@absolutejs/auth 0.27.0-beta.7 → 0.27.0-beta.9

package/dist/adaptive/config.d.ts

@@ -1,9 +1,13 @@
-import type { KnownDeviceStore, LoginHistoryStore, RiskAction, RiskAssessment, RiskContext, RiskSignal } from './types';
+import type { KnownDeviceStore, LoginHistoryStore, RiskAction, RiskAssessment, RiskContext, RiskSignal, RiskThresholds, RiskWeights, WeightedRiskAssessment } from './types';
 export type AdaptiveConfig = {
     historyLimit?: number;
     knownDeviceStore: KnownDeviceStore;
     loginHistoryStore: LoginHistoryStore;
     maxTravelKmh?: number;
+    offHours?: {
+        end: number;
+        start: number;
+    };
     rules?: Partial<Record<RiskSignal, RiskAction>>;
     velocityMaxAttempts?: number;
     velocityWindowMs?: number;
@@ -14,9 +18,17 @@ export declare const createRiskEngine: (config: AdaptiveConfig) => {
     recordAttempt: (context: RiskContext & {
         outcome: RiskAction;
     }) => Promise<void>;
+    scoreRisk: (context: RiskContext, options?: {
+        thresholds?: RiskThresholds;
+        weights?: RiskWeights;
+    }) => Promise<WeightedRiskAssessment>;
     trustDevice: (userId: string, deviceId: string, label?: string) => Promise<void>;
 };
 export declare const recordLoginAttempt: (config: AdaptiveConfig, context: RiskContext & {
     outcome: RiskAction;
 }) => Promise<void>;
+export declare const scoreRisk: (config: AdaptiveConfig & {
+    thresholds?: RiskThresholds;
+    weights?: RiskWeights;
+}, context: RiskContext) => Promise<WeightedRiskAssessment>;
 export declare const trustDevice: (config: AdaptiveConfig, userId: string, deviceId: string, label?: string) => Promise<void>;

package/dist/adaptive/fingerprint.d.ts

@@ -0,0 +1,2 @@
+export type DeviceSignals = Record<string, unknown>;
+export declare const fingerprintDevice: (signals: DeviceSignals) => Promise<string>;

package/dist/adaptive/types.d.ts

@@ -1,5 +1,5 @@
 export type RiskAction = 'allow' | 'deny' | 'step_up';
-export type RiskSignal = 'impossible_travel' | 'new_country' | 'new_device' | 'velocity';
+export type RiskSignal = 'impossible_travel' | 'new_country' | 'new_device' | 'off_hours' | 'proxy' | 'velocity';
 export type GeoPoint = {
     country?: string;
     latitude?: number;
@@ -9,6 +9,8 @@ export type RiskContext = {
     deviceId: string;
     geo?: GeoPoint;
     ipAddress?: string;
+    isProxy?: boolean;
+    localHour?: number;
     now?: number;
     userId: string;
 };
@@ -20,6 +22,16 @@ export type RiskAssessment = {
     action: RiskAction;
     reasons: RiskReason[];
 };
+export type RiskWeights = Partial<Record<RiskSignal, number>>;
+export type RiskThresholds = {
+    deny: number;
+    stepUp: number;
+};
+export type WeightedRiskAssessment = {
+    action: RiskAction;
+    reasons: RiskReason[];
+    score: number;
+};
 export type KnownDevice = {
     deviceId: string;
     firstSeenAt: number;

package/dist/audit/export.d.ts

@@ -0,0 +1,2 @@
+import type { AuditEvent } from './types';
+export declare const exportAuditCsv: (events: AuditEvent[]) => string;

