/** * @fileoverview OAuth (bearer-auth) client manager. Wires Confluent Cloud * REST surfaces, native Kafka admin/producer/consumer (via `@confluentinc/kafka-javascript` + * SASL/OAUTHBEARER), and the Schema Registry SDK to bearer tokens supplied * by an {@link OAuthHolder}. REST endpoint URLs and Kafka bootstrap servers * are resolved at call time from the CCloud environment + cluster IDs the * agent supplies as tool args. * * Native Kafka clients are built fresh per call; handlers wrap usage in * `try { ... } finally { await disposeIfOAuth(...) }` for caller-owned * disposal. SASL/OAUTHBEARER is configured via librdkafka's synchronous * token-refresh callback (no kafkaJS-compat async-provider race), so no * warmup workaround is needed. * * Schema Registry serialization is supported through `produce-message` and * `consume-messages`: the manager's `getSchemaRegistrySdkClient` auto-resolves * the SR cluster id from the environment id supplied by the agent (single SR * per environment is the CCloud invariant) and builds a bearer-authenticated * SDK client per call. */ import type { KafkaJS } from "@confluentinc/kafka-javascript"; import { SchemaRegistryClient } from "@confluentinc/schemaregistry"; import { BaseClientManager } from "../confluent/base-client-manager.js"; import type { ConfluentRestClient } from "../confluent/client-manager.js"; import { OAuthHolder } from "../confluent/oauth/oauth-holder.js"; import type { Auth0Environment } from "../confluent/oauth/types.js"; /** * Bearer-auth client manager. Wires every REST surface to the OAuth holder's * tokens — control plane (cloud / tableflow / telemetry) reads * {@link OAuthHolder.getControlPlaneToken}; data plane (flink / schema-registry * REST / kafka REST) reads {@link OAuthHolder.getDataPlaneToken}. Cloud REST URL * is auto-derived from the CCloud env. Native Kafka clients (admin, producer, * consumer) are built fresh per call against bootstrap endpoints resolved * via the cmk REST API; SASL/OAUTHBEARER is configured via librdkafka's * synchronous token-refresh callback to avoid the kafkaJS-compat * async-provider race that previously required a warmup workaround. */ export declare class OAuthClientManager extends BaseClientManager { private readonly holder; private readonly kafkaDebug; /** * @param kafkaDebug Optional librdkafka `debug` contexts string, threaded * through to every native Kafka client built by this manager. Sourced * from `connections..kafka_debug` on the OAuth YAML arm; used as a * diagnostic knob when a SASL/OAUTHBEARER handshake misbehaves. */ constructor(holder: OAuthHolder, env: Auth0Environment, kafkaDebug?: string); /** @inheritdoc */ getSchemaRegistrySdkClient(envId?: string): Promise; /** @inheritdoc */ getConfluentCloudKafkaRestClient(clusterId?: string, envId?: string): Promise; /** @inheritdoc */ getSchemaRegistryRestClient(envId?: string): Promise; /** @inheritdoc */ getKafkaAdminClient(clusterId?: string, envId?: string): Promise; /** @inheritdoc */ getKafkaProducer(clusterId?: string, envId?: string): Promise; /** @inheritdoc */ buildKafkaConsumer(clusterId?: string, envId?: string, groupId?: string): Promise; /** @inheritdoc */ disconnect(): Promise; /** * Returns the current data-plane token, throwing when none is available. * Used by every OAuth-side client accessor to fail fast before * constructing a client with an empty bearer. * * The MCP tool-call gate calls `holder.ensureLoggedIn()` before any * handler that needs Confluent access, so by the time this method runs * login has already completed. A missing DPAT here means the holder was * cleared mid-call (shutdown raced with a tool call) or a non-transient * refresh error has invalidated the token between the gate check and * the client construction — both rare and surface a clear message. */ private requireDataPlaneToken; private requireClusterArgs; private buildOAuthKafkaClient; } //# sourceMappingURL=oauth-client-manager.d.ts.map