@aooth/auth-moost 0.1.1

package/dist/index.mjs

@@ -0,0 +1,3347 @@
+import { AuthCredential, AuthError, generateMagicLinkToken } from "@aooth/auth";
+import { current, defineWook, eventTypeKey, key } from "@wooksjs/event-core";
+import { HttpError, useAuthorization, useCookies, useRequest, useResponse, useUrlParams } from "@wooksjs/event-http";
+import { Controller, Injectable, Intercept, Resolve, TInterceptorPriority, defineAfterInterceptor, defineBeforeInterceptor, getMoostMate, useControllerContext } from "moost";
+import { ArbacAction, ArbacResource, getArbacMate } from "@aooth/arbac-moost";
+import { Body, Get, HttpError as HttpError$1, Post } from "@moostjs/event-http";
+import { createAsHttpOutlet, extractPassContext, finishWfAborted, finishWfWithChoice, finishWfWithData, finishWfWithRedirect, handleAsOutletRequest, serializeFormSchema } from "@atscript/moost-wf";
+import { HandleStateStrategy, MoostWf, Step, WfStateStoreMemory, Workflow, WorkflowParam, WorkflowSchema, createEmailOutlet, outletEmail, outletHttp, useWfFinished } from "@moostjs/event-wf";
+import { UserAuthError, UserService, maskEmail, maskPhone, verifyTotpCode } from "@aooth/user";
+import { defineAnnotatedType, throwFeatureDisabled } from "@atscript/typescript/utils";
+//#region src/auth.config.ts
+/**
+* Resolve `AuthOptions` to its `ResolvedAuthOptions` form, applying the same
+* defaults the legacy `MoostAuthConfig` constructor did. Pure — call once per
+* `authGuardInterceptor` factory invocation; the resolved value is stashed in
+* a wook slot for the event chain.
+*/
+function resolveAuthOptions(opts = {}) {
+	const cookie = {
+		name: "aooth_session",
+		secure: true,
+		sameSite: "lax",
+		httpOnly: true,
+		path: "/",
+		...opts.cookie
+	};
+	return {
+		cookie,
+		refreshCookie: {
+			name: "aooth_refresh",
+			secure: cookie.secure,
+			sameSite: cookie.sameSite,
+			httpOnly: cookie.httpOnly,
+			...cookie.domain !== void 0 && { domain: cookie.domain },
+			path: "/auth/refresh",
+			...opts.refreshCookie
+		},
+		enableCookie: opts.enableCookie ?? true,
+		enableBearer: opts.enableBearer ?? true
+	};
+}
+//#endregion
+//#region src/auth.composables.ts
+const authContextKey = key("auth.context");
+/**
+* Slot populated by `authGuardInterceptor(opts)` on the HTTP event. Workflow
+* step events started with `start({ eventContext: current() })` inherit the
+* HTTP parent chain — `useAuth()` reads the slot transparently from inside
+* step bodies. Exported only for `auth.guard.ts`.
+*/
+const authOptionsKey = key("auth.options");
+/**
+* `sameSite` is upper-cased because wooks accepts `'Lax' | 'Strict' | 'None'`
+* while `ResolvedAuthCookieConfig` stores lower-case for ergonomics.
+*/
+function cookieAttrsFrom(c, extra) {
+	return {
+		httpOnly: c.httpOnly,
+		secure: c.secure,
+		sameSite: c.sameSite.charAt(0).toUpperCase() + c.sameSite.slice(1),
+		path: c.path,
+		domain: c.domain,
+		...extra
+	};
+}
+/**
+* Composable for accessing the current event's auth state + transport helpers.
+*
+* `defineWook` memoizes the bindings object per event so multiple calls share
+* one closure. Identity bindings (`getAuthContext`/`getUserId`/`isAuthenticated`)
+* read the `authContextKey` slot populated by `authGuardInterceptor`. The
+* remaining closures read the `authOptionsKey` slot stashed by that same
+* interceptor; calling them outside an HTTP-or-HTTP-parented event throws
+* `HttpError(500)` loudly — that's a configuration error, not a runtime
+* fallback case.
+*/
+const useAuth = defineWook((ctx) => {
+	const getAuthContext = () => {
+		if (!ctx.has(authContextKey)) return null;
+		return ctx.get(authContextKey);
+	};
+	const getUserId = () => {
+		const auth = getAuthContext();
+		if (!auth) throw new HttpError(401, "Not authenticated");
+		return auth.userId;
+	};
+	const isAuthenticated = () => getAuthContext() !== null;
+	let cachedOptions;
+	const requireOptions = () => {
+		if (cachedOptions !== void 0) return cachedOptions;
+		if (!ctx.has(authOptionsKey)) throw new HttpError(500, "useAuth(): authGuardInterceptor(opts) must be installed on the HTTP event chain");
+		cachedOptions = ctx.get(authOptionsKey);
+		return cachedOptions;
+	};
+	const extractToken = () => {
+		const options = requireOptions();
+		let token;
+		if (options.enableBearer) {
+			const auth = useAuthorization(ctx);
+			if (auth.is("bearer")) token = auth.credentials() ?? void 0;
+		}
+		if (!token && options.enableCookie) token = useCookies(ctx).getCookie(options.cookie.name) ?? void 0;
+		return token;
+	};
+	const writeCookies = (issue) => {
+		const options = requireOptions();
+		if (!options.enableCookie) return;
+		const response = useResponse(current());
+		response.setCookie(options.cookie.name, issue.accessToken, cookieAttrsFrom(options.cookie));
+		if (issue.refreshToken) response.setCookie(options.refreshCookie.name, issue.refreshToken, cookieAttrsFrom(options.refreshCookie));
+	};
+	const clearCookies = () => {
+		const options = requireOptions();
+		if (!options.enableCookie) return;
+		const response = useResponse(current());
+		response.setCookie(options.cookie.name, "", cookieAttrsFrom(options.cookie, { maxAge: 0 }));
+		response.setCookie(options.refreshCookie.name, "", cookieAttrsFrom(options.refreshCookie, { maxAge: 0 }));
+	};
+	/**
+	* With `enableBearer === false` the response shape still carries `userId` +
+	* `accessExpiresAt` so clients can schedule a silent refresh, but the tokens
+	* themselves travel only via the cookies set by `writeCookies`.
+	*/
+	const buildLoginResponseFn = (userId, issue) => {
+		const options = requireOptions();
+		return {
+			userId,
+			accessExpiresAt: issue.accessExpiresAt,
+			...issue.refreshExpiresAt !== void 0 && { refreshExpiresAt: issue.refreshExpiresAt },
+			...options.enableBearer && {
+				accessToken: issue.accessToken,
+				...issue.refreshToken && { refreshToken: issue.refreshToken }
+			}
+		};
+	};
+	/**
+	* Build the `cookies` map for `useWfFinished({ cookies })`. The outlet
+	* trigger's HTTP layer turns the entries into `Set-Cookie` headers, mirroring
+	* what `writeCookies()` does for the REST controller.
+	*/
+	const buildFinishedCookies = (issue) => {
+		const options = requireOptions();
+		if (!options.enableCookie) return void 0;
+		const cookies = { [options.cookie.name]: {
+			value: issue.accessToken,
+			options: cookieAttrsFrom(options.cookie)
+		} };
+		if (issue.refreshToken) cookies[options.refreshCookie.name] = {
+			value: issue.refreshToken,
+			options: cookieAttrsFrom(options.refreshCookie)
+		};
+		return cookies;
+	};
+	const cookieAttrs = (extra) => {
+		return cookieAttrsFrom(requireOptions().cookie, extra);
+	};
+	return {
+		getAuthContext,
+		getUserId,
+		isAuthenticated,
+		get options() {
+			return requireOptions();
+		},
+		extractToken,
+		writeCookies,
+		clearCookies,
+		buildLoginResponse: buildLoginResponseFn,
+		buildFinishedCookies,
+		cookieAttrs
+	};
+});
+/** Internal: only `authGuardInterceptor` writes the slot. */
+function setAuthContext(ctx, value) {
+	ctx.set(authContextKey, value);
+}
+//#endregion
+//#region src/auth.guard.ts
+/**
+* `GUARD`-priority interceptor factory that authenticates incoming requests.
+*
+* Returns a configured `TInterceptorDef`. Each invocation captures its own
+* resolved options and stashes them onto the HTTP event context's
+* `authOptionsKey` slot so `useAuth()` (and the workflows that depend on it)
+* can read the same transport config.
+*
+* Token extraction precedence: `Authorization: Bearer ...` wins over cookie
+* when both transports are enabled. On `@Public()` routes a missing or
+* invalid token leaves AuthContext as `null` and the handler runs anyway;
+* on protected routes it throws `HttpError(401)`.
+*
+* Never auto-refreshes — refresh is a separate REST endpoint.
+*
+* No-ops on non-HTTP event contexts (workflow steps, CLI, WS messages). The
+* guard reads tokens from HTTP headers/cookies; nothing to read elsewhere.
+* Authorization for workflow steps is the step's own responsibility (e.g.
+* an admin-only invite endpoint protects its outlet HTTP route, not the
+* step handler).
+*/
+function authGuardInterceptor(opts) {
+	const resolved = resolveAuthOptions(opts);
+	return defineBeforeInterceptor(async () => {
+		const ctx = current();
+		if (ctx.get(eventTypeKey) !== "http") return;
+		ctx.set(authOptionsKey, resolved);
+		const cc = useControllerContext(ctx);
+		const cMeta = cc.getControllerMeta();
+		const isPublic = cc.getMethodMeta()?.authPublic ?? cMeta?.authPublic ?? false;
+		const token = useAuth().extractToken();
+		if (!token) {
+			if (isPublic) {
+				setAuthContext(ctx, null);
+				return;
+			}
+			throw new HttpError(401, "Unauthorized");
+		}
+		const authContext = await (await cc.instantiate(AuthCredential)).validate(token);
+		if (!authContext) {
+			if (isPublic) {
+				setAuthContext(ctx, null);
+				return;
+			}
+			throw new HttpError(401, "Invalid credential");
+		}
+		setAuthContext(ctx, authContext);
+	}, TInterceptorPriority.GUARD);
+}
+/**
+* Decorator-factory sugar for attaching `authGuardInterceptor(opts)` to a
+* specific controller or method instead of globally. Equivalent to
+* `@Intercept(authGuardInterceptor(opts))`.
+*/
+function AuthGuarded(opts) {
+	return Intercept(authGuardInterceptor(opts));
+}
+//#endregion
+//#region src/auth.mate.ts
+function getAuthMate() {
+	return getMoostMate();
+}
+//#endregion
+//#region src/auth.decorator.ts
+/**
+* Marks a route or controller as fully public — opts out of BOTH
+* authentication (auth-moost's bearer guard) AND authorization
+* (arbac-moost's `arbacAuthorizeInterceptor`).
+*
+* `authGuardInterceptor` still runs on `@Public()` handlers — it populates the
+* AuthContext when a valid credential is presented, but does NOT throw when
+* the token is missing or invalid (the handler runs with a `null` AuthContext).
+* The ARBAC interceptor short-circuits entirely via its `isPublic` check.
+*
+* Method-level decoration overrides class-level.
+*/
+const Public = () => {
+	const auth = getAuthMate().decorate("authPublic", true);
+	const arbac = getArbacMate().decorate("arbacPublic", true);
+	return ((target, key, descriptor) => {
+		auth(target, key, descriptor);
+		arbac(target, key, descriptor);
+	});
+};
+/**
+* Resolves the authenticated user's id (string) for a handler parameter.
+*
+* Delegates to `useAuth().getUserId()`, which throws `HttpError(401)` when no
+* `AuthContext` is present in the event. There is no `@User()` counterpart —
+* `AuthContext` is credential context, not user profile data, and this library
+* does not own a user profile type.
+*/
+const UserId = () => Resolve(() => useAuth().getUserId());
+//#endregion
+//#region \0@oxc-project+runtime@0.129.0/helpers/decorateMetadata.js
+function __decorateMetadata(k, v) {
+	if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+}
+//#endregion
+//#region \0@oxc-project+runtime@0.129.0/helpers/decorate.js
+function __decorate(decorators, target, key, desc) {
+	var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+	if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+	else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+	return c > 3 && r && Object.defineProperty(target, key, r), r;
+}
+//#endregion
+//#region src/wf-trigger/provider.ts
+var _ref$4;
+let WfTriggerProvider = class WfTriggerProvider {
+	state = new HandleStateStrategy({ store: new WfStateStoreMemory() });
+	outlets = [createAsHttpOutlet()];
+	token = {
+		read: [
+			"body",
+			"query",
+			"cookie"
+		],
+		write: "body",
+		name: "wfs"
+	};
+	constructor(wf) {
+		this.wf = wf;
+	}
+	async handle(opts = {}) {
+		const wfApp = this.wf.getWfApp();
+		const deps = {
+			start: (schemaId, context, o) => wfApp.start(schemaId, context, {
+				input: o?.input,
+				eventContext: o?.eventContext ?? current()
+			}),
+			resume: (state, o) => wfApp.resume(state, {
+				input: o?.input,
+				eventContext: o?.eventContext ?? current()
+			})
+		};
+		return handleAsOutletRequest({
+			...opts.allow && { allow: opts.allow },
+			state: this.state,
+			outlets: this.outlets,
+			token: opts.token ?? this.token
+		}, deps);
+	}
+};
+WfTriggerProvider = __decorate([Injectable(), __decorateMetadata("design:paramtypes", [typeof (_ref$4 = typeof MoostWf !== "undefined" && MoostWf) === "function" ? _ref$4 : Object])], WfTriggerProvider);
+//#endregion
+//#region src/wf-trigger/decorator.ts
+/**
+* Method decorator that turns a handler into a workflow trigger.
+*
+* The handler may have an empty body — the interceptor's after-phase invokes
+* `WfTriggerProvider.handle()` when the handler returns `undefined`. Subclasses
+* that need to short-circuit (e.g. emit a custom error response) just return a
+* non-undefined value from the overridden handler and the trigger is skipped.
+*
+* The single `useControllerContext().instantiate(...)` call is the one
+* documented escape hatch: interceptors are functions, not classes, so there's
+* no ctor to inject into. Every class still uses constructor injection.
