npm - @aooth/auth-moost - Versions diffs - 0.1.19 → 0.1.21 - Mend

@aooth/auth-moost 0.1.19 → 0.1.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/atscript/index.d.mts +449 -1
package/dist/index.d.mts +183 -6
package/dist/index.mjs +228 -47
package/package.json +19 -19

package/dist/atscript/index.d.mts CHANGED Viewed

@@ -1,2 +1,450 @@
-import { C as Select2faForm, D as WithInlineConsentForm, E as TermsBumpForm, S as RemoveMfaConfirmForm, T as SignupForm, _ as PincodeForm, a as ConcurrencyLimitForm, b as RecoveryFactorForm, c as EnrollConfirmForm, d as InviteForm, f as LoginCredentialsForm, g as PasswordReauthForm, h as MfaCodeForm, i as ChangePasswordForm, l as EnrollPickMethodForm, m as ManageMfaForm, n as AskPhoneForm, o as EmailIdentifierForm, p as MagicLinkRequestForm, r as AuthorizeConsentForm, s as EnrollAddressForm, t as AskEmailForm, u as EnrollTotpQrForm, v as ProveControlForm, w as SetPasswordForm, x as RecoveryModeSelectForm, y as ProveControlOtpForm } from "../forms-uqegc32h.mjs";
+import { TAtscriptAnnotatedType, TAtscriptTypeObject, TMetadataMap, TValidatorOptions, Validator } from "@atscript/typescript/utils";
+//#region src/atscript/models/forms.as.d.ts
+/**
+ * Atscript interface **WithInlineConsentForm**
+ * @see {@link ./forms.as:34:18}
+ */
+declare class WithInlineConsentForm {
+  consents: string[];
+  static __is_atscript_annotated_type: true;
+  static type: TAtscriptTypeObject<keyof WithInlineConsentForm, WithInlineConsentForm>;
+  static metadata: TMetadataMap<AtscriptMetadata>;
+  static validator: (opts?: Partial<TValidatorOptions>) => Validator<typeof WithInlineConsentForm>;
+  /** @deprecated JSON Schema support is disabled. Calling this method will throw a runtime error. To enable, set `jsonSchema: 'lazy'` or `jsonSchema: 'bundle'` in tsPlugin options, or add `@emit.jsonSchema` annotation to individual interfaces. */
+  static toJsonSchema: () => any;
+  /** @deprecated Example Data support is disabled. To enable, set `exampleData: true` in tsPlugin options. */
+  static toExampleData?: () => any;
+}
+/**
+ * Atscript interface **LoginCredentialsForm**
+ * @see {@link ./forms.as:61:18}
+ */
+declare class LoginCredentialsForm {
+  username: string;
+  password: string; // signup: ui.action
+  // magicLink: ui.action
+  ssoProvider?: string;
+  static __is_atscript_annotated_type: true;
+  static type: TAtscriptTypeObject<keyof LoginCredentialsForm, LoginCredentialsForm>;
+  static metadata: TMetadataMap<AtscriptMetadata>;
+  static validator: (opts?: Partial<TValidatorOptions>) => Validator<typeof LoginCredentialsForm>;
+  /** @deprecated JSON Schema support is disabled. Calling this method will throw a runtime error. To enable, set `jsonSchema: 'lazy'` or `jsonSchema: 'bundle'` in tsPlugin options, or add `@emit.jsonSchema` annotation to individual interfaces. */
+  static toJsonSchema: () => any;
+  /** @deprecated Example Data support is disabled. To enable, set `exampleData: true` in tsPlugin options. */
+  static toExampleData?: () => any;
+}
+/**
+ * Atscript interface **MfaCodeForm**
+ * @see {@link ./forms.as:136:18}
+ */
+declare class MfaCodeForm {
+  // transportHint: ui.paragraph
+  code: string; // useDifferentMethod: ui.action
+  rememberDevice: boolean;
+  static __is_atscript_annotated_type: true;
+  static type: TAtscriptTypeObject<keyof MfaCodeForm, MfaCodeForm>;
+  static metadata: TMetadataMap<AtscriptMetadata>;
+  static validator: (opts?: Partial<TValidatorOptions>) => Validator<typeof MfaCodeForm>;
+  /** @deprecated JSON Schema support is disabled. Calling this method will throw a runtime error. To enable, set `jsonSchema: 'lazy'` or `jsonSchema: 'bundle'` in tsPlugin options, or add `@emit.jsonSchema` annotation to individual interfaces. */
+  static toJsonSchema: () => any;
+  /** @deprecated Example Data support is disabled. To enable, set `exampleData: true` in tsPlugin options. */
+  static toExampleData?: () => any;
+}
+/**
+ * Atscript interface **EmailIdentifierForm**
+ * @see {@link ./forms.as:173:18}
+ */
+declare class EmailIdentifierForm {
+  email: string;
+  /* email */
+  // backToLogin: ui.action
+  static __is_atscript_annotated_type: true;
+  static type: TAtscriptTypeObject<keyof EmailIdentifierForm, EmailIdentifierForm>;
+  static metadata: TMetadataMap<AtscriptMetadata>;
+  static validator: (opts?: Partial<TValidatorOptions>) => Validator<typeof EmailIdentifierForm>;
+  /** @deprecated JSON Schema support is disabled. Calling this method will throw a runtime error. To enable, set `jsonSchema: 'lazy'` or `jsonSchema: 'bundle'` in tsPlugin options, or add `@emit.jsonSchema` annotation to individual interfaces. */
+  static toJsonSchema: () => any;
+  /** @deprecated Example Data support is disabled. To enable, set `exampleData: true` in tsPlugin options. */
+  static toExampleData?: () => any;
+}
+/**
+ * Atscript interface **SignupForm**
+ * @see {@link ./forms.as:205:18}
+ */
+declare class SignupForm {
+  email: string;
+  /* email */
+  // backToLogin: ui.action
+  static __is_atscript_annotated_type: true;
+  static type: TAtscriptTypeObject<keyof SignupForm, SignupForm>;
+  static metadata: TMetadataMap<AtscriptMetadata>;
+  static validator: (opts?: Partial<TValidatorOptions>) => Validator<typeof SignupForm>;
+  /** @deprecated JSON Schema support is disabled. Calling this method will throw a runtime error. To enable, set `jsonSchema: 'lazy'` or `jsonSchema: 'bundle'` in tsPlugin options, or add `@emit.jsonSchema` annotation to individual interfaces. */
+  static toJsonSchema: () => any;
+  /** @deprecated Example Data support is disabled. To enable, set `exampleData: true` in tsPlugin options. */
+  static toExampleData?: () => any;
+}
+/**
+ * Atscript interface **SetPasswordForm**
+ * @see {@link ./forms.as:263:18}
+ */
+declare class SetPasswordForm extends WithInlineConsentForm {
+  // intro: ui.paragraph
+  newPassword: string;
+  confirmPassword: string; // passwordRules: ui.paragraph
+  static __is_atscript_annotated_type: true;
+  static type: TAtscriptTypeObject<keyof SetPasswordForm, SetPasswordForm>;
+  static metadata: TMetadataMap<AtscriptMetadata>;
+  static validator: (opts?: Partial<TValidatorOptions>) => Validator<typeof SetPasswordForm>;
+  /** @deprecated JSON Schema support is disabled. Calling this method will throw a runtime error. To enable, set `jsonSchema: 'lazy'` or `jsonSchema: 'bundle'` in tsPlugin options, or add `@emit.jsonSchema` annotation to individual interfaces. */
+  static toJsonSchema: () => any;
+  /** @deprecated Example Data support is disabled. To enable, set `exampleData: true` in tsPlugin options. */
+  static toExampleData?: () => any;
+}
+/**
+ * Atscript interface **InviteForm**
+ * @see {@link ./forms.as:341:18}
+ */
+declare class InviteForm {
+  email: string;
+  /* email */
+  roles: string[];
+  static __is_atscript_annotated_type: true;
+  static type: TAtscriptTypeObject<keyof InviteForm, InviteForm>;
+  static metadata: TMetadataMap<AtscriptMetadata>;
+  static validator: (opts?: Partial<TValidatorOptions>) => Validator<typeof InviteForm>;
+  /** @deprecated JSON Schema support is disabled. Calling this method will throw a runtime error. To enable, set `jsonSchema: 'lazy'` or `jsonSchema: 'bundle'` in tsPlugin options, or add `@emit.jsonSchema` annotation to individual interfaces. */
+  static toJsonSchema: () => any;
+  /** @deprecated Example Data support is disabled. To enable, set `exampleData: true` in tsPlugin options. */
+  static toExampleData?: () => any;
+}
+/**
+ * Atscript interface **Select2faForm**
+ * @see {@link ./forms.as:371:18}
+ */
+declare class Select2faForm {
+  methodName: string;
+  saveAsDefault: boolean;
+  rememberDevice: boolean;
+  static __is_atscript_annotated_type: true;
+  static type: TAtscriptTypeObject<keyof Select2faForm, Select2faForm>;
+  static metadata: TMetadataMap<AtscriptMetadata>;
+  static validator: (opts?: Partial<TValidatorOptions>) => Validator<typeof Select2faForm>;
+  /** @deprecated JSON Schema support is disabled. Calling this method will throw a runtime error. To enable, set `jsonSchema: 'lazy'` or `jsonSchema: 'bundle'` in tsPlugin options, or add `@emit.jsonSchema` annotation to individual interfaces. */
+  static toJsonSchema: () => any;
+  /** @deprecated Example Data support is disabled. To enable, set `exampleData: true` in tsPlugin options. */
+  static toExampleData?: () => any;
+}
+/**
+ * Atscript interface **PincodeForm**
+ * @see {@link ./forms.as:417:18}
+ */
+declare class PincodeForm {
+  // transportHint: ui.paragraph
+  code: string;
+  rememberDevice: boolean; // resend: ui.action
+  // useDifferentMethod: ui.action
+  // useDifferentTransport: ui.action
+  static __is_atscript_annotated_type: true;
+  static type: TAtscriptTypeObject<keyof PincodeForm, PincodeForm>;
+  static metadata: TMetadataMap<AtscriptMetadata>;
+  static validator: (opts?: Partial<TValidatorOptions>) => Validator<typeof PincodeForm>;
