@uipath/auth 1.1.0 → 1.196.0

package/dist/interactive.d.ts

@@ -0,0 +1,102 @@
+import { getFileSystem } from "@uipath/filesystem";
+import { clientCredentialsLogin } from "./clientCredentials";
+import { resolveConfigAsync } from "./config";
+import { authenticate } from "./index";
+import { type SelectFromList } from "./selectTenant";
+import type { BaseCredentials } from "./types";
+import { loadEnvFileAsync, saveEnvFileAsync } from "./utils/envFile";
+import { assertIssuerMatchesAuthority, parseJWT } from "./utils/jwt";
+/**
+ * Structured progress events emitted during interactive login. Auth has no
+ * logger of its own (see `refactor(auth): remove common dependency`), so the
+ * CLI subscribes to these events and routes them to its logger / output sink.
+ */
+export type InteractiveLoginEvent = {
+    type: "info";
+    message: string;
+} | {
+    type: "warn";
+    message: string;
+} | {
+    type: "saved";
+    path: string;
+    locality: "local" | "global";
+} | {
+    type: "tenant-fetch-failed";
+    message: string;
+};
+interface InteractiveLoginOptions {
+    envFilePath?: string;
+    scope?: string[];
+    authority?: string;
+    clientId?: string;
+    clientSecret?: string;
+    tenant?: string;
+    organization?: string;
+    interactive?: boolean;
+    /**
+     * Callback used when interactive tenant selection is required (multiple
+     * tenants and `interactive` is true). Auth has no UI dependency of its
+     * own — the host (e.g. the CLI) supplies the prompt implementation.
+     */
+    selectFromList?: SelectFromList;
+    /** Optional subscriber for user-facing progress events. */
+    onEvent?: (event: InteractiveLoginEvent) => void;
+    /**
+     * Max ms to wait for the browser callback before the local server closes
+     * itself and the login rejects with `AUTH_TIMEOUT_ERROR_CODE`. Lets an
+     * in-process host (e.g. the VS Code extension) bound a stuck login and
+     * free the callback port — parity with the CLI killing its `uip`
+     * subprocess on timeout. Defaults to the server's 5-min cap. Only the
+     * authorization-code (browser) path uses it.
+     */
+    timeoutMs?: number;
+}
+export interface InteractiveLoginDependencies {
+    resolveConfig?: typeof resolveConfigAsync;
+    clientCredentials?: typeof clientCredentialsLogin;
+    auth?: typeof authenticate;
+    saveEnvFile?: typeof saveEnvFileAsync;
+    loadEnvFile?: typeof loadEnvFileAsync;
+    getFs?: typeof getFileSystem;
+    jwtParser?: typeof parseJWT;
+    issuerAsserter?: typeof assertIssuerMatchesAuthority;
+    tenantSelector?: (baseUrl: string, accessToken: string, organizationId: string, tenantName?: string, interactive?: boolean) => Promise<[string, string, string]>;
+}
+/**
+ * Perform interactive login to UiPath Cloud using either Client Credentials or Authorization Code flow.
+ *
+ * This function automatically selects the appropriate authentication flow:
+ * - If clientSecret is provided: Uses Client Credentials (silent)
+ * - Otherwise: Uses Authorization Code with PKCE (opens browser)
+ *
+ * After successful authentication, credentials are saved to the specified credentials file and
+ * the organization ID is extracted from the JWT token.
+ *
+ * @param options - Login configuration options
+ * @param options.envFilePath - Path to save credentials (default: ".uipath/.auth")
+ * @param options.scope - OAuth scopes to request (optional)
+ * @param options.authority - Custom authority URL (optional)
+ * @param options.clientId - Custom client ID (optional)
+ * @param options.clientSecret - Client secret for Client Credentials flow (optional)
+ * @returns Promise resolving to the saved credentials including access token and organization ID
+ *
+ * @example
+ * ```typescript
+ * // Interactive browser-based login
+ * const creds = await interactiveLogin({
+ *   envFilePath: '.uipath/.auth',
+ *   scope: ['OR.Machines', 'OR.Robots']
+ * });
+ *
+ * // Client Credentials login
+ * const creds = await interactiveLogin({
+ *   envFilePath: '.uipath/.auth',
+ *   clientId: 'my-app',
+ *   clientSecret: 'secret-key'
+ * });
+ * ```
+ */
+export declare const interactiveLoginWithDeps: (options: InteractiveLoginOptions, deps: InteractiveLoginDependencies) => Promise<BaseCredentials>;
+export declare const interactiveLogin: (options: InteractiveLoginOptions) => Promise<BaseCredentials>;
+export {};

