@stdiobus/workers-registry 1.4.14 → 1.5.0-beta.2

package/out/tsc/workers-registry/registry-launcher/src/auth/flows/terminal-auth-flow.d.ts

@@ -0,0 +1,252 @@
+import type { AuthProviderId, AuthResult, ProviderEndpoints } from '../types.js';
+import type { ICredentialStore } from '../storage/types.js';
+/**
+ * Authentication mode selected by the user.
+ * Requirements: 3.1, 4.2
+ */
+export type AuthenticationMode = 'browser-oauth' | 'manual-api-key';
+/**
+ * Result indicating browser OAuth flow should be used.
+ * This is returned when the user selects "Browser OAuth" mode.
+ */
+export interface BrowserOAuthResult {
+    /** Indicates browser OAuth flow should be used */
+    useBrowserOAuth: true;
+    /** The selected provider ID */
+    providerId: AuthProviderId;
+}
+/**
+ * Result indicating manual credential flow completed.
+ */
+export interface ManualCredentialResult {
+    /** Indicates manual credential flow was used */
+    useBrowserOAuth: false;
+    /** The authentication result from manual flow */
+    authResult: AuthResult;
+}
+/**
+ * Combined result type for terminal auth flow execution.
+ */
+export type TerminalAuthFlowResult = BrowserOAuthResult | ManualCredentialResult;
+/**
+ * Provider display information for the selection menu.
+ */
+interface ProviderInfo {
+    id: AuthProviderId;
+    name: string;
+    requiresClientSecret: boolean;
+    requiresCustomEndpoints: boolean;
+    /** Whether this provider supports simple API key authentication */
+    supportsApiKey: boolean;
+    /** Whether this provider supports browser-based OAuth flow */
+    supportsOAuth: boolean;
+    /** Label for the API key (e.g., "API Key", "Personal Access Token") */
+    apiKeyLabel?: string;
+    /** Environment variable name for the API key */
+    apiKeyEnvVar?: string;
+}
+/**
+ * Collected credentials from user input.
+ */
+export interface CollectedCredentials {
+    clientId: string;
+    clientSecret?: string;
+    customEndpoints?: ProviderEndpoints;
+}
+/**
+ * Dependencies for the terminal auth flow.
+ */
+export interface TerminalAuthFlowDependencies {
+    /** Credential store for persisting credentials */
+    credentialStore: ICredentialStore;
+    /** Function to validate credentials (attempts token request) */
+    validateCredentials: (providerId: AuthProviderId, credentials: CollectedCredentials) => Promise<{
+        valid: boolean;
+        error?: string;
+        accessToken?: string;
+    }>;
+    /** Optional custom input/output streams (for testing) */
+    input?: NodeJS.ReadableStream;
+    output?: NodeJS.WritableStream;
+}
+/**
+ * Terminal auth flow - interactive CLI setup.
+ *
+ * Provides an interactive terminal interface for configuring OAuth credentials
+ * in headless environments. The flow:
+ * 1. Prompts user to select a provider
+ * 2. Prompts for required credentials
+ * 3. Validates credentials by attempting a token request
+ * 4. Stores credentials securely on success
+ * 5. Prompts for re-entry on validation failure
+ */
+export declare class TerminalAuthFlow {
+    private readonly credentialStore;
+    private readonly validateCredentials;
+    private readonly input;
+    private readonly output;
+    private rl;
+    /**
+     * Create a new terminal auth flow.
+     *
+     * @param dependencies - Flow dependencies
+     */
+    constructor(dependencies: TerminalAuthFlowDependencies);
+    /**
+     * Execute the terminal auth flow.
+     *
+     * Runs the interactive setup wizard to configure OAuth credentials.
+     * For providers supporting OAuth, offers a choice between browser OAuth
+     * and manual API key entry.
+     *
+     * Requirements: 3.1, 4.2
+     *
+     * @param providerId - Optional pre-selected provider (skips provider selection)
+     * @returns Terminal auth flow result indicating mode selection and outcome
+     */
+    execute(providerId?: AuthProviderId): Promise<TerminalAuthFlowResult>;
+    /**
+     * Select authentication mode for providers supporting OAuth.
+     * Offers choice between browser OAuth (recommended) and manual API key.
+     *
+     * Requirements: 3.1, 4.2
+     *
+     * @param providerInfo - Provider information
+     * @returns Selected authentication mode
+     */
+    private selectAuthenticationMode;
+    /**
+     * Collect and validate credentials with retry loop.
+     * Requirements: 4.3, 4.4, 4.5, 4.6
+     *
