npm - vidspotai-shared - Versions diffs - 1.0.82-dev.0 → 1.0.83 - Mend

vidspotai-shared 1.0.82-dev.0 → 1.0.83

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (468) hide show

package/lib/services/socialOAuth/tiktok.oauth.js ADDED Viewed

@@ -0,0 +1,151 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TikTokOAuthProvider = void 0;
+const types_1 = require("../../globals/types");
+const logger_1 = require("../../utils/logger");
+/**
+ * TikTok (Login Kit v2) OAuth provider. Phase 6 — TikTok publish.
+ *
+ * Config (env):
+ *   TIKTOK_CLIENT_KEY     — app client key
+ *   TIKTOK_CLIENT_SECRET  — app client secret
+ *
+ * Notes / gates (plan §3, §G):
+ * - Access token lives 24h; refresh token 365d WITH rotation (a refresh returns
+ *   a NEW refresh token — we persist it). The refresh daemon is mandatory.
+ * - `video.publish` (direct post) + `video.upload` (draft) require the Content
+ *   Posting API audit; until approved, posts are forced SELF_ONLY/draft and only
+ *   test users can connect.
+ * - PULL_FROM_URL publishing needs the media domain (our CDN) verified in the
+ *   TikTok developer portal.
+ */
+const AUTH_ENDPOINT = "https://www.tiktok.com/v2/auth/authorize/";
+const TOKEN_ENDPOINT = "https://open.tiktokapis.com/v2/oauth/token/";
+const REVOKE_ENDPOINT = "https://open.tiktokapis.com/v2/oauth/revoke/";
+const USERINFO_ENDPOINT = "https://open.tiktokapis.com/v2/user/info/?fields=open_id,union_id,avatar_url,display_name,username";
+/** Basic scopes: identity + publish. `video.list` (read) gates metrics. */
+const BASE_SCOPES = ["user.info.basic", "video.publish", "video.upload"];
+const BUSINESS_SCOPES = ["video.list"];
+class TikTokOAuthProvider {
+    constructor() {
+        this.provider = types_1.ESocialProvider.TIKTOK;
+    }
+    clientKey() {
+        const k = process.env.TIKTOK_CLIENT_KEY;
+        if (!k)
+            throw new Error("TikTokOAuth: TIKTOK_CLIENT_KEY not set");
+        return k;
+    }
+    clientSecret() {
+        const s = process.env.TIKTOK_CLIENT_SECRET;
+        if (!s)
+            throw new Error("TikTokOAuth: TIKTOK_CLIENT_SECRET not set");
+        return s;
+    }
+    getAuthUrl({ state, redirectUri, requestBusinessScopes, }) {
+        const scopes = requestBusinessScopes
+            ? [...BASE_SCOPES, ...BUSINESS_SCOPES]
+            : BASE_SCOPES;
+        const params = new URLSearchParams({
+            client_key: this.clientKey(),
+            scope: scopes.join(","),
+            response_type: "code",
+            redirect_uri: redirectUri,
+            state,
+        });
+        return `${AUTH_ENDPOINT}?${params.toString()}`;
+    }
+    async exchangeCode({ code, redirectUri, }) {
+        const body = new URLSearchParams({
+            client_key: this.clientKey(),
+            client_secret: this.clientSecret(),
+            code,
+            grant_type: "authorization_code",
+            redirect_uri: redirectUri,
+        });
+        const token = await this.postToken(body);
+        if (!token.access_token) {
+            throw new Error("TikTokOAuth: token exchange returned no access_token");
+        }
+        const tokens = this.toTokens(token);
+        const account = await this.resolveAccount(token.access_token);
+        return { account, tokens };
+    }
+    async refresh(refreshToken) {
+        const body = new URLSearchParams({
+            client_key: this.clientKey(),
+            client_secret: this.clientSecret(),
+            grant_type: "refresh_token",
+            refresh_token: refreshToken,
+        });
+        const token = await this.postToken(body);
+        if (!token.access_token) {
+            throw new Error("TikTokOAuth: refresh returned no access_token");
+        }
+        // TikTok ROTATES the refresh token — keep whatever it returned.
+        return this.toTokens(token);
+    }
+    async revoke(token) {
+        try {
+            await fetch(REVOKE_ENDPOINT, {
+                method: "POST",
+                headers: { "Content-Type": "application/x-www-form-urlencoded" },
+                body: new URLSearchParams({
+                    client_key: this.clientKey(),
+                    client_secret: this.clientSecret(),
+                    token,
+                }).toString(),
+            });
+        }
+        catch (err) {
+            logger_1.logger.warn("TikTokOAuth.revoke: failed (non-fatal)", {
+                error: err instanceof Error ? err.message : String(err),
+            });
+        }
+    }
+    async postToken(body) {
+        const resp = await fetch(TOKEN_ENDPOINT, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/x-www-form-urlencoded",
+                "Cache-Control": "no-cache",
+            },
+            body: body.toString(),
+        });
+        const json = (await resp.json());
+        if (!resp.ok || json.error) {
+            throw new Error(`TikTokOAuth: token endpoint ${resp.status} ${json.error ?? ""} ${json.error_description ?? ""}`.trim());
+        }
+        return json;
+    }
+    toTokens(token) {
+        const now = Date.now();
+        return {
+            accessToken: token.access_token,
+            refreshToken: token.refresh_token,
+            expiresAt: now + (token.expires_in ?? 86400) * 1000,
+            refreshExpiresAt: token.refresh_expires_in
+                ? now + token.refresh_expires_in * 1000
+                : undefined,
+            scopes: token.scope ? token.scope.split(",").filter(Boolean) : [],
+        };
+    }
+    async resolveAccount(accessToken) {
+        const resp = await fetch(USERINFO_ENDPOINT, {
+            headers: { Authorization: `Bearer ${accessToken}` },
+        });
+        const json = (await resp.json());
+        const user = json.data?.user;
+        if (!resp.ok || json.error?.code || !user?.open_id) {
+            throw new Error(`TikTokOAuth: user info ${resp.status} ${json.error?.message ?? ""}`.trim());
+        }
+        return {
+            providerAccountId: user.open_id,
+            displayName: user.display_name ?? "TikTok account",
+            handle: user.username,
+            avatarUrl: user.avatar_url,
+            kind: types_1.ESocialAccountKind.CREATOR,
+        };
+    }
+}
+exports.TikTokOAuthProvider = TikTokOAuthProvider;

