u-foo 1.9.8 → 2.2.0

package/src/agent/credentials/claude.js

@@ -0,0 +1,324 @@
+"use strict";
+
+const fs = require("fs");
+const os = require("os");
+const path = require("path");
+const {
+  buildCredentialDescriptor,
+  parseTimestamp,
+} = require("./index");
+
+const DEFAULT_REFRESH_WINDOW_MS = 5 * 60 * 1000;
+const DEFAULT_LOCK_TIMEOUT_MS = 3000;
+const DEFAULT_LOCK_RETRY_MS = 25;
+const DEFAULT_STALE_LOCK_MS = 30 * 1000;
+
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+
+function defaultClaudeConfigDir() {
+  return path.join(os.homedir(), ".claude");
+}
+
+function resolveClaudeOauthPaths(options = {}) {
+  const configDir = String(options.configDir || defaultClaudeConfigDir()).trim() || defaultClaudeConfigDir();
+  const profile = String(options.profile || "").trim();
+  const explicitTokenPath = String(options.tokenPath || "").trim();
+  const profileDir = profile ? path.join(configDir, "profiles", profile) : configDir;
+  const tokenPath = explicitTokenPath || path.join(profileDir, "oauth.json");
+  return {
+    configDir,
+    profile,
+    profileDir,
+    tokenPath,
+    lockPath: `${tokenPath}.lock`,
+  };
+}
+
+function classifyTokenState(expiresAtMs, nowMs, refreshWindowMs) {
+  if (!Number.isFinite(expiresAtMs)) return "invalid";
+  if (expiresAtMs <= nowMs) return "expired";
+  if ((expiresAtMs - nowMs) <= refreshWindowMs) return "near_expiry";
+  return "fresh";
+}
+
+function parseClaudeOauthFile(raw = {}) {
+  if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
+    const err = new Error("Claude OAuth token payload must be a JSON object");
+    err.code = "CLAUDE_OAUTH_INVALID";
+    throw err;
+  }
+
+  if (
+    raw.version === "claude-code-oauth-v1"
+    && typeof raw.accessToken === "string"
+    && typeof raw.refreshToken === "string"
+  ) {
+    return {
+      schemaVersion: "claude-code-oauth-v1",
+      raw,
+      accessToken: raw.accessToken,
+      refreshToken: raw.refreshToken,
+      expiresAt: typeof raw.expiresAt === "string" ? raw.expiresAt : "",
+      tokenType: typeof raw.tokenType === "string" ? raw.tokenType : "Bearer",
+      refreshUrl: typeof raw.refreshUrl === "string" ? raw.refreshUrl : "",
+    };
+  }
+
+  if (
+    raw.version === 2
+    && raw.oauth
+    && typeof raw.oauth === "object"
+    && typeof raw.oauth.access_token === "string"
+    && typeof raw.oauth.refresh_token === "string"
+  ) {
+    return {
+      schemaVersion: "claude-code-oauth-v2",
+      raw,
+      accessToken: raw.oauth.access_token,
+      refreshToken: raw.oauth.refresh_token,
+      expiresAt: typeof raw.oauth.expires_at === "string" ? raw.oauth.expires_at : "",
+      tokenType: typeof raw.oauth.token_type === "string" ? raw.oauth.token_type : "Bearer",
+      refreshUrl: typeof raw.oauth.refresh_url === "string" ? raw.oauth.refresh_url : "",
+    };
+  }
+
+  const err = new Error("Unsupported Claude OAuth token schema");
+  err.code = "CLAUDE_OAUTH_SCHEMA_UNSUPPORTED";
+  throw err;
+}
+
+function serializeClaudeOauthToken(parsedToken, updates = {}) {
+  const accessToken = typeof updates.accessToken === "string" ? updates.accessToken : parsedToken.accessToken;
+  const refreshToken = typeof updates.refreshToken === "string" ? updates.refreshToken : parsedToken.refreshToken;
+  const expiresAt = typeof updates.expiresAt === "string" ? updates.expiresAt : parsedToken.expiresAt;
+  const tokenType = typeof updates.tokenType === "string" ? updates.tokenType : parsedToken.tokenType;
+  const refreshUrl = typeof updates.refreshUrl === "string" ? updates.refreshUrl : parsedToken.refreshUrl;
+
+  if (parsedToken.schemaVersion === "claude-code-oauth-v1") {