+     * Note: When this method is called, the user has already selected "Manual API Key"
+     * in the authentication mode selection. For providers that support simple API key
+     * authentication (OpenAI, Anthropic, GitHub), we collect the API key directly.
+     * For providers that don't support simple API key (Google, Cognito, Azure),
+     * we collect OAuth client credentials.
+     */
+    private collectAndValidateWithRetry;
+    /**
+     * Prompt for a numeric selection within a range.
+     * Supports an optional default value that is used when user presses Enter without input.
+     *
+     * @param message - The prompt message
+     * @param min - Minimum valid selection
+     * @param max - Maximum valid selection
+     * @param defaultValue - Optional default value used when input is empty
+     * @returns The selected number
+     */
+    private promptSelection;
+    /**
+     * Collect API key credentials (simple mode for OpenAI, Anthropic, GitHub).
+     */
+    private collectApiKeyCredentials;
+    /**
+     * Prompt user to select a provider from the supported list.
+     * Requirement 4.2
+     */
+    private selectProvider;
+    /**
+     * Collect credentials from user input.
+     * Requirement 4.3
+     */
+    private collectCredentials;
+    /**
+     * Collect custom endpoints for providers that require them (Cognito/Azure/OIDC).
+     * Validates all endpoints to ensure HTTPS and no embedded credentials.
+     */
+    private collectCustomEndpoints;
+    /**
+     * Prompt for a validated HTTPS URL.
+     * Ensures the URL is valid, uses HTTPS, and has no embedded credentials.
+     */
+    private promptValidatedUrl;
+    /**
+     * Validate that a URL is a valid HTTPS URL without embedded credentials.
+     */
+    private validateHttpsUrl;
+    /**
+     * Collect Cognito-specific endpoint configuration.
+     * Validates input to prevent URL injection attacks.
+     */
+    private collectCognitoEndpoints;
+    /**
+     * Collect Azure AD-specific endpoint configuration.
+     * Validates input to prevent URL injection attacks.
+     */
+    private collectAzureEndpoints;
+    /**
+     * Collect Generic OIDC endpoint configuration.
+     * Supports issuer-based discovery or manual endpoint entry.
+     * Validates input to prevent URL injection attacks.
+     *
+     * Requirements: 7a.1, 7a.2
+     */
+    private collectOidcEndpoints;
+    /**
+     * Validate Cognito user pool domain.
+     * Must be alphanumeric with hyphens, no URL injection characters.
+     */
+    private validateCognitoDomain;
+    /**
+     * Validate AWS region format.
+     * Must match pattern like us-east-1, eu-west-2.
+     */
+    private validateAwsRegion;
+    /**
+     * Validate Azure tenant ID.
+     * Must be 'common', 'organizations', 'consumers', a valid GUID, or a domain name.
+     */
+    private validateAzureTenantId;
+    /**
+     * Prompt for input with validation.
+     */
+    private promptValidated;
+    /**
+     * Prompt for required input (non-empty).
+     */
+    private promptRequired;
+    /**
+     * Prompt for secret input (hidden if possible).
+     * Note: In a real implementation, this would hide input.
+     * For headless environments, we accept visible input.
+     */
+    private promptSecret;
+    /**
+     * Prompt for yes/no confirmation.
+     */
+    private promptYesNo;
+    /**
+     * Prompt for user input.
+     */
+    private prompt;
+    /**
+     * Write a line to output.
+     */
+    private writeLine;
+    /**
+     * Clean up resources.
+     */
+    private cleanup;
+}
+/**
+ * Create a terminal auth flow with the given dependencies.
+ *
+ * @param dependencies - Flow dependencies
+ * @returns A new TerminalAuthFlow instance
+ */
+export declare function createTerminalAuthFlow(dependencies: TerminalAuthFlowDependencies): TerminalAuthFlow;
+/**
+ * Get provider information by ID.
+ *
+ * @param providerId - The provider identifier
+ * @returns Provider info or undefined if not found
+ */
+export declare function getProviderInfo(providerId: AuthProviderId): ProviderInfo | undefined;
+/**
+ * Get all supported provider information.
+ *
+ * @returns Array of provider information
+ */
+export declare function getAllProviderInfo(): readonly ProviderInfo[];
+export {};

package/out/tsc/workers-registry/registry-launcher/src/auth/flows/terminal-auth-flow.test.d.ts