+*/
+const WfTrigger = (opts = {}) => Intercept(defineAfterInterceptor(async (response, reply) => {
+	if (await response !== void 0) return;
+	reply(await (await useControllerContext().instantiate(WfTriggerProvider)).handle(opts));
+}, TInterceptorPriority.INTERCEPTOR));
+//#endregion
+//#region \0@oxc-project+runtime@0.129.0/helpers/decorateParam.js
+function __decorateParam(paramIndex, decorator) {
+	return function(target, key) {
+		decorator(target, key, paramIndex);
+	};
+}
+//#endregion
+//#region src/auth.controller.ts
+var _ref$3;
+/** Workflows allowed by the bundled `/auth/trigger` endpoint. Subclasses override `triggerWf()` to extend. */
+const DEFAULT_AUTH_WORKFLOWS = [
+	"auth.login",
+	"auth.recovery",
+	"auth.invite"
+];
+/** Prefer an explicit body field, fall back to the refresh cookie when enabled. */
+function resolveRefreshToken(auth, body) {
+	if (typeof body?.refreshToken === "string") return body.refreshToken;
+	if (!auth.options.enableCookie) return void 0;
+	return useCookies(current()).getCookie(auth.options.refreshCookie.name) ?? void 0;
+}
+let AuthController = class AuthController {
+	constructor(auth) {
+		this.auth = auth;
+	}
+	async logout(body) {
+		const auth = useAuth();
+		if (!auth.getAuthContext()) throw new HttpError$1(401, "Not authenticated");
+		const accessToken = auth.extractToken();
+		const refreshToken = resolveRefreshToken(auth, body);
+		if (accessToken) try {
+			await this.auth.revoke(accessToken);
+		} catch {}
+		if (refreshToken) try {
+			await this.auth.revoke(refreshToken);
+		} catch {}
+		auth.clearCookies();
+		return { ok: true };
+	}
+	async refresh(body) {
+		const auth = useAuth();
+		const refreshToken = resolveRefreshToken(auth, body);
+		if (!refreshToken) throw new HttpError$1(401, "Missing refresh token");
+		let issue;
+		try {
+			issue = await this.auth.refresh(refreshToken);
+		} catch (err) {
+			if (err instanceof AuthError) throw new HttpError$1(401, "Invalid refresh token");
+			throw err;
+		}
+		auth.writeCookies(issue);
+		const validated = await this.auth.validate(issue.accessToken);
+		return auth.buildLoginResponse(validated?.userId ?? "", issue);
+	}
+	status() {
+		const auth = useAuth().getAuthContext();
+		if (!auth) throw new HttpError$1(401, "Not authenticated");
+		return auth;
+	}
+	triggerWf() {}
+};
+__decorate([
+	Post("logout"),
+	Public(),
+	__decorateParam(0, Body()),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object]),
+	__decorateMetadata("design:returntype", Promise)
+], AuthController.prototype, "logout", null);
+__decorate([
+	Post("refresh"),
+	Public(),
+	__decorateParam(0, Body()),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object]),
+	__decorateMetadata("design:returntype", Promise)
+], AuthController.prototype, "refresh", null);
+__decorate([
+	Get("status"),
+	Public(),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", []),
+	__decorateMetadata("design:returntype", Object)
+], AuthController.prototype, "status", null);
+__decorate([
+	Post("trigger"),
+	Public(),
+	WfTrigger({ allow: [...DEFAULT_AUTH_WORKFLOWS] }),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", []),
+	__decorateMetadata("design:returntype", void 0)
+], AuthController.prototype, "triggerWf", null);
+AuthController = __decorate([
+	Controller("auth"),
+	ArbacResource("auth"),
+	__decorateMetadata("design:paramtypes", [typeof (_ref$3 = typeof AuthCredential !== "undefined" && AuthCredential) === "function" ? _ref$3 : Object])
+], AuthController);
+//#endregion
+//#region src/atscript/models/forms.as.js
+var LoginCredentialsForm = class {
+	static __is_atscript_annotated_type = true;
+	static type = {};
+	static metadata = /* @__PURE__ */ new Map();
+	static id = "LoginCredentialsForm";
+	static toJsonSchema() {
+		throwFeatureDisabled("JSON Schema", "jsonSchema", "emit.jsonSchema");
+	}
+};
+var MfaCodeForm = class {
+	static __is_atscript_annotated_type = true;
+	static type = {};
+	static metadata = /* @__PURE__ */ new Map();
+	static id = "MfaCodeForm";
+	static toJsonSchema() {
+		throwFeatureDisabled("JSON Schema", "jsonSchema", "emit.jsonSchema");
+	}
+};
+var BackupCodeForm = class {
+	static __is_atscript_annotated_type = true;
+	static type = {};
+	static metadata = /* @__PURE__ */ new Map();
+	static id = "BackupCodeForm";
+	static toJsonSchema() {
+		throwFeatureDisabled("JSON Schema", "jsonSchema", "emit.jsonSchema");
+	}
+};
+var EmailIdentifierForm = class {
+	static __is_atscript_annotated_type = true;
+	static type = {};
+	static metadata = /* @__PURE__ */ new Map();
+	static id = "EmailIdentifierForm";
+	static toJsonSchema() {
+		throwFeatureDisabled("JSON Schema", "jsonSchema", "emit.jsonSchema");
+	}
+};
+var SetPasswordForm = class {
+	static __is_atscript_annotated_type = true;
+	static type = {};
+	static metadata = /* @__PURE__ */ new Map();
+	static id = "SetPasswordForm";
+	static toJsonSchema() {
+		throwFeatureDisabled("JSON Schema", "jsonSchema", "emit.jsonSchema");
+	}
+};
+var InviteForm = class {
+	static __is_atscript_annotated_type = true;
+	static type = {};
+	static metadata = /* @__PURE__ */ new Map();
+	static id = "InviteForm";
+	static toJsonSchema() {
+		throwFeatureDisabled("JSON Schema", "jsonSchema", "emit.jsonSchema");
+	}
+};
+var InviteEmailForm = class {
+	static __is_atscript_annotated_type = true;
+	static type = {};
+	static metadata = /* @__PURE__ */ new Map();
+	static id = "InviteEmailForm";
+	static toJsonSchema() {
+		throwFeatureDisabled("JSON Schema", "jsonSchema", "emit.jsonSchema");
+	}
+};
+var InviteSendModeForm = class {
+	static __is_atscript_annotated_type = true;
+	static type = {};
+	static metadata = /* @__PURE__ */ new Map();
+	static id = "InviteSendModeForm";
+	static toJsonSchema() {
+		throwFeatureDisabled("JSON Schema", "jsonSchema", "emit.jsonSchema");
+	}
+};
+var Select2faForm = class {
+	static __is_atscript_annotated_type = true;
+	static type = {};
+	static metadata = /* @__PURE__ */ new Map();
+	static id = "Select2faForm";
+	static toJsonSchema() {
+		throwFeatureDisabled("JSON Schema", "jsonSchema", "emit.jsonSchema");
+	}
+};
+var PincodeForm = class {
+	static __is_atscript_annotated_type = true;
+	static type = {};
+	static metadata = /* @__PURE__ */ new Map();
+	static id = "PincodeForm";
+	static toJsonSchema() {
+		throwFeatureDisabled("JSON Schema", "jsonSchema", "emit.jsonSchema");
+	}
+};
+var AskEmailForm = class {
+	static __is_atscript_annotated_type = true;
+	static type = {};
+	static metadata = /* @__PURE__ */ new Map();
+	static id = "AskEmailForm";
+	static toJsonSchema() {
+		throwFeatureDisabled("JSON Schema", "jsonSchema", "emit.jsonSchema");
+	}
+};
+var AskPhoneForm = class {
+	static __is_atscript_annotated_type = true;
+	static type = {};
+	static metadata = /* @__PURE__ */ new Map();
+	static id = "AskPhoneForm";
+	static toJsonSchema() {
+		throwFeatureDisabled("JSON Schema", "jsonSchema", "emit.jsonSchema");
+	}
+};
+var TermsAcceptForm = class {
+	static __is_atscript_annotated_type = true;
+	static type = {};
+	static metadata = /* @__PURE__ */ new Map();
+	static id = "TermsAcceptForm";
+	static toJsonSchema() {
+		throwFeatureDisabled("JSON Schema", "jsonSchema", "emit.jsonSchema");
+	}
+};
+var ProfileCompleteForm = class {
+	static __is_atscript_annotated_type = true;
+	static type = {};
+	static metadata = /* @__PURE__ */ new Map();
+	static id = "ProfileCompleteForm";
+	static toJsonSchema() {
+		throwFeatureDisabled("JSON Schema", "jsonSchema", "emit.jsonSchema");
+	}
+};
+var ConsentMarketingForm = class {
+	static __is_atscript_annotated_type = true;
+	static type = {};
+	static metadata = /* @__PURE__ */ new Map();
+	static id = "ConsentMarketingForm";
+	static toJsonSchema() {
+		throwFeatureDisabled("JSON Schema", "jsonSchema", "emit.jsonSchema");
+	}
+};
+var TenantSelectForm = class {
+	static __is_atscript_annotated_type = true;
+	static type = {};
+	static metadata = /* @__PURE__ */ new Map();
+	static id = "TenantSelectForm";
+	static toJsonSchema() {
+		throwFeatureDisabled("JSON Schema", "jsonSchema", "emit.jsonSchema");
+	}
+};
+var PersonaSelectForm = class {
+	static __is_atscript_annotated_type = true;
+	static type = {};
+	static metadata = /* @__PURE__ */ new Map();
+	static id = "PersonaSelectForm";
+	static toJsonSchema() {
+		throwFeatureDisabled("JSON Schema", "jsonSchema", "emit.jsonSchema");
+	}
+};
+var ConcurrencyLimitForm = class {
+	static __is_atscript_annotated_type = true;
+	static type = {};
+	static metadata = /* @__PURE__ */ new Map();
+	static id = "ConcurrencyLimitForm";
+	static toJsonSchema() {
+		throwFeatureDisabled("JSON Schema", "jsonSchema", "emit.jsonSchema");
+	}
+};
+var MagicLinkRequestForm = class {
+	static __is_atscript_annotated_type = true;
+	static type = {};
+	static metadata = /* @__PURE__ */ new Map();
+	static id = "MagicLinkRequestForm";
+	static toJsonSchema() {
+		throwFeatureDisabled("JSON Schema", "jsonSchema", "emit.jsonSchema");
+	}
+};
+var RecoveryModeSelectForm = class {
+	static __is_atscript_annotated_type = true;
+	static type = {};
+	static metadata = /* @__PURE__ */ new Map();
+	static id = "RecoveryModeSelectForm";
+	static toJsonSchema() {
+		throwFeatureDisabled("JSON Schema", "jsonSchema", "emit.jsonSchema");
+	}
+};
+var RecoveryFactorForm = class {
+	static __is_atscript_annotated_type = true;
+	static type = {};
+	static metadata = /* @__PURE__ */ new Map();
+	static id = "RecoveryFactorForm";
+	static toJsonSchema() {
+		throwFeatureDisabled("JSON Schema", "jsonSchema", "emit.jsonSchema");
+	}
+};
+defineAnnotatedType("object", LoginCredentialsForm).prop("username", defineAnnotatedType().designType("string").tags("string").annotate("ui.form.type", "text").annotate("meta.label", "Username").annotate("ui.form.autocomplete", "username").annotate("meta.required", {}).annotate("expect.minLength", { length: 1 }).$type).prop("password", defineAnnotatedType().designType("string").tags("string").annotate("ui.form.type", "password").annotate("meta.label", "Password").annotate("ui.form.autocomplete", "current-password").annotate("meta.sensitive", true).annotate("meta.required", {}).annotate("expect.minLength", { length: 1 }).$type);
+defineAnnotatedType("object", MfaCodeForm).prop("code", defineAnnotatedType().designType("string").tags("string").annotate("ui.form.type", "text").annotate("meta.label", "Verification code").annotate("ui.form.autocomplete", "one-time-code").annotate("meta.required", {}).annotate("expect.minLength", { length: 4 }).annotate("expect.maxLength", { length: 12 }).annotate("expect.pattern", { pattern: "^[0-9]+$" }, true).$type);
+defineAnnotatedType("object", BackupCodeForm).prop("code", defineAnnotatedType().designType("string").tags("string").annotate("ui.form.type", "text").annotate("meta.label", "Backup code").annotate("ui.form.autocomplete", "one-time-code").annotate("meta.required", {}).annotate("expect.minLength", { length: 4 }).annotate("expect.maxLength", { length: 32 }).annotate("expect.pattern", { pattern: "^[A-Z2-9-]+$" }, true).$type);
+defineAnnotatedType("object", EmailIdentifierForm).prop("email", defineAnnotatedType().designType("string").tags("email", "string").annotate("ui.form.type", "text").annotate("meta.label", "Email").annotate("ui.form.autocomplete", "email").annotate("meta.required", {}).annotate("expect.pattern", {
+	pattern: "^[^\\s@]+@[^\\s@]+\\.[^\\s@]+$",
+	flags: "",
+	message: "Invalid email format."
+}, true).$type).annotate("wf.context.pass", "defaults", true);
+defineAnnotatedType("object", SetPasswordForm).prop("newPassword", defineAnnotatedType().designType("string").tags("string").annotate("ui.form.type", "password").annotate("meta.label", "New password").annotate("ui.form.autocomplete", "new-password").annotate("meta.sensitive", true).annotate("meta.required", {}).annotate("expect.minLength", { length: 8 }).$type).prop("confirmPassword", defineAnnotatedType().designType("string").tags("string").annotate("ui.form.type", "password").annotate("meta.label", "Confirm password").annotate("ui.form.autocomplete", "new-password").annotate("meta.sensitive", true).annotate("meta.required", {}).annotate("expect.minLength", { length: 8 }).$type);
+defineAnnotatedType("object", InviteForm).prop("email", defineAnnotatedType().designType("string").tags("email", "string").annotate("ui.form.type", "text").annotate("meta.label", "Email").annotate("ui.form.autocomplete", "email").annotate("meta.required", {}).annotate("expect.pattern", {
+	pattern: "^[^\\s@]+@[^\\s@]+\\.[^\\s@]+$",
+	flags: "",
+	message: "Invalid email format."
+}, true).$type).prop("firstName", defineAnnotatedType().designType("string").tags("string").annotate("ui.form.type", "text").annotate("meta.label", "First name").optional().$type).prop("lastName", defineAnnotatedType().designType("string").tags("string").annotate("ui.form.type", "text").annotate("meta.label", "Last name").optional().$type).prop("roles", defineAnnotatedType("array").of(defineAnnotatedType().designType("string").tags("string").$type).annotate("ui.form.type", "select").annotate("ui.form.fn.options", "(_, _data, context) => Array.isArray(context.availableRoles) ? context.availableRoles.map(r => ({ value: r, label: r })) : []").annotate("meta.label", "Roles").optional().$type).annotate("wf.context.pass", "availableRoles", true);
+defineAnnotatedType("object", InviteEmailForm).prop("email", defineAnnotatedType().designType("string").tags("email", "string").annotate("ui.form.type", "text").annotate("meta.label", "Email").annotate("ui.form.autocomplete", "email").annotate("meta.required", {}).annotate("expect.pattern", {
+	pattern: "^[^\\s@]+@[^\\s@]+\\.[^\\s@]+$",
+	flags: "",
+	message: "Invalid email format."
+}, true).$type);
+defineAnnotatedType("object", InviteSendModeForm).prop("mode", defineAnnotatedType().designType("string").tags("string").annotate("ui.form.type", "text").annotate("meta.label", "Delivery mode").annotate("meta.required", {}).annotate("expect.pattern", { pattern: "^(email|shareableLink)$" }, true).$type);
+defineAnnotatedType("object", Select2faForm).prop("methodName", defineAnnotatedType().designType("string").tags("string").annotate("ui.form.type", "text").annotate("meta.label", "MFA method").annotate("meta.required", {}).$type).prop("saveAsDefault", defineAnnotatedType().designType("boolean").tags("boolean").annotate("ui.form.type", "checkbox").annotate("meta.label", "Save as default").optional().$type);
+defineAnnotatedType("object", PincodeForm).prop("code", defineAnnotatedType().designType("string").tags("string").annotate("ui.form.type", "text").annotate("meta.label", "Verification code").annotate("ui.form.autocomplete", "one-time-code").annotate("meta.required", {}).annotate("expect.minLength", { length: 4 }).annotate("expect.maxLength", { length: 12 }).annotate("expect.pattern", { pattern: "^[0-9]+$" }, true).$type).prop("rememberDevice", defineAnnotatedType().designType("boolean").tags("boolean").annotate("ui.form.type", "checkbox").annotate("meta.label", "Remember this device").optional().$type);
+defineAnnotatedType("object", AskEmailForm).prop("email", defineAnnotatedType().designType("string").tags("email", "string").annotate("ui.form.type", "text").annotate("meta.label", "Email").annotate("ui.form.autocomplete", "email").annotate("meta.required", {}).annotate("expect.pattern", {
+	pattern: "^[^\\s@]+@[^\\s@]+\\.[^\\s@]+$",
+	flags: "",
+	message: "Invalid email format."
+}, true).$type);
+defineAnnotatedType("object", AskPhoneForm).prop("phone", defineAnnotatedType().designType("string").tags("string").annotate("ui.form.type", "text").annotate("meta.label", "Phone (E.164)").annotate("ui.form.autocomplete", "tel").annotate("meta.required", {}).$type);
+defineAnnotatedType("object", TermsAcceptForm).prop("acceptedVersion", defineAnnotatedType().designType("string").tags("string").annotate("ui.form.type", "text").annotate("meta.label", "Accepted version").annotate("meta.required", {}).$type).prop("accepted", defineAnnotatedType().designType("boolean").tags("boolean").annotate("ui.form.type", "checkbox").annotate("meta.label", "I accept the Terms & Conditions").annotate("meta.required", {}).$type);
+defineAnnotatedType("object", ProfileCompleteForm).prop("firstName", defineAnnotatedType().designType("string").tags("string").annotate("ui.form.type", "text").annotate("meta.label", "First name").optional().$type).prop("lastName", defineAnnotatedType().designType("string").tags("string").annotate("ui.form.type", "text").annotate("meta.label", "Last name").optional().$type);
+defineAnnotatedType("object", ConsentMarketingForm).prop("optIn", defineAnnotatedType().designType("boolean").tags("boolean").annotate("ui.form.type", "checkbox").annotate("meta.label", "I would like to receive marketing emails").optional().$type);
+defineAnnotatedType("object", TenantSelectForm).prop("tenantId", defineAnnotatedType().designType("string").tags("string").annotate("ui.form.type", "text").annotate("meta.label", "Tenant").annotate("meta.required", {}).$type);
+defineAnnotatedType("object", PersonaSelectForm).prop("personaId", defineAnnotatedType().designType("string").tags("string").annotate("ui.form.type", "text").annotate("meta.label", "Persona").annotate("meta.required", {}).$type);
+defineAnnotatedType("object", ConcurrencyLimitForm).prop("action", defineAnnotatedType().designType("string").tags("string").annotate("ui.form.type", "text").annotate("meta.label", "Action").annotate("meta.required", {}).annotate("expect.pattern", { pattern: "^(logoutOthers|cancel)$" }, true).$type);
+defineAnnotatedType("object", MagicLinkRequestForm).prop("identifier", defineAnnotatedType().designType("string").tags("string").annotate("ui.form.type", "text").annotate("meta.label", "Email or username").annotate("ui.form.autocomplete", "username").annotate("meta.required", {}).$type);
+defineAnnotatedType("object", RecoveryModeSelectForm).prop("mode", defineAnnotatedType().designType("string").tags("string").annotate("ui.form.type", "text").annotate("meta.label", "Recovery method").annotate("meta.required", {}).annotate("expect.pattern", { pattern: "^(magicLink|otp)$" }, true).$type);
+defineAnnotatedType("object", RecoveryFactorForm).prop("factor", defineAnnotatedType().designType("string").tags("string").annotate("ui.form.type", "text").annotate("meta.label", "Factor").annotate("meta.required", {}).annotate("expect.pattern", { pattern: "^(phone|totp)$" }, true).$type).prop("value", defineAnnotatedType().designType("string").tags("string").annotate("ui.form.type", "text").annotate("meta.label", "Value").annotate("meta.required", {}).annotate("expect.minLength", { length: 4 }).annotate("expect.maxLength", { length: 12 }).$type);
+//#endregion
+//#region src/workflows/login.workflow.options.ts
+const DEFAULT_MFA_CODE_TTL_MS = 300 * 1e3;
+/**
+* Deep-merge defaults with the user-supplied nested pojo. Each group has its
+* own `{ ...defaults, ...input }` line — small enough that pulling in lodash
+* would be silly.
+*/
+function mergeLoginOpts(opts = {}) {
+	return {
+		alternateCredentials: {
+			forgotPassword: true,
+			signup: false,
+			magicLink: false,
+			magicLinkSkipsMfa: false,
+			magicLinkTtlMs: 30 * 6e4,
+			ssoProviders: [],
+			recoveryUrl: "/recover",
+			signupUrl: "/signup",
+			embedRecovery: false,
+			...opts.alternateCredentials
+		},
+		guards: {
+			emailVerifiedRequired: false,
+			passwordExpiry: true,
+			passwordInitial: true,
+			...opts.guards
+		},
+		enrollment: {
+			ensureEmail: false,
+			ensurePhone: false,
+			...opts.enrollment
+		},
+		mfa: {
+			enabled: true,
+			transports: [
+				"sms",
+				"email",
+				"totp"
+			],
+			backupCodes: true,
+			enrollRequired: false,
+			pincodeTtlMs: DEFAULT_MFA_CODE_TTL_MS,
+			pincodeResendTimeoutMs: 6e4,
+			pincodeLength: 6,
+			...opts.mfa
+		},
+		deviceTrust: {
+			enabled: false,
+			optIn: true,
+			cookieName: "aooth_trusted_device",
+			ttlMs: 1440 * 6e4,
+			skipsMfa: true,
+			bindsTo: "cookie",
+			...opts.deviceTrust
+		},
+		acceptance: {
+			profileCompleteRequired: false,
+			consentMarketing: false,
+			...opts.acceptance
+		},
+		multiContext: {
+			tenantSelect: false,
+			personaSelect: false,
+			...opts.multiContext
+		},
+		sessionPolicy: { ...opts.sessionPolicy },
+		finalize: {
+			auditLogin: true,
+			notifyNewDevice: false,
+			redirect: false,
+			...opts.finalize
+		},
+		forms: {
+			askEmail: AskEmailForm,
+			askPhone: AskPhoneForm,
+			backupCode: BackupCodeForm,
+			concurrencyLimit: ConcurrencyLimitForm,
+			consentMarketing: ConsentMarketingForm,
+			loginCredentials: LoginCredentialsForm,
+			mfaCode: MfaCodeForm,
+			personaSelect: PersonaSelectForm,
+			pincode: PincodeForm,
+			profileComplete: ProfileCompleteForm,
+			select2fa: Select2faForm,
+			setPassword: SetPasswordForm,
+			tenantSelect: TenantSelectForm,
+			termsAccept: TermsAcceptForm,
+			...opts.forms
+		}
+	};
+}
+//#endregion
+//#region src/workflows/wf-helpers.ts
+/**
+* Internal helpers for the three auth workflows.
