npm - kavachos - Versions diffs - 0.4.0 → 0.4.2 - Mend

kavachos 0.4.0 → 0.4.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/dist/auth/index.d.ts +583 -32
package/dist/auth/index.js +1673 -272
package/dist/auth/index.js.map +1 -1
package/dist/index.d.ts +2 -1
package/dist/index.js +1672 -271
package/dist/index.js.map +1 -1
package/dist/standards/index.d.ts +139 -0
package/dist/standards/index.js +72 -0
package/dist/standards/index.js.map +1 -0
package/package.json +6 -1

package/dist/auth/index.d.ts CHANGED Viewed

@@ -2,6 +2,7 @@ import { z } from 'zod';
 import { a5 as AuthAdapter, o as ResolvedUser, X as KavachPlugin, D as Database, _ as AdminConfig, p as SessionManager, a2 as ApiKeyManagerConfig, aa as EmailOtpConfig, P as Permission, ae as MagicLinkConfig, aj as OrgConfig, ao as PasskeyConfig, N as PluginEndpoint, aF as TotpConfig } from '../types-RJPOU4un.js';
 export { u as AdminModule, $ as AdminUser, a1 as ApiKey, v as ApiKeyManagerModule, a6 as CaptchaConfig, G as CaptchaModule, a7 as CaptchaVerifyResult, a8 as CreateTokenInput, E as EmailOtpModule, ab as EmailVerificationConfig, y as EmailVerificationModule, r as MagicLinkModule, ag as OidcProvider, ah as OneTimeTokenConfig, z as OneTimeTokenModule, ai as OneTimeTokenPurpose, ak as OrgInvitation, al as OrgMember, O as OrgModule, am as OrgRole, an as Organization, ap as PasskeyCredential, s as PasskeyModule, aq as PasswordResetConfig, x as PasswordResetModule, as as PhoneAuthConfig, F as PhoneAuthModule, av as RevokeTokensResult, aw as SSO_ERROR, ax as SamlProvider, aA as SsoAuditEvent, aB as SsoConfig, aC as SsoConnection, aD as SsoError, t as SsoModule, T as TotpModule, aG as TotpSetup, aH as UsernameAuthConfig, w as UsernameAuthModule, aI as ValidateTokenResult, bu as WebhookConfig, bv as WebhookEvent, W as WebhookModule, aS as createAdminModule, aT as createApiKeyManagerModule, aV as createCaptchaModule, aY as createEmailOtpModule, aZ as createEmailVerificationModule, a_ as createMagicLinkModule, a$ as createOneTimeTokenModule, b0 as createOrgModule, b1 as createPasskeyModule, b2 as createPasswordResetModule, b3 as createPhoneAuthModule, b6 as createSsoModule, b7 as createTotpModule, b8 as createUsernameAuthModule, bw as createWebhookModule } from '../types-RJPOU4un.js';
 import { R as Result } from '../types-BiUe9e8u.js';
+import { AgentType, TrustTier } from '../standards/index.js';
 import * as jose from 'jose';
 import 'drizzle-orm/sqlite-core';
 import '../redirect/index.js';
@@ -982,37 +983,6 @@ declare class HibpApiError extends Error {
     constructor(message: string);
 }
-/**
- * IETF agentic JWT claim name constants.
- *
- * Sources:
- *   - draft-goswami-agentic-jwt-00
- *   - draft-liu-agent-operation-authorization-01
- *
- * These constants are off by default. Set `emitAgenticJwtClaims: true` in
- * KavachConfig to include them in issued tokens.
- */
-/**
- * Operational mode of an agent within a delegation chain.
- *
- * - `autonomous`  — no human-in-the-loop; the agent acts on its own behalf.
- * - `delegated`   — the agent is acting under explicit delegation from another principal.
- * - `supervised`  — the agent acts autonomously but requires human approval for sensitive ops.
- */
-type AgentType = "autonomous" | "delegated" | "supervised";
-/**
- * Trust tier band assigned at token issuance, derived from the numeric trust
- * score. Matches the five-level model in KavachOS trust scoring.
- *
- * Mapping (inclusive lower bound):
- *   score 0–19  → "unverified"
- *   score 20–39 → "low"
- *   score 40–59 → "standard"
- *   score 60–79 → "elevated"
- *   score 80+   → "high"
- */
-type TrustTier = "unverified" | "low" | "standard" | "elevated" | "high";
 /**
  * JWT session plugin for KavachOS.
  *
@@ -1510,6 +1480,41 @@ declare function oauth(config: OAuthPluginConfig): KavachPlugin;
  */
 declare function createAppleProvider(config: OAuthProviderConfig): OAuthProvider;
+/**
+ * Atlassian OAuth 2.0 (3LO) provider.
+ *
+ * Endpoints:
+ * - Authorization: https://auth.atlassian.com/authorize
+ * - Token:         https://auth.atlassian.com/oauth/token
+ * - UserInfo:      https://api.atlassian.com/me
+ *
+ * Notes:
+ * - PKCE S256 is supported by Atlassian's OAuth 2.0 implementation.
+ * - The `audience` parameter (`api.atlassian.com`) is required on the
+ *   authorization URL. Without it, tokens will not be accepted by the
+ *   Atlassian APIs.
+ * - The `read:me` scope grants access to the user's identity (account ID,
+ *   email, name, avatar). Add `offline_access` if refresh tokens are needed.
