@aooth/auth-moost 0.1.18 → 0.1.20

package/dist/index.mjs

@@ -1,16 +1,16 @@
-import { C as Select2faForm, E as TermsBumpForm, S as RemoveMfaConfirmForm, T as SignupForm, _ as PincodeForm, a as ConcurrencyLimitForm, c as EnrollConfirmForm, d as InviteForm, f as LoginCredentialsForm, g as PasswordReauthForm, h as MfaCodeForm, i as ChangePasswordForm, l as EnrollPickMethodForm, m as ManageMfaForm, n as AskPhoneForm, o as EmailIdentifierForm, r as AuthorizeConsentForm, s as EnrollAddressForm, t as AskEmailForm, u as EnrollTotpQrForm, v as ProveControlForm, w as SetPasswordForm, y as ProveControlOtpForm } from "./forms-D7ZfanKT.mjs";
+import { C as Select2faForm, E as TermsBumpForm, S as RemoveMfaConfirmForm, T as SignupForm, _ as PincodeForm, a as ConcurrencyLimitForm, c as EnrollConfirmForm, d as InviteForm, f as LoginCredentialsForm, g as PasswordReauthForm, h as MfaCodeForm, i as ChangePasswordForm, l as EnrollPickMethodForm, m as ManageMfaForm, n as AskPhoneForm, o as EmailIdentifierForm, r as AuthorizeConsentForm, s as EnrollAddressForm, t as AskEmailForm, u as EnrollTotpQrForm, v as ProveControlForm, w as SetPasswordForm, y as ProveControlOtpForm } from "./forms-uqegc32h.mjs";
 import { Controller, HandlerPaths, Inherit, Inject, InjectMoostLogger, Injectable, Intercept, MoostInit, Optional, Param, Resolve, TInterceptorPriority, defineAfterInterceptor, defineBeforeInterceptor, getMoostMate, useControllerContext } from "moost";
 import { AuthCredential, AuthError, generateMagicLinkToken } from "@aooth/auth";
 import { current, defineWook, eventTypeKey, key } from "@wooksjs/event-core";
 import { HttpError, useAuthorization, useCookies, useHeaders, useRequest, useResponse, useUrlParams } from "@wooksjs/event-http";
 import { ArbacAction, ArbacResource, getArbacMate } from "@aooth/arbac-moost";
-import { FederatedIdentityStore, UserAuthError, UserService, generateMfaCode, generateTotpSecret, generateTotpUri, maskEmail, maskPhone, pickDefinedProfile, verifyTotpCode } from "@aooth/user";
+import { FederatedIdentityStore, SEEN_DEVICES_DEFAULT_CAP, UserAuthError, UserService, generateMfaCode, generateTotpSecret, generateTotpUri, maskEmail, maskPhone, pickDefinedProfile, verifyTotpCode } from "@aooth/user";
 import { Body, Delete, Get, HttpError as HttpError$1, Post, Query } from "@moostjs/event-http";
 import { createHash, randomBytes, timingSafeEqual } from "node:crypto";
 import { createAsHttpOutlet, finishWf, handleAsOutletRequest, useAtscriptWf } from "@atscript/moost-wf";
 import { EncapsulatedStateStrategy, MoostWf, Step, StepRetriableError, StepTTL, Workflow, WorkflowParam, WorkflowSchema, createEmailOutlet, outletEmail, swapStrategy, useWfFinished, useWfState } from "@moostjs/event-wf";
 import { FederatedLoginService, OAuthError, OAuthProviderRegistry, generateRandomState, pkceChallengeFor } from "@aooth/idp";
-import { AuthorizeError, NoopOidcClaimsResolver } from "@aooth/auth/authz";
+import { ClientRegistrationError, DynamicClientRegistration, NoopOidcClaimsResolver, buildAuthorizationServerMetadata, buildAuthorizationServerMetadata as buildAuthorizationServerMetadata$1, buildProtectedResourceMetadata, buildWwwAuthenticateBearerChallenge, canonicalizeIssuer, canonicalizeIssuer as canonicalizeIssuer$1 } from "@aooth/auth/authz";
 //#region \0@oxc-project+runtime@0.133.0/helpers/esm/decorate.js
 function __decorate(decorators, target, key, desc) {
 	var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
@@ -705,6 +705,17 @@ const AUTH_CODE_STORE_TOKEN = "aooth:AuthCodeStore";
 * `CompositeClientPolicy` of both) under this string.
 */
 const CLIENT_REDIRECT_POLICY_TOKEN = "aooth:ClientRedirectPolicy";
+/**
+* DI token for the {@link import("@aooth/auth/authz").DynamicClientStore}
+* (RFC 7591 dynamic registrations) — an abstract class, same auto-instantiation
+* hazard as the store tokens above. The BASE `AuthorizeController` never
+* injects it (DCR is optional, and an optional `@Inject` panics in moost's
+* route-table pass): a consumer subclass that enables DCR adds it as a
+* REQUIRED ctor param, builds a `DynamicClientRegistration` around it, and
+* overrides `getDynamicClientRegistration()`. The same store instance also
+* backs the `DynamicClientPolicy` composed into the redirect policy.
