@softactivate/adk 1.1.0

package/dist/cjs/auth/oauth2/oauth2_credential_exchanger.js

@@ -0,0 +1,198 @@
+/**
+  * @license
+  * Copyright 2026 Google LLC
+  * SPDX-License-Identifier: Apache-2.0
+  */
+
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var oauth2_credential_exchanger_exports = {};
+__export(oauth2_credential_exchanger_exports, {
+  OAuth2CredentialExchanger: () => OAuth2CredentialExchanger,
+  determineGrantType: () => determineGrantType,
+  exchangeAuthorizationCode: () => exchangeAuthorizationCode,
+  exchangeClientCredentials: () => exchangeClientCredentials
+});
+module.exports = __toCommonJS(oauth2_credential_exchanger_exports);
+var import_logger = require("../../utils/logger.js");
+var import_auth_schemes = require("../auth_schemes.js");
+var import_base_credential_exchanger = require("../exchanger/base_credential_exchanger.js");
+var import_oauth2_utils = require("./oauth2_utils.js");
+/**
+ * @license
+ * Copyright 2026 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+class OAuth2CredentialExchanger {
+  async exchange({
+    authCredential,
+    authScheme
+  }) {
+    var _a;
+    if (!authScheme) {
+      throw new import_base_credential_exchanger.CredentialExchangeError(
+        "authScheme is required for OAuth2 credential exchange"
+      );
+    }
+    if ((_a = authCredential.oauth2) == null ? void 0 : _a.accessToken) {
+      return {
+        credential: authCredential,
+        wasExchanged: false
+      };
+    }
+    const grantType = determineGrantType(authScheme);
+    if (grantType === import_auth_schemes.OAuthGrantType.CLIENT_CREDENTIALS) {
+      return exchangeClientCredentials({ authCredential, authScheme });
+    }
+    if (grantType === import_auth_schemes.OAuthGrantType.AUTHORIZATION_CODE) {
+      return exchangeAuthorizationCode({ authCredential, authScheme });
+    }
+    import_logger.logger.warn(`Unsupported OAuth2 grant type: ${grantType}`);
+    return {
+      credential: authCredential,
+      wasExchanged: false
+    };
+  }
+}
+function determineGrantType(authScheme) {
+  var _a;
+  if ("flows" in authScheme && authScheme.flows) {
+    return (0, import_auth_schemes.getOAuthGrantTypeFromFlow)(authScheme.flows);
+  }
+  if (authScheme.grantTypesSupported) {
+    const oidcScheme = authScheme;
+    if ((_a = oidcScheme.grantTypesSupported) == null ? void 0 : _a.includes("client_credentials")) {
+      return import_auth_schemes.OAuthGrantType.CLIENT_CREDENTIALS;
+    }
+    return import_auth_schemes.OAuthGrantType.AUTHORIZATION_CODE;
+  }
+  return void 0;
+}
+async function exchangeClientCredentials({
+  authCredential,
+  authScheme
+}) {
+  var _a, _b;
+  const tokenEndpoint = (0, import_oauth2_utils.getTokenEndpoint)(authScheme);
+  if (!tokenEndpoint) {
+    throw new import_base_credential_exchanger.CredentialExchangeError(
+      "Token endpoint not found in auth scheme."
+    );
+  }
+  if (!((_a = authCredential.oauth2) == null ? void 0 : _a.clientId) || !((_b = authCredential.oauth2) == null ? void 0 : _b.clientSecret)) {
+    throw new import_base_credential_exchanger.CredentialExchangeError(
+      "clientId and clientSecret are required for client credentials exchange."
+    );
+  }
+  const body = (0, import_oauth2_utils.createOAuth2TokenRequestBody)({
+    grantType: "client_credentials",
+    clientId: authCredential.oauth2.clientId,
+    clientSecret: authCredential.oauth2.clientSecret