+  /** @deprecated JSON Schema support is disabled. Calling this method will throw a runtime error. To enable, set `jsonSchema: 'lazy'` or `jsonSchema: 'bundle'` in tsPlugin options, or add `@emit.jsonSchema` annotation to individual interfaces. */
+  static toJsonSchema: () => any;
+  /** @deprecated Example Data support is disabled. To enable, set `exampleData: true` in tsPlugin options. */
+  static toExampleData?: () => any;
+}
+/**
+ * Atscript interface **AskEmailForm**
+ * @see {@link ./forms.as:456:18}
+ */
+declare class AskEmailForm extends WithInlineConsentForm {
+  // disclosure: ui.paragraph
+  email: string;
+  /* email */
+  static __is_atscript_annotated_type: true;
+  static type: TAtscriptTypeObject<keyof AskEmailForm, AskEmailForm>;
+  static metadata: TMetadataMap<AtscriptMetadata>;
+  static validator: (opts?: Partial<TValidatorOptions>) => Validator<typeof AskEmailForm>;
+  /** @deprecated JSON Schema support is disabled. Calling this method will throw a runtime error. To enable, set `jsonSchema: 'lazy'` or `jsonSchema: 'bundle'` in tsPlugin options, or add `@emit.jsonSchema` annotation to individual interfaces. */
+  static toJsonSchema: () => any;
+  /** @deprecated Example Data support is disabled. To enable, set `exampleData: true` in tsPlugin options. */
+  static toExampleData?: () => any;
+}
+/**
+ * Atscript interface **AskPhoneForm**
+ * @see {@link ./forms.as:486:18}
+ */
+declare class AskPhoneForm extends WithInlineConsentForm {
+  // disclosure: ui.paragraph
+  phone: string;
+  static __is_atscript_annotated_type: true;
+  static type: TAtscriptTypeObject<keyof AskPhoneForm, AskPhoneForm>;
+  static metadata: TMetadataMap<AtscriptMetadata>;
+  static validator: (opts?: Partial<TValidatorOptions>) => Validator<typeof AskPhoneForm>;
+  /** @deprecated JSON Schema support is disabled. Calling this method will throw a runtime error. To enable, set `jsonSchema: 'lazy'` or `jsonSchema: 'bundle'` in tsPlugin options, or add `@emit.jsonSchema` annotation to individual interfaces. */
+  static toJsonSchema: () => any;
+  /** @deprecated Example Data support is disabled. To enable, set `exampleData: true` in tsPlugin options. */
+  static toExampleData?: () => any;
+}
+/**
+ * Atscript interface **EnrollPickMethodForm**
+ * @see {@link ./forms.as:510:18}
+ */
+declare class EnrollPickMethodForm {
+  method: string; // skip: ui.action
+  // cancel: ui.action
+  static __is_atscript_annotated_type: true;
+  static type: TAtscriptTypeObject<keyof EnrollPickMethodForm, EnrollPickMethodForm>;
+  static metadata: TMetadataMap<AtscriptMetadata>;
+  static validator: (opts?: Partial<TValidatorOptions>) => Validator<typeof EnrollPickMethodForm>;
+  /** @deprecated JSON Schema support is disabled. Calling this method will throw a runtime error. To enable, set `jsonSchema: 'lazy'` or `jsonSchema: 'bundle'` in tsPlugin options, or add `@emit.jsonSchema` annotation to individual interfaces. */
+  static toJsonSchema: () => any;
+  /** @deprecated Example Data support is disabled. To enable, set `exampleData: true` in tsPlugin options. */
+  static toExampleData?: () => any;
+}
+/**
+ * Atscript interface **EnrollAddressForm**
+ * @see {@link ./forms.as:544:18}
+ */
+declare class EnrollAddressForm {
+  address: string; // skip: ui.action
+  // cancel: ui.action
+  // useDifferentMethod: ui.action
+  static __is_atscript_annotated_type: true;
+  static type: TAtscriptTypeObject<keyof EnrollAddressForm, EnrollAddressForm>;
+  static metadata: TMetadataMap<AtscriptMetadata>;
+  static validator: (opts?: Partial<TValidatorOptions>) => Validator<typeof EnrollAddressForm>;
+  /** @deprecated JSON Schema support is disabled. Calling this method will throw a runtime error. To enable, set `jsonSchema: 'lazy'` or `jsonSchema: 'bundle'` in tsPlugin options, or add `@emit.jsonSchema` annotation to individual interfaces. */
+  static toJsonSchema: () => any;
+  /** @deprecated Example Data support is disabled. To enable, set `exampleData: true` in tsPlugin options. */
+  static toExampleData?: () => any;
+}
+/**
+ * Atscript interface **EnrollConfirmForm**
+ * @see {@link ./forms.as:590:18}
+ */
+declare class EnrollConfirmForm {
+  // transportHint: ui.paragraph
+  code: string; // resend: ui.action
+  // useDifferentMethod: ui.action
+  // cancel: ui.action
+  // skip: ui.action
+  static __is_atscript_annotated_type: true;
+  static type: TAtscriptTypeObject<keyof EnrollConfirmForm, EnrollConfirmForm>;
+  static metadata: TMetadataMap<AtscriptMetadata>;
+  static validator: (opts?: Partial<TValidatorOptions>) => Validator<typeof EnrollConfirmForm>;
+  /** @deprecated JSON Schema support is disabled. Calling this method will throw a runtime error. To enable, set `jsonSchema: 'lazy'` or `jsonSchema: 'bundle'` in tsPlugin options, or add `@emit.jsonSchema` annotation to individual interfaces. */
+  static toJsonSchema: () => any;
+  /** @deprecated Example Data support is disabled. To enable, set `exampleData: true` in tsPlugin options. */
+  static toExampleData?: () => any;
+}
+/**
+ * Atscript interface **EnrollTotpQrForm**
+ * @see {@link ./forms.as:640:18}
+ */
+declare class EnrollTotpQrForm {
+  // qrCode: ui.paragraph
+  // useDifferentMethod: ui.action
+  // cancel: ui.action
+  // skip: ui.action
+  static __is_atscript_annotated_type: true;
+  static type: TAtscriptTypeObject<keyof EnrollTotpQrForm, EnrollTotpQrForm>;
+  static metadata: TMetadataMap<AtscriptMetadata>;
+  static validator: (opts?: Partial<TValidatorOptions>) => Validator<typeof EnrollTotpQrForm>;
+  /** @deprecated JSON Schema support is disabled. Calling this method will throw a runtime error. To enable, set `jsonSchema: 'lazy'` or `jsonSchema: 'bundle'` in tsPlugin options, or add `@emit.jsonSchema` annotation to individual interfaces. */
+  static toJsonSchema: () => any;
+  /** @deprecated Example Data support is disabled. To enable, set `exampleData: true` in tsPlugin options. */
+  static toExampleData?: () => any;
+}
+/**
+ * Atscript interface **ManageMfaForm**
+ * @see {@link ./forms.as:679:18}
+ */
+declare class ManageMfaForm {
+  // lockedNote: ui.paragraph
+  operation: string; // cancel: ui.action
+  static __is_atscript_annotated_type: true;
+  static type: TAtscriptTypeObject<keyof ManageMfaForm, ManageMfaForm>;
+  static metadata: TMetadataMap<AtscriptMetadata>;
+  static validator: (opts?: Partial<TValidatorOptions>) => Validator<typeof ManageMfaForm>;
+  /** @deprecated JSON Schema support is disabled. Calling this method will throw a runtime error. To enable, set `jsonSchema: 'lazy'` or `jsonSchema: 'bundle'` in tsPlugin options, or add `@emit.jsonSchema` annotation to individual interfaces. */
+  static toJsonSchema: () => any;
+  /** @deprecated Example Data support is disabled. To enable, set `exampleData: true` in tsPlugin options. */
+  static toExampleData?: () => any;
+}
+/**
+ * Atscript interface **RemoveMfaConfirmForm**
+ * @see {@link ./forms.as:708:18}
+ */
+declare class RemoveMfaConfirmForm {
+  // notice: ui.paragraph
+  // cancel: ui.action
+  static __is_atscript_annotated_type: true;
+  static type: TAtscriptTypeObject<keyof RemoveMfaConfirmForm, RemoveMfaConfirmForm>;
+  static metadata: TMetadataMap<AtscriptMetadata>;
+  static validator: (opts?: Partial<TValidatorOptions>) => Validator<typeof RemoveMfaConfirmForm>;
+  /** @deprecated JSON Schema support is disabled. Calling this method will throw a runtime error. To enable, set `jsonSchema: 'lazy'` or `jsonSchema: 'bundle'` in tsPlugin options, or add `@emit.jsonSchema` annotation to individual interfaces. */
+  static toJsonSchema: () => any;
+  /** @deprecated Example Data support is disabled. To enable, set `exampleData: true` in tsPlugin options. */
+  static toExampleData?: () => any;
+}
+/**
+ * Atscript interface **PasswordReauthForm**
+ * @see {@link ./forms.as:731:18}
+ */
+declare class PasswordReauthForm {
+  password: string; // cancel: ui.action
+  static __is_atscript_annotated_type: true;
+  static type: TAtscriptTypeObject<keyof PasswordReauthForm, PasswordReauthForm>;
+  static metadata: TMetadataMap<AtscriptMetadata>;
+  static validator: (opts?: Partial<TValidatorOptions>) => Validator<typeof PasswordReauthForm>;
+  /** @deprecated JSON Schema support is disabled. Calling this method will throw a runtime error. To enable, set `jsonSchema: 'lazy'` or `jsonSchema: 'bundle'` in tsPlugin options, or add `@emit.jsonSchema` annotation to individual interfaces. */
+  static toJsonSchema: () => any;
+  /** @deprecated Example Data support is disabled. To enable, set `exampleData: true` in tsPlugin options. */
+  static toExampleData?: () => any;
+}
+/**
+ * Atscript interface **TermsBumpForm**
+ * @see {@link ./forms.as:760:18}
+ */
+declare class TermsBumpForm extends WithInlineConsentForm {
+  static __is_atscript_annotated_type: true;
