authhero 5.8.1 → 5.9.0

package/dist/types/helpers/client-assertion.d.ts

@@ -0,0 +1,49 @@
+import { LoadClientKeysOptions, ClientWithKeys } from "./client-keys";
+declare const ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
+export type ClientAssertionMethod = "private_key_jwt" | "client_secret_jwt";
+export declare class ClientAssertionError extends Error {
+    code: "invalid_client" | "invalid_request" | "unsupported_alg" | "missing_keys";
+    constructor(code: "invalid_client" | "invalid_request" | "unsupported_alg" | "missing_keys", message: string);
+}
+export interface ClientAssertionClient extends ClientWithKeys {
+    client_id: string;
+    client_secret?: string | undefined;
+}
+export interface VerifyClientAssertionOptions extends LoadClientKeysOptions {
+    /**
+     * Acceptable values for the `aud` claim. Per RFC 7523 §3 the assertion's
+     * audience MUST identify the authorization server, typically as the token
+     * endpoint URL or the issuer. We accept either.
+     */
+    acceptedAudiences: string[];
+    /** Clock-skew leeway in seconds. Defaults to 30. */
+    leewaySeconds?: number;
+    /** Override Date.now() for tests. */
+    now?: () => number;
+}
+export interface VerifiedClientAssertion {
+    /** The authenticated client_id (extracted from the assertion's `sub`). */
+    clientId: string;
+    /** Which authentication method was actually used. */
+    method: ClientAssertionMethod;
+    /** Optional jti claim — useful if callers want to enforce replay protection. */
+    jti?: string;
+    /** The full verified payload, in case callers need other claims. */
+    payload: Record<string, unknown>;
+}
+/**
+ * Verify an RFC 7523 client assertion JWT. Used by the `/oauth/token` endpoint
+ * to authenticate clients that registered with `token_endpoint_auth_method`
+ * = `private_key_jwt` or `client_secret_jwt`.
+ *
+ * The caller has already resolved the client (typically via the assertion's
+ * `iss`/`sub` claim or an explicit `client_id` form param). This function
+ * verifies that the assertion is signed by a key the client owns and that the
+ * standard claims are correct.
+ *
+ * @throws ClientAssertionError when the assertion is malformed, signed with
+ *   an unsupported alg, signed with a key the client doesn't own, or fails
+ *   any of the iss/sub/aud/exp checks.
+ */
+export declare function verifyClientAssertion(assertion: string, client: ClientAssertionClient, opts: VerifyClientAssertionOptions): Promise<VerifiedClientAssertion>;
+export { ASSERTION_TYPE as CLIENT_ASSERTION_TYPE };

package/dist/types/helpers/client-keys.d.ts

@@ -0,0 +1,27 @@
+import { Jwk } from "@authhero/adapter-interfaces";
+import { SsrfFetchOptions } from "../utils/ssrf-fetch";
+export interface LoadClientKeysOptions {
+    fetch?: SsrfFetchOptions;
+}
+/**
+ * Subset of Client fields the JWKS loader actually reads. Narrower than
+ * `Client` so callers can pass `EnrichedClient` (which redefines the
+ * `connections` field shape) without structural mismatch.
+ */
+export interface ClientWithKeys {
+    client_metadata?: Record<string, string> | undefined;
+    registration_metadata?: Record<string, unknown> | undefined;
+}
+/**
+ * Resolve a client's JWS verification keys. Per RFC 7591 §2 a client may
+ * publish keys inline (`jwks`) or by reference (`jwks_uri`). Inline takes
+ * precedence when both are present.
+ *
+ * jwks is stored on `client.registration_metadata.jwks` (DCR forward-compat
+ * field); jwks_uri is stored on `client.client_metadata.jwks_uri`.
+ *
+ * Returns an empty array when the client has neither — callers must decide
+ * whether that's allowed for the alg in question (HS* algs don't need it;
+ * asymmetric algs do).
+ */
+export declare function loadClientJwks(client: ClientWithKeys, opts?: LoadClientKeysOptions): Promise<Jwk[]>;

package/dist/types/helpers/client.d.ts

@@ -0,0 +1,496 @@
+import { z } from "@hono/zod-openapi";
+import { Bindings } from "../types";
+/**
+ * EnrichedClient combines a Client with its associated Tenant and Connections.
