@actuate-media/cms-core 0.11.2 → 0.13.0

package/dist/auth/oauth.d.ts

@@ -74,6 +74,14 @@ export declare function generateCodeChallenge(codeVerifier: string): Promise<str
 export declare function generateState(provider: string, codeVerifier: string, returnTo: string, secret: string, nonce?: string): Promise<string>;
 /** Generate a random base64url nonce suitable for binding state to a browser cookie. */
 export declare function generateOAuthNonce(): string;
+/**
+ * Thrown when an OAuth state token verifies cryptographically but its decoded
+ * payload doesn't match the expected `OAuthState` shape. Mapped to a 400 by
+ * the callback handler — the user is then bounced back to the login page.
+ */
+export declare class InvalidOAuthStateError extends Error {
+    constructor(reason: string);
+}
 export declare function verifyState(stateToken: string, secret: string): Promise<OAuthState>;
 export declare function getAuthorizationUrl(provider: OAuthProviderType, config: OAuthProviderConfig, state: string, codeChallenge: string): string;
 export declare function exchangeCodeForTokens(provider: OAuthProviderType, code: string, codeVerifier: string, config: OAuthProviderConfig): Promise<{

package/dist/auth/oauth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"oauth.d.ts","sourceRoot":"","sources":["../../src/auth/oauth.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAA;AAE5D,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,MAAM,CAAA;IAChB,YAAY,EAAE,MAAM,CAAA;IACpB,WAAW,EAAE,MAAM,CAAA;CACpB;AAED,MAAM,WAAW,cAAc;IAC7B,MAAM,CAAC,EAAE,mBAAmB,CAAA;IAC5B,MAAM,CAAC,EAAE,mBAAmB,CAAA;IAC5B,SAAS,CAAC,EAAE,mBAAmB,CAAA;CAChC;AAED,MAAM,WAAW,UAAU;IACzB,QAAQ,EAAE,MAAM,CAAA;IAChB,YAAY,EAAE,MAAM,CAAA;IACpB,QAAQ,EAAE,MAAM,CAAA;IAChB,gGAAgG;IAChG,KAAK,CAAC,EAAE,MAAM,CAAA;CACf;AAED,MAAM,WAAW,oBAAoB;IACnC;;;;;;;OAOG;IACH,eAAe,CAAC,EAAE,OAAO,CAAA;IACzB;;;OAGG;IACH,WAAW,CAAC,EAAE,CAAC,OAAO,EAAE,gBAAgB,EAAE,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAA;CACpF;AAED,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,MAAM,CAAA;IAChB,iBAAiB,EAAE,MAAM,CAAA;IACzB,KAAK,EAAE,MAAM,CAAA;IACb,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,WAAW,EAAE,MAAM,CAAA;IACnB,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,SAAS,CAAC,EAAE,IAAI,CAAA;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,EAAE,EAAE,MAAM,CAAA;IACV,KAAK,EAAE,MAAM,CAAA;IACb,IAAI,EAAE,MAAM,CAAA;IACZ,MAAM,CAAC,EAAE,MAAM,CAAA;CAChB;AAED,QAAA,MAAM,aAAa;;;;;;;;;;;;;;;;;;;CAmBT,CAAA;AAEV,MAAM,MAAM,iBAAiB,GAAG,MAAM,OAAO,aAAa,CAAA;AAW1D,wBAAgB,oBAAoB,IAAI,MAAM,CAG7C;AAED,wBAAsB,qBAAqB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAIjF;AAED,wBAAsB,aAAa,CACjC,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EACd,KAAK,CAAC,EAAE,MAAM,GACb,OAAO,CAAC,MAAM,CAAC,CAWjB;AAED,wFAAwF;AACxF,wBAAgB,kBAAkB,IAAI,MAAM,CAG3C;AAED,wBAAsB,WAAW,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,CAIzF;AAED,wBAAgB,mBAAmB,CACjC,QAAQ,EAAE,iBAAiB,EAC3B,MAAM,EAAE,mBAAmB,EAC3B,KAAK,EAAE,MAAM,EACb,aAAa,EAAE,MAAM,GACpB,MAAM,CAaR;AAED,wBAAsB,qBAAqB,CACzC,QAAQ,EAAE,iBAAiB,EAC3B,IAAI,EAAE,MAAM,EACZ,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,mBAAmB,GAC1B,OAAO,CAAC;IAAE,YAAY,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAAC,aAAa,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CA2B9E;AAED,wBAAsB,cAAc,CAClC,QAAQ,EAAE,iBAAiB,EAC3B,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,gBAAgB,CAAC,CAwD3B;AAED,wBAAsB,mBAAmB,CACvC,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,EACZ,UAAU,EAAE,MAAM,EAClB,SAAS,EAAE,cAAc,EACzB,MAAM,EAAE,MAAM,EACd,EAAE,EAAE,GAAG,EACP,OAAO,GAAE,oBAAoB,GAAG;IAAE,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;CAAO,GACrE,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAA;CAAE,CAAC,CA4I7F;AAED,uGAAuG;AACvG,wBAAsB,aAAa,CACjC,eAAe,EAAE,kBAAkB,EACnC,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC;IAAE,WAAW,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,UAAU,CAAA;CAAE,CAAC,CAErD;AAED,qGAAqG;AACrG,wBAAsB,cAAc,CAClC,eAAe,EAAE,kBAAkB,EACnC,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC,mBAAmB,CAAC,CAE9B;AAED,wEAAwE;AACxE,wBAAsB,WAAW,CAC/B,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,mBAAmB,EAC3B,EAAE,EAAE,OAAO,GACV,OAAO,CAAC,IAAI,CAAC,CA6Bf"}
+{"version":3,"file":"oauth.d.ts","sourceRoot":"","sources":["../../src/auth/oauth.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAA;AAK5D,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,MAAM,CAAA;IAChB,YAAY,EAAE,MAAM,CAAA;IACpB,WAAW,EAAE,MAAM,CAAA;CACpB;AAED,MAAM,WAAW,cAAc;IAC7B,MAAM,CAAC,EAAE,mBAAmB,CAAA;IAC5B,MAAM,CAAC,EAAE,mBAAmB,CAAA;IAC5B,SAAS,CAAC,EAAE,mBAAmB,CAAA;CAChC;AAED,MAAM,WAAW,UAAU;IACzB,QAAQ,EAAE,MAAM,CAAA;IAChB,YAAY,EAAE,MAAM,CAAA;IACpB,QAAQ,EAAE,MAAM,CAAA;IAChB,gGAAgG;IAChG,KAAK,CAAC,EAAE,MAAM,CAAA;CACf;AAED,MAAM,WAAW,oBAAoB;IACnC;;;;;;;OAOG;IACH,eAAe,CAAC,EAAE,OAAO,CAAA;IACzB;;;OAGG;IACH,WAAW,CAAC,EAAE,CAAC,OAAO,EAAE,gBAAgB,EAAE,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAA;CACpF;AAED,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,MAAM,CAAA;IAChB,iBAAiB,EAAE,MAAM,CAAA;IACzB,KAAK,EAAE,MAAM,CAAA;IACb,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,WAAW,EAAE,MAAM,CAAA;IACnB,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,SAAS,CAAC,EAAE,IAAI,CAAA;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,EAAE,EAAE,MAAM,CAAA;IACV,KAAK,EAAE,MAAM,CAAA;IACb,IAAI,EAAE,MAAM,CAAA;IACZ,MAAM,CAAC,EAAE,MAAM,CAAA;CAChB;AAED,QAAA,MAAM,aAAa;;;;;;;;;;;;;;;;;;;CAmBT,CAAA;AAEV,MAAM,MAAM,iBAAiB,GAAG,MAAM,OAAO,aAAa,CAAA;AAW1D,wBAAgB,oBAAoB,IAAI,MAAM,CAG7C;AAED,wBAAsB,qBAAqB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAIjF;AAED,wBAAsB,aAAa,CACjC,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EACd,KAAK,CAAC,EAAE,MAAM,GACb,OAAO,CAAC,MAAM,CAAC,CAWjB;AAED,wFAAwF;AACxF,wBAAgB,kBAAkB,IAAI,MAAM,CAG3C;AAED;;;;GAIG;AACH,qBAAa,sBAAuB,SAAQ,KAAK;gBACnC,MAAM,EAAE,MAAM;CAI3B;AAqBD,wBAAsB,WAAW,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,CAYzF;AAED,wBAAgB,mBAAmB,CACjC,QAAQ,EAAE,iBAAiB,EAC3B,MAAM,EAAE,mBAAmB,EAC3B,KAAK,EAAE,MAAM,EACb,aAAa,EAAE,MAAM,GACpB,MAAM,CAaR;AAED,wBAAsB,qBAAqB,CACzC,QAAQ,EAAE,iBAAiB,EAC3B,IAAI,EAAE,MAAM,EACZ,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,mBAAmB,GAC1B,OAAO,CAAC;IAAE,YAAY,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAAC,aAAa,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CA2B9E;AAED,wBAAsB,cAAc,CAClC,QAAQ,EAAE,iBAAiB,EAC3B,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,gBAAgB,CAAC,CAwD3B;AAED,wBAAsB,mBAAmB,CACvC,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,EACZ,UAAU,EAAE,MAAM,EAClB,SAAS,EAAE,cAAc,EACzB,MAAM,EAAE,MAAM,EACd,EAAE,EAAE,GAAG,EACP,OAAO,GAAE,oBAAoB,GAAG;IAAE,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;CAAO,GACrE,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAA;CAAE,CAAC,CA2I7F;AAED,uGAAuG;AACvG,wBAAsB,aAAa,CACjC,eAAe,EAAE,kBAAkB,EACnC,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC;IAAE,WAAW,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,UAAU,CAAA;CAAE,CAAC,CAErD;AAED,qGAAqG;AACrG,wBAAsB,cAAc,CAClC,eAAe,EAAE,kBAAkB,EACnC,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC,mBAAmB,CAAC,CAE9B;AAED,wEAAwE;AACxE,wBAAsB,WAAW,CAC/B,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,mBAAmB,EAC3B,EAAE,EAAE,OAAO,GACV,OAAO,CAAC,IAAI,CAAC,CA6Bf"}

package/dist/auth/oauth.js

@@ -1,6 +1,8 @@
 import { SignJWT, jwtVerify } from 'jose';
 import { createSession } from './session.js';
 import { encryptSecret } from '../security/secret-storage.js';
+import { createLogger } from '../diagnostics/logger.js';
+const logger = createLogger('oauth');
 const PROVIDER_URLS = {
     google: {
         authorize: 'https://accounts.google.com/o/oauth2/v2/auth',
@@ -55,10 +57,48 @@ export function generateOAuthNonce() {
     const bytes = crypto.getRandomValues(new Uint8Array(16));
     return base64url(bytes.buffer);
 }
+/**
+ * Thrown when an OAuth state token verifies cryptographically but its decoded
+ * payload doesn't match the expected `OAuthState` shape. Mapped to a 400 by
+ * the callback handler — the user is then bounced back to the login page.
+ */
+export class InvalidOAuthStateError extends Error {
+    constructor(reason) {
+        super(`OAuth state is malformed: ${reason}`);
+        this.name = 'InvalidOAuthStateError';
+    }
+}
+function assertOAuthState(payload) {
+    if (typeof payload !== 'object' || payload === null) {
+        throw new InvalidOAuthStateError('payload is not an object');
+    }
+    const p = payload;
+    if (typeof p.provider !== 'string' || p.provider.length === 0) {
+        throw new InvalidOAuthStateError('missing or invalid `provider`');
+    }
+    if (typeof p.codeVerifier !== 'string' || p.codeVerifier.length === 0) {
+        throw new InvalidOAuthStateError('missing or invalid `codeVerifier`');
+    }
+    if (typeof p.returnTo !== 'string') {
+        throw new InvalidOAuthStateError('missing or invalid `returnTo`');
+    }
+    if (p.nonce !== undefined && typeof p.nonce !== 'string') {
+        throw new InvalidOAuthStateError('`nonce`, when present, must be a string');
+    }
+}
 export async function verifyState(stateToken, secret) {
     const secretKey = new TextEncoder().encode(secret);
     const { payload } = await jwtVerify(stateToken, secretKey, { issuer: 'actuate-cms' });
-    return payload;
+    assertOAuthState(payload);
+    // Return only the validated fields; strip extras (jose injects iat/exp/iss).
+    const safe = {
+        provider: payload.provider,
+        codeVerifier: payload.codeVerifier,
+        returnTo: payload.returnTo,
+    };
+    if (payload.nonce !== undefined)
+        safe.nonce = payload.nonce;
+    return safe;
 }
 export function getAuthorizationUrl(provider, config, state, codeChallenge) {
     const urls = PROVIDER_URLS[provider];
@@ -242,7 +282,9 @@ export async function handleOAuthCallback(provider, code, stateToken, providers,
             },
         })
             .catch((err) => {
-            console.error('[actuate][oauth] Failed to persist OAuthAccount:', err instanceof Error ? err.message : err);
+            logger.error('Failed to persist OAuthAccount', {
+                reason: err instanceof Error ? err.message : String(err),
+            });
         });
     }
     const oauthSession = await db.session.create({

