@aooth/user 0.1.7 → 0.1.9

package/dist/{user-store-BPZVAboN.cjs → federated-identity-store-BEEEcoaP.cjs}

@@ -15,6 +15,8 @@ const defaultMessages = {
 	CAS_EXHAUSTED: "Update conflict — please retry"
 };
 var UserAuthError = class extends Error {
+	type;
+	details;
 	name = "UserAuthError";
 	constructor(type, message, details) {
 		super(message ?? defaultMessages[type]);
@@ -92,8 +94,52 @@ function incrementAtPath(obj, path, amount) {
 }
 //#endregion
 //#region src/store/user-store.ts
+/**
+* Storage seam for user credentials, keyed by the stable surrogate **`id`**
+* (the token subject). Reads come in three flavours:
+*
+* - `findById` — strict, by the surrogate id; the canonical identity read used
+*   by authenticated flows that resolve the session subject (`getUserId()`).
+* - `findByHandle` — deterministic LOGIN resolver (`username`, then the
+*   annotation-resolved handle fields — email, then phone — in order).
+* - `findByIdentifier` — permissive internal/admin/recovery lookup (`id`, then
+*   the `findByHandle` chain).
+*
+* Writes (`update`/`delete`/`withCas`) all key on the surrogate `id`.
+*/
 var UserStore = class {};
 //#endregion
+//#region src/store/federated-identity-store.ts
+/**
+* Copy only the DEFINED display fields — so a `touchLogin` / `link` with a
+* partial profile (e.g. Apple omitting the email on a repeat login) never
+* overwrites a stored value with `undefined`. Shared by every
+* {@link FederatedIdentityStore} impl.
+*/
+function pickDefinedProfile(src) {
+	const out = {};
+	if (src.email !== void 0) out.email = src.email;
+	if (src.emailVerified !== void 0) out.emailVerified = src.emailVerified;
+	if (src.displayName !== void 0) out.displayName = src.displayName;
+	if (src.avatarUrl !== void 0) out.avatarUrl = src.avatarUrl;
+	return out;
+}
+/**
+* Storage seam for the account-linking table (RFC IDP.md §3.3). The stable
+* lookup key is the composite `(provider, subject)`; a user may own many rows
+* (one per linked provider account), so `userId` reads return a list.
+*
+* In-memory + atscript-db implementations ship alongside; the abstract surface
+* keeps the federated-login core (`@aooth/idp`, phase 2) storage-agnostic.
+*/
+var FederatedIdentityStore = class {};
+//#endregion
+Object.defineProperty(exports, "FederatedIdentityStore", {
+	enumerable: true,
+	get: function() {
+		return FederatedIdentityStore;
+	}
+});
 Object.defineProperty(exports, "UserAuthError", {
 	enumerable: true,
 	get: function() {
@@ -142,6 +188,12 @@ Object.defineProperty(exports, "maskPhone", {
 		return maskPhone;
 	}
 });
+Object.defineProperty(exports, "pickDefinedProfile", {
+	enumerable: true,
+	get: function() {
+		return pickDefinedProfile;
+	}
+});
 Object.defineProperty(exports, "setAtPath", {
 	enumerable: true,
 	get: function() {

