@@ -269,15 +269,59 @@ export interface ManagedAuth {
269269 browser_session_id ?: string | null ;
270270
271271 /**
272- * Whether automatic re-authentication is possible (has credential, selectors, and
273- * login_url)
272+ * Whether Kernel can automatically re-authenticate this connection when the
273+ * session expires. Requires a prior successful login plus either a Kernel
274+ * credential or an external credential reference. See `can_reauth_reason` for the
275+ * specific outcome.
274276 */
275277 can_reauth ?: boolean ;
276278
277279 /**
278- * Reason why automatic re-authentication is or is not possible
279- */
280- can_reauth_reason ?: string ;
280+ * Machine-readable reason for the current value of `can_reauth`. Affirmative
281+ * values (re-auth is possible):
282+ *
283+ * - `external_credential` — an external credential provider is attached
284+ * - `cua_has_credential` — CUA flow with a stored credential
285+ * - `has_credential` — Kernel credential is attached (optimistic; plan viability
286+ * not checked)
287+ * - `viable_plans_found` — at least one stored login plan can be replayed
288+ * - `no_requirements_recorded` — no recorded credential requirements to fail
289+ * against
290+ * - `requirements_satisfiable` — recorded requirements can be met by the attached
291+ * credential
292+ *
293+ * Negative values (a human must complete the login flow):
294+ *
295+ * - `no_prior_successful_login` — connection has never completed a successful
296+ * login
297+ * - `no_credential` — no Kernel or external credential attached
298+ * - `no_viable_plans` — credential attached but no replayable login plan exists
299+ * yet
300+ * - `viable_plans_require_external_action` — stored plans need an external step
301+ * (email link, push, etc.)
302+ * - `requires_external_action` — recorded requirements include an external step
303+ * - `requires_totp_without_secret` — flow needs a TOTP code but no TOTP secret is
304+ * stored
305+ * - `requires_sms_code` — flow needs an SMS code that cannot be received
306+ * automatically
307+ * - `requires_email_code` — flow needs an email code that cannot be received
308+ * automatically
309+ */
310+ can_reauth_reason ?:
311+ | 'external_credential'
312+ | 'cua_has_credential'
313+ | 'has_credential'
314+ | 'viable_plans_found'
315+ | 'no_requirements_recorded'
316+ | 'requirements_satisfiable'
317+ | 'no_prior_successful_login'
318+ | 'no_credential'
319+ | 'no_viable_plans'
320+ | 'viable_plans_require_external_action'
321+ | 'requires_external_action'
322+ | 'requires_totp_without_secret'
323+ | 'requires_sms_code'
324+ | 'requires_email_code' ;
281325
282326 /**
283327 * Reference to credentials for the auth connection. Use one of:
0 commit comments