@airdraft/plugin-auth 0.1.0

package/dist/UserStore.js

@@ -0,0 +1,220 @@
+import { scrypt as scryptCallback, randomBytes, timingSafeEqual, } from 'node:crypto';
+import { readFile, writeFile, mkdir, access } from 'node:fs/promises';
+import { join, dirname } from 'node:path';
+// ---------------------------------------------------------------------------
+// Scrypt helpers  (C5)
+// ---------------------------------------------------------------------------
+const SCRYPT_PARAMS = { N: 16384, r: 8, p: 1 };
+const KEY_LEN = 64;
+function scrypt(password, salt) {
+    return new Promise((resolve, reject) => {
+        scryptCallback(password, salt, KEY_LEN, SCRYPT_PARAMS, (err, key) => (err ? reject(err) : resolve(key)));
+    });
+}
+async function hashPassword(password) {
+    const salt = randomBytes(16);
+    const key = await scrypt(password, salt);
+    return `${salt.toString('hex')}:${key.toString('hex')}`;
+}
+async function checkPassword(password, stored) {
+    const [saltHex, keyHex] = stored.split(':');
+    if (!saltHex || !keyHex)
+        return false;
+    const salt = Buffer.from(saltHex, 'hex');
+    const expected = Buffer.from(keyHex, 'hex');
+    const actual = await scrypt(password, salt);
+    if (expected.length !== actual.length)
+        return false;
+    return timingSafeEqual(expected, actual);
+}
+// ---------------------------------------------------------------------------
+// UserStore  (C4)
+// ---------------------------------------------------------------------------
+const GITIGNORE_CONTENT = '# Airdraft — local secrets\nusers.json\ntokens.json\n';
+const INVITE_TTL_SECONDS = 48 * 60 * 60;
+/**
+ * Persistent user store backed by `.airdraft/users.json`.
+ *
+ * - Passwords are hashed with `scrypt` (N=16384, r=8, p=1) — OWASP compliant.
+ * - On first write, auto-creates `.airdraft/.gitignore` to prevent accidental commits.
+ * - Emits a console.warn on serverless runtimes (no persistent filesystem).
+ *
+ * ```ts
+ * const store = UserStore.json() // uses .airdraft/users.json relative to cwd
+ * await store.create('alice@example.com', 'hunter2', 'admin', 'Alice')
+ * ```
+ */
+export class UserStore {
+    filePath;
+    data = null;
+    constructor(filePath) {
+        this.filePath = filePath;
+        this.warnIfServerless();
+    }
+    /** Creates a UserStore backed by `.airdraft/users.json` (or custom path). */
+    static json(path) {
+        const p = path ?? join(process.cwd(), '.airdraft', 'users.json');
+        return new UserStore(p);
+    }
+    // -------------------------------------------------------------------------
+    // Private I/O
+    // -------------------------------------------------------------------------
+    async load() {
+        if (this.data)
+            return this.data;
+        try {
+            const raw = await readFile(this.filePath, 'utf8');
+            this.data = JSON.parse(raw);
+        }
+        catch (err) {
+            if (err.code === 'ENOENT') {
+                this.data = { users: [], invites: [] };
+            }
+            else {
+                throw err;
+            }
+        }
+        return this.data;
+    }
+    async save(data) {
+        this.data = data;
+        const dir = dirname(this.filePath);
+        await mkdir(dir, { recursive: true });
+        // Auto-write .gitignore on first use (C4)
+        const gitignorePath = join(dir, '.gitignore');
+        const hasGitignore = await access(gitignorePath).then(() => true).catch(() => false);
+        if (!hasGitignore) {
+            await writeFile(gitignorePath, GITIGNORE_CONTENT, 'utf8');
+        }
+        await writeFile(this.filePath, JSON.stringify(data, null, 2), 'utf8');
+    }
+    warnIfServerless() {
+        const platform = process.env['VERCEL'] ?? process.env['AWS_LAMBDA_FUNCTION_NAME'];
+        if (platform) {
+            console.warn('[airdraft/plugin-auth] UserStore uses a local JSON file which may not persist ' +
+                'on serverless platforms. Consider an alternative persistence layer for production.');
+        }
+    }
+    // -------------------------------------------------------------------------
+    // User operations
+    // -------------------------------------------------------------------------
+    async findByEmail(email) {
+        const data = await this.load();
+        return data.users.find((u) => u.email.toLowerCase() === email.toLowerCase()) ?? null;
+    }
+    async list() {
+        const data = await this.load();
+        return data.users.map(({ passwordHash: _, ...u }) => ({ ...u, passwordHash: '***' }));