@@ -0,0 +1 @@
+export {};

package/out/tsc/workers-registry/registry-launcher/src/auth/index.d.ts

@@ -0,0 +1,33 @@
+/**
+ * OAuth 2.1 Authentication Module
+ *
+ * This module provides OAuth 2.1 authentication for the Registry Launcher worker.
+ * It supports multiple OAuth providers (GitHub, Google, AWS Cognito, Azure AD)
+ * and two authentication modes:
+ * - Agent Auth: Browser-based OAuth 2.1 Authorization Code flow with PKCE
+ * - Terminal Auth: Interactive CLI setup flow for headless environments
+ *
+ * @module auth
+ */
+export type { AuthProviderId, StorageBackendType, TokenStatus, AuthErrorCode, TokenResponse, StoredCredentials, TokenInjectionMethod, ProviderEndpoints, AuthorizationParams, CallbackResult, CallbackSuccess, CallbackErrorResult, AgentAuthOptions, AuthResult, AuthResultSuccess, AuthResultFailure, AuthError, AuthStatusEntry, AuthStatusMap, ProviderConfig, AuthConfig, AcpAuthMethod, AuthMethodType, AuthMethodPrecedenceConfig, } from './types.js';
+export { isValidProviderId as isValidProviderIdFromTypes, isValidAuthMethodType, isValidAuthMethodId, resolveAuthMethodIdToProviderId, tryResolveAuthMethodIdToProviderId, UnknownAuthMethodIdError, VALID_PROVIDER_IDS, VALID_AUTH_METHOD_TYPES, VALID_AUTH_METHOD_IDS, AUTH_METHOD_ID_TO_PROVIDER_ID, DEFAULT_AUTH_METHOD_PRECEDENCE, } from './types.js';
+export { generateCodeVerifier, generateCodeChallenge, generatePKCEPair, validateCodeVerifier, PKCE_CODE_CHALLENGE_METHOD, PKCE_VERIFIER_MIN_LENGTH, PKCE_VERIFIER_MAX_LENGTH, } from './pkce.js';
+export { generateState, validateState, } from './state.js';
+export type { IAuthSession } from './session.js';
+export { AuthSession, createSession, SessionManager, DEFAULT_SESSION_TIMEOUT_MS, MAX_SESSION_TIMEOUT_MS, validateTimeout, } from './session.js';
+export type { AuthManagerOptions, AuthMethodSelectionResult, } from './auth-manager.js';
+export { AuthManager, createAuthManager, AuthMethodSelectionError, CLIENT_CREDENTIALS_MARKER, isMarkerToken, } from './auth-manager.js';
+export type { ITokenManager, TokenManagerOptions, ProviderResolver } from './token-manager.js';
+export { TokenManager, createTokenManager, DEFAULT_REFRESH_THRESHOLD_MS } from './token-manager.js';
+export type { IAuthProvider } from './providers/types.js';
+export { getProvider, getSupportedProviders, isValidProviderId, } from './providers/index.js';
+export type { ICredentialStore, IStorageBackend } from './storage/types.js';
+export { CredentialStore } from './storage/credential-store.js';
+export type { ICallbackServer } from './flows/callback-server.js';
+export { AgentAuthFlow } from './flows/agent-auth-flow.js';
+export type { AgentAuthFlowDependencies } from './flows/agent-auth-flow.js';
+export { TerminalAuthFlow, createTerminalAuthFlow, getProviderInfo, getAllProviderInfo, } from './flows/terminal-auth-flow.js';
+export type { TerminalAuthFlowDependencies, CollectedCredentials, } from './flows/terminal-auth-flow.js';
+export { runSetupCommand, runStatusCommand, runLogoutCommand, } from './cli/index.js';
+export { AuthenticationError, InvalidStateError, TimeoutError, NetworkError, InvalidCredentialsError, StorageError, ProviderError, UnsupportedProviderError, CallbackError, TokenRefreshError, parseProviderErrorResponse, parseHttpErrorResponse, isOAuthErrorResponse, formatErrorResponse, createUnsupportedProviderError, createNetworkError, createStorageError, redactSensitiveData, } from './errors.js';
+export type { OAuthErrorResponse } from './errors.js';

package/out/tsc/workers-registry/registry-launcher/src/auth/integration.test.d.ts