package/dist/auth/oauth.js.map

@@ -1 +1 @@
-{"version":3,"file":"oauth.js","sourceRoot":"","sources":["../../src/auth/oauth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,MAAM,CAAA;AACzC,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAA;AAC5C,OAAO,EAAE,aAAa,EAAE,MAAM,+BAA+B,CAAA;AA0D7D,MAAM,aAAa,GAAG;IACpB,MAAM,EAAE;QACN,SAAS,EAAE,8CAA8C;QACzD,KAAK,EAAE,qCAAqC;QAC5C,QAAQ,EAAE,+CAA+C;QACzD,MAAM,EAAE,sBAAsB;KAC/B;IACD,MAAM,EAAE;QACN,SAAS,EAAE,0CAA0C;QACrD,KAAK,EAAE,6CAA6C;QACpD,QAAQ,EAAE,6BAA6B;QACvC,MAAM,EAAE,sBAAsB;KAC/B;IACD,SAAS,EAAE;QACT,SAAS,EAAE,gEAAgE;QAC3E,KAAK,EAAE,4DAA4D;QACnE,QAAQ,EAAE,qCAAqC;QAC/C,MAAM,EAAE,sBAAsB;KAC/B;CACO,CAAA;AAIV,SAAS,SAAS,CAAC,MAAmB;IACpC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAA;IACpC,IAAI,MAAM,GAAG,EAAE,CAAA;IACf,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC,CAAA;IAC1C,CAAC;IACD,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAA;AAChF,CAAC;AAED,MAAM,UAAU,oBAAoB;IAClC,MAAM,KAAK,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAA;IACxD,OAAO,SAAS,CAAC,KAAK,CAAC,MAAM,CAAC,CAAA;AAChC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,YAAoB;IAC9D,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CAAA;IACtD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,OAAO,CAAC,CAAA;IAC7D,OAAO,SAAS,CAAC,MAAM,CAAC,CAAA;AAC1B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,QAAgB,EAChB,YAAoB,EACpB,QAAgB,EAChB,MAAc,EACd,KAAc;IAEd,MAAM,SAAS,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;IAClD,MAAM,OAAO,GAAe,KAAK;QAC/B,CAAC,CAAC,EAAE,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,KAAK,EAAE;QAC7C,CAAC,CAAC,EAAE,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,CAAA;IACxC,OAAO,IAAI,OAAO,CAAC,EAAE,GAAG,OAAO,EAAE,CAAC;SAC/B,kBAAkB,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC;SACpC,WAAW,EAAE;SACb,iBAAiB,CAAC,KAAK,CAAC;SACxB,SAAS,CAAC,aAAa,CAAC;SACxB,IAAI,CAAC,SAAS,CAAC,CAAA;AACpB,CAAC;AAED,wFAAwF;AACxF,MAAM,UAAU,kBAAkB;IAChC,MAAM,KAAK,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAA;IACxD,OAAO,SAAS,CAAC,KAAK,CAAC,MAAM,CAAC,CAAA;AAChC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,UAAkB,EAAE,MAAc;IAClE,MAAM,SAAS,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;IAClD,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,CAAC,UAAU,EAAE,SAAS,EAAE,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC,CAAA;IACrF,OAAO,OAAgC,CAAA;AACzC,CAAC;AAED,MAAM,UAAU,mBAAmB,CACjC,QAA2B,EAC3B,MAA2B,EAC3B,KAAa,EACb,aAAqB;IAErB,MAAM,IAAI,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAA;IACpC,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;QACjC,aAAa,EAAE,MAAM;QACrB,SAAS,EAAE,MAAM,CAAC,QAAQ;QAC1B,YAAY,EAAE,MAAM,CAAC,WAAW;QAChC,KAAK,EAAE,IAAI,CAAC,MAAM;QAClB,KAAK;QACL,cAAc,EAAE,aAAa;QAC7B,qBAAqB,EAAE,MAAM;KAC9B,CAAC,CAAA;IAEF,OAAO,GAAG,IAAI,CAAC,SAAS,IAAI,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAA;AACjD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,QAA2B,EAC3B,IAAY,EACZ,YAAoB,EACpB,MAA2B;IAE3B,MAAM,IAAI,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAA;IAEpC,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;QAC/B,UAAU,EAAE,oBAAoB;QAChC,IAAI;QACJ,YAAY,EAAE,MAAM,CAAC,WAAW;QAChC,SAAS,EAAE,MAAM,CAAC,QAAQ;QAC1B,aAAa,EAAE,MAAM,CAAC,YAAY;QAClC,aAAa,EAAE,YAAY;KAC5B,CAAC,CAAA;IAEF,MAAM,OAAO,GAA2B;QACtC,cAAc,EAAE,mCAAmC;KACpD,CAAA;IACD,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC1B,OAAO,CAAC,QAAQ,CAAC,GAAG,kBAAkB,CAAA;IACxC,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,KAAK,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAA;IAE5F,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAA;QAClC,MAAM,IAAI,KAAK,CAAC,0BAA0B,QAAQ,CAAC,MAAM,MAAM,IAAI,EAAE,CAAC,CAAA;IACxE,CAAC;IAED,OAAO,QAAQ,CAAC,IAAI,EAAE,CAAA;AACxB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,QAA2B,EAC3B,WAAmB;IAEnB,MAAM,IAAI,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAA;IAEpC,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,QAAQ,EAAE;QAC1C,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,WAAW,EAAE,EAAE;KACpD,CAAC,CAAA;IAEF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,iCAAiC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAA;IACtE,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAA;IAElC,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC1B,IAAI,KAAK,GAAW,IAAI,CAAC,KAAK,IAAI,EAAE,CAAA;QACpC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,oCAAoC,EAAE;gBACjE,OAAO,EAAE;oBACP,aAAa,EAAE,UAAU,WAAW,EAAE;oBACtC,MAAM,EAAE,6BAA6B;iBACtC;aACF,CAAC,CAAA;YACF,IAAI,QAAQ,CAAC,EAAE,EAAE,CAAC;gBAChB,MAAM,MAAM,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAInC,CAAA;gBACF,MAAM,OAAO,GACX,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,QAAQ,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAA;gBAC/E,IAAI,OAAO;oBAAE,KAAK,GAAG,OAAO,CAAC,KAAK,CAAA;YACpC,CAAC;QACH,CAAC;QACD,OAAO;YACL,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;YACnB,KAAK;YACL,IAAI,EAAE,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,KAAK,IAAI,EAAE;YACnC,MAAM,EAAE,IAAI,CAAC,UAAU;SACxB,CAAA;IACH,CAAC;IAED,IAAI,QAAQ,KAAK,WAAW,EAAE,CAAC;QAC7B,OAAO;YACL,EAAE,EAAE,IAAI,CAAC,EAAE;YACX,KAAK,EAAE,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,iBAAiB,IAAI,EAAE;YAChD,IAAI,EAAE,IAAI,CAAC,WAAW,IAAI,EAAE;SAC7B,CAAA;IACH,CAAC;IAED,SAAS;IACT,OAAO;QACL,EAAE,EAAE,IAAI,CAAC,GAAG;QACZ,KAAK,EAAE,IAAI,CAAC,KAAK,IAAI,EAAE;QACvB,IAAI,EAAE,IAAI,CAAC,IAAI,IAAI,EAAE;QACrB,MAAM,EAAE,IAAI,CAAC,OAAO;KACrB,CAAA;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,QAAgB,EAChB,IAAY,EACZ,UAAkB,EAClB,SAAyB,EACzB,MAAc,EACd,EAAO,EACP,UAAoE,EAAE;IAEtE,MAAM,KAAK,GAAG,MAAM,WAAW,CAAC,UAAU,EAAE,MAAM,CAAC,CAAA;IAEnD,IAAI,KAAK,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAA;IACrD,CAAC;IAED,0EAA0E;IAC1E,4EAA4E;IAC5E,qCAAqC;IACrC,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;QAChB,IAAI,CAAC,OAAO,CAAC,aAAa,IAAI,OAAO,CAAC,aAAa,KAAK,KAAK,CAAC,KAAK,EAAE,CAAC;YACpE,MAAM,IAAI,KAAK,CAAC,iEAAiE,CAAC,CAAA;QACpF,CAAC;IACH,CAAC;IAED,MAAM,YAAY,GAAG,QAA6B,CAAA;IAClD,MAAM,cAAc,GAAG,SAAS,CAAC,YAAY,CAAC,CAAA;IAC9C,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,mBAAmB,QAAQ,qBAAqB,CAAC,CAAA;IACnE,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,qBAAqB,CAAC,YAAY,EAAE,IAAI,EAAE,KAAK,CAAC,YAAY,EAAE,cAAc,CAAC,CAAA;IAClG,MAAM,OAAO,GAAG,MAAM,cAAc,CAAC,YAAY,EAAE,MAAM,CAAC,YAAY,CAAC,CAAA;IAEvE,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAA;IACnE,CAAC;IAED,MAAM,eAAe,GAAG,OAAO,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAA;IAE1D,qBAAqB;IACrB,8EAA8E;IAC9E,2EAA2E;IAC3E,gEAAgE;IAChE,2EAA2E;IAC3E,4EAA4E;IAC5E,qEAAqE;IACrE,kEAAkE;IAClE,0DAA0D;IAC1D,8EAA8E;IAC9E,MAAM,YAAY,GAAG,MAAM,EAAE,CAAC,YAAY;QACxC,EAAE,UAAU,EAAE,CAAC;QACb,KAAK,EAAE,EAAE,0BAA0B,EAAE,EAAE,QAAQ,EAAE,iBAAiB,EAAE,OAAO,CAAC,EAAE,EAAE,EAAE;QAClF,OAAO,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE;KACxB,CAAC;SACD,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAA;IAEpB,IAAI,IAAI,GAAG,YAAY,EAAE,IAAI,IAAI,IAAI,CAAA;IAErC,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,SAAS,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC;YACxC,KAAK,EAAE,EAAE,KAAK,EAAE,EAAE,MAAM,EAAE,eAAe,EAAE,IAAI,EAAE,aAAa,EAAE,EAAE;SACnE,CAAC,CAAA;QAEF,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,WAAW,GACf,OAAO,SAAS,CAAC,YAAY,KAAK,QAAQ,IAAI,SAAS,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,CAAA;YACjF,IAAI,WAAW,EAAE,CAAC;gBAChB,uEAAuE;gBACvE,kEAAkE;gBAClE,4DAA4D;gBAC5D,MAAM,IAAI,KAAK,CACb,2HAA2H,CAC5H,CAAA;YACH,CAAC;YACD,IAAI,GAAG,SAAS,CAAA;QAClB,CAAC;IACH,CAAC;IAED,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,IAAI,CAAC,OAAO,CAAC,eAAe,EAAE,CAAC;YAC7B,MAAM,IAAI,KAAK,CACb,mGAAmG,CACpG,CAAA;QACH,CAAC;QACD,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;YACxB,MAAM,OAAO,CAAC,WAAW,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAA;QAC9C,CAAC;QACD,IAAI,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC;YAC1B,IAAI,EAAE;gBACJ,KAAK,EAAE,eAAe;gBACtB,IAAI,EAAE,OAAO,CAAC,IAAI;gBAClB,IAAI,EAAE,QAAQ;gBACd,QAAQ,EAAE,IAAI;gBACd,YAAY,EAAE,IAAI;aACnB;SACF,CAAC,CAAA;IACJ,CAAC;IAED,2EAA2E;IAC3E,4EAA4E;IAC5E,2EAA2E;IAC3E,IAAI,EAAE,CAAC,YAAY,EAAE,MAAM,EAAE,CAAC;QAC5B,MAAM,oBAAoB,GAAG,MAAM,CAAC,YAAY;YAC9C,CAAC,CAAC,MAAM,aAAa,CAAC,MAAM,CAAC,YAAY,CAAC;YAC1C,CAAC,CAAC,IAAI,CAAA;QACR,MAAM,qBAAqB,GAAG,MAAM,CAAC,aAAa;YAChD,CAAC,CAAC,MAAM,aAAa,CAAC,MAAM,CAAC,aAAa,CAAC;YAC3C,CAAC,CAAC,IAAI,CAAA;QAER,MAAM,EAAE,CAAC,YAAY;aAClB,MAAM,CAAC;YACN,KAAK,EAAE,EAAE,0BAA0B,EAAE,EAAE,QAAQ,EAAE,iBAAiB,EAAE,OAAO,CAAC,EAAE,EAAE,EAAE;YAClF,MAAM,EAAE;gBACN,MAAM,EAAE,IAAI,CAAC,EAAE;gBACf,QAAQ;gBACR,iBAAiB,EAAE,OAAO,CAAC,EAAE;gBAC7B,WAAW,EAAE,oBAAoB;gBACjC,YAAY,EAAE,qBAAqB;aACpC;YACD,MAAM,EAAE;gBACN,WAAW,EAAE,oBAAoB;gBACjC,YAAY,EAAE,qBAAqB;aACpC;SACF,CAAC;aACD,KAAK,CAAC,CAAC,GAAY,EAAE,EAAE;YACtB,OAAO,CAAC,KAAK,CACX,kDAAkD,EAClD,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CACzC,CAAA;QACH,CAAC,CAAC,CAAA;IACN,CAAC;IAED,MAAM,YAAY,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC;QAC3C,IAAI,EAAE;YACJ,MAAM,EAAE,IAAI,CAAC,EAAE;YACf,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;SAC1D;KACF,CAAC,CAAA;IAEF,MAAM,KAAK,GAAG,MAAM,aAAa,CAC/B,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,SAAS,EAAE,YAAY,CAAC,EAAE,EAAE,EAChE,EAAE,MAAM,EAAE,CACX,CAAA;IAED,OAAO;QACL,KAAK;QACL,IAAI,EAAE,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE;KAC3E,CAAA;AACH,CAAC;AAED,uGAAuG;AACvG,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,eAAmC,EACnC,YAAoB;IAEpB,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAA;AACpE,CAAC;AAED,qGAAqG;AACrG,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,eAAmC,EACnC,KAAa,EACb,MAAkB;IAElB,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAA;AACpD,CAAC;AAED,wEAAwE;AACxE,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,MAAc,EACd,MAA2B,EAC3B,EAAW;IAEX,MAAM,CAAC,GAAG,EAAS,CAAA;IACnB,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,MAAM,aAAa,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;IACvF,MAAM,YAAY,GAAG,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,MAAM,aAAa,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;IAE1F,IAAI,CAAC,CAAC,YAAY,EAAE,MAAM,EAAE,CAAC;QAC3B,MAAM,CAAC,CAAC,YAAY,CAAC,MAAM,CAAC;YAC1B,KAAK,EAAE;gBACL,0BAA0B,EAAE;oBAC1B,QAAQ,EAAE,MAAM,CAAC,QAAQ;oBACzB,iBAAiB,EAAE,MAAM,CAAC,iBAAiB;iBAC5C;aACF;YACD,MAAM,EAAE;gBACN,MAAM;gBACN,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,iBAAiB,EAAE,MAAM,CAAC,iBAAiB;gBAC3C,WAAW;gBACX,YAAY;gBACZ,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,IAAI;aACpC;YACD,MAAM,EAAE;gBACN,MAAM;gBACN,WAAW;gBACX,YAAY;gBACZ,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,IAAI;aACpC;SACF,CAAC,CAAA;IACJ,CAAC;AACH,CAAC"}