+  static type: TAtscriptTypeObject<keyof TermsBumpForm, TermsBumpForm>;
+  static metadata: TMetadataMap<AtscriptMetadata>;
+  static validator: (opts?: Partial<TValidatorOptions>) => Validator<typeof TermsBumpForm>;
+  /** @deprecated JSON Schema support is disabled. Calling this method will throw a runtime error. To enable, set `jsonSchema: 'lazy'` or `jsonSchema: 'bundle'` in tsPlugin options, or add `@emit.jsonSchema` annotation to individual interfaces. */
+  static toJsonSchema: () => any;
+  /** @deprecated Example Data support is disabled. To enable, set `exampleData: true` in tsPlugin options. */
+  static toExampleData?: () => any;
+}
+/**
+ * Atscript interface **ConcurrencyLimitForm**
+ * @see {@link ./forms.as:773:18}
+ */
+declare class ConcurrencyLimitForm {
+  static __is_atscript_annotated_type: true;
+  static type: TAtscriptTypeObject<keyof ConcurrencyLimitForm, ConcurrencyLimitForm>;
+  static metadata: TMetadataMap<AtscriptMetadata>;
+  static validator: (opts?: Partial<TValidatorOptions>) => Validator<typeof ConcurrencyLimitForm>;
+  /** @deprecated JSON Schema support is disabled. Calling this method will throw a runtime error. To enable, set `jsonSchema: 'lazy'` or `jsonSchema: 'bundle'` in tsPlugin options, or add `@emit.jsonSchema` annotation to individual interfaces. */
+  static toJsonSchema: () => any;
+  /** @deprecated Example Data support is disabled. To enable, set `exampleData: true` in tsPlugin options. */
+  static toExampleData?: () => any;
+}
+/**
+ * Atscript interface **MagicLinkRequestForm**
+ * @see {@link ./forms.as:783:18}
+ */
+declare class MagicLinkRequestForm {
+  identifier: string;
+  static __is_atscript_annotated_type: true;
+  static type: TAtscriptTypeObject<keyof MagicLinkRequestForm, MagicLinkRequestForm>;
+  static metadata: TMetadataMap<AtscriptMetadata>;
+  static validator: (opts?: Partial<TValidatorOptions>) => Validator<typeof MagicLinkRequestForm>;
+  /** @deprecated JSON Schema support is disabled. Calling this method will throw a runtime error. To enable, set `jsonSchema: 'lazy'` or `jsonSchema: 'bundle'` in tsPlugin options, or add `@emit.jsonSchema` annotation to individual interfaces. */
+  static toJsonSchema: () => any;
+  /** @deprecated Example Data support is disabled. To enable, set `exampleData: true` in tsPlugin options. */
+  static toExampleData?: () => any;
+}
+/**
+ * Atscript interface **RecoveryModeSelectForm**
+ * @see {@link ./forms.as:798:18}
+ */
+declare class RecoveryModeSelectForm {
+  mode: string;
+  static __is_atscript_annotated_type: true;
+  static type: TAtscriptTypeObject<keyof RecoveryModeSelectForm, RecoveryModeSelectForm>;
+  static metadata: TMetadataMap<AtscriptMetadata>;
+  static validator: (opts?: Partial<TValidatorOptions>) => Validator<typeof RecoveryModeSelectForm>;
+  /** @deprecated JSON Schema support is disabled. Calling this method will throw a runtime error. To enable, set `jsonSchema: 'lazy'` or `jsonSchema: 'bundle'` in tsPlugin options, or add `@emit.jsonSchema` annotation to individual interfaces. */
+  static toJsonSchema: () => any;
+  /** @deprecated Example Data support is disabled. To enable, set `exampleData: true` in tsPlugin options. */
+  static toExampleData?: () => any;
+}
+/**
+ * Atscript interface **RecoveryFactorForm**
+ * @see {@link ./forms.as:821:18}
+ */
+declare class RecoveryFactorForm {
+  factor: string;
+  value: string;
+  static __is_atscript_annotated_type: true;
+  static type: TAtscriptTypeObject<keyof RecoveryFactorForm, RecoveryFactorForm>;
+  static metadata: TMetadataMap<AtscriptMetadata>;
+  static validator: (opts?: Partial<TValidatorOptions>) => Validator<typeof RecoveryFactorForm>;
+  /** @deprecated JSON Schema support is disabled. Calling this method will throw a runtime error. To enable, set `jsonSchema: 'lazy'` or `jsonSchema: 'bundle'` in tsPlugin options, or add `@emit.jsonSchema` annotation to individual interfaces. */
+  static toJsonSchema: () => any;
+  /** @deprecated Example Data support is disabled. To enable, set `exampleData: true` in tsPlugin options. */
+  static toExampleData?: () => any;
+}
+/**
+ * Atscript interface **ChangePasswordForm**
+ * @see {@link ./forms.as:855:18}
+ */
+declare class ChangePasswordForm {
+  // intro: ui.paragraph
+  currentPassword: string;
+  newPassword: string;
+  confirmPassword: string; // passwordRules: ui.paragraph
+  static __is_atscript_annotated_type: true;
+  static type: TAtscriptTypeObject<keyof ChangePasswordForm, ChangePasswordForm>;
+  static metadata: TMetadataMap<AtscriptMetadata>;
+  static validator: (opts?: Partial<TValidatorOptions>) => Validator<typeof ChangePasswordForm>;
+  /** @deprecated JSON Schema support is disabled. Calling this method will throw a runtime error. To enable, set `jsonSchema: 'lazy'` or `jsonSchema: 'bundle'` in tsPlugin options, or add `@emit.jsonSchema` annotation to individual interfaces. */
+  static toJsonSchema: () => any;
+  /** @deprecated Example Data support is disabled. To enable, set `exampleData: true` in tsPlugin options. */
+  static toExampleData?: () => any;
+}
+/**
+ * Atscript interface **ProveControlForm**
+ * @see {@link ./forms.as:920:18}
+ */
+declare class ProveControlForm {
+  // intro: ui.paragraph
+  password: string; // cancel: ui.action
+  static __is_atscript_annotated_type: true;
+  static type: TAtscriptTypeObject<keyof ProveControlForm, ProveControlForm>;
+  static metadata: TMetadataMap<AtscriptMetadata>;
+  static validator: (opts?: Partial<TValidatorOptions>) => Validator<typeof ProveControlForm>;
+  /** @deprecated JSON Schema support is disabled. Calling this method will throw a runtime error. To enable, set `jsonSchema: 'lazy'` or `jsonSchema: 'bundle'` in tsPlugin options, or add `@emit.jsonSchema` annotation to individual interfaces. */
+  static toJsonSchema: () => any;
+  /** @deprecated Example Data support is disabled. To enable, set `exampleData: true` in tsPlugin options. */
+  static toExampleData?: () => any;
+}
+/**
+ * Atscript interface **ProveControlOtpForm**
+ * @see {@link ./forms.as:955:18}
+ */
+declare class ProveControlOtpForm {
+  // intro: ui.paragraph
+  code: string; // resend: ui.action
+  // cancel: ui.action
+  static __is_atscript_annotated_type: true;
+  static type: TAtscriptTypeObject<keyof ProveControlOtpForm, ProveControlOtpForm>;
+  static metadata: TMetadataMap<AtscriptMetadata>;
+  static validator: (opts?: Partial<TValidatorOptions>) => Validator<typeof ProveControlOtpForm>;
+  /** @deprecated JSON Schema support is disabled. Calling this method will throw a runtime error. To enable, set `jsonSchema: 'lazy'` or `jsonSchema: 'bundle'` in tsPlugin options, or add `@emit.jsonSchema` annotation to individual interfaces. */
+  static toJsonSchema: () => any;
+  /** @deprecated Example Data support is disabled. To enable, set `exampleData: true` in tsPlugin options. */
+  static toExampleData?: () => any;
+}
+/**
+ * Atscript interface **AuthorizeConsentForm**
+ * @see {@link ./forms.as:1005:18}
+ */
+declare class AuthorizeConsentForm {
+  // notice: ui.paragraph
+  // deny: ui.action
+  static __is_atscript_annotated_type: true;
+  static type: TAtscriptTypeObject<keyof AuthorizeConsentForm, AuthorizeConsentForm>;
+  static metadata: TMetadataMap<AtscriptMetadata>;
+  static validator: (opts?: Partial<TValidatorOptions>) => Validator<typeof AuthorizeConsentForm>;
+  /** @deprecated JSON Schema support is disabled. Calling this method will throw a runtime error. To enable, set `jsonSchema: 'lazy'` or `jsonSchema: 'bundle'` in tsPlugin options, or add `@emit.jsonSchema` annotation to individual interfaces. */
+  static toJsonSchema: () => any;
+  /** @deprecated Example Data support is disabled. To enable, set `exampleData: true` in tsPlugin options. */
+  static toExampleData?: () => any;
+}
+//#endregion
 export { AskEmailForm, AskPhoneForm, AuthorizeConsentForm, ChangePasswordForm, ConcurrencyLimitForm, EmailIdentifierForm, EnrollAddressForm, EnrollConfirmForm, EnrollPickMethodForm, EnrollTotpQrForm, InviteForm, LoginCredentialsForm, MagicLinkRequestForm, ManageMfaForm, MfaCodeForm, PasswordReauthForm, PincodeForm, ProveControlForm, ProveControlOtpForm, RecoveryFactorForm, RecoveryModeSelectForm, RemoveMfaConfirmForm, Select2faForm, SetPasswordForm, SignupForm, TermsBumpForm, WithInlineConsentForm };

package/dist/index.d.mts CHANGED Viewed

@@ -1230,17 +1230,52 @@ interface AuthWfMfaState {
 }
 /** Channel-onboarding state (login Phase 3). */
 interface AuthWfChannelState {
+  /**
+   * The email address `ask/email` collected and sent the enrollment code to —
+   * the sole enrollment ask→verify target, mirroring `phone`. The enrollment
+   * gates key on it. Deliberately SEPARATE from `notice.email` (the
+   * security-notice recipient): that slot may be seeded from
+   * `getCorrespondenceEmail` / a federated profile without any code ever
+   * being sent, so the enrollment gates must never key on it.