+*/
+const DYNAMIC_CLIENT_STORE_TOKEN = "aooth:DynamicClientStore";
 //#endregion
 //#region \0@oxc-project+runtime@0.133.0/helpers/esm/decorateParam.js
 function __decorateParam(paramIndex, decorator) {
@@ -953,6 +964,12 @@ const DEFAULT_FORMS = {
 	authzConsent: AuthorizeConsentForm
 };
 function mergeAuthWorkflowOpts(opts) {
+	const deviceTrust = {
+		cookieName: "aooth_trusted_device",
+		ttlMs: 1440 * 6e4,
+		bindsTo: "cookie",
+		...opts.deviceTrust
+	};
 	return {
 		autoLoginOnInvite: opts.autoLoginOnInvite ?? true,
 		autoLoginOnRecover: opts.autoLoginOnRecover ?? false,
@@ -965,11 +982,11 @@ function mergeAuthWorkflowOpts(opts) {
 		recoveryStateTtlMs: opts.recoveryStateTtlMs ?? 3600 * 1e3,
 		loginUrl: opts.loginUrl ?? "/login",
 		totpIssuer: opts.totpIssuer ?? "aooth",
-		deviceTrust: {
-			cookieName: "aooth_trusted_device",
-			ttlMs: 1440 * 6e4,
-			bindsTo: "cookie",
-			...opts.deviceTrust
+		deviceTrust,
+		deviceRecognition: {
+			cookieName: opts.deviceRecognition?.cookieName ?? `${deviceTrust.cookieName}_seen`,
+			ttlMs: opts.deviceRecognition?.ttlMs ?? 4320 * 60 * 6e4,
+			maxDevices: opts.deviceRecognition?.maxDevices ?? SEEN_DEVICES_DEFAULT_CAP
 		},
 		forms: {
 			...DEFAULT_FORMS,
@@ -995,6 +1012,7 @@ const RESERVED_USER_KEYS = new Set([
 	"passwordHistory",
 	"mfa",
 	"trustedDevices",
+	"seenDevices",
 	"pendingInvitation"
 ]);
 /**
@@ -1006,6 +1024,50 @@ function stripReservedUserKeys(profile) {
 	for (const key of Object.keys(profile)) if (!RESERVED_USER_KEYS.has(key)) out[key] = profile[key];
 	return out;
 }
+const UA_BROWSERS = [
+	["Edg", "Edge"],
+	["Chrome", "Chrome"],
+	["Firefox", "Firefox"],
+	["Safari", "Safari"]
+];
+const UA_OSES = [
+	[/iPhone|iPad|iPod/, "iOS"],
+	[/Android/, "Android"],
+	[/Mac OS X|Macintosh/, "macOS"],
+	[/Windows/, "Windows"],
+	[/Linux/, "Linux"]
+];
+/**
+* Best-effort "Browser on OS" label from a raw User-Agent string — feeds the
+* `name` field of `seenDevices` records so a device list reads "Chrome on
+* Windows" instead of a token. Deliberately tiny (no UA-parser dependency);
+* detection order lives in the `UA_BROWSERS` / `UA_OSES` tables above.
+* Returns just the browser or just the OS when only one side is detected;
+* `undefined` for empty / fully unrecognized input.
+*/
+function humanizeUserAgent(ua) {
+	if (!ua) return void 0;
+	const browser = UA_BROWSERS.find(([token]) => ua.includes(token))?.[1];
+	const os = UA_OSES.find(([pattern]) => pattern.test(ua))?.[1];
+	if (browser && os) return `${browser} on ${os}`;
+	return browser ?? os;
+}
+/**
+* Great-circle distance in kilometres between two coordinates (haversine,
+* WGS84 mean radius 6371 km) — for impossible-travel thresholds against
+* per-session geo metadata captured via `resolveIssueMetadata`. Pure and
+* dependency-free; aooth ships no geo resolution or default thresholds —
+* feeding coordinates in (and deciding what distance is "impossible") is
+* consumer policy.
+*/
+const toRad = (deg) => deg * Math.PI / 180;
+function haversineKm(a, b) {
+	const R = 6371;
+	const dLat = toRad(b.lat - a.lat);
+	const dLon = toRad(b.lon - a.lon);
+	const h = Math.sin(dLat / 2) ** 2 + Math.cos(toRad(a.lat)) * Math.cos(toRad(b.lat)) * Math.sin(dLon / 2) ** 2;
+	return 2 * R * Math.asin(Math.sqrt(h));
+}
 /** Trim + de-duplicate role identifiers submitted via the admin invite form. */
 function parseInviteRoles(input) {
 	if (!Array.isArray(input)) return [];
@@ -1142,6 +1204,27 @@ let AuthWorkflow = class AuthWorkflow {
 	*/
 	deliver(_payload) {}
 	/**
+	* The blessed one-call alert path for risk overrides — emit a
+	* `security-alert` delivery (e.g. from an impossible-travel
+	* `resolveRiskStepUp` override). Recipient comes from `ctx.notice.email`,
+	* the proven-first correspondence chain seeded by `credentials` /
+	* `seedChannelState` and refreshed by `verify/email`. No recipient →
+	* SILENT no-op (a user with no provable inbox simply can't be alerted —
+	* mirrors `notifyNewDevice`'s posture). Never called by the base class.
+	*/
+	async sendSecurityAlert(ctx, reason, context) {
+		const recipient = ctx.notice?.email;
+		if (!recipient) return;
+		await this.deliver({
+			kind: "security-alert",
+			channel: "email",
+			recipient,
+			reason,
+			loginAt: Date.now(),
+			...context && { context }
+		});
+	}
+	/**
 	* Return the list of selectable role identifiers for the admin invite form.
 	* Mirrors the prior `InviteWorkflow.getAvailableRoles()` consumer hook —
 	* `undefined` (default) means no whitelist is enforced. Read by
@@ -1170,11 +1253,19 @@ let AuthWorkflow = class AuthWorkflow {
 		return [];
 	}
 	/**
-	* Override the structural duplicate rule for `admin-form`. Default: any
-	* existing row → `'reject'`; nothing → `'allow'`. Multi-tenant apps that
-	* allow re-inviting the same email into a different tenant override.
+	* Override the structural duplicate rule for `admin-form`. Default: a row
+	* still parked on `account.pendingInvitation` → `'reuse'` (re-invite:
+	* `create-user` refreshes the existing record in place and `send-email`
+	* mints a fresh magic link — see `createUser`); any other existing row →
+	* `'reject'`; nothing → `'allow'`.
+	*
+	* Multi-tenant apps that allow re-inviting the same email into a different
+	* tenant override to `'allow'`. Apps that want the strict legacy behavior
+	* ("Invite already pending" error on a duplicate invite of a pending user)
+	* return `'reject'` for pending rows.
