@agentlensai/server 0.10.0 → 0.13.0

package/dist/cloud/auth/audit-log.js

@@ -0,0 +1,92 @@
+/**
+ * Audit Log Service (S-2.6)
+ *
+ * Append-only, immutable audit log for security-relevant events.
+ * Supports: auth events, API key ops, member management, settings changes,
+ * data exports, billing events.
+ */
+export class AuditLogService {
+    db;
+    constructor(db) {
+        this.db = db;
+    }
+    /**
+     * Write an audit log entry. Append-only — no updates or deletes.
+     */
+    async write(entry) {
+        const result = await this.db.query(`INSERT INTO audit_log (org_id, actor_type, actor_id, action, resource_type, resource_id, details, ip_address, result)
+       VALUES ($1, $2, $3, $4, $5, $6, $7, $8::inet, $9)
+       RETURNING *`, [
+            entry.org_id,
+            entry.actor_type,
+            entry.actor_id,
+            entry.action,
+            entry.resource_type,
+            entry.resource_id ?? null,
+            entry.details ? JSON.stringify(entry.details) : null,
+            entry.ip_address ?? null,
+            entry.result,
+        ]);
+        return result.rows[0];
+    }
+    /**
+     * Query audit log with filters. Results ordered by created_at DESC.
+     */
+    async query(filters) {
+        const conditions = ['org_id = $1'];
+        const params = [filters.org_id];
+        let paramIdx = 2;
+        if (filters.action) {
+            conditions.push(`action = $${paramIdx++}`);
+            params.push(filters.action);
+        }
+        if (filters.actor_id) {
+            conditions.push(`actor_id = $${paramIdx++}`);
+            params.push(filters.actor_id);
+        }
+        if (filters.resource_type) {
+            conditions.push(`resource_type = $${paramIdx++}`);
+            params.push(filters.resource_type);
+        }
+        if (filters.from) {
+            conditions.push(`created_at >= $${paramIdx++}`);
+            params.push(filters.from.toISOString());
+        }
+        if (filters.to) {
+            conditions.push(`created_at <= $${paramIdx++}`);
+            params.push(filters.to.toISOString());
+        }
+        const where = conditions.join(' AND ');
+        const limit = filters.limit ?? 50;
+        const offset = filters.offset ?? 0;
+        const [dataResult, countResult] = await Promise.all([
+            this.db.query(`SELECT * FROM audit_log WHERE ${where} ORDER BY created_at DESC LIMIT $${paramIdx++} OFFSET $${paramIdx++}`, [...params, limit, offset]),
+            this.db.query(`SELECT COUNT(*)::int as total FROM audit_log WHERE ${where}`, params),
+        ]);
+        return {
+            entries: dataResult.rows,
+            total: countResult.rows[0].total,
+        };
+    }
+    /**
+     * Export all audit log entries for an org within a time range.
+     * Returns JSON array (for download).
+     */
+    async export(org_id, from, to) {
+        const conditions = ['org_id = $1'];
+        const params = [org_id];
+        let paramIdx = 2;
+        if (from) {
+            conditions.push(`created_at >= $${paramIdx++}`);
+            params.push(from.toISOString());
+        }
+        if (to) {
+            conditions.push(`created_at <= $${paramIdx++}`);
+            params.push(to.toISOString());
+        }
+        const where = conditions.join(' AND ');
+        const result = await this.db.query(`SELECT * FROM audit_log WHERE ${where} ORDER BY created_at ASC`, params);
+        return result.rows;
+    }
+}
+//# sourceMappingURL=audit-log.js.map

package/dist/cloud/auth/audit-log.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-log.js","sourceRoot":"","sources":["../../../src/cloud/auth/audit-log.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAuEH,MAAM,OAAO,eAAe;IACN;IAApB,YAAoB,EAAmB;QAAnB,OAAE,GAAF,EAAE,CAAiB;IAAG,CAAC;IAE3C;;OAEG;IACH,KAAK,CAAC,KAAK,CAAC,KAAsB;QAChC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,KAAK,CAChC;;mBAEa,EACb;YACE,KAAK,CAAC,MAAM;YACZ,KAAK,CAAC,UAAU;YAChB,KAAK,CAAC,QAAQ;YACd,KAAK,CAAC,MAAM;YACZ,KAAK,CAAC,aAAa;YACnB,KAAK,CAAC,WAAW,IAAI,IAAI;YACzB,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI;YACpD,KAAK,CAAC,UAAU,IAAI,IAAI;YACxB,KAAK,CAAC,MAAM;SACb,CACF,CAAC;QACF,OAAQ,MAAM,CAAC,IAAqB,CAAC,CAAC,CAAC,CAAC;IAC1C,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,KAAK,CAAC,OAA0B;QACpC,MAAM,UAAU,GAAa,CAAC,aAAa,CAAC,CAAC;QAC7C,MAAM,MAAM,GAAc,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAC3C,IAAI,QAAQ,GAAG,CAAC,CAAC;QAEjB,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;YACnB,UAAU,CAAC,IAAI,CAAC,aAAa,QAAQ,EAAE,EAAE,CAAC,CAAC;YAC3C,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAC9B,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;YACrB,UAAU,CAAC,IAAI,CAAC,eAAe,QAAQ,EAAE,EAAE,CAAC,CAAC;YAC7C,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QAChC,CAAC;QACD,IAAI,OAAO,CAAC,aAAa,EAAE,CAAC;YAC1B,UAAU,CAAC,IAAI,CAAC,oBAAoB,QAAQ,EAAE,EAAE,CAAC,CAAC;YAClD,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;QACrC,CAAC;QACD,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;YACjB,UAAU,CAAC,IAAI,CAAC,kBAAkB,QAAQ,EAAE,EAAE,CAAC,CAAC;YAChD,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;QAC1C,CAAC;QACD,IAAI,OAAO,CAAC,EAAE,EAAE,CAAC;YACf,UAAU,CAAC,IAAI,CAAC,kBAAkB,QAAQ,EAAE,EAAE,CAAC,CAAC;YAChD,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,WAAW,EAAE,CAAC,CAAC;QACxC,CAAC;QAED,MAAM,KAAK,GAAG,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACvC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,EAAE,CAAC;QAClC,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,CAAC,CAAC;QAEnC,MAAM,CAAC,UAAU,EAAE,WAAW,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;YAClD,IAAI,CAAC,EAAE,CAAC,KAAK,CACX,iCAAiC,KAAK,oCAAoC,QAAQ,EAAE,YAAY,QAAQ,EAAE,EAAE,EAC5G,CAAC,GAAG,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,CAC3B;YACD,IAAI,CAAC,EAAE,CAAC,KAAK,CACX,sDAAsD,KAAK,EAAE,EAC7D,MAAM,CACP;SACF,CAAC,CAAC;QAEH,OAAO;YACL,OAAO,EAAE,UAAU,CAAC,IAAoB;YACxC,KAAK,EAAG,WAAW,CAAC,IAAc,CAAC,CAAC,CAAC,CAAC,KAAK;SAC5C,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,MAAM,CAAC,MAAc,EAAE,IAAW,EAAE,EAAS;QACjD,MAAM,UAAU,GAAa,CAAC,aAAa,CAAC,CAAC;QAC7C,MAAM,MAAM,GAAc,CAAC,MAAM,CAAC,CAAC;QACnC,IAAI,QAAQ,GAAG,CAAC,CAAC;QAEjB,IAAI,IAAI,EAAE,CAAC;YACT,UAAU,CAAC,IAAI,CAAC,kBAAkB,QAAQ,EAAE,EAAE,CAAC,CAAC;YAChD,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;QAClC,CAAC;QACD,IAAI,EAAE,EAAE,CAAC;YACP,UAAU,CAAC,IAAI,CAAC,kBAAkB,QAAQ,EAAE,EAAE,CAAC,CAAC;YAChD,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,WAAW,EAAE,CAAC,CAAC;QAChC,CAAC;QAED,MAAM,KAAK,GAAG,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACvC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,KAAK,CAChC,iCAAiC,KAAK,0BAA0B,EAChE,MAAM,CACP,CAAC;QACF,OAAO,MAAM,CAAC,IAAoB,CAAC;IACrC,CAAC;CACF"}