+*
+* Co-locates two patterns the @atscript/moost-wf reference docs tell consumers
+* to copy into their own projects (`httpInputRequired` + `validateFormInput`)
+* with auth-specific glue for the password-set error translation.
+*
+* Cookie + finished-response building lives on `useAuth()` (see
+* `auth.composables.ts`) so it shares the same resolved options the guard
+* stashed onto the HTTP event chain.
+*/
+/**
+* Special error keys:
+*   - `__form` — top-level form-wide error (e.g. "Invalid credentials").
+*   - everything else — keyed by field path.
+*/
+function httpInputRequired(type, wfContext, errors) {
+	const context = { ...extractPassContext(type, wfContext) };
+	if (errors) context.errors = errors;
+	return outletHttp(serializeFormSchema(type), context);
+}
+/**
+* Returns `null` when valid, or a flat `field → message` map. Top-level errors
+* land on `__form`. `partial: 'deep'` validates only the fields the caller
+* supplied (action-with-data submits).
+*/
+function validateFormInput(type, input, opts = {}) {
+	const validator = type.validator({
+		unknownProps: "strip",
+		...opts.partial === "deep" && { partial: "deep" }
+	});
+	try {
+		validator.validate(input);
+		return null;
+	} catch (err) {
+		if (err !== null && typeof err === "object" && "errors" in err && Array.isArray(err.errors)) {
+			const out = {};
+			for (const e of err.errors) out[e.path || "__form"] = e.message;
+			return out;
+		}
+		throw err;
+	}
+}
+/**
+* Translate password-mutation errors from `UserService.setPassword` /
+* `createUser` into the matching HTTP status. Mirrors `translatePasswordError`
+* in `auth.controller.ts`; kept here so workflow steps don't import from the
+* controller module. All `UserAuthError` shapes from a set-password call are
+* client-side (policy / history / mismatch), so they collapse to 400.
+*/
+function translatePasswordSetError(err) {
+	if (err instanceof UserAuthError) throw new HttpError$1(400, err.message);
+	throw err;
+}
+/**
+* Asserts `ctx.username` is populated. Workflow steps reach for `ctx.username`
+* after `credentials`/`init` has set it; losing it indicates a workflow-state
+* bug, not a client error. Throws `HttpError(500)` on miss; otherwise narrows
+* the field to `string` for the caller via `asserts`.
+*/
+function requireUsername(ctx) {
+	if (!ctx.username) throw new HttpError$1(500, "Workflow state corrupted: missing username");
+}
+/** Mint a numeric pincode of the requested length using Math.random — fine for OTPs. */
+function generatePincode$1(length) {
+	let out = "";
+	for (let i = 0; i < length; i++) out += Math.floor(Math.random() * 10).toString();
+	return out;
+}
+/**
+* Mint a pincode + its expiry onto `ctx.pin` / `ctx.pinExpire`. Returns the
+* code so the caller can hand it to the delivery transport.
+*/
+function mintPin$1(ctx, length, ttlMs) {
+	const code = generatePincode$1(length);
+	ctx.pin = code;
+	ctx.pinExpire = Date.now() + ttlMs;
+	return code;
+}
+/**
+* Verify a submitted pincode against `ctx.pin`. Returns a `{ code: '…' }`
+* error map on expired/invalid, or `null` on success. Callers wrap with
+* `httpInputRequired(PincodeForm, ctx, …)` to render.
+*/
+function verifyPin$1(ctx, submitted) {
+	if (!ctx.pin || !ctx.pinExpire || Date.now() > ctx.pinExpire) return { code: "Code expired" };
+	if (submitted !== ctx.pin) return { code: "Invalid code" };
+	return null;
+}
+/**
+* Resolve the client IP from the active HTTP request, swallowing the case
+* where there is no HTTP context (unit tests that hand-roll the wf runtime).
+*/
+function resolveClientIp() {
+	try {
+		return useRequest(current()).getIp?.() || void 0;
+	} catch {
+		return;
+	}
+}
+//#endregion
+//#region src/workflows/login.workflow.ts
+/**
+* LoginWorkflow — `wfid = 'auth.login'`.
+*
+* Full step catalog per `WF_LOGIN.md`. Every advanced step is gated by the
+* matching `LoginWorkflowOpts` flag so the default-opts flow matches today's
+* "credentials → optional totp MFA → issue tokens" behaviour with no surprise
+* prompts.
+*
+* **Step routing model.** Phase 1's `credentials` step is the main happy
+* path. Alternate credential paths (`magicLink*`, `passkey`, `ssoCallback`)
+* are stubs that throw `HttpError(501)` — the brief allows ships-as-stub for
+* these. Channel-enrollment loops (`ensureEmail` / `ensurePhone`) are a
+* single-pass ask-and-verify per the brief, since moost-wf does not provide
+* a clean "loop while" primitive at the @WorkflowSchema level.
+*
+* **Alt-action delivery.** Form payloads carry `action?: string` alongside
+* the regular form fields. Each form-bearing step inspects `input.action`
+* for routing rather than wiring `@AltAction()` (the existing trigger
+* controller does not call `useWfAction().setAction()`).
+*
+* **Consumer subclass pattern (Phase 2 reshape).** Consumers subclass
+* `LoginWorkflow` to override `protected` hook methods. The subclass MUST
+* re-apply `@Inherit() @Injectable('FOR_EVENT') @Controller()` and re-declare
+* the constructor signature (TS emits fresh design-paramtypes per class).
+*
+* **Side-effect deps as protected methods (this reshape).** The four
+* optional sender/store/emitter DI providers (EmailSender, SmsSender,
+* DeviceTrustStore, AuditEmitter) have been DROPPED from the constructor.
+* Side-effecting hooks live as `protected` methods consumers override:
+*
+*   - `deliver(payload)` — unified email + SMS dispatch. Default throws
+*     `Error("deliver() not configured …")`; override to wire your senders.
+*   - `audit(event)` — fire audit events. Default: no-op.
+*   - `loadTrustedDevice(userId, token, ip?)` — return `true` to grant
+*     trust. Default: delegates to `UserService.verifyTrustedDevice`.
+*   - `storeTrustedDevice(userId, record)` — persist a freshly issued trust
+*     record. Default: delegates to `UserService.addTrustedDevice`.
+*   - `revokeTrustedDevice(userId, token)` — remove a trust record.
+*     Default: delegates to `UserService.revokeTrustedDevice`.
+*
+* Validation of senders is now INHERENT — the first `deliver()` invocation
+* without an override throws. Boot-time "X required when Y enabled" checks
+* are gone for sender/store/emitter; only data-validity checks remain.
+*/
+var _ref$2, _ref2$2;
+function mfaKindOf(methodName) {
+	if (methodName === "sms" || methodName === "email" || methodName === "totp") return methodName;
+	return null;
+}
+/**
+* Sentinel returned by alt-action handlers that have already short-circuited
+* the step (via `useWfFinished().set(...)` or by mutating ctx to drive the
+* next iteration). The step body re-returns `undefined` after seeing this so
+* the schema advances without running form validation against the alt-action
+* payload (which lacks the form's required fields).
+*/
+const ALT_HANDLED$2 = Symbol("ALT_HANDLED");
+/** Mint a numeric pincode of the requested length using Math.random — fine for OTPs. */
+function generatePincode(length) {
+	let out = "";
+	for (let i = 0; i < length; i++) out += Math.floor(Math.random() * 10).toString();
+	return out;
+}
+/**
+* Mint and stash a fresh pincode + its expiry on `ctx`. Returns the code so
+* the caller can hand it to the delivery transport.
+*/
+function mintPin(ctx, length, ttlMs) {
+	const code = generatePincode(length);
+	ctx.pin = code;
+	ctx.pinExpire = Date.now() + ttlMs;
+	return code;
+}
+/**
+* Verify a submitted pincode against the one stashed on `ctx`. Returns a
+* `{ code: '…' }` error map when expired/invalid, or `null` on success.
+* Callers wrap with `httpInputRequired(PincodeForm, ctx, …)` to render.
+*/
+function verifyPin(ctx, submitted) {
+	if (!ctx.pin || !ctx.pinExpire || Date.now() > ctx.pinExpire) return { code: "Code expired" };
+	if (submitted !== ctx.pin) return { code: "Invalid code" };
+	return null;
+}
+/**
+* Construction-time invariants for DATA validity only. Sender/store/emitter
+* absence is no longer checked — those default to fail-loud (`deliver()`) or
+* no-op (`audit()`, `loadTrustedDevice()`) protected methods that consumers
+* override.
+*/
+function validateOpts$1(opts) {
+	if (opts.mfa.enabled && opts.mfa.transports.length === 0) throw new Error("LoginWorkflow: mfa.transports cannot be empty when mfa.enabled is true");
+}
+let LoginWorkflow = class LoginWorkflow {
+	opts;
+	users;
+	auth;
+	constructor(opts, users, auth) {
+		this.opts = mergeLoginOpts(opts);
+		this.users = users;
+		this.auth = auth;
+		validateOpts$1(this.opts);
+	}
+	/**
+	* Dispatch an email or SMS event. Default throws — consumers MUST override
+	* if any feature that emits is enabled (MFA pincode, ensureEmail/Phone OTP,
+	* notifyNewDevice). The throw surfaces at the HTTP layer as 500 on the
+	* first event that triggers a send, which is the fail-loud signal.
+	*/
+	async deliver(_payload) {
+		throw new Error("LoginWorkflow.deliver() not configured — override to wire your email/sms sender");
+	}
+	/**
+	* Emit an audit event. Default: no-op. Consumers override to fan out to
+	* their audit sink (DB table, log file, Kafka topic, …).
+	*/
+	async audit(_event) {}
+	/**
+	* Verify whether a presented trust-cookie token belongs to `userId` and is
+	* still valid. Default: delegates to `UserService.verifyTrustedDevice`
+	* (HMAC + persisted record + expiry + IP-binding). Override to use a
+	* different trust backend.
+	*/
+	async loadTrustedDevice(userId, token, ip) {
+		return this.users.verifyTrustedDevice(userId, token, ip);
+	}
+	/**
+	* Persist a freshly-issued trust record. Default: delegates to
+	* `UserService.addTrustedDevice` — the record is appended to the user's
+	* `trustedDevices` array on the user store. `userId` is the username the
+	* record belongs to (passed alongside since `TrustedDeviceRecord` itself
+	* carries no user identifier).
+	*/
+	async storeTrustedDevice(userId, record) {
+		await this.users.addTrustedDevice(userId, record);
+	}
+	/**
+	* Revoke a trust record. Default: delegates to
+	* `UserService.revokeTrustedDevice`. Currently unused by the workflow's own
+	* happy path but exposed so consumers can call it from their own "sign out
+	* everywhere" flows for symmetry with `storeTrustedDevice`.
+	*/
+	async revokeTrustedDevice(userId, token) {
+		await this.users.revokeTrustedDevice(userId, token);
+	}
+	/**
+	* Mint a new device-trust record + cookie value. Default: delegates to
+	* `UserService.issueTrustedDevice` — produces an HMAC-signed token bound to
+	* `userId` (+ `ip` when `bindsTo === 'cookie+ip'`). Consumers running
+	* multiple instances typically override `loadTrustedDevice`/
+	* `storeTrustedDevice` against Redis but keep this default.
+	*/
+	async issueTrustedDevice(userId, ip, ttlMs) {
+		return this.users.issueTrustedDevice(userId, {
+			ttlMs,
+			...ip !== void 0 && { ip }
+		});
+	}
+	flow() {}
+	init(ctx) {
+		ctx.opts = this.snapshotOpts(this.opts);
+	}
+	/**
+	* Returns the JSON-safe projection of `opts` stashed onto `ctx` for schema
+	* conditions to read. Default: drop the `forms` group (atscript form classes
+	* are not plain JSON) so `AsWfStore`'s plain-JSON persistence doesn't choke.
+	* Step bodies still consult the form classes via `this.opts.forms.*`.
+	*
+	* Consumers who put non-JSON values on `opts` (e.g. by extending the type)
+	* can override this to strip them.
+	*/
+	snapshotOpts(opts) {
+		const { forms: _forms, ...rest } = opts;
+		return rest;
+	}
+	async credentials(input, ctx) {
+		if (!input) return httpInputRequired(this.opts.forms.loginCredentials, ctx);
+		if (input.action) {
+			if (this.handleCredentialsAlt(input.action, input.username) === ALT_HANDLED$2) return void 0;
+		}
+		const errors = validateFormInput(this.opts.forms.loginCredentials, input);
+		if (errors) return httpInputRequired(this.opts.forms.loginCredentials, ctx, errors);
+		try {
+			const result = await this.users.login(input.username, input.password);
+			ctx.username = result.user.username;
+			ctx.mfaRequired = result.mfaRequired;
+			if (this.opts.guards.passwordInitial && result.user.password.isInitial) ctx.isPasswordInitial = true;
+			const email = result.user.mfa.methods.find((m) => m.name === "email" && m.confirmed);
+			if (email) {
+				ctx.email = email.value;
+				ctx.emailConfirmed = true;
+			}
+			const phone = result.user.mfa.methods.find((m) => m.name === "sms" && m.confirmed);
+			if (phone) {
+				ctx.phone = phone.value;
+				ctx.phoneConfirmed = true;
+			}
+		} catch (err) {
+			if (err instanceof UserAuthError) {
+				if (err.type === "LOCKED") throw new HttpError$1(423, "Account locked");
+				return httpInputRequired(this.opts.forms.loginCredentials, ctx, { __form: "Invalid credentials" });
+			}
+			throw err;
+		}
+	}
+	handleCredentialsAlt(action, typedUsername) {
+		const alt = this.opts.alternateCredentials;
+		if (action === "forgotPassword" && alt.forgotPassword) {
+			finishWfWithRedirect(this.buildRecoveryUrl(typedUsername), { reason: "forgot-password" });
+			return ALT_HANDLED$2;
+		}
+		if (action === "signup" && alt.signup) {
+			finishWfWithRedirect(alt.signupUrl, { reason: "signup" });
+			return ALT_HANDLED$2;
+		}
+		if (action === "magicLink" && alt.magicLink) throw new HttpError$1(501, "Magic-link login path not implemented in this version");
+		const sso = alt.ssoProviders.find((p) => p.id === action);
+		if (sso) {
+			finishWfWithRedirect(sso.url, { reason: `sso-${sso.id}` });
+			return ALT_HANDLED$2;
+		}
+	}
+	/**
+	* Builds the redirect URL the `forgotPassword` alt-action navigates to.
+	* Receives whatever the user typed into the username field so the recovery
+	* page can pre-fill it. Default:
+	* `${alternateCredentials.recoveryUrl}?username=${encodeURIComponent(username ?? '')}`.