+    }
+    /**
+     * Creates a new user with a scrypt-hashed password.
+     * Throws if a user with the same email already exists.
+     */
+    async create(email, password, role, name) {
+        const data = await this.load();
+        const existing = data.users.find((u) => u.email.toLowerCase() === email.toLowerCase());
+        if (existing)
+            throw new Error(`User '${email}' already exists`);
+        const passwordHash = await hashPassword(password);
+        const user = {
+            id: randomBytes(12).toString('hex'),
+            email: email.toLowerCase(),
+            name,
+            role,
+            passwordHash,
+            createdAt: Math.floor(Date.now() / 1000),
+        };
+        data.users.push(user);
+        await this.save(data);
+        const { passwordHash: _, ...safeUser } = user;
+        return safeUser;
+    }
+    /**
+     * Verifies email + password and returns the user record (without hash) on success.
+     * Returns null if the user doesn't exist or the password is wrong.
+     */
+    async verifyPassword(email, password) {
+        const data = await this.load();
+        const user = data.users.find((u) => u.email.toLowerCase() === email.toLowerCase());
+        if (!user)
+            return null;
+        const ok = await checkPassword(password, user.passwordHash);
+        if (!ok)
+            return null;
+        const { passwordHash: _, ...safeUser } = user;
+        return safeUser;
+    }
+    /**
+     * Updates the role of an existing user. Config-level roles take precedence
+     * over the store at runtime (C3), but this persists the base role.
+     */
+    async updateRole(email, role) {
+        const data = await this.load();
+        const idx = data.users.findIndex((u) => u.email.toLowerCase() === email.toLowerCase());
+        if (idx === -1)
+            return null;
+        data.users[idx].role = role;
+        await this.save(data);
+        const { passwordHash: _, ...safeUser } = data.users[idx];
+        return safeUser;
+    }
+    /** Removes a user. Returns true if the user existed. */
+    async remove(email) {
+        const data = await this.load();
+        const before = data.users.length;
+        data.users = data.users.filter((u) => u.email.toLowerCase() !== email.toLowerCase());
+        if (data.users.length === before)
+            return false;
+        await this.save(data);
+        return true;
+    }
+    // -------------------------------------------------------------------------
+    // Invite operations  (C11)
+    // -------------------------------------------------------------------------
+    /**
+     * Creates an admin-generated invite token for the given email + role.
+     * The invite link is: `{basePath}/auth/invite/{token}` — displayed to the admin.
+     * Expiry: 48 hours.
+     */
+    async createInvite(email, role) {
+        const data = await this.load();
+        // Invalidate any existing invites for this email
+        data.invites = data.invites.filter((i) => i.email.toLowerCase() !== email.toLowerCase());
+        const invite = {
+            token: randomBytes(32).toString('hex'),
+            email: email.toLowerCase(),
+            role,
+            expiresAt: Math.floor(Date.now() / 1000) + INVITE_TTL_SECONDS,
+        };
+        data.invites.push(invite);
+        await this.save(data);
+        return invite;
+    }
+    /** Returns all stored invites (including expired ones). */
+    async listInvites() {
+        const data = await this.load();
+        return [...data.invites];
+    }
+    /** Removes an invite by token. No-op if the token doesn't exist. */
+    async revokeInvite(token) {
+        const data = await this.load();
+        data.invites = data.invites.filter((i) => i.token !== token);
+        await this.save(data);
+    }
+    /**
+     * Accepts an invite: sets the user's password and creates the account.
+     * Returns the new user record, or throws if the token is invalid/expired.
+     */
+    async acceptInvite(token, password, name) {
+        const data = await this.load();
+        const now = Math.floor(Date.now() / 1000);
+        const invite = data.invites.find((i) => i.token === token && i.expiresAt > now);
+        if (!invite)
+            throw new Error('Invalid or expired invite token');
+        // Remove the invite
+        data.invites = data.invites.filter((i) => i.token !== token);
+        await this.save(data);
+        return this.create(invite.email, password, invite.role, name);
+    }
+}
+//# sourceMappingURL=UserStore.js.map