package/dist/audit/integrity.d.ts

@@ -2,14 +2,18 @@ import type { AuditEvent, AuditSink } from './types';
 export type AuditIntegrity = {
     hash: string;
     previousHash: string;
+    writerId?: string;
 };
 export type AuditChainResult = {
     brokenAt?: number;
     ok: boolean;
 };
-export declare const createTamperEvidentSink: ({ secret, sink }: {
+export declare const createTamperEvidentSink: ({ loadWriterHead, secret, seedScanLimit, sink, writerId }: {
+    loadWriterHead?: (writerId: string) => Promise<string | undefined> | string | undefined;
     secret?: string;
+    seedScanLimit?: number;
     sink: AuditSink;
+    writerId?: string;
 }) => AuditSink;
 export declare const hashAuditEvent: (event: AuditEvent, previousHash: string, secret?: string) => Promise<string>;
 export declare const verifyAuditChain: (events: AuditEvent[], secret?: string) => Promise<AuditChainResult>;

package/dist/audit/types.d.ts

@@ -15,4 +15,5 @@ export type AuditEventFilter = {
 export type AuditSink = {
     append: (event: AuditEvent) => Promise<void>;
     list?: (filter?: AuditEventFilter) => Promise<AuditEvent[]>;
+    prune?: (before: number) => Promise<number>;
 };

package/dist/fga/config.d.ts

@@ -15,10 +15,17 @@ export type Subject = {
     subjectId: string;
     subjectType: string;
 };
+export type ObjectQuery = {
+    relation: string;
+    resourceType: string;
+    subjectId: string;
+    subjectType: string;
+};
 export declare const check: (config: FgaConfig, query: CheckQuery) => Promise<boolean>;
 export declare const createFgaEngine: (config: FgaConfig) => {
     check: (query: CheckQuery) => Promise<boolean>;
     deleteWarrant: (warrant: Warrant) => Promise<void>;
+    listObjects: (query: ObjectQuery) => Promise<string[]>;
     listSubjects: (query: {
         relation: string;
         resourceId: string;
@@ -27,6 +34,7 @@ export declare const createFgaEngine: (config: FgaConfig) => {
     writeWarrant: (warrant: Warrant) => Promise<void>;
 };
 export declare const deleteWarrant: (config: FgaConfig, warrant: Warrant) => Promise<void>;
+export declare const listObjects: (config: FgaConfig, query: ObjectQuery) => Promise<string[]>;
 export declare const listSubjects: (config: FgaConfig, query: {
     relation: string;
     resourceId: string;

package/dist/fga/schema.d.ts

@@ -0,0 +1,2 @@
+import type { FgaSchema } from './types';
+export declare const parseSchema: (dsl: string) => FgaSchema;

package/dist/fga/types.d.ts

@@ -9,6 +9,7 @@ export type Warrant = {
 export type WarrantStore = {
     deleteWarrant: (warrant: Warrant) => Promise<void>;
     listForResource: (resourceType: string, resourceId: string, relation: string) => Promise<Warrant[]>;
+    listResourceIds: (resourceType: string) => Promise<string[]>;
     saveWarrant: (warrant: Warrant) => Promise<void>;
 };
 export type RelationRule = {

package/dist/index.d.ts

@@ -14712,6 +14712,7 @@ export { createInMemoryLockoutStore } from './lockout/inMemoryLockoutStore';
 export { createNeonLockoutStore, createPostgresLockoutStore, lockoutsTable } from './lockout/postgresLockoutStore';
 export { createRedisLockoutStore } from './lockout/redisLockoutStore';
 export type { RedisLike } from './stores/redis';
+export { exportAuditCsv } from './audit/export';
 export { createInMemoryAuditSink } from './audit/inMemoryAuditStore';
 export { auditEventsTable, createNeonAuditSink, createPostgresAuditSink } from './audit/postgresAuditStore';
 export * from './sso/types';
@@ -14736,10 +14737,12 @@ export type { DpopResult } from './oidc/dpop';
 export { createInMemoryAuthorizationCodeStore, createInMemoryOAuthClientStore, createInMemoryOidcRefreshTokenStore } from './oidc/inMemoryStores';
 export { createNeonAuthorizationCodeStore, createNeonOAuthClientStore, createNeonOidcRefreshTokenStore, createPostgresAuthorizationCodeStore, createPostgresOAuthClientStore, createPostgresOidcRefreshTokenStore, oauthClientsTable, oauthCodesTable, oauthRefreshTokensTable } from './oidc/postgresStores';
 export * from './adaptive/config';
+export * from './adaptive/fingerprint';
 export * from './adaptive/types';
 export { createInMemoryKnownDeviceStore, createInMemoryLoginHistoryStore } from './adaptive/inMemoryStores';
 export { createNeonKnownDeviceStore, createNeonLoginHistoryStore, createPostgresKnownDeviceStore, createPostgresLoginHistoryStore, knownDevicesTable, loginHistoryTable } from './adaptive/postgresStores';
 export * from './fga/config';
+export * from './fga/schema';
 export * from './fga/types';
 export { createInMemoryWarrantStore, warrantKey } from './fga/inMemoryStores';
 export { createNeonWarrantStore, createPostgresWarrantStore, warrantsTable } from './fga/postgresStores';