package/dist/loginStatus.d.ts

@@ -0,0 +1,80 @@
+import { getFileSystem } from "@uipath/filesystem";
+import { resolveConfigAsync } from "./config";
+import { tryRobotClientFallback } from "./robotClientFallback";
+import { refreshAccessToken } from "./tokenRefresh";
+import { loadEnvFileAsync, resolveEnvFilePathAsync, saveEnvFileAsync } from "./utils/envFile";
+/**
+ * `"Expired"` means no refresh was attempted (no refresh token on file);
+ * recovery may be as cheap as copying a file. `"Refresh Failed"` means
+ * refresh was tried and could not complete with a usable token.
+ */
+export type LoginStatusValue = "Logged in" | "Not logged in" | "Expired" | "Refresh Failed";
+export declare enum LoginStatusSource {
+    File = "file",
+    Robot = "robot"
+}
+export interface TokenRefreshTelemetry {
+    attempted: boolean;
+    success: boolean;
+    errorMessage?: string;
+}
+export interface LoginStatus {
+    loginStatus: LoginStatusValue;
+    accessToken?: string;
+    refreshToken?: string;
+    baseUrl?: string;
+    organizationName?: string;
+    organizationId?: string;
+    tenantName?: string;
+    tenantId?: string;
+    /**
+     * Identity authority derived from the access token's `iss` claim.
+     * Authoritative for both cloud (`…/identity_`) and on-prem (`…/identity`),
+     * so consumers should build identity URLs from this rather than hardcoding
+     * the gateway path. Currently populated only on the Robot-borrow path.
+     */
+    issuer?: string;
+    expiration?: Date;
+    hint?: string;
+    source?: LoginStatusSource;
+    /**
+     * True when a refresh rotated successfully at the identity server but
+     * persisting the new pair to disk failed. The returned `accessToken` is
+     * valid for THIS call; the next invocation will fail until the on-disk
+     * pair can be updated.
+     */
+    persistenceFailed?: boolean;
+    /**
+     * True when the advisory file lock was acquired during refresh but its
+     * release rejected. The refresh outcome itself is unaffected — peers
+     * reclaim the leftover lock as stale on their next attempt. Carried as
+     * a structured signal so consumers can branch on it without parsing
+     * the user-facing `hint`.
+     */
+    lockReleaseFailed?: boolean;
+    tokenRefresh?: TokenRefreshTelemetry;
+}
+export interface GetLoginStatusOptions {
+    envFilePath?: string;
+    ensureTokenValidityMinutes?: number;
+}
+export interface LoginStatusDependencies {
+    resolveEnvFilePath?: typeof resolveEnvFilePathAsync;
+    loadEnvFile?: typeof loadEnvFileAsync;
+    saveEnvFile?: typeof saveEnvFileAsync;
+    getFs?: typeof getFileSystem;
+    refreshToken?: typeof refreshAccessToken;
+    resolveConfig?: typeof resolveConfigAsync;
+    robotFallback?: typeof tryRobotClientFallback;
+}
+/**
+ * Get the current login status by reading credentials from the credentials file (with DI for testing)
+ */
+export declare const getLoginStatusWithDeps: (options?: GetLoginStatusOptions, deps?: LoginStatusDependencies) => Promise<LoginStatus>;
+/**
+ * Get the current login status by reading credentials from the credentials file
+ * @param envFilePath - Path to the credentials file (defaults to ".uipath/.auth")
+ * @param ensureTokenValidityMinutes - If provided, refreshes the token when it expires within this many minutes
+ * @returns LoginStatus object with authentication information
+ */
+export declare const getLoginStatusAsync: (options?: GetLoginStatusOptions) => Promise<LoginStatus>;