package/dist/UserStore.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"UserStore.js","sourceRoot":"","sources":["../src/UserStore.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,MAAM,IAAI,cAAc,EACxB,WAAW,EACX,eAAe,GAChB,MAAM,aAAa,CAAA;AACpB,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAA;AACrE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAA;AA8BzC,8EAA8E;AAC9E,uBAAuB;AACvB,8EAA8E;AAE9E,MAAM,aAAa,GAAG,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAA;AAC9C,MAAM,OAAO,GAAG,EAAE,CAAA;AAElB,SAAS,MAAM,CAAC,QAAgB,EAAE,IAAY;IAC5C,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,cAAc,CACZ,QAAQ,EACR,IAAI,EACJ,OAAO,EACP,aAAa,EACb,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAa,CAAC,CAAC,CAC3D,CAAA;IACH,CAAC,CAAC,CAAA;AACJ,CAAC;AAED,KAAK,UAAU,YAAY,CAAC,QAAgB;IAC1C,MAAM,IAAI,GAAG,WAAW,CAAC,EAAE,CAAC,CAAA;IAC5B,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAA;IACxC,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAA;AACzD,CAAC;AAED,KAAK,UAAU,aAAa,CAAC,QAAgB,EAAE,MAAc;IAC3D,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC3C,IAAI,CAAC,OAAO,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAA;IACrC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,CAAA;IACxC,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,CAAA;IAC3C,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAA;IAC3C,IAAI,QAAQ,CAAC,MAAM,KAAK,MAAM,CAAC,MAAM;QAAE,OAAO,KAAK,CAAA;IACnD,OAAO,eAAe,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAA;AAC1C,CAAC;AAED,8EAA8E;AAC9E,kBAAkB;AAClB,8EAA8E;AAE9E,MAAM,iBAAiB,GAAG,uDAAuD,CAAA;AACjF,MAAM,kBAAkB,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAA;AAEvC;;;;;;;;;;;GAWG;AACH,MAAM,OAAO,SAAS;IACH,QAAQ,CAAQ;IACzB,IAAI,GAAyB,IAAI,CAAA;IAEzC,YAAY,QAAgB;QAC1B,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAA;QACxB,IAAI,CAAC,gBAAgB,EAAE,CAAA;IACzB,CAAC;IAED,6EAA6E;IAC7E,MAAM,CAAC,IAAI,CAAC,IAAa;QACvB,MAAM,CAAC,GAAG,IAAI,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,WAAW,EAAE,YAAY,CAAC,CAAA;QAChE,OAAO,IAAI,SAAS,CAAC,CAAC,CAAC,CAAA;IACzB,CAAC;IAED,4EAA4E;IAC5E,cAAc;IACd,4EAA4E;IAEpE,KAAK,CAAC,IAAI;QAChB,IAAI,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC,IAAI,CAAA;QAC/B,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAA;YACjD,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAkB,CAAA;QAC9C,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,IAAK,GAA6B,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBACrD,IAAI,CAAC,IAAI,GAAG,EAAE,KAAK,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,CAAA;YACxC,CAAC;iBAAM,CAAC;gBACN,MAAM,GAAG,CAAA;YACX,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC,IAAI,CAAA;IAClB,CAAC;IAEO,KAAK,CAAC,IAAI,CAAC,IAAmB;QACpC,IAAI,CAAC,IAAI,GAAG,IAAI,CAAA;QAChB,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QAClC,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAA;QAErC,0CAA0C;QAC1C,MAAM,aAAa,GAAG,IAAI,CAAC,GAAG,EAAE,YAAY,CAAC,CAAA;QAC7C,MAAM,YAAY,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,CAAA;QACpF,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,MAAM,SAAS,CAAC,aAAa,EAAE,iBAAiB,EAAE,MAAM,CAAC,CAAA;QAC3D,CAAC;QAED,MAAM,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,MAAM,CAAC,CAAA;IACvE,CAAC;IAEO,gBAAgB;QACtB,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,CAAA;QACjF,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,CAAC,IAAI,CACV,gFAAgF;gBAC9E,oFAAoF,CACvF,CAAA;QACH,CAAC;IACH,CAAC;IAED,4EAA4E;IAC5E,kBAAkB;IAClB,4EAA4E;IAE5E,KAAK,CAAC,WAAW,CAAC,KAAa;QAC7B,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAA;QAC9B,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,WAAW,EAAE,KAAK,KAAK,CAAC,WAAW,EAAE,CAAC,IAAI,IAAI,CAAA;IACtF,CAAC;IAED,KAAK,CAAC,IAAI;QACR,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAA;QAC9B,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,YAAY,EAAE,CAAC,EAAE,GAAG,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC,CAAC,CAAA;IACvF,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,MAAM,CACV,KAAa,EACb,QAAgB,EAChB,IAAU,EACV,IAAa;QAEb,