kavachos 0.4.1 → 0.4.2

package/dist/auth/index.js

@@ -5356,15 +5356,110 @@ function mergeScopes(defaults, extras) {
   return [...merged];
 }
 
+// src/auth/oauth/providers/atlassian.ts
+var AUTHORIZATION_URL2 = "https://auth.atlassian.com/authorize";
+var TOKEN_URL2 = "https://auth.atlassian.com/oauth/token";
+var USER_INFO_URL = "https://api.atlassian.com/me";
+var ATLASSIAN_AUDIENCE = "api.atlassian.com";
+var DEFAULT_ATLASSIAN_SCOPES = ["read:me"];
+function normalizeProfile(raw) {
+  const data = raw;
+  if (!data.account_id) {
+    throw new Error("Atlassian user response missing required field: account_id");
+  }
+  return {
+    id: data.account_id,
+    email: data.email,
+    name: data.name,
+    avatar: data.picture,
+    raw
+  };
+}
+function createAtlassianProvider(config) {
+  const scopes = mergeScopes2(DEFAULT_ATLASSIAN_SCOPES, config.scopes);
+  async function getAuthorizationUrl(state, codeVerifier, redirectUri) {
+    const codeChallenge = await deriveCodeChallenge(codeVerifier);
+    const effectiveRedirectUri = config.redirectUri ?? redirectUri;
+    const params = new URLSearchParams({
+      client_id: config.clientId,
+      redirect_uri: effectiveRedirectUri,
+      response_type: "code",
+      scope: scopes.join(" "),
+      state,
+      code_challenge: codeChallenge,
+      code_challenge_method: "S256",
+      // Required: instructs Atlassian which API audience to issue tokens for.
+      audience: ATLASSIAN_AUDIENCE,
+      prompt: "consent"
+    });
+    return `${AUTHORIZATION_URL2}?${params.toString()}`;
+  }
+  async function exchangeCode(code, codeVerifier, redirectUri) {
+    const effectiveRedirectUri = config.redirectUri ?? redirectUri;
+    const response = await fetch(TOKEN_URL2, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        grant_type: "authorization_code",
+        client_id: config.clientId,
+        client_secret: config.clientSecret,
+        code,
+        code_verifier: codeVerifier,
+        redirect_uri: effectiveRedirectUri
+      })
+    });
+    if (!response.ok) {
+      const text3 = await response.text();
+      throw new Error(`Atlassian token exchange failed (${response.status}): ${text3}`);
+    }
+    const raw = await response.json();
+    const data = raw;
+    return {
+      accessToken: data.access_token,
+      refreshToken: data.refresh_token,
+      expiresIn: data.expires_in,
+      tokenType: data.token_type ?? "Bearer",
+      raw
+    };
+  }
+  async function getUserInfo(accessToken) {
+    const response = await fetch(USER_INFO_URL, {
+      headers: { Authorization: `Bearer ${accessToken}` }
+    });
+    if (!response.ok) {
+      const text3 = await response.text();
+      throw new Error(`Atlassian /me fetch failed (${response.status}): ${text3}`);
+    }
+    const raw = await response.json();
+    return normalizeProfile(raw);
+  }
+  return {
+    id: "atlassian",
+    name: "Atlassian",
+    authorizationUrl: AUTHORIZATION_URL2,
+    tokenUrl: TOKEN_URL2,
+    userInfoUrl: USER_INFO_URL,
+    scopes,
+    getAuthorizationUrl,
+    exchangeCode,
+    getUserInfo
+  };
+}
+function mergeScopes2(defaults, extras) {
+  if (!extras || extras.length === 0) return defaults;
+  const merged = /* @__PURE__ */ new Set([...defaults, ...extras]);
+  return [...merged];
+}
+
 // src/auth/oauth/providers/discord.ts
-var AUTHORIZATION_URL2 = "https://discord.com/api/oauth2/authorize";
-var TOKEN_URL2 = "https://discord.com/api/oauth2/token";
-var USER_INFO_URL = "https://discord.com/api/users/@me";
+var AUTHORIZATION_URL3 = "https://discord.com/api/oauth2/authorize";
+var TOKEN_URL3 = "https://discord.com/api/oauth2/token";
+var USER_INFO_URL2 = "https://discord.com/api/users/@me";
 var CDN_BASE = "https://cdn.discordapp.com";
 var DEFAULT_DISCORD_SCOPES = ["identify", "email"];
 var DEFAULT_SCOPES2 = DEFAULT_DISCORD_SCOPES;
 function createDiscordProvider(config) {
-  const scopes = mergeScopes2(DEFAULT_SCOPES2, config.scopes);
+  const scopes = mergeScopes3(DEFAULT_SCOPES2, config.scopes);
   async function getAuthorizationUrl(state, codeVerifier, redirectUri) {
     const codeChallenge = await deriveCodeChallenge(codeVerifier);
     const effectiveRedirectUri = config.redirectUri ?? redirectUri;
@@ -5377,7 +5472,7 @@ function createDiscordProvider(config) {
       code_challenge: codeChallenge,
       code_challenge_method: "S256"
     });
-    return `${AUTHORIZATION_URL2}?${params.toString()}`;
+    return `${AUTHORIZATION_URL3}?${params.toString()}`;
   }
   async function exchangeCode(code, codeVerifier, redirectUri) {
     const effectiveRedirectUri = config.redirectUri ?? redirectUri;
@@ -5389,7 +5484,7 @@ function createDiscordProvider(config) {
       code_verifier: codeVerifier,
       redirect_uri: effectiveRedirectUri
     });
-    const response = await fetch(TOKEN_URL2, {
+    const response = await fetch(TOKEN_URL3, {
       method: "POST",
       headers: { "Content-Type": "application/x-www-form-urlencoded" },
       body: body.toString()
@@ -5409,7 +5504,7 @@ function createDiscordProvider(config) {
     };
   }
   async function getUserInfo(accessToken) {
-    const response = await fetch(USER_INFO_URL, {
+    const response = await fetch(USER_INFO_URL2, {
       headers: { Authorization: `Bearer ${accessToken}` }
     });
     if (!response.ok) {
@@ -5437,15 +5532,33 @@ function createDiscordProvider(config) {
   return {
     id: "discord",
     name: "Discord",
-    authorizationUrl: AUTHORIZATION_URL2,
-    tokenUrl: TOKEN_URL2,
-    userInfoUrl: USER_INFO_URL,
+    authorizationUrl: AUTHORIZATION_URL3,
+    tokenUrl: TOKEN_URL3,
+    userInfoUrl: USER_INFO_URL2,
     scopes,
     getAuthorizationUrl,
     exchangeCode,
     getUserInfo
   };
 }
+function normalizeProfile2(raw) {
+  const data = raw;
+  if (!data.id) {
+    throw new Error("Discord user response missing required field: id");
+  }
+  if (!data.email) {
+    throw new Error("Discord user response has no email. Ensure the `email` scope is granted.");
+  }
+  const avatar = buildAvatarUrl(data.id, data.avatar);
+  const name = data.global_name ?? buildLegacyName(data.username, data.discriminator);
+  return {
+    id: data.id,
+    email: data.email,
+    name,
+    avatar,
+    raw
+  };
+}
 function buildAvatarUrl(userId, avatarHash) {
   if (!avatarHash) return void 0;
   const ext = avatarHash.startsWith("a_") ? "gif" : "png";
@@ -5457,135 +5570,138 @@ function buildLegacyName(username, discriminator) {
   }
   return username;
 }
-function mergeScopes2(defaults, extras) {
+function mergeScopes3(defaults, extras) {
   if (!extras || extras.length === 0) return defaults;
   const merged = /* @__PURE__ */ new Set([...defaults, ...extras]);
   return [...merged];
 }
 
-// src/auth/oauth/providers/github.ts
-var AUTHORIZATION_URL3 = "https://github.com/login/oauth/authorize";
-var TOKEN_URL3 = "https://github.com/login/oauth/access_token";
-var USER_URL = "https://api.github.com/user";
-var USER_EMAILS_URL = "https://api.github.com/user/emails";
-var DEFAULT_SCOPES3 = ["user:email"];
-function createGithubProvider(config) {
-  const scopes = mergeScopes3(DEFAULT_SCOPES3, config.scopes);
+// src/auth/oauth/providers/dropbox.ts
+var AUTHORIZATION_URL4 = "https://www.dropbox.com/oauth2/authorize";
+var TOKEN_URL4 = "https://api.dropboxapi.com/oauth2/token";
+var USER_INFO_URL3 = "https://api.dropboxapi.com/2/users/get_current_account";
+var DEFAULT_DROPBOX_SCOPES = ["account_info.read"];
+function normalizeProfile3(raw) {
+  const data = raw;
+  if (!data.account_id) {
+    throw new Error("Dropbox user response missing required field: account_id");
+  }
+  if (!data.email) {
+    throw new Error("Dropbox user response missing required field: email");
+  }
+  return {
+    id: data.account_id,
+    email: data.email,
+    name: data.name?.display_name,
+    avatar: data.profile_photo_url ?? data.profile_photo?.url,
+    raw
+  };
+}
+function createDropboxProvider(config) {
+  const scopes = mergeScopes4(DEFAULT_DROPBOX_SCOPES, config.scopes);
   async function getAuthorizationUrl(state, codeVerifier, redirectUri) {
     const codeChallenge = await deriveCodeChallenge(codeVerifier);
     const effectiveRedirectUri = config.redirectUri ?? redirectUri;
     const params = new URLSearchParams({
       client_id: config.clientId,
       redirect_uri: effectiveRedirectUri,
+      response_type: "code",
       scope: scopes.join(" "),
       state,
-      // Included for symmetry; GitHub ignores unknown parameters.
       code_challenge: codeChallenge,
-      code_challenge_method: "S256"
+      code_challenge_method: "S256",
+      token_access_type: "offline"
     });
-    return `${AUTHORIZATION_URL3}?${params.toString()}`;
+    return `${AUTHORIZATION_URL4}?${params.toString()}`;
   }
   async function exchangeCode(code, codeVerifier, redirectUri) {
     const effectiveRedirectUri = config.redirectUri ?? redirectUri;
     const body = new URLSearchParams({
+      grant_type: "authorization_code",
       client_id: config.clientId,
       client_secret: config.clientSecret,
       code,
-      redirect_uri: effectiveRedirectUri,
-      code_verifier: codeVerifier
+      code_verifier: codeVerifier,
+      redirect_uri: effectiveRedirectUri
     });
-    const response = await fetch(TOKEN_URL3, {
+    const response = await fetch(TOKEN_URL4, {
       method: "POST",
-      headers: {
-        "Content-Type": "application/x-www-form-urlencoded",
-        Accept: "application/json"
-      },
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
       body: body.toString()
     });
     if (!response.ok) {
       const text3 = await response.text();
-      throw new Error(`GitHub token exchange failed (${response.status}): ${text3}`);
+      throw new Error(`Dropbox token exchange failed (${response.status}): ${text3}`);
     }
     const raw = await response.json();
     const data = raw;
-    if (data.error) {
-      throw new Error(
-        `GitHub token exchange error: ${data.error} \u2014 ${data.error_description ?? ""}`
-      );
-    }
-    if (!data.access_token) {
-      throw new Error("GitHub token exchange returned no access_token");
-    }
     return {
       accessToken: data.access_token,
       refreshToken: data.refresh_token,
       expiresIn: data.expires_in,
-      tokenType: data.token_type ?? "bearer",
+      tokenType: data.token_type ?? "Bearer",
       raw
     };
   }
   async function getUserInfo(accessToken) {
-    const headers = {
-      Authorization: `Bearer ${accessToken}`,
-      Accept: "application/vnd.github+json",
-      "X-GitHub-Api-Version": "2022-11-28"
-    };
-    const profileResponse = await fetch(USER_URL, { headers });
-    if (!profileResponse.ok) {
-      const text3 = await profileResponse.text();
-      throw new Error(`GitHub user fetch failed (${profileResponse.status}): ${text3}`);
-    }
-    const raw = await profileResponse.json();
-    const profile = raw;
-    let email = typeof profile.email === "string" ? profile.email : null;
-    if (!email) {
-      email = await fetchPrimaryEmail(accessToken, headers);
-    }
-    if (!email) {
+    const response = await fetch(USER_INFO_URL3, {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        "Content-Type": "application/json"
+      },
+      body: "null"
+    });
+    if (!response.ok) {
+      const text3 = await response.text();
       throw new Error(
-        "GitHub user has no accessible email. Ensure the user:email scope is granted."