package/dist/logout.d.ts

@@ -0,0 +1,44 @@
+import { getFileSystem } from "@uipath/filesystem";
+import { resolveEnvFilePathAsync } from "./utils/envFile";
+export interface LogoutOptions {
+    file?: string;
+}
+export interface LogoutResult {
+    success: boolean;
+    message: string;
+    removedPath?: string;
+    reason?: "no_credentials_file";
+}
+/**
+ * File system interface for logout operations
+ */
+export interface LogoutFileSystem {
+    exists: (path: string) => Promise<boolean>;
+    rm: (path: string) => Promise<void>;
+}
+/**
+ * Dependency injection interface for testing
+ */
+export interface LogoutDependencies {
+    resolveEnvFilePath?: typeof resolveEnvFilePathAsync;
+    getFileSystem?: typeof getFileSystem;
+}
+/**
+ * Logout from UiPath Cloud by removing the credentials file.
+ *
+ * This function removes the credentials file containing authentication credentials.
+ * It uses dependency injection for testability.
+ *
+ * @param options - Logout configuration options
+ * @param options.file - Path to credentials file (optional, uses default resolution if not provided)
+ * @param deps - Injected dependencies for testing
+ * @returns Promise resolving to the logout result
+ */
+export declare function logoutWithDeps(options: LogoutOptions, deps?: LogoutDependencies): Promise<LogoutResult>;
+/**
+ * Logout from UiPath Cloud by removing the credentials file.
+ *
+ * @param options - Logout configuration options
+ * @returns Promise resolving to the logout result
+ */
+export declare function logout(options: LogoutOptions): Promise<LogoutResult>;

package/dist/oidc.d.ts

@@ -0,0 +1,5 @@
+export declare const getOidcParams: () => Promise<{
+    code_verifier: string;
+    code_challenge: string;
+    state: string;
+}>;

package/dist/robotClientFallback.d.ts

@@ -0,0 +1,64 @@
+/**
+ * Minimal structural view of `@uipath/robot-client` — covers only the two
+ * methods we consume. Defined locally so that this file compiles even when
+ * the package is absent (it is loaded via dynamic `import()` at runtime).
+ */
+interface IInteractiveConnectFlow {
+    IsEnabled(): Promise<boolean>;
+}
+interface IAccessProvider {
+    GetResourceUrl(scope: "Orchestrator"): Promise<string>;
+    GetAccessToken(scope: "Orchestrator", refresh: boolean): Promise<string>;
+}
+interface IRobotAgentProxy {
+    readonly interactiveConnectFlow: IInteractiveConnectFlow;
+    readonly accessProvider: IAccessProvider;
+    CloseAsync(): Promise<void>;
+}
+interface RobotClientModule {
+    RobotProxyConstructor: new () => IRobotAgentProxy;
+}
+export interface RobotClientFallbackResult {
+    accessToken: string;
+    baseUrl: string;
+    organizationName?: string;
+    organizationId?: string;
+    tenantName?: string;
+    tenantId?: string;
+    issuer?: string;
+}
+export interface RobotClientFallbackOptions {
+    timeoutMs?: number;
+    /** Test seam: report whether the Robot IPC endpoint exists. */
+    isRobotIpcAvailable?: () => Promise<boolean>;
+    /** Test seam: provide a stubbed module loader. */
+    loadModule?: () => Promise<RobotClientModule | undefined>;
+    /**
+     * When true, skip the soft guards that protect the *default* fallback
+     * path: the `UIPATH_URL`-set short-circuit and the CI heuristic. Used by
+     * `UIPATH_CLI_ENFORCE_ROBOT_AUTH=true` callers who have explicitly opted
+     * into Robot-only auth and accept the IPC handshake cost. Browser is still
+     * skipped (no IPC there structurally).
+     */
+    force?: boolean;
+}
+/**
+ * Read credentials from the running UiPath Robot/Assistant via its local IPC.
+ *
+ * Returns `undefined` — and falls back to the standard "Not logged in" path —
+ * when any of the following is true:
+ *   - running in a browser
+ *   - `UIPATH_URL` is set (explicit user override takes precedence) — unless
+ *     `options.force === true`
+ *   - the process looks like a CI runner (`CI`/`GITHUB_ACTIONS` set) — unless
+ *     `options.force === true`
+ *   - `@uipath/robot-client` is not installed or fails to load
+ *   - Robot is not running, or sign-in is disabled
+ *   - an IPC call exceeds the timeout
+ *   - the returned resource URL or access token is malformed/empty
+ *
+ * Credentials returned by this function are ephemeral: the caller MUST NOT
+ * persist them to the auth file.
+ */
+export declare const tryRobotClientFallback: (options?: RobotClientFallbackOptions) => Promise<RobotClientFallbackResult | undefined>;
+export {};