@@ -0,0 +1 @@
+export {};

package/out/tsc/workers-registry/registry-launcher/src/auth/model-credentials/anthropic-api-key.d.ts

@@ -0,0 +1,154 @@
+/**
+ * Anthropic API Key Handler.
+ *
+ * Handles storage, retrieval, validation, and injection of Anthropic API keys.
+ * Anthropic uses the x-api-key header with the raw key (no Bearer prefix).
+ *
+ * Requirements: 7b.1, 7b.4, 7b.5
+ *
+ * @module model-credentials/anthropic-api-key
+ */
+import type { ModelProviderId, ModelCredentialResult, ModelCredentialStatusEntry, HeaderInjection } from './types.js';
+import type { IModelCredentialStorage } from './openai-api-key.js';
+/**
+ * The provider ID for Anthropic.
+ */
+export declare const ANTHROPIC_PROVIDER_ID: ModelProviderId;
+/**
+ * Anthropic API key prefix for validation.
+ * Anthropic API keys typically start with 'sk-ant-'.
+ */
+export declare const ANTHROPIC_API_KEY_PREFIX = "sk-ant-";
+/**
+ * Minimum length for Anthropic API keys.
+ * Anthropic keys are typically 40+ characters.
+ */
+export declare const ANTHROPIC_API_KEY_MIN_LENGTH = 20;
+/**
+ * Storage key prefix for Anthropic credentials.
+ */
+export declare const ANTHROPIC_STORAGE_KEY = "model-credential:anthropic";
+/**
+ * Anthropic API Key Handler.
+ *
+ * Provides methods for storing, retrieving, validating, and injecting
+ * Anthropic API keys. Integrates with the Credential_Store for secure storage.
+ *
+ * Requirements: 7b.1, 7b.4, 7b.5
+ */
+export declare class AnthropicApiKeyHandler {
+    private readonly storage;
+    /**
+     * Create a new Anthropic API key handler.
+     * @param storage - The credential storage backend
+     */
+    constructor(storage: IModelCredentialStorage);
+    /**
+     * Get the provider ID for this handler.
+     * @returns The Anthropic provider ID
+     */
+    getProviderId(): ModelProviderId;
+    /**
+     * Get the injection configuration for Anthropic.
+     *
+     * Anthropic uses the x-api-key header with the raw key:
+     * x-api-key: {key}
+     *
+     * Requirements: 7b.5
+     *
+     * @returns The header injection configuration
+     */
+    getInjectionConfig(): HeaderInjection;
+    /**
+     * Validate an Anthropic API key format.
+     *
+     * Performs basic format validation:
+     * - Must be a non-empty string
+     * - Must meet minimum length requirement
+     * - Optionally checks for 'sk-ant-' prefix (warning only)
+     *
+     * Note: This does not validate the key against Anthropic's API.
+     * Use validateWithApi() for full validation.
+     *
+     * @param apiKey - The API key to validate
+     * @returns Validation result with success flag and optional warning
+     */
+    validateFormat(apiKey: string): {
+        valid: boolean;
+        warning?: string;
+    };
+    /**
+     * Store an Anthropic API key in the credential store.
+     *
+     * The key is stored with encryption handled by the storage backend.
+     *
+     * Requirements: 7b.4
+     *
+     * @param apiKey - The API key to store
+     * @param label - Optional human-readable label
+     * @returns Promise that resolves when stored
+     * @throws Error if the API key format is invalid
+     */
+    store(apiKey: string, label?: string): Promise<void>;
+    /**
+     * Retrieve the stored Anthropic API key.
+     *
+     * Requirements: 7b.4
+     *
+     * @returns The credential result with the API key if found
+     */
+    retrieve(): Promise<ModelCredentialResult>;
+    /**
+     * Delete the stored Anthropic API key.
+     *
+     * @returns Promise that resolves when deleted
+     */
+    delete(): Promise<void>;
+    /**
+     * Check if an Anthropic API key is configured.
+     *
+     * @returns True if a valid API key is stored
+     */
+    isConfigured(): Promise<boolean>;
+    /**
+     * Get the status of the Anthropic API key credential.
+     *
+     * @returns The credential status entry
+     */
+    getStatus(): Promise<ModelCredentialStatusEntry>;
+    /**
+     * Inject the Anthropic API key into request headers.
+     *
+     * Creates the x-api-key header with the raw key:
+     * x-api-key: {key}
+     *
+     * Requirements: 7b.5
+     *
+     * @param headers - Existing headers object (will be modified)
+     * @returns The headers object with the x-api-key header added
+     * @throws Error if no API key is configured
+     */
+    injectHeader(headers?: Record<string, string>): Promise<Record<string, string>>;
+    /**
+     * Get the header injection for a request.
+     *
+     * Returns the header name and value for injecting the API key.
+     * This is useful when you need the header separately from the request.
+     *
+     * Requirements: 7b.5
+     *
+     * @returns Object with headerName and headerValue
+     * @throws Error if no API key is configured
+     */
+    getHeaderInjection(): Promise<{
+        headerName: string;
+        headerValue: string;
+    }>;
+}
+/**
+ * Create a new Anthropic API key handler.
+ *
+ * @param storage - The credential storage backend
+ * @returns A new Anthropic API key handler instance
+ */
+export declare function createAnthropicApiKeyHandler(storage: IModelCredentialStorage): AnthropicApiKeyHandler;