+{"version":3,"file":"oauth.js","sourceRoot":"","sources":["../../src/auth/oauth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,MAAM,CAAA;AACzC,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAA;AAC5C,OAAO,EAAE,aAAa,EAAE,MAAM,+BAA+B,CAAA;AAE7D,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAA;AAEvD,MAAM,MAAM,GAAG,YAAY,CAAC,OAAO,CAAC,CAAA;AAyDpC,MAAM,aAAa,GAAG;IACpB,MAAM,EAAE;QACN,SAAS,EAAE,8CAA8C;QACzD,KAAK,EAAE,qCAAqC;QAC5C,QAAQ,EAAE,+CAA+C;QACzD,MAAM,EAAE,sBAAsB;KAC/B;IACD,MAAM,EAAE;QACN,SAAS,EAAE,0CAA0C;QACrD,KAAK,EAAE,6CAA6C;QACpD,QAAQ,EAAE,6BAA6B;QACvC,MAAM,EAAE,sBAAsB;KAC/B;IACD,SAAS,EAAE;QACT,SAAS,EAAE,gEAAgE;QAC3E,KAAK,EAAE,4DAA4D;QACnE,QAAQ,EAAE,qCAAqC;QAC/C,MAAM,EAAE,sBAAsB;KAC/B;CACO,CAAA;AAIV,SAAS,SAAS,CAAC,MAAmB;IACpC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAA;IACpC,IAAI,MAAM,GAAG,EAAE,CAAA;IACf,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC,CAAA;IAC1C,CAAC;IACD,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAA;AAChF,CAAC;AAED,MAAM,UAAU,oBAAoB;IAClC,MAAM,KAAK,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAA;IACxD,OAAO,SAAS,CAAC,KAAK,CAAC,MAAM,CAAC,CAAA;AAChC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,YAAoB;IAC9D,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CAAA;IACtD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,OAAO,CAAC,CAAA;IAC7D,OAAO,SAAS,CAAC,MAAM,CAAC,CAAA;AAC1B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,QAAgB,EAChB,YAAoB,EACpB,QAAgB,EAChB,MAAc,EACd,KAAc;IAEd,MAAM,SAAS,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;IAClD,MAAM,OAAO,GAAe,KAAK;QAC/B,CAAC,CAAC,EAAE,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,KAAK,EAAE;QAC7C,CAAC,CAAC,EAAE,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,CAAA;IACxC,OAAO,IAAI,OAAO,CAAC,EAAE,GAAG,OAAO,EAAE,CAAC;SAC/B,kBAAkB,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC;SACpC,WAAW,EAAE;SACb,iBAAiB,CAAC,KAAK,CAAC;SACxB,SAAS,CAAC,aAAa,CAAC;SACxB,IAAI,CAAC,SAAS,CAAC,CAAA;AACpB,CAAC;AAED,wFAAwF;AACxF,MAAM,UAAU,kBAAkB;IAChC,MAAM,KAAK,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAA;IACxD,OAAO,SAAS,CAAC,KAAK,CAAC,MAAM,CAAC,CAAA;AAChC,CAAC;AAED;;;;GAIG;AACH,MAAM,OAAO,sBAAuB,SAAQ,KAAK;IAC/C,YAAY,MAAc;QACxB,KAAK,CAAC,6BAA6B,MAAM,EAAE,CAAC,CAAA;QAC5C,IAAI,CAAC,IAAI,GAAG,wBAAwB,CAAA;IACtC,CAAC;CACF;AAED,SAAS,gBAAgB,CAAC,OAAgB;IACxC,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;QACpD,MAAM,IAAI,sBAAsB,CAAC,0BAA0B,CAAC,CAAA;IAC9D,CAAC;IACD,MAAM,CAAC,GAAG,OAAkC,CAAA;IAC5C,IAAI,OAAO,CAAC,CAAC,QAAQ,KAAK,QAAQ,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC9D,MAAM,IAAI,sBAAsB,CAAC,+BAA+B,CAAC,CAAA;IACnE,CAAC;IACD,IAAI,OAAO,CAAC,CAAC,YAAY,KAAK,QAAQ,IAAI,CAAC,CAAC,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtE,MAAM,IAAI,sBAAsB,CAAC,mCAAmC,CAAC,CAAA;IACvE,CAAC;IACD,IAAI,OAAO,CAAC,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACnC,MAAM,IAAI,sBAAsB,CAAC,+BAA+B,CAAC,CAAA;IACnE,CAAC;IACD,IAAI,CAAC,CAAC,KAAK,KAAK,SAAS,IAAI,OAAO,CAAC,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;QACzD,MAAM,IAAI,sBAAsB,CAAC,yCAAyC,CAAC,CAAA;IAC7E,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,UAAkB,EAAE,MAAc;IAClE,MAAM,SAAS,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;IAClD,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,CAAC,UAAU,EAAE,SAAS,EAAE,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC,CAAA;IACrF,gBAAgB,CAAC,OAAO,CAAC,CAAA;IACzB,6EAA6E;IAC7E,MAAM,IAAI,GAAe;QACvB,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,YAAY,EAAE,OAAO,CAAC,YAAY;QAClC,QAAQ,EAAE,OAAO,CAAC,QAAQ;KAC3B,CAAA;IACD,IAAI,OAAO,CAAC,KAAK,KAAK,SAAS;QAAE,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAA;IAC3D,OAAO,IAAI,CAAA;AACb,CAAC;AAED,MAAM,UAAU,mBAAmB,CACjC,QAA2B,EAC3B,MAA2B,EAC3B,KAAa,EACb,aAAqB;IAErB,MAAM,IAAI,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAA;IACpC,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;QACjC,aAAa,EAAE,MAAM;QACrB,SAAS,EAAE,MAAM,CAAC,QAAQ;QAC1B,YAAY,EAAE,MAAM,CAAC,WAAW;QAChC,KAAK,EAAE,IAAI,CAAC,MAAM;QAClB,KAAK;QACL,cAAc,EAAE,aAAa;QAC7B,qBAAqB,EAAE,MAAM;KAC9B,CAAC,CAAA;IAEF,OAAO,GAAG,IAAI,CAAC,SAAS,IAAI,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAA;AACjD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,QAA2B,EAC3B,IAAY,EACZ,YAAoB,EACpB,MAA2B;IAE3B,MAAM,IAAI,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAA;IAEpC,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;QAC/B,UAAU,EAAE,oBAAoB;QAChC,IAAI;QACJ,YAAY,EAAE,MAAM,CAAC,WAAW;QAChC,SAAS,EAAE,MAAM,CAAC,QAAQ;QAC1B,aAAa,EAAE,MAAM,CAAC,YAAY;QAClC,aAAa,EAAE,YAAY;KAC5B,CAAC,CAAA;IAEF,MAAM,OAAO,GAA2B;QACtC,cAAc,EAAE,mCAAmC;KACpD,CAAA;IACD,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC1B,OAAO,CAAC,QAAQ,CAAC,GAAG,kBAAkB,CAAA;IACxC,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,KAAK,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAA;IAE5F,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAA;QAClC,MAAM,IAAI,KAAK,CAAC,0BAA0B,QAAQ,CAAC,MAAM,MAAM,IAAI,EAAE,CAAC,CAAA;IACxE,CAAC;IAED,OAAO,QAAQ,CAAC,IAAI,EAAE,CAAA;AACxB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,QAA2B,EAC3B,WAAmB;IAEnB,MAAM,IAAI,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAA;IAEpC,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,QAAQ,EAAE;QAC1C,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,WAAW,EAAE,EAAE;KACpD,CAAC,CAAA;IAEF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,iCAAiC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAA;IACtE,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAA;IAElC,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC1B,IAAI,KAAK,GAAW,IAAI,CAAC,KAAK,IAAI,EAAE,CAAA;QACpC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,oCAAoC,EAAE;gBACjE,OAAO,EAAE;oBACP,aAAa,EAAE,UAAU,WAAW,EAAE;oBACtC,MAAM,EAAE,6BAA6B;iBACtC;aACF,CAAC,CAAA;YACF,IAAI,QAAQ,CAAC,EAAE,EAAE,CAAC;gBAChB,MAAM,MAAM,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAInC,CAAA;gBACF,MAAM,OAAO,GACX,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,QAAQ,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAA;gBAC/E,IAAI,OAAO;oBAAE,KAAK,GAAG,OAAO,CAAC,KAAK,CAAA;YACpC,CAAC;QACH,CAAC;QACD,OAAO;YACL,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;YACnB,KAAK;YACL,IAAI,EAAE,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,KAAK,IAAI,EAAE;YACnC,MAAM,EAAE,IAAI,CAAC,UAAU;SACxB,CAAA;IACH,CAAC;IAED,IAAI,QAAQ,KAAK,WAAW,EAAE,CAAC;QAC7B,OAAO;YACL,EAAE,EAAE,IAAI,CAAC,EAAE;YACX,KAAK,EAAE,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,iBAAiB,IAAI,EAAE;YAChD,IAAI,EAAE,IAAI,CAAC,WAAW,IAAI,EAAE;SAC7B,CAAA;IACH,CAAC;IAED,SAAS;IACT,OAAO;QACL,EAAE,EAAE,IAAI,CAAC,GAAG;QACZ,KAAK,EAAE,IAAI,CAAC,KAAK,IAAI,EAAE;QACvB,IAAI,EAAE,IAAI,CAAC,IAAI,IAAI,EAAE;QACrB,MAAM,EAAE,IAAI,CAAC,OAAO;KACrB,CAAA;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,QAAgB,EAChB,IAAY,EACZ,UAAkB,EAClB,SAAyB,EACzB,MAAc,EACd,EAAO,EACP,UAAoE,EAAE;IAEtE,MAAM,KAAK,GAAG,MAAM,WAAW,CAAC,UAAU,EAAE,MAAM,CAAC,CAAA;IAEnD,IAAI,KAAK,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAA;IACrD,CAAC;IAED,0EAA0E;IAC1E,4EAA4E;IAC5E,qCAAqC;IACrC,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;QAChB,IAAI,CAAC,OAAO,CAAC,aAAa,IAAI,OAAO,CAAC,aAAa,KAAK,KAAK,CAAC,KAAK,EAAE,CAAC;YACpE,MAAM,IAAI,KAAK,CAAC,iEAAiE,CAAC,CAAA;QACpF,CAAC;IACH,CAAC;IAED,MAAM,YAAY,GAAG,QAA6B,CAAA;IAClD,MAAM,cAAc,GAAG,SAAS,CAAC,YAAY,CAAC,CAAA;IAC9C,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,mBAAmB,QAAQ,qBAAqB,CAAC,CAAA;IACnE,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,qBAAqB,CAAC,YAAY,EAAE,IAAI,EAAE,KAAK,CAAC,YAAY,EAAE,cAAc,CAAC,CAAA;IAClG,MAAM,OAAO,GAAG,MAAM,cAAc,CAAC,YAAY,EAAE,MAAM,CAAC,YAAY,CAAC,CAAA;IAEvE,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAA;IACnE,CAAC;IAED,MAAM,eAAe,GAAG,OAAO,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAA;IAE1D,qBAAqB;IACrB,8EAA8E;IAC9E,2EAA2E;IAC3E,gEAAgE;IAChE,2EAA2E;IAC3E,4EAA4E;IAC5E,qEAAqE;IACrE,kEAAkE;IAClE,0DAA0D;IAC1D,8EAA8E;IAC9E,MAAM,YAAY,GAAG,MAAM,EAAE,CAAC,YAAY;QACxC,EAAE,UAAU,EAAE,CAAC;QACb,KAAK,EAAE,EAAE,0BAA0B,EAAE,EAAE,QAAQ,EAAE,iBAAiB,EAAE,OAAO,CAAC,EAAE,EAAE,EAAE;QAClF,OAAO,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE;KACxB,CAAC;SACD,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAA;IAEpB,IAAI,IAAI,GAAG,YAAY,EAAE,IAAI,IAAI,IAAI,CAAA;IAErC,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,SAAS,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC;YACxC,KAAK,EAAE,EAAE,KAAK,EAAE,EAAE,MAAM,EAAE,eAAe,EAAE,IAAI,EAAE,aAAa,EAAE,EAAE;SACnE,CAAC,CAAA;QAEF,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,WAAW,GACf,OAAO,SAAS,CAAC,YAAY,KAAK,QAAQ,IAAI,SAAS,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,CAAA;YACjF,IAAI,WAAW,EAAE,CAAC;gBAChB,uEAAuE;gBACvE,kEAAkE;gBAClE,4DAA4D;gBAC5D,MAAM,IAAI,KAAK,CACb,2HAA2H,CAC5H,CAAA;YACH,CAAC;YACD,IAAI,GAAG,SAAS,CAAA;QAClB,CAAC;IACH,CAAC;IAED,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,IAAI,CAAC,OAAO,CAAC,eAAe,EAAE,CAAC;YAC7B,MAAM,IAAI,KAAK,CACb,mGAAmG,CACpG,CAAA;QACH,CAAC;QACD,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;YACxB,MAAM,OAAO,CAAC,WAAW,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAA;QAC9C,CAAC;QACD,IAAI,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC;YAC1B,IAAI,EAAE;gBACJ,KAAK,EAAE,eAAe;gBACtB,IAAI,EAAE,OAAO,CAAC,IAAI;gBAClB,IAAI,EAAE,QAAQ;gBACd,QAAQ,EAAE,IAAI;gBACd,YAAY,EAAE,IAAI;aACnB;SACF,CAAC,CAAA;IACJ,CAAC;IAED,2EAA2E;IAC3E,4EAA4E;IAC5E,2EAA2E;IAC3E,IAAI,EAAE,CAAC,YAAY,EAAE,MAAM,EAAE,CAAC;QAC5B,MAAM,oBAAoB,GAAG,MAAM,CAAC,YAAY;YAC9C,CAAC,CAAC,MAAM,aAAa,CAAC,MAAM,CAAC,YAAY,CAAC;YAC1C,CAAC,CAAC,IAAI,CAAA;QACR,MAAM,qBAAqB,GAAG,MAAM,CAAC,aAAa;YAChD,CAAC,CAAC,MAAM,aAAa,CAAC,MAAM,CAAC,aAAa,CAAC;YAC3C,CAAC,CAAC,IAAI,CAAA;QAER,MAAM,EAAE,CAAC,YAAY;aAClB,MAAM,CAAC;YACN,KAAK,EAAE,EAAE,0BAA0B,EAAE,EAAE,QAAQ,EAAE,iBAAiB,EAAE,OAAO,CAAC,EAAE,EAAE,EAAE;YAClF,MAAM,EAAE;gBACN,MAAM,EAAE,IAAI,CAAC,EAAE;gBACf,QAAQ;gBACR,iBAAiB,EAAE,OAAO,CAAC,EAAE;gBAC7B,WAAW,EAAE,oBAAoB;gBACjC,YAAY,EAAE,qBAAqB;aACpC;YACD,MAAM,EAAE;gBACN,WAAW,EAAE,oBAAoB;gBACjC,YAAY,EAAE,qBAAqB;aACpC;SACF,CAAC;aACD,KAAK,CAAC,CAAC,GAAY,EAAE,EAAE;YACtB,MAAM,CAAC,KAAK,CAAC,gCAAgC,EAAE;gBAC7C,MAAM,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;aACzD,CAAC,CAAA;QACJ,CAAC,CAAC,CAAA;IACN,CAAC;IAED,MAAM,YAAY,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC;QAC3C,IAAI,EAAE;YACJ,MAAM,EAAE,IAAI,CAAC,EAAE;YACf,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;SAC1D;KACF,CAAC,CAAA;IAEF,MAAM,KAAK,GAAG,MAAM,aAAa,CAC/B,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,SAAS,EAAE,YAAY,CAAC,EAAE,EAAE,EAChE,EAAE,MAAM,EAAE,CACX,CAAA;IAED,OAAO;QACL,KAAK;QACL,IAAI,EAAE,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE;KAC3E,CAAA;AACH,CAAC;AAED,uGAAuG;AACvG,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,eAAmC,EACnC,YAAoB;IAEpB,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAA;AACpE,CAAC;AAED,qGAAqG;AACrG,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,eAAmC,EACnC,KAAa,EACb,MAAkB;IAElB,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAA;AACpD,CAAC;AAED,wEAAwE;AACxE,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,MAAc,EACd,MAA2B,EAC3B,EAAW;IAEX,MAAM,CAAC,GAAG,EAAS,CAAA;IACnB,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,MAAM,aAAa,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;IACvF,MAAM,YAAY,GAAG,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,MAAM,aAAa,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;IAE1F,IAAI,CAAC,CAAC,YAAY,EAAE,MAAM,EAAE,CAAC;QAC3B,MAAM,CAAC,CAAC,YAAY,CAAC,MAAM,CAAC;YAC1B,KAAK,EAAE;gBACL,0BAA0B,EAAE;oBAC1B,QAAQ,EAAE,MAAM,CAAC,QAAQ;oBACzB,iBAAiB,EAAE,MAAM,CAAC,iBAAiB;iBAC5C;aACF;YACD,MAAM,EAAE;gBACN,MAAM;gBACN,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,iBAAiB,EAAE,MAAM,CAAC,iBAAiB;gBAC3C,WAAW;gBACX,YAAY;gBACZ,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,IAAI;aACpC;YACD,MAAM,EAAE;gBACN,MAAM;gBACN,WAAW;gBACX,YAAY;gBACZ,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,IAAI;aACpC;SACF,CAAC,CAAA;IACJ,CAAC;AACH,CAAC"}