+	*/
+	buildRecoveryUrl(username) {
+		return `${this.opts.alternateCredentials.recoveryUrl}?username=${encodeURIComponent(username ?? "")}`;
+	}
+	magicLinkRequest() {
+		throw new HttpError$1(501, "magicLinkRequest step not implemented");
+	}
+	magicLinkSend() {
+		throw new HttpError$1(501, "magicLinkSend step not implemented");
+	}
+	magicLinkVerified() {
+		throw new HttpError$1(501, "magicLinkVerified step not implemented");
+	}
+	passkey() {
+		throw new HttpError$1(501, "passkey step not implemented");
+	}
+	ssoCallback() {
+		throw new HttpError$1(501, "ssoCallback step not implemented");
+	}
+	async ensureEmail(input, ctx) {
+		requireUsername(ctx);
+		if (!ctx.email) {
+			if (!input?.email) return httpInputRequired(this.opts.forms.askEmail, ctx);
+			const errors = validateFormInput(this.opts.forms.askEmail, input);
+			if (errors) return httpInputRequired(this.opts.forms.askEmail, ctx, errors);
+			await this.users.addMfaMethod(ctx.username, {
+				name: "email",
+				value: input.email,
+				confirmed: false
+			});
+			ctx.email = input.email;
+			const code = mintPin(ctx, this.opts.mfa.pincodeLength, this.opts.mfa.pincodeTtlMs);
+			await this.deliver({
+				channel: "email",
+				kind: "login.pincode",
+				recipient: input.email,
+				code,
+				expiresAt: ctx.pinExpire
+			});
+			return httpInputRequired(this.opts.forms.pincode, ctx);
+		}
+		if (!input?.code) return httpInputRequired(this.opts.forms.pincode, ctx);
+		const errors = validateFormInput(this.opts.forms.pincode, input);
+		if (errors) return httpInputRequired(this.opts.forms.pincode, ctx, errors);
+		const pinErr = verifyPin(ctx, input.code);
+		if (pinErr) return httpInputRequired(this.opts.forms.pincode, ctx, pinErr);
+		await this.users.confirmMfaMethod(ctx.username, "email");
+		ctx.emailConfirmed = true;
+		ctx.pin = void 0;
+		ctx.pinExpire = void 0;
+	}
+	async ensurePhone(input, ctx) {
+		requireUsername(ctx);
+		if (!ctx.phone) {
+			if (!input?.phone) return httpInputRequired(this.opts.forms.askPhone, ctx);
+			const errors = validateFormInput(this.opts.forms.askPhone, input);
+			if (errors) return httpInputRequired(this.opts.forms.askPhone, ctx, errors);
+			await this.users.addMfaMethod(ctx.username, {
+				name: "sms",
+				value: input.phone,
+				confirmed: false
+			});
+			ctx.phone = input.phone;
+			const code = mintPin(ctx, this.opts.mfa.pincodeLength, this.opts.mfa.pincodeTtlMs);
+			await this.deliver({
+				channel: "sms",
+				kind: "login.pincode",
+				recipient: input.phone,
+				code,
+				ttlMs: this.opts.mfa.pincodeTtlMs,
+				userId: ctx.username
+			});
+			return httpInputRequired(this.opts.forms.pincode, ctx);
+		}
+		if (!input?.code) return httpInputRequired(this.opts.forms.pincode, ctx);
+		const errors = validateFormInput(this.opts.forms.pincode, input);
+		if (errors) return httpInputRequired(this.opts.forms.pincode, ctx, errors);
+		const pinErr = verifyPin(ctx, input.code);
+		if (pinErr) return httpInputRequired(this.opts.forms.pincode, ctx, pinErr);
+		await this.users.confirmMfaMethod(ctx.username, "sms");
+		ctx.phoneConfirmed = true;
+		ctx.pin = void 0;
+		ctx.pinExpire = void 0;
+	}
+	async checkTrustedDevice(ctx) {
+		if (!ctx.username) return void 0;
+		const cookieValue = useCookies(current()).getCookie(this.opts.deviceTrust.cookieName);
+		if (!cookieValue) {
+			ctx.newDevice = true;
+			return;
+		}
+		const ip = this.opts.deviceTrust.bindsTo === "cookie+ip" ? this.resolveClientIp() : void 0;
+		if (await this.loadTrustedDevice(ctx.username, cookieValue, ip)) {
+			ctx.mfaChecked = true;
+			ctx.deviceTrustToken = cookieValue;
+		} else ctx.newDevice = true;
+	}
+	async prepareMfaOptions(ctx) {
+		if (!ctx.username) return void 0;
+		const user = await this.users.getUser(ctx.username);
+		const allowed = new Set(this.opts.mfa.transports);
+		const summary = this.users.getAvailableMfaMethods(user.mfa).filter((m) => {
+			const kind = mfaKindOf(m.name);
+			return kind !== null && allowed.has(kind);
+		}).map((m) => {
+			return {
+				kind: mfaKindOf(m.name),
+				methodName: m.name,
+				masked: m.masked,
+				isDefault: m.isDefault
+			};
+		});
+		ctx.mfaEnrolledMethods = summary;
+		if (summary.length === 0) {
+			ctx.mfaChecked = true;
+			return;
+		}
+		if (summary.length === 1) {
+			ctx.mfaMethod = summary[0].kind;
+			return;
+		}
+		if (!ctx.ignoreMfaDefault) {
+			const def = summary.find((m) => m.isDefault);
+			if (def) ctx.mfaMethod = def.kind;
+		}
+	}
+	async select2fa(input, ctx) {
+		if (!input) return httpInputRequired(this.opts.forms.select2fa, ctx);
+		if (input.action === "useBackupCode" && this.opts.mfa.backupCodes) return this.handleBackupCode(input.code ? { code: input.code } : void 0, ctx);
+		const errors = validateFormInput(this.opts.forms.select2fa, input);
+		if (errors) return httpInputRequired(this.opts.forms.select2fa, ctx, errors);
+		const picked = (ctx.mfaEnrolledMethods ?? []).find((m) => m.methodName === input.methodName);
+		if (!picked) return httpInputRequired(this.opts.forms.select2fa, ctx, { methodName: "Unknown MFA method" });
+		ctx.mfaMethod = picked.kind;
+		ctx.mfaSaveAsDefault = Boolean(input.saveAsDefault);
+		if (ctx.mfaSaveAsDefault && ctx.username) await this.users.setDefaultMfaMethod(ctx.username, picked.methodName);
+	}
+	async pincodeSendLogin(ctx) {
+		if (!ctx.username || !ctx.mfaMethod) return void 0;
+		const summary = (ctx.mfaEnrolledMethods ?? []).find((m) => m.kind === ctx.mfaMethod);
+		if (!summary) throw new HttpError$1(500, "Workflow state corrupted: missing mfa method");
+		const method = (await this.users.getUser(ctx.username)).mfa.methods.find((m) => m.name === summary.methodName && m.confirmed);
+		if (!method) throw new HttpError$1(500, "MFA method no longer present");
+		const code = mintPin(ctx, this.opts.mfa.pincodeLength, this.opts.mfa.pincodeTtlMs);
+		ctx.pinTimeout = Date.now() + this.opts.mfa.pincodeResendTimeoutMs;
+		if (ctx.mfaMethod === "email") {
+			ctx.pinSentTo = maskEmail(method.value);
+			await this.deliver({
+				channel: "email",
+				kind: "login.pincode",
+				recipient: method.value,
+				code,
+				expiresAt: ctx.pinExpire,
+				userId: ctx.username
+			});
+		} else if (ctx.mfaMethod === "sms") {
+			ctx.pinSentTo = maskPhone(method.value);
+			await this.deliver({
+				channel: "sms",
+				kind: "login.pincode",
+				recipient: method.value,
+				code,
+				ttlMs: this.opts.mfa.pincodeTtlMs,
+				userId: ctx.username
+			});
+		}
+	}
+	async pincodeCheckLogin(input, ctx) {
+		if (!input) return httpInputRequired(this.opts.forms.pincode, ctx);
+		if (input.action === "resend") {
+			if (ctx.pinTimeout && Date.now() < ctx.pinTimeout) {
+				const waitSec = Math.ceil((ctx.pinTimeout - Date.now()) / 1e3);
+				return httpInputRequired(this.opts.forms.pincode, ctx, { __form: `Please wait ${waitSec}s` });
+			}
+			ctx.pin = void 0;
+			ctx.pinExpire = void 0;
+			return httpInputRequired(this.opts.forms.pincode, ctx, { __form: "Code resent" });
+		}
+		if (input.action === "useDifferentMethod") {
+			ctx.ignoreMfaDefault = true;
+			ctx.mfaMethod = void 0;
+			ctx.pin = void 0;
+			ctx.pinExpire = void 0;
+			return;
+		}
+		if (input.action === "useBackupCode" && this.opts.mfa.backupCodes) return this.handleBackupCode(input.code ? { code: input.code } : void 0, ctx);
+		const errors = validateFormInput(this.opts.forms.pincode, input);
+		if (errors) return httpInputRequired(this.opts.forms.pincode, ctx, errors);
+		const pinErr = verifyPin(ctx, input.code);
+		if (pinErr) return httpInputRequired(this.opts.forms.pincode, ctx, pinErr);
+		ctx.mfaChecked = true;
+		ctx.riskStepUpEvaluated = false;
+		if (this.opts.deviceTrust.enabled && this.opts.deviceTrust.optIn) ctx.rememberDevice = Boolean(input.rememberDevice);
+	}
+	async mfaTotp(input, ctx) {
+		if (!input) return httpInputRequired(this.opts.forms.mfaCode, ctx);
+		if (input.action === "useDifferentMethod") {
+			ctx.ignoreMfaDefault = true;
+			ctx.mfaMethod = void 0;
+			return;
+		}
+		if (input.action === "useBackupCode" && this.opts.mfa.backupCodes) return this.handleBackupCode(input.code ? { code: input.code } : void 0, ctx);
+		const errors = validateFormInput(this.opts.forms.mfaCode, input);
+		if (errors) return httpInputRequired(this.opts.forms.mfaCode, ctx, errors);
+		requireUsername(ctx);
+		try {
+			await this.users.verifyMfa(ctx.username, input.code);
+			ctx.mfaChecked = true;
+			ctx.riskStepUpEvaluated = false;
+			if (this.opts.deviceTrust.enabled && this.opts.deviceTrust.optIn) ctx.rememberDevice = Boolean(input.rememberDevice);
+		} catch (err) {
+			if (err instanceof UserAuthError) {
+				if (err.type === "LOCKED") throw new HttpError$1(423, "Account locked");
+				if (err.type === "INACTIVE") throw new HttpError$1(401, "Invalid credentials");
+				if (err.type === "MFA_NOT_CONFIGURED") throw new HttpError$1(400, "No TOTP MFA configured");
+				if (err.type === "MFA_INVALID") {
+					if (err.details?.lockEnds !== void 0) throw new HttpError$1(423, "Account locked");
+					return httpInputRequired(this.opts.forms.mfaCode, ctx, { code: "Invalid code" });
+				}
+			}
+			throw err;
+		}
+	}
+	/**
+	* Backup-code alt-action handler shared by `select2fa`, `pincode-check-login`,
+	* and `mfa-totp`. Validates against `BackupCodeForm` (alphanumeric +
+	* hyphen-grouped — `MfaCodeForm` is digits-only and rejects backup codes
+	* produced by `UserService.generateBackupCodes`).
+	*/
+	async handleBackupCode(input, ctx) {
+		if (!input) return httpInputRequired(this.opts.forms.backupCode, ctx);
+		const errors = validateFormInput(this.opts.forms.backupCode, input);
+		if (errors) return httpInputRequired(this.opts.forms.backupCode, ctx, errors);
+		requireUsername(ctx);
+		if (!await this.users.consumeBackupCode(ctx.username, input.code)) return httpInputRequired(this.opts.forms.backupCode, ctx, { code: "Invalid backup code" });
+		ctx.mfaChecked = true;
+		ctx.riskStepUpEvaluated = false;
+	}
+	mfaEnrollRequired() {
+		throw new HttpError$1(501, "mfa-enroll-required step not implemented");
+	}
+	async deviceTrust(ctx) {
+		if (!ctx.username) return void 0;
+		const ip = this.opts.deviceTrust.bindsTo === "cookie+ip" ? this.resolveClientIp() : void 0;
+		const record = await this.issueTrustedDevice(ctx.username, ip, this.opts.deviceTrust.ttlMs);
+		await this.storeTrustedDevice(ctx.username, record);
+		ctx.deviceTrustToken = record.token;
+		useResponse(current()).setCookie(this.opts.deviceTrust.cookieName, record.token, useAuth().cookieAttrs({ maxAge: this.opts.deviceTrust.ttlMs / 1e3 }));
+	}
+	preparePasswordRules(ctx) {
+		ctx.passwordPolicies = this.users.getTransferablePolicies();
+	}
+	async createPasswordForm(input, ctx) {
+		if (!input) return httpInputRequired(this.opts.forms.setPassword, ctx);
+		if (input.action === "logout") {
+			finishWfAborted("logout", { message: {
+				level: "info",
+				text: "Signed out."
+			} });
+			ctx.aborted = true;
+			return;
+		}
+		const errors = validateFormInput(this.opts.forms.setPassword, input);
+		if (errors) return httpInputRequired(this.opts.forms.setPassword, ctx, errors);
+		if (input.newPassword !== input.confirmPassword) return httpInputRequired(this.opts.forms.setPassword, ctx, { confirmPassword: "Passwords do not match" });
+		requireUsername(ctx);
+		try {
+			await this.users.setPassword(ctx.username, input.newPassword);
+		} catch (err) {
+			translatePasswordSetError(err);
+		}
+		ctx.passwordChanged = true;
+		ctx.isPasswordInitial = false;
+	}
+	async termsAccept(input, ctx) {
+		if (!input) return httpInputRequired(this.opts.forms.termsAccept, ctx);
+		if (input.action === "decline") {
+			finishWfAborted("termsDeclined", { message: {
+				level: "info",
+				text: "You must accept to continue"
+			} });
+			ctx.aborted = true;
+			return;
+		}
+		const errors = validateFormInput(this.opts.forms.termsAccept, input);
+		if (errors) return httpInputRequired(this.opts.forms.termsAccept, ctx, errors);
+		if (input.accepted !== true) return httpInputRequired(this.opts.forms.termsAccept, ctx, { accepted: "You must accept the terms" });
+		if (input.acceptedVersion !== this.opts.acceptance.termsVersion) return httpInputRequired(this.opts.forms.termsAccept, ctx, { acceptedVersion: "Version mismatch — please retry" });
+		ctx.termsAcceptedVersion = input.acceptedVersion;
+		ctx.termsAcceptedDone = true;
+	}
+	async profileComplete(input, ctx) {
+		const form = this.opts.forms.profileComplete;
+		if (!input) return httpInputRequired(form, ctx);
+		const errors = validateFormInput(form, input, { partial: "deep" });
+		if (errors) return httpInputRequired(form, ctx, errors);
+		requireUsername(ctx);
+		await this.applyProfile(ctx.username, input);
+		ctx.profileApplied = true;
+	}
+	/**
+	* Persists the profile-complete payload onto the user record. Default:
+	* no-op (the workflow records the form was submitted but writes nothing).
+	* Consumers override to write into their user store.
+	*/
+	async applyProfile(_username, _payload) {}
+	async consentMarketing(input, ctx) {
+		if (!input) return httpInputRequired(this.opts.forms.consentMarketing, ctx);
+		requireUsername(ctx);
+		await this.applyConsentMarketing(ctx.username, Boolean(input.optIn));
+		ctx.consentApplied = true;
+	}
+	/**
+	* Persists the marketing consent decision. Default: no-op.
+	*/
+	async applyConsentMarketing(_username, _optIn) {}
+	async tenantSelect(input, ctx) {
+		if (!ctx.availableTenants && ctx.username) ctx.availableTenants = await this.loadTenants(ctx.username);
+		if (!input) return httpInputRequired(this.opts.forms.tenantSelect, ctx);
+		const errors = validateFormInput(this.opts.forms.tenantSelect, input);
+		if (errors) return httpInputRequired(this.opts.forms.tenantSelect, ctx, errors);
+		if (!(ctx.availableTenants ?? []).some((t) => t.id === input.tenantId)) return httpInputRequired(this.opts.forms.tenantSelect, ctx, { tenantId: "Unknown tenant" });
+		ctx.selectedTenantId = input.tenantId;
+	}
+	/**
+	* Resolves the user's available tenants. Default: empty array. Consumers
+	* who enable `multiContext.tenantSelect` must override this to return the
+	* tenants the user belongs to.
+	*/
+	async loadTenants(_username) {
+		return [];
+	}
+	async personaSelect(input, ctx) {
+		if (!ctx.availablePersonas && ctx.username) ctx.availablePersonas = await this.loadPersonas(ctx.username);
+		if (!input) return httpInputRequired(this.opts.forms.personaSelect, ctx);
+		const errors = validateFormInput(this.opts.forms.personaSelect, input);
+		if (errors) return httpInputRequired(this.opts.forms.personaSelect, ctx, errors);
+		if (!(ctx.availablePersonas ?? []).some((p) => p.id === input.personaId)) return httpInputRequired(this.opts.forms.personaSelect, ctx, { personaId: "Unknown persona" });
+		ctx.selectedPersonaId = input.personaId;
+	}
+	/**
+	* Resolves the user's available personas. Default: empty array. Consumers
+	* who enable `multiContext.personaSelect` must override this.
+	*/
+	async loadPersonas(_username) {
+		return [];
+	}
+	async concurrencyLimit(input, ctx) {
+		const cfg = this.opts.sessionPolicy.concurrencyLimit;
+		if (!cfg) return void 0;
+		if (cfg.onLimit === "reject") throw new HttpError$1(429, "Session limit reached");
+		if (!input) return httpInputRequired(this.opts.forms.concurrencyLimit, ctx);
+		if (input.action === "cancel") {
+			finishWfAborted("sessionLimit", { message: {
+				level: "warn",
+				text: "Concurrent session limit reached."
+			} });
+			ctx.aborted = true;
+			return;
+		}
+		const errors = validateFormInput(this.opts.forms.concurrencyLimit, input);
+		if (errors) return httpInputRequired(this.opts.forms.concurrencyLimit, ctx, errors);
+		if (input.action === "logoutOthers" && ctx.username) await this.logoutOtherSessions(ctx.username);
+	}
+	/**
+	* Implements the "log out other sessions" branch of `sessionPolicy.concurrencyLimit`.
+	* Default: no-op. Consumers override to revoke sessions in their auth store.
+	*/
+	async logoutOtherSessions(_username) {}
+	async riskStepUp(ctx) {
+		ctx.riskStepUpEvaluated = true;
+		const res = await this.assessRiskStepUp(ctx);
+		if (res.require) {
+			ctx.riskStepUpReason = res.reason ?? "additional verification required";
+			ctx.mfaChecked = false;
+			delete ctx.pin;
+			delete ctx.pinExpire;
+		} else delete ctx.riskStepUpReason;
+	}
+	/**
+	* Risk-step-up assessor. Default: never requires an extra factor. Consumers
+	* override to inspect ctx (IP, geo, time since last login, etc.) and return
+	* `{require: true, reason: '…'}` to force an additional MFA round.
