/** * @license * Copyright 2025 Vybestack LLC * SPDX-License-Identifier: Apache-2.0 */ import type { SettingsService } from '../settings/SettingsService.js'; export interface AuthPrecedenceConfig { apiKey?: string; envKeyNames?: string[]; isOAuthEnabled?: boolean; supportsOAuth?: boolean; oauthProvider?: string; providerId?: string; } import { type OAuthToken } from './types.js'; export interface OAuthTokenRequestMetadata { runtimeAuthScopeId?: string; providerId?: string; profileId?: string; cliScope?: Record; runtimeMetadata?: Record; } export interface OAuthManager { getToken(provider: string, metadata?: OAuthTokenRequestMetadata): Promise; isAuthenticated(provider: string): Promise; getOAuthToken?(provider: string, metadata?: OAuthTokenRequestMetadata): Promise; } interface ResolveAuthOptions { settingsService?: SettingsService | null; includeOAuth?: boolean; } export interface RuntimeAuthScopeCacheEntrySummary { key: string; providerId: string; profileId: string; runtimeAuthScopeId: string; preview: string; createdAt: number; expiresAt?: number; stale: boolean; reason?: string; } export interface RuntimeAuthScopeFlushResult { runtimeId: string; revokedTokens: RuntimeAuthScopeCacheEntrySummary[]; } /** * @plan PLAN-20251018-STATELESSPROVIDER2.P18 * @requirement REQ-SP2-004 * @pseudocode auth-runtime-scope.md lines 7-7 * Flush scoped credentials for a runtime and return revocation metadata. */ export declare function flushRuntimeAuthScope(runtimeId: string): RuntimeAuthScopeFlushResult; export declare class AuthPrecedenceResolver { private config; private oauthManager?; private settingsService?; constructor(config: AuthPrecedenceConfig, oauthManager?: OAuthManager, settingsService?: SettingsService); /** * @plan PLAN-20251018-STATELESSPROVIDER2.P06 * @requirement REQ-SP2-001 * @pseudocode base-provider-call-contract.md lines 1-2 */ setSettingsService(settingsService: SettingsService | null | undefined): void; /** * @plan PLAN-20251018-STATELESSPROVIDER2.P06 * @requirement REQ-SP2-001 * @pseudocode base-provider-call-contract.md lines 1-2 */ private resolveSettingsService; /** * @plan PLAN-20251018-STATELESSPROVIDER2.P06 * @requirement REQ-SP2-001 * @pseudocode base-provider-call-contract.md lines 1-3 * Resolves authentication using the full precedence chain * Returns the first available authentication method or null if none found */ resolveAuthentication(options?: ResolveAuthOptions): Promise; /** * @plan PLAN-20251018-STATELESSPROVIDER2.P06 * @requirement REQ-SP2-001 * @pseudocode base-provider-call-contract.md lines 1-3 * Check if any authentication method is available without triggering OAuth */ hasNonOAuthAuthentication(options?: ResolveAuthOptions): Promise; /** * @plan PLAN-20251018-STATELESSPROVIDER2.P06 * @requirement REQ-SP2-001 * @pseudocode base-provider-call-contract.md lines 1-3 * Check if OAuth is the only available authentication method */ isOAuthOnlyAvailable(options?: ResolveAuthOptions): Promise; /** * @plan PLAN-20251018-STATELESSPROVIDER2.P06 * @requirement REQ-SP2-001 * @pseudocode base-provider-call-contract.md lines 1-3 * Get authentication method name for debugging/logging */ getAuthMethodName(options?: ResolveAuthOptions): Promise; private normalizeAuthValue; private normalizeProviderId; private resolveProviderIdentifier; private shouldUseGlobalAuth; private resolveNamedKey; /** * Reads API key from a file path, handling tilde expansion, absolute and relative paths */ private readKeyFile; /** * Updates the configuration */ updateConfig(newConfig: Partial): void; /** * Updates the OAuth manager */ updateOAuthManager(oauthManager: OAuthManager): void; /** * Invalidates the cached OAuth tokens for this resolver. * This should be called during logout to ensure fresh tokens are fetched * on the next authentication attempt. * * @plan PLAN-20251023-STATELESS-HARDENING * @requirement Issue #975 - OAuth logout cache invalidation */ invalidateCache(): void; } export {};