+ * - Atlassian account IDs are in the format `557058:xxxxxxxx-xxxx-...`.
+ *
+ * Docs: https://developer.atlassian.com/cloud/jira/platform/oauth-2-3lo-apps/
+ */
+declare const DEFAULT_ATLASSIAN_SCOPES: string[];
+declare function normalizeProfile$9(raw: Record<string, unknown>): OAuthUserInfo;
+/**
+ * Create an Atlassian OAuth provider instance.
+ *
+ * @example
+ * ```typescript
+ * const atlassian = createAtlassianProvider({
+ *   clientId: process.env.ATLASSIAN_CLIENT_ID,
+ *   clientSecret: process.env.ATLASSIAN_CLIENT_SECRET,
+ * });
+ * ```
+ */
+declare function createAtlassianProvider(config: OAuthProviderConfig): OAuthProvider;
 /**
  * Discord OAuth 2.0 provider.
  *
@@ -1530,6 +1535,7 @@ declare function createAppleProvider(config: OAuthProviderConfig): OAuthProvider
  * Docs: https://discord.com/developers/docs/topics/oauth2
  */
+declare const DEFAULT_DISCORD_SCOPES: string[];
 /**
  * Create a Discord OAuth provider instance.
  *
@@ -1542,6 +1548,141 @@ declare function createAppleProvider(config: OAuthProviderConfig): OAuthProvider
  * ```
  */
 declare function createDiscordProvider(config: OAuthProviderConfig): OAuthProvider;
+declare function normalizeProfile$8(raw: Record<string, unknown>): OAuthUserInfo;
+/**
+ * Dropbox OAuth 2.0 provider.
+ *
+ * Endpoints:
+ * - Authorization: https://www.dropbox.com/oauth2/authorize
+ * - Token:         https://api.dropboxapi.com/oauth2/token
+ * - UserInfo:      https://api.dropboxapi.com/2/users/get_current_account (POST)
+ *
+ * Notes:
+ * - PKCE S256 is supported by Dropbox's OAuth 2.0 implementation (since 2021).
+ * - The userinfo endpoint is a POST with an empty body (JSON null is the
+ *   documented request body). No query params are needed.
+ * - The `account_info.read` scope grants access to basic account info including
+ *   email, name, and account ID.
+ * - Dropbox account IDs start with "dbid:" and are stable across sessions.
+ * - The `name` object contains `display_name`, `given_name`, `surname`, etc.
+ *
+ * Docs: https://developers.dropbox.com/oauth-guide
+ */
+declare const DEFAULT_DROPBOX_SCOPES: string[];
+declare function normalizeProfile$7(raw: Record<string, unknown>): OAuthUserInfo;
+/**
+ * Create a Dropbox OAuth provider instance.
+ *
+ * @example
+ * ```typescript
+ * const dropbox = createDropboxProvider({
+ *   clientId: process.env.DROPBOX_CLIENT_ID,
+ *   clientSecret: process.env.DROPBOX_CLIENT_SECRET,
+ * });
+ * ```
+ */
+declare function createDropboxProvider(config: OAuthProviderConfig): OAuthProvider;
+/**
+ * Figma OAuth 2.0 provider.
+ *
+ * Endpoints:
+ * - Authorization: https://www.figma.com/oauth
+ * - Token:         https://api.figma.com/v1/oauth/token
+ * - UserInfo:      https://api.figma.com/v1/me
+ *
+ * Notes:
+ * - PKCE S256 is supported by Figma's OAuth implementation.
+ * - The `file_read` scope is the minimum required for sign-in; it grants
+ *   read access to files, projects, and user information.
+ * - The email address is always returned; Figma accounts always have one.
+ *
+ * Docs: https://www.figma.com/developers/api#authentication
+ */
+declare const DEFAULT_FIGMA_SCOPES: string[];
+declare function normalizeProfile$6(raw: Record<string, unknown>): OAuthUserInfo;
+/**
+ * Create a Figma OAuth provider instance.
+ *
+ * @example
+ * ```typescript
+ * const figma = createFigmaProvider({
+ *   clientId: process.env.FIGMA_CLIENT_ID,
+ *   clientSecret: process.env.FIGMA_CLIENT_SECRET,
+ * });
+ * ```
+ */
+declare function createFigmaProvider(config: OAuthProviderConfig): OAuthProvider;
+/**
+ * Generic OIDC provider factory.
+ *
+ * Builds a fully functional OAuthProvider from a minimal config. When an
+ * OIDC issuer URL is supplied the factory constructs the standard
+ * `/.well-known/openid-configuration` discovery URL. Explicit endpoint
+ * overrides take precedence over discovery, so the factory works with
+ * providers that do not implement RFC 8414.
+ *
+ * Spec references:
+ * - OIDC Discovery: https://openid.net/specs/openid-connect-discovery-1_0.html
+ * - RFC 8414 (OAuth 2.0 Authorization Server Metadata)
+ */
+interface GenericOIDCConfig {
+    /** Machine-readable provider ID, e.g. `'okta'`, `'auth0'`. */
+    id: string;
+    /** Human-readable display name, e.g. `'Okta'`. */
+    name: string;
+    /**
+     * OIDC issuer URL. Used to derive the discovery document URL as
+     * `${issuer}/.well-known/openid-configuration` when explicit endpoint
+     * overrides are not provided.