+ *
+ * Instead of fetching this combined data through a special adapter,
+ * use the getEnrichedClient helper function which fetches the entities
+ * separately and composes them.
+ */
+export declare const enrichedClientSchema: z.ZodObject<{
+    created_at: z.ZodString;
+    updated_at: z.ZodString;
+    name: z.ZodString;
+    description: z.ZodOptional<z.ZodString>;
+    global: z.ZodDefault<z.ZodBoolean>;
+    client_secret: z.ZodOptional<z.ZodDefault<z.ZodString>>;
+    app_type: z.ZodOptional<z.ZodDefault<z.ZodEnum<{
+        native: "native";
+        spa: "spa";
+        regular_web: "regular_web";
+        non_interactive: "non_interactive";
+        resource_server: "resource_server";
+        express_configuration: "express_configuration";
+        rms: "rms";
+        box: "box";
+        cloudbees: "cloudbees";
+        concur: "concur";
+        dropbox: "dropbox";
+        mscrm: "mscrm";
+        echosign: "echosign";
+        egnyte: "egnyte";
+        newrelic: "newrelic";
+        office365: "office365";
+        salesforce: "salesforce";
+        sentry: "sentry";
+        sharepoint: "sharepoint";
+        slack: "slack";
+        springcm: "springcm";
+        zendesk: "zendesk";
+        zoom: "zoom";
+        sso_integration: "sso_integration";
+        oag: "oag";
+    }>>>;
+    logo_uri: z.ZodOptional<z.ZodString>;
+    is_first_party: z.ZodDefault<z.ZodBoolean>;
+    oidc_conformant: z.ZodDefault<z.ZodBoolean>;
+    auth0_conformant: z.ZodDefault<z.ZodBoolean>;
+    callbacks: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodString>>>;
+    allowed_origins: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodString>>>;
+    web_origins: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodString>>>;
+    client_aliases: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodString>>>;
+    allowed_clients: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodString>>>;
+    allowed_logout_urls: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodString>>>;
+    session_transfer: z.ZodOptional<z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodAny>>>;
+    oidc_logout: z.ZodOptional<z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodAny>>>;
+    grant_types: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodString>>>;
+    jwt_configuration: z.ZodOptional<z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodAny>>>;
+    signing_keys: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodRecord<z.ZodString, z.ZodAny>>>>;
+    encryption_key: z.ZodOptional<z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodAny>>>;
+    sso: z.ZodDefault<z.ZodBoolean>;
+    sso_disabled: z.ZodDefault<z.ZodBoolean>;
+    cross_origin_authentication: z.ZodDefault<z.ZodBoolean>;
+    cross_origin_loc: z.ZodOptional<z.ZodString>;
+    custom_login_page_on: z.ZodDefault<z.ZodBoolean>;
+    custom_login_page: z.ZodOptional<z.ZodString>;
+    custom_login_page_preview: z.ZodOptional<z.ZodString>;
+    form_template: z.ZodOptional<z.ZodString>;
+    addons: z.ZodOptional<z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodAny>>>;
+    token_endpoint_auth_method: z.ZodOptional<z.ZodDefault<z.ZodEnum<{
+        none: "none";
+        client_secret_post: "client_secret_post";
+        client_secret_basic: "client_secret_basic";
+        client_secret_jwt: "client_secret_jwt";
+        private_key_jwt: "private_key_jwt";
+    }>>>;
+    client_metadata: z.ZodOptional<z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodString>>>;
+    hide_sign_up_disabled_error: z.ZodOptional<z.ZodDefault<z.ZodBoolean>>;
+    mobile: z.ZodOptional<z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodAny>>>;
+    initiate_login_uri: z.ZodOptional<z.ZodString>;
+    native_social_login: z.ZodOptional<z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodAny>>>;