 	*/
 	duplicateInviteCheck(input) {
+		if (input.existingUser?.account?.pendingInvitation) return "reuse";
 		return input.existingUser ? "reject" : "allow";
 	}
 	/**
@@ -1642,6 +1733,19 @@ let AuthWorkflow = class AuthWorkflow {
 	*/
 	resolvePromoteHandleField(_ctx, _channel) {}
 	/**
+	* Decide whether a verified federated profile's email claim counts as inbox
+	* proof for the CORRESPONDENCE address (`users.setVerifiedEmail`). Default
+	* trusts the provider's `email_verified` claim — a provider trusted to
+	* AUTHENTICATE the user is strictly more trusted than its email claim. The
+	* capture is correspondence-only: it never promotes the address to a login
+	* handle and never resolves accounts by it. Override to exclude providers
+	* whose claim should not be taken at face value (e.g. an internal OIDC
+	* issuer that stamps `email_verified` on unverified directory entries).
+	*/
+	resolveFederatedEmailTrust(_ctx, profile) {
+		return profile.emailVerified === true;
+	}
+	/**
 	* Route a form alt-action click to a canonical outcome. Defaults match the
 	* action ids the bundled `PincodeForm` declares; customers override per
 	* form when adding new actions or remapping the canonical ones.
@@ -1751,7 +1855,11 @@ let AuthWorkflow = class AuthWorkflow {
 		}
 		if (ctx.newPasswordRequired !== void 0) pub.newPasswordRequired = ctx.newPasswordRequired;
 		if (ctx.authz) {
-			const sub = pickDefined(ctx.authz, ["clientName", "scope"]);
+			const sub = pickDefined(ctx.authz, [
+				"clientName",
+				"scope",
+				"redirectHost"
+			]);
 			if (sub) pub.authz = sub;
 		}
 		ctx.public = pub;
@@ -2093,7 +2201,7 @@ let AuthWorkflow = class AuthWorkflow {
 			else if (ctx.isPasswordExpired) (ctx.password ??= {}).changeReason = "expired";
 			const email = result.user.mfa.methods.find((m) => m.name === "email" && m.confirmed);
 			if (email) {
-				ctx.email = email.value;
+				(ctx.notice ??= {}).email = email.value;
 				(ctx.channel ??= {}).emailConfirmed = true;
 			}
 			const phone = result.user.mfa.methods.find((m) => m.name === "sms" && m.confirmed);
@@ -2102,6 +2210,7 @@ let AuthWorkflow = class AuthWorkflow {
 				channel.phone = phone.value;
 				channel.phoneConfirmed = true;
 			}
+			if (!ctx.notice?.email) await this.seedCorrespondenceEmail(ctx, result.user);
 		} catch (err) {
 			if (err instanceof UserAuthError) {
 				if (err.type === "LOCKED") throw this.throwPublic(ctx, wf, { formMessage: "Account locked, please try again later" });
@@ -2430,14 +2539,16 @@ let AuthWorkflow = class AuthWorkflow {
 			if (parsed.find((r) => !allowed.has(r)) !== void 0) throw this.throwPublic(ctx, wf, { errors: { roles: "Invalid role" } });
 		}
 		const existing = await this.users.findByHandle(email);
-		if (await this.duplicateInviteCheck({
+		const action = await this.duplicateInviteCheck({
 			email,
 			existingUser: existing
-		}) === "reject") {
+		});
+		if (action === "reject") {
 			if (existing?.account?.pendingInvitation) throw this.throwPublic(ctx, wf, { errors: { email: "Invite already pending" } });
 			if (existing) throw this.throwPublic(ctx, wf, { errors: { email: "User already exists" } });
 			throw this.throwPublic(ctx, wf, { errors: { email: "Duplicate invite rejected" } });
 		}
+		if (action === "reuse") (ctx.admin ??= {}).reuseExisting = true;
 		ctx.email = email;
 		if (parsed.length > 0) (ctx.admin ??= {}).roles = parsed;
 	}
@@ -2473,6 +2584,19 @@ let AuthWorkflow = class AuthWorkflow {
 	* Create the user row from `ctx.admin.userExtras` (plus the admin-supplied
 	* `ctx.admin.roles`), then stamp `pendingInvitation = true` via a follow-up
 	* deep-merge update so `createUser`-applied account defaults survive.
+	*
+	* Re-invite (`ctx.admin.reuseExisting`, stamped by `admin-form` on a
+	* `'reuse'` verdict): REFRESH the existing row instead of creating — apply
+	* the freshly-picked roles + `prepareUser` extras, re-assert
+	* `pendingInvitation`, and leave password/MFA state untouched (a pending
+	* record never had usable credentials). `send-email` downstream then mints
+	* a fresh durable handle, i.e. a new full-TTL magic link. Guarded by a
+	* FRESH `pendingInvitation` read: a `'reuse'` verdict for an accepted
+	* account 409s as a logic error rather than silently re-pending a live
+	* user; a row that vanished since `admin-form` falls through to the normal
+	* create path. The refresh is a deep-merge update: arrays (`roles`)
+	* replace wholesale, but extras keys the current `prepareUser` no longer
+	* returns linger from the original invite.