package/lib/services/socialOAuth/types.d.ts ADDED Viewed

@@ -0,0 +1,67 @@
+import { ESocialAccountKind, ESocialProvider } from "../../globals/types";
+/**
+ * X8 Social Suite — OAuth provider abstraction. One implementation per platform
+ * behind a single interface so the connect/callback controllers and the token
+ * refresh daemon are provider-agnostic. See notes/SOCIAL_SUITE_PLAN.md §4.
+ *
+ * IMPORTANT: this layer deals in CLEARTEXT tokens. Encryption (tokenVault) is
+ * applied by the persistence layer right before writing to Firestore, and
+ * decryption right after reading — providers never see ciphertext.
+ */
+/** Cleartext OAuth credential bundle returned by exchange/refresh. */
+export interface OAuthTokens {
+    accessToken: string;
+    refreshToken?: string;
+    /** Unix ms when the access token expires. */
+    expiresAt: number;
+    /** Unix ms when the refresh token expires, if applicable. */
+    refreshExpiresAt?: number;
+    /** Scopes actually granted (may differ from requested). */
+    scopes: string[];
+}
+/** Identity of the connected account, resolved after token exchange. */
+export interface ResolvedSocialAccount {
+    providerAccountId: string;
+    displayName: string;
+    handle?: string;
+    avatarUrl?: string;
+    kind: ESocialAccountKind;
+}
+export interface AuthUrlParams {
+    /** Opaque CSRF state we generate + verify on callback. */
+    state: string;
+    /** The OAuth redirect URI registered with the provider. */
+    redirectUri: string;
+    /** Ask for premium/business scopes (G-features) where supported. */
+    requestBusinessScopes?: boolean;
+}
+export interface ExchangeCodeParams {
+    code: string;
+    redirectUri: string;
+}
+/** Result of a successful connect: who they are + their (cleartext) tokens. */
+export interface ConnectResult {
+    account: ResolvedSocialAccount;
+    tokens: OAuthTokens;
+}
+/** Abstract OAuth provider. Implementations are stateless + config-driven. */
+export interface ISocialOAuthProvider {
+    readonly provider: ESocialProvider;
+    /** Build the provider authorization URL to redirect the user to. */
+    getAuthUrl(params: AuthUrlParams): string;
+    /** Exchange the callback `code` for tokens + resolve the account identity. */
+    exchangeCode(params: ExchangeCodeParams): Promise<ConnectResult>;
+    /**
+     * Multi-account variant: a single OAuth grant can yield several accounts (e.g.
+     * Meta returns every FB Page + linked IG Business account the user manages).
+     * When present, the callback upserts ALL returned accounts. Providers that map
+     * one grant → one account (YouTube) leave this undefined and the callback uses
+     * `exchangeCode`. See notes/SOCIAL_SUITE_PLAN.md §4.
+     */
+    exchangeCodeMulti?(params: ExchangeCodeParams): Promise<ConnectResult[]>;
+    /** Refresh an expiring access token using the stored refresh token. */
+    refresh(refreshToken: string): Promise<OAuthTokens>;
+    /** Best-effort revoke at the provider (called on disconnect). */
+    revoke?(token: string): Promise<void>;
+}
+//# sourceMappingURL=types.d.ts.map