+        `Dropbox /2/users/get_current_account fetch failed (${response.status}): ${text3}`
       );
     }
-    return {
-      id: String(profile.id),
-      email,
-      name: profile.name ?? profile.login,
-      avatar: profile.avatar_url,
-      raw
-    };
+    const raw = await response.json();
+    return normalizeProfile3(raw);
   }
   return {
-    id: "github",
-    name: "GitHub",
-    authorizationUrl: AUTHORIZATION_URL3,
-    tokenUrl: TOKEN_URL3,
-    userInfoUrl: USER_URL,
+    id: "dropbox",
+    name: "Dropbox",
+    authorizationUrl: AUTHORIZATION_URL4,
+    tokenUrl: TOKEN_URL4,
+    userInfoUrl: USER_INFO_URL3,
     scopes,
     getAuthorizationUrl,
     exchangeCode,
     getUserInfo
   };
 }
-async function fetchPrimaryEmail(_accessToken, headers) {
-  const response = await fetch(USER_EMAILS_URL, { headers });
-  if (!response.ok) return null;
-  const emails = await response.json();
-  const primary = emails.find((e) => e.primary && e.verified);
-  return primary?.email ?? null;
-}
-function mergeScopes3(defaults, extras) {
+function mergeScopes4(defaults, extras) {
   if (!extras || extras.length === 0) return defaults;
   const merged = /* @__PURE__ */ new Set([...defaults, ...extras]);
   return [...merged];
 }
 
-// src/auth/oauth/providers/gitlab.ts
-var AUTHORIZATION_URL4 = "https://gitlab.com/oauth/authorize";
-var TOKEN_URL4 = "https://gitlab.com/oauth/token";
-var USER_INFO_URL2 = "https://gitlab.com/api/v4/user";
-var DEFAULT_SCOPES4 = ["read_user"];
-function createGitlabProvider(config) {
-  const scopes = mergeScopes4(DEFAULT_SCOPES4, config.scopes);
+// src/auth/oauth/providers/figma.ts
+var AUTHORIZATION_URL5 = "https://www.figma.com/oauth";
+var TOKEN_URL5 = "https://api.figma.com/v1/oauth/token";
+var USER_INFO_URL4 = "https://api.figma.com/v1/me";
+var DEFAULT_FIGMA_SCOPES = ["file_read"];
+function normalizeProfile4(raw) {
+  const data = raw;
+  if (!data.id) {
+    throw new Error("Figma user response missing required field: id");
+  }
+  if (!data.email) {
+    throw new Error("Figma user response missing required field: email");
+  }
+  return {
+    id: data.id,
+    email: data.email,
+    name: data.handle,
+    avatar: data.img_url,
+    raw
+  };
+}
+function createFigmaProvider(config) {
+  const scopes = mergeScopes5(DEFAULT_FIGMA_SCOPES, config.scopes);
   async function getAuthorizationUrl(state, codeVerifier, redirectUri) {
     const codeChallenge = await deriveCodeChallenge(codeVerifier);
     const effectiveRedirectUri = config.redirectUri ?? redirectUri;
@@ -5598,26 +5714,26 @@ function createGitlabProvider(config) {
       code_challenge: codeChallenge,
       code_challenge_method: "S256"
     });
-    return `${AUTHORIZATION_URL4}?${params.toString()}`;
+    return `${AUTHORIZATION_URL5}?${params.toString()}`;
   }
   async function exchangeCode(code, codeVerifier, redirectUri) {
     const effectiveRedirectUri = config.redirectUri ?? redirectUri;
     const body = new URLSearchParams({
-      grant_type: "authorization_code",
       client_id: config.clientId,
       client_secret: config.clientSecret,
+      redirect_uri: effectiveRedirectUri,
       code,
       code_verifier: codeVerifier,
-      redirect_uri: effectiveRedirectUri
+      grant_type: "authorization_code"
     });
-    const response = await fetch(TOKEN_URL4, {
+    const response = await fetch(TOKEN_URL5, {
       method: "POST",
       headers: { "Content-Type": "application/x-www-form-urlencoded" },
       body: body.toString()
     });
     if (!response.ok) {
       const text3 = await response.text();
-      throw new Error(`GitLab token exchange failed (${response.status}): ${text3}`);
+      throw new Error(`Figma token exchange failed (${response.status}): ${text3}`);
     }
     const raw = await response.json();
     const data = raw;
@@ -5630,58 +5746,84 @@ function createGitlabProvider(config) {
     };
   }
   async function getUserInfo(accessToken) {
-    const response = await fetch(USER_INFO_URL2, {
+    const response = await fetch(USER_INFO_URL4, {
       headers: { Authorization: `Bearer ${accessToken}` }
     });
     if (!response.ok) {
       const text3 = await response.text();
-      throw new Error(`GitLab /api/v4/user fetch failed (${response.status}): ${text3}`);
+      throw new Error(`Figma /v1/me fetch failed (${response.status}): ${text3}`);
     }
     const raw = await response.json();
-    const data = raw;
-    if (!data.id) {
-      throw new Error("GitLab user response missing required field: id");
-    }
-    const email = data.email ?? data.public_email;
-    if (!email) {
-      throw new Error(
-        "GitLab user response has no email. The account may have restricted email visibility."
-      );
-    }
-    return {
-      id: String(data.id),
-      email,
-      name: data.name ?? data.username,
-      avatar: data.avatar_url,
-      raw
-    };
+    return normalizeProfile4(raw);
   }
   return {
-    id: "gitlab",
-    name: "GitLab",
-    authorizationUrl: AUTHORIZATION_URL4,
-    tokenUrl: TOKEN_URL4,
-    userInfoUrl: USER_INFO_URL2,
+    id: "figma",
+    name: "Figma",
+    authorizationUrl: AUTHORIZATION_URL5,
+    tokenUrl: TOKEN_URL5,
+    userInfoUrl: USER_INFO_URL4,
     scopes,
     getAuthorizationUrl,
     exchangeCode,
     getUserInfo
   };
 }
-function mergeScopes4(defaults, extras) {
+function mergeScopes5(defaults, extras) {
   if (!extras || extras.length === 0) return defaults;
   const merged = /* @__PURE__ */ new Set([...defaults, ...extras]);
   return [...merged];
 }
 
-// src/auth/oauth/providers/google.ts
-var AUTHORIZATION_URL5 = "https://accounts.google.com/o/oauth2/v2/auth";
-var TOKEN_URL5 = "https://oauth2.googleapis.com/token";
-var USER_INFO_URL3 = "https://www.googleapis.com/oauth2/v3/userinfo";
-var DEFAULT_SCOPES5 = ["openid", "email", "profile"];
-function createGoogleProvider(config) {
-  const scopes = mergeScopes5(DEFAULT_SCOPES5, config.scopes);
+// src/auth/oauth/providers/generic.ts
+var discoveryCache = /* @__PURE__ */ new Map();
+async function discoverEndpoints(issuer) {
+  const cached = discoveryCache.get(issuer);
+  if (cached) return cached;
+  const url = `${issuer.replace(/\/$/, "")}/.well-known/openid-configuration`;
+  const response = await fetch(url);
+  if (!response.ok) {
+    throw new Error(
+      `OIDC discovery failed for issuer "${issuer}" (${response.status}). Provide explicit authorizationUrl / tokenUrl / userinfoUrl to skip discovery.`
+    );
+  }
+  const doc = await response.json();
+  const authorizationUrl = assertString(
+    doc.authorization_endpoint,
+    "authorization_endpoint",
+    issuer
+  );
+  const tokenUrl = assertString(doc.token_endpoint, "token_endpoint", issuer);
+  const userinfoUrl = assertString(doc.userinfo_endpoint, "userinfo_endpoint", issuer);
+  const endpoints = { authorizationUrl, tokenUrl, userinfoUrl };
+  discoveryCache.set(issuer, endpoints);
+  return endpoints;
+}
+function assertString(value, field, issuer) {
+  if (typeof value !== "string" || value.length === 0) {
+    throw new Error(`OIDC discovery for "${issuer}" returned no "${field}" field.`);
+  }
+  return value;
+}
+function genericOIDC(config) {
+  const defaultScopes = ["openid", "email", "profile"];
+  const scopes = mergeScopes6(defaultScopes, config.scopes);
+  async function resolveEndpoints() {
+    if (config.authorizationUrl && config.tokenUrl && config.userinfoUrl) {
+      return {
+        authorizationUrl: config.authorizationUrl,
+        tokenUrl: config.tokenUrl,
+        userinfoUrl: config.userinfoUrl
+      };
+    }
+    const discovered = await discoverEndpoints(config.issuer);
+    return {
+      authorizationUrl: config.authorizationUrl ?? discovered.authorizationUrl,
+      tokenUrl: config.tokenUrl ?? discovered.tokenUrl,
+      userinfoUrl: config.userinfoUrl ?? discovered.userinfoUrl
+    };
+  }
   async function getAuthorizationUrl(state, codeVerifier, redirectUri) {
+    const endpoints = await resolveEndpoints();
     const codeChallenge = await deriveCodeChallenge(codeVerifier);
     const effectiveRedirectUri = config.redirectUri ?? redirectUri;
     const params = new URLSearchParams({
@@ -5691,15 +5833,12 @@ function createGoogleProvider(config) {
       scope: scopes.join(" "),
       state,
       code_challenge: codeChallenge,
-      code_challenge_method: "S256",
-      access_type: "offline",
-      // request refresh token
-      prompt: "consent"
-      // always show consent to get refresh token reliably
+      code_challenge_method: "S256"
     });
-    return `${AUTHORIZATION_URL5}?${params.toString()}`;
+    return `${endpoints.authorizationUrl}?${params.toString()}`;
   }
   async function exchangeCode(code, codeVerifier, redirectUri) {
+    const endpoints = await resolveEndpoints();
     const effectiveRedirectUri = config.redirectUri ?? redirectUri;
     const body = new URLSearchParams({
       grant_type: "authorization_code",
@@ -5709,14 +5848,1104 @@ function createGoogleProvider(config) {
       code_verifier: codeVerifier,
       redirect_uri: effectiveRedirectUri
     });
-    const response = await fetch(TOKEN_URL5, {
+    const response = await fetch(endpoints.tokenUrl, {
       method: "POST",
       headers: { "Content-Type": "application/x-www-form-urlencoded" },
       body: body.toString()
     });
     if (!response.ok) {
       const text3 = await response.text();
-      throw new Error(`Google token exchange failed (${response.status}): ${text3}`);
+      throw new Error(`${config.name} token exchange failed (${response.status}): ${text3}`);
+    }
+    const raw = await response.json();
+    const data = raw;
+    return {
+      accessToken: data.access_token,
+      refreshToken: data.refresh_token,
+      expiresIn: data.expires_in,
+      tokenType: data.token_type ?? "Bearer",
+      raw
+    };
+  }
+  async function getUserInfo(accessToken) {
+    const endpoints = await resolveEndpoints();
+    const response = await fetch(endpoints.userinfoUrl, {
+      headers: { Authorization: `Bearer ${accessToken}` }
+    });
+    if (!response.ok) {
+      const text3 = await response.text();
+      throw new Error(`${config.name} userinfo fetch failed (${response.status}): ${text3}`);
+    }
+    const raw = await response.json();
+    const data = raw;
+    if (!data.sub) {
+      throw new Error(`${config.name} userinfo response missing required "sub" field.`);
+    }
+    const email = data.email ?? "";
+    if (!email) {
+      throw new Error(
+        `${config.name} userinfo response missing "email". Ensure the 'email' scope is included.`
+      );
+    }
+    return {
+      id: data.sub,
+      email,
+      name: data.name,
+      avatar: data.picture,
+      raw
+    };
+  }
+  const staticAuthUrl = config.authorizationUrl ?? `${config.issuer.replace(/\/$/, "")}/.well-known/openid-configuration`;
+  return {
+    id: config.id,
+    name: config.name,
+    authorizationUrl: staticAuthUrl,
+    tokenUrl: config.tokenUrl ?? config.issuer,
+    userInfoUrl: config.userinfoUrl ?? config.issuer,
+    scopes,
+    getAuthorizationUrl,
+    exchangeCode,
+    getUserInfo
+  };
+}
+function mergeScopes6(defaults, extras) {
+  if (!extras || extras.length === 0) return defaults;
+  return [.../* @__PURE__ */ new Set([...defaults, ...extras])];
+}
+
+// src/auth/oauth/providers/github.ts
+var AUTHORIZATION_URL6 = "https://github.com/login/oauth/authorize";
+var TOKEN_URL6 = "https://github.com/login/oauth/access_token";
+var USER_URL = "https://api.github.com/user";
+var USER_EMAILS_URL = "https://api.github.com/user/emails";
+var DEFAULT_SCOPES3 = ["user:email"];
+function createGithubProvider(config) {
+  const scopes = mergeScopes7(DEFAULT_SCOPES3, config.scopes);
+  async function getAuthorizationUrl(state, codeVerifier, redirectUri) {
+    const codeChallenge = await deriveCodeChallenge(codeVerifier);
+    const effectiveRedirectUri = config.redirectUri ?? redirectUri;
+    const params = new URLSearchParams({
+      client_id: config.clientId,
+      redirect_uri: effectiveRedirectUri,
+      scope: scopes.join(" "),
+      state,
+      // Included for symmetry; GitHub ignores unknown parameters.