+   */
+  email?: string;
   emailConfirmed?: boolean;
   phone?: string;
   phoneConfirmed?: boolean;
   otpDisclosure?: string;
 }
+/**
+ * Security-notice recipient state (login flow). `email` is the address
+ * `notify-new-device` (and any future security notice) delivers to — owned
+ * by the `credentials` / `seedChannelState` seeding (confirmed email-MFA →
+ * `getCorrespondenceEmail` → provider display email) and refreshed by
+ * `verify/email` once a freshly-proven inbox confirms. Server-only — never
+ * `@wf.context.pass`'d, not mirrored into `ctx.public`. Deliberately
+ * distinct from `channel.email` (the enrollment ask→verify target) and from
+ * the flow-subject `ctx.email` that recovery / invite / signup use.
+ */
+interface AuthWfNoticeState {
+  email?: string;
+}
 /** Device-trust state (login). */
 interface AuthWfTrustState {
   deviceTrustToken?: string;
   newDevice?: boolean;
   rememberDevice?: boolean;
   optIn?: boolean;
+  /**
+   * The ARRIVING request presented a valid recognition cookie (stamped by
+   * `device-recognition` BEFORE any mint — pre-mint arrival state). This is
+   * what the notify-new-device gate reads: recognition suppresses the
+   * notification; it never affects MFA (that's `newDevice` / trust).
+   */
+  recognized?: boolean;
+  /**
+   * Recognition token `issue` must set as a cookie on the finish envelope —
+   * either the re-validated arriving cookie (re-issued with a fresh maxAge)
+   * or a freshly minted one.
+   */
+  seenDeviceToken?: string;
 }
 /** Session-policy state (login). */
 interface AuthWfSessionState {
@@ -1372,6 +1407,16 @@ interface AuthWfRecoveryAltActions {
  */
 interface AuthWfOtpState {
   verified?: boolean;
+  /**
+   * The address the last `pincode-send` ACTUALLY delivered to — login MFA
+   * email/SMS challenge, recovery M1 (typed identifier) / M2 (registered
+   * method), and signup's reuse of the recovery pair. Server-only — never
+   * `@wf.context.pass`'d. The email-channel case is consumed by
+   * `pincode-check` as inbox proof (`users.setVerifiedEmail`).
+   */
+  deliveredTo?: string;
+  /** Wire channel of that delivery — only `email` constitutes an inbox proof. */
+  deliveredChannel?: "email" | "sms";
 }
 /** Invite admin-side (Phase A) state. */
 interface AuthWfAdminState {
@@ -1684,6 +1729,12 @@ interface AuthWfPublicState {
 /** Unified workflow context shape — one type for all three flows. */
 interface AuthWfCtx {
   subject?: string;
+  /**
+   * Flow-subject address — the typed recovery identifier, the invite target,
+   * or the signup email. The LOGIN flow does NOT use this slot: its
+   * security-notice recipient is `notice.email` and its enrollment
+   * ask→verify target is `channel.email`.
+   */
   email?: string;
   defaults?: AuthWfDefaults;
   pin?: string;
@@ -1725,6 +1776,7 @@ interface AuthWfCtx {
   recoveryAltActions?: AuthWfRecoveryAltActions;
   mfa?: AuthWfMfaState;
   channel?: AuthWfChannelState;
+  notice?: AuthWfNoticeState;
   trust?: AuthWfTrustState;
   session?: AuthWfSessionState;
   altActions?: AuthWfAltActionsState;
@@ -1796,6 +1848,24 @@ interface AuthWorkflowOpts {
     ttlMs?: number;
     bindsTo?: "cookie" | "cookie+ip";
   };
+  /**
+   * Device RECOGNITION infra — the always-on `seenDevices` ledger + cookie
+   * that suppress the "new sign-in" notification on devices the user has
+   * already logged in from. Strictly a notification suppressor, NOT an MFA
+   * bypass (that is `deviceTrust`, which stays opt-in and strict).
+   * Cookie-only binding by design — recognition is pure noise control, so it
+   * never binds to IP (IP churn must not re-trigger the email).
+   *
+   * `cookieName` defaults to `<deviceTrust.cookieName>_seen` so a consumer
+   * renaming the trust cookie gets a matching recognition name for free.
+   * No policy flags here — the on/off gate is the existing
+   * `resolveFinalize().notifyNewDevice` policy.
+   */
+  deviceRecognition?: {
+    cookieName?: string;
+    ttlMs?: number; /** Cap on the per-user `seenDevices` ledger — LRU-evicted beyond it. */
+    maxDevices?: number;
+  };
   forms?: {
     loginCredentials?: TAtscriptAnnotatedType;
     invite?: TAtscriptAnnotatedType;
@@ -1846,6 +1916,11 @@ interface ResolvedAuthWorkflowOpts {
     ttlMs: number;
     bindsTo: "cookie" | "cookie+ip";
   };
+  deviceRecognition: {
+    cookieName: string;
+    ttlMs: number;
+    maxDevices: number;
+  };
   forms: {
     loginCredentials: TAtscriptAnnotatedType;
     invite: TAtscriptAnnotatedType;
@@ -1917,6 +1992,22 @@ type AuthDeliveryPayload = {
   recipient: string;
   deviceLabel?: string;
   loginAt: number;
+}
+/**
+ * Consumer-triggered security notice (e.g. impossible-travel detected by a
+ * `resolveRiskStepUp` override) — routed through the same `deliver()` as
+ * every other notice. `reason` is the machine-readable trigger
+ * (e.g. `"impossible-travel"`); `context` is free-form template data
+ * (distances, cities). NEVER auto-sent by the base class — only a consumer
+ * call to `sendSecurityAlert` emits it.
+ */
+| {
+  kind: "security-alert";
+  channel: "email";
+  recipient: string;
+  reason: string;
+  loginAt: number;
+  context?: Record<string, unknown>;
 };
 /**
  * Top-level `UserCredentials` keys that workflow-collected profile payloads
@@ -1932,6 +2023,22 @@ declare const RESERVED_USER_KEYS: ReadonlySet<string>;
  * Does not mutate the input.
  */
 declare function stripReservedUserKeys(profile: Record<string, unknown>): Record<string, unknown>;
+/**
+ * Best-effort "Browser on OS" label from a raw User-Agent string — feeds the
+ * `name` field of `seenDevices` records so a device list reads "Chrome on
+ * Windows" instead of a token. Deliberately tiny (no UA-parser dependency);
+ * detection order lives in the `UA_BROWSERS` / `UA_OSES` tables above.
+ * Returns just the browser or just the OS when only one side is detected;
+ * `undefined` for empty / fully unrecognized input.
+ */
+declare function humanizeUserAgent(ua: string | undefined): string | undefined;
+declare function haversineKm(a: {
+  lat: number;
+  lon: number;
+}, b: {
+  lat: number;
+  lon: number;
+}): number;
 /** Trim + de-duplicate role identifiers submitted via the admin invite form. */
 declare function parseInviteRoles(input?: string[]): string[];
 /**
@@ -1964,6 +2071,16 @@ declare class AuthWorkflow {
    * sync-friendly: the default `void` preserves the engine's sync fast path.
    */
   protected deliver(_payload: AuthDeliveryPayload): void | Promise<void>;
+  /**
+   * The blessed one-call alert path for risk overrides — emit a
+   * `security-alert` delivery (e.g. from an impossible-travel
+   * `resolveRiskStepUp` override). Recipient comes from `ctx.notice.email`,
+   * the proven-first correspondence chain seeded by `credentials` /
+   * `seedChannelState` and refreshed by `verify/email`. No recipient →
+   * SILENT no-op (a user with no provable inbox simply can't be alerted —
+   * mirrors `notifyNewDevice`'s posture). Never called by the base class.
+   */
+  protected sendSecurityAlert(ctx: AuthWfCtx, reason: string, context?: Record<string, unknown>): Promise<void>;
   /**
    * Return the list of selectable role identifiers for the admin invite form.
    * Mirrors the prior `InviteWorkflow.getAvailableRoles()` consumer hook —
@@ -2306,6 +2423,17 @@ declare class AuthWorkflow {
    * matching `resolveOtpDisclosure` / the MFA transport.
    */
   protected resolvePromoteHandleField(_ctx: AuthWfCtx, _channel: "email" | "sms"): string | undefined | Promise<string | undefined>;
+  /**
+   * Decide whether a verified federated profile's email claim counts as inbox
+   * proof for the CORRESPONDENCE address (`users.setVerifiedEmail`). Default
+   * trusts the provider's `email_verified` claim — a provider trusted to
+   * AUTHENTICATE the user is strictly more trusted than its email claim. The
+   * capture is correspondence-only: it never promotes the address to a login
+   * handle and never resolves accounts by it. Override to exclude providers
+   * whose claim should not be taken at face value (e.g. an internal OIDC
+   * issuer that stamps `email_verified` on unverified directory entries).
+   */
+  protected resolveFederatedEmailTrust(_ctx: AuthWfCtx, profile: FederatedProfileSnapshot): boolean | Promise<boolean>;
   /**
    * Route a form alt-action click to a canonical outcome. Defaults match the
    * action ids the bundled `PincodeForm` declares; customers override per
@@ -2908,6 +3036,29 @@ declare class AuthWorkflow {
    * the MFA-form `hidden` expression on `rememberDevice`).
    */
   deviceTrust(ctx: AuthWfCtx): Promise<undefined>;
+  /**
+   * Always-on device RECOGNITION — verify-or-mint the long-lived recognition
+   * cookie against the `seenDevices` ledger. Recognition is a notification
+   * suppressor ONLY (the notify-new-device gate reads `trust.recognized`); it
+   * never skips MFA — that is `deviceTrust`, which stays opt-in and strict.
+   *
+   * Deliberately a SEPARATE step from `check-trusted-device`: that step is
+   * schema-gated on `deviceTrust.enabled && skipsMfa`, so recognition must
+   * not piggyback on it or recognition dies whenever trust is disabled —
+   * exactly the consumers who get the noisiest notify behaviour today.
+   * Verify-or-mint lives in ONE step so `trust.recognized` captures the
+   * PRE-MINT arrival state the notify gate needs (a freshly minted token
+   * must not mark the current login as recognized).