package/dist/auth/password.d.ts

@@ -1,8 +1,41 @@
 import type { PasswordPolicy } from '../config/types.js';
-/** Hash a password using Web Crypto API (PBKDF2). */
+/**
+ * PBKDF2 iteration count. Bumped from 100,000 (insufficient by 2026 standards)
+ * to 600,000 to align with OWASP/NIST 2023+ guidance for PBKDF2-HMAC-SHA256.
+ * The hash format embeds the iteration count, so existing 100k hashes still
+ * verify correctly — `verifyPassword` reads the count from the stored string,
+ * and `needsRehash` lets callers (login.ts) opportunistically upgrade old
+ * hashes when the user signs in with the correct password.
+ */
+export declare const PBKDF2_ITERATIONS = 600000;
+/** Hash a password using Web Crypto API (PBKDF2-HMAC-SHA256). */
 export declare function hashPassword(password: string): Promise<string>;
-/** Verify a password against its stored hash. */
+/**
+ * Verify a password against its stored hash.
+ *
+ * Reads the iteration count from the stored hash so old hashes (100k from
+ * pre-2026 deployments) and current hashes (600k) both verify. Pair with
+ * `needsRehash` at the login site to opportunistically upgrade old hashes.
+ */
 export declare function verifyPassword(password: string, storedHash: string): Promise<boolean>;
+/**
+ * Returns true when the stored hash uses fewer iterations than current policy.
+ *
+ * Login flow should: verify -> if `needsRehash` -> hash again with current
+ * params -> persist. This upgrades old hashes silently as users sign in.
+ */
+export declare function needsRehash(storedHash: string): boolean;
+/**
+ * Returns a PBKDF2 verification result against the module-level dummy hash.
+ * The hash is shared across all calls (and across all unknown emails) — it
+ * doesn't matter that it's deterministic per-process, because the comparison
+ * itself takes constant time and the attacker only learns "not the dummy
+ * hash" — which they already know.
+ *
+ * The boolean return is meaningless for callers and is intentionally always
+ * `false` in practice; it exists so the type matches `verifyPassword`.
+ */
+export declare function compareToDummyHash(password: string): Promise<boolean>;
 /** Validate a password against the configured policy rules. */
 export declare function validatePasswordPolicy(password: string, policy: PasswordPolicy): {
     valid: boolean;

package/dist/auth/password.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"password.d.ts","sourceRoot":"","sources":["../../src/auth/password.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAA;AAGxD,qDAAqD;AACrD,wBAAsB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAiBpE;AAED,iDAAiD;AACjD,wBAAsB,cAAc,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAqB3F;AAED,+DAA+D;AAC/D,wBAAgB,sBAAsB,CACpC,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,cAAc,GACrB;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,EAAE,CAAA;CAAE,CAoBtC;AAED,6EAA6E;AAC7E,OAAO,EAAE,aAAa,IAAI,mBAAmB,EAAE,MAAM,6BAA6B,CAAA"}
+{"version":3,"file":"password.d.ts","sourceRoot":"","sources":["../../src/auth/password.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAA;AAGxD;;;;;;;GAOG;AACH,eAAO,MAAM,iBAAiB,SAAU,CAAA;AAExC,iEAAiE;AACjE,wBAAsB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAiBpE;AAED;;;;;;GAMG;AACH,wBAAsB,cAAc,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CA+B3F;AAED;;;;;GAKG;AACH,wBAAgB,WAAW,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAOvD;AAsCD;;;;;;;;;GASG;AACH,wBAAsB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAG3E;AAED,+DAA+D;AAC/D,wBAAgB,sBAAsB,CACpC,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,cAAc,GACrB;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,EAAE,CAAA;CAAE,CAoBtC;AAED,6EAA6E;AAC7E,OAAO,EAAE,aAAa,IAAI,mBAAmB,EAAE,MAAM,6BAA6B,CAAA"}