+     *
+     * @example "https://dev-12345678.okta.com"
+     */
+    issuer: string;
+    /** OAuth application client ID. */
+    clientId: string;
+    /** OAuth application client secret. */
+    clientSecret: string;
+    /**
+     * Scopes to request. Defaults to `['openid', 'email', 'profile']`.
+     */
+    scopes?: string[];
+    /**
+     * Override the redirect URI registered with the provider.
+     * When omitted the URI passed at call time is used.
+     */
+    redirectUri?: string;
+    /** Authorization endpoint. Overrides discovery. */
+    authorizationUrl?: string;
+    /** Token endpoint. Overrides discovery. */
+    tokenUrl?: string;
+    /** UserInfo endpoint. Overrides discovery. */
+    userinfoUrl?: string;
+}
+/**
+ * Create an OAuthProvider backed by a standard OIDC issuer.
+ *
+ * Endpoints are resolved from the issuer's discovery document on first use
+ * and cached in memory for the lifetime of the process. Pass explicit
+ * `authorizationUrl`, `tokenUrl`, and `userinfoUrl` to bypass discovery.
+ *
+ * @example
+ * ```typescript
+ * const okta = genericOIDC({
+ *   id: "okta",
+ *   name: "Okta",
+ *   issuer: "https://dev-12345678.okta.com",
+ *   clientId: process.env.OKTA_CLIENT_ID,
+ *   clientSecret: process.env.OKTA_CLIENT_SECRET,
+ * });
+ * ```
+ */
+declare function genericOIDC(config: GenericOIDCConfig): OAuthProvider;
 /**
  * GitHub OAuth 2.0 provider.
@@ -1702,6 +1843,309 @@ declare function createLinkedInProvider(config: OAuthProviderConfig): OAuthProvi
  */
 declare function createMicrosoftProvider(config: OAuthProviderConfig): OAuthProvider;
+/**
+ * Notion OAuth 2.0 provider.
+ *
+ * Endpoints:
+ * - Authorization: https://api.notion.com/v1/oauth/authorize
+ * - Token:         https://api.notion.com/v1/oauth/token
+ * - UserInfo:      embedded in the token response (`owner` field)
+ *
+ * Notes:
+ * - Notion does not have a separate UserInfo endpoint. User identity is
+ *   returned as part of the token exchange response inside `owner.user`.
+ *   The provider captures the token response in a closure so that
+ *   `getUserInfo` can extract it without a redundant network call.
+ * - The token endpoint uses HTTP Basic auth (client_id:client_secret).
+ * - All Notion API requests require the `Notion-Version` header.
+ * - Notion uses integration-level permissions rather than OAuth scopes.
+ *   Workspaces a user authorizes appear in `workspace_id` / `workspace_name`
+ *   in the token response.
+ * - The `owner.user.person.email` field is present only when the integration
+ *   is authorized by a person (not a bot). For bot authorizations
+ *   `owner.type` is `"workspace"` and `email` may be absent.
+ * - PKCE is not documented by Notion; the code_challenge is omitted for
+ *   compatibility with their authorization server.
+ *
+ * Docs: https://developers.notion.com/docs/authorization
+ */
+declare const DEFAULT_NOTION_SCOPES: string[];
+declare function normalizeProfile$5(raw: Record<string, unknown>): OAuthUserInfo;
+/**
+ * Create a Notion OAuth provider instance.
+ *
+ * @example
+ * ```typescript
+ * const notion = createNotionProvider({
+ *   clientId: process.env.NOTION_CLIENT_ID,
+ *   clientSecret: process.env.NOTION_CLIENT_SECRET,
+ * });
+ * ```
+ */
+declare function createNotionProvider(config: OAuthProviderConfig): OAuthProvider;
+/**
+ * Preset OAuth provider configs.
+ *
+ * Each export is a factory function that takes `(clientId, clientSecret)`
+ * and returns a config accepted by `genericOIDC` or usable directly as a
+ * plain provider when the provider does not support OIDC discovery.
+ *
+ * OIDC-capable providers (Auth0, Okta) use `genericOIDC` and require the
+ * caller to supply their tenant/domain as a third argument.
+ *
+ * All other presets return a `GenericOIDCConfig`-compatible object with
+ * explicit endpoints so they work without any network discovery call.
+ */
+/**
+ * Facebook (Meta) OAuth 2.0.
+ *
+ * Docs: https://developers.facebook.com/docs/facebook-login/guides/advanced/manual-flow
+ */
+declare function facebookProvider(clientId: string, clientSecret: string, scopes?: string[]): OAuthProvider;
+/**
+ * Spotify OAuth 2.0.
+ *
+ * Docs: https://developer.spotify.com/documentation/web-api/concepts/authorization
+ */
+declare function spotifyProvider(clientId: string, clientSecret: string, scopes?: string[]): OAuthProvider;
+/**
+ * Twitch OAuth 2.0 / OIDC.
+ *
+ * Docs: https://dev.twitch.tv/docs/authentication
+ */
+declare function twitchProvider(clientId: string, clientSecret: string, scopes?: string[]): OAuthProvider;
+/**
+ * Reddit OAuth 2.0.
+ *
+ * Docs: https://github.com/reddit-archive/reddit/wiki/OAuth2
+ */
+declare function redditProvider(clientId: string, clientSecret: string, scopes?: string[]): OAuthProvider;
+/**
+ * Dropbox OAuth 2.0.