+	*/
+	async assessRiskStepUp(_ctx) {
+		return { require: false };
+	}
+	async issue(ctx) {
+		requireUsername(ctx);
+		const issue = await this.auth.issue(ctx.username);
+		ctx.tokensIssued = true;
+		const auth = useAuth();
+		const envelope = {
+			finished: true,
+			data: auth.buildLoginResponse(ctx.username, issue)
+		};
+		useWfFinished().set({
+			type: "data",
+			value: envelope,
+			cookies: auth.buildFinishedCookies(issue)
+		});
+	}
+	async auditLogin(ctx) {
+		await this.audit({
+			kind: "login.success",
+			userId: ctx.username,
+			workflow: "auth.login",
+			method: ctx.mfaMethod ?? (ctx.mfaChecked ? "mfa.skipped" : "password"),
+			ip: this.resolveClientIp(),
+			...ctx.selectedTenantId && { tenantId: ctx.selectedTenantId }
+		});
+	}
+	async notifyNewDevice(ctx) {
+		if (!ctx.email) return void 0;
+		await this.deliver({
+			channel: "email",
+			kind: "notifyNewDevice",
+			recipient: ctx.email,
+			expiresAt: Date.now(),
+			userId: ctx.username,
+			metadata: { ip: this.resolveClientIp() ?? "" }
+		});
+	}
+	redirect(ctx) {
+		const url = this.resolveRedirect(ctx);
+		if (!url) return void 0;
+		const existing = useWfFinished().get();
+		const envelope = {
+			finished: true,
+			end: {
+				mode: "immediate",
+				action: {
+					type: "redirect",
+					target: url,
+					reason: "finalize-redirect"
+				}
+			}
+		};
+		useWfFinished().set({
+			type: "data",
+			value: envelope,
+			...existing?.cookies && { cookies: existing.cookies }
+		});
+		ctx.redirectUrl = url;
+	}
+	/**
+	* Resolves the post-login redirect URL. Default reads
+	* `finalize.redirect`: `false` / `null` (the default) → no redirect, the
+	* `issue` step's data response stands (typical for SPAs/API clients);
+	* `'home'` → `/`; `'referer'` → request `Referer` header (undefined when
+	* absent, falling back to the data response).
+	*
+	* Consumers who want a computed redirect override this method.
+	*/
+	resolveRedirect(_ctx) {
+		const r = this.opts.finalize.redirect;
+		if (r === false || r === null) return void 0;
+		if (r === "home") return "/";
+		if (r === "referer") try {
+			const headers = useRequest(current()).headers;
+			const ref = headers?.referer ?? headers?.referrer;
+			const first = Array.isArray(ref) ? ref[0] : ref;
+			return typeof first === "string" && first.length > 0 ? first : void 0;
+		} catch {
+			return;
+		}
+	}
+	resolveClientIp() {
+		try {
+			return useRequest(current()).getIp?.() || void 0;
+		} catch {
+			return;
+		}
+	}
+};
+__decorate([
+	Workflow("auth.login"),
+	WorkflowSchema([
+		{ id: "init" },
+		{ id: "credentials" },
+		{
+			id: "magicLinkRequest",
+			condition: () => false
+		},
+		{
+			id: "magicLinkSend",
+			condition: () => false
+		},
+		{
+			id: "magicLinkVerified",
+			condition: () => false
+		},
+		{
+			id: "passkey",
+			condition: () => false
+		},
+		{
+			id: "ssoCallback",
+			condition: () => false
+		},
+		{
+			id: "ensureEmail",
+			condition: (ctx) => !!ctx.username && (ctx.opts.enrollment.ensureEmail || ctx.opts.guards.emailVerifiedRequired) && !ctx.emailConfirmed && !ctx.aborted
+		},
+		{
+			id: "ensurePhone",
+			condition: (ctx) => !!ctx.username && ctx.opts.enrollment.ensurePhone && !ctx.phoneConfirmed && !ctx.aborted
+		},
+		{
+			while: (ctx) => !!(ctx.username && ctx.opts.mfa.enabled && !ctx.mfaChecked && !ctx.aborted),
+			steps: [
+				{
+					id: "check-trusted-device",
+					condition: (ctx) => ctx.opts.deviceTrust.enabled && ctx.opts.deviceTrust.skipsMfa && !ctx.mfaChecked
+				},
+				{
+					id: "prepare-mfa-options",
+					condition: (ctx) => !ctx.mfaChecked
+				},
+				{
+					id: "select2fa",
+					condition: (ctx) => !ctx.mfaChecked && !ctx.mfaMethod && (ctx.mfaEnrolledMethods?.length ?? 0) > 1
+				},
+				{
+					id: "pincode-send-login",
+					condition: (ctx) => !ctx.mfaChecked && (ctx.mfaMethod === "sms" || ctx.mfaMethod === "email") && !ctx.pin
+				},
+				{
+					id: "pincode-check-login",
+					condition: (ctx) => !ctx.mfaChecked && (ctx.mfaMethod === "sms" || ctx.mfaMethod === "email")
+				},
+				{
+					id: "mfa-totp",
+					condition: (ctx) => !ctx.mfaChecked && ctx.mfaMethod === "totp"
+				},
+				{
+					id: "mfa-enroll-required",
+					condition: (ctx) => ctx.opts.mfa.enrollRequired && !ctx.mfaChecked && (ctx.mfaEnrolledMethods?.length ?? 0) === 0
+				},
+				{
+					id: "risk-step-up",
+					condition: (ctx) => !!(ctx.mfaChecked && !ctx.riskStepUpEvaluated)
+				}
+			]
+		},
+		{
+			id: "device-trust",
+			condition: (ctx) => !!ctx.username && ctx.opts.deviceTrust.enabled && !!ctx.mfaChecked && !!ctx.newDevice && (!ctx.opts.deviceTrust.optIn || !!ctx.rememberDevice) && !ctx.aborted
+		},
+		{
+			id: "prepare-password-rules",
+			condition: (ctx) => !!ctx.isPasswordInitial && !ctx.passwordChanged && !ctx.aborted
+		},
+		{
+			id: "create-password-form",
+			condition: (ctx) => !!ctx.isPasswordInitial && !ctx.passwordChanged && !ctx.aborted
+		},
+		{
+			id: "terms-accept",
+			condition: (ctx) => !!ctx.username && !!ctx.opts.acceptance.termsVersion && ctx.termsAcceptedVersion !== ctx.opts.acceptance.termsVersion && !ctx.termsAcceptedDone && !ctx.aborted
+		},
+		{
+			id: "profile-complete",
+			condition: (ctx) => !!ctx.username && ctx.opts.acceptance.profileCompleteRequired && !ctx.profileApplied && (ctx.profileMissingFields?.length ?? 0) > 0 && !ctx.aborted
+		},
+		{
+			id: "consent-marketing",
+			condition: (ctx) => !!ctx.username && ctx.opts.acceptance.consentMarketing && !ctx.consentApplied && !ctx.aborted
+		},
+		{
+			id: "tenant-select",
+			condition: (ctx) => !!ctx.username && ctx.opts.multiContext.tenantSelect && !ctx.selectedTenantId && (ctx.availableTenants?.length ?? 0) > 1 && !ctx.aborted
+		},
+		{
+			id: "persona-select",
+			condition: (ctx) => !!ctx.username && ctx.opts.multiContext.personaSelect && !ctx.selectedPersonaId && (ctx.availablePersonas?.length ?? 0) > 1 && !ctx.aborted
+		},
+		{
+			id: "concurrency-limit",
+			condition: (ctx) => !!ctx.username && !!ctx.opts.sessionPolicy.concurrencyLimit && (ctx.activeSessions ?? 0) >= ctx.opts.sessionPolicy.concurrencyLimit.max && !ctx.aborted
+		},
+		{
+			id: "issue",
+			condition: (ctx) => !!ctx.username && !ctx.tokensIssued && !ctx.aborted
+		},
+		{
+			id: "audit-login",
+			condition: (ctx) => !!ctx.username && ctx.opts.finalize.auditLogin && !!ctx.tokensIssued && !ctx.aborted
+		},
+		{
+			id: "notify-new-device",
+			condition: (ctx) => !!ctx.username && ctx.opts.finalize.notifyNewDevice && !!ctx.newDevice && !!ctx.tokensIssued && !ctx.aborted
+		},
+		{
+			id: "redirect",
+			condition: (ctx) => !!ctx.username && !!ctx.tokensIssued && !ctx.aborted
+		}
+	]),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", []),
+	__decorateMetadata("design:returntype", void 0)
+], LoginWorkflow.prototype, "flow", null);
+__decorate([
+	Step("init"),
+	__decorateParam(0, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object]),
+	__decorateMetadata("design:returntype", void 0)
+], LoginWorkflow.prototype, "init", null);
+__decorate([
+	Step("credentials"),
+	__decorateParam(0, WorkflowParam("input")),
+	__decorateParam(1, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object, Object]),
+	__decorateMetadata("design:returntype", Promise)
+], LoginWorkflow.prototype, "credentials", null);
+__decorate([
+	Step("magicLinkRequest"),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", []),
+	__decorateMetadata("design:returntype", void 0)
+], LoginWorkflow.prototype, "magicLinkRequest", null);
+__decorate([
+	Step("magicLinkSend"),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", []),
+	__decorateMetadata("design:returntype", void 0)
+], LoginWorkflow.prototype, "magicLinkSend", null);
+__decorate([
+	Step("magicLinkVerified"),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", []),
+	__decorateMetadata("design:returntype", void 0)
+], LoginWorkflow.prototype, "magicLinkVerified", null);
+__decorate([
+	Step("passkey"),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", []),
+	__decorateMetadata("design:returntype", void 0)
+], LoginWorkflow.prototype, "passkey", null);
+__decorate([
+	Step("ssoCallback"),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", []),
+	__decorateMetadata("design:returntype", void 0)
+], LoginWorkflow.prototype, "ssoCallback", null);
+__decorate([
+	Step("ensureEmail"),
+	__decorateParam(0, WorkflowParam("input")),
+	__decorateParam(1, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object, Object]),
+	__decorateMetadata("design:returntype", Promise)
+], LoginWorkflow.prototype, "ensureEmail", null);
+__decorate([
+	Step("ensurePhone"),
+	__decorateParam(0, WorkflowParam("input")),
+	__decorateParam(1, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object, Object]),
+	__decorateMetadata("design:returntype", Promise)
+], LoginWorkflow.prototype, "ensurePhone", null);
+__decorate([
+	Step("check-trusted-device"),
+	__decorateParam(0, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object]),
+	__decorateMetadata("design:returntype", Promise)
+], LoginWorkflow.prototype, "checkTrustedDevice", null);
+__decorate([
+	Step("prepare-mfa-options"),
+	__decorateParam(0, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object]),
+	__decorateMetadata("design:returntype", Promise)
+], LoginWorkflow.prototype, "prepareMfaOptions", null);
+__decorate([
+	Step("select2fa"),
+	__decorateParam(0, WorkflowParam("input")),
+	__decorateParam(1, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object, Object]),
+	__decorateMetadata("design:returntype", Promise)
+], LoginWorkflow.prototype, "select2fa", null);
+__decorate([
+	Step("pincode-send-login"),
+	__decorateParam(0, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object]),
+	__decorateMetadata("design:returntype", Promise)
+], LoginWorkflow.prototype, "pincodeSendLogin", null);
+__decorate([
+	Step("pincode-check-login"),
+	__decorateParam(0, WorkflowParam("input")),
+	__decorateParam(1, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object, Object]),
+	__decorateMetadata("design:returntype", Promise)
+], LoginWorkflow.prototype, "pincodeCheckLogin", null);
+__decorate([
+	Step("mfa-totp"),
+	__decorateParam(0, WorkflowParam("input")),
+	__decorateParam(1, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object, Object]),
+	__decorateMetadata("design:returntype", Promise)
+], LoginWorkflow.prototype, "mfaTotp", null);
+__decorate([
+	Step("mfa-enroll-required"),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", []),
+	__decorateMetadata("design:returntype", void 0)
+], LoginWorkflow.prototype, "mfaEnrollRequired", null);
+__decorate([
+	Step("device-trust"),
+	__decorateParam(0, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object]),
+	__decorateMetadata("design:returntype", Promise)
+], LoginWorkflow.prototype, "deviceTrust", null);
+__decorate([
+	Step("prepare-password-rules"),
+	__decorateParam(0, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object]),
+	__decorateMetadata("design:returntype", void 0)
+], LoginWorkflow.prototype, "preparePasswordRules", null);
+__decorate([
+	Step("create-password-form"),
+	__decorateParam(0, WorkflowParam("input")),
+	__decorateParam(1, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object, Object]),
+	__decorateMetadata("design:returntype", Promise)
+], LoginWorkflow.prototype, "createPasswordForm", null);
+__decorate([
+	Step("terms-accept"),
+	__decorateParam(0, WorkflowParam("input")),
+	__decorateParam(1, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object, Object]),
+	__decorateMetadata("design:returntype", Promise)
+], LoginWorkflow.prototype, "termsAccept", null);
+__decorate([
+	Step("profile-complete"),
+	__decorateParam(0, WorkflowParam("input")),
+	__decorateParam(1, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object, Object]),
+	__decorateMetadata("design:returntype", Promise)
+], LoginWorkflow.prototype, "profileComplete", null);
+__decorate([
+	Step("consent-marketing"),
+	__decorateParam(0, WorkflowParam("input")),
+	__decorateParam(1, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object, Object]),
+	__decorateMetadata("design:returntype", Promise)
+], LoginWorkflow.prototype, "consentMarketing", null);
+__decorate([
+	Step("tenant-select"),
+	__decorateParam(0, WorkflowParam("input")),
+	__decorateParam(1, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object, Object]),
+	__decorateMetadata("design:returntype", Promise)
+], LoginWorkflow.prototype, "tenantSelect", null);
+__decorate([
+	Step("persona-select"),
+	__decorateParam(0, WorkflowParam("input")),
+	__decorateParam(1, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object, Object]),
+	__decorateMetadata("design:returntype", Promise)
+], LoginWorkflow.prototype, "personaSelect", null);
+__decorate([
+	Step("concurrency-limit"),
+	__decorateParam(0, WorkflowParam("input")),
+	__decorateParam(1, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object, Object]),
+	__decorateMetadata("design:returntype", Promise)
+], LoginWorkflow.prototype, "concurrencyLimit", null);
+__decorate([
+	Step("risk-step-up"),
+	__decorateParam(0, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object]),
+	__decorateMetadata("design:returntype", Promise)
+], LoginWorkflow.prototype, "riskStepUp", null);
+__decorate([
+	Step("issue"),
+	__decorateParam(0, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object]),
+	__decorateMetadata("design:returntype", Promise)
+], LoginWorkflow.prototype, "issue", null);
+__decorate([
+	Step("audit-login"),
+	__decorateParam(0, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object]),
+	__decorateMetadata("design:returntype", Promise)
+], LoginWorkflow.prototype, "auditLogin", null);
+__decorate([
+	Step("notify-new-device"),
+	__decorateParam(0, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object]),
+	__decorateMetadata("design:returntype", Promise)
+], LoginWorkflow.prototype, "notifyNewDevice", null);
+__decorate([
+	Step("redirect"),
+	__decorateParam(0, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object]),
+	__decorateMetadata("design:returntype", void 0)
+], LoginWorkflow.prototype, "redirect", null);
+LoginWorkflow = __decorate([
+	Public(),
+	Injectable("FOR_EVENT"),
+	Controller(),
+	__decorateMetadata("design:paramtypes", [
+		Object,
+		typeof (_ref$2 = typeof UserService !== "undefined" && UserService) === "function" ? _ref$2 : Object,
+		typeof (_ref2$2 = typeof AuthCredential !== "undefined" && AuthCredential) === "function" ? _ref2$2 : Object
+	])
+], LoginWorkflow);
+//#endregion
+//#region src/workflows/recovery.workflow.options.ts
+/** Magic-link TTL default — also used as the persisted wf-state token TTL. */
+const DEFAULT_RECOVERY_TOKEN_TTL_MS = 3600 * 1e3;
+/**
+* Deep-merge defaults with the user-supplied nested pojo. Each group has its
+* own `{ ...defaults, ...input }` line — small enough that pulling in lodash
+* would be silly.
+*/
+function mergeRecoveryOpts(opts = {}) {
+	const inputDelivery = opts.delivery ?? {};
+	const inputOtp = inputDelivery.otp ?? {};
+	return {
+		delivery: {
+			mode: "magicLink",
+			magicLinkTtlMs: DEFAULT_RECOVERY_TOKEN_TTL_MS,
+			...inputDelivery,
+			otp: {
+				transports: ["email"],
+				codeLength: 6,
+				ttlMs: 5 * 6e4,
+				resendCooldownMs: 6e4,
+				...inputOtp
+			}
+		},
+		preReset: {
+			requireKnownFactor: false,
+			...opts.preReset
+		},
+		postReset: {
+			revokeAllSessions: true,
+			freshLoginRequired: false,
+			loginUrl: "/login",
+			...opts.postReset
+		},
+		altActions: {
+			backToLogin: true,
+			...opts.altActions
+		},
+		audit: {
+			enabled: true,
+			...opts.audit
+		},
+		forms: {
+			emailIdentifier: EmailIdentifierForm,
+			pincode: PincodeForm,
+			recoveryFactor: RecoveryFactorForm,
+			recoveryModeSelect: RecoveryModeSelectForm,
+			setPassword: SetPasswordForm,
+			...opts.forms
+		}
+	};
+}
+//#endregion
+//#region src/workflows/recovery.workflow.ts
+/**
+* RecoveryWorkflow — `wfid = 'auth.recovery'`.
+*
+* Full step catalog per `WF_RECOVERY.md`. Defaults give today's 3-step
+* magic-link flow (`request` → `sendMagicLink` → `setPassword`); consumers
+* turn on OTP delivery, pre-reset factor verification, fresh-login redirect
+* etc. via `RecoveryWorkflowOpts`.
+*
+* **Step routing model.** Mirrors `LoginWorkflow`: alt-action handlers run
+* BEFORE form validation (so `backToLogin` works without filling fields) and
+* return the `ALT_HANDLED` sentinel after short-circuiting via
+* `useWfFinished().set(...)`. The step body then returns `undefined` so the
+* schema advances cleanly, with terminal steps gated on `!ctx.aborted` so the
+* abort response set via `useWfFinished()` is not overwritten.
+*
+* **Consumer subclass pattern (Phase 3 reshape).** Consumers subclass
+* `RecoveryWorkflow` to override `protected` hook methods. The subclass MUST
+* re-apply `@Inherit() @Injectable('FOR_EVENT') @Controller()` and re-declare
+* the constructor signature (TS emits fresh design-paramtypes per class).
+*
+* **Side-effect deps as protected methods.** The optional sender/emitter DI
+* providers have been DROPPED from the constructor. The hooks live as
+* `protected` methods consumers override:
+*
+*   - `deliver(payload)` — unified email + SMS dispatch (see `DeliverPayload`).
+*     Default throws; override to wire your senders.
+*   - `audit(event)` — fire audit events. Default: no-op.