package/dist/cloud/auth/auth-service.d.ts

@@ -0,0 +1,77 @@
+/**
+ * Auth Service — orchestrates user creation, login, OAuth, and sessions.
+ *
+ * Uses MigrationClient (pg Pool) for database operations.
+ * In-memory brute-force protection (replaceable with Redis in prod).
+ */
+import type { MigrationClient } from '../migrate.js';
+import { BruteForceProtection } from './brute-force.js';
+import type { OAuthUserProfile } from './oauth.js';
+export interface AuthServiceConfig {
+    jwtSecret: string;
+    jwtExpiresInSeconds?: number;
+}
+export interface AuthUser {
+    id: string;
+    email: string;
+    email_verified: boolean;
+    password_hash: string | null;
+    display_name: string | null;
+    avatar_url: string | null;
+    oauth_provider: string | null;
+    oauth_provider_id: string | null;
+}
+export interface AuthResult {
+    token: string;
+    user: {
+        id: string;
+        email: string;
+        name: string | null;
+    };
+}
+export declare class AuthService {
+    private db;
+    private config;
+    private bruteForce;
+    constructor(db: MigrationClient, config: AuthServiceConfig, bruteForce?: BruteForceProtection);
+    /**
+     * Handle OAuth callback: find or create user, return JWT.
+     */
+    oauthLogin(profile: OAuthUserProfile): Promise<AuthResult>;
+    private createOAuthUser;
+    /**
+     * Register a new user with email and password.
+     * Returns verification token (to be sent via email).
+     */
+    register(email: string, password: string, displayName?: string): Promise<{
+        user: AuthUser;
+        verificationToken: string;
+    }>;
+    /**
+     * Verify email address with token.
+     */
+    verifyEmail(token: string): Promise<boolean>;
+    /**
+     * Login with email and password.
+     */
+    login(email: string, password: string): Promise<AuthResult>;
+    /**
+     * Request password reset. Returns token to be sent via email.
+     * Always succeeds (even if email not found) to prevent enumeration.
+     */
+    requestPasswordReset(email: string): Promise<string | null>;
+    /**
+     * Reset password using token.
+     */
+    resetPassword(token: string, newPassword: string): Promise<boolean>;
+    private issueToken;
+    private findUserByEmail;
+    private findUserById;
+    private findUserByOAuth;
+    private createDefaultOrg;
+}
+export declare class AuthError extends Error {
+    code: string;
+    constructor(code: string, message: string);
+}
+//# sourceMappingURL=auth-service.d.ts.map

package/dist/cloud/auth/auth-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-service.d.ts","sourceRoot":"","sources":["../../../src/cloud/auth/auth-service.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAIrD,OAAO,EAAE,oBAAoB,EAAE,MAAM,kBAAkB,CAAC;AACxD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAEnD,MAAM,WAAW,iBAAiB;IAChC,SAAS,EAAE,MAAM,CAAC;IAClB,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,cAAc,EAAE,OAAO,CAAC;IACxB,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;CAClC;AAED,MAAM,WAAW,UAAU;IACzB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE,CAAC;CAC1D;AAED,qBAAa,WAAW;IAEpB,OAAO,CAAC,EAAE;IACV,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,UAAU;gBAFV,EAAE,EAAE,eAAe,EACnB,MAAM,EAAE,iBAAiB,EACzB,UAAU,uBAA6B;IAOjD;;OAEG;IACG,UAAU,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,UAAU,CAAC;YA6BlD,eAAe;IAmB7B;;;OAGG;IACG,QAAQ,CACZ,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,MAAM,EAChB,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC;QAAE,IAAI,EAAE,QAAQ,CAAC;QAAC,iBAAiB,EAAE,MAAM,CAAA;KAAE,CAAC;IAqCzD;;OAEG;IACG,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAwBlD;;OAEG;IACG,KAAK,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IAmCjE;;;OAGG;IACG,oBAAoB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAsBjE;;OAEG;IACG,aAAa,CAAC,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;YAkC3D,UAAU;YAsBV,eAAe;YAKf,YAAY;YAKZ,eAAe;YAQf,gBAAgB;CAsB/B;AAED,qBAAa,SAAU,SAAQ,KAAK;IAEzB,IAAI,EAAE,MAAM;gBAAZ,IAAI,EAAE,MAAM,EACnB,OAAO,EAAE,MAAM;CAKlB"}