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAA;QAC9B,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,WAAW,EAAE,KAAK,KAAK,CAAC,WAAW,EAAE,CAAC,CAAA;QACtF,IAAI,QAAQ;YAAE,MAAM,IAAI,KAAK,CAAC,SAAS,KAAK,kBAAkB,CAAC,CAAA;QAE/D,MAAM,YAAY,GAAG,MAAM,YAAY,CAAC,QAAQ,CAAC,CAAA;QACjD,MAAM,IAAI,GAAe;YACvB,EAAE,EAAE,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;YACnC,KAAK,EAAE,KAAK,CAAC,WAAW,EAAE;YAC1B,IAAI;YACJ,IAAI;YACJ,YAAY;YACZ,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;SACzC,CAAA;QACD,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QACrB,MAAM,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAErB,MAAM,EAAE,YAAY,EAAE,CAAC,EAAE,GAAG,QAAQ,EAAE,GAAG,IAAI,CAAA;QAC7C,OAAO,QAAQ,CAAA;IACjB,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,cAAc,CAClB,KAAa,EACb,QAAgB;QAEhB,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAA;QAC9B,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,WAAW,EAAE,KAAK,KAAK,CAAC,WAAW,EAAE,CAAC,CAAA;QAClF,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAA;QAEtB,MAAM,EAAE,GAAG,MAAM,aAAa,CAAC,QAAQ,EAAE,IAAI,CAAC,YAAY,CAAC,CAAA;QAC3D,IAAI,CAAC,EAAE;YAAE,OAAO,IAAI,CAAA;QAEpB,MAAM,EAAE,YAAY,EAAE,CAAC,EAAE,GAAG,QAAQ,EAAE,GAAG,IAAI,CAAA;QAC7C,OAAO,QAAQ,CAAA;IACjB,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,UAAU,CAAC,KAAa,EAAE,IAAU;QACxC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAA;QAC9B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,WAAW,EAAE,KAAK,KAAK,CAAC,WAAW,EAAE,CAAC,CAAA;QACtF,IAAI,GAAG,KAAK,CAAC,CAAC;YAAE,OAAO,IAAI,CAAA;QAC3B,IAAI,CAAC,KAAK,CAAC,GAAG,CAAE,CAAC,IAAI,GAAG,IAAI,CAAA;QAC5B,MAAM,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QACrB,MAAM,EAAE,YAAY,EAAE,CAAC,EAAE,GAAG,QAAQ,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAE,CAAA;QACzD,OAAO,QAAQ,CAAA;IACjB,CAAC;IAED,wDAAwD;IACxD,KAAK,CAAC,MAAM,CAAC,KAAa;QACxB,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAA;QAC9B,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAA;QAChC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,WAAW,EAAE,KAAK,KAAK,CAAC,WAAW,EAAE,CAAC,CAAA;QACpF,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,KAAK,MAAM;YAAE,OAAO,KAAK,CAAA;QAC9C,MAAM,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QACrB,OAAO,IAAI,CAAA;IACb,CAAC;IAED,4EAA4E;IAC5E,2BAA2B;IAC3B,4EAA4E;IAE5E;;;;OAIG;IACH,KAAK,CAAC,YAAY,CAAC,KAAa,EAAE,IAAU;QAC1C,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAA;QAC9B,iDAAiD;QACjD,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,WAAW,EAAE,KAAK,KAAK,CAAC,WAAW,EAAE,CAAC,CAAA;QAExF,MAAM,MAAM,GAAiB;YAC3B,KAAK,EAAE,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;YACtC,KAAK,EAAE,KAAK,CAAC,WAAW,EAAE;YAC1B,IAAI;YACJ,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,kBAAkB;SAC9D,CAAA;QACD,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;QACzB,MAAM,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QACrB,OAAO,MAAM,CAAA;IACf,CAAC;IAED,2DAA2D;IAC3D,KAAK,CAAC,WAAW;QACf,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAA;QAC9B,OAAO,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,CAAA;IAC1B,CAAC;IAED,oEAAoE;IACpE,KAAK,CAAC,YAAY,CAAC,KAAa;QAC9B,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAA;QAC9B,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,KAAK,CAAC,CAAA;QAC5D,MAAM,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IACvB,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,YAAY,CAChB,KAAa,EACb,QAAgB,EAChB,IAAa;QAEb,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAA;QAC9B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAA;QACzC,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,KAAK,IAAI,CAAC,CAAC,SAAS,GAAG,GAAG,CAAC,CAAA;QAC/E,IAAI,CAAC,MAAM;YAAE,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAA;QAE/D,oBAAoB;QACpB,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,KAAK,CAAC,CAAA;QAC5D,MAAM,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAErB,OAAO,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,QAAQ,EAAE,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,CAAA;IAC/D,CAAC;CACF"}

