@payez/next-mvp 3.0.0

package/dist/lib/jwt-decode-client.js

@@ -0,0 +1,46 @@
+"use strict";
+/**
+ * Client-safe JWT decode (no Node.js dependencies)
+ * This is a lightweight version for browser usage
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.jwtDecode = jwtDecode;
+// Decode base64url
+function base64urlDecode(base64url) {
+    try {
+        // Convert base64url to base64
+        let base64 = base64url.replace(/-/g, '+').replace(/_/g, '/');
+        // Add padding if needed
+        while (base64.length % 4) {
+            base64 += '=';
+        }
+        return atob(base64);
+    }
+    catch (e) {
+        throw new Error('Invalid base64url encoding');
+    }
+}
+/**
+ * Simple JWT decode for client-side use (no signature verification)
+ * @param token - JWT token string
+ * @returns Decoded payload or null if invalid
+ */
+function jwtDecode(token) {
+    if (!token)
+        return null;
+    try {
+        const parts = token.split('.');
+        if (parts.length < 2) {
+            console.error('[JWT] Invalid token format');
+            return null;
+        }
+        const payload = parts[1];
+        const decoded = base64urlDecode(payload);
+        const parsedPayload = JSON.parse(decoded);
+        return parsedPayload;
+    }
+    catch (e) {
+        console.error('[JWT] Decode failed:', e instanceof Error ? e.message : 'Unknown error');
+        return null;
+    }
+}

package/dist/lib/jwt-decode.d.ts

@@ -0,0 +1,48 @@
+export interface JwtPayload {
+    iss?: string;
+    sub?: string;
+    aud?: string[] | string;
+    exp?: number;
+    nbf?: number;
+    iat?: number;
+    jti?: string;
+}
+/**
+ * JWT Header structure.
+ * Contains metadata about the token including the signing key ID.
+ */
+export interface JwtHeader {
+    /** Algorithm used to sign the token (e.g., 'RS256', 'HS256') */
+    alg: string;
+    /** Token type (typically 'JWT') */
+    typ?: string;
+    /** Key ID - identifies which key was used to sign this token */
+    kid?: string;
+    /** Content type */
+    cty?: string;
+}
+/**
+ * Decode JWT payload (standard claims).
+ * This is a thin wrapper around jwt-decode library.
+ */
+export declare function jwtDecode<T = JwtPayload>(token: string): T;
+/**
+ * Decode JWT header to extract kid, alg, and other header claims.
+ *
+ * The JWT header contains critical information:
+ * - kid: Key ID used to sign the token (needed for key governance)
+ * - alg: Algorithm used for signing
+ * - typ: Token type
+ *
+ * @param token - The JWT token string
+ * @returns Decoded header or null if decoding fails
+ */
+export declare function decodeJwtHeader(token: string): JwtHeader | null;
+/**
+ * Extract just the kid (Key ID) from a JWT token.
+ * Convenience function for when you only need the key ID.
+ *
+ * @param token - The JWT token string
+ * @returns The kid value or undefined if not present/decodable
+ */
+export declare function extractKidFromToken(token: string): string | undefined;

package/dist/lib/jwt-decode.js

@@ -0,0 +1,57 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.jwtDecode = jwtDecode;
+exports.decodeJwtHeader = decodeJwtHeader;
+exports.extractKidFromToken = extractKidFromToken;
+const jwt_decode_1 = require("jwt-decode");
+/**
+ * Decode JWT payload (standard claims).
+ * This is a thin wrapper around jwt-decode library.
+ */
+function jwtDecode(token) {
+    return (0, jwt_decode_1.jwtDecode)(token);
+}
+/**
+ * Decode JWT header to extract kid, alg, and other header claims.
+ *
+ * The JWT header contains critical information:
+ * - kid: Key ID used to sign the token (needed for key governance)
+ * - alg: Algorithm used for signing
+ * - typ: Token type
+ *
+ * @param token - The JWT token string
+ * @returns Decoded header or null if decoding fails
+ */
+function decodeJwtHeader(token) {
+    try {
+        if (!token || typeof token !== 'string') {
+            return null;
+        }
+        const parts = token.split('.');
+        if (parts.length !== 3) {
+            console.warn('[JWT_DECODE] Invalid JWT structure - expected 3 parts, got', parts.length);
+            return null;
+        }
+        // Decode base64url header (part 0)
+        const headerB64 = parts[0].replace(/-/g, '+').replace(/_/g, '/');
+        const headerJson = typeof atob !== 'undefined'
+            ? atob(headerB64)
+            : Buffer.from(headerB64, 'base64').toString('utf-8');
+        return JSON.parse(headerJson);
+    }
+    catch (error) {
+        console.error('[JWT_DECODE] Failed to decode JWT header:', error);
+        return null;
+    }
+}
+/**
+ * Extract just the kid (Key ID) from a JWT token.
+ * Convenience function for when you only need the key ID.
+ *
+ * @param token - The JWT token string
+ * @returns The kid value or undefined if not present/decodable
+ */
+function extractKidFromToken(token) {
+    const header = decodeJwtHeader(token);
+    return header?.kid;
+}