+      code_challenge: codeChallenge,
+      code_challenge_method: "S256"
+    });
+    return `${AUTHORIZATION_URL6}?${params.toString()}`;
+  }
+  async function exchangeCode(code, codeVerifier, redirectUri) {
+    const effectiveRedirectUri = config.redirectUri ?? redirectUri;
+    const body = new URLSearchParams({
+      client_id: config.clientId,
+      client_secret: config.clientSecret,
+      code,
+      redirect_uri: effectiveRedirectUri,
+      code_verifier: codeVerifier
+    });
+    const response = await fetch(TOKEN_URL6, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        Accept: "application/json"
+      },
+      body: body.toString()
+    });
+    if (!response.ok) {
+      const text3 = await response.text();
+      throw new Error(`GitHub token exchange failed (${response.status}): ${text3}`);
+    }
+    const raw = await response.json();
+    const data = raw;
+    if (data.error) {
+      throw new Error(
+        `GitHub token exchange error: ${data.error} \u2014 ${data.error_description ?? ""}`
+      );
+    }
+    if (!data.access_token) {
+      throw new Error("GitHub token exchange returned no access_token");
+    }
+    return {
+      accessToken: data.access_token,
+      refreshToken: data.refresh_token,
+      expiresIn: data.expires_in,
+      tokenType: data.token_type ?? "bearer",
+      raw
+    };
+  }
+  async function getUserInfo(accessToken) {
+    const headers = {
+      Authorization: `Bearer ${accessToken}`,
+      Accept: "application/vnd.github+json",
+      "X-GitHub-Api-Version": "2022-11-28"
+    };
+    const profileResponse = await fetch(USER_URL, { headers });
+    if (!profileResponse.ok) {
+      const text3 = await profileResponse.text();
+      throw new Error(`GitHub user fetch failed (${profileResponse.status}): ${text3}`);
+    }
+    const raw = await profileResponse.json();
+    const profile = raw;
+    let email = typeof profile.email === "string" ? profile.email : null;
+    if (!email) {
+      email = await fetchPrimaryEmail(accessToken, headers);
+    }
+    if (!email) {
+      throw new Error(
+        "GitHub user has no accessible email. Ensure the user:email scope is granted."
+      );
+    }
+    return {
+      id: String(profile.id),
+      email,
+      name: profile.name ?? profile.login,
+      avatar: profile.avatar_url,
+      raw
+    };
+  }
+  return {
+    id: "github",
+    name: "GitHub",
+    authorizationUrl: AUTHORIZATION_URL6,
+    tokenUrl: TOKEN_URL6,
+    userInfoUrl: USER_URL,
+    scopes,
+    getAuthorizationUrl,
+    exchangeCode,
+    getUserInfo
+  };
+}
+async function fetchPrimaryEmail(_accessToken, headers) {
+  const response = await fetch(USER_EMAILS_URL, { headers });
+  if (!response.ok) return null;
+  const emails = await response.json();
+  const primary = emails.find((e) => e.primary && e.verified);
+  return primary?.email ?? null;
+}
+function mergeScopes7(defaults, extras) {
+  if (!extras || extras.length === 0) return defaults;
+  const merged = /* @__PURE__ */ new Set([...defaults, ...extras]);
+  return [...merged];
+}
+
+// src/auth/oauth/providers/gitlab.ts
+var AUTHORIZATION_URL7 = "https://gitlab.com/oauth/authorize";
+var TOKEN_URL7 = "https://gitlab.com/oauth/token";
+var USER_INFO_URL5 = "https://gitlab.com/api/v4/user";
+var DEFAULT_SCOPES4 = ["read_user"];
+function createGitlabProvider(config) {
+  const scopes = mergeScopes8(DEFAULT_SCOPES4, config.scopes);
+  async function getAuthorizationUrl(state, codeVerifier, redirectUri) {
+    const codeChallenge = await deriveCodeChallenge(codeVerifier);
+    const effectiveRedirectUri = config.redirectUri ?? redirectUri;
+    const params = new URLSearchParams({
+      client_id: config.clientId,
+      redirect_uri: effectiveRedirectUri,
+      response_type: "code",
+      scope: scopes.join(" "),
+      state,
+      code_challenge: codeChallenge,
+      code_challenge_method: "S256"
+    });
+    return `${AUTHORIZATION_URL7}?${params.toString()}`;
+  }
+  async function exchangeCode(code, codeVerifier, redirectUri) {
+    const effectiveRedirectUri = config.redirectUri ?? redirectUri;
+    const body = new URLSearchParams({
+      grant_type: "authorization_code",
+      client_id: config.clientId,
+      client_secret: config.clientSecret,
+      code,
+      code_verifier: codeVerifier,
+      redirect_uri: effectiveRedirectUri
+    });
+    const response = await fetch(TOKEN_URL7, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: body.toString()
+    });
+    if (!response.ok) {
+      const text3 = await response.text();
+      throw new Error(`GitLab token exchange failed (${response.status}): ${text3}`);
+    }
+    const raw = await response.json();
+    const data = raw;
+    return {
+      accessToken: data.access_token,
+      refreshToken: data.refresh_token,
+      expiresIn: data.expires_in,
+      tokenType: data.token_type ?? "Bearer",
+      raw
+    };
+  }
+  async function getUserInfo(accessToken) {
+    const response = await fetch(USER_INFO_URL5, {
+      headers: { Authorization: `Bearer ${accessToken}` }
+    });
+    if (!response.ok) {
+      const text3 = await response.text();
+      throw new Error(`GitLab /api/v4/user fetch failed (${response.status}): ${text3}`);
+    }
+    const raw = await response.json();
+    const data = raw;
+    if (!data.id) {
+      throw new Error("GitLab user response missing required field: id");
+    }
+    const email = data.email ?? data.public_email;
+    if (!email) {
+      throw new Error(
+        "GitLab user response has no email. The account may have restricted email visibility."
+      );
+    }
+    return {
+      id: String(data.id),
+      email,
+      name: data.name ?? data.username,
+      avatar: data.avatar_url,
+      raw
+    };
+  }
+  return {
+    id: "gitlab",
+    name: "GitLab",
+    authorizationUrl: AUTHORIZATION_URL7,
+    tokenUrl: TOKEN_URL7,
+    userInfoUrl: USER_INFO_URL5,
+    scopes,
+    getAuthorizationUrl,
+    exchangeCode,
+    getUserInfo
+  };
+}
+function mergeScopes8(defaults, extras) {
+  if (!extras || extras.length === 0) return defaults;
+  const merged = /* @__PURE__ */ new Set([...defaults, ...extras]);
+  return [...merged];
+}
+
+// src/auth/oauth/providers/google.ts
+var AUTHORIZATION_URL8 = "https://accounts.google.com/o/oauth2/v2/auth";
+var TOKEN_URL8 = "https://oauth2.googleapis.com/token";
+var USER_INFO_URL6 = "https://www.googleapis.com/oauth2/v3/userinfo";
+var DEFAULT_SCOPES5 = ["openid", "email", "profile"];
+function createGoogleProvider(config) {
+  const scopes = mergeScopes9(DEFAULT_SCOPES5, config.scopes);
+  async function getAuthorizationUrl(state, codeVerifier, redirectUri) {
+    const codeChallenge = await deriveCodeChallenge(codeVerifier);
+    const effectiveRedirectUri = config.redirectUri ?? redirectUri;
+    const params = new URLSearchParams({
+      client_id: config.clientId,
+      redirect_uri: effectiveRedirectUri,
+      response_type: "code",
+      scope: scopes.join(" "),
+      state,
+      code_challenge: codeChallenge,
+      code_challenge_method: "S256",
+      access_type: "offline",
+      // request refresh token
+      prompt: "consent"
+      // always show consent to get refresh token reliably
+    });
+    return `${AUTHORIZATION_URL8}?${params.toString()}`;
+  }
+  async function exchangeCode(code, codeVerifier, redirectUri) {
+    const effectiveRedirectUri = config.redirectUri ?? redirectUri;
+    const body = new URLSearchParams({
+      grant_type: "authorization_code",
+      client_id: config.clientId,
+      client_secret: config.clientSecret,
+      code,
+      code_verifier: codeVerifier,
+      redirect_uri: effectiveRedirectUri
+    });
+    const response = await fetch(TOKEN_URL8, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: body.toString()
+    });
+    if (!response.ok) {
+      const text3 = await response.text();
+      throw new Error(`Google token exchange failed (${response.status}): ${text3}`);
+    }
+    const raw = await response.json();
+    const data = raw;
+    return {
+      accessToken: data.access_token,
+      refreshToken: data.refresh_token,
+      expiresIn: data.expires_in,
+      tokenType: data.token_type ?? "Bearer",
+      raw
+    };
+  }
+  async function getUserInfo(accessToken) {
+    const response = await fetch(USER_INFO_URL6, {
+      headers: { Authorization: `Bearer ${accessToken}` }
+    });
+    if (!response.ok) {
+      const text3 = await response.text();
+      throw new Error(`Google userinfo fetch failed (${response.status}): ${text3}`);
+    }
+    const raw = await response.json();
+    const data = raw;
+    if (!data.sub || !data.email) {
+      throw new Error("Google userinfo response missing required fields: sub, email");
+    }
+    return {
+      id: data.sub,
+      email: data.email,
+      name: data.name,
+      avatar: data.picture,
+      raw
+    };
+  }
+  return {
+    id: "google",
+    name: "Google",
+    authorizationUrl: AUTHORIZATION_URL8,
+    tokenUrl: TOKEN_URL8,
+    userInfoUrl: USER_INFO_URL6,
+    scopes,
+    getAuthorizationUrl,
+    exchangeCode,
+    getUserInfo
+  };
+}
+function mergeScopes9(defaults, extras) {
+  if (!extras || extras.length === 0) return defaults;
+  const merged = /* @__PURE__ */ new Set([...defaults, ...extras]);
+  return [...merged];
+}
+
+// src/auth/oauth/providers/linkedin.ts
+var AUTHORIZATION_URL9 = "https://www.linkedin.com/oauth/v2/authorization";
+var TOKEN_URL9 = "https://www.linkedin.com/oauth/v2/accessToken";
+var USER_INFO_URL7 = "https://api.linkedin.com/v2/userinfo";
+var DEFAULT_SCOPES6 = ["openid", "profile", "email"];
+function createLinkedInProvider(config) {
+  const scopes = mergeScopes10(DEFAULT_SCOPES6, config.scopes);
+  async function getAuthorizationUrl(state, codeVerifier, redirectUri) {
+    const codeChallenge = await deriveCodeChallenge(codeVerifier);
+    const effectiveRedirectUri = config.redirectUri ?? redirectUri;
+    const params = new URLSearchParams({
+      response_type: "code",
+      client_id: config.clientId,
+      redirect_uri: effectiveRedirectUri,
+      scope: scopes.join(" "),
+      state,
+      code_challenge: codeChallenge,
+      code_challenge_method: "S256"
+    });
+    return `${AUTHORIZATION_URL9}?${params.toString()}`;
+  }
+  async function exchangeCode(code, codeVerifier, redirectUri) {
+    const effectiveRedirectUri = config.redirectUri ?? redirectUri;
+    const body = new URLSearchParams({
+      grant_type: "authorization_code",
+      client_id: config.clientId,
+      client_secret: config.clientSecret,
+      code,
+      redirect_uri: effectiveRedirectUri,
+      code_verifier: codeVerifier
+    });
+    const response = await fetch(TOKEN_URL9, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: body.toString()
+    });
+    if (!response.ok) {
+      const text3 = await response.text();
+      throw new Error(`LinkedIn token exchange failed (${response.status}): ${text3}`);
+    }
+    const raw = await response.json();
+    const data = raw;
+    return {
+      accessToken: data.access_token,
+      refreshToken: data.refresh_token,
+      expiresIn: data.expires_in,
+      tokenType: data.token_type ?? "Bearer",
+      raw
+    };
+  }
+  async function getUserInfo(accessToken) {
+    const response = await fetch(USER_INFO_URL7, {
+      headers: { Authorization: `Bearer ${accessToken}` }
+    });
+    if (!response.ok) {
+      const text3 = await response.text();
+      throw new Error(`LinkedIn /v2/userinfo fetch failed (${response.status}): ${text3}`);
+    }
+    const raw = await response.json();
+    const data = raw;
+    if (!data.sub) {
+      throw new Error("LinkedIn userinfo response missing required field: sub");
+    }
+    if (!data.email) {
+      throw new Error(
+        "LinkedIn userinfo response has no email. Ensure the `email` and `openid` scopes are granted."