+    return {
+      ...parsedToken.raw,
+      accessToken,
+      refreshToken,
+      expiresAt,
+      tokenType,
+      refreshUrl,
+    };
+  }
+
+  if (parsedToken.schemaVersion === "claude-code-oauth-v2") {
+    return {
+      ...parsedToken.raw,
+      oauth: {
+        ...parsedToken.raw.oauth,
+        access_token: accessToken,
+        refresh_token: refreshToken,
+        expires_at: expiresAt,
+        token_type: tokenType,
+        refresh_url: refreshUrl,
+      },
+    };
+  }
+
+  const err = new Error(`Unsupported Claude OAuth schema version: ${parsedToken.schemaVersion}`);
+  err.code = "CLAUDE_OAUTH_SCHEMA_UNSUPPORTED";
+  throw err;
+}
+
+async function withLockFile(lockPath, options = {}, fn) {
+  const fsModule = options.fsModule || fs;
+  const timeoutMs = Number.isFinite(options.timeoutMs) ? options.timeoutMs : DEFAULT_LOCK_TIMEOUT_MS;
+  const retryMs = Number.isFinite(options.retryMs) ? options.retryMs : DEFAULT_LOCK_RETRY_MS;
+  const staleMs = Number.isFinite(options.staleMs) ? options.staleMs : DEFAULT_STALE_LOCK_MS;
+  const sleepFn = typeof options.sleep === "function" ? options.sleep : sleep;
+  const startedAt = Date.now();
+
+  fsModule.mkdirSync(path.dirname(lockPath), { recursive: true, mode: 0o700 });
+
+  while ((Date.now() - startedAt) <= timeoutMs) {
+    let fd = null;
+    try {
+      fd = fsModule.openSync(lockPath, "wx", 0o600);
+      try {
+        return await fn();
+      } finally {
+        try { fsModule.closeSync(fd); } catch {}
+        try { fsModule.unlinkSync(lockPath); } catch {}
+      }
+    } catch (err) {
+      if (!err || err.code !== "EEXIST") throw err;
+      try {
+        const stat = fsModule.statSync(lockPath);
+        if ((Date.now() - stat.mtimeMs) > staleMs) {
+          fsModule.unlinkSync(lockPath);
+          continue;
+        }
+      } catch {}
+      // eslint-disable-next-line no-await-in-loop
+      await sleepFn(retryMs);
+    }
+  }
+
+  const err = new Error(`Timed out waiting for Claude OAuth lock: ${lockPath}`);
+  err.code = "CLAUDE_OAUTH_LOCK_TIMEOUT";
+  throw err;
+}
+
+function atomicWriteJson(filePath, value, options = {}) {
+  const fsModule = options.fsModule || fs;
+  const dir = path.dirname(filePath);
+  const tmpPath = path.join(dir, `.tmp-${path.basename(filePath)}.${process.pid}.${Date.now()}`);
+  fsModule.mkdirSync(dir, { recursive: true, mode: 0o700 });
+  fsModule.writeFileSync(tmpPath, `${JSON.stringify(value, null, 2)}\n`, { encoding: "utf8", mode: 0o600 });
+  fsModule.renameSync(tmpPath, filePath);
+}
+
+class ClaudeUpstreamCredentialResolver {
+  constructor(options = {}) {
+    this.fs = options.fsModule || fs;
+    this.env = options.env || process.env;
+    this.now = typeof options.now === "function" ? options.now : () => Date.now();
+    this.refreshAccessToken = typeof options.refreshAccessToken === "function"
+      ? options.refreshAccessToken
+      : null;
+    this.sleep = typeof options.sleep === "function" ? options.sleep : sleep;
+    this.lockTimeoutMs = Number.isFinite(options.lockTimeoutMs) ? options.lockTimeoutMs : DEFAULT_LOCK_TIMEOUT_MS;
+    this.lockRetryMs = Number.isFinite(options.lockRetryMs) ? options.lockRetryMs : DEFAULT_LOCK_RETRY_MS;
+    this.lockStaleMs = Number.isFinite(options.lockStaleMs) ? options.lockStaleMs : DEFAULT_STALE_LOCK_MS;
+    this.refreshWindowMs = Number.isFinite(options.refreshWindowMs)
+      ? options.refreshWindowMs
+      : DEFAULT_REFRESH_WINDOW_MS;
+    this.paths = resolveClaudeOauthPaths(options);
+  }
+
+  resolvePaths() {
+    return { ...this.paths };
+  }
+
+  readTokenFile() {