 	*/
 	async createUser(ctx) {
 		if (!ctx.email) throw new HttpError$1(500, "Workflow state corrupted: missing email");
@@ -2481,6 +2605,18 @@ let AuthWorkflow = class AuthWorkflow {
 			...ctx.admin?.userExtras,
 			...adminRoles && adminRoles.length > 0 && { roles: adminRoles }
 		};
+		if (ctx.admin?.reuseExisting) {
+			const existing = await this.users.findByHandle(ctx.email);
+			if (existing) {
+				if (!existing.account?.pendingInvitation) throw new HttpError$1(409, "User already exists");
+				await this.users.update(existing.id, {
+					...fields,
+					account: { pendingInvitation: true }
+				});
+				ctx.subject = existing.id;
+				return;
+			}
+		}
 		let created;
 		try {
 			created = await this.users.createUser(ctx.email, void 0, fields);
@@ -2552,7 +2688,7 @@ let AuthWorkflow = class AuthWorkflow {
 	/** Activate the invited user account (flips the account status flag). */
 	async activateUser(ctx) {
 		this.requireSubject(ctx);
-		await this.users.activateAccount(ctx.subject);
+		await this.users.activateAccount(ctx.subject, ctx.email ? { verifiedEmail: ctx.email } : {});
 	}
 	/**
 	* Emit the success-confirmation envelope. The downstream `finalize-auto-
@@ -2909,7 +3045,7 @@ let AuthWorkflow = class AuthWorkflow {
 			value,
 			confirmed: false
 		}));
-		if (isEmail) ctx.email = value;
+		if (isEmail) (ctx.channel ??= {}).email = value;
 		else (ctx.channel ??= {}).phone = value;
 		const code = this.mintPin(ctx, this.opts.mfa.pincodeLength, this.opts.mfa.pincodeTtlMs);
 		await this.deliver({
@@ -2936,7 +3072,7 @@ let AuthWorkflow = class AuthWorkflow {
 				const remainingSec = Math.ceil((ctx.pincode.resendAllowedAt - Date.now()) / 1e3);
 				throw this.throwPublic(ctx, pincodeWf, { formMessage: `Please wait ${remainingSec}s before requesting a new code.` });
 			}
-			const recipient = isEmail ? ctx.email : ctx.channel?.phone;
+			const recipient = isEmail ? ctx.channel?.email : ctx.channel?.phone;
 			const code = this.mintPin(ctx, this.opts.mfa.pincodeLength, this.opts.mfa.pincodeTtlMs);
 			await this.deliver({
 				kind: "enroll-pincode",
@@ -2956,11 +3092,16 @@ let AuthWorkflow = class AuthWorkflow {
 		if (pinErr) throw this.throwPublic(ctx, pincodeWf, { errors: pinErr });
 		await this.withStoreErrorTranslation(() => this.users.confirmMfaMethod(ctx.subject, isEmail ? "email" : "sms"));
 		const channelState = ctx.channel ??= {};
-		if (isEmail) channelState.emailConfirmed = true;
-		else channelState.phoneConfirmed = true;
+		if (isEmail) {
+			channelState.emailConfirmed = true;
+			if (channelState.email) {
+				await this.users.setVerifiedEmail(ctx.subject, channelState.email);
+				(ctx.notice ??= {}).email = channelState.email;
+			}
+		} else channelState.phoneConfirmed = true;
 		if (channelState.otpDisclosure) {
 			const channelArg = isEmail ? "email" : "sms";
-			const target = isEmail ? ctx.email : channelState.phone;
+			const target = isEmail ? channelState.email : channelState.phone;
 			await this.consentStore.recordOtpChannelConsent(ctx.subject, channelArg, target, channelState.otpDisclosure);
 		}
 		delete ctx.pin;
@@ -3149,6 +3290,9 @@ let AuthWorkflow = class AuthWorkflow {
 			code,
 			expiresInMs: this.opts.mfa.pincodeTtlMs
 		});
+		const otp = ctx.otp ??= {};
+		otp.deliveredTo = target.address;
+		otp.deliveredChannel = target.channel;
 		const pincode = ctx.pincode ??= {};
 		pincode.sentTo = this.maskAddress(target.address, target.channel);
 		pincode.codeLength = this.opts.mfa.pincodeLength;
@@ -3199,7 +3343,9 @@ let AuthWorkflow = class AuthWorkflow {
 		}
 		const pinErr = this.verifyPin(ctx, input.code);
 		if (pinErr) throw this.throwPublic(ctx, wf, { errors: pinErr });
-		(ctx.otp ??= {}).verified = true;
+		const otp = ctx.otp ??= {};
+		otp.verified = true;
+		if (ctx.subject && otp.deliveredChannel === "email" && otp.deliveredTo) await this.users.setVerifiedEmail(ctx.subject, otp.deliveredTo);
 		(ctx.session ??= {}).riskStepUpEvaluated = false;
 		if (ctx.deviceTrust?.enabled && ctx.deviceTrust?.optIn) (ctx.trust ??= {}).rememberDevice = Boolean(input.rememberDevice);
 		delete ctx.pin;
@@ -3399,6 +3545,7 @@ let AuthWorkflow = class AuthWorkflow {
 			value,
 			confirmed: true
 		}));
+		if (methodName === "email") await this.users.setVerifiedEmail(username, value);
 		if (!m.keepExistingDefault) await this.users.setDefaultMfaMethod(username, methodName);
 		m.done = true;
 		(ctx.otp ??= {}).verified = true;
@@ -3495,6 +3642,47 @@ let AuthWorkflow = class AuthWorkflow {
 		(ctx.trust ??= {}).deviceTrustToken = record.token;
 	}
 	/**
+	* Always-on device RECOGNITION — verify-or-mint the long-lived recognition
+	* cookie against the `seenDevices` ledger. Recognition is a notification
+	* suppressor ONLY (the notify-new-device gate reads `trust.recognized`); it
+	* never skips MFA — that is `deviceTrust`, which stays opt-in and strict.
+	*
+	* Deliberately a SEPARATE step from `check-trusted-device`: that step is
+	* schema-gated on `deviceTrust.enabled && skipsMfa`, so recognition must
+	* not piggyback on it or recognition dies whenever trust is disabled —
+	* exactly the consumers who get the noisiest notify behaviour today.
+	* Verify-or-mint lives in ONE step so `trust.recognized` captures the
+	* PRE-MINT arrival state the notify gate needs (a freshly minted token
+	* must not mark the current login as recognized).
+	*
+	* A valid arriving cookie is verified with `slideTtlMs` (LRU bump) and
+	* re-stashed on `trust.seenDeviceToken` so `issue` re-sets it with a fresh
+	* maxAge. An unrecognized arrival mints + persists a new record (capped at
+	* `deviceRecognition.maxDevices`) and stashes the new token — `recognized`
+	* stays unset so the notification still fires for this login. Degrades
+	* gracefully to a no-op when no `deviceTrust.secret` is configured,
+	* preserving the legacy notify behaviour for those consumers.