+   *
+   * A valid arriving cookie is verified with `slideTtlMs` (LRU bump) and
+   * re-stashed on `trust.seenDeviceToken` so `issue` re-sets it with a fresh
+   * maxAge. An unrecognized arrival mints + persists a new record (capped at
+   * `deviceRecognition.maxDevices`) and stashes the new token — `recognized`
+   * stays unset so the notification still fires for this login. Degrades
+   * gracefully to a no-op when no `deviceTrust.secret` is configured,
+   * preserving the legacy notify behaviour for those consumers.
+   */
+  deviceRecognition(ctx: AuthWfCtx): Promise<undefined>;
   /**
    * Standalone terms-bump prompt for returning users whose accepted terms
    * version is stale and no carrier form ran. Delegates to
@@ -2968,7 +3119,16 @@ declare class AuthWorkflow {
   /**
    * Notify the user of a login from a new device via the unified `deliver`
    * hook. Gated upstream by
-   * `!ctx.isFirstLogin && !!ctx.finalize.notifyNewDevice && !!ctx.trust.newDevice`.
+   * `!ctx.isFirstLogin && !!ctx.finalize.notifyNewDevice && !ctx.trust.recognized`
+   * — "not recognized" (no valid recognition cookie on arrival), NOT "no
+   * valid trust cookie": users who decline remember-me, or whose strict trust
+   * cookie expired / failed IP binding, must not get the email on every
+   * login. Recognition is the loose always-on ledger minted by
+   * `device-recognition`; trust stays strict and drives MFA skip only.
+   *
+   * Recipient is `notice.email` — the security-notice slot owned by the
+   * `credentials` / `seedChannelState` seeding and refreshed by
+   * `verify/email`. No recipient seeded → silently skips.
    */
   notifyNewDevice(ctx: AuthWfCtx): Promise<undefined>;
   /**
@@ -3132,14 +3292,31 @@ declare class AuthWorkflow {
    */
   private finishOAuth;
   /**
-   * Seed `ctx.email` / `ctx.channel` from a resolved user's confirmed channels —
+   * Seed `ctx.notice.email` / `ctx.channel` from a resolved user's confirmed channels —
    * shared by `ssoCallback` (linked / created / auto-linked) and `proveControl`
    * (interactively-linked) so the post-success channel shape can't drift between
-   * the two federated entry points. Mirrors `credentials`' post-login seeding.
-   * `fallbackEmail` (the provider / snapshot email) is a DISPLAY fallback only —
-   * never promoted to the unique login handle (a gated, later-phase concern).
+   * the two federated entry points. Mirrors `credentials`' post-login seeding,
+   * including the correspondence fallback (confirmed email-MFA →
+   * `users.getCorrespondenceEmail` → provider display email).
+   *
+   * Also the single federated capture point for `users.setVerifiedEmail`: a
+   * trusted `profile.email` (per `resolveFederatedEmailTrust`) is recorded as
+   * the proven correspondence address on EVERY federated login — first-time
+   * create, returning link, and interactive link alike (the store write is
+   * skipped when the capture is already current). The profile email is
+   * otherwise a DISPLAY fallback only — never promoted to the unique login
+   * handle (a gated, later-phase concern).
    */
   private seedChannelState;
+  /**
+   * Correspondence tail of the `ctx.notice.email` seeding — shared by
+   * `credentials` (post-login) and `seedChannelState` (federated) so the
+   * fallback chain (`users.getCorrespondenceEmail` → optional display email)
+   * can't drift between the two. Does NOT set `channel.emailConfirmed` — that
+   * flag means "confirmed email-MFA channel" and gates enrolment; a
+   * correspondence address is a notice recipient, not a proven OTP channel.
+   */
+  private seedCorrespondenceEmail;
   /**
    * `needs-link` setup (decision A — password, OTP fallback). Decide how the
    * user will prove control of the matched account, stash the pending-link
@@ -3304,4 +3481,4 @@ interface AuditEmitter {
   emit(event: AuditEvent): Promise<void> | void;
 }
 //#endregion
-export { ADD_MFA_WORKFLOW, AUTHZ_BINDING_COOKIE, AUTH_CODE_STORE_TOKEN, type AuditEmitter, type AuditEvent, type AuthBindings, type AuthContext, AuthController, type AuthDeliveryPayload, type AuthEmailEvent, type AuthEmailKind, type AuthEmailOutletDeps, AuthGuarded, type AuthLoginResponse, type AuthLogoutBody, type AuthOkResponse, type AuthOptions, type AuthRefreshBody, type AuthSmsEvent, type AuthSmsKind, type AuthWfCompletionState, type AuthWfConsentsState, type AuthWfCtx, type AuthWfMfaEnrollState, type AuthWfOAuthState, type AuthWfPasswordUiState, type AuthWfPincodeUiState, AuthWorkflow, type AuthWorkflowOpts, type AuthorizationServerMetadata, AuthorizeController, AuthorizeRuntime, type BuildAuthorizationServerMetadataOptions, type BuildMagicLinkUrl, type BuildProtectedResourceMetadataOptions, CHANGE_PASSWORD_WORKFLOW, CLIENT_REDIRECT_POLICY_TOKEN, type ConcurrencyLimitOptions, type ConnectedAccount, type ConsentDescriptor, type ConsentDescriptorLike, type ConsentEvent, ConsentStore, DEFAULT_AUTH_WORKFLOWS, DYNAMIC_CLIENT_STORE_TOKEN, DynamicClientRegistration, type DynamicClientRegistrationOptions, type EmailSender, type EnrichedSession, FEDERATED_IDENTITY_STORE_TOKEN, type IssueResult, type LoginRedirect, type MfaSummary, type MfaTransport, OAUTH_CSRF_COOKIE, OAuthController, OAuthRuntime, PENDING_AUTHORIZATION_STORE_TOKEN, type ProtectedResourceMetadata, Public, RESERVED_USER_KEYS, type ResolvedAuthCookieConfig, type ResolvedAuthOptions, type ResolvedAuthWorkflowOpts, type SessionEnricher, SessionEnricherProvider, type SessionInfo, SessionsController, type SmsSender, type SsoProvider, type TAuthMeta, UserId, WfTrigger, type WfTriggerOpts, WfTriggerProvider, type WwwAuthenticateBearerChallengeOptions, authGuardInterceptor, authzBindingCookieAttrs, buildAuthorizationServerMetadata, buildInviteAlreadyAcceptedEnvelope, buildProtectedResourceMetadata, buildWwwAuthenticateBearerChallenge, canonicalizeIssuer, createAuthEmailOutlet, deriveWfStateSecret, generateMagicLinkToken, getAuthMate, isSafeRelativeRedirect, oauthCsrfCookieAttrs, parseInviteRoles, resolveOAuthRedirect, stripReservedUserKeys, useAuth };
+export { ADD_MFA_WORKFLOW, AUTHZ_BINDING_COOKIE, AUTH_CODE_STORE_TOKEN, type AuditEmitter, type AuditEvent, type AuthBindings, type AuthContext, AuthController, type AuthDeliveryPayload, type AuthEmailEvent, type AuthEmailKind, type AuthEmailOutletDeps, AuthGuarded, type AuthLoginResponse, type AuthLogoutBody, type AuthOkResponse, type AuthOptions, type AuthRefreshBody, type AuthSmsEvent, type AuthSmsKind, type AuthWfCompletionState, type AuthWfConsentsState, type AuthWfCtx, type AuthWfMfaEnrollState, type AuthWfOAuthState, type AuthWfPasswordUiState, type AuthWfPincodeUiState, AuthWorkflow, type AuthWorkflowOpts, type AuthorizationServerMetadata, AuthorizeController, AuthorizeRuntime, type BuildAuthorizationServerMetadataOptions, type BuildMagicLinkUrl, type BuildProtectedResourceMetadataOptions, CHANGE_PASSWORD_WORKFLOW, CLIENT_REDIRECT_POLICY_TOKEN, type ConcurrencyLimitOptions, type ConnectedAccount, type ConsentDescriptor, type ConsentDescriptorLike, type ConsentEvent, ConsentStore, DEFAULT_AUTH_WORKFLOWS, DYNAMIC_CLIENT_STORE_TOKEN, DynamicClientRegistration, type DynamicClientRegistrationOptions, type EmailSender, type EnrichedSession, FEDERATED_IDENTITY_STORE_TOKEN, type IssueResult, type LoginRedirect, type MfaSummary, type MfaTransport, OAUTH_CSRF_COOKIE, OAuthController, OAuthRuntime, PENDING_AUTHORIZATION_STORE_TOKEN, type ProtectedResourceMetadata, Public, RESERVED_USER_KEYS, type ResolvedAuthCookieConfig, type ResolvedAuthOptions, type ResolvedAuthWorkflowOpts, type SessionEnricher, SessionEnricherProvider, type SessionInfo, SessionsController, type SmsSender, type SsoProvider, type TAuthMeta, UserId, WfTrigger, type WfTriggerOpts, WfTriggerProvider, type WwwAuthenticateBearerChallengeOptions, authGuardInterceptor, authzBindingCookieAttrs, buildAuthorizationServerMetadata, buildInviteAlreadyAcceptedEnvelope, buildProtectedResourceMetadata, buildWwwAuthenticateBearerChallenge, canonicalizeIssuer, createAuthEmailOutlet, deriveWfStateSecret, generateMagicLinkToken, getAuthMate, haversineKm, humanizeUserAgent, isSafeRelativeRedirect, oauthCsrfCookieAttrs, parseInviteRoles, resolveOAuthRedirect, stripReservedUserKeys, useAuth };

package/dist/index.mjs CHANGED Viewed

@@ -4,7 +4,7 @@ import { AuthCredential, AuthError, generateMagicLinkToken } from "@aooth/auth";
 import { current, defineWook, eventTypeKey, key } from "@wooksjs/event-core";
 import { HttpError, useAuthorization, useCookies, useHeaders, useRequest, useResponse, useUrlParams } from "@wooksjs/event-http";
 import { ArbacAction, ArbacResource, getArbacMate } from "@aooth/arbac-moost";
-import { FederatedIdentityStore, UserAuthError, UserService, generateMfaCode, generateTotpSecret, generateTotpUri, maskEmail, maskPhone, pickDefinedProfile, verifyTotpCode } from "@aooth/user";
+import { FederatedIdentityStore, SEEN_DEVICES_DEFAULT_CAP, UserAuthError, UserService, generateMfaCode, generateTotpSecret, generateTotpUri, maskEmail, maskPhone, pickDefinedProfile, verifyTotpCode } from "@aooth/user";
 import { Body, Delete, Get, HttpError as HttpError$1, Post, Query } from "@moostjs/event-http";
 import { createHash, randomBytes, timingSafeEqual } from "node:crypto";
 import { createAsHttpOutlet, finishWf, handleAsOutletRequest, useAtscriptWf } from "@atscript/moost-wf";
@@ -964,6 +964,12 @@ const DEFAULT_FORMS = {
 	authzConsent: AuthorizeConsentForm
 };
 function mergeAuthWorkflowOpts(opts) {
+	const deviceTrust = {
+		cookieName: "aooth_trusted_device",
+		ttlMs: 1440 * 6e4,
+		bindsTo: "cookie",
+		...opts.deviceTrust
+	};
 	return {
 		autoLoginOnInvite: opts.autoLoginOnInvite ?? true,
 		autoLoginOnRecover: opts.autoLoginOnRecover ?? false,
@@ -976,11 +982,11 @@ function mergeAuthWorkflowOpts(opts) {
 		recoveryStateTtlMs: opts.recoveryStateTtlMs ?? 3600 * 1e3,