+    refresh_token: z.ZodOptional<z.ZodDefault<z.ZodObject<{
+        rotation_type: z.ZodOptional<z.ZodEnum<{
+            rotating: "rotating";
+            "non-rotating": "non-rotating";
+        }>>;
+        leeway: z.ZodOptional<z.ZodNumber>;
+        expiration_type: z.ZodOptional<z.ZodEnum<{
+            expiring: "expiring";
+            "non-expiring": "non-expiring";
+        }>>;
+        token_lifetime: z.ZodOptional<z.ZodNumber>;
+        infinite_token_lifetime: z.ZodOptional<z.ZodBoolean>;
+        idle_token_lifetime: z.ZodOptional<z.ZodNumber>;
+        infinite_idle_token_lifetime: z.ZodOptional<z.ZodBoolean>;
+    }, z.core.$strip>>>;
+    default_organization: z.ZodOptional<z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodAny>>>;
+    organization_usage: z.ZodOptional<z.ZodDefault<z.ZodEnum<{
+        deny: "deny";
+        allow: "allow";
+        require: "require";
+    }>>>;
+    organization_require_behavior: z.ZodOptional<z.ZodDefault<z.ZodEnum<{
+        no_prompt: "no_prompt";
+        pre_login_prompt: "pre_login_prompt";
+        post_login_prompt: "post_login_prompt";
+    }>>>;
+    client_authentication_methods: z.ZodOptional<z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodAny>>>;
+    require_pushed_authorization_requests: z.ZodDefault<z.ZodBoolean>;
+    require_proof_of_possession: z.ZodDefault<z.ZodBoolean>;
+    signed_request_object: z.ZodOptional<z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodAny>>>;
+    compliance_level: z.ZodOptional<z.ZodEnum<{
+        none: "none";
+        fapi1_adv_pkj_par: "fapi1_adv_pkj_par";
+        fapi1_adv_mtls_par: "fapi1_adv_mtls_par";
+        fapi2_sp_pkj_mtls: "fapi2_sp_pkj_mtls";
+        fapi2_sp_mtls_mtls: "fapi2_sp_mtls_mtls";
+    }>>;
+    par_request_expiry: z.ZodOptional<z.ZodNumber>;
+    token_quota: z.ZodOptional<z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodAny>>>;
+    owner_user_id: z.ZodOptional<z.ZodString>;
+    registration_type: z.ZodOptional<z.ZodEnum<{
+        manual: "manual";
+        open_dcr: "open_dcr";
+        iat_dcr: "iat_dcr";
+    }>>;
+    registration_metadata: z.ZodOptional<z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodAny>>>;
+    user_linking_mode: z.ZodOptional<z.ZodEnum<{
+        builtin: "builtin";
+        off: "off";
+    }>>;
+    client_id: z.ZodString;
+    tenant: z.ZodObject<{
+        created_at: z.ZodPipe<z.ZodNullable<z.ZodString>, z.ZodTransform<string, string | null>>;
+        updated_at: z.ZodPipe<z.ZodNullable<z.ZodString>, z.ZodTransform<string, string | null>>;
+        audience: z.ZodString;
+        friendly_name: z.ZodString;
+        picture_url: z.ZodOptional<z.ZodString>;
+        support_email: z.ZodOptional<z.ZodString>;
+        support_url: z.ZodOptional<z.ZodString>;
+        sender_email: z.ZodString;
+        sender_name: z.ZodString;
+        session_lifetime: z.ZodOptional<z.ZodNumber>;
+        idle_session_lifetime: z.ZodOptional<z.ZodNumber>;
+        ephemeral_session_lifetime: z.ZodOptional<z.ZodNumber>;
+        idle_ephemeral_session_lifetime: z.ZodOptional<z.ZodNumber>;
+        session_cookie: z.ZodOptional<z.ZodObject<{
+            mode: z.ZodOptional<z.ZodEnum<{
+                persistent: "persistent";
+                "non-persistent": "non-persistent";
+            }>>;
+        }, z.core.$strip>>;
+        allowed_logout_urls: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        default_redirection_uri: z.ZodOptional<z.ZodString>;
+        default_client_id: z.ZodOptional<z.ZodString>;
+        enabled_locales: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        default_directory: z.ZodOptional<z.ZodString>;
+        error_page: z.ZodOptional<z.ZodNullable<z.ZodObject<{
+            html: z.ZodOptional<z.ZodString>;
+            show_log_link: z.ZodOptional<z.ZodBoolean>;
+            url: z.ZodOptional<z.ZodString>;