package/dist/selectTenant.d.ts

@@ -0,0 +1,8 @@
+import { type TenantsAndOrganizations } from "./tenantSelection";
+export type SelectFromList = (options: string[], message: string) => Promise<number>;
+interface TenantSelectionDependencies {
+    fetchTenantsAndOrgs?: (baseUrl: string, accessToken: string, organizationId: string) => Promise<TenantsAndOrganizations>;
+    selectFromList?: SelectFromList;
+}
+export declare const selectTenantWithDeps: (baseUrl: string, accessToken: string, organizationId: string, targetTenantName?: string, interactive?: boolean, deps?: TenantSelectionDependencies) => Promise<[string, string, string]>;
+export {};

package/dist/server.d.ts

@@ -0,0 +1,8 @@
+export declare const AUTH_TIMEOUT_ERROR_CODE = "EAUTHTIMEOUT";
+interface StartCallbackServerProps {
+    redirectUri: URL;
+    timeoutMs?: number;
+    onListening?: () => Promise<void>;
+}
+export declare const startServer: ({ redirectUri, timeoutMs, onListening, }: StartCallbackServerProps) => Promise<URL>;
+export {};

package/dist/strategies/auth-strategy.d.ts

@@ -0,0 +1,7 @@
+export interface IAuthStrategy {
+    execute(url: string, redirectUri: URL, expectedState: string, 
+    /** Optional controls; `timeoutMs` bounds the wait for the callback. */
+    opts?: {
+        timeoutMs?: number;
+    }): Promise<string>;
+}

package/dist/strategies/browser-strategy.d.ts

@@ -0,0 +1,6 @@
+import type { IAuthStrategy } from "./auth-strategy";
+export declare class BrowserAuthStrategy implements IAuthStrategy {
+    execute(url: string, _redirectUri: URL, expectedState: string, _opts?: {
+        timeoutMs?: number;
+    }): Promise<string>;
+}

package/dist/strategies/node-strategy.d.ts

@@ -0,0 +1,6 @@
+import type { IAuthStrategy } from "./auth-strategy";
+export declare class NodeAuthStrategy implements IAuthStrategy {
+    execute(url: string, redirectUri: URL, expectedState: string, opts?: {
+        timeoutMs?: number;
+    }): Promise<string>;
+}

package/dist/tenantSelection.d.ts

@@ -0,0 +1,17 @@
+export interface Tenant {
+    id: string;
+    name: string;
+    [key: string]: unknown;
+}
+interface Organization {
+    id: string;
+    name: string;
+    [key: string]: unknown;
+}
+export interface TenantsAndOrganizations {
+    tenants: Tenant[];
+    organization: Organization;
+}
+/** Fetch tenants and organizations from UiPath Cloud. */
+export declare const fetchTenantsAndOrganizations: (baseUrl: string, accessToken: string, organizationId: string) => Promise<TenantsAndOrganizations>;
+export {};

package/dist/tokenExchange.d.ts

@@ -0,0 +1,13 @@
+interface ExchangeCodeForTokensProps {
+    code: string;
+    codeVerifier: string;
+    redirectUri: URL;
+    clientId: string;
+    clientSecret?: string;
+    tokenEndpoint: string;
+}
+export declare const exchangeCodeForTokens: ({ code, codeVerifier, redirectUri, clientId, clientSecret, tokenEndpoint, }: ExchangeCodeForTokensProps) => Promise<{
+    accessToken: string;
+    refreshToken: string;
+}>;
+export {};

package/dist/tokenRefresh.d.ts

@@ -0,0 +1,27 @@
+interface RefreshTokenParams {
+    refreshToken: string;
+    tokenEndpoint: string;
+    clientId: string;
+    /**
+     * The authority that originally minted the token (e.g.
+     * `https://cloud.uipath.com`). When provided, the refreshed access
+     * token's `iss` claim is validated against `<authority>/identity_`
+     * to defend against a token endpoint that has been swapped or
+     * MITM'd between sessions to issue tokens from a foreign IdP.
+     */
+    expectedAuthority?: string;
+}
+interface TokenResponse {
+    accessToken: string;
+    refreshToken: string;
+}
+export declare class TokenRefreshOAuthError extends Error {
+    readonly __brand = "TokenRefreshOAuthError";
+    constructor();
+}
+export declare function isTokenRefreshOAuthFailure(error: unknown): boolean;
+/**
+ * Refresh an access token using a refresh token
+ */
+export declare const refreshAccessToken: ({ refreshToken, tokenEndpoint, clientId, expectedAuthority, }: RefreshTokenParams) => Promise<TokenResponse>;
+export {};