package/dist/auth/password.js

@@ -1,27 +1,117 @@
 import { timingSafeEqual } from 'node:crypto';
-/** Hash a password using Web Crypto API (PBKDF2). */
+/**
+ * PBKDF2 iteration count. Bumped from 100,000 (insufficient by 2026 standards)
+ * to 600,000 to align with OWASP/NIST 2023+ guidance for PBKDF2-HMAC-SHA256.
+ * The hash format embeds the iteration count, so existing 100k hashes still
+ * verify correctly — `verifyPassword` reads the count from the stored string,
+ * and `needsRehash` lets callers (login.ts) opportunistically upgrade old
+ * hashes when the user signs in with the correct password.
+ */
+export const PBKDF2_ITERATIONS = 600_000;
+/** Hash a password using Web Crypto API (PBKDF2-HMAC-SHA256). */
 export async function hashPassword(password) {
     const salt = crypto.getRandomValues(new Uint8Array(16));
     const key = await crypto.subtle.importKey('raw', new TextEncoder().encode(password), 'PBKDF2', false, ['deriveBits']);
-    const derived = await crypto.subtle.deriveBits({ name: 'PBKDF2', salt, iterations: 100_000, hash: 'SHA-256' }, key, 256);
+    const derived = await crypto.subtle.deriveBits({ name: 'PBKDF2', salt, iterations: PBKDF2_ITERATIONS, hash: 'SHA-256' }, key, 256);
     const saltHex = Buffer.from(salt).toString('hex');
     const hashHex = Buffer.from(derived).toString('hex');
-    return `pbkdf2:100000:${saltHex}:${hashHex}`;
+    return `pbkdf2:${PBKDF2_ITERATIONS}:${saltHex}:${hashHex}`;
 }
-/** Verify a password against its stored hash. */
+/**
+ * Verify a password against its stored hash.
+ *
+ * Reads the iteration count from the stored hash so old hashes (100k from
+ * pre-2026 deployments) and current hashes (600k) both verify. Pair with
+ * `needsRehash` at the login site to opportunistically upgrade old hashes.
+ */
 export async function verifyPassword(password, storedHash) {
-    const [, , saltHex, hashHex] = storedHash.split(':');
-    if (!saltHex || !hashHex)
+    const parts = storedHash.split(':');
+    if (parts.length !== 4)
         return false;
+    const [, iterStr, saltHex, hashHex] = parts;
+    if (!iterStr || !saltHex || !hashHex)
+        return false;
+    const iterations = parseInt(iterStr, 10);
+    // Bound the iteration count: refuse anything below 10k (almost certainly
+    // a corrupted hash) or above 5M (DoS guard — an attacker who controls a
+    // user's stored hash could otherwise pin a worker for tens of seconds per
+    // login attempt).
+    if (!Number.isFinite(iterations) || iterations < 10_000 || iterations > 5_000_000) {
+        return false;
+    }
     const salt = Buffer.from(saltHex, 'hex');
     const key = await crypto.subtle.importKey('raw', new TextEncoder().encode(password), 'PBKDF2', false, ['deriveBits']);
-    const derived = await crypto.subtle.deriveBits({ name: 'PBKDF2', salt, iterations: 100_000, hash: 'SHA-256' }, key, 256);
+    const derived = await crypto.subtle.deriveBits({ name: 'PBKDF2', salt, iterations, hash: 'SHA-256' }, key, 256);
     const derivedBuf = Buffer.from(derived);
     const storedBuf = Buffer.from(hashHex, 'hex');
     if (derivedBuf.length !== storedBuf.length)
         return false;
     return timingSafeEqual(derivedBuf, storedBuf);
 }
+/**
+ * Returns true when the stored hash uses fewer iterations than current policy.
+ *
+ * Login flow should: verify -> if `needsRehash` -> hash again with current
+ * params -> persist. This upgrades old hashes silently as users sign in.
+ */
+export function needsRehash(storedHash) {
+    const parts = storedHash.split(':');
+    if (parts.length !== 4)
+        return false;
+    const iterStr = parts[1];
+    const iterations = iterStr ? parseInt(iterStr, 10) : 0;
+    if (!Number.isFinite(iterations))
+        return false;
+    return iterations < PBKDF2_ITERATIONS;
+}
+/**
+ * A stable dummy PBKDF2 hash used to keep login response time roughly constant
+ * regardless of whether the email exists. When the user is not found, the
+ * login handler still runs `verifyPassword(submittedPassword, dummyHash)` so
+ * the timing channel that distinguished "no user" from "wrong password"
+ * disappears.
+ *
+ * Initialised eagerly at module load via a top-level Promise. Without this,
+ * the very first call to `compareToDummyHash` after a cold start would have
+ * to run `hashPassword` (600k iterations) *and* `verifyPassword` (another
+ * 600k iterations) — roughly 2× the latency of a normal verify, which
+ * recreates the user-enumeration timing channel this defense is meant to
+ * close. The Promise is awaited inside `compareToDummyHash`, so callers
+ * never see a partial hash.
+ *
+ * Why a Promise instead of a string returned from a top-level await:
+ *   - The Web Crypto PBKDF2 derivation is asynchronous; we can't compute it
+ *     synchronously at module top level without forcing every importer to
+ *     also support top-level await.
+ *   - Storing the in-flight Promise lets the work start at module load and
+ *     overlap with the first request, rather than blocking on it.
+ */
+const _dummyHashPromise = (async () => {
+    const dummyPlaintext = Buffer.from(crypto.getRandomValues(new Uint8Array(32))).toString('hex');
+    return hashPassword(dummyPlaintext);
+})();
+// Surface uncaught rejections so that — if the eager hash ever fails — we
+// see it in logs at startup, not on the first login. Without this handler,
+// Node would emit an unhandledRejection warning the moment a request hits
+// `compareToDummyHash`.
+_dummyHashPromise.catch((err) => {
+    // eslint-disable-next-line no-console
+    console.error('[actuate][auth] failed to precompute dummy login hash:', err);
+});
+/**
+ * Returns a PBKDF2 verification result against the module-level dummy hash.
+ * The hash is shared across all calls (and across all unknown emails) — it
+ * doesn't matter that it's deterministic per-process, because the comparison
+ * itself takes constant time and the attacker only learns "not the dummy
+ * hash" — which they already know.
+ *
+ * The boolean return is meaningless for callers and is intentionally always
+ * `false` in practice; it exists so the type matches `verifyPassword`.
+ */
+export async function compareToDummyHash(password) {
+    const dummyHash = await _dummyHashPromise;
+    return verifyPassword(password, dummyHash);
+}
 /** Validate a password against the configured policy rules. */
 export function validatePasswordPolicy(password, policy) {
     const errors = [];

package/dist/auth/password.js.map

@@ -1 +1 @@
-{"version":3,"file":"password.js","sourceRoot":"","sources":["../../src/auth/password.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAA;AAE7C,qDAAqD;AACrD,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,QAAgB;IACjD,MAAM,IAAI,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAA;IACvD,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,EAClC,QAAQ,EACR,KAAK,EACL,CAAC,YAAY,CAAC,CACf,CAAA;IACD,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,UAAU,CAC5C,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,EAC9D,GAAG,EACH,GAAG,CACJ,CAAA;IACD,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IACjD,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IACpD,OAAO,iBAAiB,OAAO,IAAI,OAAO,EAAE,CAAA;AAC9C,CAAC;AAED,iDAAiD;AACjD,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,QAAgB,EAAE,UAAkB;IACvE,MAAM,CAAC,EAAE,AAAD,EAAG,OAAO,EAAE,OAAO,CAAC,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACpD,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAA;IAEtC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,CAAA;IACxC,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,EAClC,QAAQ,EACR,KAAK,EACL,CAAC,YAAY,CAAC,CACf,CAAA;IACD,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,UAAU,CAC5C,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,EAC9D,GAAG,EACH,GAAG,CACJ,CAAA;IACD,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;IACvC,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,CAAA;IAC7C,IAAI,UAAU,CAAC,MAAM,KAAK,SAAS,CAAC,MAAM;QAAE,OAAO,KAAK,CAAA;IACxD,OAAO,eAAe,CAAC,UAAU,EAAE,SAAS,CAAC,CAAA;AAC/C,CAAC;AAED,+DAA+D;AAC/D,MAAM,UAAU,sBAAsB,CACpC,QAAgB,EAChB,MAAsB;IAEtB,MAAM,MAAM,GAAa,EAAE,CAAA;IAE3B,IAAI,MAAM,CAAC,SAAS,IAAI,QAAQ,CAAC,MAAM,GAAG,MAAM,CAAC,SAAS,EAAE,CAAC;QAC3D,MAAM,CAAC,IAAI,CAAC,6BAA6B,MAAM,CAAC,SAAS,aAAa,CAAC,CAAA;IACzE,CAAC;IACD,IAAI,MAAM,CAAC,gBAAgB,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QACvD,MAAM,CAAC,IAAI,CAAC,2CAA2C,CAAC,CAAA;IAC1D,CAAC;IACD,IAAI,MAAM,CAAC,gBAAgB,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QACvD,MAAM,CAAC,IAAI,CAAC,0CAA0C,CAAC,CAAA;IACzD,CAAC;IACD,IAAI,MAAM,CAAC,cAAc,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QAClD,MAAM,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAA;IAC9C,CAAC;IACD,IAAI,MAAM,CAAC,mBAAmB,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QACjE,MAAM,CAAC,IAAI,CAAC,2CAA2C,CAAC,CAAA;IAC1D,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,MAAM,EAAE,CAAA;AAC/C,CAAC;AAED,6EAA6E;AAC7E,OAAO,EAAE,aAAa,IAAI,mBAAmB,EAAE,MAAM,6BAA6B,CAAA"}
+{"version":3,"file":"password.js","sourceRoot":"","sources":["../../src/auth/password.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAA;AAE7C;;;;;;;GAOG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAG,OAAO,CAAA;AAExC,iEAAiE;AACjE,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,QAAgB;IACjD,MAAM,IAAI,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAA;IACvD,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,EAClC,QAAQ,EACR,KAAK,EACL,CAAC,YAAY,CAAC,CACf,CAAA;IACD,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,UAAU,CAC5C,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,UAAU,EAAE,iBAAiB,EAAE,IAAI,EAAE,SAAS,EAAE,EACxE,GAAG,EACH,GAAG,CACJ,CAAA;IACD,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IACjD,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IACpD,OAAO,UAAU,iBAAiB,IAAI,OAAO,IAAI,OAAO,EAAE,CAAA;AAC5D,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,QAAgB,EAAE,UAAkB;IACvE,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACnC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAA;IACpC,MAAM,CAAC,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,GAAG,KAAK,CAAA;IAC3C,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAA;IAClD,MAAM,UAAU,GAAG,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC,CAAA;IACxC,yEAAyE;IACzE,wEAAwE;IACxE,0EAA0E;IAC1E,kBAAkB;IAClB,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,UAAU,GAAG,MAAM,IAAI,UAAU,GAAG,SAAS,EAAE,CAAC;QAClF,OAAO,KAAK,CAAA;IACd,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,CAAA;IACxC,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,EAClC,QAAQ,EACR,KAAK,EACL,CAAC,YAAY,CAAC,CACf,CAAA;IACD,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,UAAU,CAC5C,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,SAAS,EAAE,EACrD,GAAG,EACH,GAAG,CACJ,CAAA;IACD,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;IACvC,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,CAAA;IAC7C,IAAI,UAAU,CAAC,MAAM,KAAK,SAAS,CAAC,MAAM;QAAE,OAAO,KAAK,CAAA;IACxD,OAAO,eAAe,CAAC,UAAU,EAAE,SAAS,CAAC,CAAA;AAC/C,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,WAAW,CAAC,UAAkB;IAC5C,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACnC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAA;IACpC,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;IACxB,MAAM,UAAU,GAAG,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAA;IACtD,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC;QAAE,OAAO,KAAK,CAAA;IAC9C,OAAO,UAAU,GAAG,iBAAiB,CAAA;AACvC,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,iBAAiB,GAAoB,CAAC,KAAK,IAAI,EAAE;IACrD,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IAC9F,OAAO,YAAY,CAAC,cAAc,CAAC,CAAA;AACrC,CAAC,CAAC,EAAE,CAAA;AAEJ,0EAA0E;AAC1E,2EAA2E;AAC3E,0EAA0E;AAC1E,wBAAwB;AACxB,iBAAiB,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;IAC9B,sCAAsC;IACtC,OAAO,CAAC,KAAK,CAAC,wDAAwD,EAAE,GAAG,CAAC,CAAA;AAC9E,CAAC,CAAC,CAAA;AAEF;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,QAAgB;IACvD,MAAM,SAAS,GAAG,MAAM,iBAAiB,CAAA;IACzC,OAAO,cAAc,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAA;AAC5C,CAAC;AAED,+DAA+D;AAC/D,MAAM,UAAU,sBAAsB,CACpC,QAAgB,EAChB,MAAsB;IAEtB,MAAM,MAAM,GAAa,EAAE,CAAA;IAE3B,IAAI,MAAM,CAAC,SAAS,IAAI,QAAQ,CAAC,MAAM,GAAG,MAAM,CAAC,SAAS,EAAE,CAAC;QAC3D,MAAM,CAAC,IAAI,CAAC,6BAA6B,MAAM,CAAC,SAAS,aAAa,CAAC,CAAA;IACzE,CAAC;IACD,IAAI,MAAM,CAAC,gBAAgB,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QACvD,MAAM,CAAC,IAAI,CAAC,2CAA2C,CAAC,CAAA;IAC1D,CAAC;IACD,IAAI,MAAM,CAAC,gBAAgB,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QACvD,MAAM,CAAC,IAAI,CAAC,0CAA0C,CAAC,CAAA;IACzD,CAAC;IACD,IAAI,MAAM,CAAC,cAAc,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QAClD,MAAM,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAA;IAC9C,CAAC;IACD,IAAI,MAAM,CAAC,mBAAmB,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QACjE,MAAM,CAAC,IAAI,CAAC,2CAA2C,CAAC,CAAA;IAC1D,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,MAAM,EAAE,CAAA;AAC/C,CAAC;AAED,6EAA6E;AAC7E,OAAO,EAAE,aAAa,IAAI,mBAAmB,EAAE,MAAM,6BAA6B,CAAA"}