+*   - `emailToUserId(email)` — resolve recovery email to canonical username.
+*   - `verifyRecoveryFactor(...)` — phone last-4 / TOTP / custom factors.
+*
+* Rate-limiting is intentionally NOT part of this workflow — consumers who
+* want a cap wire it themselves at the HTTP / trigger layer.
+*/
+var _ref$1, _ref2$1;
+/**
+* Sentinel returned by alt-action handlers that have already short-circuited
+* via `useWfFinished().set(...)`. The step body returns `undefined` after
+* seeing this so the schema advances without running form validation on the
+* alt-action payload (which lacks the form's required fields).
+*/
+const ALT_HANDLED$1 = Symbol("ALT_HANDLED");
+/**
+* Construction-time invariants for DATA validity only. Sender/emitter absence
+* is no longer checked — those default to fail-loud (`deliver()`) or safe
+* (`audit()` no-op) protected methods that consumers override.
+*/
+function validateOpts(opts) {
+	if (opts.delivery.mode !== "magicLink" && opts.delivery.otp.transports.length === 0) throw new Error("RecoveryWorkflow: delivery.otp.transports cannot be empty when delivery.mode includes OTP");
+}
+let RecoveryWorkflow = class RecoveryWorkflow {
+	opts;
+	users;
+	auth;
+	constructor(opts, users, auth) {
+		this.opts = mergeRecoveryOpts(opts);
+		this.users = users;
+		this.auth = auth;
+		validateOpts(this.opts);
+	}
+	/**
+	* Dispatch an email or SMS event. Default throws — consumers MUST override
+	* if `delivery.mode` ever drives email/SMS (i.e. for any non-`magicLink`
+	* mode AND for `magicLink` mode the `outletEmail` outlet still runs the
+	* email through `createAuthEmailOutlet`'s `EmailSender` — see the trigger
+	* controller wiring; this method covers OTP code dispatch).
+	*/
+	async deliver(_payload) {
+		throw new Error("RecoveryWorkflow.deliver() not configured — override to wire your email/sms sender");
+	}
+	/**
+	* Emit an audit event. Default: no-op. Consumers override to fan out to
+	* their audit sink.
+	*/
+	async audit(_event) {}
+	flow() {}
+	init(ctx) {
+		ctx.opts = this.snapshotOpts(this.opts);
+		if (this.opts.delivery.mode !== "choice") ctx.resolvedMode = this.opts.delivery.mode;
+	}
+	/**
+	* Returns the JSON-safe projection of `opts` stashed onto `ctx` for schema
+	* conditions to read. Default: drop the `forms` group (atscript form classes
+	* are not plain JSON) so `AsWfStore`'s plain-JSON persistence doesn't choke.
+	* Step bodies still consult the form classes via `this.opts.forms.*`.
+	*
+	* Consumers who extend the opts type with non-JSON values can override this
+	* to strip them so `AsWfStore`'s plain-JSON persistence doesn't choke.
+	*/
+	snapshotOpts(opts) {
+		const { forms: _forms, ...rest } = opts;
+		return rest;
+	}
+	async request(input, ctx) {
+		if (!input) {
+			const prefilled = readUsernameQueryParam();
+			const formCtx = { ...ctx };
+			if (prefilled) formCtx.defaults = { email: prefilled };
+			return httpInputRequired(this.opts.forms.emailIdentifier, formCtx);
+		}
+		if (input.action === "backToLogin" && this.opts.altActions.backToLogin) {
+			this.abortToLogin(ctx);
+			return;
+		}
+		const errors = validateFormInput(this.opts.forms.emailIdentifier, input);
+		if (errors) return httpInputRequired(this.opts.forms.emailIdentifier, ctx, errors);
+		const email = input.email;
+		ctx.email = email;
+		let username;
+		try {
+			const userId = await this.emailToUserId(email);
+			if (userId) username = (await this.users.getUser(userId)).username;
+		} catch (err) {
+			if (!(err instanceof UserAuthError) || err.type !== "NOT_FOUND") throw err;
+		}
+		await this.emitRequested(ctx, username);
+		if (!username) {
+			this.finishGeneric();
+			return;
+		}
+		ctx.username = username;
+		if (ctx.resolvedMode === "otp" && !ctx.otpTransport) ctx.otpTransport = this.opts.delivery.otp.transports[0];
+	}
+	/**
+	* Resolves the recovery-step `email` input to the `username` (user-id) that
+	* `UserService.getUser` expects. Default: returns the email unchanged (treats
+	* email as username). Apps whose user model separates `username` from
+	* `email` MUST override this; return `null` when no user matches.
+	*/
+	async emailToUserId(email) {
+		return email;
+	}
+	selectMode(input, ctx) {
+		if (!input) return httpInputRequired(this.opts.forms.recoveryModeSelect, ctx);
+		if (input.action === "backToLogin" && this.opts.altActions.backToLogin) {
+			this.abortToLogin(ctx);
+			return;
+		}
+		const errors = validateFormInput(this.opts.forms.recoveryModeSelect, input);
+		if (errors) return httpInputRequired(this.opts.forms.recoveryModeSelect, ctx, errors);
+		const mode = input.mode;
+		ctx.selectedMode = mode;
+		ctx.resolvedMode = mode;
+		if (mode === "otp" && !ctx.otpTransport) ctx.otpTransport = this.opts.delivery.otp.transports[0];
+	}
+	sendMagicLink(ctx) {
+		if (ctx.linkSent) return void 0;
+		ctx.linkSent = true;
+		return {
+			...outletEmail(ctx.email, "recovery.magicLink", {
+				username: ctx.username,
+				expiresAtMs: this.opts.delivery.magicLinkTtlMs
+			}),
+			expires: Date.now() + this.opts.delivery.magicLinkTtlMs
+		};
+	}
+	async sendOtp(ctx) {
+		requireUsername(ctx);
+		const transport = ctx.otpTransport ?? this.opts.delivery.otp.transports[0] ?? "email";
+		ctx.otpTransport = transport;
+		ctx.otpCodeLength = this.opts.delivery.otp.codeLength;
+		const code = mintPin$1(ctx, this.opts.delivery.otp.codeLength, this.opts.delivery.otp.ttlMs);
+		ctx.pinResendAllowedAt = Date.now() + this.opts.delivery.otp.resendCooldownMs;
+		if (transport === "email") await this.deliver({
+			channel: "email",
+			kind: "recovery.pincode",
+			recipient: ctx.email,
+			code,
+			expiresAt: ctx.pinExpire,
+			userId: ctx.username
+		});
+		else {
+			const phone = await this.resolveUserPhone(ctx.username);
+			await this.deliver({
+				channel: "sms",
+				kind: "recovery.pincode",
+				recipient: phone ?? ctx.email,
+				code,
+				ttlMs: this.opts.delivery.otp.ttlMs,
+				userId: ctx.username
+			});
+		}
+	}
+	async checkOtp(input, ctx) {
+		if (!input) return httpInputRequired(this.opts.forms.pincode, ctx);
+		if (input.action === "backToLogin" && this.opts.altActions.backToLogin) {
+			this.abortToLogin(ctx);
+			return;
+		}
+		if (input.action === "resend") {
+			if (ctx.pinResendAllowedAt && Date.now() < ctx.pinResendAllowedAt) {
+				const waitSec = Math.ceil((ctx.pinResendAllowedAt - Date.now()) / 1e3);
+				return httpInputRequired(this.opts.forms.pincode, ctx, { __form: `Please wait ${waitSec}s` });
+			}
+			delete ctx.pin;
+			delete ctx.pinExpire;
+			return;
+		}
+		if (input.action === "useDifferentTransport") {
+			const transports = this.opts.delivery.otp.transports;
+			if (transports.length < 2) return httpInputRequired(this.opts.forms.pincode, ctx, { __form: "Only one transport configured" });
+			const current = ctx.otpTransport ?? transports[0];
+			ctx.otpTransport = transports.find((t) => t !== current) ?? transports[0];
+			delete ctx.pin;
+			delete ctx.pinExpire;
+			return;
+		}
+		const errors = validateFormInput(this.opts.forms.pincode, input);
+		if (errors) return httpInputRequired(this.opts.forms.pincode, ctx, errors);
+		const pinErr = verifyPin$1(ctx, input.code);
+		if (pinErr) return httpInputRequired(this.opts.forms.pincode, ctx, pinErr);
+		ctx.pinVerified = true;
+		delete ctx.pin;
+		delete ctx.pinExpire;
+	}
+	async verifyFactor(input, ctx) {
+		if (!input) return httpInputRequired(this.opts.forms.recoveryFactor, ctx);
+		if (input.action === "backToLogin" && this.opts.altActions.backToLogin) {
+			this.abortToLogin(ctx);
+			return;
+		}
+		const errors = validateFormInput(this.opts.forms.recoveryFactor, input);
+		if (errors) return httpInputRequired(this.opts.forms.recoveryFactor, ctx, errors);
+		requireUsername(ctx);
+		const factor = input.factor;
+		const value = input.value;
+		if (!await this.verifyRecoveryFactor({
+			factor,
+			value,
+			ctx
+		})) return httpInputRequired(this.opts.forms.recoveryFactor, ctx, { value: "Invalid factor" });
+		ctx.factorVerified = true;
+	}
+	/**
+	* Verifies a recovery factor against the user's enrolled MFA methods.
+	* Default: supports `'phone'` (phone last-4 match) and `'totp'` (current
+	* TOTP code). Returns `true` when the factor matches.
+	*
+	* Consumers extend by overriding to support additional factors (e.g.
+	* security questions); call `super.verifyRecoveryFactor(...)` to keep
+	* the built-in checks.
+	*/
+	async verifyRecoveryFactor(input) {
+		const { factor, value, ctx } = input;
+		if (!ctx.username) return false;
+		const user = await this.users.getUser(ctx.username);
+		if (factor === "phone") {
+			const phoneMethod = user.mfa.methods.find((m) => m.name === "sms" && m.confirmed);
+			if (!phoneMethod) return false;
+			return value === phoneMethod.value.slice(-4);
+		}
+		if (factor === "totp") {
+			const totpMethod = user.mfa.methods.find((m) => m.name === "totp" && m.confirmed);
+			if (!totpMethod) return false;
+			return verifyTotpCode(totpMethod.value, value);
+		}
+		return false;
+	}
+	async setPassword(input, ctx) {
+		if (!input) {
+			const formCtx = { ...ctx };
+			formCtx.passwordPolicies = this.users.getTransferablePolicies();
+			return httpInputRequired(this.opts.forms.setPassword, formCtx);
+		}
+		if (input.action === "backToLogin" && this.opts.altActions.backToLogin) {
+			this.abortToLogin(ctx);
+			return;
+		}
+		const errors = validateFormInput(this.opts.forms.setPassword, input);
+		if (errors) return httpInputRequired(this.opts.forms.setPassword, ctx, errors);
+		if (input.newPassword !== input.confirmPassword) return httpInputRequired(this.opts.forms.setPassword, ctx, { confirmPassword: "Passwords do not match" });
+		if (!ctx.username) return httpInputRequired(this.opts.forms.setPassword, ctx, { __form: "Recovery session expired" });
+		try {
+			await this.users.setPassword(ctx.username, input.newPassword);
+		} catch (err) {
+			translatePasswordSetError(err);
+		}
+		ctx.passwordChanged = true;
+	}
+	async revokeSessions(ctx) {
+		if (!ctx.username) return void 0;
+		await this.auth.revokeAllForUser(ctx.username);
+		ctx.sessionsRevoked = true;
+	}
+	async auditStep(ctx) {
+		await this.audit({
+			kind: "recovery.completed",
+			userId: ctx.username,
+			workflow: "auth.recovery",
+			deliveryMode: ctx.resolvedMode ?? this.opts.delivery.mode,
+			ip: resolveClientIp(),
+			...ctx.sessionsRevoked && { sessionsRevoked: true }
+		});
+	}
+	freshLoginFinish(_ctx) {
+		finishWfWithRedirect(this.opts.postReset.loginUrl, {
+			autoMs: 5e3,
+			skipLabel: "Go now",
+			message: {
+				level: "success",
+				text: "Password updated. Redirecting to sign-in…"
+			},
+			reason: "reset-success"
+		});
+	}
+	async autoLoginFinish(ctx) {
+		requireUsername(ctx);
+		const issue = await this.auth.issue(ctx.username);
+		ctx.tokensIssued = true;
+		const auth = useAuth();
+		const envelope = {
+			finished: true,
+			data: auth.buildLoginResponse(ctx.username, issue)
+		};
+		useWfFinished().set({
+			type: "data",
+			value: envelope,
+			cookies: auth.buildFinishedCookies(issue)
+		});
+	}
+	/**
+	* Send the generic "if an account exists, you'll receive instructions"
+	* finished response. Used for unknown emails so a known/unknown lookup is
+	* indistinguishable to the client (anti-enumeration).
+	*/
+	finishGeneric() {
+		finishWfWithData({ sent: true }, {
+			level: "info",
+			text: "If an account exists, you will receive instructions."
+		});
+	}
+	abortToLogin(ctx) {
+		finishWfWithRedirect(this.opts.postReset.loginUrl, { reason: "user-cancelled" });
+		ctx.aborted = true;
+		return ALT_HANDLED$1;
+	}
+	async emitRequested(ctx, username) {
+		if (!this.opts.audit.enabled) return;
+		await this.audit({
+			kind: "recovery.requested",
+			workflow: "auth.recovery",
+			userId: username,
+			email: ctx.email,
+			ip: resolveClientIp()
+		});
+	}
+	async resolveUserPhone(username) {
+		try {
+			return (await this.users.getUser(username)).mfa.methods.find((m) => m.name === "sms" && m.confirmed)?.value;
+		} catch {
+			return;
+		}
+	}
+};
+__decorate([
+	Workflow("auth.recovery"),
+	WorkflowSchema([
+		{ id: "recoveryInit" },
+		{ id: "recoveryRequest" },
+		{
+			id: "recoverySelectMode",
+			condition: (ctx) => !!(ctx.username && ctx.opts.delivery.mode === "choice" && !ctx.selectedMode && !ctx.aborted)
+		},
+		{
+			id: "recoverySendMagicLink",
+			condition: (ctx) => !!(ctx.username && ctx.resolvedMode === "magicLink" && !ctx.aborted)
+		},
+		{
+			while: (ctx) => !!(ctx.username && ctx.resolvedMode === "otp" && !ctx.pinVerified && !ctx.aborted),
+			steps: [{
+				id: "recoverySendOtp",
+				condition: (ctx) => !ctx.pin
+			}, { id: "recoveryCheckOtp" }]
+		},
+		{
+			id: "recoveryVerifyFactor",
+			condition: (ctx) => !!(ctx.username && ctx.opts.preReset.requireKnownFactor && !ctx.factorVerified && (ctx.linkSent || ctx.pinVerified) && !ctx.aborted)
+		},
+		{
+			id: "recoverySetPassword",
+			condition: (ctx) => !!(ctx.username && (ctx.linkSent || ctx.pinVerified) && (!ctx.opts.preReset.requireKnownFactor || ctx.factorVerified) && !ctx.aborted)
+		},
+		{
+			id: "recoveryRevokeSessions",
+			condition: (ctx) => !!(ctx.opts.postReset.revokeAllSessions && ctx.passwordChanged && !ctx.aborted)
+		},
+		{
+			id: "recoveryAudit",
+			condition: (ctx) => !!(ctx.opts.audit.enabled && ctx.passwordChanged && !ctx.aborted)
+		},
+		{
+			id: "recoveryFreshLoginFinish",
+			condition: (ctx) => !!(ctx.opts.postReset.freshLoginRequired && ctx.passwordChanged && !ctx.aborted)
+		},
+		{
+			id: "recoveryAutoLoginFinish",
+			condition: (ctx) => !!(!ctx.opts.postReset.freshLoginRequired && ctx.passwordChanged && !ctx.tokensIssued && !ctx.aborted)
+		}
+	]),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", []),
+	__decorateMetadata("design:returntype", void 0)
+], RecoveryWorkflow.prototype, "flow", null);
+__decorate([
+	Step("recoveryInit"),
+	__decorateParam(0, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object]),
+	__decorateMetadata("design:returntype", void 0)
+], RecoveryWorkflow.prototype, "init", null);
+__decorate([
+	Step("recoveryRequest"),
+	__decorateParam(0, WorkflowParam("input")),
+	__decorateParam(1, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object, Object]),
+	__decorateMetadata("design:returntype", Promise)
+], RecoveryWorkflow.prototype, "request", null);
+__decorate([
+	Step("recoverySelectMode"),
+	__decorateParam(0, WorkflowParam("input")),
+	__decorateParam(1, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object, Object]),
+	__decorateMetadata("design:returntype", Object)
+], RecoveryWorkflow.prototype, "selectMode", null);
+__decorate([
+	Step("recoverySendMagicLink"),
+	__decorateParam(0, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object]),
+	__decorateMetadata("design:returntype", Object)
+], RecoveryWorkflow.prototype, "sendMagicLink", null);
+__decorate([
+	Step("recoverySendOtp"),
+	__decorateParam(0, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object]),
+	__decorateMetadata("design:returntype", Promise)
+], RecoveryWorkflow.prototype, "sendOtp", null);
+__decorate([
+	Step("recoveryCheckOtp"),
+	__decorateParam(0, WorkflowParam("input")),
+	__decorateParam(1, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object, Object]),
+	__decorateMetadata("design:returntype", Promise)
+], RecoveryWorkflow.prototype, "checkOtp", null);
+__decorate([
+	Step("recoveryVerifyFactor"),
+	__decorateParam(0, WorkflowParam("input")),
+	__decorateParam(1, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object, Object]),
+	__decorateMetadata("design:returntype", Promise)
+], RecoveryWorkflow.prototype, "verifyFactor", null);
+__decorate([
+	Step("recoverySetPassword"),
+	__decorateParam(0, WorkflowParam("input")),
+	__decorateParam(1, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object, Object]),
+	__decorateMetadata("design:returntype", Promise)
+], RecoveryWorkflow.prototype, "setPassword", null);
+__decorate([
+	Step("recoveryRevokeSessions"),
+	__decorateParam(0, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object]),
+	__decorateMetadata("design:returntype", Promise)
+], RecoveryWorkflow.prototype, "revokeSessions", null);
+__decorate([
+	Step("recoveryAudit"),
+	__decorateParam(0, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object]),
+	__decorateMetadata("design:returntype", Promise)
+], RecoveryWorkflow.prototype, "auditStep", null);
+__decorate([
+	Step("recoveryFreshLoginFinish"),
+	__decorateParam(0, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object]),
+	__decorateMetadata("design:returntype", void 0)
+], RecoveryWorkflow.prototype, "freshLoginFinish", null);
+__decorate([
+	Step("recoveryAutoLoginFinish"),
+	__decorateParam(0, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object]),
+	__decorateMetadata("design:returntype", Promise)
+], RecoveryWorkflow.prototype, "autoLoginFinish", null);
+RecoveryWorkflow = __decorate([
+	Public(),
+	Injectable("FOR_EVENT"),
+	Controller(),
+	__decorateMetadata("design:paramtypes", [
+		Object,
+		typeof (_ref$1 = typeof UserService !== "undefined" && UserService) === "function" ? _ref$1 : Object,
+		typeof (_ref2$1 = typeof AuthCredential !== "undefined" && AuthCredential) === "function" ? _ref2$1 : Object
+	])
+], RecoveryWorkflow);
+/**
+* Reads the `?username=` query parameter when the workflow is triggered (e.g.