package/dist/types.d.ts

@@ -0,0 +1,5 @@
+export interface BaseCredentials {
+    UIPATH_ACCESS_TOKEN: string;
+    UIPATH_REFRESH_TOKEN?: string;
+    [key: string]: string | undefined;
+}

package/dist/utils/envFile.d.ts

@@ -0,0 +1,106 @@
+export declare const DEFAULT_AUTH_FILENAME = ".auth";
+export declare const DEFAULT_ENV_FILENAME = ".uipath/.auth";
+interface LoadEnvFileProps {
+    envPath: string;
+}
+interface SaveEnvFileProps {
+    envPath: string;
+    data: Record<string, string | undefined>;
+    merge?: boolean;
+}
+interface ResolveEnvFilePathResult {
+    absolutePath: string | undefined;
+    errorMessage?: string;
+}
+export type EnvFileSource = "absolute" | "cwd" | "ancestor" | "home" | "default";
+/**
+ * Why the candidate at {@link EnvFileLocation.absolutePath} is not a usable
+ * credentials file. Surfaced so callers can tell "file is missing" (run
+ * `uip login`) apart from "file exists but cannot be read" (fix permissions
+ * or unblock the path) — the older `exists: boolean` API silently collapsed
+ * both into `false` and made permission errors look like a fresh install.
+ */
+export type EnvFileUnusableReason = 
+/** stat() threw — typically EACCES, EPERM, ELOOP, broken symlink. */
+"unreadable"
+/** Path resolves to a directory, not a regular file. */
+ | "not-a-file";
+/**
+ * Bounded set of `unusable.code` values the resolver can produce. Errno
+ * codes from filesystem rejections that fall outside this list are
+ * narrowed to `"EUNKNOWN"` rather than passed through verbatim — that
+ * keeps the public surface stable as new POSIX errnos appear.
+ */
+export type EnvFileErrorCode = "EISDIR" | "EACCES" | "EPERM" | "ELOOP" | "ENOTDIR" | "EUNKNOWN";
+export interface EnvFileUnusable {
+    readonly reason: EnvFileUnusableReason;
+    readonly code: EnvFileErrorCode;
+    readonly message: string;
+}
+/**
+ * Discriminated on `exists`. The `exists: true` branch can never carry an
+ * `unusable` block, and `source: "default"` only appears on the
+ * `exists: false` branch — both invariants are codified in the type so a
+ * buggy producer cannot construct an impossible state.
+ */
+export type EnvFileLocation = {
+    readonly exists: true;
+    readonly absolutePath: string;
+    readonly source: Exclude<EnvFileSource, "default">;
+} | {
+    readonly exists: false;
+    readonly absolutePath: string;
+    readonly source: EnvFileSource;
+    /**
+     * Set when the resolver picked this candidate but it is not a
+     * usable regular file. Absent when the file is simply missing
+     * (ENOENT). When set, `code`/`message` are the underlying
+     * filesystem error.
+     */
+    readonly unusable?: EnvFileUnusable;
+};
+/**
+ * Locate the credentials file the CLI would use, without requiring it to
+ * exist. Search order: absolute path → walk up from cwd → ~/ fallback.
+ * Designed for tools that need to register watchers, cache keys, or status
+ * displays before the user has authenticated. Never reads file contents.
+ *
+ * Uses `fs.stat` (not `fs.exists`) so a candidate that exists but is
+ * unreadable (EACCES) or is a directory is reported with `exists: false`
+ * **and** an `unusable` block — callers can branch on `unusable.reason`
+ * to distinguish "fresh install" from "permissions broken".
+ *
+ * During cwd walk-up an unreadable/directory candidate is treated as
+ * "not found" and the search continues; only the final candidate (the
+ * one actually returned) carries the `unusable` block.
+ */
+export declare const resolveEnvFileLocationAsync: (envFilePath?: string, opts?: {
+    cwd?: string;
+}) => Promise<EnvFileLocation>;
+/**
+ * Resolve the absolute path to an environment file, returning an
+ * `errorMessage` if no existing usable file was found. Delegates the
+ * search (absolute → cwd walk-up → ~/ fallback) and the regular-file
+ * check to {@link resolveEnvFileLocationAsync}; see there for full
+ * semantics including the unreadable-vs-missing distinction.
+ *
+ * @param envFilePath - Path to the credentials file (defaults to ".uipath/.auth")
+ * @param opts.cwd - Directory to start the relative-path walk-up from (defaults to the process cwd)
+ */
+export declare const resolveEnvFilePathAsync: (envFilePath?: string, opts?: {
+    cwd?: string;
+}) => Promise<ResolveEnvFilePathResult>;
+/**
+ * Load environment variables from a credentials file
+ * @param envPath - Path to the credentials file (relative to cwd or absolute)
+ * @returns Object with environment variables
+ */
+export declare const loadEnvFileAsync: ({ envPath }: LoadEnvFileProps) => Promise<Record<string, string>>;
+/**
+ * Save environment variables to a credentials file atomically
+ * @param envPath - Path to the credentials file (relative to cwd or absolute)
+ * @param data - Object with environment variables to save
+ * @param merge - If true, merge with existing file, otherwise overwrite
+ */
+export declare const saveEnvFileAsync: ({ envPath, data, merge, }: SaveEnvFileProps) => Promise<void>;
+export {};