package/lib/services/socialOAuth/types.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/services/socialOAuth/types.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAE1E;;;;;;;;GAQG;AAEH,sEAAsE;AACtE,MAAM,WAAW,WAAW;IAC1B,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,6CAA6C;IAC7C,SAAS,EAAE,MAAM,CAAC;IAClB,6DAA6D;IAC7D,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,2DAA2D;IAC3D,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAED,wEAAwE;AACxE,MAAM,WAAW,qBAAqB;IACpC,iBAAiB,EAAE,MAAM,CAAC;IAC1B,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,kBAAkB,CAAC;CAC1B;AAED,MAAM,WAAW,aAAa;IAC5B,0DAA0D;IAC1D,KAAK,EAAE,MAAM,CAAC;IACd,2DAA2D;IAC3D,WAAW,EAAE,MAAM,CAAC;IACpB,oEAAoE;IACpE,qBAAqB,CAAC,EAAE,OAAO,CAAC;CACjC;AAED,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,+EAA+E;AAC/E,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,qBAAqB,CAAC;IAC/B,MAAM,EAAE,WAAW,CAAC;CACrB;AAED,8EAA8E;AAC9E,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,QAAQ,EAAE,eAAe,CAAC;IACnC,oEAAoE;IACpE,UAAU,CAAC,MAAM,EAAE,aAAa,GAAG,MAAM,CAAC;IAC1C,8EAA8E;IAC9E,YAAY,CAAC,MAAM,EAAE,kBAAkB,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;IACjE;;;;;;OAMG;IACH,iBAAiB,CAAC,CAAC,MAAM,EAAE,kBAAkB,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC,CAAC;IACzE,uEAAuE;IACvE,OAAO,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC;IACpD,iEAAiE;IACjE,MAAM,CAAC,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACvC"}

package/lib/services/socialOAuth/types.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ "use strict";
2	+ Object.defineProperty(exports, "__esModule", { value: true });

package/lib/services/socialOAuth/x.oauth.d.ts ADDED Viewed

@@ -0,0 +1,17 @@
+import { ESocialProvider } from "../../globals/types";
+import { AuthUrlParams, ConnectResult, ExchangeCodeParams, ISocialOAuthProvider, OAuthTokens } from "./types";
+export declare class XOAuthProvider implements ISocialOAuthProvider {
+    readonly provider = ESocialProvider.X;
+    private clientId;
+    private clientSecret;
+    /** Deterministic PKCE verifier (base64url, 43 chars) — see header note. */
+    private codeVerifier;
+    private basicAuth;
+    getAuthUrl({ state, redirectUri }: AuthUrlParams): string;
+    exchangeCode({ code, redirectUri, }: ExchangeCodeParams): Promise<ConnectResult>;
+    refresh(refreshToken: string): Promise<OAuthTokens>;
+    private postToken;
+    private toTokens;
+    private resolveAccount;
+}
+//# sourceMappingURL=x.oauth.d.ts.map