package/dist/cloud/auth/auth-service.js

@@ -0,0 +1,229 @@
+/**
+ * Auth Service — orchestrates user creation, login, OAuth, and sessions.
+ *
+ * Uses MigrationClient (pg Pool) for database operations.
+ * In-memory brute-force protection (replaceable with Redis in prod).
+ */
+import { hashPassword, verifyPassword, validatePasswordComplexity } from './passwords.js';
+import { signJwt, verifyJwt } from './jwt.js';
+import { generateToken, hashToken, verifyToken } from './tokens.js';
+import { BruteForceProtection } from './brute-force.js';
+export class AuthService {
+    db;
+    config;
+    bruteForce;
+    constructor(db, config, bruteForce = new BruteForceProtection()) {
+        this.db = db;
+        this.config = config;
+        this.bruteForce = bruteForce;
+    }
+    // ═══════════════════════════════════════════
+    // OAuth Login / Registration
+    // ═══════════════════════════════════════════
+    /**
+     * Handle OAuth callback: find or create user, return JWT.
+     */
+    async oauthLogin(profile) {
+        // 1. Try to find by OAuth provider + ID
+        let user = await this.findUserByOAuth(profile.provider, profile.providerId);
+        if (!user) {
+            // 2. Try to find by email (link OAuth to existing account)
+            user = await this.findUserByEmail(profile.email);
+            if (user) {
+                // Link OAuth to existing user
+                await this.db.query(`UPDATE users SET oauth_provider = $1, oauth_provider_id = $2, 
+           email_verified = TRUE, avatar_url = COALESCE(avatar_url, $3), 
+           display_name = COALESCE(display_name, $4), updated_at = now()
+           WHERE id = $5`, [profile.provider, profile.providerId, profile.avatarUrl, profile.name, user.id]);
+                user.email_verified = true;
+            }
+            else {
+                // 3. Create new user
+                user = await this.createOAuthUser(profile);
+            }
+        }
+        // Issue JWT
+        const token = await this.issueToken(user);
+        return { token, user: { id: user.id, email: user.email, name: user.display_name } };
+    }
+    async createOAuthUser(profile) {
+        // Create user
+        const result = await this.db.query(`INSERT INTO users (email, email_verified, display_name, avatar_url, oauth_provider, oauth_provider_id)
+       VALUES ($1, TRUE, $2, $3, $4, $5)
+       RETURNING *`, [profile.email, profile.name, profile.avatarUrl, profile.provider, profile.providerId]);
+        const user = result.rows[0];
+        // Create default personal org
+        await this.createDefaultOrg(user);
+        return user;
+    }
+    // ═══════════════════════════════════════════
+    // Email/Password Registration
+    // ═══════════════════════════════════════════
+    /**
+     * Register a new user with email and password.
+     * Returns verification token (to be sent via email).
+     */
+    async register(email, password, displayName) {
+        // Validate password
+        const complexity = validatePasswordComplexity(password);
+        if (!complexity.valid) {
+            throw new AuthError('invalid_password', complexity.errors.join('; '));
+        }
+        // Check if email already exists
+        const existing = await this.findUserByEmail(email);
+        if (existing) {
+            throw new AuthError('email_exists', 'An account with this email already exists');
+        }
+        // Hash password & create user
+        const passwordHash = await hashPassword(password);
+        const verificationToken = generateToken();
+        const tokenHash = hashToken(verificationToken);
+        const result = await this.db.query(`INSERT INTO users (email, email_verified, password_hash, display_name)
+       VALUES ($1, FALSE, $2, $3)
+       RETURNING *`, [email, passwordHash, displayName ?? null]);
+        const user = result.rows[0];
+        // Store verification token (using a simple approach: store in users table or a tokens table)
+        // For simplicity, we'll use the email_verification_token approach
+        await this.db.query(`INSERT INTO _email_tokens (user_id, token_hash, type, expires_at)
+       VALUES ($1, $2, 'verification', now() + interval '24 hours')`, [user.id, tokenHash]);
+        return { user, verificationToken };
+    }
+    /**
+     * Verify email address with token.
+     */
+    async verifyEmail(token) {
+        const tokenHash = hashToken(token);
+        const result = await this.db.query(`SELECT user_id FROM _email_tokens 
+       WHERE token_hash = $1 AND type = 'verification' AND expires_at > now()`, [tokenHash]);
+        if (result.rows.length === 0)
+            return false;
+        const userId = result.rows[0].user_id;
+        await this.db.query(`UPDATE users SET email_verified = TRUE, updated_at = now() WHERE id = $1`, [userId]);
+        await this.db.query(`DELETE FROM _email_tokens WHERE token_hash = $1`, [tokenHash]);
+        // Create default org after verification
+        const user = await this.findUserById(userId);
+        if (user)
+            await this.createDefaultOrg(user);
+        return true;
+    }
+    // ═══════════════════════════════════════════
+    // Email/Password Login
+    // ═══════════════════════════════════════════
+    /**
+     * Login with email and password.
+     */
+    async login(email, password) {
+        // Check brute-force lock
+        if (this.bruteForce.isLocked(email)) {