+	*/
+	async deviceRecognition(ctx) {
+		if (!ctx.subject) return void 0;
+		if (!this.users.hasDeviceTrustSecret()) return void 0;
+		const cookieValue = useCookies(current()).getCookie(this.opts.deviceRecognition.cookieName);
+		const trust = ctx.trust ??= {};
+		if (cookieValue) {
+			if (await this.users.verifySeenDevice(ctx.subject, cookieValue, { slideTtlMs: this.opts.deviceRecognition.ttlMs })) {
+				trust.recognized = true;
+				trust.seenDeviceToken = cookieValue;
+				return;
+			}
+		}
+		const record = this.users.issueSeenDevice(ctx.subject, {
+			ttlMs: this.opts.deviceRecognition.ttlMs,
+			name: humanizeUserAgent(this.resolveUserAgent())
+		});
+		await this.users.addSeenDevice(ctx.subject, record, { cap: this.opts.deviceRecognition.maxDevices });
+		trust.seenDeviceToken = record.token;
+	}
+	/**
 	* Standalone terms-bump prompt for returning users whose accepted terms
 	* version is stale and no carrier form ran. Delegates to
 	* `processInlineConsent` for validation + ctx writes.
@@ -3570,14 +3758,8 @@ let AuthWorkflow = class AuthWorkflow {
 	*/
 	async revokeSessions(ctx) {
 		if (!ctx.subject) return void 0;
-		if (ctx.changePassword?.revokeOtherSessions) {
-			const currentSessionId = useAuth().getSessionId();
-			if (currentSessionId) {
-				await this.auth.revokeOtherSessions(ctx.subject, currentSessionId);
-				return;
-			}
-		}
-		await this.auth.revokeAllForUser(ctx.subject);
+		const currentSessionId = ctx.changePassword?.revokeOtherSessions ? useAuth().getSessionId() : void 0;
+		await Promise.all([currentSessionId ? this.auth.revokeOtherSessions(ctx.subject, currentSessionId) : this.auth.revokeAllForUser(ctx.subject), this.users.revokeSeenDevices(ctx.subject)]);
 	}
 	/**
 	* Lift a failed-login lockout after a successful password reset. Recovery
@@ -3603,14 +3785,19 @@ let AuthWorkflow = class AuthWorkflow {
 			finished: true,
 			data: auth.buildLoginResponse(ctx.subject, issue)
 		};
-		const sessionCookies = auth.buildFinishedCookies(issue);
-		const cookies = ctx.trust?.deviceTrustToken ? {
-			...sessionCookies,
-			[this.opts.deviceTrust.cookieName]: {
-				value: ctx.trust.deviceTrustToken,
-				options: auth.cookieAttrs({ maxAge: this.opts.deviceTrust.ttlMs / 1e3 })
-			}
-		} : sessionCookies;
+		let cookies = auth.buildFinishedCookies(issue);
+		const attachDeviceCookie = (name, value, ttlMs) => {
+			if (!value) return;
+			cookies = {
+				...cookies,
+				[name]: {
+					value,
+					options: auth.cookieAttrs({ maxAge: ttlMs / 1e3 })
+				}
+			};
+		};
+		attachDeviceCookie(this.opts.deviceTrust.cookieName, ctx.trust?.deviceTrustToken, this.opts.deviceTrust.ttlMs);
+		attachDeviceCookie(this.opts.deviceRecognition.cookieName, ctx.trust?.seenDeviceToken, this.opts.deviceRecognition.ttlMs);
 		useWfFinished().set({
 			type: "data",
 			value: envelope,
@@ -3620,14 +3807,24 @@ let AuthWorkflow = class AuthWorkflow {
 	/**
 	* Notify the user of a login from a new device via the unified `deliver`
 	* hook. Gated upstream by
-	* `!ctx.isFirstLogin && !!ctx.finalize.notifyNewDevice && !!ctx.trust.newDevice`.
+	* `!ctx.isFirstLogin && !!ctx.finalize.notifyNewDevice && !ctx.trust.recognized`
+	* — "not recognized" (no valid recognition cookie on arrival), NOT "no
+	* valid trust cookie": users who decline remember-me, or whose strict trust
+	* cookie expired / failed IP binding, must not get the email on every
+	* login. Recognition is the loose always-on ledger minted by
+	* `device-recognition`; trust stays strict and drives MFA skip only.
+	*
+	* Recipient is `notice.email` — the security-notice slot owned by the
+	* `credentials` / `seedChannelState` seeding and refreshed by
+	* `verify/email`. No recipient seeded → silently skips.
 	*/
 	async notifyNewDevice(ctx) {
-		if (!ctx.email) return void 0;
+		const recipient = ctx.notice?.email;
+		if (!recipient) return void 0;
 		await this.deliver({
 			kind: "new-device-notice",
 			channel: "email",
-			recipient: ctx.email,
+			recipient,
 			loginAt: Date.now()
 		});
 	}
@@ -3696,8 +3893,12 @@ let AuthWorkflow = class AuthWorkflow {
 			} });
 			return;
 		}
-		if (req.clientId !== void 0) authz.clientName = req.clientId;
+		const clientName = req.clientName ?? req.clientId;
+		if (clientName !== void 0) authz.clientName = clientName;
 		if (req.scope !== void 0) authz.scope = req.scope;
+		try {
+			authz.redirectHost = new URL(req.redirectUri).host;
+		} catch {}
 		const wf = this.useAtscriptWfPublic(ctx, this.opts.forms.authzConsent);
 		if (wf.resolveAction() === "deny") {
 			await pending.delete(authz.handle);
@@ -3762,6 +3963,7 @@ let AuthWorkflow = class AuthWorkflow {
 			redirectUri: req.redirectUri,
 			...req.clientId !== void 0 && { clientId: req.clientId },
 			...req.scope !== void 0 && { scope: req.scope },
+			...req.resource !== void 0 && { resource: req.resource },
 			...req.nonce !== void 0 && { nonce: req.nonce },
 			...req.idToken !== void 0 && { idToken: req.idToken },
 			...req.accessToken !== void 0 && { accessToken: req.accessToken },
@@ -4094,7 +4296,7 @@ let AuthWorkflow = class AuthWorkflow {
 			});
 			if (Object.keys(extras).length > 0) await this.users.update(outcome.userId, extras);
 		}
-		this.seedChannelState(ctx, user, profile.email);
+		await this.seedChannelState(ctx, user, profile);
 		swapStrategy("store");
 	}
 	/**
@@ -4121,19 +4323,31 @@ let AuthWorkflow = class AuthWorkflow {
 		} });
 	}
 	/**
-	* Seed `ctx.email` / `ctx.channel` from a resolved user's confirmed channels —
+	* Seed `ctx.notice.email` / `ctx.channel` from a resolved user's confirmed channels —
 	* shared by `ssoCallback` (linked / created / auto-linked) and `proveControl`
 	* (interactively-linked) so the post-success channel shape can't drift between
-	* the two federated entry points. Mirrors `credentials`' post-login seeding.