package/dist/{user-store-BaBmH13V.mjs → federated-identity-store-CHW1xtMp.mjs}

@@ -15,6 +15,8 @@ const defaultMessages = {
 	CAS_EXHAUSTED: "Update conflict — please retry"
 };
 var UserAuthError = class extends Error {
+	type;
+	details;
 	name = "UserAuthError";
 	constructor(type, message, details) {
 		super(message ?? defaultMessages[type]);
@@ -92,6 +94,44 @@ function incrementAtPath(obj, path, amount) {
 }
 //#endregion
 //#region src/store/user-store.ts
+/**
+* Storage seam for user credentials, keyed by the stable surrogate **`id`**
+* (the token subject). Reads come in three flavours:
+*
+* - `findById` — strict, by the surrogate id; the canonical identity read used
+*   by authenticated flows that resolve the session subject (`getUserId()`).
+* - `findByHandle` — deterministic LOGIN resolver (`username`, then the
+*   annotation-resolved handle fields — email, then phone — in order).
+* - `findByIdentifier` — permissive internal/admin/recovery lookup (`id`, then
+*   the `findByHandle` chain).
+*
+* Writes (`update`/`delete`/`withCas`) all key on the surrogate `id`.
+*/
 var UserStore = class {};
 //#endregion
-export { maskEmail as a, setAtPath as c, incrementAtPath as i, UserAuthError as l, deepMerge as n, maskMfaValue as o, generateSecureRandom as r, maskPhone as s, UserStore as t };
+//#region src/store/federated-identity-store.ts
+/**
+* Copy only the DEFINED display fields — so a `touchLogin` / `link` with a
+* partial profile (e.g. Apple omitting the email on a repeat login) never
+* overwrites a stored value with `undefined`. Shared by every
+* {@link FederatedIdentityStore} impl.
+*/
+function pickDefinedProfile(src) {
+	const out = {};
+	if (src.email !== void 0) out.email = src.email;
+	if (src.emailVerified !== void 0) out.emailVerified = src.emailVerified;
+	if (src.displayName !== void 0) out.displayName = src.displayName;
+	if (src.avatarUrl !== void 0) out.avatarUrl = src.avatarUrl;
+	return out;
+}
+/**
+* Storage seam for the account-linking table (RFC IDP.md §3.3). The stable
+* lookup key is the composite `(provider, subject)`; a user may own many rows
+* (one per linked provider account), so `userId` reads return a list.
+*
+* In-memory + atscript-db implementations ship alongside; the abstract surface
+* keeps the federated-login core (`@aooth/idp`, phase 2) storage-agnostic.
+*/
+var FederatedIdentityStore = class {};
+//#endregion
+export { generateSecureRandom as a, maskMfaValue as c, UserAuthError as d, deepMerge as i, maskPhone as l, pickDefinedProfile as n, incrementAtPath as o, UserStore as r, maskEmail as s, FederatedIdentityStore as t, setAtPath as u };

package/dist/{user-store-62LCSa8q.d.mts → federated-identity-store-CI7Vgllp.d.cts}