+            throw new AuthError('account_locked', 'Account temporarily locked due to too many failed attempts');
+        }
+        const user = await this.findUserByEmail(email);
+        if (!user || !user.password_hash) {
+            this.bruteForce.recordFailure(email);
+            throw new AuthError('invalid_credentials', 'Invalid email or password');
+        }
+        if (!user.email_verified) {
+            throw new AuthError('email_not_verified', 'Please verify your email before logging in');
+        }
+        const valid = await verifyPassword(password, user.password_hash);
+        if (!valid) {
+            const locked = this.bruteForce.recordFailure(email);
+            if (locked) {
+                throw new AuthError('account_locked', 'Account temporarily locked due to too many failed attempts');
+            }
+            throw new AuthError('invalid_credentials', 'Invalid email or password');
+        }
+        this.bruteForce.recordSuccess(email);
+        const token = await this.issueToken(user);
+        return { token, user: { id: user.id, email: user.email, name: user.display_name } };
+    }
+    // ═══════════════════════════════════════════
+    // Password Reset
+    // ═══════════════════════════════════════════
+    /**
+     * Request password reset. Returns token to be sent via email.
+     * Always succeeds (even if email not found) to prevent enumeration.
+     */
+    async requestPasswordReset(email) {
+        const user = await this.findUserByEmail(email);
+        if (!user)
+            return null; // Don't reveal whether email exists
+        const token = generateToken();
+        const tokenHash = hashToken(token);
+        // Delete old reset tokens for this user
+        await this.db.query(`DELETE FROM _email_tokens WHERE user_id = $1 AND type = 'reset'`, [user.id]);
+        await this.db.query(`INSERT INTO _email_tokens (user_id, token_hash, type, expires_at)
+       VALUES ($1, $2, 'reset', now() + interval '1 hour')`, [user.id, tokenHash]);
+        return token;
+    }
+    /**
+     * Reset password using token.
+     */
+    async resetPassword(token, newPassword) {
+        const complexity = validatePasswordComplexity(newPassword);
+        if (!complexity.valid) {
+            throw new AuthError('invalid_password', complexity.errors.join('; '));
+        }
+        const tokenHash = hashToken(token);
+        const result = await this.db.query(`SELECT user_id FROM _email_tokens 
+       WHERE token_hash = $1 AND type = 'reset' AND expires_at > now()`, [tokenHash]);
+        if (result.rows.length === 0)
+            return false;
+        const userId = result.rows[0].user_id;
+        const passwordHash = await hashPassword(newPassword);
+        await this.db.query(`UPDATE users SET password_hash = $1, updated_at = now() WHERE id = $2`, [passwordHash, userId]);
+        await this.db.query(`DELETE FROM _email_tokens WHERE token_hash = $1`, [tokenHash]);
+        // Clear brute-force records for this user's email
+        const user = await this.findUserById(userId);
+        if (user)
+            this.bruteForce.recordSuccess(user.email);
+        return true;
+    }
+    // ═══════════════════════════════════════════
+    // Token Issuance
+    // ═══════════════════════════════════════════
+    async issueToken(user) {
+        // Fetch user's org memberships
+        const orgsResult = await this.db.query(`SELECT om.org_id, om.role FROM org_members om WHERE om.user_id = $1`, [user.id]);
+        const orgs = orgsResult.rows.map((r) => ({
+            org_id: r.org_id,
+            role: r.role,
+        }));
+        return signJwt({ sub: user.id, email: user.email, name: user.display_name, orgs }, this.config.jwtSecret, this.config.jwtExpiresInSeconds ?? 7 * 24 * 3600);
+    }
+    // ═══════════════════════════════════════════
+    // Helpers
+    // ═══════════════════════════════════════════
+    async findUserByEmail(email) {
+        const result = await this.db.query(`SELECT * FROM users WHERE email = $1`, [email]);
+        return result.rows[0] ?? null;
+    }
+    async findUserById(id) {
+        const result = await this.db.query(`SELECT * FROM users WHERE id = $1`, [id]);
+        return result.rows[0] ?? null;
+    }
+    async findUserByOAuth(provider, providerId) {
+        const result = await this.db.query(`SELECT * FROM users WHERE oauth_provider = $1 AND oauth_provider_id = $2`, [provider, providerId]);
+        return result.rows[0] ?? null;
+    }
+    async createDefaultOrg(user) {
+        // Check if user already has an org
+        const existing = await this.db.query(`SELECT 1 FROM org_members WHERE user_id = $1 LIMIT 1`, [user.id]);
+        if (existing.rows.length > 0)
+            return;
+        const displayName = user.display_name || user.email.split('@')[0];
+        const slug = `${displayName.toLowerCase().replace(/[^a-z0-9]/g, '-')}-${user.id.slice(0, 8)}`;
+        const orgResult = await this.db.query(`INSERT INTO orgs (name, slug) VALUES ($1, $2) RETURNING id`, [`${displayName}'s Org`, slug]);
+        const orgId = orgResult.rows[0].id;
+        await this.db.query(`INSERT INTO org_members (org_id, user_id, role) VALUES ($1, $2, 'owner')`, [orgId, user.id]);
+    }
+}
+export class AuthError extends Error {
+    code;
+    constructor(code, message) {
+        super(message);
+        this.code = code;
+        this.name = 'AuthError';
+    }
+}
+//# sourceMappingURL=auth-service.js.map