package/dist/lib/nextauth-secret.d.ts

@@ -0,0 +1,10 @@
+import 'server-only';
+/**
+ * Resolve the NextAuth secret (server-only).
+ *
+ * Priority:
+ * 1) Use process.env.NEXTAUTH_SECRET if present (allows overrides/production)
+ * 2) Fetch from IDP broker endpoint - IDP handles all Key Vault/signing
+ * 3) Cache result in-memory and set process.env.NEXTAUTH_SECRET for subsequent calls
+ */
+export declare function resolveNextAuthSecret(): Promise<string>;

package/dist/lib/nextauth-secret.js

@@ -0,0 +1,104 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.resolveNextAuthSecret = resolveNextAuthSecret;
+require("server-only");
+const secret_validation_1 = require("./secret-validation");
+const crypto_1 = require("crypto");
+let cachedSecret = null;
+let lastFetchedAt = 0;
+/**
+ * Resolve the NextAuth secret (server-only).
+ *
+ * Priority:
+ * 1) Use process.env.NEXTAUTH_SECRET if present (allows overrides/production)
+ * 2) Fetch from IDP broker endpoint - IDP handles all Key Vault/signing
+ * 3) Cache result in-memory and set process.env.NEXTAUTH_SECRET for subsequent calls
+ */
+async function resolveNextAuthSecret() {
+    // Check if already in environment
+    if (process.env.NEXTAUTH_SECRET && process.env.NEXTAUTH_SECRET.trim() !== '') {
+        // Silent - already configured
+        return process.env.NEXTAUTH_SECRET;
+    }
+    // Check if cached and fresh (within 5 minutes)
+    if (cachedSecret && Date.now() - lastFetchedAt < 5 * 60 * 1000) {
+        return cachedSecret;
+    }
+    // Broker mode: fetch from IDP (IDP handles all Key Vault/signing)
+    const base = process.env.IDP_URL;
+    if (!base)
+        throw new Error('IDP_URL environment variable is required');
+    const clientIdStr = process.env.CLIENT_ID;
+    if (!clientIdStr || clientIdStr.trim() === '')
+        throw new Error('CLIENT_ID is required (e.g., "ideal_resume_website")');
+    // Determine if clientId is numeric or string
+    const isNumeric = /^[0-9]+$/.test(clientIdStr);
+    const clientId = isNumeric ? parseInt(clientIdStr, 10) : clientIdStr;
+    // Step 1: Request IDP to sign a client assertion (IDP has the keys, not us)
+    const signingUrl = new URL(`${base.replace(/\/$/, '')}/api/ExternalAuth/sign-client-assertion`);
+    // Client ID passed via X-Client-Id header, not query string
+    const signingPayload = {
+        issuer: clientIdStr,
+        subject: clientIdStr,
+        audience: 'urn:payez:externalauth:nextauthsecret',
+        expires_in: 60
+    };
+    const signingResp = await fetch(signingUrl.toString(), {
+        method: 'POST',
+        headers: {
+            'Accept': 'application/json',
+            'Content-Type': 'application/json',
+            'X-Client-Id': clientIdStr,
+            'X-Correlation-Id': (0, crypto_1.randomUUID)().replace(/-/g, ''),
+        },
+        body: JSON.stringify(signingPayload),
+        cache: 'no-store'
+    });
+    if (!signingResp.ok) {
+        const txt = await signingResp.text().catch(() => 'Unknown error');
+        throw new Error(`Failed to sign client assertion: ${signingResp.status} ${signingResp.statusText} - ${txt}`);
+    }
+    const signingBody = await signingResp.json().catch(() => ({}));
+    const client_assertion = (signingBody?.data?.client_assertion ??
+        signingBody?.data?.clientAssertion ??
+        signingBody?.client_assertion ??
+        signingBody?.clientAssertion ??
+        signingBody?.data?.ClientAssertion ??
+        signingBody?.ClientAssertion);
+    if (!client_assertion || typeof client_assertion !== 'string') {
+        throw new Error('IDP did not return a valid signed client assertion');
+    }
+    // Step 2: Use the signed assertion to fetch the NextAuth secret
+    const proxyUrl = new URL(`${base.replace(/\/$/, '')}/api/ExternalAuth/next-auth/secret`);
+    const proxyResp = await fetch(proxyUrl.toString(), {
+        method: 'POST',
+        headers: {
+            'Accept': 'application/json',
+            'Content-Type': 'application/json',
+            'X-Client-Id': clientIdStr,
+            'X-Correlation-Id': (0, crypto_1.randomUUID)().replace(/-/g, ''),
+        },
+        body: JSON.stringify({ client_assertion }),
+        cache: 'no-store'
+    });
+    if (!proxyResp.ok) {
+        const txt = await proxyResp.text().catch(() => 'Unknown error');
+        throw new Error(`Proxy error: ${proxyResp.status} ${proxyResp.statusText} - ${txt}`);
+    }
+    const proxyBody = await proxyResp.json().catch(() => ({}));
+    const secret = (proxyBody?.data?.secret ?? proxyBody?.secret);
+    const configuration = (proxyBody?.data?.configuration ?? proxyBody?.configuration);
+    // Configuration is available but we don't log it verbosely
+    if (!secret || typeof secret !== 'string') {
+        throw new Error('Proxy did not return a valid NextAuth secret');
+    }
+    const validation = (0, secret_validation_1.validateNextAuthSecret)(secret);
+    if (!validation.valid) {
+        throw new Error(`Fetched NextAuth secret failed validation: ${validation.reason}`);
+    }
+    cachedSecret = secret;
+    lastFetchedAt = Date.now();
+    process.env.NEXTAUTH_SECRET = secret;
+    console.log('[NEXTAUTH-SECRET] Resolved from IDP (length:', secret.length + ')');
+    return secret;
+}