+  });
+  try {
+    const oauth2Auth = await (0, import_oauth2_utils.fetchOAuth2Tokens)(tokenEndpoint, body);
+    return {
+      credential: {
+        ...authCredential,
+        oauth2: {
+          ...authCredential.oauth2,
+          ...oauth2Auth
+        }
+      },
+      wasExchanged: true
+    };
+  } catch (error) {
+    throw new import_base_credential_exchanger.CredentialExchangeError(
+      `Failed to exchange tokens: ${error instanceof Error ? error.message : String(error)}`
+    );
+  }
+}
+async function exchangeAuthorizationCode({
+  authCredential,
+  authScheme
+}) {
+  var _a, _b, _c, _d;
+  const tokenEndpoint = (0, import_oauth2_utils.getTokenEndpoint)(authScheme);
+  if (!tokenEndpoint) {
+    throw new import_base_credential_exchanger.CredentialExchangeError(
+      "Token endpoint not found in auth scheme."
+    );
+  }
+  if (!((_a = authCredential.oauth2) == null ? void 0 : _a.clientId) || !((_b = authCredential.oauth2) == null ? void 0 : _b.clientSecret) || !((_c = authCredential.oauth2) == null ? void 0 : _c.authCode) && !((_d = authCredential.oauth2) == null ? void 0 : _d.authResponseUri)) {
+    throw new import_base_credential_exchanger.CredentialExchangeError(
+      "clientId, clientSecret, and either authCode or authResponseUri are required for authorization code exchange."
+    );
+  }
+  let code = authCredential.oauth2.authCode;
+  if (!code && authCredential.oauth2.authResponseUri) {
+    code = (0, import_oauth2_utils.parseAuthorizationCode)(authCredential.oauth2.authResponseUri);
+  }
+  if (authCredential.oauth2.authResponseUri && authCredential.oauth2.state) {
+    try {
+      const url = new URL(authCredential.oauth2.authResponseUri);
+      const receivedState = url.searchParams.get("state") || void 0;
+      if (authCredential.oauth2.state !== receivedState) {
+        throw new import_base_credential_exchanger.CredentialExchangeError(
+          "State mismatch detected. Potential CSRF attack."
+        );
+      }
+    } catch (e) {
+      throw new import_base_credential_exchanger.CredentialExchangeError(
+        `Failed to parse authResponseUri for state validation: ${e instanceof Error ? e.message : String(e)}`
+      );
+    }
+  }
+  if (!code) {
+    throw new import_base_credential_exchanger.CredentialExchangeError(
+      "Authorization code not found in auth response."
+    );
+  }
+  const body = (0, import_oauth2_utils.createOAuth2TokenRequestBody)({
+    grantType: "authorization_code",
+    clientId: authCredential.oauth2.clientId,
+    clientSecret: authCredential.oauth2.clientSecret,
+    code,
+    redirectUri: authCredential.oauth2.redirectUri,
+    codeVerifier: authCredential.oauth2.codeVerifier
+  });
+  try {
+    const oauth2Auth = await (0, import_oauth2_utils.fetchOAuth2Tokens)(tokenEndpoint, body);
+    return {
+      credential: {
+        ...authCredential,
+        oauth2: {
+          ...authCredential.oauth2,
+          ...oauth2Auth
+        }
+      },
+      wasExchanged: true
+    };
+  } catch (error) {
+    throw new import_base_credential_exchanger.CredentialExchangeError(
+      `Failed to exchange tokens: ${error instanceof Error ? error.message : String(error)}`
+    );
+  }
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  OAuth2CredentialExchanger,
+  determineGrantType,
+  exchangeAuthorizationCode,
+  exchangeClientCredentials
+});