package/dist/blocklist.d.ts

@@ -0,0 +1,7 @@
+export declare const refreshTokenBlocklist: {
+    add(token: string): void;
+    has(token: string): boolean;
+    /** For testing only — clears the entire blocklist. */
+    clear(): void;
+};
+//# sourceMappingURL=blocklist.d.ts.map

package/dist/blocklist.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"blocklist.d.ts","sourceRoot":"","sources":["../src/blocklist.ts"],"names":[],"mappings":"AAWA,eAAO,MAAM,qBAAqB;eACrB,MAAM,GAAG,IAAI;eAGb,MAAM,GAAG,OAAO;IAG3B,sDAAsD;aAC7C,IAAI;CAGd,CAAA"}

package/dist/blocklist.js

@@ -0,0 +1,23 @@
+/**
+ * In-memory refresh token blocklist (C8).
+ *
+ * When a refresh token is rotated or a user logs out, the old token is added
+ * here. This prevents reuse of intercepted refresh tokens.
+ *
+ * Note: this list is cleared on server restart. If you need persistence across
+ * restarts, store revoked tokens in your database or cache layer instead.
+ */
+const blocked = new Set();
+export const refreshTokenBlocklist = {
+    add(token) {
+        blocked.add(token);
+    },
+    has(token) {
+        return blocked.has(token);
+    },
+    /** For testing only — clears the entire blocklist. */
+    clear() {
+        blocked.clear();
+    },
+};
+//# sourceMappingURL=blocklist.js.map

package/dist/blocklist.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"blocklist.js","sourceRoot":"","sources":["../src/blocklist.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAA;AAEjC,MAAM,CAAC,MAAM,qBAAqB,GAAG;IACnC,GAAG,CAAC,KAAa;QACf,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAA;IACpB,CAAC;IACD,GAAG,CAAC,KAAa;QACf,OAAO,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAA;IAC3B,CAAC;IACD,sDAAsD;IACtD,KAAK;QACH,OAAO,CAAC,KAAK,EAAE,CAAA;IACjB,CAAC;CACF,CAAA"}

package/dist/index.d.ts

@@ -0,0 +1,13 @@
+export { withAuth, getRequestUser } from './withAuth.js';
+export type { WithAuthOptions, AuthProvider, AuthUser, Role, RolePermissions, RouteHandlerDef } from './types.js';
+export { ROLE_PERMISSIONS, can } from './types.js';
+export { UserStore } from './UserStore.js';
+export type { UserRecord, InviteRecord } from './UserStore.js';
+export { CredentialsProvider } from './CredentialsProvider.js';
+export type { CredentialsProviderOptions } from './CredentialsProvider.js';
+export { GitHubOAuthProvider } from './GitHubOAuthProvider.js';
+export type { GitHubOAuthProviderOptions } from './GitHubOAuthProvider.js';
+export { GoogleOAuthProvider } from './GoogleOAuthProvider.js';
+export type { GoogleOAuthProviderOptions } from './GoogleOAuthProvider.js';
+export { refreshTokenBlocklist } from './blocklist.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,MAAM,eAAe,CAAA;AACxD,YAAY,EAAE,eAAe,EAAE,YAAY,EAAE,QAAQ,EAAE,IAAI,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,YAAY,CAAA;AACjH,OAAO,EAAE,gBAAgB,EAAE,GAAG,EAAE,MAAM,YAAY,CAAA;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAA;AAC1C,YAAY,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAA;AAC9D,OAAO,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAA;AAC9D,YAAY,EAAE,0BAA0B,EAAE,MAAM,0BAA0B,CAAA;AAC1E,OAAO,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAA;AAC9D,YAAY,EAAE,0BAA0B,EAAE,MAAM,0BAA0B,CAAA;AAC1E,OAAO,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAA;AAC9D,YAAY,EAAE,0BAA0B,EAAE,MAAM,0BAA0B,CAAA;AAC1E,OAAO,EAAE,qBAAqB,EAAE,MAAM,gBAAgB,CAAA"}