package/dist/lib/rate-limit-service.d.ts

@@ -0,0 +1,23 @@
+export interface RateLimitRule {
+    endpoint: string;
+    period: string;
+    limit: number;
+}
+export interface RateLimitResult {
+    isAllowed: boolean;
+    requestCount: number;
+    limit: number;
+    retryAfterSeconds?: number;
+    failedAttempts?: number;
+}
+export declare function createPayEzRateLimitResponse(retryAfterSeconds: number, remainingAttempts?: number): {
+    success: boolean;
+    message: string;
+    user_info: null;
+    errors: {
+        code: string;
+        message: string;
+        resolution: string;
+        remainingAttempts: number;
+    }[];
+};

package/dist/lib/rate-limit-service.js

@@ -0,0 +1,6 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createPayEzRateLimitResponse = createPayEzRateLimitResponse;
+function createPayEzRateLimitResponse(retryAfterSeconds, remainingAttempts = 0) {
+    return { success: false, message: 'Too many failed attempts', user_info: null, errors: [{ code: 'RateLimitExceeded', message: 'Too many failed authentication attempts', resolution: `Please try again in ${retryAfterSeconds} seconds`, remainingAttempts }] };
+}

package/dist/lib/redis.d.ts

@@ -0,0 +1,5 @@
+import Redis from 'ioredis';
+export declare function getRedis(): Redis;
+declare const redis: Redis;
+export { redis };
+export default redis;

package/dist/lib/redis.js

@@ -0,0 +1,28 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.redis = void 0;
+exports.getRedis = getRedis;
+// E:\Repos\PayEz-Next-MVP\packages\next-mvp\src\lib\redis.ts
+const ioredis_1 = __importDefault(require("ioredis"));
+let client = null;
+function createClient() {
+    const url = process.env.REDIS_URL;
+    if (url && url.trim() !== '') {
+        // Use a standard configuration for better Docker compatibility
+        return new ioredis_1.default(url);
+    }
+    // No REDIS_URL set, create a client that will fail fast.
+    return new ioredis_1.default({ lazyConnect: true });
+}
+function getRedis() {
+    if (!client) {
+        client = createClient();
+    }
+    return client;
+}
+const redis = getRedis();
+exports.redis = redis;
+exports.default = redis;