+      );
+    }
+    const name = data.name ?? ([data.given_name, data.family_name].filter(Boolean).join(" ") || void 0);
+    return {
+      id: data.sub,
+      email: data.email,
+      name,
+      avatar: data.picture,
+      raw
+    };
+  }
+  return {
+    id: "linkedin",
+    name: "LinkedIn",
+    authorizationUrl: AUTHORIZATION_URL9,
+    tokenUrl: TOKEN_URL9,
+    userInfoUrl: USER_INFO_URL7,
+    scopes,
+    getAuthorizationUrl,
+    exchangeCode,
+    getUserInfo
+  };
+}
+function mergeScopes10(defaults, extras) {
+  if (!extras || extras.length === 0) return defaults;
+  const merged = /* @__PURE__ */ new Set([...defaults, ...extras]);
+  return [...merged];
+}
+
+// src/auth/oauth/providers/microsoft.ts
+var AUTHORIZATION_URL10 = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
+var TOKEN_URL10 = "https://login.microsoftonline.com/common/oauth2/v2.0/token";
+var USER_INFO_URL8 = "https://graph.microsoft.com/v1.0/me";
+var DEFAULT_SCOPES7 = ["openid", "profile", "email", "User.Read"];
+function createMicrosoftProvider(config) {
+  const scopes = mergeScopes11(DEFAULT_SCOPES7, config.scopes);
+  async function getAuthorizationUrl(state, codeVerifier, redirectUri) {
+    const codeChallenge = await deriveCodeChallenge(codeVerifier);
+    const effectiveRedirectUri = config.redirectUri ?? redirectUri;
+    const params = new URLSearchParams({
+      client_id: config.clientId,
+      redirect_uri: effectiveRedirectUri,
+      response_type: "code",
+      scope: scopes.join(" "),
+      state,
+      code_challenge: codeChallenge,
+      code_challenge_method: "S256"
+    });
+    return `${AUTHORIZATION_URL10}?${params.toString()}`;
+  }
+  async function exchangeCode(code, codeVerifier, redirectUri) {
+    const effectiveRedirectUri = config.redirectUri ?? redirectUri;
+    const body = new URLSearchParams({
+      grant_type: "authorization_code",
+      client_id: config.clientId,
+      client_secret: config.clientSecret,
+      code,
+      code_verifier: codeVerifier,
+      redirect_uri: effectiveRedirectUri
+    });
+    const response = await fetch(TOKEN_URL10, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: body.toString()
+    });
+    if (!response.ok) {
+      const text3 = await response.text();
+      throw new Error(`Microsoft token exchange failed (${response.status}): ${text3}`);
+    }
+    const raw = await response.json();
+    const data = raw;
+    return {
+      accessToken: data.access_token,
+      refreshToken: data.refresh_token,
+      expiresIn: data.expires_in,
+      tokenType: data.token_type ?? "Bearer",
+      raw
+    };
+  }
+  async function getUserInfo(accessToken) {
+    const response = await fetch(USER_INFO_URL8, {
+      headers: { Authorization: `Bearer ${accessToken}` }
+    });
+    if (!response.ok) {
+      const text3 = await response.text();
+      throw new Error(`Microsoft Graph /me fetch failed (${response.status}): ${text3}`);
+    }
+    const raw = await response.json();
+    const data = raw;
+    if (!data.id) {
+      throw new Error("Microsoft Graph /me response missing required field: id");
+    }
+    const email = data.mail ?? data.userPrincipalName;
+    if (!email) {
+      throw new Error(
+        "Microsoft Graph /me response has no email or userPrincipalName. Ensure the `email` and `User.Read` scopes are granted."
+      );
+    }
+    const name = data.displayName ?? ([data.givenName, data.surname].filter(Boolean).join(" ") || void 0);
+    return {
+      id: data.id,
+      email,
+      name,
+      avatar: void 0,
+      // Graph photo requires a separate /me/photo/$value call
+      raw
+    };
+  }
+  return {
+    id: "microsoft",
+    name: "Microsoft",
+    authorizationUrl: AUTHORIZATION_URL10,
+    tokenUrl: TOKEN_URL10,
+    userInfoUrl: USER_INFO_URL8,
+    scopes,
+    getAuthorizationUrl,
+    exchangeCode,
+    getUserInfo
+  };
+}
+function mergeScopes11(defaults, extras) {
+  if (!extras || extras.length === 0) return defaults;
+  const merged = /* @__PURE__ */ new Set([...defaults, ...extras]);
+  return [...merged];
+}
+
+// src/auth/oauth/providers/notion.ts
+var AUTHORIZATION_URL11 = "https://api.notion.com/v1/oauth/authorize";
+var TOKEN_URL11 = "https://api.notion.com/v1/oauth/token";
+var NOTION_VERSION = "2022-06-28";
+var DEFAULT_NOTION_SCOPES = [];
+function normalizeProfile5(raw) {
+  const tokenData = raw;
+  const user = tokenData?.owner?.user;
+  if (!user?.id) {
+    throw new Error(
+      "Notion token response missing owner.user.id. Ensure the integration is authorized by a person, not a workspace bot."
+    );
+  }
+  return {
+    id: user.id,
+    email: user.person?.email,
+    name: user.name,
+    avatar: user.avatar_url ?? void 0,
+    raw
+  };
+}
+function createNotionProvider(config) {
+  const scopes = [];
+  let lastTokenRaw = null;
+  async function getAuthorizationUrl(state, _codeVerifier, redirectUri) {
+    const effectiveRedirectUri = config.redirectUri ?? redirectUri;
+    const params = new URLSearchParams({
+      client_id: config.clientId,
+      redirect_uri: effectiveRedirectUri,
+      response_type: "code",
+      owner: "user",
+      state
+    });
+    return `${AUTHORIZATION_URL11}?${params.toString()}`;
+  }
+  async function exchangeCode(code, _codeVerifier, redirectUri) {
+    const effectiveRedirectUri = config.redirectUri ?? redirectUri;
+    const credentials = btoa(`${config.clientId}:${config.clientSecret}`);
+    const response = await fetch(TOKEN_URL11, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Basic ${credentials}`,
+        "Notion-Version": NOTION_VERSION
+      },
+      body: JSON.stringify({
+        grant_type: "authorization_code",
+        code,
+        redirect_uri: effectiveRedirectUri
+      })
+    });
+    if (!response.ok) {
+      const text3 = await response.text();
+      throw new Error(`Notion token exchange failed (${response.status}): ${text3}`);
+    }
+    const raw = await response.json();
+    const data = raw;
+    lastTokenRaw = raw;
+    return {
+      accessToken: data.access_token,
+      tokenType: data.token_type ?? "Bearer",
+      raw
+    };
+  }
+  async function getUserInfo(_accessToken) {
+    if (!lastTokenRaw) {
+      throw new Error(
+        "Notion getUserInfo called before exchangeCode. Call exchangeCode first to obtain the token response."
+      );
+    }
+    const tokenData = lastTokenRaw;
+    const user = tokenData?.owner?.user;
+    if (!user?.id) {
+      throw new Error(
+        "Notion token response missing owner.user.id. Ensure the integration is authorized by a person, not a workspace bot."
+      );
+    }
+    const email = user.person?.email;
+    const avatar = user.avatar_url ?? void 0;
+    return {
+      id: user.id,
+      email,
+      name: user.name,
+      avatar,
+      raw: lastTokenRaw
+    };
+  }
+  return {
+    id: "notion",
+    name: "Notion",
+    authorizationUrl: AUTHORIZATION_URL11,
+    tokenUrl: TOKEN_URL11,
+    // No separate UserInfo URL; identity comes from the token response.