package/dist/cloud/auth/auth-service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-service.js","sourceRoot":"","sources":["../../../src/cloud/auth/auth-service.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,0BAA0B,EAAE,MAAM,gBAAgB,CAAC;AAC1F,OAAO,EAAE,OAAO,EAAE,SAAS,EAAmB,MAAM,UAAU,CAAC;AAC/D,OAAO,EAAE,aAAa,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AACpE,OAAO,EAAE,oBAAoB,EAAE,MAAM,kBAAkB,CAAC;AAwBxD,MAAM,OAAO,WAAW;IAEZ;IACA;IACA;IAHV,YACU,EAAmB,EACnB,MAAyB,EACzB,aAAa,IAAI,oBAAoB,EAAE;QAFvC,OAAE,GAAF,EAAE,CAAiB;QACnB,WAAM,GAAN,MAAM,CAAmB;QACzB,eAAU,GAAV,UAAU,CAA6B;IAC9C,CAAC;IAEJ,8CAA8C;IAC9C,6BAA6B;IAC7B,8CAA8C;IAE9C;;OAEG;IACH,KAAK,CAAC,UAAU,CAAC,OAAyB;QACxC,wCAAwC;QACxC,IAAI,IAAI,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC,QAAQ,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;QAE5E,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,2DAA2D;YAC3D,IAAI,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;YAEjD,IAAI,IAAI,EAAE,CAAC;gBACT,8BAA8B;gBAC9B,MAAM,IAAI,CAAC,EAAE,CAAC,KAAK,CACjB;;;yBAGe,EACf,CAAC,OAAO,CAAC,QAAQ,EAAE,OAAO,CAAC,UAAU,EAAE,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,EAAE,CAAC,CACjF,CAAC;gBACF,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC;YAC7B,CAAC;iBAAM,CAAC;gBACN,qBAAqB;gBACrB,IAAI,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;YAC7C,CAAC;QACH,CAAC;QAED,YAAY;QACZ,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;QAC1C,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,IAAI,EAAE,IAAI,CAAC,YAAY,EAAE,EAAE,CAAC;IACtF,CAAC;IAEO,KAAK,CAAC,eAAe,CAAC,OAAyB;QACrD,cAAc;QACd,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,KAAK,CAChC;;mBAEa,EACb,CAAC,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC,QAAQ,EAAE,OAAO,CAAC,UAAU,CAAC,CACvF,CAAC;QACF,MAAM,IAAI,GAAI,MAAM,CAAC,IAAmB,CAAC,CAAC,CAAC,CAAC;QAE5C,8BAA8B;QAC9B,MAAM,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC;QAClC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,8CAA8C;IAC9C,8BAA8B;IAC9B,8CAA8C;IAE9C;;;OAGG;IACH,KAAK,CAAC,QAAQ,CACZ,KAAa,EACb,QAAgB,EAChB,WAAoB;QAEpB,oBAAoB;QACpB,MAAM,UAAU,GAAG,0BAA0B,CAAC,QAAQ,CAAC,CAAC;QACxD,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;YACtB,MAAM,IAAI,SAAS,CAAC,kBAAkB,EAAE,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;QACxE,CAAC;QAED,gCAAgC;QAChC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;QACnD,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,IAAI,SAAS,CAAC,cAAc,EAAE,2CAA2C,CAAC,CAAC;QACnF,CAAC;QAED,8BAA8B;QAC9B,MAAM,YAAY,GAAG,MAAM,YAAY,CAAC,QAAQ,CAAC,CAAC;QAClD,MAAM,iBAAiB,GAAG,aAAa,EAAE,CAAC;QAC1C,MAAM,SAAS,GAAG,SAAS,CAAC,iBAAiB,CAAC,CAAC;QAE/C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,KAAK,CAChC;;mBAEa,EACb,CAAC,KAAK,EAAE,YAAY,EAAE,WAAW,IAAI,IAAI,CAAC,CAC3C,CAAC;QACF,MAAM,IAAI,GAAI,MAAM,CAAC,IAAmB,CAAC,CAAC,CAAC,CAAC;QAE5C,6FAA6F;QAC7F,kEAAkE;QAClE,MAAM,IAAI,CAAC,EAAE,CAAC,KAAK,CACjB;oEAC8D,EAC9D,CAAC,IAAI,CAAC,EAAE,EAAE,SAAS,CAAC,CACrB,CAAC;QAEF,OAAO,EAAE,IAAI,EAAE,iBAAiB,EAAE,CAAC;IACrC,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,WAAW,CAAC,KAAa;QAC7B,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;QACnC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,KAAK,CAChC;8EACwE,EACxE,CAAC,SAAS,CAAC,CACZ,CAAC;QACF,IAAK,MAAM,CAAC,IAAc,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QAEtD,MAAM,MAAM,GAAI,MAAM,CAAC,IAAc,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;QACjD,MAAM,IAAI,CAAC,EAAE,CAAC,KAAK,CAAC,0EAA0E,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC;QAC1G,MAAM,IAAI,CAAC,EAAE,CAAC,KAAK,CAAC,iDAAiD,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC;QAEpF,wCAAwC;QACxC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;QAC7C,IAAI,IAAI;YAAE,MAAM,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC;QAE5C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,8CAA8C;IAC9C,uBAAuB;IACvB,8CAA8C;IAE9C;;OAEG;IACH,KAAK,CAAC,KAAK,CAAC,KAAa,EAAE,QAAgB;QACzC,yBAAyB;QACzB,IAAI,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YACpC,MAAM,IAAI,SAAS,CAAC,gBAAgB,EAAE,4DAA4D,CAAC,CAAC;QACtG,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;QAC/C,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC;YACjC,IAAI,CAAC,UAAU,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;YACrC,MAAM,IAAI,SAAS,CAAC,qBAAqB,EAAE,2BAA2B,CAAC,CAAC;QAC1E,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;YACzB,MAAM,IAAI,SAAS,CAAC,oBAAoB,EAAE,4CAA4C,CAAC,CAAC;QAC1F,CAAC;QAED,MAAM,KAAK,GAAG,MAAM,cAAc,CAAC,QAAQ,EAAE,IAAI,CAAC,aAAa,CAAC,CAAC;QACjE,