package/out/tsc/workers-registry/registry-launcher/src/auth/model-credentials/index.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Model Credentials Module
+ *
+ * This module provides API key management for upstream model providers
+ * (OpenAI, Anthropic). These providers do NOT offer public OAuth IdP
+ * for third-party login - they use API keys instead.
+ *
+ * This module clearly separates:
+ * - User identity (OAuth/OIDC): Handled by the main auth module
+ * - Model API access (API Keys): Handled by this module
+ *
+ * Requirements: 7b.1, 7b.3
+ *
+ * @module model-credentials
+ */
+export type { ModelProviderId, ModelCredential, StoredModelCredential, ModelCredentialResult, ModelCredentialInjection, HeaderInjection, ModelCredentialStatus, ModelCredentialStatusEntry, ModelCredentialStatusMap, } from './types.js';
+export { VALID_MODEL_PROVIDER_IDS, isValidModelProviderId, MODEL_CREDENTIAL_INJECTION_CONFIG, } from './types.js';
+export type { IModelCredentialStorage } from './openai-api-key.js';
+export { OpenAIApiKeyHandler, createOpenAIApiKeyHandler, OPENAI_PROVIDER_ID, OPENAI_API_KEY_PREFIX, OPENAI_API_KEY_MIN_LENGTH, OPENAI_STORAGE_KEY, } from './openai-api-key.js';
+export { AnthropicApiKeyHandler, createAnthropicApiKeyHandler, ANTHROPIC_PROVIDER_ID, ANTHROPIC_API_KEY_PREFIX, ANTHROPIC_API_KEY_MIN_LENGTH, ANTHROPIC_STORAGE_KEY, } from './anthropic-api-key.js';

package/out/tsc/workers-registry/registry-launcher/src/auth/model-credentials/model-credentials.test.d.ts

@@ -0,0 +1 @@
+export {};

package/out/tsc/workers-registry/registry-launcher/src/auth/model-credentials/openai-api-key.d.ts