+    userInfoUrl: void 0,
+    scopes,
+    getAuthorizationUrl,
+    exchangeCode,
+    getUserInfo
+  };
+}
+
+// src/auth/oauth/providers/presets.ts
+function facebookProvider(clientId, clientSecret, scopes) {
+  return genericOIDC({
+    id: "facebook",
+    name: "Facebook",
+    issuer: "https://www.facebook.com",
+    clientId,
+    clientSecret,
+    scopes: scopes ?? ["email", "public_profile"],
+    authorizationUrl: "https://www.facebook.com/v18.0/dialog/oauth",
+    tokenUrl: "https://graph.facebook.com/v18.0/oauth/access_token",
+    userinfoUrl: "https://graph.facebook.com/me?fields=id,email,name,picture"
+  });
+}
+function spotifyProvider(clientId, clientSecret, scopes) {
+  return genericOIDC({
+    id: "spotify",
+    name: "Spotify",
+    issuer: "https://accounts.spotify.com",
+    clientId,
+    clientSecret,
+    scopes: scopes ?? ["user-read-email", "user-read-private"],
+    authorizationUrl: "https://accounts.spotify.com/authorize",
+    tokenUrl: "https://accounts.spotify.com/api/token",
+    userinfoUrl: "https://api.spotify.com/v1/me"
+  });
+}
+function twitchProvider(clientId, clientSecret, scopes) {
+  return genericOIDC({
+    id: "twitch",
+    name: "Twitch",
+    issuer: "https://id.twitch.tv/oauth2",
+    clientId,
+    clientSecret,
+    scopes: scopes ?? ["openid", "user:read:email"],
+    authorizationUrl: "https://id.twitch.tv/oauth2/authorize",
+    tokenUrl: "https://id.twitch.tv/oauth2/token",
+    userinfoUrl: "https://id.twitch.tv/oauth2/userinfo"
+  });
+}
+function redditProvider(clientId, clientSecret, scopes) {
+  return genericOIDC({
+    id: "reddit",
+    name: "Reddit",
+    issuer: "https://www.reddit.com",
+    clientId,
+    clientSecret,
+    scopes: scopes ?? ["identity"],
+    authorizationUrl: "https://www.reddit.com/api/v1/authorize",
+    tokenUrl: "https://www.reddit.com/api/v1/access_token",
+    userinfoUrl: "https://oauth.reddit.com/api/v1/me"
+  });
+}
+function dropboxProvider(clientId, clientSecret, scopes) {
+  return genericOIDC({
+    id: "dropbox",
+    name: "Dropbox",
+    issuer: "https://www.dropbox.com",
+    clientId,
+    clientSecret,
+    scopes: scopes ?? ["account_info.read"],
+    authorizationUrl: "https://www.dropbox.com/oauth2/authorize",
+    tokenUrl: "https://api.dropboxapi.com/oauth2/token",
+    userinfoUrl: "https://api.dropboxapi.com/2/users/get_current_account"
+  });
+}
+function zoomProvider(clientId, clientSecret, scopes) {
+  return genericOIDC({
+    id: "zoom",
+    name: "Zoom",
+    issuer: "https://zoom.us",
+    clientId,
+    clientSecret,
+    scopes: scopes ?? ["openid", "profile", "email"],
+    authorizationUrl: "https://zoom.us/oauth/authorize",
+    tokenUrl: "https://zoom.us/oauth/token",
+    userinfoUrl: "https://api.zoom.us/v2/users/me"
+  });
+}
+function notionProvider(clientId, clientSecret, scopes) {
+  return genericOIDC({
+    id: "notion",
+    name: "Notion",
+    issuer: "https://api.notion.com",
+    clientId,
+    clientSecret,
+    scopes: scopes ?? [],
+    authorizationUrl: "https://api.notion.com/v1/oauth/authorize",
+    tokenUrl: "https://api.notion.com/v1/oauth/token",
+    userinfoUrl: "https://api.notion.com/v1/users/me"
+  });
+}
+function figmaProvider(clientId, clientSecret, scopes) {
+  return genericOIDC({
+    id: "figma",
+    name: "Figma",
+    issuer: "https://www.figma.com",
+    clientId,
+    clientSecret,
+    scopes: scopes ?? ["file_read"],
+    authorizationUrl: "https://www.figma.com/oauth",
+    tokenUrl: "https://api.figma.com/v1/oauth/token",
+    userinfoUrl: "https://api.figma.com/v1/me"
+  });
+}
+function bitbucketProvider(clientId, clientSecret, scopes) {
+  return genericOIDC({
+    id: "bitbucket",
+    name: "Bitbucket",
+    issuer: "https://bitbucket.org",
+    clientId,
+    clientSecret,
+    scopes: scopes ?? ["account", "email"],
+    authorizationUrl: "https://bitbucket.org/site/oauth2/authorize",
+    tokenUrl: "https://bitbucket.org/site/oauth2/access_token",
+    userinfoUrl: "https://api.bitbucket.org/2.0/user"
+  });
+}
+function atlassianProvider(clientId, clientSecret, scopes) {
+  return genericOIDC({
+    id: "atlassian",
+    name: "Atlassian",
+    issuer: "https://auth.atlassian.com",
+    clientId,
+    clientSecret,
+    scopes: scopes ?? ["read:me", "offline_access"],
+    authorizationUrl: "https://auth.atlassian.com/authorize",
+    tokenUrl: "https://auth.atlassian.com/oauth/token",
+    userinfoUrl: "https://api.atlassian.com/me"
+  });
+}
+function yahooProvider(clientId, clientSecret, scopes) {
+  return genericOIDC({
+    id: "yahoo",
+    name: "Yahoo",
+    issuer: "https://api.login.yahoo.com",
+    clientId,
+    clientSecret,
+    scopes: scopes ?? ["openid", "profile", "email"],
+    authorizationUrl: "https://api.login.yahoo.com/oauth2/request_auth",
+    tokenUrl: "https://api.login.yahoo.com/oauth2/get_token",
+    userinfoUrl: "https://api.login.yahoo.com/openid/v1/userinfo"
+  });
+}
+function lineProvider(clientId, clientSecret, scopes) {
+  return genericOIDC({
+    id: "line",
+    name: "LINE",
+    issuer: "https://access.line.me",
+    clientId,
+    clientSecret,
+    scopes: scopes ?? ["openid", "profile", "email"],
+    authorizationUrl: "https://access.line.me/oauth2/v2.1/authorize",
+    tokenUrl: "https://api.line.me/oauth2/v2.1/token",
+    userinfoUrl: "https://api.line.me/v2/profile"
+  });
+}
+function coinbaseProvider(clientId, clientSecret, scopes) {
+  return genericOIDC({
+    id: "coinbase",
+    name: "Coinbase",
+    issuer: "https://login.coinbase.com",
+    clientId,
+    clientSecret,
+    scopes: scopes ?? ["wallet:user:read", "wallet:user:email"],
+    authorizationUrl: "https://login.coinbase.com/oauth2/auth",
+    tokenUrl: "https://login.coinbase.com/oauth2/token",
+    userinfoUrl: "https://api.coinbase.com/v2/user"
+  });
+}
+function tiktokProvider(clientId, clientSecret, scopes) {
+  return genericOIDC({
+    id: "tiktok",
+    name: "TikTok",
+    issuer: "https://www.tiktok.com",
+    clientId,
+    clientSecret,
+    scopes: scopes ?? ["user.info.basic"],
+    authorizationUrl: "https://www.tiktok.com/v2/auth/authorize/",
+    tokenUrl: "https://open.tiktokapis.com/v2/oauth/token/",
+    userinfoUrl: "https://open.tiktokapis.com/v2/user/info/"
+  });
+}
+function paypalProvider(clientId, clientSecret, scopes) {
+  return genericOIDC({
+    id: "paypal",
+    name: "PayPal",
+    issuer: "https://www.paypal.com",
+    clientId,
+    clientSecret,
+    scopes: scopes ?? ["openid", "email"],
+    authorizationUrl: "https://www.paypal.com/signin/authorize",
+    tokenUrl: "https://api-m.paypal.com/v1/oauth2/token",
+    userinfoUrl: "https://api-m.paypal.com/v1/identity/openidconnect/userinfo?schema=openid"
+  });
+}
+function salesforceProvider(clientId, clientSecret, scopes) {
+  return genericOIDC({
+    id: "salesforce",
+    name: "Salesforce",
+    issuer: "https://login.salesforce.com",
+    clientId,
+    clientSecret,
+    scopes: scopes ?? ["openid", "email", "profile"],
+    authorizationUrl: "https://login.salesforce.com/services/oauth2/authorize",
+    tokenUrl: "https://login.salesforce.com/services/oauth2/token",
+    userinfoUrl: "https://login.salesforce.com/services/oauth2/userinfo"
+  });
+}
+function vkProvider(clientId, clientSecret, scopes) {
+  return genericOIDC({
+    id: "vk",
+    name: "VK",
+    issuer: "https://id.vk.com",
+    clientId,
+    clientSecret,
+    scopes: scopes ?? ["email"],
+    authorizationUrl: "https://id.vk.com/authorize",
+    tokenUrl: "https://id.vk.com/oauth2/auth",
+    userinfoUrl: "https://id.vk.com/oauth2/user_info"
+  });
+}
+function kakaoProvider(clientId, clientSecret, scopes) {
+  return genericOIDC({
+    id: "kakao",
+    name: "Kakao",
+    issuer: "https://kauth.kakao.com",
+    clientId,
+    clientSecret,
+    scopes: scopes ?? ["account_email", "profile_nickname"],
+    authorizationUrl: "https://kauth.kakao.com/oauth/authorize",
+    tokenUrl: "https://kauth.kakao.com/oauth/token",
+    userinfoUrl: "https://kapi.kakao.com/v2/user/me"
+  });
+}
+function naverProvider(clientId, clientSecret, scopes) {
+  return genericOIDC({
+    id: "naver",
+    name: "Naver",
+    issuer: "https://nid.naver.com",
+    clientId,
+    clientSecret,
+    scopes: scopes ?? ["email", "profile"],
+    authorizationUrl: "https://nid.naver.com/oauth2.0/authorize",
+    tokenUrl: "https://nid.naver.com/oauth2.0/token",
+    userinfoUrl: "https://openapi.naver.com/v1/nid/me"
+  });
+}
+function huggingfaceProvider(clientId, clientSecret, scopes) {
+  return genericOIDC({
+    id: "huggingface",
+    name: "Hugging Face",
+    issuer: "https://huggingface.co",
+    clientId,
+    clientSecret,
+    scopes: scopes ?? ["openid", "profile", "email"],
+    authorizationUrl: "https://huggingface.co/oauth/authorize",
+    tokenUrl: "https://huggingface.co/oauth/token",
+    userinfoUrl: "https://huggingface.co/oauth/userinfo"
+  });
+}
+function robloxProvider(clientId, clientSecret, scopes) {
+  return genericOIDC({
+    id: "roblox",
+    name: "Roblox",
+    issuer: "https://apis.roblox.com/oauth",
+    clientId,
+    clientSecret,
+    scopes: scopes ?? ["openid", "profile"],
+    authorizationUrl: "https://apis.roblox.com/oauth/v1/authorize",
+    tokenUrl: "https://apis.roblox.com/oauth/v1/token",
+    userinfoUrl: "https://apis.roblox.com/oauth/v1/userinfo"
+  });
+}
+function vercelProvider(clientId, clientSecret, scopes) {
+  return genericOIDC({
+    id: "vercel",
+    name: "Vercel",
+    issuer: "https://vercel.com",
+    clientId,
+    clientSecret,
+    scopes: scopes ?? ["openid", "email", "profile"],
+    authorizationUrl: "https://vercel.com/integrations/oauth/authorize",
+    tokenUrl: "https://api.vercel.com/v2/oauth/access_token",
+    userinfoUrl: "https://api.vercel.com/v2/user"
+  });
+}
+function linearProvider(clientId, clientSecret, scopes) {
+  return genericOIDC({
+    id: "linear",
+    name: "Linear",
+    issuer: "https://linear.app",
+    clientId,
+    clientSecret,
+    scopes: scopes ?? ["read"],
+    authorizationUrl: "https://linear.app/oauth/authorize",
+    tokenUrl: "https://api.linear.app/oauth/token",
+    userinfoUrl: "https://api.linear.app/graphql"
+  });
+}
+function railwayProvider(clientId, clientSecret, scopes) {
+  return genericOIDC({
+    id: "railway",
+    name: "Railway",
+    issuer: "https://railway.com",
+    clientId,
+    clientSecret,
+    scopes: scopes ?? ["read:user", "read:project"],
+    authorizationUrl: "https://railway.com/oauth/authorize",
+    tokenUrl: "https://railway.com/oauth/token",
+    userinfoUrl: "https://backboard.railway.com/graphql/v2"
+  });
+}
+function kickProvider(clientId, clientSecret, scopes) {
+  return genericOIDC({
+    id: "kick",
+    name: "Kick",
+    issuer: "https://id.kick.com",
+    clientId,
+    clientSecret,
+    scopes: scopes ?? ["user:read"],
+    authorizationUrl: "https://id.kick.com/oauth/authorize",
+    tokenUrl: "https://id.kick.com/oauth/token",
+    userinfoUrl: "https://id.kick.com/oauth/userinfo"
+  });
+}
+function wechatProvider(clientId, clientSecret, scopes) {
+  return genericOIDC({
+    id: "wechat",
+    name: "WeChat",
+    issuer: "https://open.weixin.qq.com",
+    clientId,
+    clientSecret,
+    scopes: scopes ?? ["snsapi_login"],
+    authorizationUrl: "https://open.weixin.qq.com/connect/qrconnect",
+    tokenUrl: "https://api.weixin.qq.com/sns/oauth2/access_token",
+    userinfoUrl: "https://api.weixin.qq.com/sns/userinfo"
+  });
+}
+function polarProvider(clientId, clientSecret, scopes) {
+  return genericOIDC({
+    id: "polar",
+    name: "Polar",
+    issuer: "https://polar.sh",
+    clientId,
+    clientSecret,
+    scopes: scopes ?? ["openid", "email", "profile"],
+    authorizationUrl: "https://polar.sh/oauth2/authorize",
+    tokenUrl: "https://api.polar.sh/v1/oauth2/token",
+    userinfoUrl: "https://api.polar.sh/v1/oauth2/userinfo"
+  });
+}
+function auth0Provider(domain, clientId, clientSecret, scopes) {
+  const issuer = `https://${domain.replace(/^https?:\/\//, "")}`;
+  return genericOIDC({
+    id: "auth0",
+    name: "Auth0",
+    issuer,
+    clientId,
+    clientSecret,
+    scopes
+  });
+}
+function oktaProvider(domain, clientId, clientSecret, scopes) {
+  const issuer = `https://${domain.replace(/^https?:\/\//, "")}/oauth2/default`;
+  return genericOIDC({
+    id: "okta",
+    name: "Okta",
+    issuer,
+    clientId,
+    clientSecret,
+    scopes
+  });
+}
+function cognitoProvider(domain, clientId, clientSecret, scopes) {
+  const host = domain.replace(/^https?:\/\//, "").replace(/\/$/, "");
+  const issuer = `https://${host}`;
+  return genericOIDC({
+    id: "cognito",
+    name: "AWS Cognito",
+    issuer,
+    clientId,
+    clientSecret,
+    scopes: scopes ?? ["openid", "email", "profile"],
+    authorizationUrl: `${issuer}/oauth2/authorize`,
+    tokenUrl: `${issuer}/oauth2/token`,
+    userinfoUrl: `${issuer}/oauth2/userInfo`
+  });
+}
+
+// src/auth/oauth/providers/reddit.ts
+var AUTHORIZATION_URL12 = "https://www.reddit.com/api/v1/authorize";
+var TOKEN_URL12 = "https://www.reddit.com/api/v1/access_token";
+var USER_INFO_URL9 = "https://oauth.reddit.com/api/v1/me";
+var DEFAULT_USER_AGENT = "web:kavachos-oauth:v1 (by /u/kavachos)";
+var DEFAULT_REDDIT_SCOPES = ["identity"];
+var DEFAULT_SCOPES8 = DEFAULT_REDDIT_SCOPES;
+function createRedditProvider(config) {
+  const scopes = mergeScopes12(DEFAULT_SCOPES8, config.scopes);
+  async function getAuthorizationUrl(state, codeVerifier, redirectUri) {
+    const codeChallenge = await deriveCodeChallenge(codeVerifier);
+    const effectiveRedirectUri = config.redirectUri ?? redirectUri;
+    const params = new URLSearchParams({
+      client_id: config.clientId,
+      redirect_uri: effectiveRedirectUri,
+      response_type: "code",
+      scope: scopes.join(" "),
+      state,
+      code_challenge: codeChallenge,
+      code_challenge_method: "S256",
+      // Reddit requires duration=permanent to receive a refresh token.