+        }, z.core.$strip>>>;
+        flags: z.ZodOptional<z.ZodObject<{
+            allow_changing_enable_sso: z.ZodOptional<z.ZodBoolean>;
+            allow_legacy_delegation_grant_types: z.ZodOptional<z.ZodBoolean>;
+            allow_legacy_ro_grant_types: z.ZodOptional<z.ZodBoolean>;
+            allow_legacy_tokeninfo_endpoint: z.ZodOptional<z.ZodBoolean>;
+            change_pwd_flow_v1: z.ZodOptional<z.ZodBoolean>;
+            custom_domains_provisioning: z.ZodOptional<z.ZodBoolean>;
+            dashboard_insights_view: z.ZodOptional<z.ZodBoolean>;
+            dashboard_log_streams_next: z.ZodOptional<z.ZodBoolean>;
+            disable_clickjack_protection_headers: z.ZodOptional<z.ZodBoolean>;
+            disable_fields_map_fix: z.ZodOptional<z.ZodBoolean>;
+            disable_impersonation: z.ZodOptional<z.ZodBoolean>;
+            disable_management_api_sms_obfuscation: z.ZodOptional<z.ZodBoolean>;
+            enable_adfs_waad_email_verification: z.ZodOptional<z.ZodBoolean>;
+            enable_apis_section: z.ZodOptional<z.ZodBoolean>;
+            enable_client_connections: z.ZodOptional<z.ZodBoolean>;
+            enable_custom_domain_in_emails: z.ZodOptional<z.ZodBoolean>;
+            enable_dynamic_client_registration: z.ZodOptional<z.ZodBoolean>;
+            dcr_require_initial_access_token: z.ZodOptional<z.ZodBoolean>;
+            dcr_allowed_grant_types: z.ZodOptional<z.ZodArray<z.ZodString>>;
+            allow_http_return_to: z.ZodOptional<z.ZodArray<z.ZodString>>;
+            enable_idtoken_api2: z.ZodOptional<z.ZodBoolean>;
+            enable_legacy_logs_search_v2: z.ZodOptional<z.ZodBoolean>;
+            enable_legacy_profile: z.ZodOptional<z.ZodBoolean>;
+            enable_pipeline2: z.ZodOptional<z.ZodBoolean>;
+            enable_public_signup_user_exists_error: z.ZodOptional<z.ZodBoolean>;
+            enable_sso: z.ZodOptional<z.ZodBoolean>;
+            enforce_client_authentication_on_passwordless_start: z.ZodOptional<z.ZodBoolean>;
+            genai_trial: z.ZodOptional<z.ZodBoolean>;
+            improved_signup_bot_detection_in_classic: z.ZodOptional<z.ZodBoolean>;
+            mfa_show_factor_list_on_enrollment: z.ZodOptional<z.ZodBoolean>;
+            no_disclose_enterprise_connections: z.ZodOptional<z.ZodBoolean>;
+            remove_alg_from_jwks: z.ZodOptional<z.ZodBoolean>;
+            revoke_refresh_token_grant: z.ZodOptional<z.ZodBoolean>;
+            trust_azure_adfs_email_verified_connection_property: z.ZodOptional<z.ZodBoolean>;
+            use_scope_descriptions_for_consent: z.ZodOptional<z.ZodBoolean>;
+            inherit_global_permissions_in_organizations: z.ZodOptional<z.ZodBoolean>;
+        }, z.core.$strip>>;
+        sandbox_version: z.ZodOptional<z.ZodString>;
+        legacy_sandbox_version: z.ZodOptional<z.ZodString>;
+        sandbox_versions_available: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        change_password: z.ZodOptional<z.ZodObject<{
+            enabled: z.ZodOptional<z.ZodBoolean>;
+            html: z.ZodOptional<z.ZodString>;
+        }, z.core.$strip>>;
+        guardian_mfa_page: z.ZodOptional<z.ZodObject<{
+            enabled: z.ZodOptional<z.ZodBoolean>;
+            html: z.ZodOptional<z.ZodString>;
+        }, z.core.$strip>>;
+        device_flow: z.ZodOptional<z.ZodObject<{
+            charset: z.ZodOptional<z.ZodEnum<{
+                base20: "base20";
+                digits: "digits";
+            }>>;
+            mask: z.ZodOptional<z.ZodString>;
+        }, z.core.$strip>>;
+        default_token_quota: z.ZodOptional<z.ZodNullable<z.ZodObject<{
+            clients: z.ZodOptional<z.ZodObject<{
+                client_credentials: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
+            }, z.core.$strip>>;
+            organizations: z.ZodOptional<z.ZodObject<{