package/dist/index.js

@@ -18710,6 +18710,7 @@ var INTEGRITY_KEY = "__integrity";
 var GENESIS = "";
 var HEX_RADIX2 = 16;
 var HEX_PAD = 2;
+var DEFAULT_SEED_SCAN_LIMIT = 1000;
 var encoder = new TextEncoder;
 var toHex = (buffer) => [...new Uint8Array(buffer)].map((byte) => byte.toString(HEX_RADIX2).padStart(HEX_PAD, "0")).join("");
 var sha256Hex = async (message) => toHex(await crypto.subtle.digest("SHA-256", encoder.encode(message)));
@@ -18740,24 +18741,45 @@ var brokenAt = (index) => {
   return result;
 };
 var createTamperEvidentSink = ({
+  loadWriterHead,
   secret,
-  sink
+  seedScanLimit = DEFAULT_SEED_SCAN_LIMIT,
+  sink,
+  writerId
 }) => {
+  const chainWriterId = writerId ?? crypto.randomUUID();
+  const isResuming = writerId !== undefined;
   let lastHash;
+  let seeded = false;
   const seed = async () => {
-    if (lastHash !== undefined)
+    if (seeded)
       return;
-    const [recent] = await sink.list?.({ limit: 1 }) ?? [];
-    lastHash = recent ? readIntegrity(recent)?.hash ?? GENESIS : GENESIS;
+    seeded = true;
+    if (!isResuming) {
+      lastHash = GENESIS;
+      return;
+    }
+    if (loadWriterHead) {
+      lastHash = await loadWriterHead(chainWriterId) ?? GENESIS;
+      return;
+    }
+    const recent = await sink.list?.({ limit: seedScanLimit }) ?? [];
+    const head = recent.find((event) => readIntegrity(event)?.writerId === chainWriterId);
+    lastHash = head ? readIntegrity(head)?.hash ?? GENESIS : GENESIS;
   };
   return {
     list: sink.list,
+    prune: sink.prune,
     append: async (event) => {
       await seed();
       const previousHash = lastHash ?? GENESIS;
       const hash = await hashAuditEvent(event, previousHash, secret);
       lastHash = hash;
-      const integrity = { hash, previousHash };
+      const integrity = {
+        hash,
+        previousHash,
+        writerId: chainWriterId
+      };
       await sink.append({
         ...event,
         metadata: { ...event.metadata, [INTEGRITY_KEY]: integrity }
@@ -18773,17 +18795,19 @@ var hashAuditEvent = async (event, previousHash, secret) => {
   return secret === undefined ? sha256Hex(message) : hmacSha256Hex(secret, message);
 };
 var verifyAuditChain = async (events, secret) => {
-  let previousHash = GENESIS;
+  const heads = new Map;
   for (let index = 0;index < events.length; index += 1) {
     const event = events[index];
     if (event === undefined)
       return brokenAt(index);
     const integrity = readIntegrity(event);
+    const chain = integrity?.writerId ?? GENESIS;
+    const previousHash = heads.get(chain) ?? GENESIS;
     const expected = await hashAuditEvent(event, previousHash, secret);
     if (integrity === undefined || integrity.previousHash !== previousHash || integrity.hash !== expected) {
       return brokenAt(index);
     }
-    previousHash = integrity.hash;
+    heads.set(chain, integrity.hash);
   }
   const valid = { ok: true };
   return valid;
@@ -19061,6 +19085,19 @@ var createRedisLockoutStore = (redis, keyPrefix = DEFAULT_PREFIX) => {
     }
   };
 };
+// src/audit/export.ts
+var CSV_HEADER = "at,type,userId,ip,organizationId,metadata";
+var escapeCsv = (value) => /[",\n\r]/u.test(value) ? `"${value.replace(/"/gu, '""')}"` : value;
+var toRow = (event) => [
