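import type { AuthCredential } from "../auth-storage";
import type {
    CredentialDisableResponse,
    CredentialRefreshResponse,
    CredentialUploadResponse,
    HealthzResponse,
    SnapshotResponse,
    SnapshotStreamEvent,
    UsageResponse,
} from "./types";

/** Construction options for {@link AuthBrokerClient}. */
export interface AuthBrokerClientOptions {
    /**
     * Base URL (e.g. `https://broker.tailnet:8765`). Trailing slashes are trimmed.
     *
     * Every authenticated request is addressed to this base, so the bearer
     * token travels to whatever host is configured here. Prefer an `https:`
     * URL unless the transport is protected some other way.
     */
    url: string;
    /**
     * Bearer token used for everything except `healthz`.
     *
     * This is a secret: keep it out of logs, error messages and crash reports.
     */
    token: string;
    /** Per-request timeout in milliseconds. Default 10s. */
    timeoutMs?: number;
    /** Retry connection errors this many times. Default 1. */
    maxRetries?: number;
    /**
     * Override fetch (used in tests). Default global `fetch`.
     *
     * NOTE(review): a replacement presumably receives every outgoing request,
     * including the bearer token and uploaded credentials; confirm, and only
     * pass trusted implementations.
     */
    fetchImpl?: typeof fetch;
}

/**
 * Error class exported for the broker client. `status` and `body` are optional
 * details supplied through the constructor options.
 *
 * NOTE(review): presumably `status` is the HTTP status code and `body` the raw
 * response text of a failed request; confirm against the implementation. If
 * `body` is raw broker output, review what it can contain before logging it
 * verbatim.
 */
export declare class AuthBrokerError extends Error {
    readonly status: number | undefined;
    readonly body: string | undefined;
    constructor(message: string, opts?: {
        status?: number;
        body?: string;
        cause?: unknown;
    });
}

/**
 * Thrown when a broker responds 404 to `GET /v1/snapshot/stream` — old
 * brokers that predate the SSE endpoint. Callers (`RemoteAuthCredentialStore`)
 * detect this sentinel to fall back to long-polling permanently.
 */
export declare class AuthBrokerStreamUnsupportedError extends AuthBrokerError {
    constructor(message?: string);
}

/**
 * Options for {@link AuthBrokerClient.fetchSnapshot}.
 *
 * NOTE(review): presumably `ifGenerationGt` makes the fetch conditional on the
 * broker's generation and `waitMs` bounds a long-poll wait; confirm against
 * the broker API. `signal` is an `AbortSignal` supplied by the caller.
 */
export interface FetchSnapshotOptions {
    ifGenerationGt?: number;
    waitMs?: number;
    signal?: AbortSignal;
}

/**
 * Result of a snapshot fetch, discriminated on `status`: `200` carries the
 * snapshot together with its generation, `304` carries the generation only.
 */
export type FetchSnapshotResult = {
    status: 200;
    snapshot: SnapshotResponse;
    generation: number;
} | {
    status: 304;
    generation: number;
};

/**
 * Client for the auth broker's HTTP API.
 *
 * NOTE(review): the type arguments on the return types below are reconstructed
 * from the response types this file imports (a bare `Promise` does not
 * type-check); verify each pairing, and the `AsyncGenerator` return/next
 * types, against the implementation.
 */
export declare class AuthBrokerClient {
    #private;
    constructor(opts: AuthBrokerClientOptions);
    /** Health probe; per the `token` option docs, the one call made without the bearer token. */
    healthz(signal?: AbortSignal): Promise<HealthzResponse>;
    /** Fetch the snapshot; resolves to the 200 or 304 variant of {@link FetchSnapshotResult}. */
    fetchSnapshot(opts?: FetchSnapshotOptions): Promise<FetchSnapshotResult>;
    /**
     * Subscribe to the broker's SSE snapshot stream. The first frame is always
     * a full `snapshot`; subsequent frames are `entry` upserts / refreshes or
     * `removed` deletes. Caller controls lifecycle via `opts.signal`.
     *
     * Throws {@link AuthBrokerStreamUnsupportedError} when the broker responds
     * 404 — older brokers predate this endpoint and the caller should fall back
     * to long-polling for the remainder of its lifetime.
     */
    openSnapshotStream(opts?: {
        signal?: AbortSignal;
    }): AsyncGenerator<SnapshotStreamEvent>;
    /** Fetch usage data from the broker. */
    fetchUsage(signal?: AbortSignal): Promise<UsageResponse>;
    /** Ask the broker to refresh the credential with the given numeric `id`. */
    refreshCredential(id: number, signal?: AbortSignal): Promise<CredentialRefreshResponse>;
    /**
     * Ask the broker to disable the credential with the given numeric `id`.
     * `cause` is a caller-supplied string; presumably the reason recorded for
     * the disable — confirm how the broker stores or displays it.
     */
    disableCredential(id: number, cause: string, signal?: AbortSignal): Promise<CredentialDisableResponse>;
    /**
     * Upload `credential` for `provider`. The argument is credential material,
     * so treat the request and any captured copy of it as secret.
     */
    uploadCredential(provider: string, credential: AuthCredential, signal?: AbortSignal): Promise<CredentialUploadResponse>;
}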