package/dist/cjs/auth/oauth2/oauth2_credential_refresher.js

@@ -0,0 +1,109 @@
+/**
+  * @license
+  * Copyright 2026 Google LLC
+  * SPDX-License-Identifier: Apache-2.0
+  */
+
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var oauth2_credential_refresher_exports = {};
+__export(oauth2_credential_refresher_exports, {
+  OAuth2CredentialRefresher: () => OAuth2CredentialRefresher
+});
+module.exports = __toCommonJS(oauth2_credential_refresher_exports);
+var import_logger = require("../../utils/logger.js");
+var import_oauth2_utils = require("./oauth2_utils.js");
+/**
+ * @license
+ * Copyright 2026 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+class OAuth2CredentialRefresher {
+  /**
+   * Check if the OAuth2 credential needs to be refreshed.
+   *
+   * @param authCredential The OAuth2 credential to check.
+   * @param authScheme The OAuth2 authentication scheme (optional).
+   * @returns True if the credential needs to be refreshed, False otherwise.
+   */
+  async isRefreshNeeded(authCredential) {
+    if (!authCredential.oauth2) {
+      return false;
+    }
+    if (authCredential.oauth2 && authCredential.oauth2.expiresAt) {
+      return (0, import_oauth2_utils.isTokenExpired)(authCredential.oauth2);
+    }
+    return false;
+  }
+  /**
+   * Refresh the OAuth2 credential.
+   *
+   * @param authCredential The OAuth2 credential to refresh.
+   * @param authScheme The OAuth2 authentication scheme.
+   * @returns The refreshed credential.
+   */
+  async refresh(authCredential, authScheme) {
+    if (!authCredential.oauth2 || !authScheme) {
+      return authCredential;
+    }
+    if (!authCredential.oauth2.refreshToken) {
+      import_logger.logger.warn("No refresh token available to refresh credential");
+      return authCredential;
+    }
+    const isNeeded = await this.isRefreshNeeded(authCredential);
+    if (!isNeeded) {
+      return authCredential;
+    }
+    const tokenEndpoint = (0, import_oauth2_utils.getTokenEndpoint)(authScheme);
+    if (!tokenEndpoint) {
+      import_logger.logger.warn("Token endpoint not found in auth scheme.");
+      return authCredential;
+    }
+    if (!authCredential.oauth2.clientId || !authCredential.oauth2.clientSecret) {
+      import_logger.logger.warn("clientId and clientSecret are required for token refresh.");
+      return authCredential;
+    }
+    const body = new URLSearchParams();
+    body.set("grant_type", "refresh_token");
+    body.set("refresh_token", authCredential.oauth2.refreshToken);
+    body.set("client_id", authCredential.oauth2.clientId);
+    body.set("client_secret", authCredential.oauth2.clientSecret);
+    try {
+      const data = await (0, import_oauth2_utils.fetchOAuth2Tokens)(tokenEndpoint, body);
+      const updatedOAuth2 = {
+        ...authCredential.oauth2,
+        accessToken: data.accessToken || authCredential.oauth2.accessToken,
+        refreshToken: data.refreshToken || authCredential.oauth2.refreshToken,
+        expiresIn: data.expiresIn,
+        expiresAt: data.expiresAt || authCredential.oauth2.expiresAt
+      };
+      return {
+        ...authCredential,
+        oauth2: updatedOAuth2
+      };
+    } catch (error) {
+      import_logger.logger.error("Failed to refresh tokens:", error);
+      return authCredential;
+    }
+  }
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  OAuth2CredentialRefresher
+});