+                client_credentials: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
+            }, z.core.$strip>>;
+        }, z.core.$strip>>>;
+        default_audience: z.ZodOptional<z.ZodString>;
+        default_organization: z.ZodOptional<z.ZodString>;
+        sessions: z.ZodOptional<z.ZodObject<{
+            oidc_logout_prompt_enabled: z.ZodOptional<z.ZodBoolean>;
+        }, z.core.$strip>>;
+        oidc_logout: z.ZodOptional<z.ZodObject<{
+            rp_logout_end_session_endpoint_discovery: z.ZodOptional<z.ZodBoolean>;
+        }, z.core.$strip>>;
+        allow_organization_name_in_authentication_api: z.ZodOptional<z.ZodBoolean>;
+        customize_mfa_in_postlogin_action: z.ZodOptional<z.ZodBoolean>;
+        acr_values_supported: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        mtls: z.ZodOptional<z.ZodNullable<z.ZodObject<{
+            enable_endpoint_aliases: z.ZodOptional<z.ZodBoolean>;
+        }, z.core.$strip>>>;
+        pushed_authorization_requests_supported: z.ZodOptional<z.ZodBoolean>;
+        authorization_response_iss_parameter_supported: z.ZodOptional<z.ZodBoolean>;
+        attack_protection: z.ZodOptional<z.ZodObject<{
+            breached_password_detection: z.ZodOptional<z.ZodObject<{
+                enabled: z.ZodOptional<z.ZodBoolean>;
+                shields: z.ZodOptional<z.ZodArray<z.ZodString>>;
+                admin_notification_frequency: z.ZodOptional<z.ZodArray<z.ZodString>>;
+                method: z.ZodOptional<z.ZodString>;
+                stage: z.ZodOptional<z.ZodObject<{
+                    "pre-user-registration": z.ZodOptional<z.ZodObject<{
+                        shields: z.ZodOptional<z.ZodArray<z.ZodString>>;
+                    }, z.core.$strip>>;
+                    "pre-change-password": z.ZodOptional<z.ZodObject<{
+                        shields: z.ZodOptional<z.ZodArray<z.ZodString>>;
+                    }, z.core.$strip>>;
+                }, z.core.$strip>>;
+            }, z.core.$strip>>;
+            brute_force_protection: z.ZodOptional<z.ZodObject<{
+                enabled: z.ZodOptional<z.ZodBoolean>;
+                shields: z.ZodOptional<z.ZodArray<z.ZodString>>;
+                allowlist: z.ZodOptional<z.ZodArray<z.ZodString>>;
+                mode: z.ZodOptional<z.ZodString>;
+                max_attempts: z.ZodOptional<z.ZodNumber>;
+            }, z.core.$strip>>;
+            suspicious_ip_throttling: z.ZodOptional<z.ZodObject<{
+                enabled: z.ZodOptional<z.ZodBoolean>;
+                shields: z.ZodOptional<z.ZodArray<z.ZodString>>;
+                allowlist: z.ZodOptional<z.ZodArray<z.ZodString>>;
+                stage: z.ZodOptional<z.ZodObject<{
+                    "pre-login": z.ZodOptional<z.ZodObject<{
+                        max_attempts: z.ZodOptional<z.ZodNumber>;
+                        rate: z.ZodOptional<z.ZodNumber>;
+                    }, z.core.$strip>>;
+                    "pre-user-registration": z.ZodOptional<z.ZodObject<{
+                        max_attempts: z.ZodOptional<z.ZodNumber>;
+                        rate: z.ZodOptional<z.ZodNumber>;
+                    }, z.core.$strip>>;
+                }, z.core.$strip>>;
+            }, z.core.$strip>>;
+        }, z.core.$strip>>;
+        mfa: z.ZodOptional<z.ZodObject<{
+            policy: z.ZodOptional<z.ZodDefault<z.ZodEnum<{
+                never: "never";
+                always: "always";
+            }>>>;
+            factors: z.ZodOptional<z.ZodObject<{
+                sms: z.ZodDefault<z.ZodBoolean>;
+                otp: z.ZodDefault<z.ZodBoolean>;
+                email: z.ZodDefault<z.ZodBoolean>;
+                push_notification: z.ZodDefault<z.ZodBoolean>;
+                webauthn_roaming: z.ZodDefault<z.ZodBoolean>;
+                webauthn_platform: z.ZodDefault<z.ZodBoolean>;