package/dist/lib/refresh-token-validator.d.ts

@@ -0,0 +1,13 @@
+export declare function isRefreshTokenValid(token: string): boolean;
+export declare function isRefreshTokenExpiring(token: string, bufferMinutes?: number): boolean;
+export declare function getRefreshTokenExpiration(token: string): number | null;
+export declare function getRefreshTokenTimeRemaining(token: string): number | null;
+export interface RefreshViabilityCheck {
+    canRefresh: boolean;
+    reason: 'valid_refresh_token' | 'no_refresh_token' | 'refresh_token_expired' | 'session_missing';
+    timeRemaining?: number;
+    expiresAt?: string;
+    accessTokenExpired?: boolean;
+    accessTokenTimeRemaining?: number;
+}
+export declare function checkRefreshViability(sessionData: any): RefreshViabilityCheck;

package/dist/lib/refresh-token-validator.js

@@ -0,0 +1,117 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isRefreshTokenValid = isRefreshTokenValid;
+exports.isRefreshTokenExpiring = isRefreshTokenExpiring;
+exports.getRefreshTokenExpiration = getRefreshTokenExpiration;
+exports.getRefreshTokenTimeRemaining = getRefreshTokenTimeRemaining;
+exports.checkRefreshViability = checkRefreshViability;
+const jwt_decode_1 = require("./jwt-decode");
+const logger_1 = require("../config/logger");
+function isRefreshTokenValid(token) {
+    if (!token)
+        return false;
+    try {
+        const decoded = (0, jwt_decode_1.jwtDecode)(token);
+        if (!decoded)
+            return false;
+        const now = Math.floor(Date.now() / 1000);
+        if (decoded.exp < now)
+            return false;
+        if (decoded.token_type !== 'refresh_token')
+            return false;
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+function isRefreshTokenExpiring(token, bufferMinutes = 60) {
+    if (!token)
+        return true;
+    try {
+        const decoded = (0, jwt_decode_1.jwtDecode)(token);
+        if (!decoded?.exp)
+            return true;
+        const now = Math.floor(Date.now() / 1000);
+        const buffer = bufferMinutes * 60;
+        return decoded.exp <= (now + buffer);
+    }
+    catch {
+        return true;
+    }
+}
+function getRefreshTokenExpiration(token) {
+    if (!token)
+        return null;
+    try {
+        const decoded = (0, jwt_decode_1.jwtDecode)(token);
+        if (!decoded?.exp)
+            return null;
+        return decoded.exp * 1000;
+    }
+    catch {
+        return null;
+    }
+}
+function getRefreshTokenTimeRemaining(token) {
+    if (!token)
+        return null;
+    try {
+        const decoded = (0, jwt_decode_1.jwtDecode)(token);
+        if (!decoded?.exp)
+            return null;
+        const now = Math.floor(Date.now() / 1000);
+        const timeRemaining = decoded.exp - now;
+        return timeRemaining > 0 ? timeRemaining : null;
+    }
+    catch {
+        return null;
+    }
+}
+function checkRefreshViability(sessionData) {
+    if (!sessionData)
+        return { canRefresh: false, reason: 'session_missing' };
+    let accessTokenExpired = false;
+    let accessTokenTimeRemaining;
+    if (sessionData.idpAccessTokenExpires) {
+        const now = Date.now();
+        let expiresAtMs = sessionData.idpAccessTokenExpires;
+        if (typeof expiresAtMs === 'string')
+            expiresAtMs = parseInt(expiresAtMs, 10);
+        if (expiresAtMs < 1000000000000)
+            expiresAtMs = expiresAtMs * 1000;
+        accessTokenTimeRemaining = Math.floor((expiresAtMs - now) / 1000);
+        const bufferSec = 5 * 60; // 5 minutes pre-expiry buffer
+        accessTokenExpired = accessTokenTimeRemaining <= bufferSec;
+        logger_1.tokenRefreshLogger.debug('[REFRESH_VIABILITY] Access token expiration check', { now, expiresAtMs, accessTokenTimeRemaining, bufferSec, accessTokenExpired });
+    }
+    if (!sessionData.idpRefreshToken)
+        return { canRefresh: false, reason: 'no_refresh_token', accessTokenExpired, accessTokenTimeRemaining };
+    if (sessionData.idpRefreshTokenExpires) {
+        let refreshExpMs = sessionData.idpRefreshTokenExpires;
+        if (typeof refreshExpMs === 'string')
+            refreshExpMs = parseInt(refreshExpMs, 10);
+        if (refreshExpMs < 1000000000000)
+            refreshExpMs = refreshExpMs * 1000;
+        const nowMs = Date.now();
+        const timeRemainingSec = Math.floor((refreshExpMs - nowMs) / 1000);
+        if (timeRemainingSec <= 0)
+            return { canRefresh: false, reason: 'refresh_token_expired', accessTokenExpired, accessTokenTimeRemaining };
+        return { canRefresh: true, reason: 'valid_refresh_token', timeRemaining: timeRemainingSec, expiresAt: new Date(refreshExpMs).toISOString(), accessTokenExpired, accessTokenTimeRemaining };
+    }
+    try {
+        const decoded = (0, jwt_decode_1.jwtDecode)(sessionData.idpRefreshToken);
+        const nowSec = Math.floor(Date.now() / 1000);
+        if (!decoded?.exp || decoded.token_type !== 'refresh_token')
+            return { canRefresh: false, reason: 'refresh_token_expired', accessTokenExpired, accessTokenTimeRemaining };
+        const timeRemaining = decoded.exp - nowSec;
+        if (timeRemaining <= 0)
+            return { canRefresh: false, reason: 'refresh_token_expired', accessTokenExpired, accessTokenTimeRemaining };
+        const expiresAtIso = new Date(decoded.exp * 1000).toISOString();
+        return { canRefresh: true, reason: 'valid_refresh_token', timeRemaining, expiresAt: expiresAtIso, accessTokenExpired, accessTokenTimeRemaining };
+    }
+    catch (error) {
+        logger_1.tokenRefreshLogger.debug('[REFRESH_VIABILITY] Failed to decode refresh token for viability', { error: error instanceof Error ? error.message : String(error) });
+        return { canRefresh: false, reason: 'refresh_token_expired', accessTokenExpired, accessTokenTimeRemaining };
+    }
+}