+      duration: "permanent"
+    });
+    return `${AUTHORIZATION_URL12}?${params.toString()}`;
+  }
+  async function exchangeCode(code, codeVerifier, redirectUri) {
+    const effectiveRedirectUri = config.redirectUri ?? redirectUri;
+    const credentials = btoa(`${config.clientId}:${config.clientSecret}`);
+    const body = new URLSearchParams({
+      grant_type: "authorization_code",
+      code,
+      redirect_uri: effectiveRedirectUri,
+      code_verifier: codeVerifier
+    });
+    const response = await fetch(TOKEN_URL12, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        Authorization: `Basic ${credentials}`,
+        "User-Agent": DEFAULT_USER_AGENT
+      },
+      body: body.toString()
+    });
+    if (!response.ok) {
+      const text3 = await response.text();
+      throw new Error(`Reddit token exchange failed (${response.status}): ${text3}`);
     }
     const raw = await response.json();
     const data = raw;
@@ -5729,64 +6958,100 @@ function createGoogleProvider(config) {
     };
   }
   async function getUserInfo(accessToken) {
-    const response = await fetch(USER_INFO_URL3, {
-      headers: { Authorization: `Bearer ${accessToken}` }
+    const response = await fetch(USER_INFO_URL9, {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        "User-Agent": DEFAULT_USER_AGENT
+      }
     });
     if (!response.ok) {
       const text3 = await response.text();
-      throw new Error(`Google userinfo fetch failed (${response.status}): ${text3}`);
+      throw new Error(`Reddit /api/v1/me fetch failed (${response.status}): ${text3}`);
     }
     const raw = await response.json();
     const data = raw;
-    if (!data.sub || !data.email) {
-      throw new Error("Google userinfo response missing required fields: sub, email");
+    if (!data.id) {
+      throw new Error("Reddit user response missing required field: id");
     }
+    if (!data.name) {
+      throw new Error("Reddit user response missing required field: name");
+    }
+    const avatar = data.icon_img ? stripQueryParams(data.icon_img) : void 0;
     return {
-      id: data.sub,
-      email: data.email,
+      id: data.id,
+      // No email — caller must handle the undefined case.
+      email: void 0,
       name: data.name,
-      avatar: data.picture,
+      avatar,
       raw
     };
   }
   return {
-    id: "google",
-    name: "Google",
-    authorizationUrl: AUTHORIZATION_URL5,
-    tokenUrl: TOKEN_URL5,
-    userInfoUrl: USER_INFO_URL3,
+    id: "reddit",
+    name: "Reddit",
+    authorizationUrl: AUTHORIZATION_URL12,
+    tokenUrl: TOKEN_URL12,
+    userInfoUrl: USER_INFO_URL9,
     scopes,
     getAuthorizationUrl,
     exchangeCode,
     getUserInfo
   };
 }
-function mergeScopes5(defaults, extras) {
+function normalizeProfile6(raw) {
+  const data = raw;
+  if (!data.id) {
+    throw new Error("Reddit user response missing required field: id");
+  }
+  if (!data.name) {
+    throw new Error("Reddit user response missing required field: name");
+  }
+  const avatar = data.icon_img ? stripQueryParams(data.icon_img) : void 0;
+  return {
+    id: data.id,
+    // Reddit does not return email through OAuth; callers must handle this.
+    email: void 0,
+    name: data.name,
+    avatar,
+    raw
+  };
+}
+function stripQueryParams(url) {
+  try {
+    const parsed = new URL(url);
+    parsed.search = "";
+    return parsed.toString();
+  } catch {
+    return url;
+  }
+}
+function mergeScopes12(defaults, extras) {
   if (!extras || extras.length === 0) return defaults;
   const merged = /* @__PURE__ */ new Set([...defaults, ...extras]);
   return [...merged];
 }
 
-// src/auth/oauth/providers/linkedin.ts
-var AUTHORIZATION_URL6 = "https://www.linkedin.com/oauth/v2/authorization";
-var TOKEN_URL6 = "https://www.linkedin.com/oauth/v2/accessToken";
-var USER_INFO_URL4 = "https://api.linkedin.com/v2/userinfo";
-var DEFAULT_SCOPES6 = ["openid", "profile", "email"];
-function createLinkedInProvider(config) {
-  const scopes = mergeScopes6(DEFAULT_SCOPES6, config.scopes);
+// src/auth/oauth/providers/slack.ts
+var AUTHORIZATION_URL13 = "https://slack.com/oauth/v2/authorize";
+var TOKEN_URL13 = "https://slack.com/api/oauth.v2.access";
+var USER_INFO_URL10 = "https://slack.com/api/openid.connect.userInfo";
+var DEFAULT_SLACK_SCOPES = ["openid", "profile", "email"];
+var DEFAULT_SCOPES9 = DEFAULT_SLACK_SCOPES;
+function createSlackProvider(config) {
+  const scopes = mergeScopes13(DEFAULT_SCOPES9, config.scopes);
   async function getAuthorizationUrl(state, codeVerifier, redirectUri) {
     const codeChallenge = await deriveCodeChallenge(codeVerifier);
     const effectiveRedirectUri = config.redirectUri ?? redirectUri;
     const params = new URLSearchParams({
-      response_type: "code",
       client_id: config.clientId,
       redirect_uri: effectiveRedirectUri,
+      response_type: "code",
       scope: scopes.join(" "),
       state,
       code_challenge: codeChallenge,
       code_challenge_method: "S256"
     });
-    return `${AUTHORIZATION_URL6}?${params.toString()}`;
+    return `${AUTHORIZATION_URL13}?${params.toString()}`;
   }
   async function exchangeCode(code, codeVerifier, redirectUri) {
     const effectiveRedirectUri = config.redirectUri ?? redirectUri;
@@ -5798,77 +7063,120 @@ function createLinkedInProvider(config) {
       redirect_uri: effectiveRedirectUri,
       code_verifier: codeVerifier
     });
-    const response = await fetch(TOKEN_URL6, {
+    const response = await fetch(TOKEN_URL13, {
       method: "POST",
       headers: { "Content-Type": "application/x-www-form-urlencoded" },
       body: body.toString()
     });
     if (!response.ok) {
       const text3 = await response.text();
-      throw new Error(`LinkedIn token exchange failed (${response.status}): ${text3}`);
+      throw new Error(`Slack token exchange failed (${response.status}): ${text3}`);
     }
     const raw = await response.json();
     const data = raw;
+    if (!data.ok) {
+      throw new Error(`Slack token exchange error: ${data.error ?? "unknown"}`);
+    }
+    const accessToken = data.authed_user?.access_token ?? data.access_token;
+    if (!accessToken) {
+      throw new Error("Slack token exchange returned no access_token");
+    }
     return {
-      accessToken: data.access_token,
-      refreshToken: data.refresh_token,
-      expiresIn: data.expires_in,
-      tokenType: data.token_type ?? "Bearer",
+      accessToken,
+      refreshToken: void 0,
+      expiresIn: void 0,
+      tokenType: data.authed_user?.token_type ?? data.token_type ?? "Bearer",
       raw
     };
   }
   async function getUserInfo(accessToken) {
-    const response = await fetch(USER_INFO_URL4, {
+    const response = await fetch(USER_INFO_URL10, {
       headers: { Authorization: `Bearer ${accessToken}` }
     });
     if (!response.ok) {
       const text3 = await response.text();
-      throw new Error(`LinkedIn /v2/userinfo fetch failed (${response.status}): ${text3}`);
+      throw new Error(`Slack openid.connect.userInfo fetch failed (${response.status}): ${text3}`);
     }
     const raw = await response.json();
     const data = raw;
-    if (!data.sub) {
-      throw new Error("LinkedIn userinfo response missing required field: sub");
+    if (!data.ok) {
+      throw new Error(`Slack userInfo error: ${data.error ?? "unknown"}`);
+    }
+    const id = data.sub ?? data["https://slack.com/user_id"];
+    if (!id) {
+      throw new Error("Slack userInfo response missing required field: sub");
     }
     if (!data.email) {
-      throw new Error(
-        "LinkedIn userinfo response has no email. Ensure the `email` and `openid` scopes are granted."