+ *
+ * Docs: https://developers.dropbox.com/oauth-guide
+ */
+declare function dropboxProvider(clientId: string, clientSecret: string, scopes?: string[]): OAuthProvider;
+/**
+ * Zoom OAuth 2.0 / OIDC.
+ *
+ * Docs: https://developers.zoom.us/docs/integrations/oauth/
+ */
+declare function zoomProvider(clientId: string, clientSecret: string, scopes?: string[]): OAuthProvider;
+/**
+ * Notion OAuth 2.0.
+ *
+ * Docs: https://developers.notion.com/docs/authorization
+ */
+declare function notionProvider(clientId: string, clientSecret: string, scopes?: string[]): OAuthProvider;
+/**
+ * Figma OAuth 2.0.
+ *
+ * Docs: https://www.figma.com/developers/api#authentication
+ */
+declare function figmaProvider(clientId: string, clientSecret: string, scopes?: string[]): OAuthProvider;
+/**
+ * Bitbucket OAuth 2.0.
+ *
+ * Docs: https://developer.atlassian.com/cloud/bitbucket/oauth-2/
+ */
+declare function bitbucketProvider(clientId: string, clientSecret: string, scopes?: string[]): OAuthProvider;
+/**
+ * Atlassian OAuth 2.0 (Jira, Confluence, etc.).
+ *
+ * Docs: https://developer.atlassian.com/cloud/jira/platform/oauth-2-3lo-apps/
+ */
+declare function atlassianProvider(clientId: string, clientSecret: string, scopes?: string[]): OAuthProvider;
+/**
+ * Yahoo OAuth 2.0 / OIDC.
+ *
+ * Docs: https://developer.yahoo.com/oauth2/guide/
+ */
+declare function yahooProvider(clientId: string, clientSecret: string, scopes?: string[]): OAuthProvider;
+/**
+ * LINE Login OAuth 2.0 / OIDC.
+ *
+ * Docs: https://developers.line.biz/en/docs/line-login/integrate-line-login/
+ */
+declare function lineProvider(clientId: string, clientSecret: string, scopes?: string[]): OAuthProvider;
+/**
+ * Coinbase OAuth 2.0.
+ *
+ * Docs: https://docs.cdp.coinbase.com/coinbase-app/docs/coinbase-connect-reference
+ */
+declare function coinbaseProvider(clientId: string, clientSecret: string, scopes?: string[]): OAuthProvider;
+/**
+ * TikTok OAuth 2.0.
+ *
+ * Docs: https://developers.tiktok.com/doc/oauth-user-access-token-management
+ */
+declare function tiktokProvider(clientId: string, clientSecret: string, scopes?: string[]): OAuthProvider;
+/**
+ * PayPal OAuth 2.0 / OIDC.
+ *
+ * Docs: https://developer.paypal.com/api/rest/authentication/
+ */
+declare function paypalProvider(clientId: string, clientSecret: string, scopes?: string[]): OAuthProvider;
+/**
+ * Salesforce OAuth 2.0 / OIDC.
+ *
+ * Docs: https://help.salesforce.com/s/articleView?id=sf.remoteaccess_oauth_flows.htm
+ */
+declare function salesforceProvider(clientId: string, clientSecret: string, scopes?: string[]): OAuthProvider;
+/**
+ * VK ID OAuth 2.0.
+ *
+ * Docs: https://id.vk.com/about/business/go/docs/ru/vkid/latest/vkid/sdk/web/get-started
+ */
+declare function vkProvider(clientId: string, clientSecret: string, scopes?: string[]): OAuthProvider;
+/**
+ * Kakao OAuth 2.0.
+ *
+ * Docs: https://developers.kakao.com/docs/latest/en/kakaologin/rest-api
+ */
+declare function kakaoProvider(clientId: string, clientSecret: string, scopes?: string[]): OAuthProvider;
+/**
+ * Naver OAuth 2.0.
+ *
+ * Docs: https://developers.naver.com/docs/login/api/api.md
+ */
+declare function naverProvider(clientId: string, clientSecret: string, scopes?: string[]): OAuthProvider;
+/**
+ * Hugging Face OAuth 2.0 / OIDC.
+ *
+ * Docs: https://huggingface.co/docs/hub/en/oauth
+ */
+declare function huggingfaceProvider(clientId: string, clientSecret: string, scopes?: string[]): OAuthProvider;
+/**
+ * Roblox OAuth 2.0 / OIDC.
+ *
+ * Docs: https://create.roblox.com/docs/cloud/open-cloud/oauth2-overview
+ */
+declare function robloxProvider(clientId: string, clientSecret: string, scopes?: string[]): OAuthProvider;
+/**
+ * Vercel OAuth 2.0.
+ *
+ * Docs: https://vercel.com/docs/integrations/create-integration/submit-integration#oauth2
+ */
+declare function vercelProvider(clientId: string, clientSecret: string, scopes?: string[]): OAuthProvider;
+/**
+ * Linear OAuth 2.0.
+ *
+ * Docs: https://developers.linear.app/docs/oauth/authentication
+ */
+declare function linearProvider(clientId: string, clientSecret: string, scopes?: string[]): OAuthProvider;
+/**
+ * Railway OAuth 2.0.