package/dist/utils/jwt.d.ts

@@ -0,0 +1,43 @@
+interface JWTPayload {
+    exp: number;
+    iat: number;
+    iss?: string;
+    sub?: string;
+    name?: string;
+    preferred_username?: string;
+    email?: string;
+    first_name?: string;
+    last_name?: string;
+    prtId?: string;
+    organizationId?: string;
+    prt_id?: string;
+    [key: string]: unknown;
+}
+/**
+ * Error thrown when a token's `iss` claim does not identify the
+ * authority the CLI thought it was talking to. Defends against OIDC
+ * issuer mix-up (RFC 9207) and against silently accepting tokens from
+ * an unexpected identity server reached via misconfig or proxy.
+ */
+export declare class InvalidIssuerError extends Error {
+    readonly expected: string;
+    readonly actual: string | undefined;
+    constructor(expected: string, actual: string | undefined);
+}
+export declare const parseJWT: (token: string) => JWTPayload;
+/**
+ * Verify that a token was issued by the authority the caller intends
+ * to trust. Throws {@link InvalidIssuerError} on mismatch, missing
+ * claim, or malformed token.
+ *
+ * UiPath identity servers emit `iss` as `<authority>/identity_` (e.g.
+ * authority `https://cloud.uipath.com` → `iss` `https://cloud.uipath.com/identity_`).
+ * Trailing slashes on either side are tolerated; everything else is strict.
+ */
+export declare const assertIssuerMatchesAuthority: (token: string, authority: string) => void;
+/**
+ * Extract the expiration date from a JWT access token.
+ * Returns undefined if the token is malformed or has no exp claim.
+ */
+export declare const getTokenExpiration: (accessToken: string) => Date | undefined;
+export {};

package/dist/utils/platform.d.ts

@@ -0,0 +1,36 @@
+/**
+ * Platform detection utilities with proper type guards
+ * Use these instead of @ts-expect-error suppressions
+ */
+interface BrowserWindow {
+    document?: unknown;
+    screen?: {
+        width: number;
+        height: number;
+    };
+    location?: {
+        origin: string;
+    };
+    open?: (url: string, target: string, features: string) => unknown;
+    addEventListener?: (event: string, handler: (event: unknown) => void) => void;
+    removeEventListener?: (event: string, handler: (event: unknown) => void) => void;
+}
+interface BrowserDocument {
+    createElement?: (tag: string) => unknown;
+}
+/**
+ * Check if code is running in a browser environment
+ */
+export declare function isBrowser(): boolean;
+/**
+ * Check if code is running in Node.js environment
+ */
+export declare function isNode(): boolean;
+/**
+ * Get the global object safely
+ */
+export declare function getGlobalThis(): (typeof globalThis & {
+    window?: BrowserWindow;
+    document?: BrowserDocument;
+}) | undefined;
+export {};