+  new Date(event.at).toISOString(),
+  event.type,
+  event.userId ?? "",
+  event.ip ?? "",
+  event.organizationId ?? "",
+  event.metadata ? JSON.stringify(event.metadata) : ""
+].map(escapeCsv).join(",");
+var exportAuditCsv = (events) => [CSV_HEADER, ...events.map(toRow)].join(`
+`);
 // src/audit/inMemoryAuditStore.ts
 var createInMemoryAuditSink = () => {
   const events = [];
@@ -19073,6 +19110,13 @@ var createInMemoryAuditSink = () => {
       const ordered = [...matched].sort((left, right) => right.at - left.at);
       const limited = filter?.limit === undefined ? ordered : ordered.slice(0, filter.limit);
       return limited.map((event) => ({ ...event }));
+    },
+    prune: async (before) => {
+      const kept = events.filter((event) => event.at >= before);
+      const removed = events.length - kept.length;
+      events.length = 0;
+      events.push(...kept);
+      return removed;
     }
   };
 };
@@ -19114,6 +19158,10 @@ var createPostgresAuditSink = (db) => ({
   list: async (filter) => {
     const rows = await db.select().from(auditEventsTable).where(filter?.userId ? eq(auditEventsTable.user_id, filter.userId) : undefined).orderBy(desc(auditEventsTable.at_ms)).limit(filter?.limit ?? DEFAULT_AUDIT_LIMIT);
     return rows.map(toEvent);
+  },
+  prune: async (before) => {
+    const deleted = await db.delete(auditEventsTable).where(lt(auditEventsTable.at_ms, before)).returning({ id: auditEventsTable.id });
+    return deleted.length;
   }
 });
 // src/scim/inMemoryScimTokenStore.ts
@@ -19550,8 +19598,22 @@ var DEFAULT_RULE_ACTIONS = {
   impossible_travel: "deny",
   new_country: "step_up",
   new_device: "step_up",
+  off_hours: "allow",
+  proxy: "step_up",
   velocity: "deny"
 };
+var DEFAULT_RISK_WEIGHTS = {
+  impossible_travel: 80,
+  new_country: 25,
+  new_device: 20,
+  off_hours: 10,
+  proxy: 30,
+  velocity: 80
+};
+var DEFAULT_OFF_HOURS_START = 0;
+var DEFAULT_OFF_HOURS_END = 6;
+var DEFAULT_DENY_SCORE = 80;
+var DEFAULT_STEP_UP_SCORE = 40;
 var toRadians = (degrees) => degrees * Math.PI / DEGREES_PER_HALF_TURN;
 var haversineKm = (start, end) => {
   if (start.latitude === undefined || start.longitude === undefined || end.latitude === undefined || end.longitude === undefined) {
@@ -19565,32 +19627,44 @@ var haversineKm = (start, end) => {
   return HALF * EARTH_RADIUS_KM * Math.asin(Math.sqrt(factor));
 };
 var mostSevere2 = (reasons) => reasons.reduce((worst, reason) => ACTION_SEVERITY2[reason.action] > ACTION_SEVERITY2[worst] ? reason.action : worst, "allow");
-var assessRisk = async (config, context) => {
+var isWithinOffHours = (hour, range) => {
+  const start = range?.start ?? DEFAULT_OFF_HOURS_START;
+  const end = range?.end ?? DEFAULT_OFF_HOURS_END;
+  if (start <= end)
+    return hour >= start && hour < end;
+  return hour >= start || hour < end;
+};
+var actionForScore = (score, thresholds) => {
+  const deny = "deny";
+  const stepUp = "step_up";
+  const allow = "allow";
+  if (score >= thresholds.deny)
+    return deny;
+  if (score >= thresholds.stepUp)
+    return stepUp;
+  return allow;
+};
+var detectSignals = async (config, context) => {
   const {
     historyLimit = DEFAULT_HISTORY_LIMIT,
     knownDeviceStore,
     loginHistoryStore,
     maxTravelKmh = DEFAULT_MAX_TRAVEL_KMH,