package/dist/cjs/auth/oauth2/oauth2_discovery.js

@@ -0,0 +1,186 @@
+/**
+  * @license
+  * Copyright 2026 Google LLC
+  * SPDX-License-Identifier: Apache-2.0
+  */
+
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var oauth2_discovery_exports = {};
+__export(oauth2_discovery_exports, {
+  AuthorizationServerMetadataSchema: () => AuthorizationServerMetadataSchema,
+  OAuth2DiscoveryManager: () => OAuth2DiscoveryManager,
+  ProtectedResourceMetadataSchema: () => ProtectedResourceMetadataSchema
+});
+module.exports = __toCommonJS(oauth2_discovery_exports);
+var import_zod = require("zod");
+var import_logger = require("../../utils/logger.js");
+/**
+ * @license
+ * Copyright 2026 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+const AuthorizationServerMetadataSchema = import_zod.z.object({
+  issuer: import_zod.z.string(),
+  authorization_endpoint: import_zod.z.string(),
+  token_endpoint: import_zod.z.string(),
+  scopes_supported: import_zod.z.array(import_zod.z.string()).optional(),
+  registration_endpoint: import_zod.z.string().optional()
+});
+const ProtectedResourceMetadataSchema = import_zod.z.object({
+  resource: import_zod.z.string(),
+  authorization_servers: import_zod.z.array(import_zod.z.string()).default([])
+});
+class OAuth2DiscoveryManager {
+  /**
+   * Discovers the OAuth2 authorization server metadata.
+   */
+  async discoverAuthServerMetadata(issuerUrl) {
+    if (!validateDiscoveryUrl(issuerUrl)) {
+      return void 0;
+    }
+    let baseUrl;
+    let path;
+    try {
+      const url = new URL(issuerUrl);
+      baseUrl = `${url.protocol}//${url.host}`;
+      path = url.pathname;
+    } catch (e) {
+      import_logger.logger.warn(`Failed to parse issuerUrl ${issuerUrl}: ${e}`);
+      return void 0;
+    }
+    const endpointsToTry = [];
+    if (path && path !== "/") {
+      endpointsToTry.push(
+        `${baseUrl}/.well-known/oauth-authorization-server${path}`,
+        `${baseUrl}/.well-known/openid-configuration${path}`,
+        `${baseUrl}${path}/.well-known/openid-configuration`
+      );
+    } else {
+      endpointsToTry.push(
+        `${baseUrl}/.well-known/oauth-authorization-server`,
+        `${baseUrl}/.well-known/openid-configuration`
+      );
+    }
+    for (const endpoint of endpointsToTry) {
+      try {
+        const response = await fetch(endpoint, {
+          method: "GET",
+          headers: {
+            Accept: "application/json"
+          }
+        });
+        if (!response.ok) {
+          continue;
+        }
+        const data = await response.json();
+        const metadata = AuthorizationServerMetadataSchema.parse(data);
+        if (metadata.issuer.replace(/\/$/, "") === issuerUrl.replace(/\/$/, "")) {
+          return metadata;
+        } else {
+          import_logger.logger.warn(
+            `Issuer in metadata ${metadata.issuer} does not match issuerUrl ${issuerUrl}`
+          );
+        }
+      } catch (e) {
+        import_logger.logger.debug(`Failed to fetch metadata from ${endpoint}: ${e}`);
+      }
+    }
+    return void 0;
+  }
+  /**
+   * Discovers the OAuth2 protected resource metadata.
+   */
+  async discoverResourceMetadata(resourceUrl) {
+    if (!validateDiscoveryUrl(resourceUrl)) {
+      return void 0;
+    }
+    let baseUrl;
+    let path;
+    try {
+      const url = new URL(resourceUrl);
+      baseUrl = `${url.protocol}//${url.host}`;
+      path = url.pathname;
+    } catch (e) {
+      import_logger.logger.warn(`Failed to parse resourceUrl ${resourceUrl}: ${e}`);
+      return void 0;
+    }
+    let wellKnownEndpoint;
+    if (path && path !== "/") {
+      wellKnownEndpoint = `${baseUrl}/.well-known/oauth-protected-resource${path}`;
+    } else {
+      wellKnownEndpoint = `${baseUrl}/.well-known/oauth-protected-resource`;
+    }
+    try {
+      const response = await fetch(wellKnownEndpoint, {
+        method: "GET",
+        headers: {
+          Accept: "application/json"
+        }
+      });
+      if (!response.ok) {
+        return void 0;
+      }
+      const data = await response.json();
+      const metadata = ProtectedResourceMetadataSchema.parse(data);
+      if (metadata.resource.replace(/\/$/, "") === resourceUrl.replace(/\/$/, "")) {
+        return metadata;
+      } else {
+        import_logger.logger.warn(
+          `Resource in metadata ${metadata.resource} does not match resourceUrl ${resourceUrl}`
+        );
+      }
+    } catch (e) {
+      import_logger.logger.debug(`Failed to fetch metadata from ${wellKnownEndpoint}: ${e}`);
+    }
+    return void 0;
+  }
+}
+function validateDiscoveryUrl(urlStr) {
+  try {
+    const url = new URL(urlStr);
+    if (url.protocol !== "https:") {
+      import_logger.logger.warn(`Unsafe protocol for discovery URL: ${url.protocol}`);
+      return false;
+    }
+    const host = url.hostname.toLowerCase();
+    if (host === "localhost" || host === "127.0.0.1" || host === "[::1]" || host.startsWith("10.") || host.startsWith("192.168.") || host.startsWith("169.254.")) {
+      import_logger.logger.warn(`Unsafe host for discovery URL: ${host}`);
+      return false;
+    }
+    const match = host.match(/^172\.(\d+)\./);
+    if (match) {
+      const secondOctet = parseInt(match[1], 10);
+      if (secondOctet >= 16 && secondOctet <= 31) {
+        import_logger.logger.warn(`Unsafe host for discovery URL: ${host}`);
+        return false;
+      }
+    }
+    return true;
+  } catch (e) {
+    import_logger.logger.warn(`Failed to parse URL for validation ${urlStr}: ${e}`);
+    return false;
+  }
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  AuthorizationServerMetadataSchema,
+  OAuth2DiscoveryManager,
+  ProtectedResourceMetadataSchema
+});