+    const raw = JSON.parse(this.fs.readFileSync(this.paths.tokenPath, "utf8"));
+    const parsed = parseClaudeOauthFile(raw);
+    const nowMs = this.now();
+    const expiresAtMs = parseTimestamp(parsed.expiresAt);
+    return {
+      ...parsed,
+      expiresAtMs,
+      state: classifyTokenState(expiresAtMs, nowMs, this.refreshWindowMs),
+    };
+  }
+
+  buildResolvedCredential(tokenRecord) {
+    return buildCredentialDescriptor({
+      provider: "claude",
+      credentialKind: "oauth",
+      source: "oauth",
+      accessToken: tokenRecord.accessToken,
+      refreshToken: tokenRecord.refreshToken,
+      tokenType: tokenRecord.tokenType || "Bearer",
+      state: tokenRecord.state,
+      expiresAt: tokenRecord.expiresAt,
+      expiresAtMs: tokenRecord.expiresAtMs,
+      refreshable: Boolean(tokenRecord.refreshToken),
+      profile: this.paths.profile,
+      credentialPath: this.paths.tokenPath,
+      schemaVersion: tokenRecord.schemaVersion,
+      refreshWindowMs: this.refreshWindowMs,
+      nowMs: this.now(),
+      metadata: {
+        tokenPath: this.paths.tokenPath,
+        refreshUrl: tokenRecord.refreshUrl || "",
+      },
+    });
+  }
+
+  async refreshIfNeeded(initialRecord) {
+    if (!this.refreshAccessToken) {
+      return this.buildResolvedCredential(initialRecord);
+    }
+
+    return withLockFile(this.paths.lockPath, {
+      fsModule: this.fs,
+      timeoutMs: this.lockTimeoutMs,
+      retryMs: this.lockRetryMs,
+      staleMs: this.lockStaleMs,
+      sleep: this.sleep,
+    }, async () => {
+      const currentRecord = this.readTokenFile();
+      if (currentRecord.state === "fresh") {
+        return this.buildResolvedCredential(currentRecord);
+      }
+
+      const refreshed = await this.refreshAccessToken({
+        profile: this.paths.profile,
+        tokenPath: this.paths.tokenPath,
+        refreshToken: currentRecord.refreshToken,
+        accessToken: currentRecord.accessToken,
+        expiresAt: currentRecord.expiresAt,
+        refreshUrl: currentRecord.refreshUrl,
+        tokenType: currentRecord.tokenType,
+        schemaVersion: currentRecord.schemaVersion,
+      });
+
+      const nextRaw = serializeClaudeOauthToken(currentRecord, refreshed || {});
+      atomicWriteJson(this.paths.tokenPath, nextRaw, { fsModule: this.fs });
+
+      const nextRecord = this.readTokenFile();
+      return this.buildResolvedCredential(nextRecord);
+    });
+  }
+
+  async resolveCredentials() {
+    const apiKey = typeof this.env.ANTHROPIC_API_KEY === "string" ? this.env.ANTHROPIC_API_KEY.trim() : "";
+    if (apiKey) {
+      return buildCredentialDescriptor({
+        provider: "claude",
+        credentialKind: "api-key",
+        source: "api-key",
+        apiKey,
+        tokenType: "Bearer",
+        state: "fresh",
+        refreshable: false,
+        profile: this.paths.profile,
+        credentialPath: "",
+        nowMs: this.now(),
+        refreshWindowMs: this.refreshWindowMs,
+      });
+    }
+
+    let tokenRecord;
+    try {
+      tokenRecord = this.readTokenFile();
+    } catch (err) {
+      if (err && err.code === "ENOENT") {
+        const missing = new Error("Claude OAuth token not found and ANTHROPIC_API_KEY is unset");
+        missing.code = "CLAUDE_AUTH_UNAVAILABLE";
+        throw missing;
+      }
+      throw err;
+    }
+
+    if (tokenRecord.state === "fresh") {
+      return this.buildResolvedCredential(tokenRecord);
+    }
+
+    return this.refreshIfNeeded(tokenRecord);
+  }
+}
+
+async function resolveClaudeUpstreamCredentials(options = {}) {
+  const resolver = new ClaudeUpstreamCredentialResolver(options);
+  return resolver.resolveCredentials();