-      );
+      throw new Error("Slack userInfo response has no email. Ensure the `email` scope is granted.");
     }
-    const name = data.name ?? ([data.given_name, data.family_name].filter(Boolean).join(" ") || void 0);
     return {
-      id: data.sub,
+      id,
       email: data.email,
-      name,
+      name: data.name,
       avatar: data.picture,
       raw
     };
   }
   return {
-    id: "linkedin",
-    name: "LinkedIn",
-    authorizationUrl: AUTHORIZATION_URL6,
-    tokenUrl: TOKEN_URL6,
-    userInfoUrl: USER_INFO_URL4,
+    id: "slack",
+    name: "Slack",
+    authorizationUrl: AUTHORIZATION_URL13,
+    tokenUrl: TOKEN_URL13,
+    userInfoUrl: USER_INFO_URL10,
     scopes,
     getAuthorizationUrl,
     exchangeCode,
     getUserInfo
   };
 }
-function mergeScopes6(defaults, extras) {
+function normalizeProfile7(raw) {
+  const data = raw;
+  if (!data.ok) {
+    throw new Error(`Slack userInfo error: ${data.error ?? "unknown"}`);
+  }
+  const id = data.sub ?? data["https://slack.com/user_id"];
+  if (!id) {
+    throw new Error("Slack userInfo response missing required field: sub");
+  }
+  if (!data.email) {
+    throw new Error("Slack userInfo response has no email. Ensure the `email` scope is granted.");
+  }
+  return {
+    id,
+    email: data.email,
+    name: data.name,
+    avatar: data.picture,
+    raw
+  };
+}
+function mergeScopes13(defaults, extras) {
   if (!extras || extras.length === 0) return defaults;
   const merged = /* @__PURE__ */ new Set([...defaults, ...extras]);
   return [...merged];
 }
 
-// src/auth/oauth/providers/microsoft.ts
-var AUTHORIZATION_URL7 = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
-var TOKEN_URL7 = "https://login.microsoftonline.com/common/oauth2/v2.0/token";
-var USER_INFO_URL5 = "https://graph.microsoft.com/v1.0/me";
-var DEFAULT_SCOPES7 = ["openid", "profile", "email", "User.Read"];
-function createMicrosoftProvider(config) {
-  const scopes = mergeScopes7(DEFAULT_SCOPES7, config.scopes);
+// src/auth/oauth/providers/spotify.ts
+var AUTHORIZATION_URL14 = "https://accounts.spotify.com/authorize";
+var TOKEN_URL14 = "https://accounts.spotify.com/api/token";
+var USER_INFO_URL11 = "https://api.spotify.com/v1/me";
+var DEFAULT_SPOTIFY_SCOPES = ["user-read-email", "user-read-private"];
+function normalizeProfile8(raw) {
+  const data = raw;
+  if (!data.id) {
+    throw new Error("Spotify user response missing required field: id");
+  }
+  const avatar = Array.isArray(data.images) && data.images.length > 0 ? data.images[0]?.url : void 0;
+  return {
+    id: data.id,
+    email: data.email,
+    // emailVerified is not provided by Spotify
+    name: data.display_name ?? void 0,
+    avatar,
+    raw
+  };
+}
+function createSpotifyProvider(config) {
+  const scopes = mergeScopes14(DEFAULT_SPOTIFY_SCOPES, config.scopes);
   async function getAuthorizationUrl(state, codeVerifier, redirectUri) {
     const codeChallenge = await deriveCodeChallenge(codeVerifier);
     const effectiveRedirectUri = config.redirectUri ?? redirectUri;
@@ -5881,7 +7189,7 @@ function createMicrosoftProvider(config) {
       code_challenge: codeChallenge,
       code_challenge_method: "S256"
     });
-    return `${AUTHORIZATION_URL7}?${params.toString()}`;
+    return `${AUTHORIZATION_URL14}?${params.toString()}`;
   }
   async function exchangeCode(code, codeVerifier, redirectUri) {
     const effectiveRedirectUri = config.redirectUri ?? redirectUri;
@@ -5893,14 +7201,14 @@ function createMicrosoftProvider(config) {
       code_verifier: codeVerifier,
       redirect_uri: effectiveRedirectUri
     });
-    const response = await fetch(TOKEN_URL7, {
+    const response = await fetch(TOKEN_URL14, {
       method: "POST",
       headers: { "Content-Type": "application/x-www-form-urlencoded" },
       body: body.toString()
     });
     if (!response.ok) {
       const text3 = await response.text();
-      throw new Error(`Microsoft token exchange failed (${response.status}): ${text3}`);
+      throw new Error(`Spotify token exchange failed (${response.status}): ${text3}`);
     }
     const raw = await response.json();
     const data = raw;
@@ -5913,60 +7221,42 @@ function createMicrosoftProvider(config) {
     };
   }
   async function getUserInfo(accessToken) {
-    const response = await fetch(USER_INFO_URL5, {
+    const response = await fetch(USER_INFO_URL11, {
       headers: { Authorization: `Bearer ${accessToken}` }
     });
     if (!response.ok) {
       const text3 = await response.text();
-      throw new Error(`Microsoft Graph /me fetch failed (${response.status}): ${text3}`);
+      throw new Error(`Spotify /v1/me fetch failed (${response.status}): ${text3}`);
     }
     const raw = await response.json();
-    const data = raw;
-    if (!data.id) {
-      throw new Error("Microsoft Graph /me response missing required field: id");
-    }
-    const email = data.mail ?? data.userPrincipalName;
-    if (!email) {
-      throw new Error(
-        "Microsoft Graph /me response has no email or userPrincipalName. Ensure the `email` and `User.Read` scopes are granted."
-      );
-    }
-    const name = data.displayName ?? ([data.givenName, data.surname].filter(Boolean).join(" ") || void 0);
-    return {
-      id: data.id,
-      email,
-      name,
-      avatar: void 0,
-      // Graph photo requires a separate /me/photo/$value call
-      raw
-    };
+    return normalizeProfile8(raw);
   }
   return {
-    id: "microsoft",
-    name: "Microsoft",
-    authorizationUrl: AUTHORIZATION_URL7,
-    tokenUrl: TOKEN_URL7,
-    userInfoUrl: USER_INFO_URL5,
+    id: "spotify",
+    name: "Spotify",
+    authorizationUrl: AUTHORIZATION_URL14,
+    tokenUrl: TOKEN_URL14,
+    userInfoUrl: USER_INFO_URL11,
     scopes,
     getAuthorizationUrl,
     exchangeCode,
     getUserInfo
   };
 }
-function mergeScopes7(defaults, extras) {
+function mergeScopes14(defaults, extras) {
   if (!extras || extras.length === 0) return defaults;
   const merged = /* @__PURE__ */ new Set([...defaults, ...extras]);
   return [...merged];
 }
 
-// src/auth/oauth/providers/slack.ts
-var AUTHORIZATION_URL8 = "https://slack.com/oauth/v2/authorize";
-var TOKEN_URL8 = "https://slack.com/api/oauth.v2.access";
-var USER_INFO_URL6 = "https://slack.com/api/openid.connect.userInfo";
-var DEFAULT_SLACK_SCOPES = ["openid", "profile", "email"];
-var DEFAULT_SCOPES8 = DEFAULT_SLACK_SCOPES;
-function createSlackProvider(config) {
-  const scopes = mergeScopes8(DEFAULT_SCOPES8, config.scopes);
+// src/auth/oauth/providers/twitch.ts
+var AUTHORIZATION_URL15 = "https://id.twitch.tv/oauth2/authorize";
+var TOKEN_URL15 = "https://id.twitch.tv/oauth2/token";
+var USER_INFO_URL12 = "https://api.twitch.tv/helix/users";
+var DEFAULT_TWITCH_SCOPES = ["user:read:email"];
+var DEFAULT_SCOPES10 = DEFAULT_TWITCH_SCOPES;
+function createTwitchProvider(config) {
+  const scopes = mergeScopes15(DEFAULT_SCOPES10, config.scopes);
   async function getAuthorizationUrl(state, codeVerifier, redirectUri) {
     const codeChallenge = await deriveCodeChallenge(codeVerifier);
     const effectiveRedirectUri = config.redirectUri ?? redirectUri;
@@ -5979,7 +7269,7 @@ function createSlackProvider(config) {
       code_challenge: codeChallenge,
       code_challenge_method: "S256"
     });
-    return `${AUTHORIZATION_URL8}?${params.toString()}`;
+    return `${AUTHORIZATION_URL15}?${params.toString()}`;
   }
   async function exchangeCode(code, codeVerifier, redirectUri) {
     const effectiveRedirectUri = config.redirectUri ?? redirectUri;
@@ -5988,89 +7278,103 @@ function createSlackProvider(config) {
       client_id: config.clientId,
       client_secret: config.clientSecret,
       code,
-      redirect_uri: effectiveRedirectUri,
-      code_verifier: codeVerifier
+      code_verifier: codeVerifier,
+      redirect_uri: effectiveRedirectUri
     });
-    const response = await fetch(TOKEN_URL8, {
+    const response = await fetch(TOKEN_URL15, {
       method: "POST",
       headers: { "Content-Type": "application/x-www-form-urlencoded" },
       body: body.toString()
     });
     if (!response.ok) {
       const text3 = await response.text();
-      throw new Error(`Slack token exchange failed (${response.status}): ${text3}`);
+      throw new Error(`Twitch token exchange failed (${response.status}): ${text3}`);
     }
     const raw = await response.json();
     const data = raw;
-    if (!data.ok) {
-      throw new Error(`Slack token exchange error: ${data.error ?? "unknown"}`);
-    }
-    const accessToken = data.authed_user?.access_token ?? data.access_token;
-    if (!accessToken) {
-      throw new Error("Slack token exchange returned no access_token");
-    }
     return {
-      accessToken,
-      refreshToken: void 0,
-      expiresIn: void 0,
-      tokenType: data.authed_user?.token_type ?? data.token_type ?? "Bearer",
+      accessToken: data.access_token,
+      refreshToken: data.refresh_token,
+      expiresIn: data.expires_in,
+      tokenType: data.token_type ?? "Bearer",
       raw
     };
   }
   async function getUserInfo(accessToken) {
-    const response = await fetch(USER_INFO_URL6, {
-      headers: { Authorization: `Bearer ${accessToken}` }
+    const response = await fetch(USER_INFO_URL12, {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        "Client-ID": config.clientId
+      }
     });
     if (!response.ok) {
       const text3 = await response.text();
-      throw new Error(`Slack openid.connect.userInfo fetch failed (${response.status}): ${text3}`);
+      throw new Error(`Twitch /helix/users fetch failed (${response.status}): ${text3}`);
     }
     const raw = await response.json();
-    const data = raw;
-    if (!data.ok) {
-      throw new Error(`Slack userInfo error: ${data.error ?? "unknown"}`);
-    }
-    const id = data.sub ?? data["https://slack.com/user_id"];
-    if (!id) {
-      throw new Error("Slack userInfo response missing required field: sub");
+    const body = raw;
+    const user = body.data?.[0];
+    if (!user?.id) {
+      throw new Error("Twitch user response missing required field: id");
     }
-    if (!data.email) {
-      throw new Error("Slack userInfo response has no email. Ensure the `email` scope is granted.");
+    if (!user.email) {
+      throw new Error(
+        "Twitch user response has no email. Ensure the `user:read:email` scope is granted."
+      );
     }
     return {
-      id,
-      email: data.email,
-      name: data.name,
-      avatar: data.picture,
+      id: user.id,
+      email: user.email,
+      name: user.display_name,
+      avatar: user.profile_image_url,
       raw
     };
   }
   return {
-    id: "slack",
-    name: "Slack",
-    authorizationUrl: AUTHORIZATION_URL8,
-    tokenUrl: TOKEN_URL8,
-    userInfoUrl: USER_INFO_URL6,
+    id: "twitch",
+    name: "Twitch",
+    authorizationUrl: AUTHORIZATION_URL15,
+    tokenUrl: TOKEN_URL15,
+    userInfoUrl: USER_INFO_URL12,
     scopes,
     getAuthorizationUrl,
     exchangeCode,
     getUserInfo
   };
 }
-function mergeScopes8(defaults, extras) {
+function normalizeProfile9(raw) {
+  const body = raw;
+  const user = body.data?.[0];
+  if (!user?.id) {
+    throw new Error("Twitch user response missing required field: id");
+  }
+  if (!user.email) {
+    throw new Error(
+      "Twitch user response has no email. Ensure the `user:read:email` scope is granted."