@@ -0,0 +1,182 @@
+/**
+ * OpenAI API Key Handler.
+ *
+ * Handles storage, retrieval, validation, and injection of OpenAI API keys.
+ * OpenAI uses the Authorization header with Bearer token format.
+ *
+ * Requirements: 7b.1, 7b.4, 7b.5
+ *
+ * @module model-credentials/openai-api-key
+ */
+import type { ModelProviderId, StoredModelCredential, ModelCredentialResult, ModelCredentialStatusEntry, HeaderInjection } from './types.js';
+/**
+ * The provider ID for OpenAI.
+ */
+export declare const OPENAI_PROVIDER_ID: ModelProviderId;
+/**
+ * OpenAI API key prefix for validation.
+ * OpenAI API keys typically start with 'sk-'.
+ */
+export declare const OPENAI_API_KEY_PREFIX = "sk-";
+/**
+ * Minimum length for OpenAI API keys.
+ * OpenAI keys are typically 51+ characters.
+ */
+export declare const OPENAI_API_KEY_MIN_LENGTH = 20;
+/**
+ * Storage key prefix for OpenAI credentials.
+ */
+export declare const OPENAI_STORAGE_KEY = "model-credential:openai";
+/**
+ * Interface for credential storage operations.
+ * This allows the handler to work with any storage backend.
+ */
+export interface IModelCredentialStorage {
+    /**
+     * Store a model credential.
+     * @param key - The storage key
+     * @param credential - The credential to store
+     */
+    store(key: string, credential: StoredModelCredential): Promise<void>;
+    /**
+     * Retrieve a model credential.
+     * @param key - The storage key
+     * @returns The stored credential or null if not found
+     */
+    retrieve(key: string): Promise<StoredModelCredential | null>;
+    /**
+     * Delete a model credential.
+     * @param key - The storage key
+     */
+    delete(key: string): Promise<void>;
+    /**
+     * Check if a credential exists.
+     * @param key - The storage key
+     * @returns True if the credential exists
+     */
+    exists(key: string): Promise<boolean>;
+}
+/**
+ * OpenAI API Key Handler.
+ *
+ * Provides methods for storing, retrieving, validating, and injecting
+ * OpenAI API keys. Integrates with the Credential_Store for secure storage.
+ *
+ * Requirements: 7b.1, 7b.4, 7b.5
+ */
+export declare class OpenAIApiKeyHandler {
+    private readonly storage;
+    /**
+     * Create a new OpenAI API key handler.
+     * @param storage - The credential storage backend
+     */
+    constructor(storage: IModelCredentialStorage);
+    /**
+     * Get the provider ID for this handler.
+     * @returns The OpenAI provider ID
+     */
+    getProviderId(): ModelProviderId;
+    /**
+     * Get the injection configuration for OpenAI.
+     *
+     * OpenAI uses the Authorization header with Bearer token format:
+     * Authorization: Bearer {key}
+     *
+     * Requirements: 7b.5
+     *
+     * @returns The header injection configuration
+     */
+    getInjectionConfig(): HeaderInjection;
+    /**
+     * Validate an OpenAI API key format.
+     *
+     * Performs basic format validation:
+     * - Must be a non-empty string
+     * - Must meet minimum length requirement
+     * - Optionally checks for 'sk-' prefix (warning only)
+     *
+     * Note: This does not validate the key against OpenAI's API.
+     * Use validateWithApi() for full validation.
+     *
+     * @param apiKey - The API key to validate
+     * @returns Validation result with success flag and optional warning
+     */
+    validateFormat(apiKey: string): {
+        valid: boolean;
+        warning?: string;
+    };
+    /**
+     * Store an OpenAI API key in the credential store.
+     *
+     * The key is stored with encryption handled by the storage backend.
+     *
+     * Requirements: 7b.4
+     *
+     * @param apiKey - The API key to store
+     * @param label - Optional human-readable label
+     * @returns Promise that resolves when stored
+     * @throws Error if the API key format is invalid
+     */
+    store(apiKey: string, label?: string): Promise<void>;
+    /**
+     * Retrieve the stored OpenAI API key.
+     *
+     * Requirements: 7b.4
+     *
+     * @returns The credential result with the API key if found
+     */
+    retrieve(): Promise<ModelCredentialResult>;
+    /**
+     * Delete the stored OpenAI API key.
+     *
+     * @returns Promise that resolves when deleted
+     */
+    delete(): Promise<void>;
+    /**
+     * Check if an OpenAI API key is configured.
+     *
+     * @returns True if a valid API key is stored
+     */
+    isConfigured(): Promise<boolean>;
+    /**
+     * Get the status of the OpenAI API key credential.
+     *
+     * @returns The credential status entry
+     */
+    getStatus(): Promise<ModelCredentialStatusEntry>;
+    /**
+     * Inject the OpenAI API key into request headers.
+     *
+     * Creates the Authorization header with Bearer token format:
+     * Authorization: Bearer {key}
+     *
+     * Requirements: 7b.5
+     *
+     * @param headers - Existing headers object (will be modified)
+     * @returns The headers object with the Authorization header added
+     * @throws Error if no API key is configured
+     */
+    injectHeader(headers?: Record<string, string>): Promise<Record<string, string>>;
+    /**
+     * Get the header injection for a request.
+     *
+     * Returns the header name and value for injecting the API key.
+     * This is useful when you need the header separately from the request.
+     *
+     * Requirements: 7b.5
+     *
+     * @returns Object with headerName and headerValue
+     * @throws Error if no API key is configured
+     */
+    getHeaderInjection(): Promise<{
+        headerName: string;
+        headerValue: string;
+    }>;
+}
+/**
+ * Create a new OpenAI API key handler.
+ *
+ * @param storage - The credential storage backend
+ * @returns A new OpenAI API key handler instance
+ */
+export declare function createOpenAIApiKeyHandler(storage: IModelCredentialStorage): OpenAIApiKeyHandler;