+}
+
+module.exports = {
+  ClaudeUpstreamCredentialResolver,
+  DEFAULT_REFRESH_WINDOW_MS,
+  resolveClaudeUpstreamCredentials,
+  resolveClaudeOauthPaths,
+  parseClaudeOauthFile,
+  serializeClaudeOauthToken,
+  classifyTokenState,
+  withLockFile,
+  atomicWriteJson,
+};

package/src/agent/credentials/codex.js

@@ -0,0 +1,203 @@
+"use strict";
+
+const fs = require("fs");
+const os = require("os");
+const path = require("path");
+const {
+  buildCredentialDescriptor,
+  parseTimestamp,
+} = require("./index");
+
+function defaultCodexConfigDir() {
+  return path.join(os.homedir(), ".codex");
+}
+
+function resolveCodexAuthPaths(options = {}) {
+  const configDir = String(options.configDir || defaultCodexConfigDir()).trim() || defaultCodexConfigDir();
+  const explicitAuthPath = String(options.authPath || "").trim();
+  const authPath = explicitAuthPath || path.join(configDir, "auth.json");
+  return {
+    configDir,
+    authPath,
+  };
+}
+
+function decodeJwtPayload(token = "") {
+  const parts = String(token || "").split(".");
+  if (parts.length < 2) return {};
+  try {
+    const payload = parts[1].replace(/-/g, "+").replace(/_/g, "/");
+    const padded = payload.padEnd(Math.ceil(payload.length / 4) * 4, "=");
+    return JSON.parse(Buffer.from(padded, "base64").toString("utf8"));
+  } catch {
+    return {};
+  }
+}
+
+function parseCodexAuthFile(raw = {}) {
+  if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
+    const err = new Error("Codex auth payload must be a JSON object");
+    err.code = "CODEX_AUTH_INVALID";
+    throw err;
+  }
+
+  const tokens = raw.tokens && typeof raw.tokens === "object" ? raw.tokens : null;
+  const apiKey = typeof raw.OPENAI_API_KEY === "string" ? raw.OPENAI_API_KEY : "";
+  const accessToken = tokens && typeof tokens.access_token === "string"
+    ? tokens.access_token
+    : (typeof raw.access_token === "string" ? raw.access_token : "");
+  const refreshToken = tokens && typeof tokens.refresh_token === "string"
+    ? tokens.refresh_token
+    : (typeof raw.refresh_token === "string" ? raw.refresh_token : "");
+  const idToken = tokens && typeof tokens.id_token === "string"
+    ? tokens.id_token
+    : (typeof raw.id_token === "string" ? raw.id_token : "");
+  const accountId = tokens && typeof tokens.account_id === "string"
+    ? tokens.account_id
+    : (typeof raw.account_id === "string" ? raw.account_id : "");
+  const expiresAt = typeof raw.expired === "string"
+    ? raw.expired
+    : (typeof raw.expire === "string" ? raw.expire : "");
+  const email = typeof raw.email === "string" ? raw.email : "";
+
+  if (!apiKey && !accessToken) {
+    const err = new Error("Unsupported Codex auth schema");
+    err.code = "CODEX_AUTH_SCHEMA_UNSUPPORTED";
+    throw err;
+  }
+
+  return {
+    schemaVersion: "codex-auth-v1",
+    raw,
+    apiKey,
+    accessToken,
+    refreshToken,
+    idToken,
+    accountId,
+    email,
+    expiresAt,
+    lastRefresh: typeof raw.last_refresh === "string" ? raw.last_refresh : "",
+    authMode: typeof raw.auth_mode === "string" ? raw.auth_mode : "",
+  };
+}
+
+class CodexUpstreamCredentialResolver {
+  constructor(options = {}) {
+    this.fs = options.fsModule || fs;
+    this.env = options.env || process.env;
+    this.now = typeof options.now === "function" ? options.now : () => Date.now();
+    this.paths = resolveCodexAuthPaths(options);
+    this.refreshWindowMs = Number.isFinite(options.refreshWindowMs) ? options.refreshWindowMs : 0;
+  }
+
+  resolvePaths() {
+    return { ...this.paths };
+  }
+
+  readAuthFile() {
+    const raw = JSON.parse(this.fs.readFileSync(this.paths.authPath, "utf8"));