-	* `fallbackEmail` (the provider / snapshot email) is a DISPLAY fallback only —
-	* never promoted to the unique login handle (a gated, later-phase concern).
-	*/
-	seedChannelState(ctx, user, fallbackEmail) {
+	* the two federated entry points. Mirrors `credentials`' post-login seeding,
+	* including the correspondence fallback (confirmed email-MFA →
+	* `users.getCorrespondenceEmail` → provider display email).
+	*
+	* Also the single federated capture point for `users.setVerifiedEmail`: a
+	* trusted `profile.email` (per `resolveFederatedEmailTrust`) is recorded as
+	* the proven correspondence address on EVERY federated login — first-time
+	* create, returning link, and interactive link alike (the store write is
+	* skipped when the capture is already current). The profile email is
+	* otherwise a DISPLAY fallback only — never promoted to the unique login
+	* handle (a gated, later-phase concern).
+	*/
+	async seedChannelState(ctx, user, profile) {
+		if (profile?.email && user.account.verifiedEmail !== profile.email && await this.resolveFederatedEmailTrust(ctx, profile)) {
+			await this.users.setVerifiedEmail(user.id, profile.email);
+			user.account.verifiedEmail = profile.email;
+		}
 		const email = user.mfa.methods.find((m) => m.name === "email" && m.confirmed);
 		if (email) {
-			ctx.email = email.value;
+			(ctx.notice ??= {}).email = email.value;
 			(ctx.channel ??= {}).emailConfirmed = true;
-		} else if (fallbackEmail) ctx.email = fallbackEmail;
+		} else await this.seedCorrespondenceEmail(ctx, user, profile?.email);
 		const phone = user.mfa.methods.find((m) => m.name === "sms" && m.confirmed);
 		if (phone) {
 			const channel = ctx.channel ??= {};
@@ -4142,6 +4356,19 @@ let AuthWorkflow = class AuthWorkflow {
 		}
 	}
 	/**
+	* Correspondence tail of the `ctx.notice.email` seeding — shared by
+	* `credentials` (post-login) and `seedChannelState` (federated) so the
+	* fallback chain (`users.getCorrespondenceEmail` → optional display email)
+	* can't drift between the two. Does NOT set `channel.emailConfirmed` — that
+	* flag means "confirmed email-MFA channel" and gates enrolment; a
+	* correspondence address is a notice recipient, not a proven OTP channel.
+	*/
+	async seedCorrespondenceEmail(ctx, user, displayEmail) {
+		const correspondence = await this.users.getCorrespondenceEmail(user);
+		if (correspondence) (ctx.notice ??= {}).email = correspondence;
+		else if (displayEmail) (ctx.notice ??= {}).email = displayEmail;
+	}
+	/**
 	* `needs-link` setup (decision A — password, OTP fallback). Decide how the
 	* user will prove control of the matched account, stash the pending-link
 	* state, and return so the `prove-control` @Step (gated on `ctx.pendingLink`)
@@ -4296,7 +4523,7 @@ let AuthWorkflow = class AuthWorkflow {
 			isNew: false,
 			...pending.redirect ? { redirect: pending.redirect } : {}
 		};
-		this.seedChannelState(ctx, candidate, pending.snapshot?.email);
+		await this.seedChannelState(ctx, candidate, pending.snapshot);
 		delete ctx.pendingLink;
 		swapStrategy("store");
 	}
@@ -4892,6 +5119,14 @@ __decorate([
 	__decorateMetadata("design:paramtypes", [Object]),
 	__decorateMetadata("design:returntype", Promise)
 ], AuthWorkflow.prototype, "deviceTrust", null);
+__decorate([
+	Step("device-recognition"),
+	Public(),
+	__decorateParam(0, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object]),
+	__decorateMetadata("design:returntype", Promise)
+], AuthWorkflow.prototype, "deviceRecognition", null);
 __decorate([
 	Step("terms-bump-prompt"),
 	Public(),
@@ -5124,11 +5359,11 @@ __decorate([
 		},
 		{
 			id: "ask/email",
-			condition: (ctx) => (!!ctx.enrollment?.ensureEmail || !!ctx.guards?.emailVerifiedRequired) && !ctx.email
+			condition: (ctx) => (!!ctx.enrollment?.ensureEmail || !!ctx.guards?.emailVerifiedRequired) && !ctx.channel?.email && !ctx.channel?.emailConfirmed
 		},
 		{
 			id: "verify/email",
-			condition: (ctx) => (!!ctx.enrollment?.ensureEmail || !!ctx.guards?.emailVerifiedRequired) && !!ctx.email && !ctx.channel?.emailConfirmed
+			condition: (ctx) => (!!ctx.enrollment?.ensureEmail || !!ctx.guards?.emailVerifiedRequired) && !!ctx.channel?.email && !ctx.channel?.emailConfirmed
 		},
 		{
 			id: "ask/phone",
@@ -5163,10 +5398,11 @@ __decorate([
 		{
 			condition: (ctx) => !ctx.authz,
 			steps: [
+				{ id: "device-recognition" },
 				{ id: "issue" },
 				{
 					id: "notify-new-device",
-					condition: (ctx) => !ctx.isFirstLogin && !!ctx.finalize?.notifyNewDevice && !!ctx.trust?.newDevice
+					condition: (ctx) => !ctx.isFirstLogin && !!ctx.finalize?.notifyNewDevice && !ctx.trust?.recognized
 				},
 				{ id: "redirect" }
 			]
@@ -5969,7 +6205,36 @@ let AuthorizeController = class AuthorizeController {
 	loginPath() {
 		return "/login";
 	}
-	async authorize(responseType, redirectUri, clientId, state, codeChallenge, codeChallengeMethod, scope, nonce) {
+	/**
+	* The issuer identifier for the RFC 8414 metadata document. Defaults to the
+	* Tier-2 signer's issuer; a SIGNER-LESS deployment that serves MCP connector
+	* clients must **override** this (return `{origin}/auth`-style, byte-exact —
+	* never derived from the Host header, which would let a request inject its
+	* host into a cacheable discovery document). `undefined` ⇒ the
+	* `oauth-authorization-server` endpoint 404s.