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;YACpD,IAAI,MAAM,EAAE,CAAC;gBACX,MAAM,IAAI,SAAS,CAAC,gBAAgB,EAAE,4DAA4D,CAAC,CAAC;YACtG,CAAC;YACD,MAAM,IAAI,SAAS,CAAC,qBAAqB,EAAE,2BAA2B,CAAC,CAAC;QAC1E,CAAC;QAED,IAAI,CAAC,UAAU,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;QAErC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;QAC1C,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,IAAI,EAAE,IAAI,CAAC,YAAY,EAAE,EAAE,CAAC;IACtF,CAAC;IAED,8CAA8C;IAC9C,iBAAiB;IACjB,8CAA8C;IAE9C;;;OAGG;IACH,KAAK,CAAC,oBAAoB,CAAC,KAAa;QACtC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;QAC/C,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC,CAAC,oCAAoC;QAE5D,MAAM,KAAK,GAAG,aAAa,EAAE,CAAC;QAC9B,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;QAEnC,wCAAwC;QACxC,MAAM,IAAI,CAAC,EAAE,CAAC,KAAK,CACjB,iEAAiE,EACjE,CAAC,IAAI,CAAC,EAAE,CAAC,CACV,CAAC;QAEF,MAAM,IAAI,CAAC,EAAE,CAAC,KAAK,CACjB;2DACqD,EACrD,CAAC,IAAI,CAAC,EAAE,EAAE,SAAS,CAAC,CACrB,CAAC;QAEF,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa,CAAC,KAAa,EAAE,WAAmB;QACpD,MAAM,UAAU,GAAG,0BAA0B,CAAC,WAAW,CAAC,CAAC;QAC3D,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;YACtB,MAAM,IAAI,SAAS,CAAC,kBAAkB,EAAE,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;QACxE,CAAC;QAED,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;QACnC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,KAAK,CAChC;uEACiE,EACjE,CAAC,SAAS,CAAC,CACZ,CAAC;QACF,IAAK,MAAM,CAAC,IAAc,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QAEtD,MAAM,MAAM,GAAI,MAAM,CAAC,IAAc,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;QACjD,MAAM,YAAY,GAAG,MAAM,YAAY,CAAC,WAAW,CAAC,CAAC;QAErD,MAAM,IAAI,CAAC,EAAE,CAAC,KAAK,CACjB,uEAAuE,EACvE,CAAC,YAAY,EAAE,MAAM,CAAC,CACvB,CAAC;QACF,MAAM,IAAI,CAAC,EAAE,CAAC,KAAK,CAAC,iDAAiD,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC;QAEpF,kDAAkD;QAClD,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;QAC7C,IAAI,IAAI;YAAE,IAAI,CAAC,UAAU,CAAC,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAEpD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,8CAA8C;IAC9C,iBAAiB;IACjB,8CAA8C;IAEtC,KAAK,CAAC,UAAU,CAAC,IAAc;QACrC,+BAA+B;QAC/B,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,KAAK,CACpC,qEAAqE,EACrE,CAAC,IAAI,CAAC,EAAE,CAAC,CACV,CAAC;QACF,MAAM,IAAI,GAAI,UAAU,CAAC,IAAgD,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACpF,MAAM,EAAE,CAAC,CAAC,MAAM;YAChB,IAAI,EAAE,CAAC,CAAC,IAAI;SACb,CAAC,CAAC,CAAC;QAEJ,OAAO,OAAO,CACZ,EAAE,GAAG,EAAE,IAAI,CAAC,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,IAAI,EAAE,IAAI,CAAC,YAAY,EAAE,IAAI,EAAE,EAClE,IAAI,CAAC,MAAM,CAAC,SAAS,EACrB,IAAI,CAAC,MAAM,CAAC,mBAAmB,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CACjD,CAAC;IACJ,CAAC;IAED,8CAA8C;IAC9C,UAAU;IACV,8CAA8C;IAEtC,KAAK,CAAC,eAAe,CAAC,KAAa;QACzC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,KAAK,CAAC,sCAAsC,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC;QACpF,OAAQ,MAAM,CAAC,IAAmB,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;IAChD,CAAC;IAEO,KAAK,CAAC,YAAY,CAAC,EAAU;QACnC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,KAAK,CAAC,mCAAmC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC;QAC9E,OAAQ,MAAM,CAAC,IAAmB,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;IAChD,CAAC;IAEO,KAAK,CAAC,eAAe,CAAC,QAAgB,EAAE,UAAkB;QAChE,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,KAAK,CAChC,0EAA0E,EAC1E,CAAC,QAAQ,EAAE,UAAU,CAAC,CACvB,CAAC;QACF,OAAQ,MAAM,CAAC,IAAmB,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;IAChD,CAAC;IAEO,KAAK,CAAC,gBAAgB,CAAC,IAAc;QAC3C,mCAAmC;QACnC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,KAAK,CAClC,sDAAsD,EACtD,CAAC,IAAI,CAAC,EAAE,CAAC,CACV,CAAC;QACF,IAAK,QAAQ,CAAC,IAAc,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO;QAEhD,MAAM,WAAW,GAAG,IAAI,CAAC,YAAY,IAAI,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAClE,MAAM,IAAI,GAAG,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,YAAY,EAAE,GAAG,CAAC,IAAI,IAAI,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;QAE9F,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,KAAK,CACnC,4DAA4D,EAC5D,CAAC,GAAG,WAAW,QAAQ,EAAE,IAAI,CAAC,CAC/B,CAAC;QACF,MAAM,KAAK,GAAI,SAAS,CAAC,IAAc,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAE9C,MAAM,IAAI,CAAC,EAAE,CAAC,KAAK,CACjB,0EAA0E,EAC1E,CAAC,KAAK,EAAE,IAAI,CAAC,EAAE,CAAC,CACjB,CAAC;IACJ,CAAC;CACF;AAED,MAAM,OAAO,SAAU,SAAQ,KAAK;IAEzB;IADT,YACS,IAAY,EACnB,OAAe;QAEf,KAAK,CAAC,OAAO,CAAC,CAAC;QAHR,SAAI,GAAJ,IAAI,CAAQ;QAInB,IAAI,CAAC,IAAI,GAAG,WAAW,CAAC;IAC1B,CAAC;CACF"}