+ *
+ * Docs: https://docs.railway.app/reference/public-api#oauth2
+ */
+declare function railwayProvider(clientId: string, clientSecret: string, scopes?: string[]): OAuthProvider;
+/**
+ * Kick OAuth 2.0.
+ *
+ * Docs: https://docs.kick.com/getting-started/authorization-oauth2-flow
+ */
+declare function kickProvider(clientId: string, clientSecret: string, scopes?: string[]): OAuthProvider;
+/**
+ * WeChat OAuth 2.0 (Web Login via QR code).
+ *
+ * Docs: https://developers.weixin.qq.com/doc/oplatform/en/Website_App/WeChat_Login/Wechat_Login.html
+ */
+declare function wechatProvider(clientId: string, clientSecret: string, scopes?: string[]): OAuthProvider;
+/**
+ * Polar OAuth 2.0 / OIDC.
+ *
+ * Docs: https://docs.polar.sh/api-reference/oauth2
+ */
+declare function polarProvider(clientId: string, clientSecret: string, scopes?: string[]): OAuthProvider;
+/**
+ * Auth0 OIDC provider.
+ *
+ * Requires the Auth0 tenant domain (e.g. `"dev-abc123.us.auth0.com"`).
+ *
+ * Docs: https://auth0.com/docs/authenticate/protocols/openid-connect-protocol
+ *
+ * @example
+ * ```typescript
+ * const auth0 = auth0Provider("dev-abc123.us.auth0.com", clientId, clientSecret);
+ * ```
+ */
+declare function auth0Provider(domain: string, clientId: string, clientSecret: string, scopes?: string[]): OAuthProvider;
+/**
+ * Okta OIDC provider.
+ *
+ * Requires the Okta domain (e.g. `"dev-12345678.okta.com"`).
+ *
+ * Docs: https://developer.okta.com/docs/guides/implement-grant-type/authcode/main/
+ *
+ * @example
+ * ```typescript
+ * const okta = oktaProvider("dev-12345678.okta.com", clientId, clientSecret);
+ * ```
+ */
+declare function oktaProvider(domain: string, clientId: string, clientSecret: string, scopes?: string[]): OAuthProvider;
+/**
+ * AWS Cognito OIDC provider.
+ *
+ * Requires the Cognito hosted UI domain (e.g. `"my-app.auth.us-east-1.amazoncognito.com"`).
+ *
+ * Docs: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-userpools-server-contract-reference.html
+ *
+ * @example
+ * ```typescript
+ * const cognito = cognitoProvider(
+ *   "my-app.auth.us-east-1.amazoncognito.com",
+ *   clientId,
+ *   clientSecret,
+ * );
+ * ```
+ */
+declare function cognitoProvider(domain: string, clientId: string, clientSecret: string, scopes?: string[]): OAuthProvider;
+/**
+ * Reddit OAuth 2.0 provider.
+ *
+ * Endpoints:
+ * - Authorization: https://www.reddit.com/api/v1/authorize
+ * - Token:         https://www.reddit.com/api/v1/access_token
+ * - UserInfo:      https://oauth.reddit.com/api/v1/me
+ *
+ * Notes:
+ * - Reddit's token endpoint uses HTTP Basic authentication (client_id as the
+ *   username, client_secret as the password) rather than posting credentials
+ *   in the request body.
+ * - The `identity` scope grants access to the user's Reddit account info.
+ * - Reddit does not expose the user's email address via OAuth; the `name`
+ *   field (Reddit username) is the stable identifier.
+ * - The UserInfo endpoint requires a descriptive `User-Agent` header. Reddit
+ *   blocks requests with generic agents (e.g., "python-requests"). Format:
+ *   `platform:app_id:version (by /u/username)`.
+ * - Avatar URLs (`icon_img`) include query parameters; strip them when storing
+ *   to avoid caching issues.
+ * - PKCE is supported but Reddit also accepts flows without it for server-side
+ *   apps; KavachOS uses PKCE S256 consistently.
+ *
+ * Docs: https://www.reddit.com/dev/api/oauth
+ */
+declare const DEFAULT_REDDIT_SCOPES: string[];
+/**
+ * Create a Reddit OAuth provider instance.
+ *
+ * @example
+ * ```typescript
+ * const reddit = createRedditProvider({
+ *   clientId: process.env.REDDIT_CLIENT_ID,
+ *   clientSecret: process.env.REDDIT_CLIENT_SECRET,
+ * });
+ * ```
+ */
+declare function createRedditProvider(config: OAuthProviderConfig): OAuthProvider;
+declare function normalizeProfile$4(raw: Record<string, unknown>): OAuthUserInfo;
 /**
  * Slack OAuth 2.0 / OIDC provider.
  *
@@ -1725,6 +2169,7 @@ declare function createMicrosoftProvider(config: OAuthProviderConfig): OAuthProv
  * Docs: https://api.slack.com/authentication/sign-in-with-slack
  */
+declare const DEFAULT_SLACK_SCOPES: string[];
 /**
  * Create a Slack OAuth provider instance.
  *
@@ -1737,6 +2182,79 @@ declare function createMicrosoftProvider(config: OAuthProviderConfig): OAuthProv
  * ```
  */
 declare function createSlackProvider(config: OAuthProviderConfig): OAuthProvider;
+declare function normalizeProfile$3(raw: Record<string, unknown>): OAuthUserInfo;
+/**
+ * Spotify OAuth 2.0 provider.