+	*/
+	getIssuer() {
+		return this.getIdTokenSigner()?.issuer;
+	}
+	/**
+	* The RFC 7591 dynamic-client-registration operation, or `undefined` (the
+	* default) to disable DCR — then `POST /auth/register` 404s and neither
+	* discovery document advertises a `registration_endpoint`. **Override** in a
+	* subclass: inject a `DynamicClientStore` (the `DYNAMIC_CLIENT_STORE_TOKEN`
+	* provider) as a required ctor param, build one `DynamicClientRegistration`
+	* around it, and return it here. Same plain-getter pattern as
+	* {@link getIdTokenSigner} (an optional `@Inject` panics in moost's
+	* route-table pass).
+	*/
+	getDynamicClientRegistration() {}
+	/**
+	* `scopes_supported` for the RFC 8414 document (optional per the RFC; omitted
+	* by default — deliberately NOT inheriting the OIDC document's hardcoded
+	* list, which describes Tier-2 sign-in scopes). Override to advertise what
+	* connector clients may request.
+	*/
+	scopesSupported() {}
+	async authorize(responseType, redirectUri, clientId, state, codeChallenge, codeChallengeMethod, scope, nonce, resource) {
 		const res = useResponse(current());
 		if (!redirectUri) {
 			res.status = 400;
@@ -5982,17 +6247,22 @@ let AuthorizeController = class AuthorizeController {
 				redirectUri,
 				...scope !== void 0 && { scope }
 			});
-		} catch (e) {
+		} catch {
 			res.status = 400;
-			return e instanceof AuthorizeError ? `invalid request: ${e.code}` : "invalid request";
+			return "invalid request";
 		}
 		if (responseType !== "code" || !codeChallenge || codeChallengeMethod !== "S256") return this.redirectError(resolved.redirectUri, "invalid_request", state);
+		if (resource !== void 0) {
+			if (useUrlParams(current()).params().getAll("resource").length > 1 || resource.length > 2e3) return this.redirectError(resolved.redirectUri, "invalid_target", state);
+		}
 		const binding = randomBytes(32).toString("base64url");
 		const { handle, expiresAt } = await this.pending.create({
 			...resolved.clientId !== void 0 && { clientId: resolved.clientId },
+			...resolved.clientName !== void 0 && { clientName: resolved.clientName },
 			redirectUri: resolved.redirectUri,
 			codeChallenge,
 			...state !== void 0 && { clientState: state },
+			...resource !== void 0 && { resource },
 			...resolved.scope !== void 0 && { scope: resolved.scope },
 			...nonce !== void 0 && { nonce },
 			...resolved.idToken !== void 0 && { idToken: resolved.idToken },
@@ -6049,6 +6319,14 @@ let AuthorizeController = class AuthorizeController {
 			res.status = 401;
 			return { error: "invalid_client" };
 		}
+		if (Array.isArray(body.resource)) {
+			res.status = 400;
+			return { error: "invalid_target" };
+		}
+		if (row.resource !== void 0 && body.resource !== void 0 && row.resource !== body.resource) {
+			res.status = 400;
+			return { error: "invalid_target" };
+		}
 		const wantIdToken = row.idToken === true;
 		const wantAccessToken = row.accessToken !== false;
 		if (!wantIdToken && !wantAccessToken) {
@@ -6100,7 +6378,10 @@ let AuthorizeController = class AuthorizeController {
 	* OIDC discovery (Tier 2). Derives every endpoint from the signer's `issuer`
 	* (configured as `{origin}/auth`), so a relying `OidcProvider` configured with
 	* the same `issuer` resolves `/authorize`, `/token`, and `/jwks` automatically.
-	* 404 when no signer is wired (Tier-1-only deployment).
+	* 404 when no signer is wired (Tier-1-only deployment). When DCR is also
+	* wired, `registration_endpoint` is advertised here too — in a combined
+	* deployment a client that prefers `openid-configuration` over the RFC 8414
+	* document must see the same capability set.
 	*/
 	discovery() {
 		const res = useResponse(current());
@@ -6115,6 +6396,7 @@ let AuthorizeController = class AuthorizeController {
 			authorization_endpoint: `${iss}/authorize`,
 			token_endpoint: `${iss}/token`,
 			jwks_uri: `${iss}/jwks`,
+			...this.getDynamicClientRegistration() && { registration_endpoint: `${iss}/register` },
 			response_types_supported: ["code"],
 			grant_types_supported: ["authorization_code"],
 			subject_types_supported: ["public"],
@@ -6128,6 +6410,81 @@ let AuthorizeController = class AuthorizeController {
 			token_endpoint_auth_methods_supported: ["none", "client_secret_post"]
 		};
 	}
+	/**
+	* RFC 8414 Authorization Server Metadata — the OAuth-flavored discovery MCP
+	* connector clients fetch (OAUTH.md R1). Served signer-INDEPENDENTLY: it
+	* needs only an issuer ({@link getIssuer} — overridable for a Tier-1-style
+	* deployment with no `IdTokenSigner`). Mounted under the controller this is
+	* the suffix form `{issuer}/.well-known/oauth-authorization-server`; the
+	* RFC-correct path-insertion form at the HTTP-server ROOT
+	* (`/.well-known/oauth-authorization-server/<issuer-path>`) cannot be
+	* registered by a prefix-mounted controller — consumers mount it themselves
+	* from the exported `buildAuthorizationServerMetadata` (re-exported by this
+	* package).
