Optional ReadonlyauditOptional ReadonlydiscoveryCollector for discoveryMetadata contributions. Each entry is a
OidcDiscoveryContribution partial. assembleApp aggregates all entries into the
single /.well-known/openid-configuration document via
buildDiscoveryDocument (mounted only when an issuer is configured).
Optional ReadonlyfederationCollector for federationRedirectPolicies contributions.
The concrete policy type (FederationRedirectPolicy) is declared in the
session package via declare module augmentation; core stores it as
unknown to avoid a cross-package dependency.
Per A5 §8.1.
Optional ReadonlyfederationsOptional ReadonlygrantCollector for grantMiddleware contributions. Each entry is a
RequestHandler | null returned by a GrantMiddlewareFactory. Null
entries (disabled-by-config path) are filtered at consumption time in
assembleApp — they are appended to the collector for value-identity
dedup with sibling contributions but skipped when mounting on the
OAuth token endpoint (/oauth/token with the bundled oauthModule).
Per Wave 2 Token-binding Cluster spec §4.7 / Phase 2 DPoP spec §11.1.
Optional ReadonlygrantOptional ReadonlygrantsOptional ReadonlymfaOptional ReadonlyroutesOptional ReadonlytokenCollector for tokenBindingMechanisms contributions. Each entry is a
TokenBindingMechanism | null returned by a
TokenBindingMechanismFactory. Null entries (disabled-by-config) are
filtered at consumption time in assembleApp.
Unlike grantMiddleware which contributes pre-composed middleware,
this slot contributes raw mechanisms. assembleApp composes ONE
tokenBindingMw across all collected mechanisms so the configured
DispatchPolicy can arbitrate cross-module. See ADR
packages/core/docs/adr/2026-05-20-token-binding-first-class-abstraction.md
for the cross-mechanism design rationale.
Optional Readonlytoken
Declaration-merged map of contribution-kind collectors. Core seeds the built-in kinds; consumers add custom kinds via
declare moduleaugmentation.Per A2-β §6.2.