-    rules,
+    offHours,
     velocityMaxAttempts = DEFAULT_VELOCITY_MAX_ATTEMPTS,
     velocityWindowMs = DEFAULT_VELOCITY_WINDOW_MS
   } = config;
   const now = context.now ?? Date.now();
-  const actions = {
-    ...DEFAULT_RULE_ACTIONS,
-    ...rules
-  };
-  const reasons = [];
+  const fired = [];
   const [device, history] = await Promise.all([
     knownDeviceStore.findDevice(context.userId, context.deviceId),
     loginHistoryStore.listRecent(context.userId, historyLimit)
   ]);
-  if (device === undefined || !device.trusted) {
-    reasons.push({ action: actions.new_device, signal: "new_device" });
-  }
+  if (device === undefined || !device.trusted)
+    fired.push("new_device");
   const country = context.geo?.country;
   if (country !== undefined && history.length > 0 && !history.some((attempt) => attempt.country === country)) {
-    reasons.push({ action: actions.new_country, signal: "new_country" });
+    fired.push("new_country");
   }
   const [previous] = history;
   const traveledKm = previous !== undefined && context.geo !== undefined ? haversineKm({
@@ -19599,20 +19673,34 @@ var assessRisk = async (config, context) => {
   }, context.geo) : undefined;
   const hours = previous === undefined ? 0 : (now - previous.timestamp) / MILLISECONDS_IN_AN_HOUR;
   if (traveledKm !== undefined && hours > 0 && traveledKm / hours > maxTravelKmh) {
-    reasons.push({
-      action: actions.impossible_travel,
-      signal: "impossible_travel"
-    });
+    fired.push("impossible_travel");
   }
   const recentCount = history.filter((attempt) => now - attempt.timestamp <= velocityWindowMs).length;
-  if (recentCount >= velocityMaxAttempts) {
-    reasons.push({ action: actions.velocity, signal: "velocity" });
+  if (recentCount >= velocityMaxAttempts)
+    fired.push("velocity");
+  if (context.isProxy === true)
+    fired.push("proxy");
+  if (context.localHour !== undefined && isWithinOffHours(context.localHour, offHours)) {
+    fired.push("off_hours");
   }
+  return fired;
+};
+var assessRisk = async (config, context) => {
+  const actions = {
+    ...DEFAULT_RULE_ACTIONS,
+    ...config.rules
+  };
+  const fired = await detectSignals(config, context);
+  const reasons = fired.map((signal) => ({
+    action: actions[signal],
+    signal
+  }));
   return { action: mostSevere2(reasons), reasons };
 };
 var createRiskEngine = (config) => ({
   assessRisk: (context) => assessRisk(config, context),
   recordAttempt: (context) => recordLoginAttempt(config, context),
+  scoreRisk: (context, options) => scoreRisk({ ...config, ...options }, context),
   trustDevice: (userId, deviceId, label) => trustDevice(config, userId, deviceId, label)
 });
 var recordLoginAttempt = async (config, context) => {
@@ -19638,6 +19726,22 @@ var recordLoginAttempt = async (config, context) => {
     userId: context.userId
   });
 };
+var scoreRisk = async (config, context) => {
+  const weights = {
+    ...DEFAULT_RISK_WEIGHTS,
+    ...config.weights
+  };
+  const defaultThresholds = {
+    deny: DEFAULT_DENY_SCORE,
+    stepUp: DEFAULT_STEP_UP_SCORE
+  };
+  const thresholds = config.thresholds ?? defaultThresholds;
+  const fired = await detectSignals(config, context);
+  const score = fired.reduce((sum, signal) => sum + weights[signal], 0);
