import { type TokenChainResult } from "../../confluent/oauth/token-chain.js"; import type { Auth0Config } from "../../confluent/oauth/types.js"; /** Maximum time to wait for the user to complete the browser PKCE flow. */ export declare const PKCE_LOGIN_TIMEOUT_MS = 120000; /** Path the success page POSTs to when the user copies the install hint. */ export declare const SKILLS_HINT_COPIED_PATH = "/skills-hint-copied"; /** * Path the success page opens an EventSource to. The open connection is what * keeps the callback server alive past the OAuth redirect: as long as the page * is in a tab, the stream is connected and beacons land on a live listener. * When the tab closes, the stream disconnects and the server tears down. */ export declare const SKILLS_HINT_STREAM_PATH = "/skills-hint-stream"; /** * Safety cap on how long the callback server can stay bound after a successful * auth. The stream-disconnect path is the normal closer; this is just the * "user left the tab open and walked away" backstop. Kept tight (60s) because * a lingering listener will collide with the next PKCE attempt — if a token * refresh fails non-transiently inside this window and triggers a fresh login, * the second attempt errors with `port_in_use` when in fact it's this same * session's leftover listener still holding the port. */ export declare const SUCCESS_PAGE_MAX_LIFETIME_MS = 60000; /** Reasons a PKCE login can fail. Carried on {@link PkceLoginError}. */ export type PkceLoginFailureReason = "timeout" | "user_aborted" | "port_in_use" | "auth0_unreachable" | "callback_server_error" | "configuration"; /** Structured error so callers can react to the cause of a failed PKCE login. */ export declare class PkceLoginError extends Error { readonly reason: PkceLoginFailureReason; constructor(reason: PkceLoginFailureReason, message: string); } /** * Runs the PKCE flow end-to-end: * - generates verifier / challenge / state * - binds a one-shot HTTP listener on {@link OAUTH_CALLBACK_PORT} * - opens the browser to the Auth0 authorization endpoint * - waits for the redirect carrying the auth code * - exchanges the code for the full Confluent token chain * * Bounded by {@link PKCE_LOGIN_TIMEOUT_MS}. Throws {@link PkceLoginError} on * failure with a structured `reason`. If `signal` aborts before the auth * code arrives, throws `PkceLoginError("user_aborted", ...)` and the finally * block tears down the timer + HTTP server. */ export declare function runPkceLogin(auth0Config: Auth0Config, signal?: AbortSignal): Promise; //# sourceMappingURL=pkce-login.d.ts.map