package/dist/cjs/auth/oauth2/oauth2_utils.js

@@ -0,0 +1,119 @@
+/**
+  * @license
+  * Copyright 2026 Google LLC
+  * SPDX-License-Identifier: Apache-2.0
+  */
+
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var oauth2_utils_exports = {};
+__export(oauth2_utils_exports, {
+  createOAuth2TokenRequestBody: () => createOAuth2TokenRequestBody,
+  fetchOAuth2Tokens: () => fetchOAuth2Tokens,
+  getTokenEndpoint: () => getTokenEndpoint,
+  isTokenExpired: () => isTokenExpired,
+  parseAuthorizationCode: () => parseAuthorizationCode
+});
+module.exports = __toCommonJS(oauth2_utils_exports);
+var import_logger = require("../../utils/logger.js");
+/**
+ * @license
+ * Copyright 2026 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+function getTokenEndpoint(authScheme) {
+  if (authScheme.type === "openIdConnect" && authScheme.tokenEndpoint) {
+    return authScheme.tokenEndpoint;
+  }
+  if (authScheme.type === "oauth2" && authScheme.flows) {
+    const flows = authScheme.flows;
+    const flow = flows.authorizationCode || flows.clientCredentials || flows.password || flows.implicit;
+    if (flow && "tokenUrl" in flow) {
+      return flow.tokenUrl;
+    }
+  }
+  return void 0;
+}
+async function fetchOAuth2Tokens(endpoint, body) {
+  try {
+    const response = await fetch(endpoint, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded"
+      },
+      body: body.toString()
+    });
+    if (!response.ok) {
+      throw new Error(`Token request failed with status ${response.status}`);
+    }
+    const data = await response.json();
+    return {
+      accessToken: data.access_token,
+      refreshToken: data.refresh_token,
+      idToken: data.id_token,
+      expiresIn: data.expires_in,
+      expiresAt: data.expires_in ? Date.now() + data.expires_in * 1e3 : void 0
+    };
+  } catch (e) {
+    import_logger.logger.error(`Failed to fetch OAuth2 tokens: ${e}`);
+    throw e;
+  }
+}
+function parseAuthorizationCode(uri) {
+  try {
+    const url = new URL(uri);
+    return url.searchParams.get("code") || void 0;
+  } catch (e) {
+    import_logger.logger.warn(`Failed to parse authorization URI ${uri}: ${e}`);
+    return void 0;
+  }
+}
+function createOAuth2TokenRequestBody(params) {
+  const body = new URLSearchParams();
+  body.set("grant_type", params.grantType);
+  body.set("client_id", params.clientId);
+  body.set("client_secret", params.clientSecret);
+  if (params.grantType === "authorization_code") {
+    body.set("code", params.code);
+    if (params.redirectUri) {
+      body.set("redirect_uri", params.redirectUri);
+    }
+    if (params.codeVerifier) {
+      body.set("code_verifier", params.codeVerifier);
+    }
+  } else if (params.grantType === "refresh_token") {
+    body.set("refresh_token", params.refreshToken);
+  }
+  return body;
+}
+function isTokenExpired(token, leeway = 60) {
+  if (typeof token.expiresAt !== "number") {
+    return false;
+  }
+  const expirationThreshold = token.expiresAt - leeway * 1e3;
+  return expirationThreshold < Date.now();
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createOAuth2TokenRequestBody,
+  fetchOAuth2Tokens,
+  getTokenEndpoint,
+  isTokenExpired,
+  parseAuthorizationCode
+});

package/dist/cjs/auth/refresher/base_credential_refresher.js

@@ -0,0 +1,44 @@
+/**
+  * @license
+  * Copyright 2026 Google LLC
+  * SPDX-License-Identifier: Apache-2.0
+  */
+
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var base_credential_refresher_exports = {};
+__export(base_credential_refresher_exports, {
+  CredentialRefresherError: () => CredentialRefresherError
+});
+module.exports = __toCommonJS(base_credential_refresher_exports);
+/**
+ * @license
+ * Copyright 2026 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+class CredentialRefresherError extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "CredentialRefresherError";
+  }
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  CredentialRefresherError
+});