package/lib/services/socialOAuth/x.oauth.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"x.oauth.d.ts","sourceRoot":"","sources":["../../../src/services/socialOAuth/x.oauth.ts"],"names":[],"mappings":"AACA,OAAO,EAAsB,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAC1E,OAAO,EACL,aAAa,EACb,aAAa,EACb,kBAAkB,EAClB,oBAAoB,EACpB,WAAW,EACZ,MAAM,SAAS,CAAC;AAuCjB,qBAAa,cAAe,YAAW,oBAAoB;IACzD,QAAQ,CAAC,QAAQ,qBAAqB;IAEtC,OAAO,CAAC,QAAQ;IAKhB,OAAO,CAAC,YAAY;IAKpB,2EAA2E;IAC3E,OAAO,CAAC,YAAY;IAKpB,OAAO,CAAC,SAAS;IAMjB,UAAU,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,EAAE,aAAa,GAAG,MAAM;IAenD,YAAY,CAAC,EACjB,IAAI,EACJ,WAAW,GACZ,EAAE,kBAAkB,GAAG,OAAO,CAAC,aAAa,CAAC;IAkBxC,OAAO,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;YAiB3C,SAAS;IAoBvB,OAAO,CAAC,QAAQ;YASF,cAAc;CAkB7B"}

package/lib/services/socialOAuth/x.oauth.js ADDED Viewed

@@ -0,0 +1,134 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.XOAuthProvider = void 0;
+const crypto_1 = require("crypto");
+const types_1 = require("../../globals/types");
+/**
+ * X (Twitter) OAuth 2.0 provider with PKCE. Phase 6 — fast-follow adapter.
+ *
+ * Config (env):
+ *   X_CLIENT_ID
+ *   X_CLIENT_SECRET   — confidential client (sent via HTTP Basic on token calls)
+ *
+ * PKCE note: X mandates PKCE even for confidential clients, but the OAuth
+ * callback hands `exchangeCode` only {code, redirectUri} — not the per-session
+ * `state`. So we use a DETERMINISTIC app-level verifier derived from the client
+ * secret (method=plain): `getAuthUrl` and `exchangeCode` both recompute the same
+ * value with no shared session storage. With a confidential client the secret
+ * (Basic auth) is the real protection; the static verifier just satisfies the
+ * PKCE requirement. `offline.access` is required to receive a refresh token.
+ */
+const AUTH_ENDPOINT = "https://twitter.com/i/oauth2/authorize";
+const TOKEN_ENDPOINT = "https://api.twitter.com/2/oauth2/token";
+const ME_ENDPOINT = "https://api.twitter.com/2/users/me?user.fields=profile_image_url,username,name";
+const BASE_SCOPES = ["tweet.read", "tweet.write", "users.read", "offline.access"];
+class XOAuthProvider {
+    constructor() {
+        this.provider = types_1.ESocialProvider.X;
+    }
+    clientId() {
+        const v = process.env.X_CLIENT_ID;
+        if (!v)
+            throw new Error("XOAuth: X_CLIENT_ID not set");
+        return v;
+    }
+    clientSecret() {
+        const v = process.env.X_CLIENT_SECRET;
+        if (!v)
+            throw new Error("XOAuth: X_CLIENT_SECRET not set");
+        return v;
+    }
+    /** Deterministic PKCE verifier (base64url, 43 chars) — see header note. */
+    codeVerifier() {
+        return (0, crypto_1.createHash)("sha256")
+            .update(`${this.clientSecret()}:vidspot-x-pkce`)
+            .digest("base64url");
+    }
+    basicAuth() {
+        return Buffer.from(`${this.clientId()}:${this.clientSecret()}`).toString("base64");
+    }
+    getAuthUrl({ state, redirectUri }) {
+        const verifier = this.codeVerifier();
+        const params = new URLSearchParams({
+            response_type: "code",