package/dist/cloud/auth/brute-force.d.ts

@@ -0,0 +1,36 @@
+/**
+ * Brute-force protection: in-memory rate limiter.
+ * Locks account after 10 failed attempts in 15 minutes.
+ *
+ * In production, this would use Redis. For now, in-memory is sufficient
+ * for single-instance deployments and testing.
+ */
+export interface BruteForceConfig {
+    maxAttempts: number;
+    windowMs: number;
+    lockDurationMs: number;
+}
+export declare class BruteForceProtection {
+    private records;
+    private config;
+    constructor(config?: Partial<BruteForceConfig>);
+    /**
+     * Check if a key (email) is currently locked.
+     */
+    isLocked(key: string): boolean;
+    /**
+     * Record a failed attempt. Returns true if account is now locked.
+     */
+    recordFailure(key: string): boolean;
+    /**
+     * Clear attempts on successful login.
+     */
+    recordSuccess(key: string): void;
+    /**
+     * Reset all records (for testing).
+     */
+    reset(): void;
+}
+/** Singleton instance */
+export declare const bruteForce: BruteForceProtection;
+//# sourceMappingURL=brute-force.d.ts.map

package/dist/cloud/auth/brute-force.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"brute-force.d.ts","sourceRoot":"","sources":["../../../src/cloud/auth/brute-force.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,MAAM,WAAW,gBAAgB;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,cAAc,EAAE,MAAM,CAAC;CACxB;AAaD,qBAAa,oBAAoB;IAC/B,OAAO,CAAC,OAAO,CAAoC;IACnD,OAAO,CAAC,MAAM,CAAmB;gBAErB,MAAM,GAAE,OAAO,CAAC,gBAAgB,CAAM;IAIlD;;OAEG;IACH,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO;IAW9B;;OAEG;IACH,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO;IAmBnC;;OAEG;IACH,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI;IAIhC;;OAEG;IACH,KAAK,IAAI,IAAI;CAGd;AAED,yBAAyB;AACzB,eAAO,MAAM,UAAU,sBAA6B,CAAC"}

package/dist/cloud/auth/brute-force.js

@@ -0,0 +1,67 @@
+/**
+ * Brute-force protection: in-memory rate limiter.
+ * Locks account after 10 failed attempts in 15 minutes.
+ *
+ * In production, this would use Redis. For now, in-memory is sufficient
+ * for single-instance deployments and testing.
+ */
+const DEFAULT_CONFIG = {
+    maxAttempts: 10,
+    windowMs: 15 * 60 * 1000,
+    lockDurationMs: 15 * 60 * 1000,
+};
+export class BruteForceProtection {
+    records = new Map();
+    config;
+    constructor(config = {}) {
+        this.config = { ...DEFAULT_CONFIG, ...config };
+    }
+    /**
+     * Check if a key (email) is currently locked.
+     */
+    isLocked(key) {
+        const record = this.records.get(key);
+        if (!record?.lockedUntil)
+            return false;
+        if (Date.now() >= record.lockedUntil) {
+            // Lock expired, clear
+            this.records.delete(key);
+            return false;
+        }
+        return true;
+    }
+    /**
+     * Record a failed attempt. Returns true if account is now locked.
+     */
+    recordFailure(key) {
+        const now = Date.now();
+        let record = this.records.get(key);
+        if (!record) {
+            record = { attempts: [], lockedUntil: null };
+            this.records.set(key, record);
+        }
+        // Prune old attempts outside the window
+        record.attempts = record.attempts.filter((t) => now - t < this.config.windowMs);
+        record.attempts.push(now);
+        if (record.attempts.length >= this.config.maxAttempts) {
+            record.lockedUntil = now + this.config.lockDurationMs;
+            return true;
+        }
+        return false;
+    }
+    /**
+     * Clear attempts on successful login.
+     */
+    recordSuccess(key) {
+        this.records.delete(key);
+    }
+    /**
+     * Reset all records (for testing).
+     */
+    reset() {
+        this.records.clear();
+    }
+}
+/** Singleton instance */
+export const bruteForce = new BruteForceProtection();
+//# sourceMappingURL=brute-force.js.map

package/dist/cloud/auth/brute-force.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"brute-force.js","sourceRoot":"","sources":["../../../src/cloud/auth/brute-force.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAaH,MAAM,cAAc,GAAqB;IACvC,WAAW,EAAE,EAAE;IACf,QAAQ,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI;IACxB,cAAc,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI;CAC/B,CAAC;AAEF,MAAM,OAAO,oBAAoB;IACvB,OAAO,GAAG,IAAI,GAAG,EAAyB,CAAC;IAC3C,MAAM,CAAmB;IAEjC,YAAY,SAAoC,EAAE;QAChD,IAAI,CAAC,MAAM,GAAG,EAAE,GAAG,cAAc,EAAE,GAAG,MAAM,EAAE,CAAC;IACjD,CAAC;IAED;;OAEG;IACH,QAAQ,CAAC,GAAW;QAClB,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,CAAC,MAAM,EAAE,WAAW;YAAE,OAAO,KAAK,CAAC;QACvC,IAAI,IAAI,CAAC,GAAG,EAAE,IAAI,MAAM,CAAC,WAAW,EAAE,CAAC;YACrC,sBAAsB;YACtB,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACzB,OAAO,KAAK,CAAC;QACf,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,aAAa,CAAC,GAAW;QACvB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,IAAI,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACnC,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,GAAG,EAAE,QAAQ,EAAE,EAAE,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;YAC7C,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;QAChC,CAAC;QAED,wCAAwC;QACxC,MAAM,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAChF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAE1B,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;YACtD,MAAM,CAAC,WAAW,GAAG,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC;YACtD,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACH,aAAa,CAAC,GAAW;QACvB,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC;IAED;;OAEG;IACH,KAAK;QACH,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;IACvB,CAAC;CACF;AAED,yBAAyB;AACzB,MAAM,CAAC,MAAM,UAAU,GAAG,IAAI,oBAAoB,EAAE,CAAC"}