 		loginUrl: opts.loginUrl ?? "/login",
 		totpIssuer: opts.totpIssuer ?? "aooth",
-		deviceTrust: {
-			cookieName: "aooth_trusted_device",
-			ttlMs: 1440 * 6e4,
-			bindsTo: "cookie",
-			...opts.deviceTrust
+		deviceTrust,
+		deviceRecognition: {
+			cookieName: opts.deviceRecognition?.cookieName ?? `${deviceTrust.cookieName}_seen`,
+			ttlMs: opts.deviceRecognition?.ttlMs ?? 4320 * 60 * 6e4,
+			maxDevices: opts.deviceRecognition?.maxDevices ?? SEEN_DEVICES_DEFAULT_CAP
 		},
 		forms: {
 			...DEFAULT_FORMS,
@@ -1006,6 +1012,7 @@ const RESERVED_USER_KEYS = new Set([
 	"passwordHistory",
 	"mfa",
 	"trustedDevices",
+	"seenDevices",
 	"pendingInvitation"
 ]);
 /**
@@ -1017,6 +1024,50 @@ function stripReservedUserKeys(profile) {
 	for (const key of Object.keys(profile)) if (!RESERVED_USER_KEYS.has(key)) out[key] = profile[key];
 	return out;
 }
+const UA_BROWSERS = [
+	["Edg", "Edge"],
+	["Chrome", "Chrome"],
+	["Firefox", "Firefox"],
+	["Safari", "Safari"]
+];
+const UA_OSES = [
+	[/iPhone|iPad|iPod/, "iOS"],
+	[/Android/, "Android"],
+	[/Mac OS X|Macintosh/, "macOS"],
+	[/Windows/, "Windows"],
+	[/Linux/, "Linux"]
+];
+/**
+* Best-effort "Browser on OS" label from a raw User-Agent string — feeds the
+* `name` field of `seenDevices` records so a device list reads "Chrome on
+* Windows" instead of a token. Deliberately tiny (no UA-parser dependency);
+* detection order lives in the `UA_BROWSERS` / `UA_OSES` tables above.
+* Returns just the browser or just the OS when only one side is detected;
+* `undefined` for empty / fully unrecognized input.
+*/
+function humanizeUserAgent(ua) {
+	if (!ua) return void 0;
+	const browser = UA_BROWSERS.find(([token]) => ua.includes(token))?.[1];
+	const os = UA_OSES.find(([pattern]) => pattern.test(ua))?.[1];
+	if (browser && os) return `${browser} on ${os}`;
+	return browser ?? os;
+}
+/**
+* Great-circle distance in kilometres between two coordinates (haversine,
+* WGS84 mean radius 6371 km) — for impossible-travel thresholds against
+* per-session geo metadata captured via `resolveIssueMetadata`. Pure and
+* dependency-free; aooth ships no geo resolution or default thresholds —
+* feeding coordinates in (and deciding what distance is "impossible") is
+* consumer policy.
+*/
+const toRad = (deg) => deg * Math.PI / 180;
+function haversineKm(a, b) {
+	const R = 6371;
+	const dLat = toRad(b.lat - a.lat);
+	const dLon = toRad(b.lon - a.lon);
+	const h = Math.sin(dLat / 2) ** 2 + Math.cos(toRad(a.lat)) * Math.cos(toRad(b.lat)) * Math.sin(dLon / 2) ** 2;
+	return 2 * R * Math.asin(Math.sqrt(h));
+}
 /** Trim + de-duplicate role identifiers submitted via the admin invite form. */
 function parseInviteRoles(input) {
 	if (!Array.isArray(input)) return [];
@@ -1153,6 +1204,27 @@ let AuthWorkflow = class AuthWorkflow {
 	*/
 	deliver(_payload) {}
 	/**
+	* The blessed one-call alert path for risk overrides — emit a
+	* `security-alert` delivery (e.g. from an impossible-travel
+	* `resolveRiskStepUp` override). Recipient comes from `ctx.notice.email`,
+	* the proven-first correspondence chain seeded by `credentials` /
+	* `seedChannelState` and refreshed by `verify/email`. No recipient →
+	* SILENT no-op (a user with no provable inbox simply can't be alerted —
+	* mirrors `notifyNewDevice`'s posture). Never called by the base class.
+	*/
+	async sendSecurityAlert(ctx, reason, context) {
+		const recipient = ctx.notice?.email;
+		if (!recipient) return;
+		await this.deliver({
+			kind: "security-alert",
+			channel: "email",
+			recipient,
+			reason,
+			loginAt: Date.now(),
+			...context && { context }
+		});
+	}
+	/**
 	* Return the list of selectable role identifiers for the admin invite form.
 	* Mirrors the prior `InviteWorkflow.getAvailableRoles()` consumer hook —
 	* `undefined` (default) means no whitelist is enforced. Read by
@@ -1661,6 +1733,19 @@ let AuthWorkflow = class AuthWorkflow {
 	*/
 	resolvePromoteHandleField(_ctx, _channel) {}
 	/**
+	* Decide whether a verified federated profile's email claim counts as inbox
+	* proof for the CORRESPONDENCE address (`users.setVerifiedEmail`). Default
+	* trusts the provider's `email_verified` claim — a provider trusted to
+	* AUTHENTICATE the user is strictly more trusted than its email claim. The
+	* capture is correspondence-only: it never promotes the address to a login
+	* handle and never resolves accounts by it. Override to exclude providers
+	* whose claim should not be taken at face value (e.g. an internal OIDC
+	* issuer that stamps `email_verified` on unverified directory entries).
+	*/
+	resolveFederatedEmailTrust(_ctx, profile) {
+		return profile.emailVerified === true;
+	}
+	/**
 	* Route a form alt-action click to a canonical outcome. Defaults match the
 	* action ids the bundled `PincodeForm` declares; customers override per
 	* form when adding new actions or remapping the canonical ones.
@@ -2116,7 +2201,7 @@ let AuthWorkflow = class AuthWorkflow {
 			else if (ctx.isPasswordExpired) (ctx.password ??= {}).changeReason = "expired";
 			const email = result.user.mfa.methods.find((m) => m.name === "email" && m.confirmed);
 			if (email) {
-				ctx.email = email.value;
+				(ctx.notice ??= {}).email = email.value;
 				(ctx.channel ??= {}).emailConfirmed = true;
 			}
 			const phone = result.user.mfa.methods.find((m) => m.name === "sms" && m.confirmed);
@@ -2125,6 +2210,7 @@ let AuthWorkflow = class AuthWorkflow {
 				channel.phone = phone.value;
 				channel.phoneConfirmed = true;
 			}
+			if (!ctx.notice?.email) await this.seedCorrespondenceEmail(ctx, result.user);
 		} catch (err) {
 			if (err instanceof UserAuthError) {
 				if (err.type === "LOCKED") throw this.throwPublic(ctx, wf, { formMessage: "Account locked, please try again later" });
@@ -2602,7 +2688,7 @@ let AuthWorkflow = class AuthWorkflow {
 	/** Activate the invited user account (flips the account status flag). */
 	async activateUser(ctx) {
 		this.requireSubject(ctx);
-		await this.users.activateAccount(ctx.subject);
+		await this.users.activateAccount(ctx.subject, ctx.email ? { verifiedEmail: ctx.email } : {});
 	}
 	/**
 	* Emit the success-confirmation envelope. The downstream `finalize-auto-
@@ -2959,7 +3045,7 @@ let AuthWorkflow = class AuthWorkflow {
 			value,
 			confirmed: false
 		}));
-		if (isEmail) ctx.email = value;
+		if (isEmail) (ctx.channel ??= {}).email = value;
 		else (ctx.channel ??= {}).phone = value;
 		const code = this.mintPin(ctx, this.opts.mfa.pincodeLength, this.opts.mfa.pincodeTtlMs);
 		await this.deliver({
@@ -2986,7 +3072,7 @@ let AuthWorkflow = class AuthWorkflow {
 				const remainingSec = Math.ceil((ctx.pincode.resendAllowedAt - Date.now()) / 1e3);
 				throw this.throwPublic(ctx, pincodeWf, { formMessage: `Please wait ${remainingSec}s before requesting a new code.` });
 			}
-			const recipient = isEmail ? ctx.email : ctx.channel?.phone;
+			const recipient = isEmail ? ctx.channel?.email : ctx.channel?.phone;
 			const code = this.mintPin(ctx, this.opts.mfa.pincodeLength, this.opts.mfa.pincodeTtlMs);
 			await this.deliver({
 				kind: "enroll-pincode",
@@ -3006,11 +3092,16 @@ let AuthWorkflow = class AuthWorkflow {
 		if (pinErr) throw this.throwPublic(ctx, pincodeWf, { errors: pinErr });
 		await this.withStoreErrorTranslation(() => this.users.confirmMfaMethod(ctx.subject, isEmail ? "email" : "sms"));
 		const channelState = ctx.channel ??= {};
-		if (isEmail) channelState.emailConfirmed = true;
-		else channelState.phoneConfirmed = true;
+		if (isEmail) {
+			channelState.emailConfirmed = true;
+			if (channelState.email) {
+				await this.users.setVerifiedEmail(ctx.subject, channelState.email);
+				(ctx.notice ??= {}).email = channelState.email;
+			}
+		} else channelState.phoneConfirmed = true;
 		if (channelState.otpDisclosure) {
 			const channelArg = isEmail ? "email" : "sms";
-			const target = isEmail ? ctx.email : channelState.phone;
+			const target = isEmail ? channelState.email : channelState.phone;
 			await this.consentStore.recordOtpChannelConsent(ctx.subject, channelArg, target, channelState.otpDisclosure);
 		}
 		delete ctx.pin;
@@ -3199,6 +3290,9 @@ let AuthWorkflow = class AuthWorkflow {
 			code,
 			expiresInMs: this.opts.mfa.pincodeTtlMs
 		});
+		const otp = ctx.otp ??= {};
+		otp.deliveredTo = target.address;
+		otp.deliveredChannel = target.channel;
 		const pincode = ctx.pincode ??= {};
 		pincode.sentTo = this.maskAddress(target.address, target.channel);
 		pincode.codeLength = this.opts.mfa.pincodeLength;
@@ -3249,7 +3343,9 @@ let AuthWorkflow = class AuthWorkflow {
 		}
 		const pinErr = this.verifyPin(ctx, input.code);
 		if (pinErr) throw this.throwPublic(ctx, wf, { errors: pinErr });
-		(ctx.otp ??= {}).verified = true;
+		const otp = ctx.otp ??= {};
+		otp.verified = true;
+		if (ctx.subject && otp.deliveredChannel === "email" && otp.deliveredTo) await this.users.setVerifiedEmail(ctx.subject, otp.deliveredTo);
 		(ctx.session ??= {}).riskStepUpEvaluated = false;
 		if (ctx.deviceTrust?.enabled && ctx.deviceTrust?.optIn) (ctx.trust ??= {}).rememberDevice = Boolean(input.rememberDevice);
 		delete ctx.pin;
@@ -3449,6 +3545,7 @@ let AuthWorkflow = class AuthWorkflow {
 			value,
 			confirmed: true
 		}));
+		if (methodName === "email") await this.users.setVerifiedEmail(username, value);
 		if (!m.keepExistingDefault) await this.users.setDefaultMfaMethod(username, methodName);
 		m.done = true;
 		(ctx.otp ??= {}).verified = true;
@@ -3545,6 +3642,47 @@ let AuthWorkflow = class AuthWorkflow {
 		(ctx.trust ??= {}).deviceTrustToken = record.token;
 	}
 	/**
+	* Always-on device RECOGNITION — verify-or-mint the long-lived recognition
+	* cookie against the `seenDevices` ledger. Recognition is a notification
+	* suppressor ONLY (the notify-new-device gate reads `trust.recognized`); it
+	* never skips MFA — that is `deviceTrust`, which stays opt-in and strict.