+            client_id: this.clientId(),
+            redirect_uri: redirectUri,
+            scope: BASE_SCOPES.join(" "),
+            state,
+            // method=plain → challenge equals verifier verbatim.
+            code_challenge: verifier,
+            code_challenge_method: "plain",
+        });
+        return `${AUTH_ENDPOINT}?${params.toString()}`;
+    }
+    async exchangeCode({ code, redirectUri, }) {
+        const token = await this.postToken(new URLSearchParams({
+            grant_type: "authorization_code",
+            code,
+            redirect_uri: redirectUri,
+            client_id: this.clientId(),
+            code_verifier: this.codeVerifier(),
+        }));
+        if (!token.access_token) {
+            throw new Error("XOAuth: token exchange returned no access_token");
+        }
+        const tokens = this.toTokens(token);
+        const account = await this.resolveAccount(token.access_token);
+        return { account, tokens };
+    }
+    async refresh(refreshToken) {
+        const token = await this.postToken(new URLSearchParams({
+            grant_type: "refresh_token",
+            refresh_token: refreshToken,
+            client_id: this.clientId(),
+        }));
+        if (!token.access_token) {
+            throw new Error("XOAuth: refresh returned no access_token");
+        }
+        const tokens = this.toTokens(token);
+        // X rotates refresh tokens; keep the old one only if none came back.
+        if (!tokens.refreshToken)
+            tokens.refreshToken = refreshToken;
+        return tokens;
+    }
+    async postToken(body) {
+        const resp = await fetch(TOKEN_ENDPOINT, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/x-www-form-urlencoded",
+                Authorization: `Basic ${this.basicAuth()}`,
+            },
+            body: body.toString(),
+        });
+        const json = (await resp.json());
+        if (!resp.ok || json.error) {
+            throw new Error(`XOAuth: token endpoint ${resp.status} ${json.error ?? ""} ${json.error_description ?? ""}`.trim());
+        }
+        return json;
+    }
+    toTokens(token) {
+        return {
+            accessToken: token.access_token,
+            refreshToken: token.refresh_token,
+            expiresAt: Date.now() + (token.expires_in ?? 7200) * 1000,
+            scopes: token.scope ? token.scope.split(" ").filter(Boolean) : [],
+        };
+    }
+    async resolveAccount(accessToken) {
+        const resp = await fetch(ME_ENDPOINT, {
+            headers: { Authorization: `Bearer ${accessToken}` },
+        });
+        const json = (await resp.json());
+        if (!resp.ok || !json.data?.id) {
+            throw new Error(`XOAuth: /users/me ${resp.status} ${json.errors?.[0]?.detail ?? ""}`.trim());
+        }
+        return {
+            providerAccountId: json.data.id,
+            displayName: json.data.name ?? "X account",
+            handle: json.data.username,
+            avatarUrl: json.data.profile_image_url,
+            kind: types_1.ESocialAccountKind.PERSONAL,
+        };
+    }
+}
+exports.XOAuthProvider = XOAuthProvider;