+ *
+ * Endpoints:
+ * - Authorization: https://accounts.spotify.com/authorize
+ * - Token:         https://accounts.spotify.com/api/token
+ * - UserInfo:      https://api.spotify.com/v1/me
+ *
+ * Notes:
+ * - PKCE S256 is supported and encouraged for public clients.
+ * - The `user-read-email` scope is required to get the user's email.
+ * - The `user-read-private` scope is required to access the user's country
+ *   and subscription type. Both are included in the defaults for sign-in.
+ * - Email may be absent from the response when the account was created without
+ *   one (e.g., via Facebook sign-up on Spotify). Handle the undefined case.
+ * - Avatar images are returned as an array of `images`; the first entry is
+ *   typically the largest.
+ *
+ * Docs: https://developer.spotify.com/documentation/web-api/concepts/authorization
+ */
+declare const DEFAULT_SPOTIFY_SCOPES: string[];
+declare function normalizeProfile$2(raw: Record<string, unknown>): OAuthUserInfo;
+/**
+ * Create a Spotify OAuth provider instance.
+ *
+ * @example
+ * ```typescript
+ * const spotify = createSpotifyProvider({
+ *   clientId: process.env.SPOTIFY_CLIENT_ID,
+ *   clientSecret: process.env.SPOTIFY_CLIENT_SECRET,
+ * });
+ * ```
+ */
+declare function createSpotifyProvider(config: OAuthProviderConfig): OAuthProvider;
+/**
+ * Twitch OAuth 2.0 provider.
+ *
+ * Endpoints:
+ * - Authorization: https://id.twitch.tv/oauth2/authorize
+ * - Token:         https://id.twitch.tv/oauth2/token
+ * - UserInfo:      https://api.twitch.tv/helix/users
+ *
+ * Notes:
+ * - PKCE S256 is supported by the Twitch OAuth 2.0 implementation.
+ * - The `user:read:email` scope is required to receive the user's email address.
+ * - The UserInfo endpoint (/helix/users) requires a `Client-ID` header in
+ *   addition to the Bearer token. Without it the request returns 400.
+ * - User data is nested under a `data` array; the authenticated user is always
+ *   the first element.
+ * - Profile image URLs are direct CDN links and may change when the user
+ *   updates their profile picture.
+ *
+ * Docs: https://dev.twitch.tv/docs/authentication/
+ */
+declare const DEFAULT_TWITCH_SCOPES: string[];
+/**
+ * Create a Twitch OAuth provider instance.
+ *
+ * @example
+ * ```typescript
+ * const twitch = createTwitchProvider({
+ *   clientId: process.env.TWITCH_CLIENT_ID,
+ *   clientSecret: process.env.TWITCH_CLIENT_SECRET,
+ * });
+ * ```
+ */
+declare function createTwitchProvider(config: OAuthProviderConfig): OAuthProvider;
+declare function normalizeProfile$1(raw: Record<string, unknown>): OAuthUserInfo;
 /**
  * Twitter / X OAuth 2.0 provider.
@@ -1778,6 +2296,39 @@ declare function createSlackProvider(config: OAuthProviderConfig): OAuthProvider
  */
 declare function createTwitterProvider(config: OAuthProviderConfig): OAuthProvider;
+/**
+ * Zoom OAuth 2.0 provider.
+ *
+ * Endpoints:
+ * - Authorization: https://zoom.us/oauth/authorize
+ * - Token:         https://zoom.us/oauth/token
+ * - UserInfo:      https://api.zoom.us/v2/users/me
+ *
+ * Notes:
+ * - PKCE S256 is supported by Zoom's OAuth implementation.
+ * - The `user:read` scope grants read access to the authenticated user's
+ *   account details including email, name, and profile picture.
+ * - Zoom user IDs are alphanumeric strings, not numeric.
+ * - The `pic_url` field may be absent when the user has not set a profile photo.
+ *
+ * Docs: https://developers.zoom.us/docs/integrations/oauth/
+ */
+declare const DEFAULT_ZOOM_SCOPES: string[];
+declare function normalizeProfile(raw: Record<string, unknown>): OAuthUserInfo;
+/**
+ * Create a Zoom OAuth provider instance.
+ *
+ * @example
+ * ```typescript
+ * const zoom = createZoomProvider({
+ *   clientId: process.env.ZOOM_CLIENT_ID,
+ *   clientSecret: process.env.ZOOM_CLIENT_SECRET,
+ * });
+ * ```
+ */
+declare function createZoomProvider(config: OAuthProviderConfig): OAuthProvider;
 /**
  * OAuth proxy module for mobile apps.