package/dist/index.js

@@ -0,0 +1,8 @@
+export { withAuth, getRequestUser } from './withAuth.js';
+export { ROLE_PERMISSIONS, can } from './types.js';
+export { UserStore } from './UserStore.js';
+export { CredentialsProvider } from './CredentialsProvider.js';
+export { GitHubOAuthProvider } from './GitHubOAuthProvider.js';
+export { GoogleOAuthProvider } from './GoogleOAuthProvider.js';
+export { refreshTokenBlocklist } from './blocklist.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,MAAM,eAAe,CAAA;AAExD,OAAO,EAAE,gBAAgB,EAAE,GAAG,EAAE,MAAM,YAAY,CAAA;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAA;AAE1C,OAAO,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAA;AAE9D,OAAO,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAA;AAE9D,OAAO,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAA;AAE9D,OAAO,EAAE,qBAAqB,EAAE,MAAM,gBAAgB,CAAA"}

package/dist/types.d.ts

@@ -0,0 +1,48 @@
+import type { PluginRouteContext } from '@airdraft/core';
+import type { AuthUser, Role, RolePermissions } from '@airdraft/auth';
+export type { AuthUser, Role, RolePermissions };
+export { ROLE_PERMISSIONS, can, ACCESS_TOKEN_TTL, REFRESH_TOKEN_TTL } from '@airdraft/auth';
+export interface RouteHandlerDef {
+    /** Route key used in plugin.routes (e.g. '/auth/login'). */
+    path: string;
+    handler: (req: Request, ctx: PluginRouteContext) => Promise<Response>;
+    /**
+     * When `true` (the default), this route is added to `publicPaths` so the
+     * auth middleware bypasses it — useful for login/logout/refresh endpoints.
+     * Set to `false` for routes that must go through the middleware so the
+     * verified user is available via `getRequestUser()`.
+     */
+    public?: boolean;
+}
+/**
+ * Pluggable authentication provider interface (C2).
+ *
+ * - `verify` is called on every protected request.
+ * - `handlers` returns additional CMS routes (login, logout, refresh, me).
+ * - `refresh` issues a new access token from a valid refresh token.
+ * - `getUser` is an optional cached alternative to `verify` for middleware-to-route handoff.
+ */
+export interface AuthProvider {
+    /** Verify the request and return the authenticated user, or null to deny. */
+    verify(req: Request): Promise<AuthUser | null>;
+    /** Additional route handlers to register under the CMS base path. */
+    handlers?(): RouteHandlerDef[];
+    /** Exchange a refresh token for a refreshed AuthUser. Returns null if invalid. */
+    refresh?(refreshToken: string): Promise<AuthUser | null>;
+    /** Optional: fast user lookup for already-verified requests (avoids re-verify). */
+    getUser?(req: Request): Promise<AuthUser | null>;
+}
+export interface WithAuthOptions {
+    provider: AuthProvider;
+    /**
+     * URL path suffixes that bypass auth entirely (e.g. '/openapi.json').
+     * The provider's own route paths are always bypassed automatically.
+     */
+    publicPaths?: string[];
+    /**
+     * Email-keyed role overrides. Config takes precedence over the user store (C3).
+     * e.g. `{ 'alice@example.com': 'admin' }`
+     */
+    roles?: Record<string, Role>;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAA;AACxD,OAAO,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAA;AAGrE,YAAY,EAAE,QAAQ,EAAE,IAAI,EAAE,eAAe,EAAE,CAAA;AAC/C,OAAO,EAAE,gBAAgB,EAAE,GAAG,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAA;AAM3F,MAAM,WAAW,eAAe;IAC9B,4DAA4D;IAC5D,IAAI,EAAE,MAAM,CAAA;IACZ,OAAO,EAAE,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,kBAAkB,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAA;IACrE;;;;;OAKG;IACH,MAAM,CAAC,EAAE,OAAO,CAAA;CACjB;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,YAAY;IAC3B,6EAA6E;IAC7E,MAAM,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAA;IAC9C,qEAAqE;IACrE,QAAQ,CAAC,IAAI,eAAe,EAAE,CAAA;IAC9B,kFAAkF;IAClF,OAAO,CAAC,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAA;IACxD,mFAAmF;IACnF,OAAO,CAAC,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAA;CACjD;AAMD,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,YAAY,CAAA;IACtB;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,EAAE,CAAA;IACtB;;;OAGG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,IAAI,CAAC,CAAA;CAC7B"}

package/dist/types.js

@@ -0,0 +1,2 @@
+export { ROLE_PERMISSIONS, can, ACCESS_TOKEN_TTL, REFRESH_TOKEN_TTL } from '@airdraft/auth';
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,gBAAgB,EAAE,GAAG,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAA"}