package/lib/services/socialOAuth/youtube.oauth.d.ts ADDED Viewed

@@ -0,0 +1,15 @@
+import { ESocialProvider } from "../../globals/types";
+import { AuthUrlParams, ConnectResult, ExchangeCodeParams, ISocialOAuthProvider, OAuthTokens } from "./types";
+export declare class YouTubeOAuthProvider implements ISocialOAuthProvider {
+    readonly provider = ESocialProvider.YOUTUBE;
+    private clientId;
+    private clientSecret;
+    getAuthUrl({ state, redirectUri, requestBusinessScopes, }: AuthUrlParams): string;
+    exchangeCode({ code, redirectUri, }: ExchangeCodeParams): Promise<ConnectResult>;
+    refresh(refreshToken: string): Promise<OAuthTokens>;
+    revoke(token: string): Promise<void>;
+    private postToken;
+    private toTokens;
+    private resolveAccount;
+}
+//# sourceMappingURL=youtube.oauth.d.ts.map

package/lib/services/socialOAuth/youtube.oauth.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"youtube.oauth.d.ts","sourceRoot":"","sources":["../../../src/services/socialOAuth/youtube.oauth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAsB,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAE1E,OAAO,EACL,aAAa,EACb,aAAa,EACb,kBAAkB,EAClB,oBAAoB,EACpB,WAAW,EACZ,MAAM,SAAS,CAAC;AAoDjB,qBAAa,oBAAqB,YAAW,oBAAoB;IAC/D,QAAQ,CAAC,QAAQ,2BAA2B;IAE5C,OAAO,CAAC,QAAQ;IAMhB,OAAO,CAAC,YAAY;IAOpB,UAAU,CAAC,EACT,KAAK,EACL,WAAW,EACX,qBAAqB,GACtB,EAAE,aAAa,GAAG,MAAM;IAiBnB,YAAY,CAAC,EACjB,IAAI,EACJ,WAAW,GACZ,EAAE,kBAAkB,GAAG,OAAO,CAAC,aAAa,CAAC;IAiBxC,OAAO,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;IAiBnD,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;YAc5B,SAAS;IAmBvB,OAAO,CAAC,QAAQ;YAUF,cAAc;CAwB7B"}