package/dist/cloud/auth/index.d.ts

@@ -0,0 +1,11 @@
+export { AuthService, AuthError, type AuthServiceConfig, type AuthResult, type AuthUser } from './auth-service.js';
+export { signJwt, verifyJwt, JWT_COOKIE_OPTIONS, type JwtPayload } from './jwt.js';
+export { hashPassword, verifyPassword, validatePasswordComplexity } from './passwords.js';
+export { generateToken, hashToken, verifyToken } from './tokens.js';
+export { BruteForceProtection } from './brute-force.js';
+export { ApiKeyService, ApiKeyError, generateApiKey, type ApiKeyRecord, type CreateApiKeyInput, type CreateApiKeyResult, type ApiKeyEnvironment, } from './api-keys.js';
+export { ApiKeyAuthMiddleware, ApiKeyAuthError, InMemoryApiKeyCache, type ApiKeyAuthContext, type ApiKeyCache, type CacheEntry, } from './api-key-middleware.js';
+export { AuditLogService, type AuditAction, type ActorType, type AuditResult, type AuditEntry, type WriteAuditEntry, type AuditQueryFilters, } from './audit-log.js';
+export { requireRole, requireActionCategory, isRoleAllowed, categorizeAction, PERMISSION_MATRIX, type Role, type ActionCategory, type RbacRequest, type RbacResult, } from './rbac.js';
+export { type OAuthConfig, type OAuthProviderConfig, type OAuthUserProfile, getGoogleAuthUrl, exchangeGoogleCode, getGoogleProfile, getGithubAuthUrl, exchangeGithubCode, getGithubProfile, } from './oauth.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/cloud/auth/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/cloud/auth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,KAAK,iBAAiB,EAAE,KAAK,UAAU,EAAE,KAAK,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AACnH,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,kBAAkB,EAAE,KAAK,UAAU,EAAE,MAAM,UAAU,CAAC;AACnF,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,0BAA0B,EAAE,MAAM,gBAAgB,CAAC;AAC1F,OAAO,EAAE,aAAa,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AACpE,OAAO,EAAE,oBAAoB,EAAE,MAAM,kBAAkB,CAAC;AACxD,OAAO,EACL,aAAa,EACb,WAAW,EACX,cAAc,EACd,KAAK,YAAY,EACjB,KAAK,iBAAiB,EACtB,KAAK,kBAAkB,EACvB,KAAK,iBAAiB,GACvB,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,oBAAoB,EACpB,eAAe,EACf,mBAAmB,EACnB,KAAK,iBAAiB,EACtB,KAAK,WAAW,EAChB,KAAK,UAAU,GAChB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,eAAe,EACf,KAAK,WAAW,EAChB,KAAK,SAAS,EACd,KAAK,WAAW,EAChB,KAAK,UAAU,EACf,KAAK,eAAe,EACpB,KAAK,iBAAiB,GACvB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACL,WAAW,EACX,qBAAqB,EACrB,aAAa,EACb,gBAAgB,EAChB,iBAAiB,EACjB,KAAK,IAAI,EACT,KAAK,cAAc,EACnB,KAAK,WAAW,EAChB,KAAK,UAAU,GAChB,MAAM,WAAW,CAAC;AACnB,OAAO,EACL,KAAK,WAAW,EAChB,KAAK,mBAAmB,EACxB,KAAK,gBAAgB,EACrB,gBAAgB,EAChB,kBAAkB,EAClB,gBAAgB,EAChB,gBAAgB,EAChB,kBAAkB,EAClB,gBAAgB,GACjB,MAAM,YAAY,CAAC"}

package/dist/cloud/auth/index.js

@@ -0,0 +1,11 @@
+export { AuthService, AuthError } from './auth-service.js';
+export { signJwt, verifyJwt, JWT_COOKIE_OPTIONS } from './jwt.js';
+export { hashPassword, verifyPassword, validatePasswordComplexity } from './passwords.js';
+export { generateToken, hashToken, verifyToken } from './tokens.js';
+export { BruteForceProtection } from './brute-force.js';
+export { ApiKeyService, ApiKeyError, generateApiKey, } from './api-keys.js';
+export { ApiKeyAuthMiddleware, ApiKeyAuthError, InMemoryApiKeyCache, } from './api-key-middleware.js';
+export { AuditLogService, } from './audit-log.js';
+export { requireRole, requireActionCategory, isRoleAllowed, categorizeAction, PERMISSION_MATRIX, } from './rbac.js';
+export { getGoogleAuthUrl, exchangeGoogleCode, getGoogleProfile, getGithubAuthUrl, exchangeGithubCode, getGithubProfile, } from './oauth.js';
+//# sourceMappingURL=index.js.map

package/dist/cloud/auth/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/cloud/auth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,SAAS,EAA0D,MAAM,mBAAmB,CAAC;AACnH,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,kBAAkB,EAAmB,MAAM,UAAU,CAAC;AACnF,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,0BAA0B,EAAE,MAAM,gBAAgB,CAAC;AAC1F,OAAO,EAAE,aAAa,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AACpE,OAAO,EAAE,oBAAoB,EAAE,MAAM,kBAAkB,CAAC;AACxD,OAAO,EACL,aAAa,EACb,WAAW,EACX,cAAc,GAKf,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,oBAAoB,EACpB,eAAe,EACf,mBAAmB,GAIpB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,eAAe,GAOhB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACL,WAAW,EACX,qBAAqB,EACrB,aAAa,EACb,gBAAgB,EAChB,iBAAiB,GAKlB,MAAM,WAAW,CAAC;AACnB,OAAO,EAIL,gBAAgB,EAChB,kBAAkB,EAClB,gBAAgB,EAChB,gBAAgB,EAChB,kBAAkB,EAClB,gBAAgB,GACjB,MAAM,YAAY,CAAC"}

package/dist/cloud/auth/jwt.d.ts

@@ -0,0 +1,34 @@
+/**
+ * JWT utilities using Node.js built-in crypto (HMAC-SHA256).
+ * No external dependencies.
+ */
+export interface JwtPayload {
+    sub: string;
+    email: string;
+    name: string | null;
+    orgs: Array<{
+        org_id: string;
+        role: string;
+    }>;
+    iat: number;
+    exp: number;
+}
+/**
+ * Sign a JWT payload. Returns a compact JWT string.
+ */
+export declare function signJwt(payload: Omit<JwtPayload, 'iat' | 'exp'>, secret: string, expiresInSeconds?: number): string;
+/**
+ * Verify and decode a JWT. Returns null if invalid or expired.
+ */
+export declare function verifyJwt(token: string, secret: string): JwtPayload | null;
+/**
+ * Cookie options for JWT storage.
+ */
+export declare const JWT_COOKIE_OPTIONS: {
+    httpOnly: boolean;
+    secure: boolean;
+    sameSite: "Strict";
+    path: string;
+    maxAge: number;
+};
+//# sourceMappingURL=jwt.d.ts.map

package/dist/cloud/auth/jwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../../../src/cloud/auth/jwt.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,MAAM,WAAW,UAAU;IACzB,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,IAAI,EAAE,KAAK,CAAC;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC9C,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;CACb;AAaD;;GAEG;AACH,wBAAgB,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,UAAU,EAAE,KAAK,GAAG,KAAK,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,gBAAgB,SAAgB,GAAG,MAAM,CAe1H;AAED;;GAEG;AACH,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,UAAU,GAAG,IAAI,CAwB1E;AAED;;GAEG;AACH,eAAO,MAAM,kBAAkB;;;;;;CAM9B,CAAC"}