package/dist/lib/roles.d.ts

@@ -0,0 +1,145 @@
+/**
+ * Vibe Role Constants and Utilities
+ *
+ * Centralized role definitions for consistent authorization across the stack.
+ *
+ * @version 1.0
+ */
+/**
+ * Global platform roles (IDP-level)
+ * These roles are managed at the IDP and grant cross-client access.
+ */
+export declare const GlobalRoles: {
+    /** Platform super admin - full access to everything */
+    readonly PAYEZ_ADMIN: "payez_admin";
+    /** IDP client admin - manages IDP client configuration */
+    readonly IDP_CLIENT_ADMIN: "idp_client_admin";
+    /** Vibe platform admin - manages Vibe infrastructure globally */
+    readonly VIBE_APP_ADMIN: "vibe_app_admin";
+    /** Vibe client admin - manages Vibe for a specific tenant */
+    readonly VIBE_CLIENT_ADMIN: "vibe_client_admin";
+    /** Vibe agents user - AI agents operating via CLI/automation */
+    readonly VIBE_AGENTS_USER: "vibe_agents_user";
+};
+/**
+ * Application-level roles (per-client)
+ * These roles are scoped to a specific client/tenant.
+ */
+export declare const AppRoles: {
+    /** Standard authenticated user */
+    readonly VIBE_APP_USER: "vibe_app_user";
+};
+/**
+ * All Vibe roles combined
+ */
+export declare const VibeRoles: {
+    /** Standard authenticated user */
+    readonly VIBE_APP_USER: "vibe_app_user";
+    /** Platform super admin - full access to everything */
+    readonly PAYEZ_ADMIN: "payez_admin";
+    /** IDP client admin - manages IDP client configuration */
+    readonly IDP_CLIENT_ADMIN: "idp_client_admin";
+    /** Vibe platform admin - manages Vibe infrastructure globally */
+    readonly VIBE_APP_ADMIN: "vibe_app_admin";
+    /** Vibe client admin - manages Vibe for a specific tenant */
+    readonly VIBE_CLIENT_ADMIN: "vibe_client_admin";
+    /** Vibe agents user - AI agents operating via CLI/automation */
+    readonly VIBE_AGENTS_USER: "vibe_agents_user";
+};
+/**
+ * Roles that grant admin access to the /admin section.
+ * Any of these roles allows access to admin pages.
+ */
+export declare const ADMIN_ROLES: readonly string[];
+/**
+ * Roles that grant platform-wide admin access (not client-scoped).
+ * These can access/modify any client's data.
+ */
+export declare const PLATFORM_ADMIN_ROLES: readonly string[];
+/**
+ * Roles that grant client-scoped admin access.
+ * These can only access their own client's data.
+ */
+export declare const CLIENT_ADMIN_ROLES: readonly string[];
+/**
+ * Check if user has a specific role
+ */
+export declare function hasRole(userRoles: string[] | undefined, role: string): boolean;
+/**
+ * Check if user has any of the specified roles
+ */
+export declare function hasAnyRole(userRoles: string[] | undefined, roles: readonly string[]): boolean;
+/**
+ * Check if user has all of the specified roles
+ */
+export declare function hasAllRoles(userRoles: string[] | undefined, roles: readonly string[]): boolean;
+/**
+ * Check if user has admin access (any admin role)