package/lib/services/socialOAuth/youtube.oauth.js ADDED Viewed

@@ -0,0 +1,156 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.YouTubeOAuthProvider = void 0;
+const types_1 = require("../../globals/types");
+const logger_1 = require("../../utils/logger");
+/**
+ * YouTube (Google) OAuth 2.0 provider. Phase 1 of the Social Suite — the first
+ * end-to-end platform (cleanest API + native scheduling). See SOCIAL_SUITE_PLAN.md.
+ *
+ * Config (env):
+ *   GOOGLE_OAUTH_CLIENT_ID      — OAuth client id (Web application)
+ *   GOOGLE_OAUTH_CLIENT_SECRET  — OAuth client secret
+ *
+ * Notes:
+ * - `access_type=offline` + `prompt=consent` are required to reliably receive a
+ *   refresh token (Google only returns it on first consent unless prompted).
+ * - While the OAuth app is in "Testing", refresh tokens expire after 7 days —
+ *   publish the consent screen before production. (Plan §3.)
+ */
+const AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth";
+const TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token";
+const REVOKE_ENDPOINT = "https://oauth2.googleapis.com/revoke";
+const CHANNELS_ENDPOINT = "https://www.googleapis.com/youtube/v3/channels?part=snippet&mine=true";
+/** Scopes needed to upload + read analytics + manage comments. */
+const BASE_SCOPES = [
+    "https://www.googleapis.com/auth/youtube.upload",
+    "https://www.googleapis.com/auth/youtube.readonly",
+    "https://www.googleapis.com/auth/yt-analytics.readonly",
+];
+/** force-ssl is required for comment list/insert/moderate (premium engage). */
+const COMMENT_SCOPES = ["https://www.googleapis.com/auth/youtube.force-ssl"];
+class YouTubeOAuthProvider {
+    constructor() {
+        this.provider = types_1.ESocialProvider.YOUTUBE;
+    }
+    clientId() {
+        const id = process.env.GOOGLE_OAUTH_CLIENT_ID;
+        if (!id)
+            throw new Error("YouTubeOAuth: GOOGLE_OAUTH_CLIENT_ID not set");
+        return id;
+    }
+    clientSecret() {
+        const secret = process.env.GOOGLE_OAUTH_CLIENT_SECRET;
+        if (!secret)
+            throw new Error("YouTubeOAuth: GOOGLE_OAUTH_CLIENT_SECRET not set");
+        return secret;
+    }
+    getAuthUrl({ state, redirectUri, requestBusinessScopes, }) {
+        const scopes = requestBusinessScopes
+            ? [...BASE_SCOPES, ...COMMENT_SCOPES]
+            : BASE_SCOPES;
+        const params = new URLSearchParams({
+            client_id: this.clientId(),
+            redirect_uri: redirectUri,
+            response_type: "code",
+            scope: scopes.join(" "),
+            access_type: "offline",
+            include_granted_scopes: "true",
+            prompt: "consent",
+            state,
+        });
+        return `${AUTH_ENDPOINT}?${params.toString()}`;
+    }
+    async exchangeCode({ code, redirectUri, }) {
+        const body = new URLSearchParams({
+            code,
+            client_id: this.clientId(),
+            client_secret: this.clientSecret(),
+            redirect_uri: redirectUri,
+            grant_type: "authorization_code",
+        });
+        const token = await this.postToken(body);
+        if (!token.access_token) {
+            throw new Error("YouTubeOAuth: token exchange returned no access_token");
+        }
+        const tokens = this.toTokens(token);
+        const account = await this.resolveAccount(token.access_token);
+        return { account, tokens };
+    }
+    async refresh(refreshToken) {
+        const body = new URLSearchParams({
+            client_id: this.clientId(),
+            client_secret: this.clientSecret(),
+            refresh_token: refreshToken,
+            grant_type: "refresh_token",
+        });
+        const token = await this.postToken(body);
+        if (!token.access_token) {
+            throw new Error("YouTubeOAuth: refresh returned no access_token");
+        }
+        // Google does not re-issue a refresh token on refresh; preserve the old one.
+        const tokens = this.toTokens(token);
+        if (!tokens.refreshToken)
+            tokens.refreshToken = refreshToken;
+        return tokens;
+    }
+    async revoke(token) {
+        try {
+            await fetch(REVOKE_ENDPOINT, {
+                method: "POST",
+                headers: { "Content-Type": "application/x-www-form-urlencoded" },
+                body: new URLSearchParams({ token }).toString(),
+            });
+        }
+        catch (err) {
+            logger_1.logger.warn("YouTubeOAuth.revoke: failed (non-fatal)", {
+                error: err instanceof Error ? err.message : String(err),
+            });
+        }
+    }
+    async postToken(body) {
+        const resp = await fetch(TOKEN_ENDPOINT, {
+            method: "POST",
+            headers: { "Content-Type": "application/x-www-form-urlencoded" },
+            body: body.toString(),
+        });
+        const json = (await resp.json());
+        if (!resp.ok || json.error) {
+            throw new Error(`YouTubeOAuth: token endpoint ${resp.status} ${json.error ?? ""} ${json.error_description ?? ""}`.trim());
+        }
+        return json;
+    }
+    toTokens(token) {
+        const expiresInMs = (token.expires_in ?? 3600) * 1000;
+        return {
+            accessToken: token.access_token,
+            refreshToken: token.refresh_token,
+            expiresAt: Date.now() + expiresInMs,
+            scopes: token.scope ? token.scope.split(" ").filter(Boolean) : [],
+        };
+    }
+    async resolveAccount(accessToken) {
+        const resp = await fetch(CHANNELS_ENDPOINT, {
+            headers: { Authorization: `Bearer ${accessToken}` },
+        });
+        if (!resp.ok) {
+            throw new Error(`YouTubeOAuth: channels lookup ${resp.status}`);
+        }
+        const json = (await resp.json());
+        const channel = json.items?.[0];
+        if (!channel?.id) {
+            throw new Error("YouTubeOAuth: no channel on this Google account");
+        }
+        const thumb = channel.snippet?.thumbnails?.high?.url ??
+            channel.snippet?.thumbnails?.default?.url;
+        return {
+            providerAccountId: channel.id,
+            displayName: channel.snippet?.title ?? "YouTube channel",
+            handle: channel.snippet?.customUrl,
+            avatarUrl: thumb,
+            // YouTube has no API "business" flag; channels are creator-grade by default.
+            kind: types_1.ESocialAccountKind.CREATOR,
+        };
+    }
+}
+exports.YouTubeOAuthProvider = YouTubeOAuthProvider;