+* via the login workflow's `forgotPassword` alt-action). Returns undefined
+* outside of an HTTP event context (e.g. unit tests that hand-roll the wf
+* runtime). Used purely for form pre-fill.
+*/
+function readUsernameQueryParam() {
+	try {
+		const { params } = useUrlParams(current());
+		return params().get("username") ?? void 0;
+	} catch {
+		return;
+	}
+}
+//#endregion
+//#region src/workflows/invite.workflow.options.ts
+const DEFAULT_INVITE_TOKEN_TTL_MS = 10080 * 60 * 1e3;
+/**
+* Deep-merge defaults with the user-supplied nested pojo. Each group has its
+* own `{ ...defaults, ...input }` line — small enough that pulling in lodash
+* would be silly.
+*/
+function mergeInviteOpts(opts = {}) {
+	return {
+		adminForm: {
+			collectRoles: true,
+			...opts.adminForm
+		},
+		send: {
+			mode: "email",
+			tokenTtlMs: DEFAULT_INVITE_TOKEN_TTL_MS,
+			...opts.send
+		},
+		accept: {
+			alreadyAcceptedRedirectUrl: "/login",
+			freshLoginRequired: false,
+			loginUrl: "/login",
+			showConfirmation: true,
+			confirmationMessage: "Your account has been created.",
+			...opts.accept
+		},
+		cancellation: {
+			allowed: true,
+			...opts.cancellation
+		},
+		audit: {
+			enabled: true,
+			...opts.audit
+		},
+		forms: {
+			invite: InviteForm,
+			inviteEmail: InviteEmailForm,
+			inviteSendMode: InviteSendModeForm,
+			setPassword: SetPasswordForm,
+			...opts.forms
+		}
+	};
+}
+//#endregion
+//#region src/workflows/invite.workflow.ts
+/**
+* InviteWorkflow — registers three workflow ids:
+*
+*   - `auth.invite`       — admin invites a new user → user accepts (full flow)
+*   - `auth.reInvite`     — admin resends to an existing `pendingInvitation` user
+*   - `auth.cancelInvite` — admin hard-deletes a pending invite (gated by
+*                           `opts.cancellation.allowed`)
+*
+* Full step catalog per `WF_INVITE.md`. Step IDs are workflow-scoped (all
+* prefixed `invite*`) because `@moostjs/event-wf` registers `@Step('id')`
+* globally — identical IDs across login/recovery/invite would silently
+* collide and overwrite handlers. The accept tail (`inviteCheckPending…`
+* through `inviteAutoLoginFinish`) is shared between `auth.invite` and
+* `auth.reInvite` schemas by re-referencing the same step IDs.
+*
+* **Step routing model.** Same shape as `RecoveryWorkflow`: alt-action
+* handlers run BEFORE form validation (so `cancel` works without filling
+* fields) and return the `ALT_HANDLED` sentinel after short-circuiting via
+* `useWfFinished().set(...)`. Terminal steps gate on `!ctx.aborted` so the
+* abort response stays.
+*
+* **Consumer subclass pattern (Phase 4 reshape).** Consumers subclass
+* `InviteWorkflow` to override `protected` hook methods. The subclass MUST
+* re-apply `@Inherit() @Injectable('FOR_EVENT') @Controller()` and re-declare
+* the constructor signature (TS emits fresh design-paramtypes per class).
+*
+* **Side-effect deps as protected methods.** Sender/store/emitter DI
+* providers have been DROPPED from the constructor. Hooks live as `protected`
+* methods consumers override:
+*
+*   - `deliver(payload)` — unified email + SMS dispatch (see `DeliverPayload`).
+*     Default throws; override to wire your senders. The default invite send
+*     uses `outletEmail` (handled by `createAuthEmailOutlet` at the trigger
+*     route) so `deliver()` is only invoked if a consumer's accept-tail steps
+*     drive a manual send. Kept exposed for parity with login/recovery and to
+*     give consumer subclasses a single override seam for future SMS-invite
+*     work.
+*   - `audit(event)` — fire audit events. Default: no-op.
+*
+* **Replaceable behaviour as protected methods.**
+*
+*   - `prepareUser(input)` — extras merged into the freshly-created user row.
+*   - `getAvailableRoles()` — multi-select source for the admin invite form.
+*   - `inferRoles(input)` — derive roles server-side (e.g. AD lookup).
+*   - `applyProfile({username, profile})` — persist the accept-time profile.
+*   - `duplicateCheck({email, existingUser})` — override the structural
+*     duplicate rule (multi-tenant escape hatch).
+*   - `getProfileForm()` — return the consumer's `.as` profile form schema;
+*     `undefined` skips the profile-collection step.
+*
+* Rate-limiting is intentionally NOT part of this workflow — consumers who
+* want a cap wire it themselves at the HTTP / trigger layer.
+*/
+var _ref, _ref2;
+/**
+* Sentinel returned by alt-action handlers that have already short-circuited
+* via `useWfFinished().set(...)`. The step body returns `undefined` after
+* seeing this so the schema advances without running form validation on the
+* alt-action payload (which lacks the form's required fields).
+*/
+const ALT_HANDLED = Symbol("ALT_HANDLED");
+/** Audit `kind` → `wfid` reverse map. Default falls through to `auth.invite`. */
+const AUDIT_WORKFLOW_BY_KIND = {
+	"invite.cancelled": "auth.cancelInvite",
+	"invite.resent": "auth.reInvite"
+};
+/** Trim + de-duplicate role identifiers submitted via the admin invite form. */
+function parseInviteRoles(input) {
+	if (!Array.isArray(input)) return [];
+	const seen = /* @__PURE__ */ new Set();
+	for (const v of input) {
+		const trimmed = typeof v === "string" ? v.trim() : "";
+		if (trimmed) seen.add(trimmed);
+	}
+	return [...seen];
+}
+let InviteWorkflow = class InviteWorkflow {
+	opts;
+	users;
+	auth;
+	constructor(opts, users, auth) {
+		this.opts = mergeInviteOpts(opts);
+		this.users = users;
+		this.auth = auth;
+		this.opts;
+	}
+	/**
+	* Dispatch an email or SMS event. Default throws — the default invite send
+	* uses `outletEmail` (handled by `createAuthEmailOutlet`) so this method is
+	* only invoked when a consumer's accept-tail steps drive a manual send.
+	* Override to wire your senders.
+	*/
+	async deliver(_payload) {
+		throw new Error("InviteWorkflow.deliver() not configured — override to wire your email/sms sender");
+	}
+	/**
+	* Emit an audit event. Default: no-op. Consumers override to fan out to
+	* their audit sink.
+	*/
+	async audit(_event) {}
+	/**
+	* Build the extras dictionary merged into the freshly-created user row in
+	* `invitePreCreateUser`. Default: `{}`. Override to populate e.g. a
+	* required `tenantId`. This is the ONLY seam through which the admin form's
+	* `firstName` / `lastName` reach persistence — map them into your schema's
+	* own columns (e.g. `displayName`) and return them here.
+	*/
+	async prepareUser(_input) {
+		return {};
+	}
+	/**
+	* Return the list of selectable role identifiers for the admin invite form.
+	* When defined AND `adminForm.collectRoles` is true → form ships
+	* `ctx.availableRoles` so the UI renders a multi-select AND the
+	* `inviteAdminInviteForm` step rejects admin-submitted roles outside the
+	* list. When `undefined` (default) → no whitelist is enforced and any role
+	* value the admin form supplies is accepted.
+	*/
+	async getAvailableRoles() {}
+	/**
+	* Derive roles server-side from the admin-form payload (e.g. email domain
+	* → tenant role, AD lookup). Result is set-unioned with admin-supplied
+	* roles when `adminForm.collectRoles` is true. Default: `[]` (no inference).
+	*/
+	async inferRoles(_input) {
+		return [];
+	}
+	/**
+	* Persist the accept-time profile payload. Default: deep-merge into the
+	* user record via `UserService.update(username, profile)`. Override to
+	* route into a separate profile table / external CRM.
+	*/
+	async applyProfile(input) {
+		await this.users.update(input.username, input.profile);
+	}
+	/**
+	* Override the structural duplicate rule for `inviteAdminInviteForm`.
+	* Default: any existing row → `'reject'`; nothing → `'allow'`. Multi-tenant
+	* apps that allow re-inviting the same email into a different tenant
+	* override to return `'allow'` for those cases.
+	*/
+	async duplicateCheck(input) {
+		return input.existingUser ? "reject" : "allow";
+	}
+	/**
+	* Return the consumer-supplied `.as` form schema rendered in the
+	* `inviteCollectProfile` step. `undefined` (default) skips the step
+	* entirely (just password collection).
+	*/
+	getProfileForm() {}
+	/**
+	* Returns the JSON-safe projection of `opts` stashed onto `ctx` for schema
+	* conditions to read. Default: drop the `forms` group (atscript form classes
+	* are not plain JSON) so `AsWfStore`'s plain-JSON persistence doesn't choke.
+	* Step bodies still consult the form classes via `this.opts.forms.*`.
+	*
+	* Consumers who extend the opts type with non-JSON values can override this
+	* to strip them so `AsWfStore`'s plain-JSON persistence doesn't choke.
+	*/
+	snapshotOpts(opts) {
+		const { forms: _forms, ...rest } = opts;
+		return rest;
+	}
+	inviteFlow() {}
+	reInviteFlow() {}
+	cancelInviteFlow() {}
+	init(ctx) {
+		ctx.opts = this.snapshotOpts(this.opts);
+		ctx.acceptProfileFormPresent = this.getProfileForm() !== void 0;
+		if (this.opts.send.mode !== "choice") ctx.resolvedSendMode = this.opts.send.mode;
+	}
+	async prepareAvailableRoles(ctx) {
+		const roles = await this.getAvailableRoles();
+		if (roles) ctx.availableRoles = roles;
+	}
+	selectSendMode(input, ctx) {
+		if (!input) return httpInputRequired(this.opts.forms.inviteSendMode, ctx);
+		if (input.action === "cancel") return this.abort(ctx, "cancel");
+		const errors = validateFormInput(this.opts.forms.inviteSendMode, input);
+		if (errors) return httpInputRequired(this.opts.forms.inviteSendMode, ctx, errors);
+		const mode = input.mode;
+		ctx.selectedSendMode = mode;
+		ctx.resolvedSendMode = mode;
+	}
+	async adminInviteForm(input, ctx) {
+		if (!input) return httpInputRequired(this.opts.forms.invite, ctx);
+		if (input.action === "cancel") return this.abort(ctx, "cancel");
+		const errors = validateFormInput(this.opts.forms.invite, input);
+		if (errors) return httpInputRequired(this.opts.forms.invite, ctx, errors);
+		const email = input.email;
+		const parsed = parseInviteRoles(input.roles);
+		if (Array.isArray(ctx.availableRoles)) {
+			const allowed = new Set(ctx.availableRoles);
+			if (parsed.find((r) => !allowed.has(r)) !== void 0) return httpInputRequired(this.opts.forms.invite, ctx, { roles: "Invalid role" });
+		}
+		const existing = await this.loadUserOrNull(email);
+		if (await this.duplicateCheck({
+			email,
+			existingUser: existing
+		}) === "reject") {
+			if (existing?.account?.pendingInvitation) throw new HttpError$1(409, "Invite already pending, use reInvite");
+			if (existing) throw new HttpError$1(409, "User already exists");
+			throw new HttpError$1(409, "Duplicate invite rejected");
+		}
+		ctx.email = email;
+		if (input.firstName) ctx.firstName = input.firstName;
+		if (input.lastName) ctx.lastName = input.lastName;
+		if (parsed.length > 0) ctx.roles = parsed;
+	}
+	async inferRolesStep(ctx) {
+		if (!ctx.email) return void 0;
+		const inferred = await this.inferRoles({
+			email: ctx.email,
+			...ctx.firstName && { firstName: ctx.firstName },
+			...ctx.lastName && { lastName: ctx.lastName }
+		});
+		if (inferred.length === 0) return void 0;
+		const merged = new Set([...ctx.roles ?? [], ...inferred]);
+		ctx.roles = Array.from(merged);
+	}
+	async preCreateUser(ctx) {
+		if (!ctx.email) throw new HttpError$1(500, "Workflow state corrupted: missing email");
+		const invitedBy = useAuth().getAuthContext()?.userId;
+		const preparedInput = {
+			email: ctx.email,
+			...ctx.firstName && { firstName: ctx.firstName },
+			...ctx.lastName && { lastName: ctx.lastName },
+			roles: ctx.roles ?? [],
+			...invitedBy && { invitedBy }
+		};
+		const fields = {
+			...await this.prepareUser(preparedInput),
+			...ctx.roles && ctx.roles.length > 0 && { roles: ctx.roles }
+		};
+		try {
+			await this.users.createUser(ctx.email, void 0, fields);
+		} catch (err) {
+			if (err instanceof UserAuthError && err.type === "ALREADY_EXISTS") throw new HttpError$1(409, "User already exists");
+			throw err;
+		}
+		await this.users.update(ctx.email, { account: { pendingInvitation: true } });
+		ctx.username = ctx.email;
+		await this.emitAudit("invite.created", ctx);
+	}
+	sendInviteEmail(ctx) {
+		if (ctx.linkSent) return void 0;
+		ctx.linkSent = true;
+		return {
+			...outletEmail(ctx.email, "invite.magicLink", {
+				username: ctx.username,
+				...ctx.roles && { roles: ctx.roles },
+				expiresAtMs: this.opts.send.tokenTtlMs
+			}),
+			expires: Date.now() + this.opts.send.tokenTtlMs
+		};
+	}
+	returnShareableLink(ctx) {
+		if (ctx.linkSent) return void 0;
+		ctx.linkSent = true;
+		return {
+			...outletEmail(ctx.email, "invite.magicLink", {
+				username: ctx.username,
+				...ctx.roles && { roles: ctx.roles },
+				expiresAtMs: this.opts.send.tokenTtlMs,
+				shareableLink: true
+			}),
+			expires: Date.now() + this.opts.send.tokenTtlMs
+		};
+	}
+	async loadPendingUser(input, ctx) {
+		if (!input) return httpInputRequired(this.opts.forms.inviteEmail, ctx);
+		if (input.action === "cancel") return this.abort(ctx, "cancel");
+		const errors = validateFormInput(this.opts.forms.inviteEmail, input);
+		if (errors) return httpInputRequired(this.opts.forms.inviteEmail, ctx, errors);
+		const email = input.email;
+		const existing = await this.loadUserOrNull(email);
+		if (!existing) throw new HttpError$1(404, "No pending invite for this email");
+		if (!existing.account?.pendingInvitation) throw new HttpError$1(409, "User has already accepted; cannot resend");
+		ctx.email = email;
+		ctx.username = existing.username;
+		const u = existing;
+		if (u.firstName) ctx.firstName = u.firstName;
+		if (u.lastName) ctx.lastName = u.lastName;
+		if (u.roles && u.roles.length > 0) ctx.roles = u.roles;
+		await this.emitAudit("invite.resent", ctx);
+	}
+	async checkPendingInvitation(ctx) {
+		if (!ctx.username) throw new HttpError$1(500, "Workflow state corrupted: missing username at accept");
+		const existing = await this.loadUserOrNull(ctx.username);
+		if (!existing) throw new HttpError$1(410, "This invite has been cancelled");
+		if (!existing.account?.pendingInvitation) ctx.alreadyAccepted = true;
+	}
+	idempotentRedirect(ctx) {
+		const altUrl = this.opts.accept.alreadyAcceptedRedirectUrl;
+		finishWfWithChoice({
+			message: {
+				level: "info",
+				text: "This invite was already accepted."