+  const action = actionForScore(score, thresholds);
+  const reasons = fired.map((signal) => ({ action, signal }));
+  return { action, reasons, score };
+};
 var trustDevice = async (config, userId, deviceId, label) => {
   const now = Date.now();
   const existing = await config.knownDeviceStore.findDevice(userId, deviceId);
@@ -19650,6 +19754,9 @@ var trustDevice = async (config, userId, deviceId, label) => {
     userId
   });
 };
+// src/adaptive/fingerprint.ts
+var canonical = (signals) => JSON.stringify(signals, (_key, value) => value === null || typeof value !== "object" || Array.isArray(value) ? value : Object.fromEntries(Object.entries(value).sort((left, right) => left[0].localeCompare(right[0]))));
+var fingerprintDevice = (signals) => hashToken(canonical(signals));
 // src/adaptive/inMemoryStores.ts
 var deviceKey = (userId, deviceId) => `${userId}:${deviceId}`;
 var createInMemoryKnownDeviceStore = () => {
@@ -19849,16 +19956,95 @@ var expandRule = async (config, resourceType, resourceId, relation, rule, depth,
 var createFgaEngine = (config) => ({
   check: (query) => check(config, query),
   deleteWarrant: (warrant) => deleteWarrant(config, warrant),
+  listObjects: (query) => listObjects(config, query),
   listSubjects: (query) => listSubjects(config, query),
   writeWarrant: (warrant) => writeWarrant(config, warrant)
 });
 var deleteWarrant = (config, warrant) => config.warrantStore.deleteWarrant(warrant);
+var listObjects = async (config, query) => {
+  const candidates = await config.warrantStore.listResourceIds(query.resourceType);
+  const allowed = await Promise.all(candidates.map((resourceId) => check(config, {
+    relation: query.relation,
+    resourceId,
+    resourceType: query.resourceType,
+    subjectId: query.subjectId,
+    subjectType: query.subjectType
+  })));
+  return candidates.filter((_resourceId, index) => allowed[index] === true);
+};
 var listSubjects = async (config, query) => {
   const found = new Map;
   await expand(config, query.resourceType, query.resourceId, query.relation, config.maxDepth ?? DEFAULT_MAX_DEPTH, found, new Set);
   return [...found.values()];
 };
 var writeWarrant = (config, warrant) => config.warrantStore.saveWarrant(warrant);
+// src/fga/schema.ts
+var TYPE_PATTERN = /^type\s+(\w+)$/u;
+var DEFINE_PATTERN = /^define\s+(\w+)\s*:\s*(.+)$/u;
+var FROM_PATTERN = /^(\w+)\s+from\s+(\w+)$/u;
+var OR_SEPARATOR = /\s+or\s+/u;
+var parseTerm = (term) => {
+  const trimmed = term.trim();
+  if (trimmed.startsWith("[")) {
+    const rule2 = { kind: "self" };
+    return rule2;
+  }
+  const fromMatch = FROM_PATTERN.exec(trimmed);
+  if (fromMatch) {
+    const [, relation, viaRelation] = fromMatch;
+    const rule2 = {
+      kind: "tupleToUserset",
+      relation: relation ?? "",
+      viaRelation: viaRelation ?? ""
+    };
+    return rule2;
+  }
+  const rule = { kind: "computedUserset", relation: trimmed };
+  return rule;
+};
+var parseExpression = (expression) => {
+  const terms = expression.split(OR_SEPARATOR).map(parseTerm);
+  const [first] = terms;
+  if (terms.length === 1 && first)
+    return first;
+  const rule = { kind: "union", rules: terms };
+  return rule;
+};
+var applyType = (schema, line2) => {
+  const match = TYPE_PATTERN.exec(line2);