package/dist/withAuth.d.ts

@@ -0,0 +1,32 @@
+import type { Plugin } from '@airdraft/core';
+import type { AuthUser } from '@airdraft/auth';
+import type { WithAuthOptions } from './types.js';
+/**
+ * Returns the authenticated user attached to the request by `withAuth` middleware.
+ * Returns `undefined` if the request is unauthenticated or was a public route.
+ */
+export declare function getRequestUser(req: Request): AuthUser | undefined;
+/**
+ * Creates an Airdraft plugin that enforces authentication on all CMS routes
+ * using a pluggable `AuthProvider`.
+ *
+ * ```ts
+ * import { withAuth, CredentialsProvider, UserStore } from '@airdraft/plugin-auth'
+ *
+ * export default defineConfig({
+ *   adapter,
+ *   collections,
+ *   plugins: [
+ *     withAuth({
+ *       provider: CredentialsProvider({
+ *         userStore: UserStore.json(),
+ *         secret: process.env.AIRDRAFT_JWT_SECRET!,
+ *         roles: { 'alice@example.com': 'admin' },
+ *       }),
+ *     }),
+ *   ],
+ * })
+ * ```
+ */
+export declare function withAuth(options: WithAuthOptions): Plugin;
+//# sourceMappingURL=withAuth.d.ts.map

package/dist/withAuth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"withAuth.d.ts","sourceRoot":"","sources":["../src/withAuth.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,gBAAgB,CAAA;AAE5C,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAA;AAC9C,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAA;AAQjD;;;GAGG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,OAAO,GAAG,QAAQ,GAAG,SAAS,CAEjE;AAMD;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,QAAQ,CAAC,OAAO,EAAE,eAAe,GAAG,MAAM,CAmDzD"}

package/dist/withAuth.js

@@ -0,0 +1,84 @@
+import { UnauthorizedError } from '@airdraft/core';
+// ---------------------------------------------------------------------------
+// Request → AuthUser map  (allows downstream route handlers to read user)
+// ---------------------------------------------------------------------------
+const requestUsers = new WeakMap();
+/**
+ * Returns the authenticated user attached to the request by `withAuth` middleware.
+ * Returns `undefined` if the request is unauthenticated or was a public route.
+ */
+export function getRequestUser(req) {
+    return requestUsers.get(req);
+}
+// ---------------------------------------------------------------------------
+// withAuth  (C2, C3, C7)
+// ---------------------------------------------------------------------------
+/**
+ * Creates an Airdraft plugin that enforces authentication on all CMS routes
+ * using a pluggable `AuthProvider`.
+ *
+ * ```ts
+ * import { withAuth, CredentialsProvider, UserStore } from '@airdraft/plugin-auth'
+ *
+ * export default defineConfig({
+ *   adapter,
+ *   collections,
+ *   plugins: [
+ *     withAuth({
+ *       provider: CredentialsProvider({
+ *         userStore: UserStore.json(),
+ *         secret: process.env.AIRDRAFT_JWT_SECRET!,
+ *         roles: { 'alice@example.com': 'admin' },
+ *       }),
+ *     }),
+ *   ],
+ * })
+ * ```
+ */
+export function withAuth(options) {
+    const { provider } = options;
+    // Collect route paths that should bypass auth.
+    // Routes with public !== false are bypassed (login, logout, refresh, invite acceptance).
+    // Routes with public === false go through middleware so getRequestUser() is populated.
+    const providerRoutes = (provider.handlers?.() ?? [])
+        .filter((h) => h.public !== false)
+        .map((h) => h.path);
+    const publicPaths = [...(options.publicPaths ?? []), ...providerRoutes];
+    /** Returns true if `pathname` matches a public path pattern (supports `:param` wildcards). */
+    function isPublicPath(pathname) {
+        return publicPaths.some((p) => {
+            if (!p.includes(':'))
+                return pathname.endsWith(p);
+            // Build a regex that replaces :param segments with a non-slash wildcard
+            const escaped = p.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+            const pattern = escaped.replace(/:[^/]+/g, '[^/]+');
+            return new RegExp(`${pattern}$`).test(pathname);
+        });
+    }
+    async function middleware(request) {
+        const { pathname } = new URL(request.url);
+        // Bypass auth for public and provider-owned paths
+        if (isPublicPath(pathname))
+            return;
+        // Verify via the provider
+        const user = await provider.verify(request);
+        if (!user)
+            throw new UnauthorizedError('Authentication required');
+        // Apply config-level role overrides (C3)
+        const role = options.roles?.[user.email.toLowerCase()] ?? user.role;
+        const enriched = { ...user, role };
+        // Attach to request for downstream consumers
+        requestUsers.set(request, enriched);
+    }
+    // Build the plugin routes map from provider handlers
+    const routes = {};
+    for (const { path, handler } of provider.handlers?.() ?? []) {
+        routes[path] = handler;
+    }
+    return {
+        name: 'auth',
+        routes: Object.keys(routes).length > 0 ? routes : undefined,
+        middleware,
+    };
+}
+//# sourceMappingURL=withAuth.js.map