+	*
+	* Deliberately a SEPARATE step from `check-trusted-device`: that step is
+	* schema-gated on `deviceTrust.enabled && skipsMfa`, so recognition must
+	* not piggyback on it or recognition dies whenever trust is disabled —
+	* exactly the consumers who get the noisiest notify behaviour today.
+	* Verify-or-mint lives in ONE step so `trust.recognized` captures the
+	* PRE-MINT arrival state the notify gate needs (a freshly minted token
+	* must not mark the current login as recognized).
+	*
+	* A valid arriving cookie is verified with `slideTtlMs` (LRU bump) and
+	* re-stashed on `trust.seenDeviceToken` so `issue` re-sets it with a fresh
+	* maxAge. An unrecognized arrival mints + persists a new record (capped at
+	* `deviceRecognition.maxDevices`) and stashes the new token — `recognized`
+	* stays unset so the notification still fires for this login. Degrades
+	* gracefully to a no-op when no `deviceTrust.secret` is configured,
+	* preserving the legacy notify behaviour for those consumers.
+	*/
+	async deviceRecognition(ctx) {
+		if (!ctx.subject) return void 0;
+		if (!this.users.hasDeviceTrustSecret()) return void 0;
+		const cookieValue = useCookies(current()).getCookie(this.opts.deviceRecognition.cookieName);
+		const trust = ctx.trust ??= {};
+		if (cookieValue) {
+			if (await this.users.verifySeenDevice(ctx.subject, cookieValue, { slideTtlMs: this.opts.deviceRecognition.ttlMs })) {
+				trust.recognized = true;
+				trust.seenDeviceToken = cookieValue;
+				return;
+			}
+		}
+		const record = this.users.issueSeenDevice(ctx.subject, {
+			ttlMs: this.opts.deviceRecognition.ttlMs,
+			name: humanizeUserAgent(this.resolveUserAgent())
+		});
+		await this.users.addSeenDevice(ctx.subject, record, { cap: this.opts.deviceRecognition.maxDevices });
+		trust.seenDeviceToken = record.token;
+	}
+	/**
 	* Standalone terms-bump prompt for returning users whose accepted terms
 	* version is stale and no carrier form ran. Delegates to
 	* `processInlineConsent` for validation + ctx writes.
@@ -3620,14 +3758,8 @@ let AuthWorkflow = class AuthWorkflow {
 	*/
 	async revokeSessions(ctx) {
 		if (!ctx.subject) return void 0;
-		if (ctx.changePassword?.revokeOtherSessions) {
-			const currentSessionId = useAuth().getSessionId();
-			if (currentSessionId) {
-				await this.auth.revokeOtherSessions(ctx.subject, currentSessionId);
-				return;
-			}
-		}
-		await this.auth.revokeAllForUser(ctx.subject);
+		const currentSessionId = ctx.changePassword?.revokeOtherSessions ? useAuth().getSessionId() : void 0;
+		await Promise.all([currentSessionId ? this.auth.revokeOtherSessions(ctx.subject, currentSessionId) : this.auth.revokeAllForUser(ctx.subject), this.users.revokeSeenDevices(ctx.subject)]);
 	}
 	/**
 	* Lift a failed-login lockout after a successful password reset. Recovery
@@ -3653,14 +3785,19 @@ let AuthWorkflow = class AuthWorkflow {
 			finished: true,
 			data: auth.buildLoginResponse(ctx.subject, issue)
 		};
-		const sessionCookies = auth.buildFinishedCookies(issue);
-		const cookies = ctx.trust?.deviceTrustToken ? {
-			...sessionCookies,
-			[this.opts.deviceTrust.cookieName]: {
-				value: ctx.trust.deviceTrustToken,
-				options: auth.cookieAttrs({ maxAge: this.opts.deviceTrust.ttlMs / 1e3 })
-			}
-		} : sessionCookies;
+		let cookies = auth.buildFinishedCookies(issue);
+		const attachDeviceCookie = (name, value, ttlMs) => {
+			if (!value) return;
+			cookies = {
+				...cookies,
+				[name]: {
+					value,
+					options: auth.cookieAttrs({ maxAge: ttlMs / 1e3 })
+				}
+			};
+		};
+		attachDeviceCookie(this.opts.deviceTrust.cookieName, ctx.trust?.deviceTrustToken, this.opts.deviceTrust.ttlMs);
+		attachDeviceCookie(this.opts.deviceRecognition.cookieName, ctx.trust?.seenDeviceToken, this.opts.deviceRecognition.ttlMs);
 		useWfFinished().set({
 			type: "data",
 			value: envelope,
@@ -3670,14 +3807,24 @@ let AuthWorkflow = class AuthWorkflow {
 	/**
 	* Notify the user of a login from a new device via the unified `deliver`
 	* hook. Gated upstream by
-	* `!ctx.isFirstLogin && !!ctx.finalize.notifyNewDevice && !!ctx.trust.newDevice`.
+	* `!ctx.isFirstLogin && !!ctx.finalize.notifyNewDevice && !ctx.trust.recognized`
+	* — "not recognized" (no valid recognition cookie on arrival), NOT "no
+	* valid trust cookie": users who decline remember-me, or whose strict trust
+	* cookie expired / failed IP binding, must not get the email on every
+	* login. Recognition is the loose always-on ledger minted by
+	* `device-recognition`; trust stays strict and drives MFA skip only.
+	*
+	* Recipient is `notice.email` — the security-notice slot owned by the
+	* `credentials` / `seedChannelState` seeding and refreshed by
+	* `verify/email`. No recipient seeded → silently skips.
 	*/
 	async notifyNewDevice(ctx) {
-		if (!ctx.email) return void 0;
+		const recipient = ctx.notice?.email;
+		if (!recipient) return void 0;
 		await this.deliver({
 			kind: "new-device-notice",
 			channel: "email",
-			recipient: ctx.email,
+			recipient,
 			loginAt: Date.now()
 		});
 	}
@@ -4149,7 +4296,7 @@ let AuthWorkflow = class AuthWorkflow {
 			});
 			if (Object.keys(extras).length > 0) await this.users.update(outcome.userId, extras);
 		}
-		this.seedChannelState(ctx, user, profile.email);
+		await this.seedChannelState(ctx, user, profile);
 		swapStrategy("store");
 	}
 	/**
@@ -4176,19 +4323,31 @@ let AuthWorkflow = class AuthWorkflow {
 		} });
 	}
 	/**
-	* Seed `ctx.email` / `ctx.channel` from a resolved user's confirmed channels —
+	* Seed `ctx.notice.email` / `ctx.channel` from a resolved user's confirmed channels —
 	* shared by `ssoCallback` (linked / created / auto-linked) and `proveControl`
 	* (interactively-linked) so the post-success channel shape can't drift between
-	* the two federated entry points. Mirrors `credentials`' post-login seeding.
-	* `fallbackEmail` (the provider / snapshot email) is a DISPLAY fallback only —
-	* never promoted to the unique login handle (a gated, later-phase concern).
-	*/
-	seedChannelState(ctx, user, fallbackEmail) {
+	* the two federated entry points. Mirrors `credentials`' post-login seeding,
+	* including the correspondence fallback (confirmed email-MFA →
+	* `users.getCorrespondenceEmail` → provider display email).