+    const parsed = parseCodexAuthFile(raw);
+    const claims = decodeJwtPayload(parsed.idToken);
+    const derivedEmail = typeof claims.email === "string" ? claims.email : "";
+    const derivedExpiresAt = Number.isFinite(Number(claims.exp))
+      ? new Date(Number(claims.exp) * 1000).toISOString()
+      : "";
+    const expiresAt = parsed.expiresAt || derivedExpiresAt;
+    return {
+      ...parsed,
+      accountEmail: parsed.email || derivedEmail,
+      expiresAt,
+      expiresAtMs: parseTimestamp(expiresAt),
+    };
+  }
+
+  buildResolvedCredential(record) {
+    if (record.apiKey) {
+      return buildCredentialDescriptor({
+        provider: "codex",
+        credentialKind: "api-key",
+        source: "auth-file",
+        apiKey: record.apiKey,
+        tokenType: "Bearer",
+        state: "fresh",
+        refreshable: false,
+        credentialPath: this.paths.authPath,
+        accountId: record.accountId,
+        accountEmail: record.accountEmail,
+        schemaVersion: record.schemaVersion,
+        nowMs: this.now(),
+        refreshWindowMs: this.refreshWindowMs,
+        metadata: {
+          authMode: record.authMode,
+          lastRefresh: record.lastRefresh,
+        },
+      });
+    }
+
+    return buildCredentialDescriptor({
+      provider: "codex",
+      credentialKind: "oauth",
+      source: "auth-file",
+      accessToken: record.accessToken,
+      refreshToken: record.refreshToken,
+      tokenType: "Bearer",
+      expiresAt: record.expiresAt,
+      expiresAtMs: record.expiresAtMs,
+      refreshable: Boolean(record.refreshToken),
+      credentialPath: this.paths.authPath,
+      accountId: record.accountId,
+      accountEmail: record.accountEmail,
+      schemaVersion: record.schemaVersion,
+      nowMs: this.now(),
+      refreshWindowMs: this.refreshWindowMs,
+      metadata: {
+        authMode: record.authMode,
+        idTokenPresent: Boolean(record.idToken),
+        lastRefresh: record.lastRefresh,
+      },
+    });
+  }
+
+  async resolveCredentials() {
+    const apiKey = typeof this.env.OPENAI_API_KEY === "string" ? this.env.OPENAI_API_KEY.trim() : "";
+    if (apiKey) {
+      return buildCredentialDescriptor({
+        provider: "codex",
+        credentialKind: "api-key",
+        source: "env:OPENAI_API_KEY",
+        apiKey,
+        tokenType: "Bearer",
+        state: "fresh",
+        refreshable: false,
+        credentialPath: "",
+        nowMs: this.now(),
+      });
+    }
+
+    let authRecord;
+    try {
+      authRecord = this.readAuthFile();
+    } catch (err) {
+      if (err && err.code === "ENOENT") {
+        const missing = new Error("Codex auth file not found and OPENAI_API_KEY is unset");
+        missing.code = "CODEX_AUTH_UNAVAILABLE";
+        throw missing;
+      }
+      throw err;
+    }
+    return this.buildResolvedCredential(authRecord);
+  }
+}
+
+async function resolveCodexUpstreamCredentials(options = {}) {
+  const resolver = new CodexUpstreamCredentialResolver(options);
+  return resolver.resolveCredentials();
+}
+
+module.exports = {
+  CodexUpstreamCredentialResolver,
+  resolveCodexUpstreamCredentials,
+  resolveCodexAuthPaths,
+  parseCodexAuthFile,
+  decodeJwtPayload,
+};

package/src/agent/credentials/index.js

@@ -0,0 +1,106 @@
+"use strict";
+
+function normalizeString(value) {
+  return typeof value === "string" ? value.trim() : "";
+}
+
+function normalizeScopes(scopes) {
+  if (!Array.isArray(scopes)) return [];
+  return scopes
+    .map((scope) => normalizeString(scope))
+    .filter(Boolean);
+}
+
+function parseTimestamp(value) {
+  const normalized = normalizeString(value);