package/dist/auth/reset.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"reset.d.ts","sourceRoot":"","sources":["../../src/auth/reset.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,UAAU;IACzB,GAAG,EAAE,MAAM,CAAA;IACX,IAAI,EAAE,MAAM,CAAA;CACb;AAID,4EAA4E;AAC5E,wBAAgB,kBAAkB,IAAI,UAAU,CAI/C;AAED,2EAA2E;AAC3E,wBAAgB,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAE7C;AAED;;;;GAIG;AACH,wBAAsB,mBAAmB,CACvC,EAAE,EAAE,GAAG,EACP,KAAK,EAAE,MAAM,EACb,MAAM,EAAE;IACN,OAAO,EAAE,MAAM,CAAA;IACf,QAAQ,CAAC,EAAE;QACT,KAAK,CAAC,EAAE;YACN,IAAI,EAAE,CAAC,IAAI,EAAE;gBAAE,EAAE,EAAE,MAAM,CAAC;gBAAC,OAAO,EAAE,MAAM,CAAC;gBAAC,IAAI,EAAE,MAAM,CAAC;gBAAC,IAAI,CAAC,EAAE,MAAM,CAAA;aAAE,KAAK,OAAO,CAAC,IAAI,CAAC,CAAA;SAC5F,CAAA;KACF,CAAA;CACF,GACA,OAAO,CAAC,IAAI,CAAC,CAqCf;AAED;;;GAGG;AACH,wBAAsB,oBAAoB,CACxC,EAAE,EAAE,GAAG,EACP,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAuD/C"}
+{"version":3,"file":"reset.d.ts","sourceRoot":"","sources":["../../src/auth/reset.ts"],"names":[],"mappings":"AAIA,MAAM,WAAW,UAAU;IACzB,GAAG,EAAE,MAAM,CAAA;IACX,IAAI,EAAE,MAAM,CAAA;CACb;AAID,4EAA4E;AAC5E,wBAAgB,kBAAkB,IAAI,UAAU,CAI/C;AAED,2EAA2E;AAC3E,wBAAgB,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAE7C;AAED;;;;GAIG;AACH,wBAAsB,mBAAmB,CACvC,EAAE,EAAE,GAAG,EACP,KAAK,EAAE,MAAM,EACb,MAAM,EAAE;IACN,OAAO,EAAE,MAAM,CAAA;IACf,QAAQ,CAAC,EAAE;QACT,KAAK,CAAC,EAAE;YACN,IAAI,EAAE,CAAC,IAAI,EAAE;gBAAE,EAAE,EAAE,MAAM,CAAC;gBAAC,OAAO,EAAE,MAAM,CAAC;gBAAC,IAAI,EAAE,MAAM,CAAC;gBAAC,IAAI,CAAC,EAAE,MAAM,CAAA;aAAE,KAAK,OAAO,CAAC,IAAI,CAAC,CAAA;SAC5F,CAAA;KACF,CAAA;CACF,GACA,OAAO,CAAC,IAAI,CAAC,CAqCf;AAED;;;GAGG;AACH,wBAAsB,oBAAoB,CACxC,EAAE,EAAE,GAAG,EACP,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAuD/C"}

package/dist/auth/reset.js

@@ -1,5 +1,6 @@
 import { randomBytes, createHash } from 'node:crypto';
 import { hashPassword, validatePasswordPolicy } from './password.js';
+import { getActuateConfig } from '../config/runtime.js';
 const TOKEN_EXPIRY_MS = 60 * 60 * 1000; // 1 hour
 /** Generate a cryptographically random reset token and its SHA-256 hash. */
 export function generateResetToken() {
@@ -75,7 +76,7 @@ export async function executePasswordReset(db, rawToken, newPassword) {
     // this, the reset endpoint becomes a back-door for weak passwords. We use
     // a sensible default; integrators that want stricter rules should call
     // this through their own wrapper.
-    const cmsConfig = globalThis.__actuateConfig;
+    const cmsConfig = getActuateConfig();
     const passwordPolicy = cmsConfig?.auth?.passwordPolicy ?? {
         minLength: 12,
         requireUppercase: true,

package/dist/auth/reset.js.map

@@ -1 +1 @@
-{"version":3,"file":"reset.js","sourceRoot":"","sources":["../../src/auth/reset.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AACrD,OAAO,EAAE,YAAY,EAAE,sBAAsB,EAAE,MAAM,eAAe,CAAA;AAOpE,MAAM,eAAe,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAA,CAAC,SAAS;AAEhD,4EAA4E;AAC5E,MAAM,UAAU,kBAAkB;IAChC,MAAM,GAAG,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IAC3C,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;IAC3D,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,CAAA;AACtB,CAAC;AAED,2EAA2E;AAC3E,MAAM,UAAU,SAAS,CAAC,GAAW;IACnC,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;AACvD,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,EAAO,EACP,KAAa,EACb,MAOC;IAED,4EAA4E;IAC5E,6EAA6E;IAC7E,8DAA8D;IAC9D,MAAM,UAAU,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAA;IAC7C,IAAI,CAAC,UAAU;QAAE,OAAM;IAEvB,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC;QACnC,KAAK,EAAE,EAAE,KAAK,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,IAAI,EAAE,aAAa,EAAE,EAAE;KAC9D,CAAC,CAAA;IACF,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,QAAQ;QAAE,OAAM;IAEnC,MAAM,EAAE,CAAC,kBAAkB,CAAC,UAAU,CAAC;QACrC,KAAK,EAAE,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE;QACxC,IAAI,EAAE,EAAE,MAAM,EAAE,IAAI,IAAI,EAAE,EAAE;KAC7B,CAAC,CAAA;IAEF,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,kBAAkB,EAAE,CAAA;IAC1C,MAAM,EAAE,CAAC,kBAAkB,CAAC,MAAM,CAAC;QACjC,IAAI,EAAE;YACJ,MAAM,EAAE,IAAI,CAAC,EAAE;YACf,SAAS,EAAE,IAAI;YACf,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,eAAe,CAAC;SAClD;KACF,CAAC,CAAA;IAEF,IAAI,MAAM,CAAC,QAAQ,EAAE,KAAK,EAAE,CAAC;QAC3B,MAAM,QAAQ,GAAG,GAAG,MAAM,CAAC,OAAO,+BAA+B,GAAG,EAAE,CAAA;QACtE,MAAM,EAAE,qBAAqB,EAAE,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAA;QAClE,MAAM,GAAG,GAAG,qBAAqB,CAAC,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAA;QACpE,MAAM,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC;YAC/B,EAAE,EAAE,IAAI,CAAC,KAAK;YACd,OAAO,EAAE,GAAG,CAAC,OAAO;YACpB,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,IAAI,EAAE,GAAG,CAAC,IAAI;SACf,CAAC,CAAA;IACJ,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,EAAO,EACP,QAAgB,EAChB,WAAmB;IAEnB,MAAM,SAAS,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAA;IAErC,MAAM,UAAU,GAAG,MAAM,EAAE,CAAC,kBAAkB,CAAC,SAAS,CAAC;QACvD,KAAK,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE;QAClC,OAAO,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE;KACxB,CAAC,CAAA;IAEF,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,gCAAgC,EAAE,CAAA;IACpE,CAAC;IAED,IAAI,UAAU,CAAC,SAAS,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;QACtC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,wDAAwD,EAAE,CAAA;IAC5F,CAAC;IAED,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;QAC9B,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,oCAAoC,EAAE,CAAA;IACxE,CAAC;IAED,0EAA0E;IAC1E,0EAA0E;IAC1E,uEAAuE;IACvE,kCAAkC;IAClC,MAAM,SAAS,GAAI,UAAkB,CAAC,eAAe,CAAA;IACrD,MAAM,cAAc,GAAG,SAAS,EAAE,IAAI,EAAE,cAAc,IAAI;QACxD,SAAS,EAAE,EAAE;QACb,gBAAgB,EAAE,IAAI;QACtB,gBAAgB,EAAE,IAAI;QACtB,cAAc,EAAE,IAAI;QACpB,mBAAmB,EAAE,KAAK;KAC3B,CAAA;IACD,MAAM,MAAM,GAAG,sBAAsB,CAAC,WAAW,EAAE,cAAc,CAAC,CAAA;IAClE,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;QAClB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,sCAAsC,EAAE,CAAA;IAC9F,CAAC;IAED,MAAM,YAAY,GAAG,MAAM,YAAY,CAAC,WAAW,CAAC,CAAA;IAEpD,MAAM,EAAE,CAAC,YAAY,CAAC;QACpB,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC;YACb,KAAK,EAAE,EAAE,EAAE,EAAE,UAAU,CAAC,MAAM,EAAE;YAChC,IAAI,EAAE,EAAE,YAAY,EAAE;SACvB,CAAC;QACF,EAAE,CAAC,kBAAkB,CAAC,MAAM,CAAC;YAC3B,KAAK,EAAE,EAAE,EAAE,EAAE,UAAU,CAAC,EAAE,EAAE;YAC5B,IAAI,EAAE,EAAE,MAAM,EAAE,IAAI,IAAI,EAAE,EAAE;SAC7B,CAAC;QACF,EAAE,CAAC,OAAO,CAAC,UAAU,CAAC;YACpB,KAAK,EAAE,EAAE,MAAM,EAAE,UAAU,CAAC,MAAM,EAAE,SAAS,EAAE,IAAI,EAAE;YACrD,IAAI,EAAE,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,EAAE;SAChC,CAAC;KACH,CAAC,CAAA;IAEF,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAA;AAC1B,CAAC"}
+{"version":3,"file":"reset.js","sourceRoot":"","sources":["../../src/auth/reset.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AACrD,OAAO,EAAE,YAAY,EAAE,sBAAsB,EAAE,MAAM,eAAe,CAAA;AACpE,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAA;AAOvD,MAAM,eAAe,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAA,CAAC,SAAS;AAEhD,4EAA4E;AAC5E,MAAM,UAAU,kBAAkB;IAChC,MAAM,GAAG,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IAC3C,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;IAC3D,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,CAAA;AACtB,CAAC;AAED,2EAA2E;AAC3E,MAAM,UAAU,SAAS,CAAC,GAAW;IACnC,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;AACvD,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,EAAO,EACP,KAAa,EACb,MAOC;IAED,4EAA4E;IAC5E,6EAA6E;IAC7E,8DAA8D;IAC9D,MAAM,UAAU,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAA;IAC7C,IAAI,CAAC,UAAU;QAAE,OAAM;IAEvB,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC;QACnC,KAAK,EAAE,EAAE,KAAK,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,IAAI,EAAE,aAAa,EAAE,EAAE;KAC9D,CAAC,CAAA;IACF,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,QAAQ;QAAE,OAAM;IAEnC,MAAM,EAAE,CAAC,kBAAkB,CAAC,UAAU,CAAC;QACrC,KAAK,EAAE,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE;QACxC,IAAI,EAAE,EAAE,MAAM,EAAE,IAAI,IAAI,EAAE,EAAE;KAC7B,CAAC,CAAA;IAEF,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,kBAAkB,EAAE,CAAA;IAC1C,MAAM,EAAE,CAAC,kBAAkB,CAAC,MAAM,CAAC;QACjC,IAAI,EAAE;YACJ,MAAM,EAAE,IAAI,CAAC,EAAE;YACf,SAAS,EAAE,IAAI;YACf,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,eAAe,CAAC;SAClD;KACF,CAAC,CAAA;IAEF,IAAI,MAAM,CAAC,QAAQ,EAAE,KAAK,EAAE,CAAC;QAC3B,MAAM,QAAQ,GAAG,GAAG,MAAM,CAAC,OAAO,+BAA+B,GAAG,EAAE,CAAA;QACtE,MAAM,EAAE,qBAAqB,EAAE,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAA;QAClE,MAAM,GAAG,GAAG,qBAAqB,CAAC,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAA;QACpE,MAAM,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC;YAC/B,EAAE,EAAE,IAAI,CAAC,KAAK;YACd,OAAO,EAAE,GAAG,CAAC,OAAO;YACpB,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,IAAI,EAAE,GAAG,CAAC,IAAI;SACf,CAAC,CAAA;IACJ,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,EAAO,EACP,QAAgB,EAChB,WAAmB;IAEnB,MAAM,SAAS,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAA;IAErC,MAAM,UAAU,GAAG,MAAM,EAAE,CAAC,kBAAkB,CAAC,SAAS,CAAC;QACvD,KAAK,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE;QAClC,OAAO,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE;KACxB,CAAC,CAAA;IAEF,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,gCAAgC,EAAE,CAAA;IACpE,CAAC;IAED,IAAI,UAAU,CAAC,SAAS,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;QACtC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,wDAAwD,EAAE,CAAA;IAC5F,CAAC;IAED,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;QAC9B,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,oCAAoC,EAAE,CAAA;IACxE,CAAC;IAED,0EAA0E;IAC1E,0EAA0E;IAC1E,uEAAuE;IACvE,kCAAkC;IAClC,MAAM,SAAS,GAAG,gBAAgB,EAAE,CAAA;IACpC,MAAM,cAAc,GAAG,SAAS,EAAE,IAAI,EAAE,cAAc,IAAI;QACxD,SAAS,EAAE,EAAE;QACb,gBAAgB,EAAE,IAAI;QACtB,gBAAgB,EAAE,IAAI;QACtB,cAAc,EAAE,IAAI;QACpB,mBAAmB,EAAE,KAAK;KAC3B,CAAA;IACD,MAAM,MAAM,GAAG,sBAAsB,CAAC,WAAW,EAAE,cAAc,CAAC,CAAA;IAClE,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;QAClB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,sCAAsC,EAAE,CAAA;IAC9F,CAAC;IAED,MAAM,YAAY,GAAG,MAAM,YAAY,CAAC,WAAW,CAAC,CAAA;IAEpD,MAAM,EAAE,CAAC,YAAY,CAAC;QACpB,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC;YACb,KAAK,EAAE,EAAE,EAAE,EAAE,UAAU,CAAC,MAAM,EAAE;YAChC,IAAI,EAAE,EAAE,YAAY,EAAE;SACvB,CAAC;QACF,EAAE,CAAC,kBAAkB,CAAC,MAAM,CAAC;YAC3B,KAAK,EAAE,EAAE,EAAE,EAAE,UAAU,CAAC,EAAE,EAAE;YAC5B,IAAI,EAAE,EAAE,MAAM,EAAE,IAAI,IAAI,EAAE,EAAE;SAC7B,CAAC;QACF,EAAE,CAAC,OAAO,CAAC,UAAU,CAAC;YACpB,KAAK,EAAE,EAAE,MAAM,EAAE,UAAU,CAAC,MAAM,EAAE,SAAS,EAAE,IAAI,EAAE;YACrD,IAAI,EAAE,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,EAAE;SAChC,CAAC;KACH,CAAC,CAAA;IAEF,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAA;AAC1B,CAAC"}