+			},
+			primary: {
+				label: "Go to sign-in",
+				action: {
+					type: "redirect",
+					target: this.opts.accept.loginUrl,
+					reason: "already-accepted"
+				}
+			},
+			...altUrl && { options: [{
+				label: "Request a new invite",
+				action: {
+					type: "redirect",
+					target: altUrl,
+					reason: "request-new-invite"
+				}
+			}] }
+		});
+		ctx.aborted = true;
+	}
+	preparePasswordRules(ctx) {
+		ctx.passwordPolicies = this.users.getTransferablePolicies();
+	}
+	async createPasswordForm(input, ctx) {
+		if (!input) return httpInputRequired(this.opts.forms.setPassword, ctx);
+		if (input.action === "cancel") return this.abort(ctx, "cancel");
+		const errors = validateFormInput(this.opts.forms.setPassword, input);
+		if (errors) return httpInputRequired(this.opts.forms.setPassword, ctx, errors);
+		if (input.newPassword !== input.confirmPassword) return httpInputRequired(this.opts.forms.setPassword, ctx, { confirmPassword: "Passwords do not match" });
+		requireUsername(ctx);
+		try {
+			await this.users.setPassword(ctx.username, input.newPassword);
+		} catch (err) {
+			translatePasswordSetError(err);
+		}
+		ctx.passwordSet = true;
+	}
+	async collectProfile(input, ctx) {
+		const form = this.getProfileForm();
+		if (!form) return void 0;
+		if (!input) return httpInputRequired(form, ctx);
+		if (input.action === "skip") {
+			ctx.profile = {};
+			return;
+		}
+		const errors = validateFormInput(form, input, { partial: "deep" });
+		if (errors) return httpInputRequired(form, ctx, errors);
+		ctx.profile = input;
+	}
+	async applyProfileStep(ctx) {
+		requireUsername(ctx);
+		const profile = ctx.profile ?? {};
+		if (Object.keys(profile).length === 0) {
+			ctx.profileApplied = true;
+			return;
+		}
+		await this.applyProfile({
+			username: ctx.username,
+			profile
+		});
+		ctx.profileApplied = true;
+	}
+	async unsetPendingInvitation(ctx) {
+		requireUsername(ctx);
+		await this.users.update(ctx.username, { account: { pendingInvitation: false } });
+		ctx.pendingInvitationCleared = true;
+	}
+	async activateUser(ctx) {
+		requireUsername(ctx);
+		await this.users.activateAccount(ctx.username);
+		ctx.activated = true;
+		await this.emitAudit("invite.accepted", ctx);
+	}
+	confirmation(ctx) {
+		ctx.confirmationShown = true;
+		finishWfWithData({ confirmed: true }, {
+			level: "success",
+			text: this.opts.accept.confirmationMessage
+		});
+	}
+	freshLoginFinish(_ctx) {
+		finishWfWithRedirect(this.opts.accept.loginUrl, { reason: "fresh-login-required" });
+	}
+	async autoLoginFinish(ctx) {
+		requireUsername(ctx);
+		const issue = await this.auth.issue(ctx.username);
+		ctx.tokensIssued = true;
+		const auth = useAuth();
+		const envelope = {
+			finished: true,
+			data: auth.buildLoginResponse(ctx.username, issue)
+		};
+		useWfFinished().set({
+			type: "data",
+			value: envelope,
+			cookies: auth.buildFinishedCookies(issue)
+		});
+	}
+	async cancelInvite(input, ctx) {
+		if (!this.opts.cancellation.allowed) throw new HttpError$1(403, "Invite cancellation is disabled");
+		if (!input) return httpInputRequired(this.opts.forms.inviteEmail, ctx);
+		const errors = validateFormInput(this.opts.forms.inviteEmail, input);
+		if (errors) return httpInputRequired(this.opts.forms.inviteEmail, ctx, errors);
+		const email = input.email;
+		const existing = await this.loadUserOrNull(email);
+		if (!existing) throw new HttpError$1(404, "No invite to cancel for this email");
+		if (!existing.account?.pendingInvitation) throw new HttpError$1(409, "Cannot cancel: user has already accepted the invite");
+		await this.users.deleteUser(existing.username);
+		await this.emitAudit("invite.cancelled", {
+			...ctx,
+			email,
+			username: existing.username
+		});
+		finishWfWithData({
+			cancelled: true,
+			email
+		}, {
+			level: "info",
+			text: "Invite cancelled."
+		});
+	}
+	abort(ctx, reason) {
+		finishWfAborted(reason, { message: {
+			level: "info",
+			text: "Invite cancelled."
+		} });
+		ctx.aborted = true;
+		return ALT_HANDLED;
+	}
+	async loadUserOrNull(username) {
+		try {
+			return await this.users.getUser(username);
+		} catch (err) {
+			if (err instanceof UserAuthError && err.type === "NOT_FOUND") return null;
+			throw err;
+		}
+	}
+	async emitAudit(kind, ctx) {
+		if (!this.opts.audit.enabled) return;
+		const invitedBy = useAuth().getAuthContext()?.userId;
+		await this.audit({
+			kind,
+			workflow: AUDIT_WORKFLOW_BY_KIND[kind] ?? "auth.invite",
+			...ctx.username && { userId: ctx.username },
+			...invitedBy && { invitedBy },
+			...ctx.email && { email: ctx.email },
+			ip: resolveClientIp()
+		});
+	}
+};
+__decorate([
+	Workflow("auth.invite"),
+	WorkflowSchema([
+		{ id: "inviteInit" },
+		{
+			id: "invitePrepareAvailableRoles",
+			condition: (ctx) => ctx.opts.adminForm.collectRoles && !ctx.aborted
+		},
+		{
+			id: "inviteSelectSendMode",
+			condition: (ctx) => ctx.opts.send.mode === "choice" && !ctx.resolvedSendMode && !ctx.aborted
+		},
+		{
+			id: "inviteAdminInviteForm",
+			condition: (ctx) => !ctx.email && !ctx.aborted
+		},
+		{
+			id: "inviteInferRolesStep",
+			condition: (ctx) => !!(ctx.email && !ctx.aborted)
+		},
+		{
+			id: "invitePreCreateUser",
+			condition: (ctx) => !!(ctx.email && !ctx.username && !ctx.aborted)
+		},
+		{
+			id: "inviteSendInviteEmail",
+			condition: (ctx) => !!(ctx.username && ctx.resolvedSendMode === "email" && !ctx.aborted)
+		},
+		{
+			id: "inviteReturnShareableLink",
+			condition: (ctx) => !!(ctx.username && ctx.resolvedSendMode === "shareableLink" && !ctx.aborted)
+		},
+		{
+			id: "inviteCheckPendingInvitation",
+			condition: (ctx) => !!(ctx.linkSent && !ctx.aborted)
+		},
+		{
+			id: "inviteIdempotentRedirect",
+			condition: (ctx) => !!(ctx.alreadyAccepted && !ctx.aborted)
+		},
+		{
+			id: "invitePreparePasswordRules",
+			condition: (ctx) => !!(ctx.linkSent && !ctx.alreadyAccepted && !ctx.aborted)
+		},
+		{
+			id: "inviteCreatePasswordForm",
+			condition: (ctx) => !!(ctx.linkSent && !ctx.alreadyAccepted && !ctx.passwordSet && !ctx.aborted)
+		},
+		{
+			id: "inviteCollectProfile",
+			condition: (ctx) => !!(ctx.passwordSet && ctx.acceptProfileFormPresent && !ctx.profile && !ctx.aborted)
+		},
+		{
+			id: "inviteApplyProfile",
+			condition: (ctx) => !!(ctx.passwordSet && ctx.acceptProfileFormPresent && ctx.profile && !ctx.profileApplied && !ctx.aborted)
+		},
+		{
+			id: "inviteUnsetPendingInvitation",
+			condition: (ctx) => !!(ctx.passwordSet && !ctx.pendingInvitationCleared && !ctx.aborted)
+		},
+		{
+			id: "inviteActivateUser",
+			condition: (ctx) => !!(ctx.pendingInvitationCleared && !ctx.activated && !ctx.aborted)
+		},
+		{
+			id: "inviteConfirmation",
+			condition: (ctx) => !!(ctx.activated && ctx.opts.accept.showConfirmation && !ctx.confirmationShown && !ctx.aborted)
+		},
+		{
+			id: "inviteFreshLoginFinish",
+			condition: (ctx) => !!(ctx.activated && ctx.opts.accept.freshLoginRequired && !ctx.aborted)
+		},
+		{
+			id: "inviteAutoLoginFinish",
+			condition: (ctx) => !!(ctx.activated && !ctx.opts.accept.freshLoginRequired && !ctx.tokensIssued && !ctx.aborted)
+		}
+	]),
+	Public(),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", []),
+	__decorateMetadata("design:returntype", void 0)
+], InviteWorkflow.prototype, "inviteFlow", null);
+__decorate([
+	Workflow("auth.reInvite"),
+	WorkflowSchema([
+		{ id: "inviteInit" },
+		{
+			id: "inviteLoadPendingUser",
+			condition: (ctx) => !ctx.aborted
+		},
+		{
+			id: "inviteSendInviteEmail",
+			condition: (ctx) => !!(ctx.username && ctx.resolvedSendMode === "email" && !ctx.aborted)
+		},
+		{
+			id: "inviteReturnShareableLink",
+			condition: (ctx) => !!(ctx.username && ctx.resolvedSendMode === "shareableLink" && !ctx.aborted)
+		},
+		{
+			id: "inviteCheckPendingInvitation",
+			condition: (ctx) => !!(ctx.linkSent && !ctx.aborted)
+		},
+		{
+			id: "inviteIdempotentRedirect",
+			condition: (ctx) => !!(ctx.alreadyAccepted && !ctx.aborted)
+		},
+		{
+			id: "invitePreparePasswordRules",
+			condition: (ctx) => !!(ctx.linkSent && !ctx.alreadyAccepted && !ctx.aborted)
+		},
+		{
+			id: "inviteCreatePasswordForm",
+			condition: (ctx) => !!(ctx.linkSent && !ctx.alreadyAccepted && !ctx.passwordSet && !ctx.aborted)
+		},
+		{
+			id: "inviteCollectProfile",
+			condition: (ctx) => !!(ctx.passwordSet && ctx.acceptProfileFormPresent && !ctx.profile && !ctx.aborted)
+		},
+		{
+			id: "inviteApplyProfile",
+			condition: (ctx) => !!(ctx.passwordSet && ctx.acceptProfileFormPresent && ctx.profile && !ctx.profileApplied && !ctx.aborted)
+		},
+		{
+			id: "inviteUnsetPendingInvitation",
+			condition: (ctx) => !!(ctx.passwordSet && !ctx.pendingInvitationCleared && !ctx.aborted)
+		},
+		{
+			id: "inviteActivateUser",
+			condition: (ctx) => !!(ctx.pendingInvitationCleared && !ctx.activated && !ctx.aborted)
+		},
+		{
+			id: "inviteConfirmation",
+			condition: (ctx) => !!(ctx.activated && ctx.opts.accept.showConfirmation && !ctx.confirmationShown && !ctx.aborted)
+		},
+		{
+			id: "inviteFreshLoginFinish",
+			condition: (ctx) => !!(ctx.activated && ctx.opts.accept.freshLoginRequired && !ctx.aborted)
+		},
+		{
+			id: "inviteAutoLoginFinish",
+			condition: (ctx) => !!(ctx.activated && !ctx.opts.accept.freshLoginRequired && !ctx.tokensIssued && !ctx.aborted)
+		}
+	]),
+	Public(),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", []),
+	__decorateMetadata("design:returntype", void 0)
+], InviteWorkflow.prototype, "reInviteFlow", null);
+__decorate([
+	Workflow("auth.cancelInvite"),
+	WorkflowSchema([{ id: "inviteInit" }, {
+		id: "inviteCancelInvite",
+		condition: (ctx) => !ctx.aborted
+	}]),
+	Public(),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", []),
+	__decorateMetadata("design:returntype", void 0)
+], InviteWorkflow.prototype, "cancelInviteFlow", null);
+__decorate([
+	Step("inviteInit"),
+	__decorateParam(0, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object]),
+	__decorateMetadata("design:returntype", void 0)
+], InviteWorkflow.prototype, "init", null);
+__decorate([
+	Step("invitePrepareAvailableRoles"),
+	__decorateParam(0, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object]),
+	__decorateMetadata("design:returntype", Promise)
+], InviteWorkflow.prototype, "prepareAvailableRoles", null);
+__decorate([
+	Step("inviteSelectSendMode"),
+	__decorateParam(0, WorkflowParam("input")),
+	__decorateParam(1, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object, Object]),
+	__decorateMetadata("design:returntype", Object)
+], InviteWorkflow.prototype, "selectSendMode", null);
+__decorate([
+	Step("inviteAdminInviteForm"),
+	__decorateParam(0, WorkflowParam("input")),
+	__decorateParam(1, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object, Object]),
+	__decorateMetadata("design:returntype", Promise)
+], InviteWorkflow.prototype, "adminInviteForm", null);
+__decorate([
+	Step("inviteInferRolesStep"),
+	__decorateParam(0, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object]),
+	__decorateMetadata("design:returntype", Promise)
+], InviteWorkflow.prototype, "inferRolesStep", null);
+__decorate([
+	Step("invitePreCreateUser"),
+	__decorateParam(0, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object]),
+	__decorateMetadata("design:returntype", Promise)
+], InviteWorkflow.prototype, "preCreateUser", null);
+__decorate([
+	Step("inviteSendInviteEmail"),
+	Public(),
+	__decorateParam(0, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object]),
+	__decorateMetadata("design:returntype", Object)
+], InviteWorkflow.prototype, "sendInviteEmail", null);
+__decorate([
+	Step("inviteReturnShareableLink"),
+	Public(),
+	__decorateParam(0, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object]),
+	__decorateMetadata("design:returntype", Object)
+], InviteWorkflow.prototype, "returnShareableLink", null);
+__decorate([
+	Step("inviteLoadPendingUser"),
+	__decorateParam(0, WorkflowParam("input")),
+	__decorateParam(1, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object, Object]),
+	__decorateMetadata("design:returntype", Promise)
+], InviteWorkflow.prototype, "loadPendingUser", null);
+__decorate([
+	Step("inviteCheckPendingInvitation"),
+	Public(),
+	__decorateParam(0, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object]),
+	__decorateMetadata("design:returntype", Promise)
+], InviteWorkflow.prototype, "checkPendingInvitation", null);
+__decorate([
+	Step("inviteIdempotentRedirect"),
+	Public(),
+	__decorateParam(0, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object]),
+	__decorateMetadata("design:returntype", void 0)
+], InviteWorkflow.prototype, "idempotentRedirect", null);
+__decorate([
+	Step("invitePreparePasswordRules"),
+	Public(),
+	__decorateParam(0, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object]),
+	__decorateMetadata("design:returntype", void 0)
+], InviteWorkflow.prototype, "preparePasswordRules", null);
+__decorate([
+	Step("inviteCreatePasswordForm"),
+	Public(),
+	__decorateParam(0, WorkflowParam("input")),
+	__decorateParam(1, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object, Object]),
+	__decorateMetadata("design:returntype", Promise)
+], InviteWorkflow.prototype, "createPasswordForm", null);
+__decorate([
+	Step("inviteCollectProfile"),
+	Public(),
+	__decorateParam(0, WorkflowParam("input")),
+	__decorateParam(1, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object, Object]),
+	__decorateMetadata("design:returntype", Promise)
+], InviteWorkflow.prototype, "collectProfile", null);
+__decorate([
+	Step("inviteApplyProfile"),
+	Public(),
+	__decorateParam(0, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object]),
+	__decorateMetadata("design:returntype", Promise)
+], InviteWorkflow.prototype, "applyProfileStep", null);
+__decorate([
+	Step("inviteUnsetPendingInvitation"),
+	Public(),
+	__decorateParam(0, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object]),
+	__decorateMetadata("design:returntype", Promise)
+], InviteWorkflow.prototype, "unsetPendingInvitation", null);
+__decorate([
+	Step("inviteActivateUser"),
+	Public(),
+	__decorateParam(0, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object]),
+	__decorateMetadata("design:returntype", Promise)
+], InviteWorkflow.prototype, "activateUser", null);
+__decorate([
+	Step("inviteConfirmation"),
+	Public(),
+	__decorateParam(0, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object]),
+	__decorateMetadata("design:returntype", void 0)
+], InviteWorkflow.prototype, "confirmation", null);
+__decorate([
+	Step("inviteFreshLoginFinish"),
+	Public(),
+	__decorateParam(0, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object]),
+	__decorateMetadata("design:returntype", void 0)
+], InviteWorkflow.prototype, "freshLoginFinish", null);
+__decorate([
+	Step("inviteAutoLoginFinish"),
+	Public(),
+	__decorateParam(0, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object]),
+	__decorateMetadata("design:returntype", Promise)
+], InviteWorkflow.prototype, "autoLoginFinish", null);
+__decorate([
+	Step("inviteCancelInvite"),
+	__decorateParam(0, WorkflowParam("input")),
+	__decorateParam(1, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object, Object]),
+	__decorateMetadata("design:returntype", Promise)
+], InviteWorkflow.prototype, "cancelInvite", null);
+InviteWorkflow = __decorate([
+	ArbacResource("auth.invite"),
+	ArbacAction("start"),
+	Injectable("FOR_EVENT"),
+	Controller(),
+	__decorateMetadata("design:paramtypes", [
+		Object,
+		typeof (_ref = typeof UserService !== "undefined" && UserService) === "function" ? _ref : Object,
+		typeof (_ref2 = typeof AuthCredential !== "undefined" && AuthCredential) === "function" ? _ref2 : Object
+	])
+], InviteWorkflow);
+//#endregion
+//#region src/workflows/auth-email-outlet.ts
+/**
+* Build the email outlet that delivers magic links via the consumer's
+* `EmailSender`. Single-use: pass the same instance into one
+* `handleWfOutletRequest({ outlets })`.
+*/
+function createAuthEmailOutlet(deps) {
+	return createEmailOutlet(async (opts) => {
+		const template = opts.template;
+		const ttlHint = typeof opts.context?.expiresAtMs === "number" ? opts.context.expiresAtMs : 0;
+		const expiresAt = Date.now() + (ttlHint || deps.magicLinkTtlMs(template));
+		const url = deps.buildMagicLinkUrl(template, opts.token);
+		const event = {
+			kind: template,
+			recipient: opts.target,
+			url,
+			expiresAt
+		};
+		if (typeof opts.context?.username === "string") event.username = opts.context.username;
+		const rolesRaw = opts.context?.roles;
+		if (Array.isArray(rolesRaw)) {
+			const roles = rolesRaw.filter((r) => typeof r === "string");
+			if (roles.length > 0) event.metadata = { roles };
+		}
+		await deps.emailSender.send(event);
+	});
+}
+//#endregion
+export { AuthController, AuthGuarded, DEFAULT_AUTH_WORKFLOWS, InviteWorkflow, LoginWorkflow, Public, RecoveryWorkflow, UserId, WfTrigger, WfTriggerProvider, authGuardInterceptor, createAuthEmailOutlet, generateMagicLinkToken, getAuthMate, mergeInviteOpts, mergeLoginOpts, mergeRecoveryOpts, parseInviteRoles, useAuth };