package/lib/services/socialPublish/factory.d.ts ADDED Viewed

@@ -0,0 +1,5 @@
+import { ESocialProvider } from "../../globals/types";
+import { ISocialPublisher } from "./types";
+export declare function getSocialPublisher(provider: ESocialProvider): ISocialPublisher;
+export declare function isSocialPublishSupported(provider: ESocialProvider): boolean;
+//# sourceMappingURL=factory.d.ts.map

package/lib/services/socialPublish/factory.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"factory.d.ts","sourceRoot":"","sources":["../../../src/services/socialPublish/factory.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAMtD,OAAO,EAAE,gBAAgB,EAAE,MAAM,SAAS,CAAC;AAe3C,wBAAgB,kBAAkB,CAChC,QAAQ,EAAE,eAAe,GACxB,gBAAgB,CAMlB;AAED,wBAAgB,wBAAwB,CAAC,QAAQ,EAAE,eAAe,GAAG,OAAO,CAE3E"}

package/lib/services/socialPublish/factory.js ADDED Viewed

@@ -0,0 +1,32 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getSocialPublisher = getSocialPublisher;
+exports.isSocialPublishSupported = isSocialPublishSupported;
+const types_1 = require("../../globals/types");
+const linkedin_publish_1 = require("./linkedin.publish");
+const meta_publish_1 = require("./meta.publish");
+const pinterest_publish_1 = require("./pinterest.publish");
+const threads_publish_1 = require("./threads.publish");
+const tiktok_publish_1 = require("./tiktok.publish");
+const x_publish_1 = require("./x.publish");
+const youtube_publish_1 = require("./youtube.publish");
+const registry = {
+    [types_1.ESocialProvider.YOUTUBE]: () => new youtube_publish_1.YouTubePublisher(),
+    [types_1.ESocialProvider.INSTAGRAM]: () => new meta_publish_1.InstagramPublisher(),
+    [types_1.ESocialProvider.FACEBOOK]: () => new meta_publish_1.FacebookPublisher(),
+    [types_1.ESocialProvider.TIKTOK]: () => new tiktok_publish_1.TikTokPublisher(),
+    [types_1.ESocialProvider.THREADS]: () => new threads_publish_1.ThreadsPublisher(),
+    [types_1.ESocialProvider.LINKEDIN]: () => new linkedin_publish_1.LinkedInPublisher(),
+    [types_1.ESocialProvider.X]: () => new x_publish_1.XPublisher(),
+    [types_1.ESocialProvider.PINTEREST]: () => new pinterest_publish_1.PinterestPublisher(),
+};
+function getSocialPublisher(provider) {
+    const make = registry[provider];
+    if (!make) {
+        throw new Error(`Social publishing not implemented for '${provider}'`);
+    }
+    return make();
+}
+function isSocialPublishSupported(provider) {
+    return Boolean(registry[provider]);
+}

package/lib/services/socialPublish/index.d.ts ADDED Viewed

@@ -0,0 +1,10 @@
+export * from "./types";
+export * from "./youtube.publish";
+export * from "./meta.publish";
+export * from "./tiktok.publish";
+export * from "./threads.publish";
+export * from "./linkedin.publish";
+export * from "./x.publish";
+export * from "./pinterest.publish";
+export * from "./factory";
+//# sourceMappingURL=index.d.ts.map

package/lib/services/socialPublish/index.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/services/socialPublish/index.ts"],"names":[],"mappings":"AAAA,cAAc,SAAS,CAAC;AACxB,cAAc,mBAAmB,CAAC;AAClC,cAAc,gBAAgB,CAAC;AAC/B,cAAc,kBAAkB,CAAC;AACjC,cAAc,mBAAmB,CAAC;AAClC,cAAc,oBAAoB,CAAC;AACnC,cAAc,aAAa,CAAC;AAC5B,cAAc,qBAAqB,CAAC;AACpC,cAAc,WAAW,CAAC"}

package/lib/services/socialPublish/index.js ADDED Viewed

@@ -0,0 +1,25 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./types"), exports);
+__exportStar(require("./youtube.publish"), exports);
+__exportStar(require("./meta.publish"), exports);
+__exportStar(require("./tiktok.publish"), exports);
+__exportStar(require("./threads.publish"), exports);
+__exportStar(require("./linkedin.publish"), exports);
+__exportStar(require("./x.publish"), exports);
+__exportStar(require("./pinterest.publish"), exports);
+__exportStar(require("./factory"), exports);

package/lib/services/socialPublish/linkedin.publish.d.ts ADDED Viewed

@@ -0,0 +1,9 @@
+import { ESocialProvider } from "../../globals/types";
+import { ISocialPublisher, PublishInput, PublishResult } from "./types";
+export declare class LinkedInPublisher implements ISocialPublisher {
+    readonly provider = ESocialProvider.LINKEDIN;
+    publish(input: PublishInput): Promise<PublishResult>;
+    private resolveVisibility;
+    private buildCommentary;
+}
+//# sourceMappingURL=linkedin.publish.d.ts.map

package/lib/services/socialPublish/linkedin.publish.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"linkedin.publish.d.ts","sourceRoot":"","sources":["../../../src/services/socialPublish/linkedin.publish.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAEtD,OAAO,EAAE,gBAAgB,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AA0CxE,qBAAa,iBAAkB,YAAW,gBAAgB;IACxD,QAAQ,CAAC,QAAQ,4BAA4B;IAEvC,OAAO,CAAC,KAAK,EAAE,YAAY,GAAG,OAAO,CAAC,aAAa,CAAC;IAwG1D,OAAO,CAAC,iBAAiB;IAKzB,OAAO,CAAC,eAAe;CAQxB"}