package/dist/auth/session.d.ts

@@ -4,6 +4,15 @@ export interface SessionPayload {
     sessionId: string;
     fingerprint?: string;
 }
+/**
+ * Thrown when a JWT verifies cryptographically but its decoded payload
+ * doesn't match the expected `SessionPayload` shape. We map this to a 401
+ * (not 500) because it represents a forged-but-correctly-signed-by-the-CMS
+ * token rather than a server bug.
+ */
+export declare class InvalidSessionPayloadError extends Error {
+    constructor(reason: string);
+}
 export interface SessionOptions {
     secret: string;
     maxAge?: number;

package/dist/auth/session.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"session.d.ts","sourceRoot":"","sources":["../../src/auth/session.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,MAAM,CAAA;IACd,IAAI,EAAE,MAAM,CAAA;IACZ,SAAS,EAAE,MAAM,CAAA;IACjB,WAAW,CAAC,EAAE,MAAM,CAAA;CACrB;AAED,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,MAAM,CAAA;IACd,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,QAAQ,CAAC,EAAE,MAAM,CAAA;CAClB;AAID,yCAAyC;AACzC,wBAAsB,aAAa,CACjC,OAAO,EAAE,cAAc,EACvB,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,MAAM,CAAC,CASjB;AAED,6CAA6C;AAC7C,wBAAsB,aAAa,CACjC,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,cAAc,CAAC,CAOzB;AAED,sDAAsD;AACtD,wBAAsB,aAAa,CAAC,SAAS,EAAE,MAAM,EAAE,EAAE,EAAE,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,CAK7E;AAED;;;;;;;GAOG;AACH,wBAAsB,cAAc,CAClC,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,cAAc,EACvB,EAAE,CAAC,EAAE,GAAG,GACP,OAAO,CAAC,MAAM,CAAC,CAgBjB"}
+{"version":3,"file":"session.d.ts","sourceRoot":"","sources":["../../src/auth/session.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,MAAM,CAAA;IACd,IAAI,EAAE,MAAM,CAAA;IACZ,SAAS,EAAE,MAAM,CAAA;IACjB,WAAW,CAAC,EAAE,MAAM,CAAA;CACrB;AAED;;;;;GAKG;AACH,qBAAa,0BAA2B,SAAQ,KAAK;gBACvC,MAAM,EAAE,MAAM;CAI3B;AAgCD,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,MAAM,CAAA;IACd,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,QAAQ,CAAC,EAAE,MAAM,CAAA;CAClB;AAID,yCAAyC;AACzC,wBAAsB,aAAa,CACjC,OAAO,EAAE,cAAc,EACvB,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,MAAM,CAAC,CASjB;AAED,6CAA6C;AAC7C,wBAAsB,aAAa,CACjC,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,cAAc,CAAC,CAkBzB;AAED,sDAAsD;AACtD,wBAAsB,aAAa,CAAC,SAAS,EAAE,MAAM,EAAE,EAAE,EAAE,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,CAK7E;AAED;;;;;;;GAOG;AACH,wBAAsB,cAAc,CAClC,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,cAAc,EACvB,EAAE,CAAC,EAAE,GAAG,GACP,OAAO,CAAC,MAAM,CAAC,CAgBjB"}

package/dist/auth/session.js

@@ -1,4 +1,45 @@
 import * as jose from 'jose';
+/**
+ * Thrown when a JWT verifies cryptographically but its decoded payload
+ * doesn't match the expected `SessionPayload` shape. We map this to a 401
+ * (not 500) because it represents a forged-but-correctly-signed-by-the-CMS
+ * token rather than a server bug.
+ */
+export class InvalidSessionPayloadError extends Error {
+    constructor(reason) {
+        super(`Session payload is malformed: ${reason}`);
+        this.name = 'InvalidSessionPayloadError';
+    }
+}
+/**
+ * Narrow an arbitrary JWT payload to a `SessionPayload`. Required because
+ * `jose.jwtVerify()` returns `JWTPayload`, which is `Record<string, unknown>`
+ * — without an explicit shape check, downstream code reading `payload.role`
+ * would happily evaluate `undefined` against the `WRITE_ROLES`/`ADMIN_ROLES`
+ * sets and grant `false` (deny), which is safe — but reading `payload.userId`
+ * to look up the user would crash deep in the request, after side effects.
+ *
+ * Centralizing the check keeps the failure mode crisp: the request returns
+ * 401 and the audit log shows "malformed session" instead of a 500.
+ */
+function assertSessionPayload(payload) {
+    if (typeof payload !== 'object' || payload === null) {
+        throw new InvalidSessionPayloadError('payload is not an object');
+    }
+    const p = payload;
+    if (typeof p.userId !== 'string' || p.userId.length === 0) {
+        throw new InvalidSessionPayloadError('missing or invalid `userId`');
+    }
+    if (typeof p.role !== 'string' || p.role.length === 0) {
+        throw new InvalidSessionPayloadError('missing or invalid `role`');
+    }
+    if (typeof p.sessionId !== 'string' || p.sessionId.length === 0) {
+        throw new InvalidSessionPayloadError('missing or invalid `sessionId`');
+    }
+    if (p.fingerprint !== undefined && typeof p.fingerprint !== 'string') {
+        throw new InvalidSessionPayloadError('`fingerprint`, when present, must be a string');
+    }
+}
 const DEFAULT_MAX_AGE = 60 * 60 * 24 * 7; // 7 days
 /** Create a signed JWT session token. */
 export async function createSession(payload, options) {
@@ -18,7 +59,19 @@ export async function verifySession(token, options) {
         issuer: options.issuer ?? 'actuate-cms',
         audience: options.audience ?? 'actuate-cms',
     });
-    return payload;
+    assertSessionPayload(payload);
+    // Strip standard JWT claims (iat/exp/iss/aud/etc) so the returned object
+    // is ONLY the SessionPayload fields we explicitly validated. This prevents
+    // callers (e.g. `refreshSession`) from accidentally re-signing arbitrary
+    // attacker-supplied claims.
+    const safe = {
+        userId: payload.userId,
+        role: payload.role,
+        sessionId: payload.sessionId,
+    };
+    if (payload.fingerprint !== undefined)
+        safe.fingerprint = payload.fingerprint;
+    return safe;
 }
 /** Revoke a session by marking it in the database. */
 export async function revokeSession(sessionId, db) {