package/dist/withAuth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"withAuth.js","sourceRoot":"","sources":["../src/withAuth.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAA;AAIlD,8EAA8E;AAC9E,0EAA0E;AAC1E,8EAA8E;AAE9E,MAAM,YAAY,GAAG,IAAI,OAAO,EAAqB,CAAA;AAErD;;;GAGG;AACH,MAAM,UAAU,cAAc,CAAC,GAAY;IACzC,OAAO,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;AAC9B,CAAC;AAED,8EAA8E;AAC9E,yBAAyB;AACzB,8EAA8E;AAE9E;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,UAAU,QAAQ,CAAC,OAAwB;IAC/C,MAAM,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAA;IAE5B,+CAA+C;IAC/C,yFAAyF;IACzF,uFAAuF;IACvF,MAAM,cAAc,GAAG,CAAC,QAAQ,CAAC,QAAQ,EAAE,EAAE,IAAI,EAAE,CAAC;SACjD,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,KAAK,CAAC;SACjC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAA;IACrB,MAAM,WAAW,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,WAAW,IAAI,EAAE,CAAC,EAAE,GAAG,cAAc,CAAC,CAAA;IAEvE,8FAA8F;IAC9F,SAAS,YAAY,CAAC,QAAgB;QACpC,OAAO,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE;YAC5B,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC;gBAAE,OAAO,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAA;YACjD,wEAAwE;YACxE,MAAM,OAAO,GAAG,CAAC,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAA;YACxD,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC,CAAA;YACnD,OAAO,IAAI,MAAM,CAAC,GAAG,OAAO,GAAG,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QACjD,CAAC,CAAC,CAAA;IACJ,CAAC;IAED,KAAK,UAAU,UAAU,CAAC,OAAgB;QACxC,MAAM,EAAE,QAAQ,EAAE,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;QAEzC,kDAAkD;QAClD,IAAI,YAAY,CAAC,QAAQ,CAAC;YAAE,OAAM;QAElC,0BAA0B;QAC1B,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,OAAO,CAAC,CAAA;QAC3C,IAAI,CAAC,IAAI;YAAE,MAAM,IAAI,iBAAiB,CAAC,yBAAyB,CAAC,CAAA;QAEjE,yCAAyC;QACzC,MAAM,IAAI,GAAI,OAAO,CAAC,KAAK,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,CAAkC,IAAI,IAAI,CAAC,IAAI,CAAA;QACrG,MAAM,QAAQ,GAAa,EAAE,GAAG,IAAI,EAAE,IAAI,EAAE,CAAA;QAE5C,6CAA6C;QAC7C,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAA;IACrC,CAAC;IAED,qDAAqD;IACrD,MAAM,MAAM,GAAqB,EAAE,CAAA;IACnC,KAAK,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,QAAQ,CAAC,QAAQ,EAAE,EAAE,IAAI,EAAE,EAAE,CAAC;QAC5D,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,CAAA;IACxB,CAAC;IAED,OAAO;QACL,IAAI,EAAE,MAAM;QACZ,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS;QAC3D,UAAU;KACX,CAAA;AACH,CAAC"}

package/package.json

@@ -0,0 +1,42 @@
+{
+  "name": "@airdraft/plugin-auth",
+  "version": "0.1.0",
+  "description": "Airdraft auth plugin — GitHub OAuth, email/password providers",
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "files": ["dist", "README.md", "CHANGELOG.md"],
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc --watch",
+    "clean": "rm -rf dist",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "typecheck": "tsc --noEmit",
+    "prepublishOnly": "npm run build",
+    "release": "standard-version",
+    "release:patch": "standard-version --release-as patch",
+    "release:minor": "standard-version --release-as minor",
+    "release:major": "standard-version --release-as major"
+  },
+  "publishConfig": { "access": "public" },
+  "license": "MIT",
+  "devDependencies": {
+    "@types/node": "^20.0.0",
+    "standard-version": "^9.5.0",
+    "tsx": "^4.7.0",
+    "typescript": "^5.4.0",
+    "vitest": "^1.5.0"
+  },
+  "dependencies": {
+    "@airdraft/core": "*",
+    "@airdraft/auth": "*"
+  },
+  "engines": { "node": ">=18.0.0" }
+}