+	*
+	* Also the single federated capture point for `users.setVerifiedEmail`: a
+	* trusted `profile.email` (per `resolveFederatedEmailTrust`) is recorded as
+	* the proven correspondence address on EVERY federated login — first-time
+	* create, returning link, and interactive link alike (the store write is
+	* skipped when the capture is already current). The profile email is
+	* otherwise a DISPLAY fallback only — never promoted to the unique login
+	* handle (a gated, later-phase concern).
+	*/
+	async seedChannelState(ctx, user, profile) {
+		if (profile?.email && user.account.verifiedEmail !== profile.email && await this.resolveFederatedEmailTrust(ctx, profile)) {
+			await this.users.setVerifiedEmail(user.id, profile.email);
+			user.account.verifiedEmail = profile.email;
+		}
 		const email = user.mfa.methods.find((m) => m.name === "email" && m.confirmed);
 		if (email) {
-			ctx.email = email.value;
+			(ctx.notice ??= {}).email = email.value;
 			(ctx.channel ??= {}).emailConfirmed = true;
-		} else if (fallbackEmail) ctx.email = fallbackEmail;
+		} else await this.seedCorrespondenceEmail(ctx, user, profile?.email);
 		const phone = user.mfa.methods.find((m) => m.name === "sms" && m.confirmed);
 		if (phone) {
 			const channel = ctx.channel ??= {};
@@ -4197,6 +4356,19 @@ let AuthWorkflow = class AuthWorkflow {
 		}
 	}
 	/**
+	* Correspondence tail of the `ctx.notice.email` seeding — shared by
+	* `credentials` (post-login) and `seedChannelState` (federated) so the
+	* fallback chain (`users.getCorrespondenceEmail` → optional display email)
+	* can't drift between the two. Does NOT set `channel.emailConfirmed` — that
+	* flag means "confirmed email-MFA channel" and gates enrolment; a
+	* correspondence address is a notice recipient, not a proven OTP channel.
+	*/
+	async seedCorrespondenceEmail(ctx, user, displayEmail) {
+		const correspondence = await this.users.getCorrespondenceEmail(user);
+		if (correspondence) (ctx.notice ??= {}).email = correspondence;
+		else if (displayEmail) (ctx.notice ??= {}).email = displayEmail;
+	}
+	/**
 	* `needs-link` setup (decision A — password, OTP fallback). Decide how the
 	* user will prove control of the matched account, stash the pending-link
 	* state, and return so the `prove-control` @Step (gated on `ctx.pendingLink`)
@@ -4351,7 +4523,7 @@ let AuthWorkflow = class AuthWorkflow {
 			isNew: false,
 			...pending.redirect ? { redirect: pending.redirect } : {}
 		};
-		this.seedChannelState(ctx, candidate, pending.snapshot?.email);
+		await this.seedChannelState(ctx, candidate, pending.snapshot);
 		delete ctx.pendingLink;
 		swapStrategy("store");
 	}
@@ -4947,6 +5119,14 @@ __decorate([
 	__decorateMetadata("design:paramtypes", [Object]),
 	__decorateMetadata("design:returntype", Promise)
 ], AuthWorkflow.prototype, "deviceTrust", null);
+__decorate([
+	Step("device-recognition"),
+	Public(),
+	__decorateParam(0, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object]),
+	__decorateMetadata("design:returntype", Promise)
+], AuthWorkflow.prototype, "deviceRecognition", null);
 __decorate([
 	Step("terms-bump-prompt"),
 	Public(),
@@ -5179,11 +5359,11 @@ __decorate([
 		},
 		{
 			id: "ask/email",
-			condition: (ctx) => (!!ctx.enrollment?.ensureEmail || !!ctx.guards?.emailVerifiedRequired) && !ctx.email
+			condition: (ctx) => (!!ctx.enrollment?.ensureEmail || !!ctx.guards?.emailVerifiedRequired) && !ctx.channel?.email && !ctx.channel?.emailConfirmed
 		},
 		{
 			id: "verify/email",
-			condition: (ctx) => (!!ctx.enrollment?.ensureEmail || !!ctx.guards?.emailVerifiedRequired) && !!ctx.email && !ctx.channel?.emailConfirmed
+			condition: (ctx) => (!!ctx.enrollment?.ensureEmail || !!ctx.guards?.emailVerifiedRequired) && !!ctx.channel?.email && !ctx.channel?.emailConfirmed
 		},
 		{
 			id: "ask/phone",
@@ -5218,10 +5398,11 @@ __decorate([
 		{
 			condition: (ctx) => !ctx.authz,
 			steps: [
+				{ id: "device-recognition" },
 				{ id: "issue" },
 				{
 					id: "notify-new-device",
-					condition: (ctx) => !ctx.isFirstLogin && !!ctx.finalize?.notifyNewDevice && !!ctx.trust?.newDevice
+					condition: (ctx) => !ctx.isFirstLogin && !!ctx.finalize?.notifyNewDevice && !ctx.trust?.recognized
 				},
 				{ id: "redirect" }
 			]
@@ -6437,4 +6618,4 @@ function createAuthEmailOutlet(deps) {
 	});
 }
 //#endregion
-export { ADD_MFA_WORKFLOW, AUTHZ_BINDING_COOKIE, AUTH_CODE_STORE_TOKEN, AuthController, AuthGuarded, AuthWorkflow, AuthorizeController, AuthorizeRuntime, CHANGE_PASSWORD_WORKFLOW, CLIENT_REDIRECT_POLICY_TOKEN, ConsentStore, DEFAULT_AUTH_WORKFLOWS, DYNAMIC_CLIENT_STORE_TOKEN, DynamicClientRegistration, FEDERATED_IDENTITY_STORE_TOKEN, OAUTH_CSRF_COOKIE, OAuthController, OAuthRuntime, PENDING_AUTHORIZATION_STORE_TOKEN, Public, RESERVED_USER_KEYS, SessionEnricherProvider, SessionsController, UserId, WfTrigger, WfTriggerProvider, authGuardInterceptor, authzBindingCookieAttrs, buildAuthorizationServerMetadata, buildInviteAlreadyAcceptedEnvelope, buildProtectedResourceMetadata, buildWwwAuthenticateBearerChallenge, canonicalizeIssuer, createAuthEmailOutlet, deriveWfStateSecret, generateMagicLinkToken, getAuthMate, isSafeRelativeRedirect, oauthCsrfCookieAttrs, parseInviteRoles, resolveOAuthRedirect, stripReservedUserKeys, useAuth };
+export { ADD_MFA_WORKFLOW, AUTHZ_BINDING_COOKIE, AUTH_CODE_STORE_TOKEN, AuthController, AuthGuarded, AuthWorkflow, AuthorizeController, AuthorizeRuntime, CHANGE_PASSWORD_WORKFLOW, CLIENT_REDIRECT_POLICY_TOKEN, ConsentStore, DEFAULT_AUTH_WORKFLOWS, DYNAMIC_CLIENT_STORE_TOKEN, DynamicClientRegistration, FEDERATED_IDENTITY_STORE_TOKEN, OAUTH_CSRF_COOKIE, OAuthController, OAuthRuntime, PENDING_AUTHORIZATION_STORE_TOKEN, Public, RESERVED_USER_KEYS, SessionEnricherProvider, SessionsController, UserId, WfTrigger, WfTriggerProvider, authGuardInterceptor, authzBindingCookieAttrs, buildAuthorizationServerMetadata, buildInviteAlreadyAcceptedEnvelope, buildProtectedResourceMetadata, buildWwwAuthenticateBearerChallenge, canonicalizeIssuer, createAuthEmailOutlet, deriveWfStateSecret, generateMagicLinkToken, getAuthMate, haversineKm, humanizeUserAgent, isSafeRelativeRedirect, oauthCsrfCookieAttrs, parseInviteRoles, resolveOAuthRedirect, stripReservedUserKeys, useAuth };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@aooth/auth-moost",
-  "version": "0.1.19",
+  "version": "0.1.21",
   "description": "Moost auth integration for aoothjs — AuthGuard interceptor, useAuth composable, REST endpoints, workflows",
   "keywords": [
     "aoothjs",
@@ -57,33 +57,33 @@
     "access": "public"
   },
   "dependencies": {
-    "@atscript/moost-wf": "^0.1.98",
+    "@atscript/moost-wf": "^0.1.100",
     "@wooksjs/http-body": "^0.7.19",
-    "@aooth/auth": "0.1.19",
-    "@aooth/arbac-moost": "^0.1.19",
-    "@aooth/idp": "0.1.19",
-    "@aooth/user": "0.1.19"
+    "@aooth/arbac-moost": "^0.1.21",
+    "@aooth/auth": "0.1.21",
+    "@aooth/idp": "0.1.21",
+    "@aooth/user": "0.1.21"
   },
   "devDependencies": {
-    "@atscript/core": "^0.1.75",
-    "@atscript/typescript": "^0.1.75",
-    "@atscript/ui": "^0.1.98",
-    "@atscript/ui-fns": "^0.1.98",
-    "@moostjs/event-http": "^0.6.26",
-    "@moostjs/event-wf": "^0.6.26",
-    "moost": "^0.6.26",
-    "unplugin-atscript": "^0.1.75",
+    "@atscript/core": "^0.1.76",
+    "@atscript/typescript": "^0.1.76",
+    "@atscript/ui": "^0.1.100",
+    "@atscript/ui-fns": "^0.1.100",
+    "@moostjs/event-http": "^0.6.27",
+    "@moostjs/event-wf": "^0.6.27",
+    "moost": "^0.6.27",
+    "unplugin-atscript": "^0.1.76",
     "wooks": "^0.7.19"
   },
   "peerDependencies": {
-    "@atscript/moost-wf": "^0.1.98",
-    "@atscript/typescript": "^0.1.75",
-    "@moostjs/event-http": "^0.6.26",
-    "@moostjs/event-wf": "^0.6.26",
+    "@atscript/moost-wf": "^0.1.100",
+    "@atscript/typescript": "^0.1.76",
+    "@moostjs/event-http": "^0.6.27",
+    "@moostjs/event-wf": "^0.6.27",
     "@wooksjs/event-core": "^0.7.19",
     "@wooksjs/event-http": "^0.7.19",
     "@wooksjs/http-body": "^0.7.19",
-    "moost": "^0.6.26"
+    "moost": "^0.6.27"
   },
   "peerDependenciesMeta": {
     "@atscript/typescript": {