package/dist/auth/session.js.map

@@ -1 +1 @@
-{"version":3,"file":"session.js","sourceRoot":"","sources":["../../src/auth/session.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,IAAI,MAAM,MAAM,CAAA;AAgB5B,MAAM,eAAe,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CAAA,CAAC,SAAS;AAElD,yCAAyC;AACzC,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,OAAuB,EACvB,OAAuB;IAEvB,MAAM,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAA;IACvD,OAAO,IAAI,IAAI,CAAC,OAAO,CAAC,EAAE,GAAG,OAAO,EAAE,CAAC;SACpC,kBAAkB,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC;SACpC,WAAW,EAAE;SACb,iBAAiB,CAAC,GAAG,OAAO,CAAC,MAAM,IAAI,eAAe,GAAG,CAAC;SAC1D,SAAS,CAAC,OAAO,CAAC,MAAM,IAAI,aAAa,CAAC;SAC1C,WAAW,CAAC,OAAO,CAAC,QAAQ,IAAI,aAAa,CAAC;SAC9C,IAAI,CAAC,MAAM,CAAC,CAAA;AACjB,CAAC;AAED,6CAA6C;AAC7C,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,KAAa,EACb,OAAuB;IAEvB,MAAM,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAA;IACvD,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE;QACtD,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,aAAa;QACvC,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,aAAa;KAC5C,CAAC,CAAA;IACF,OAAO,OAAoC,CAAA;AAC7C,CAAC;AAED,sDAAsD;AACtD,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,SAAiB,EAAE,EAAO;IAC5D,MAAM,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC;QACtB,KAAK,EAAE,EAAE,EAAE,EAAE,SAAS,EAAE;QACxB,IAAI,EAAE,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,EAAE;KAChC,CAAC,CAAA;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,KAAa,EACb,OAAuB,EACvB,EAAQ;IAER,MAAM,OAAO,GAAG,MAAM,aAAa,CAAC,KAAK,EAAE,OAAO,CAAC,CAAA;IAEnD,IAAI,EAAE,EAAE,CAAC;QACP,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAA;QACjF,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,SAAS,IAAI,OAAO,CAAC,SAAS,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;YACpE,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAA;QAChD,CAAC;QACD,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,eAAe,CAAA;QAChD,MAAM,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC;YACtB,KAAK,EAAE,EAAE,EAAE,EAAE,OAAO,CAAC,SAAS,EAAE;YAChC,IAAI,EAAE,EAAE,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,GAAG,IAAI,CAAC,EAAE;SAC1D,CAAC,CAAA;IACJ,CAAC;IAED,OAAO,aAAa,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;AACxC,CAAC"}
+{"version":3,"file":"session.js","sourceRoot":"","sources":["../../src/auth/session.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,IAAI,MAAM,MAAM,CAAA;AAS5B;;;;;GAKG;AACH,MAAM,OAAO,0BAA2B,SAAQ,KAAK;IACnD,YAAY,MAAc;QACxB,KAAK,CAAC,iCAAiC,MAAM,EAAE,CAAC,CAAA;QAChD,IAAI,CAAC,IAAI,GAAG,4BAA4B,CAAA;IAC1C,CAAC;CACF;AAED;;;;;;;;;;GAUG;AACH,SAAS,oBAAoB,CAAC,OAAgB;IAC5C,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;QACpD,MAAM,IAAI,0BAA0B,CAAC,0BAA0B,CAAC,CAAA;IAClE,CAAC;IACD,MAAM,CAAC,GAAG,OAAkC,CAAA;IAC5C,IAAI,OAAO,CAAC,CAAC,MAAM,KAAK,QAAQ,IAAI,CAAC,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1D,MAAM,IAAI,0BAA0B,CAAC,6BAA6B,CAAC,CAAA;IACrE,CAAC;IACD,IAAI,OAAO,CAAC,CAAC,IAAI,KAAK,QAAQ,IAAI,CAAC,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtD,MAAM,IAAI,0BAA0B,CAAC,2BAA2B,CAAC,CAAA;IACnE,CAAC;IACD,IAAI,OAAO,CAAC,CAAC,SAAS,KAAK,QAAQ,IAAI,CAAC,CAAC,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAChE,MAAM,IAAI,0BAA0B,CAAC,gCAAgC,CAAC,CAAA;IACxE,CAAC;IACD,IAAI,CAAC,CAAC,WAAW,KAAK,SAAS,IAAI,OAAO,CAAC,CAAC,WAAW,KAAK,QAAQ,EAAE,CAAC;QACrE,MAAM,IAAI,0BAA0B,CAAC,+CAA+C,CAAC,CAAA;IACvF,CAAC;AACH,CAAC;AASD,MAAM,eAAe,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CAAA,CAAC,SAAS;AAElD,yCAAyC;AACzC,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,OAAuB,EACvB,OAAuB;IAEvB,MAAM,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAA;IACvD,OAAO,IAAI,IAAI,CAAC,OAAO,CAAC,EAAE,GAAG,OAAO,EAAE,CAAC;SACpC,kBAAkB,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC;SACpC,WAAW,EAAE;SACb,iBAAiB,CAAC,GAAG,OAAO,CAAC,MAAM,IAAI,eAAe,GAAG,CAAC;SAC1D,SAAS,CAAC,OAAO,CAAC,MAAM,IAAI,aAAa,CAAC;SAC1C,WAAW,CAAC,OAAO,CAAC,QAAQ,IAAI,aAAa,CAAC;SAC9C,IAAI,CAAC,MAAM,CAAC,CAAA;AACjB,CAAC;AAED,6CAA6C;AAC7C,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,KAAa,EACb,OAAuB;IAEvB,MAAM,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAA;IACvD,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE;QACtD,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,aAAa;QACvC,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,aAAa;KAC5C,CAAC,CAAA;IACF,oBAAoB,CAAC,OAAO,CAAC,CAAA;IAC7B,yEAAyE;IACzE,2EAA2E;IAC3E,yEAAyE;IACzE,4BAA4B;IAC5B,MAAM,IAAI,GAAmB;QAC3B,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,SAAS,EAAE,OAAO,CAAC,SAAS;KAC7B,CAAA;IACD,IAAI,OAAO,CAAC,WAAW,KAAK,SAAS;QAAE,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,CAAA;IAC7E,OAAO,IAAI,CAAA;AACb,CAAC;AAED,sDAAsD;AACtD,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,SAAiB,EAAE,EAAO;IAC5D,MAAM,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC;QACtB,KAAK,EAAE,EAAE,EAAE,EAAE,SAAS,EAAE;QACxB,IAAI,EAAE,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,EAAE;KAChC,CAAC,CAAA;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,KAAa,EACb,OAAuB,EACvB,EAAQ;IAER,MAAM,OAAO,GAAG,MAAM,aAAa,CAAC,KAAK,EAAE,OAAO,CAAC,CAAA;IAEnD,IAAI,EAAE,EAAE,CAAC;QACP,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAA;QACjF,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,SAAS,IAAI,OAAO,CAAC,SAAS,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;YACpE,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAA;QAChD,CAAC;QACD,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,eAAe,CAAA;QAChD,MAAM,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC;YACtB,KAAK,EAAE,EAAE,EAAE,EAAE,OAAO,CAAC,SAAS,EAAE;YAChC,IAAI,EAAE,EAAE,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,GAAG,IAAI,CAAC,EAAE;SAC1D,CAAC,CAAA;IACJ,CAAC;IAED,OAAO,aAAa,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;AACxC,CAAC"}

package/dist/config/runtime.d.ts

@@ -0,0 +1,99 @@
+/**
+ * @file Runtime config storage.
+ *
+ * # The `globalThis.__actuateConfig` contract (audit issue M8)
+ *
+ * The Actuate handler factory stashes the resolved CMS config on
+ * `globalThis.__actuateConfig` so that every downstream module
+ * (actions, plugins, page-builder, auth) can read it without a
+ * dependency-injected handle. This is intentionally a single-process
+ * mutable global, with these constraints:
+ *
+ * 1. **One config per process.** A given Node / Edge isolate runs exactly
+ *    one Actuate CMS instance. Calling `handleActuateAPI({ config })`
+ *    twice with different configs in the same process is unsupported and
+ *    will silently overwrite. (If you need multi-tenant per-request
+ *    configs, fork at the request layer — not via `globalThis`.)
+ *
+ * 2. **Set once at boot, read everywhere after.** Plugins and feature
+ *    code MUST treat the returned object as read-only. Mutating it after
+ *    boot will change behaviour for every subsequent request and is a
+ *    common source of "phantom" bugs.
+ *
+ * 3. **Serverless cold starts re-init.** On Vercel / Lambda each cold
+ *    start invokes `handleActuateAPI()` again, which re-reads the
+ *    consumer's `actuate.config.ts` and re-stashes the global. There is
+ *    no cross-instance synchronisation — assume per-isolate isolation.
+ *
+ * 4. **Tests reset between suites.** Vitest gives each test file its own
+ *    Node worker with a fresh `globalThis`, but tests *within* a file
+ *    share state. If your test mutates the config global, restore it in
+ *    `afterEach`. The pattern is documented in
+ *    `page-builder/__tests__/blocks.test.ts`.
+ *
+ * # Why `globalThis` and not React Context / dependency injection?
+ *
+ *   - The code paths that need the config (Prisma actions, server-side
+ *     guards, plugin hooks) are not React-rendered and have no natural
+ *     prop-drilling path.
+ *   - Threading a config handle through every public API would be a
+ *     breaking change for every consumer.
+ *   - Global state is acceptable here because the config IS global per
+ *     process by definition (point 1).
+ *
+ * If we ever migrate off `globalThis` (e.g. to AsyncLocalStorage for
+ * multi-tenant), the consumer-facing `getActuateConfig()` API stays the
+ * same — only this file changes. That's why every reader goes through
+ * the helper instead of touching `globalThis` directly.
+ */
+import type { ActuateCMSConfig } from './types.js';
+/**
+ * The runtime view of an Actuate CMS config. The handler factory enriches
+ * the user's `defineConfig({...})` object with internal caches (e.g.
+ * `_pluginHooks`) and consumers may register experimental top-level fields
+ * (e.g. `redirects`, custom plugin sub-configs) before the schema is ready.
+ *
+ * We keep the public shape strongly typed via `ActuateCMSConfig` and add a
+ * permissive index signature for the runtime extras. Callers that need a
+ * field defined on `ActuateCMSConfig` get full type safety; callers reaching
+ * into runtime-only fields are forced to acknowledge they are off-schema by
+ * narrowing themselves.
+ */
+export type RuntimeActuateConfig = ActuateCMSConfig & {
+    /** Internal cache of plugin lifecycle hooks. Populated by the handler. */
+    _pluginHooks?: unknown[];
+    /** Forward-compat slot for runtime-registered extensions. */
+    [key: string]: unknown;
+};
+/**
+ * Read the per-process Actuate CMS config that `handleActuateAPI()` stashed
+ * on `globalThis`. Returns `undefined` when no config has been registered
+ * yet (e.g. during early test setup or when the API handler has never been
+ * invoked).
+ *
+ * **Why a helper instead of reading `globalThis.__actuateConfig` directly?**
+ * - Centralizes the unsafe cast so we never sprinkle `as any` across the
+ *   codebase. If the storage strategy ever moves off `globalThis` (issue M8
+ *   from the engineering audit), only this file changes.
+ * - Gives every caller the same typed handle, which makes mocking in tests
+ *   straightforward (set the global once, all readers see it).
+ *
+ * **Mutability warning:** the returned object is the *same reference* the
+ * platform handler holds. Callers must not mutate it. For mutations (e.g.
+ * a plugin registering a new collection at init time), use the platform's
+ * own plugin lifecycle — not this getter.
+ */
+export declare function getActuateConfig(): RuntimeActuateConfig | undefined;
+/**
+ * Register the running config on `globalThis`. Only the platform-level API
+ * handler should call this; plugins and feature code should read the config
+ * via `getActuateConfig()` instead.
+ */
+export declare function setActuateConfig(config: RuntimeActuateConfig | ActuateCMSConfig): void;
+/**
+ * Read the cms-core version that was stamped onto `globalThis` at handler
+ * init. Used by `/api/cms/health` and the `/updates/check` endpoint.
+ */
+export declare function getActuateCoreVersion(): string | undefined;
+export declare function setActuateCoreVersion(version: string): void;
+//# sourceMappingURL=runtime.d.ts.map

package/dist/config/runtime.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"runtime.d.ts","sourceRoot":"","sources":["../../src/config/runtime.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+CG;AACH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAA;AAElD;;;;;;;;;;;GAWG;AACH,MAAM,MAAM,oBAAoB,GAAG,gBAAgB,GAAG;IACpD,0EAA0E;IAC1E,YAAY,CAAC,EAAE,OAAO,EAAE,CAAA;IACxB,6DAA6D;IAC7D,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAA;CACvB,CAAA;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,gBAAgB,IAAI,oBAAoB,GAAG,SAAS,CAEnE;AAED;;;;GAIG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,oBAAoB,GAAG,gBAAgB,GAAG,IAAI,CAGtF;AAED;;;GAGG;AACH,wBAAgB,qBAAqB,IAAI,MAAM,GAAG,SAAS,CAE1D;AAED,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CAE3D"}