  *
@@ -2912,4 +3463,4 @@ declare function createTrustedDeviceModule(config: TrustedDeviceConfig, db: Data
  */
 declare function deviceLabelFromRequest(request: Request): string;
-export { type AccessTokenClaims, type AdditionalFieldsConfig, type AdditionalFieldsModule, AdminConfig, type AnonymousAuthConfig, type AnonymousAuthModule, ApiKeyManagerConfig, AuthAdapter, type AuthorizeParams, type BearerAuthOptions, type BudgetCheckResult, type CheckParams, type CheckResult, type CheckoutOptions, type CostAlert, type CostAttributionConfig, type CostAttributionModule, type CostReport, type CreateEphemeralSessionInput, type CustomSessionConfig, type CustomSessionModule, type DeleteOptions, type DeleteResult, type DeviceAuthConfig, type DeviceAuthModule, type DeviceAuthStatus, type DeviceCodeResponse, EVENT_TYPES, EmailOtpConfig, type EndpointGroup, type EndpointLimit, type EphemeralSession, type EphemeralSessionConfig, type EphemeralSessionModule, type EphemeralSessionValidateResult, type EventStreamConfig, type EventStreamModule, type EventType, type ExpandParams, type FederatedAgent, type FederationConfig, type FederationModule, type FederationToken, type FederationWellKnown, type FieldDefinition, type GdprModule, type GetUserClaimsFn, type GoogleUser, type HeaderAuthOptions, HibpApiError, HibpBreachedError, type HibpConfig, type HibpModule, type InstanceIdentity, type IssueFederationTokenInput, type JsonWebKeySet, type JwtSessionConfig, type JwtSessionModule, type KVNamespace, KVStore, type LastLoginConfig, type LastLoginModule, type ListObjectsParams, type ListSubjectsParams, type LoginEvent, type LoginMethod, MagicLinkConfig, MemoryStore, type OAuthAccount, type OAuthCallbackResult, type OAuthModule, type OAuthModuleConfig, type OAuthPluginConfig, type OAuthProvider, type OAuthProviderConfig, type OAuthProxyConfig, OAuthProxyError, type OAuthProxyModule, type OAuthProxyPluginConfig, type OAuthTokens, type OAuthUserInfo, type OidcClient, type OidcDiscoveryDocument, type OidcProviderConfig, type OidcProviderModule, type OneTapConfig, type OneTapModule, OneTapVerifyError, type OpenApiComponents, type OpenApiConfig, type OpenApiDocument, type OpenApiInfo, type OpenApiMediaType, type OpenApiModule, type OpenApiOperation, type OpenApiParameter, type OpenApiPathItem, type OpenApiRequestBody, type OpenApiResponse, type OpenApiSchema, type OpenApiSecurityRequirement, type OpenApiSecurityScheme, type OpenApiServer, OrgConfig, PasskeyConfig, type PermissionRuleSet, type PolarConfig, type PolarModule, type PolarSubscription, type ProxyTokens, type RateLimitConfig, type RateLimitMiddlewareOptions, type RateLimitConfig$1 as RateLimitPluginConfig, type RateLimitResult, type RateLimitStore, type RateLimiter, type ReBACConfig, type ReBACModule, type RecordCostInput, type RecordLoginInput, type RegisterClientInput, type Relationship, ResolvedUser, type ResourceNode, type ScimConfig, type ScimGroup, type ScimModule, type ScimUser, type SessionTokens, type SessionUser, type SiweConfig, type SiweModule, type SiweVerifyResult, type StreamEvent, type StripeConfig, type StripeModule, type SubscriptionInfo, type TokenParams, type TokenResponse, TotpConfig, type TrustLevel, type TrustedDevice, type TrustedDeviceConfig, type TrustedDeviceModule, type TrustedInstance, type TwoFactorConfig, type UserDataExport, type UserInfoClaims, type ValidationResult, type VerifiedSession, additionalFields, admin, anonymousAuth, apiKeys, bearerAuth, createAdditionalFieldsModule, createAnonymousAuthModule, createAppleProvider, createCostAttributionModule, createCustomSessionModule, createDeviceAuthModule, createDiscordProvider, createEphemeralSessionModule, createEventStreamModule, createFederationModule, createGdprModule, createGithubProvider, createGitlabProvider, createGoogleProvider, createHibpModule, createJwtSessionModule, createLastLoginModule, createLinkedInProvider, createMicrosoftProvider, createOAuthModule, createOAuthProxyModule, createOidcProviderModule, createOneTapModule, createOpenApiModule, createPolarModule, createRateLimiter, createReBACModule, createScimModule, createSiweModule, createSlackProvider, createStripeModule, createTrustedDeviceModule, createTwitterProvider, customAuth, customSession, deviceAuth, deviceLabelFromRequest, emailOtp, gdpr, headerAuth, kvStore, magicLink, oauth, oauthProxy, oneTap, organization, passkey, polar, rateLimit, scim, siwe, stripe, twoFactor, withRateLimit };
