVENT_BUS,
   EnvEncryptionKey,
   EventsModule,
-  InMemoryOAuthStateStore,
   IntegrationBrokenError,
   LocalStorageBackend,
   MemoryCacheService,
   MemoryEventBus,
+  MemoryOAuthStateStore,
   MemoryStorageBackend,
   OAUTH_STATE_STORE,
   OAuth2RefreshStrategy,
+  OAuthStateError,
   OBSERVABILITY,
   OBSERVABILITY_MODULE_OPTIONS,
   ObservabilityError,
   ObservabilityModule,
   STORAGE,
+  STRATEGY_REGISTRY,
   SessionExpiredError,
   StorageModule,
+  authOAuthState,
   collisionModeEnum,
   isSessionExpiredError,
   jobRunStatusEnum,