+ */
+export declare function isAdmin(userRoles: string[] | undefined): boolean;
+/**
+ * Check if user has platform-wide admin access
+ */
+export declare function isPlatformAdmin(userRoles: string[] | undefined): boolean;
+/**
+ * Check if user is a client-scoped admin (not platform admin)
+ */
+export declare function isClientAdmin(userRoles: string[] | undefined): boolean;
+/**
+ * Role hierarchy (higher index = more access)
+ *
+ * payez_admin (4) - IDP super admin, can do anything
+ * vibe_app_admin (3) - Platform admin, manages Vibe globally
+ * vibe_client_admin (2) - Client admin, manages their own tenant
+ * idp_client_admin (2) - IDP client admin, manages IDP config
+ * vibe_app_user (1) - Regular authenticated user
+ * (anonymous) (0) - No authentication
+ */
+export declare const ROLE_HIERARCHY: Record<string, number>;
+/**
+ * Get the highest role level for a user
+ */
+export declare function getHighestRoleLevel(userRoles: string[] | undefined): number;
+declare const _default: {
+    VibeRoles: {
+        /** Standard authenticated user */
+        readonly VIBE_APP_USER: "vibe_app_user";
+        /** Platform super admin - full access to everything */
+        readonly PAYEZ_ADMIN: "payez_admin";
+        /** IDP client admin - manages IDP client configuration */
+        readonly IDP_CLIENT_ADMIN: "idp_client_admin";
+        /** Vibe platform admin - manages Vibe infrastructure globally */
+        readonly VIBE_APP_ADMIN: "vibe_app_admin";
+        /** Vibe client admin - manages Vibe for a specific tenant */
+        readonly VIBE_CLIENT_ADMIN: "vibe_client_admin";
+        /** Vibe agents user - AI agents operating via CLI/automation */
+        readonly VIBE_AGENTS_USER: "vibe_agents_user";
+    };
+    GlobalRoles: {
+        /** Platform super admin - full access to everything */
+        readonly PAYEZ_ADMIN: "payez_admin";
+        /** IDP client admin - manages IDP client configuration */
+        readonly IDP_CLIENT_ADMIN: "idp_client_admin";
+        /** Vibe platform admin - manages Vibe infrastructure globally */
+        readonly VIBE_APP_ADMIN: "vibe_app_admin";
+        /** Vibe client admin - manages Vibe for a specific tenant */
+        readonly VIBE_CLIENT_ADMIN: "vibe_client_admin";
+        /** Vibe agents user - AI agents operating via CLI/automation */
+        readonly VIBE_AGENTS_USER: "vibe_agents_user";
+    };
+    AppRoles: {
+        /** Standard authenticated user */
+        readonly VIBE_APP_USER: "vibe_app_user";
+    };
+    ADMIN_ROLES: readonly string[];
+    PLATFORM_ADMIN_ROLES: readonly string[];
+    CLIENT_ADMIN_ROLES: readonly string[];
+    hasRole: typeof hasRole;
+    hasAnyRole: typeof hasAnyRole;
+    hasAllRoles: typeof hasAllRoles;
+    isAdmin: typeof isAdmin;
+    isPlatformAdmin: typeof isPlatformAdmin;
+    isClientAdmin: typeof isClientAdmin;
+    getHighestRoleLevel: typeof getHighestRoleLevel;
+};
+export default _default;