+export { type AccessTokenClaims, type AdditionalFieldsConfig, type AdditionalFieldsModule, AdminConfig, type AnonymousAuthConfig, type AnonymousAuthModule, ApiKeyManagerConfig, AuthAdapter, type AuthorizeParams, type BearerAuthOptions, type BudgetCheckResult, type CheckParams, type CheckResult, type CheckoutOptions, type CostAlert, type CostAttributionConfig, type CostAttributionModule, type CostReport, type CreateEphemeralSessionInput, type CustomSessionConfig, type CustomSessionModule, DEFAULT_ATLASSIAN_SCOPES, DEFAULT_DISCORD_SCOPES, DEFAULT_DROPBOX_SCOPES, DEFAULT_FIGMA_SCOPES, DEFAULT_NOTION_SCOPES, DEFAULT_REDDIT_SCOPES, DEFAULT_SLACK_SCOPES, DEFAULT_SPOTIFY_SCOPES, DEFAULT_TWITCH_SCOPES, DEFAULT_ZOOM_SCOPES, type DeleteOptions, type DeleteResult, type DeviceAuthConfig, type DeviceAuthModule, type DeviceAuthStatus, type DeviceCodeResponse, EVENT_TYPES, EmailOtpConfig, type EndpointGroup, type EndpointLimit, type EphemeralSession, type EphemeralSessionConfig, type EphemeralSessionModule, type EphemeralSessionValidateResult, type EventStreamConfig, type EventStreamModule, type EventType, type ExpandParams, type FederatedAgent, type FederationConfig, type FederationModule, type FederationToken, type FederationWellKnown, type FieldDefinition, type GdprModule, type GenericOIDCConfig, type GetUserClaimsFn, type GoogleUser, type HeaderAuthOptions, HibpApiError, HibpBreachedError, type HibpConfig, type HibpModule, type InstanceIdentity, type IssueFederationTokenInput, type JsonWebKeySet, type JwtSessionConfig, type JwtSessionModule, type KVNamespace, KVStore, type LastLoginConfig, type LastLoginModule, type ListObjectsParams, type ListSubjectsParams, type LoginEvent, type LoginMethod, MagicLinkConfig, MemoryStore, type OAuthAccount, type OAuthCallbackResult, type OAuthModule, type OAuthModuleConfig, type OAuthPluginConfig, type OAuthProvider, type OAuthProviderConfig, type OAuthProxyConfig, OAuthProxyError, type OAuthProxyModule, type OAuthProxyPluginConfig, type OAuthTokens, type OAuthUserInfo, type OidcClient, type OidcDiscoveryDocument, type OidcProviderConfig, type OidcProviderModule, type OneTapConfig, type OneTapModule, OneTapVerifyError, type OpenApiComponents, type OpenApiConfig, type OpenApiDocument, type OpenApiInfo, type OpenApiMediaType, type OpenApiModule, type OpenApiOperation, type OpenApiParameter, type OpenApiPathItem, type OpenApiRequestBody, type OpenApiResponse, type OpenApiSchema, type OpenApiSecurityRequirement, type OpenApiSecurityScheme, type OpenApiServer, OrgConfig, PasskeyConfig, type PermissionRuleSet, type PolarConfig, type PolarModule, type PolarSubscription, type ProxyTokens, type RateLimitConfig, type RateLimitMiddlewareOptions, type RateLimitConfig$1 as RateLimitPluginConfig, type RateLimitResult, type RateLimitStore, type RateLimiter, type ReBACConfig, type ReBACModule, type RecordCostInput, type RecordLoginInput, type RegisterClientInput, type Relationship, ResolvedUser, type ResourceNode, type ScimConfig, type ScimGroup, type ScimModule, type ScimUser, type SessionTokens, type SessionUser, type SiweConfig, type SiweModule, type SiweVerifyResult, type StreamEvent, type StripeConfig, type StripeModule, type SubscriptionInfo, type TokenParams, type TokenResponse, TotpConfig, type TrustLevel, type TrustedDevice, type TrustedDeviceConfig, type TrustedDeviceModule, type TrustedInstance, type TwoFactorConfig, type UserDataExport, type UserInfoClaims, type ValidationResult, type VerifiedSession, additionalFields, admin, anonymousAuth, apiKeys, atlassianProvider, auth0Provider, bearerAuth, bitbucketProvider, cognitoProvider, coinbaseProvider, createAdditionalFieldsModule, createAnonymousAuthModule, createAppleProvider, createAtlassianProvider, createCostAttributionModule, createCustomSessionModule, createDeviceAuthModule, createDiscordProvider, createDropboxProvider, createEphemeralSessionModule, createEventStreamModule, createFederationModule, createFigmaProvider, createGdprModule, createGithubProvider, createGitlabProvider, createGoogleProvider, createHibpModule, createJwtSessionModule, createLastLoginModule, createLinkedInProvider, createMicrosoftProvider, createNotionProvider, createOAuthModule, createOAuthProxyModule, createOidcProviderModule, createOneTapModule, createOpenApiModule, createPolarModule, createRateLimiter, createReBACModule, createRedditProvider, createScimModule, createSiweModule, createSlackProvider, createSpotifyProvider, createStripeModule, createTrustedDeviceModule, createTwitchProvider, createTwitterProvider, createZoomProvider, customAuth, customSession, deviceAuth, deviceLabelFromRequest, dropboxProvider, emailOtp, facebookProvider, figmaProvider, gdpr, genericOIDC, headerAuth, huggingfaceProvider, kakaoProvider, kickProvider, kvStore, lineProvider, linearProvider, magicLink, naverProvider, normalizeProfile$9 as normalizeAtlassianProfile, normalizeProfile$8 as normalizeDiscordProfile, normalizeProfile$7 as normalizeDropboxProfile, normalizeProfile$6 as normalizeFigmaProfile, normalizeProfile$5 as normalizeNotionProfile, normalizeProfile$4 as normalizeRedditProfile, normalizeProfile$3 as normalizeSlackProfile, normalizeProfile$2 as normalizeSpotifyProfile, normalizeProfile$1 as normalizeTwitchProfile, normalizeProfile as normalizeZoomProfile, notionProvider, oauth, oauthProxy, oktaProvider, oneTap, organization, passkey, paypalProvider, polar, polarProvider, railwayProvider, rateLimit, redditProvider, robloxProvider, salesforceProvider, scim, siwe, spotifyProvider, stripe, tiktokProvider, twitchProvider, twoFactor, vercelProvider, vkProvider, wechatProvider, withRateLimit, yahooProvider, zoomProvider };