+                recovery_code: z.ZodDefault<z.ZodBoolean>;
+                duo: z.ZodDefault<z.ZodBoolean>;
+            }, z.core.$strip>>;
+            sms_provider: z.ZodOptional<z.ZodObject<{
+                provider: z.ZodOptional<z.ZodEnum<{
+                    twilio: "twilio";
+                    vonage: "vonage";
+                    aws_sns: "aws_sns";
+                    phone_message_hook: "phone_message_hook";
+                }>>;
+            }, z.core.$strip>>;
+            twilio: z.ZodOptional<z.ZodObject<{
+                sid: z.ZodOptional<z.ZodString>;
+                auth_token: z.ZodOptional<z.ZodString>;
+                from: z.ZodOptional<z.ZodString>;
+                messaging_service_sid: z.ZodOptional<z.ZodString>;
+            }, z.core.$strip>>;
+            phone_message: z.ZodOptional<z.ZodObject<{
+                message: z.ZodOptional<z.ZodString>;
+            }, z.core.$strip>>;
+        }, z.core.$strip>>;
+        id: z.ZodString;
+        is_control_plane: z.ZodOptional<z.ZodBoolean>;
+    }, z.core.$strip>;
+    connections: z.ZodArray<z.ZodObject<{
+        created_at: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
+        updated_at: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
+        id: z.ZodOptional<z.ZodString>;
+        name: z.ZodString;
+        display_name: z.ZodOptional<z.ZodString>;
+        strategy: z.ZodString;
+        options: z.ZodDefault<z.ZodPreprocess<z.ZodObject<{
+            kid: z.ZodOptional<z.ZodString>;
+            team_id: z.ZodOptional<z.ZodString>;
+            realms: z.ZodOptional<z.ZodString>;
+            authentication_method: z.ZodOptional<z.ZodString>;
+            client_id: z.ZodOptional<z.ZodString>;
+            client_secret: z.ZodOptional<z.ZodString>;
+            app_secret: z.ZodOptional<z.ZodString>;
+            scope: z.ZodOptional<z.ZodString>;
+            authorization_endpoint: z.ZodOptional<z.ZodString>;
+            token_endpoint: z.ZodOptional<z.ZodString>;
+            userinfo_endpoint: z.ZodOptional<z.ZodString>;
+            jwks_uri: z.ZodOptional<z.ZodString>;
+            discovery_url: z.ZodOptional<z.ZodString>;
+            issuer: z.ZodOptional<z.ZodString>;
+            token_endpoint_auth_method: z.ZodOptional<z.ZodEnum<{
+                client_secret_post: "client_secret_post";
+                client_secret_basic: "client_secret_basic";
+            }>>;
+            provider: z.ZodOptional<z.ZodString>;
+            from: z.ZodOptional<z.ZodString>;
+            twilio_sid: z.ZodOptional<z.ZodString>;
+            twilio_token: z.ZodOptional<z.ZodString>;
+            icon_url: z.ZodOptional<z.ZodString>;
+            domain_aliases: z.ZodOptional<z.ZodArray<z.ZodString>>;
+            callback_url: z.ZodOptional<z.ZodString>;
+            passwordPolicy: z.ZodOptional<z.ZodEnum<{
+                none: "none";
+                low: "low";
+                fair: "fair";
+                good: "good";
+                excellent: "excellent";
+            }>>;
+            password_complexity_options: z.ZodOptional<z.ZodObject<{
+                min_length: z.ZodOptional<z.ZodNumber>;
+            }, z.core.$strip>>;
+            password_history: z.ZodOptional<z.ZodObject<{
+                enable: z.ZodOptional<z.ZodBoolean>;
+                size: z.ZodOptional<z.ZodNumber>;
+            }, z.core.$strip>>;
+            password_no_personal_info: z.ZodOptional<z.ZodObject<{
+                enable: z.ZodOptional<z.ZodBoolean>;
+            }, z.core.$strip>>;
+            password_dictionary: z.ZodOptional<z.ZodObject<{
+                enable: z.ZodOptional<z.ZodBoolean>;
+                dictionary: z.ZodOptional<z.ZodArray<z.ZodString>>;
+            }, z.core.$strip>>;
+            disable_signup: z.ZodOptional<z.ZodBoolean>;
+            brute_force_protection: z.ZodOptional<z.ZodBoolean>;