+	*/
+	oauthServerMetadata() {
+		const res = useResponse(current());
+		const rawIssuer = this.getIssuer();
+		if (!rawIssuer) {
+			res.status = 404;
+			return { error: "not_found" };
+		}
+		const issuer = canonicalizeIssuer$1(rawIssuer);
+		return buildAuthorizationServerMetadata$1({
+			issuer,
+			...this.getDynamicClientRegistration() && { registrationEndpoint: `${issuer}/register` },
+			...this.getIdTokenSigner() && { jwksUri: `${issuer}/jwks` },
+			...this.scopesSupported() && { scopesSupported: this.scopesSupported() }
+		});
+	}
+	/**
+	* RFC 7591 Dynamic Client Registration (OAUTH.md R2) — anonymous by spec;
+	* 404 unless a registration operation is wired ({@link
+	* getDynamicClientRegistration}). A thin HTTP adapter: validation, abuse
+	* knobs (guard / cap / never-used GC) and persistence live in
+	* `DynamicClientRegistration` (`@aooth/auth`). Public clients only — the
+	* response carries NO `client_secret` and NO `client_secret_expires_at`
+	* (RFC 7591 §3.2.1 requires them only when a secret is issued).
+	*/
+	async register(body) {
+		const res = useResponse(current());
+		const registration = this.getDynamicClientRegistration();
+		if (!registration) {
+			res.status = 404;
+			return { error: "not_found" };
+		}
+		if (!(useHeaders(current())["content-type"] ?? "").includes("application/json")) {
+			res.status = 400;
+			return {
+				error: "invalid_client_metadata",
+				error_description: "registration requests must be application/json"
+			};
+		}
+		try {
+			const client = await registration.register(body);
+			res.status = 201;
+			return {
+				client_id: client.clientId,
+				client_id_issued_at: Math.floor(client.createdAt / 1e3),
+				redirect_uris: client.redirectUris,
+				token_endpoint_auth_method: client.tokenEndpointAuthMethod,
+				grant_types: client.grantTypes,
+				response_types: client.responseTypes,
+				...client.clientName !== void 0 && { client_name: client.clientName },
+				...client.scope !== void 0 && { scope: client.scope }
+			};
+		} catch (e) {
+			if (e instanceof ClientRegistrationError) {
+				res.status = 400;
+				return {
+					error: e.code,
+					error_description: e.message
+				};
+			}
+			res.status = 500;
+			return { error: "server_error" };
+		}
+	}
 	/** The signer's public JWKS (Tier 2). 404 when no signer is wired. */
 	jwks() {
 		const res = useResponse(current());
@@ -6160,6 +6517,7 @@ __decorate([
 	__decorateParam(5, Query("code_challenge_method")),
 	__decorateParam(6, Query("scope")),
 	__decorateParam(7, Query("nonce")),
+	__decorateParam(8, Query("resource")),
 	__decorateMetadata("design:type", Function),
 	__decorateMetadata("design:paramtypes", [
 		Object,
@@ -6169,6 +6527,7 @@ __decorate([
 		Object,
 		Object,
 		Object,
+		Object,
 		Object
 	]),
 	__decorateMetadata("design:returntype", Promise)
@@ -6188,6 +6547,21 @@ __decorate([
 	__decorateMetadata("design:paramtypes", []),
 	__decorateMetadata("design:returntype", Object)
 ], AuthorizeController.prototype, "discovery", null);
+__decorate([
+	Get(".well-known/oauth-authorization-server"),
+	Public(),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", []),
+	__decorateMetadata("design:returntype", Object)
+], AuthorizeController.prototype, "oauthServerMetadata", null);
+__decorate([
+	Post("register"),
+	Public(),
+	__decorateParam(0, Body()),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object]),
+	__decorateMetadata("design:returntype", Promise)
+], AuthorizeController.prototype, "register", null);
 __decorate([
 	Get("jwks"),
 	Public(),
@@ -6244,4 +6618,4 @@ function createAuthEmailOutlet(deps) {
 	});
 }
 //#endregion
-export { ADD_MFA_WORKFLOW, AUTHZ_BINDING_COOKIE, AUTH_CODE_STORE_TOKEN, AuthController, AuthGuarded, AuthWorkflow, AuthorizeController, AuthorizeRuntime, CHANGE_PASSWORD_WORKFLOW, CLIENT_REDIRECT_POLICY_TOKEN, ConsentStore, DEFAULT_AUTH_WORKFLOWS, FEDERATED_IDENTITY_STORE_TOKEN, OAUTH_CSRF_COOKIE, OAuthController, OAuthRuntime, PENDING_AUTHORIZATION_STORE_TOKEN, Public, RESERVED_USER_KEYS, SessionEnricherProvider, SessionsController, UserId, WfTrigger, WfTriggerProvider, authGuardInterceptor, authzBindingCookieAttrs, buildInviteAlreadyAcceptedEnvelope, createAuthEmailOutlet, deriveWfStateSecret, generateMagicLinkToken, getAuthMate, isSafeRelativeRedirect, oauthCsrfCookieAttrs, parseInviteRoles, resolveOAuthRedirect, stripReservedUserKeys, useAuth };
+export { ADD_MFA_WORKFLOW, AUTHZ_BINDING_COOKIE, AUTH_CODE_STORE_TOKEN, AuthController, AuthGuarded, AuthWorkflow, AuthorizeController, AuthorizeRuntime, CHANGE_PASSWORD_WORKFLOW, CLIENT_REDIRECT_POLICY_TOKEN, ConsentStore, DEFAULT_AUTH_WORKFLOWS, DYNAMIC_CLIENT_STORE_TOKEN, DynamicClientRegistration, FEDERATED_IDENTITY_STORE_TOKEN, OAUTH_CSRF_COOKIE, OAuthController, OAuthRuntime, PENDING_AUTHORIZATION_STORE_TOKEN, Public, RESERVED_USER_KEYS, SessionEnricherProvider, SessionsController, UserId, WfTrigger, WfTriggerProvider, authGuardInterceptor, authzBindingCookieAttrs, buildAuthorizationServerMetadata, buildInviteAlreadyAcceptedEnvelope, buildProtectedResourceMetadata, buildWwwAuthenticateBearerChallenge, canonicalizeIssuer, createAuthEmailOutlet, deriveWfStateSecret, generateMagicLinkToken, getAuthMate, haversineKm, humanizeUserAgent, isSafeRelativeRedirect, oauthCsrfCookieAttrs, parseInviteRoles, resolveOAuthRedirect, stripReservedUserKeys, useAuth };