+  if (!match)
+    return;
+  const [, name] = match;
+  if (name)
+    schema[name] = {};
+  return name;
+};
+var applyDefine = (target, line2) => {
+  if (!target)
+    return;
+  const match = DEFINE_PATTERN.exec(line2);
+  if (!match)
+    return;
+  const [, relation, expression] = match;
+  if (relation && expression)
+    target[relation] = parseExpression(expression);
+};
+var parseSchema = (dsl) => {
+  const schema = {};
+  let currentType;
+  for (const rawLine of dsl.split(`
+`)) {
+    const line2 = rawLine.trim();
+    if (line2 === "" || line2.startsWith("#") || line2 === "relations")
+      continue;
+    const typeName = applyType(schema, line2);
+    currentType = typeName ?? currentType;
+    if (typeName !== undefined)
+      continue;
+    applyDefine(currentType ? schema[currentType] : undefined, line2);
+  }
+  return schema;
+};
 // src/fga/inMemoryStores.ts
 var createInMemoryWarrantStore = () => {
   const warrants = new Map;
@@ -19867,6 +20053,9 @@ var createInMemoryWarrantStore = () => {
       warrants.delete(warrantKey(warrant));
     },
     listForResource: async (resourceType, resourceId, relation) => [...warrants.values()].filter((warrant) => warrant.resourceType === resourceType && warrant.resourceId === resourceId && warrant.relation === relation),
+    listResourceIds: async (resourceType) => [
+      ...new Set([...warrants.values()].filter((warrant) => warrant.resourceType === resourceType).map((warrant) => warrant.resourceId))
+    ],
     saveWarrant: async (warrant) => {
       warrants.set(warrantKey(warrant), { ...warrant });
     }
@@ -19901,6 +20090,10 @@ var createPostgresWarrantStore = (db) => ({
     const rows = await db.select().from(warrantsTable).where(and(eq(warrantsTable.resource_type, resourceType), eq(warrantsTable.resource_id, resourceId), eq(warrantsTable.relation, relation)));
     return rows.map(toWarrant);
   },
+  listResourceIds: async (resourceType) => {
+    const rows = await db.selectDistinct({ resourceId: warrantsTable.resource_id }).from(warrantsTable).where(eq(warrantsTable.resource_type, resourceType));
+    return rows.map((row) => row.resourceId);
+  },
   saveWarrant: async (warrant) => {
     await db.insert(warrantsTable).values({
       id: warrantKey(warrant),
@@ -20728,6 +20921,7 @@ export {
   sessionStore,
   sessionRoutes,
   sessionCleanup,
+  scoreRisk,
   scopeRequiredProviderOptions,
   scimTokensTable,
   scimRoutes,
@@ -20758,6 +20952,7 @@ export {
   pkceProviderOptions,
   passwordlessTokensTable,
   passwordlessRoutes,
+  parseSchema,
   organizationsTable,
   organizationRoutes,
   organizationMembershipsTable,
@@ -20779,6 +20974,7 @@ export {
   listUserOrganizations,
   listSubjects,
   listRingSessions,
+  listObjects,
   knownDevicesTable,
   jwkThumbprint,
   issueTokenSet,
@@ -20812,7 +21008,9 @@ export {
   generateSecureToken,
   generateEncryptionKey,
   generateBackupCodes,
+  fingerprintDevice,
   extractPropFromIdentity,
+  exportAuditCsv,
   exchangeToken,
   exchangeClientCredentials,
   evaluatePassword,
@@ -20976,5 +21174,5 @@ export {
   AuthIdentityConflictError
 };
 
-//# debugId=580D3E8ACE9EF4E864756E2164756E21
+//# debugId=22C6F88FE2A9D7F764756E2164756E21
 //# sourceMappingURL=index.js.map