+            import_mode: z.ZodOptional<z.ZodBoolean>;
+            configuration: z.ZodOptional<z.ZodObject<{
+                token_endpoint: z.ZodOptional<z.ZodString>;
+                userinfo_endpoint: z.ZodOptional<z.ZodString>;
+                client_id: z.ZodOptional<z.ZodString>;
+                client_secret: z.ZodOptional<z.ZodString>;
+                realm: z.ZodOptional<z.ZodString>;
+            }, z.core.$strip>>;
+            attributes: z.ZodOptional<z.ZodObject<{
+                email: z.ZodOptional<z.ZodObject<{
+                    identifier: z.ZodOptional<z.ZodObject<{
+                        active: z.ZodOptional<z.ZodBoolean>;
+                    }, z.core.$strip>>;
+                    signup: z.ZodOptional<z.ZodObject<{
+                        status: z.ZodOptional<z.ZodEnum<{
+                            optional: "optional";
+                            required: "required";
+                            disabled: "disabled";
+                        }>>;
+                        verification: z.ZodOptional<z.ZodObject<{
+                            active: z.ZodOptional<z.ZodBoolean>;
+                        }, z.core.$strip>>;
+                    }, z.core.$strip>>;
+                    validation: z.ZodOptional<z.ZodObject<{
+                        allowed: z.ZodOptional<z.ZodBoolean>;
+                    }, z.core.$strip>>;
+                    unique: z.ZodOptional<z.ZodBoolean>;
+                    profile_required: z.ZodOptional<z.ZodBoolean>;
+                    verification_method: z.ZodOptional<z.ZodEnum<{
+                        code: "code";
+                        link: "link";
+                    }>>;
+                }, z.core.$strip>>;
+                username: z.ZodOptional<z.ZodObject<{
+                    identifier: z.ZodOptional<z.ZodObject<{
+                        active: z.ZodOptional<z.ZodBoolean>;
+                    }, z.core.$strip>>;
+                    signup: z.ZodOptional<z.ZodObject<{
+                        status: z.ZodOptional<z.ZodEnum<{
+                            optional: "optional";
+                            required: "required";
+                            disabled: "disabled";
+                        }>>;
+                    }, z.core.$strip>>;
+                    validation: z.ZodOptional<z.ZodObject<{
+                        max_length: z.ZodOptional<z.ZodNumber>;
+                        min_length: z.ZodOptional<z.ZodNumber>;
+                        allowed_types: z.ZodOptional<z.ZodObject<{
+                            email: z.ZodOptional<z.ZodBoolean>;
+                            phone_number: z.ZodOptional<z.ZodBoolean>;
+                        }, z.core.$strip>>;
+                    }, z.core.$strip>>;
+                    profile_required: z.ZodOptional<z.ZodBoolean>;
+                }, z.core.$strip>>;
+                phone_number: z.ZodOptional<z.ZodObject<{
+                    identifier: z.ZodOptional<z.ZodObject<{
+                        active: z.ZodOptional<z.ZodBoolean>;
+                    }, z.core.$strip>>;
+                    signup: z.ZodOptional<z.ZodObject<{
+                        status: z.ZodOptional<z.ZodEnum<{
+                            optional: "optional";
+                            required: "required";
+                            disabled: "disabled";
+                        }>>;
+                    }, z.core.$strip>>;
+                }, z.core.$strip>>;
+            }, z.core.$strip>>;
+            authentication_methods: z.ZodOptional<z.ZodObject<{
+                password: z.ZodOptional<z.ZodObject<{
+                    enabled: z.ZodOptional<z.ZodBoolean>;
+                }, z.core.$strip>>;
+                passkey: z.ZodOptional<z.ZodObject<{
+                    enabled: z.ZodOptional<z.ZodBoolean>;
+                }, z.core.$strip>>;