+    );
+  }
+  return {
+    id: user.id,
+    email: user.email,
+    name: user.display_name,
+    avatar: user.profile_image_url,
+    raw
+  };
+}
+function mergeScopes15(defaults, extras) {
   if (!extras || extras.length === 0) return defaults;
   const merged = /* @__PURE__ */ new Set([...defaults, ...extras]);
   return [...merged];
 }
 
 // src/auth/oauth/providers/twitter.ts
-var AUTHORIZATION_URL9 = "https://twitter.com/i/oauth2/authorize";
-var TOKEN_URL9 = "https://api.twitter.com/2/oauth2/token";
-var USER_INFO_URL7 = "https://api.twitter.com/2/users/me";
+var AUTHORIZATION_URL16 = "https://twitter.com/i/oauth2/authorize";
+var TOKEN_URL16 = "https://api.twitter.com/2/oauth2/token";
+var USER_INFO_URL13 = "https://api.twitter.com/2/users/me";
 var USER_FIELDS = "id,name,username,profile_image_url";
-var DEFAULT_SCOPES9 = ["users.read", "tweet.read"];
+var DEFAULT_SCOPES11 = ["users.read", "tweet.read"];
 function createTwitterProvider(config) {
-  const scopes = mergeScopes9(DEFAULT_SCOPES9, config.scopes);
+  const scopes = mergeScopes16(DEFAULT_SCOPES11, config.scopes);
   async function getAuthorizationUrl(state, codeVerifier, redirectUri) {
     const codeChallenge = await deriveCodeChallenge(codeVerifier);
     const effectiveRedirectUri = config.redirectUri ?? redirectUri;
@@ -6083,7 +7387,7 @@ function createTwitterProvider(config) {
       code_challenge: codeChallenge,
       code_challenge_method: "S256"
     });
-    return `${AUTHORIZATION_URL9}?${params.toString()}`;
+    return `${AUTHORIZATION_URL16}?${params.toString()}`;
   }
   async function exchangeCode(code, codeVerifier, redirectUri) {
     const effectiveRedirectUri = config.redirectUri ?? redirectUri;
@@ -6094,7 +7398,7 @@ function createTwitterProvider(config) {
       redirect_uri: effectiveRedirectUri
     });
     const credentials = btoa(`${config.clientId}:${config.clientSecret}`);
-    const response = await fetch(TOKEN_URL9, {
+    const response = await fetch(TOKEN_URL16, {
       method: "POST",
       headers: {
         "Content-Type": "application/x-www-form-urlencoded",
@@ -6117,7 +7421,7 @@ function createTwitterProvider(config) {
     };
   }
   async function getUserInfo(accessToken) {
-    const url = `${USER_INFO_URL7}?user.fields=${USER_FIELDS}`;
+    const url = `${USER_INFO_URL13}?user.fields=${USER_FIELDS}`;
     const response = await fetch(url, {
       headers: { Authorization: `Bearer ${accessToken}` }
     });
@@ -6149,16 +7453,113 @@ function createTwitterProvider(config) {
   return {
     id: "twitter",
     name: "Twitter",
-    authorizationUrl: AUTHORIZATION_URL9,
-    tokenUrl: TOKEN_URL9,
-    userInfoUrl: USER_INFO_URL7,
+    authorizationUrl: AUTHORIZATION_URL16,
+    tokenUrl: TOKEN_URL16,
+    userInfoUrl: USER_INFO_URL13,
     scopes,
     getAuthorizationUrl,
     exchangeCode,
     getUserInfo
   };
 }
-function mergeScopes9(defaults, extras) {
+function mergeScopes16(defaults, extras) {
+  if (!extras || extras.length === 0) return defaults;
+  const merged = /* @__PURE__ */ new Set([...defaults, ...extras]);
+  return [...merged];
+}
+
+// src/auth/oauth/providers/zoom.ts
+var AUTHORIZATION_URL17 = "https://zoom.us/oauth/authorize";
+var TOKEN_URL17 = "https://zoom.us/oauth/token";
+var USER_INFO_URL14 = "https://api.zoom.us/v2/users/me";
+var DEFAULT_ZOOM_SCOPES = ["user:read"];
+function normalizeProfile10(raw) {
+  const data = raw;
+  if (!data.id) {
+    throw new Error("Zoom user response missing required field: id");
+  }
+  if (!data.email) {
+    throw new Error("Zoom user response missing required field: email");
+  }
+  const joinedName = [data.first_name, data.last_name].filter(Boolean).join(" ");
+  const name = data.display_name ?? (joinedName.length > 0 ? joinedName : void 0);
+  return {
+    id: data.id,
+    email: data.email,
+    name,
+    avatar: data.pic_url,
+    raw
+  };
+}
+function createZoomProvider(config) {
+  const scopes = mergeScopes17(DEFAULT_ZOOM_SCOPES, config.scopes);
+  async function getAuthorizationUrl(state, codeVerifier, redirectUri) {
+    const codeChallenge = await deriveCodeChallenge(codeVerifier);
+    const effectiveRedirectUri = config.redirectUri ?? redirectUri;
+    const params = new URLSearchParams({
+      client_id: config.clientId,
+      redirect_uri: effectiveRedirectUri,
+      response_type: "code",
+      scope: scopes.join(" "),
+      state,
+      code_challenge: codeChallenge,
+      code_challenge_method: "S256"
+    });
+    return `${AUTHORIZATION_URL17}?${params.toString()}`;
+  }
+  async function exchangeCode(code, codeVerifier, redirectUri) {
+    const effectiveRedirectUri = config.redirectUri ?? redirectUri;
+    const body = new URLSearchParams({
+      grant_type: "authorization_code",
+      client_id: config.clientId,
+      client_secret: config.clientSecret,
+      code,
+      code_verifier: codeVerifier,
+      redirect_uri: effectiveRedirectUri
+    });
+    const response = await fetch(TOKEN_URL17, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: body.toString()
+    });
+    if (!response.ok) {
+      const text3 = await response.text();
+      throw new Error(`Zoom token exchange failed (${response.status}): ${text3}`);
+    }
+    const raw = await response.json();
+    const data = raw;
+    return {
+      accessToken: data.access_token,
+      refreshToken: data.refresh_token,
+      expiresIn: data.expires_in,
+      tokenType: data.token_type ?? "Bearer",
+      raw
+    };
+  }
+  async function getUserInfo(accessToken) {
+    const response = await fetch(USER_INFO_URL14, {
+      headers: { Authorization: `Bearer ${accessToken}` }
+    });
+    if (!response.ok) {
+      const text3 = await response.text();
+      throw new Error(`Zoom /v2/users/me fetch failed (${response.status}): ${text3}`);
+    }
+    const raw = await response.json();
+    return normalizeProfile10(raw);
+  }
+  return {
+    id: "zoom",
+    name: "Zoom",
+    authorizationUrl: AUTHORIZATION_URL17,
+    tokenUrl: TOKEN_URL17,
+    userInfoUrl: USER_INFO_URL14,
+    scopes,
+    getAuthorizationUrl,
+    exchangeCode,
+    getUserInfo
+  };
+}
+function mergeScopes17(defaults, extras) {
   if (!extras || extras.length === 0) return defaults;
   const merged = /* @__PURE__ */ new Set([...defaults, ...extras]);
   return [...merged];
@@ -6433,7 +7834,7 @@ var DEFAULT_REFRESH_TOKEN_TTL = 86400 * 30;
 var DEFAULT_AUTH_CODE_TTL = 600;
 var DEFAULT_ID_TOKEN_TTL = 3600;
 var DEFAULT_SIGNING_ALG = "RS256";
-var DEFAULT_SCOPES10 = ["openid", "profile", "email"];
+var DEFAULT_SCOPES12 = ["openid", "profile", "email"];
 var CLIENT_ID_BYTE_LENGTH = 16;
 var CLIENT_SECRET_BYTE_LENGTH = 32;
 var AUTH_CODE_BYTE_LENGTH = 32;
@@ -6460,7 +7861,7 @@ function createOidcProviderModule(config, db, getUserClaims) {
   const refreshTokenTtl = config.refreshTokenTtl ?? DEFAULT_REFRESH_TOKEN_TTL;
   const authCodeTtl = config.authCodeTtl ?? DEFAULT_AUTH_CODE_TTL;
   const idTokenTtl = config.idTokenTtl ?? DEFAULT_ID_TOKEN_TTL;
-  const supportedScopes = config.supportedScopes ?? DEFAULT_SCOPES10;
+  const supportedScopes = config.supportedScopes ?? DEFAULT_SCOPES12;
   let signingKeyPromise;
   let publicJwkPromise;
   async function getSigningKey() {
@@ -14733,6 +16134,6 @@ function createWebhookModule(configs) {
   return { emit, addEndpoint, listEndpoints };
 }
 
-export { EVENT_TYPES, HibpApiError, HibpBreachedError, KVStore, MemoryStore, OAuthProxyError, OneTapVerifyError, SSO_ERROR, SsoError, additionalFields, admin, anonymousAuth, apiKeys2 as apiKeys, bearerAuth, createAdditionalFieldsModule, createAdminModule, createAnonymousAuthModule, createApiKeyManagerModule, createAppleProvider, createCaptchaModule, createCostAttributionModule, createCustomSessionModule, createDeviceAuthModule, createDiscordProvider, createEmailOtpModule, createEmailVerificationModule, createEphemeralSessionModule, createEventStreamModule, createFederationModule, createGdprModule, createGithubProvider, createGitlabProvider, createGoogleProvider, createHibpModule, createJwtSessionModule, createLastLoginModule, createLinkedInProvider, createMagicLinkModule, createMicrosoftProvider, createOAuthModule, createOAuthProxyModule, createOidcProviderModule, createOneTapModule, createOneTimeTokenModule, createOpenApiModule, createOrgModule, createPasskeyModule, createPasswordResetModule, createPhoneAuthModule, createPolarModule, createRateLimiter, createReBACModule, createScimModule, createSiweModule, createSlackProvider, createSsoModule, createStripeModule, createTotpModule, createTrustedDeviceModule, createTwitterProvider, createUsernameAuthModule, createWebhookModule, customAuth, customSession, deviceAuth, deviceLabelFromRequest, emailOtp, gdpr, headerAuth, kvStore, magicLink, oauth, oauthProxy, oneTap, organization, passkey, polar, rateLimit, scim, siwe, stripe, twoFactor, withRateLimit };
+export { DEFAULT_ATLASSIAN_SCOPES, DEFAULT_DISCORD_SCOPES, DEFAULT_DROPBOX_SCOPES, DEFAULT_FIGMA_SCOPES, DEFAULT_NOTION_SCOPES, DEFAULT_REDDIT_SCOPES, DEFAULT_SLACK_SCOPES, DEFAULT_SPOTIFY_SCOPES, DEFAULT_TWITCH_SCOPES, DEFAULT_ZOOM_SCOPES, EVENT_TYPES, HibpApiError, HibpBreachedError, KVStore, MemoryStore, OAuthProxyError, OneTapVerifyError, SSO_ERROR, SsoError, additionalFields, admin, anonymousAuth, apiKeys2 as apiKeys, atlassianProvider, auth0Provider, bearerAuth, bitbucketProvider, cognitoProvider, coinbaseProvider, createAdditionalFieldsModule, createAdminModule, createAnonymousAuthModule, createApiKeyManagerModule, createAppleProvider, createAtlassianProvider, createCaptchaModule, createCostAttributionModule, createCustomSessionModule, createDeviceAuthModule, createDiscordProvider, createDropboxProvider, createEmailOtpModule, createEmailVerificationModule, createEphemeralSessionModule, createEventStreamModule, createFederationModule, createFigmaProvider, createGdprModule, createGithubProvider, createGitlabProvider, createGoogleProvider, createHibpModule, createJwtSessionModule, createLastLoginModule, createLinkedInProvider, createMagicLinkModule, createMicrosoftProvider, createNotionProvider, createOAuthModule, createOAuthProxyModule, createOidcProviderModule, createOneTapModule, createOneTimeTokenModule, createOpenApiModule, createOrgModule, createPasskeyModule, createPasswordResetModule, createPhoneAuthModule, createPolarModule, createRateLimiter, createReBACModule, createRedditProvider, createScimModule, createSiweModule, createSlackProvider, createSpotifyProvider, createSsoModule, createStripeModule, createTotpModule, createTrustedDeviceModule, createTwitchProvider, createTwitterProvider, createUsernameAuthModule, createWebhookModule, createZoomProvider, customAuth, customSession, deviceAuth, deviceLabelFromRequest, dropboxProvider, emailOtp, facebookProvider, figmaProvider, gdpr, genericOIDC, headerAuth, huggingfaceProvider, kakaoProvider, kickProvider, kvStore, lineProvider, linearProvider, magicLink, naverProvider, normalizeProfile as normalizeAtlassianProfile, normalizeProfile2 as normalizeDiscordProfile, normalizeProfile3 as normalizeDropboxProfile, normalizeProfile4 as normalizeFigmaProfile, normalizeProfile5 as normalizeNotionProfile, normalizeProfile6 as normalizeRedditProfile, normalizeProfile7 as normalizeSlackProfile, normalizeProfile8 as normalizeSpotifyProfile, normalizeProfile9 as normalizeTwitchProfile, normalizeProfile10 as normalizeZoomProfile, notionProvider, oauth, oauthProxy, oktaProvider, oneTap, organization, passkey, paypalProvider, polar, polarProvider, railwayProvider, rateLimit, redditProvider, robloxProvider, salesforceProvider, scim, siwe, spotifyProvider, stripe, tiktokProvider, twitchProvider, twoFactor, vercelProvider, vkProvider, wechatProvider, withRateLimit, yahooProvider, zoomProvider };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map