+  if (!normalized) return NaN;
+  return Date.parse(normalized);
+}
+
+function classifyCredentialState(expiresAtMs, nowMs, refreshWindowMs) {
+  if (!Number.isFinite(expiresAtMs)) return "unknown";
+  if (expiresAtMs <= nowMs) return "expired";
+  if ((expiresAtMs - nowMs) <= refreshWindowMs) return "near_expiry";
+  return "fresh";
+}
+
+function buildCredentialDescriptor(input = {}) {
+  const provider = normalizeString(input.provider);
+  const credentialKind = normalizeString(input.credentialKind) || "oauth";
+  const tokenType = normalizeString(input.tokenType) || "Bearer";
+  const expiresAt = normalizeString(input.expiresAt);
+  const nowMs = Number.isFinite(input.nowMs) ? input.nowMs : Date.now();
+  const refreshWindowMs = Number.isFinite(input.refreshWindowMs) ? input.refreshWindowMs : 0;
+  const expiresAtMs = Number.isFinite(input.expiresAtMs) ? input.expiresAtMs : parseTimestamp(expiresAt);
+  const explicitState = normalizeString(input.state);
+  return {
+    provider,
+    credentialKind,
+    source: normalizeString(input.source),
+    tokenType,
+    apiKey: normalizeString(input.apiKey),
+    accessToken: normalizeString(input.accessToken),
+    refreshToken: normalizeString(input.refreshToken),
+    expiresAt,
+    expiresAtMs,
+    state: explicitState || classifyCredentialState(expiresAtMs, nowMs, refreshWindowMs),
+    refreshable: input.refreshable === true,
+    profile: normalizeString(input.profile),
+    credentialPath: normalizeString(input.credentialPath),
+    accountId: normalizeString(input.accountId),
+    accountEmail: normalizeString(input.accountEmail),
+    schemaVersion: normalizeString(input.schemaVersion),
+    scopes: normalizeScopes(input.scopes),
+    metadata: input.metadata && typeof input.metadata === "object" && !Array.isArray(input.metadata)
+      ? { ...input.metadata }
+      : {},
+  };
+}
+
+function toLegacyResolvedAuth(descriptor = {}) {
+  const token = normalizeString(descriptor.accessToken) || normalizeString(descriptor.apiKey);
+  return {
+    source: descriptor.credentialKind === "api-key" ? "api-key" : "oauth",
+    token,
+    apiKey: normalizeString(descriptor.apiKey),
+    accessToken: normalizeString(descriptor.accessToken),
+    refreshToken: normalizeString(descriptor.refreshToken),
+    tokenType: normalizeString(descriptor.tokenType) || "Bearer",
+    state: normalizeString(descriptor.state),
+    expiresAt: normalizeString(descriptor.expiresAt),
+    schemaVersion: normalizeString(descriptor.schemaVersion),
+    profile: normalizeString(descriptor.profile),
+    tokenPath: normalizeString(descriptor.credentialPath),
+    provider: normalizeString(descriptor.provider),
+    credentialKind: normalizeString(descriptor.credentialKind),
+  };
+}
+
+function buildUpstreamAuthFromCredential(descriptor = {}) {
+  const tokenType = normalizeString(descriptor.tokenType) || "Bearer";
+  const apiKey = normalizeString(descriptor.apiKey);
+  const accessToken = normalizeString(descriptor.accessToken);
+  if (descriptor.credentialKind === "api-key" && apiKey) {
+    return { apiKey };
+  }
+  if (accessToken) {
+    return {
+      headers: {
+        authorization: `${tokenType} ${accessToken}`,
+      },
+    };
+  }
+  const err = new Error(`Unsupported upstream credential descriptor for provider ${normalizeString(descriptor.provider) || "unknown"}`);
+  err.code = "UPSTREAM_CREDENTIAL_UNSUPPORTED";
+  throw err;
+}
+
+module.exports = {
+  normalizeString,
+  normalizeScopes,
+  parseTimestamp,
+  classifyCredentialState,
+  buildCredentialDescriptor,
+  toLegacyResolvedAuth,
+  buildUpstreamAuthFromCredential,
+};