+            }, z.core.$strip>>;
+            passkey_options: z.ZodOptional<z.ZodObject<{
+                challenge_ui: z.ZodOptional<z.ZodEnum<{
+                    both: "both";
+                    autofill: "autofill";
+                    button: "button";
+                }>>;
+                local_enrollment_enabled: z.ZodOptional<z.ZodBoolean>;
+                progressive_enrollment_enabled: z.ZodOptional<z.ZodBoolean>;
+            }, z.core.$strip>>;
+            requires_username: z.ZodOptional<z.ZodBoolean>;
+            validation: z.ZodOptional<z.ZodObject<{
+                username: z.ZodOptional<z.ZodObject<{
+                    min: z.ZodOptional<z.ZodNumber>;
+                    max: z.ZodOptional<z.ZodNumber>;
+                }, z.core.$strip>>;
+            }, z.core.$strip>>;
+            set_user_root_attributes: z.ZodOptional<z.ZodEnum<{
+                on_each_login: "on_each_login";
+                on_first_login: "on_first_login";
+                never_on_login: "never_on_login";
+            }>>;
+        }, z.core.$strip>>>;
+        enabled_clients: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodString>>>;
+        response_type: z.ZodOptional<z.ZodCustom<import("@authhero/adapter-interfaces").AuthorizationResponseType, import("@authhero/adapter-interfaces").AuthorizationResponseType>>;
+        response_mode: z.ZodOptional<z.ZodCustom<import("@authhero/adapter-interfaces").AuthorizationResponseMode, import("@authhero/adapter-interfaces").AuthorizationResponseMode>>;
+        is_domain_connection: z.ZodOptional<z.ZodBoolean>;
+        show_as_button: z.ZodOptional<z.ZodBoolean>;
+        metadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
+        is_system: z.ZodOptional<z.ZodBoolean>;
+    }, z.core.$strip>>;
+}, z.core.$strip>;
+export type EnrichedClient = z.infer<typeof enrichedClientSchema>;
+/**
+ * Fetches a client along with its tenant and connections by making separate
+ * adapter calls. This composites the data into an EnrichedClient.
+ *
+ * When tenantId is provided, all fetches happen in parallel for better performance.
+ * When tenantId is not provided, we first fetch the client to get the tenant_id,
+ * then fetch tenant and connections in parallel.
+ *
+ * If no connections are explicitly enabled for the client, falls back to all
+ * connections available in the tenant.
+ *
+ * @param env - The environment bindings containing data adapters
+ * @param clientId - The client ID to fetch
+ * @param tenantId - Optional tenant ID (if known, enables parallel fetching)
+ * @returns EnrichedClient with client, tenant, and connections data
+ * @throws JSONHTTPException if client or tenant is not found
+ */
+export declare function getEnrichedClient(env: Bindings, clientId: string, tenantId?: string): Promise<EnrichedClient>;

package/dist/types/helpers/dcr/constraint-enforcement.d.ts

@@ -0,0 +1,24 @@
+export interface ConstraintViolation {
+    field: string;
+    expected: unknown;
+    got: unknown;
+}
+export interface ConstraintResult {
+    ok: boolean;
+    violation?: ConstraintViolation;
+    /**
+     * Request merged with any absent constrained fields filled in from the
+     * constraints. Returned as a loose record since constraints may include
+     * fields beyond the typed request schema (e.g. AuthHero-internal
+     * `domain`, `integration_type` for the Phase 4 /connect/start flow).
+     */
+    filled: Record<string, unknown>;
+}
+/**
+ * Enforce IAT-pre-bound metadata constraints on a registration request.
+ *
+ * Rule per plan: each constrained field must either be absent from the
+ * request (filled in from the constraint) or exactly equal. No merging,
+ * no subset matching.
+ */
+export declare function enforceConstraints(constraints: Record<string, unknown> | undefined, request: Readonly<Record<string, unknown>>): ConstraintResult;