@@ -13,12 +13,6 @@ interface UserCredentials {
   password: PasswordData;
   account: AccountData;
   mfa: MfaData;
-  /**
-   * Hashed backup codes (SHA-256, hex-encoded). Generated via
-   * `UserService.generateBackupCodes`. Undefined when the user has not
-   * enrolled backup codes; an empty array means all codes were consumed.
-   */
-  backupCodes?: string[];
   /**
    * Persisted device-trust records ("remember this device, skip MFA next
    * time"). Managed by `UserService.{issue,add,verify,revoke,list}TrustedDevice`.
@@ -225,30 +219,155 @@ interface WithCasOptions {
    */
   maxAttempts?: number;
 }
+/**
+ * Storage seam for user credentials, keyed by the stable surrogate **`id`**
+ * (the token subject). Reads come in three flavours:
+ *
+ * - `findById` — strict, by the surrogate id; the canonical identity read used
+ *   by authenticated flows that resolve the session subject (`getUserId()`).
+ * - `findByHandle` — deterministic LOGIN resolver (`username`, then the
+ *   annotation-resolved handle fields — email, then phone — in order).
+ * - `findByIdentifier` — permissive internal/admin/recovery lookup (`id`, then
+ *   the `findByHandle` chain).
+ *
+ * Writes (`update`/`delete`/`withCas`) all key on the surrogate `id`.
+ */
 declare abstract class UserStore<T extends object = object> {
-  abstract exists(username: string): Promise<boolean>;
-  abstract findByUsername(username: string): Promise<(UserCredentials & T) | null>;
+  /** True when a user with this login handle (`username`) exists. */
+  abstract exists(handle: string): Promise<boolean>;
+  /**
+   * Strict read by the stable surrogate `id` — the token subject. Authenticated
+   * flows resolve the session subject (`useAuth().getUserId()`) through this.
+   */
+  abstract findById(id: string): Promise<(UserCredentials & T) | null>;
+  /**
+   * Deterministic LOGIN resolver: matches `username` exactly, then each
+   * annotation-resolved handle field (email, then phone) exactly, in that
+   * order. Intentionally NOT a permissive `$or` — handle values are all
+   * strings, so a permissive match could silently resolve a value that is one
+   * user's username and another's email to an arbitrary account. Each handle
+   * field is unique-when-present (the `@aooth.user.*` boot contract), so a
+   * present value resolves to at most one row.
+   */
+  abstract findByHandle(handle: string): Promise<(UserCredentials & T) | null>;
+  /**
+   * Permissive lookup for internal / admin / recovery callers: `id`, then the
+   * `findByHandle` chain (`username`, then the resolved handle fields). NOT for
+   * the login path — use `findByHandle` there.
+   */
+  abstract findByIdentifier(value: string): Promise<(UserCredentials & T) | null>;
   abstract create(data: UserCredentials & T): Promise<void>;
-  abstract update(username: string, update: UserStoreUpdate): Promise<boolean>;
+  /** Apply a patch to the row identified by the stable `id`. */
+  abstract update(id: string, update: UserStoreUpdate): Promise<boolean>;
   /**
-   * Hard-delete the row. Returns `true` when a row was removed, `false` when
-   * the username was not found. Used by `UserService.deleteUser` (and in turn
-   * by the invite workflow's `auth/invite/cancel` step).
+   * Hard-delete the row by `id`. Returns `true` when a row was removed, `false`
+   * when the id was not found.
    */
-  abstract delete(username: string): Promise<boolean>;
+  abstract delete(id: string): Promise<boolean>;
   /**
-   * Run a read-modify-write cycle under optimistic concurrency. Each attempt
-   * fetches the current row, calls `mutator` with it, and applies the returned
-   * patch under CAS (`expectedVersion = current.version`). On CAS miss the
-   * cycle repeats up to `opts.maxAttempts`. The mutator MAY return `null` to
-   * exit early without writing — used for "race-loser detects nothing left to
-   * do" paths (e.g. the backup code was already consumed by the winner).
+   * Run a read-modify-write cycle under optimistic concurrency, keyed by `id`.
+   * Each attempt re-reads (via `findById`), calls `mutator`, and applies the
+   * returned patch under CAS (`expectedVersion = current.version`). On CAS miss
+   * the cycle repeats up to `opts.maxAttempts`. The mutator MAY return `null`
+   * to exit early without writing (race-loser "nothing left to do").
    *
-   * Throws `UserAuthError("NOT_FOUND")` when no row matches `username`, or
-   * `UserAuthError("CAS_EXHAUSTED")` when retries are saturated. Errors
-   * thrown from inside `mutator` propagate immediately without retry.
+   * Throws `UserAuthError("NOT_FOUND")` when no row matches `id`, or
+   * `UserAuthError("CAS_EXHAUSTED")` when retries are saturated. Errors thrown
+   * from inside `mutator` propagate immediately without retry.
+   */
+  abstract withCas(id: string, mutator: (current: UserCredentials & T) => UserStoreUpdate | null, opts?: WithCasOptions): Promise<void>;
+}
+//#endregion
+//#region src/store/federated-identity-store.d.ts
+/**
+ * Display fields snapshotted from an IdP profile onto a federated-identity row.
+ * Refreshed on each login via {@link FederatedIdentityStore.touchLogin}; never
+ * a join key (the stable join is `(provider, subject)`). Phase-2's
+ * `NormalizedProfile` (in `@aooth/idp`) is a structural superset of this — it
+ * is declared HERE rather than imported so `@aooth/user` keeps no dependency on
+ * the layer above it.
+ */
+interface FederatedProfileSnapshot {
+  email?: string;
+  emailVerified?: boolean;
+  displayName?: string;
+  avatarUrl?: string;
+}
+/**
+ * Copy only the DEFINED display fields — so a `touchLogin` / `link` with a
+ * partial profile (e.g. Apple omitting the email on a repeat login) never
+ * overwrites a stored value with `undefined`. Shared by every
+ * {@link FederatedIdentityStore} impl.
+ */
+declare function pickDefinedProfile(src: FederatedProfileSnapshot): FederatedProfileSnapshot;
+/**
+ * A persisted federated-identity row: one external-provider account
+ * (`provider` + the IdP's stable `subject`) linked to exactly one aooth user
+ * (`userId` = the user's surrogate `id`). Mirrors the shipped
+ * `AoothFederatedIdentity` `.as` model by construction.
+ */
+interface FederatedIdentity extends FederatedProfileSnapshot {
+  /** Surrogate PK. Server-assigned (`@db.default.uuid` / `randomUUID`). */
+  id: string;
+  provider: string;
+  subject: string;
+  /** Owner — the user's stable surrogate `id`. */
+  userId: string;
+  /** When the link was first created. */
+  linkedAt: number;
+  /** Last federated login through this identity; absent until first `touchLogin`. */
+  lastLoginAt?: number;
+}
+/**
+ * Input to {@link FederatedIdentityStore.link} — the identity keys + owner plus
+ * an optional first-login profile snapshot. `id` and `linkedAt` are assigned by
+ * the store.
+ */
+interface NewFederatedIdentity extends FederatedProfileSnapshot {
+  provider: string;
+  subject: string;
+  userId: string;
+}
+/**
+ * Storage seam for the account-linking table (RFC IDP.md §3.3). The stable
+ * lookup key is the composite `(provider, subject)`; a user may own many rows
+ * (one per linked provider account), so `userId` reads return a list.
+ *
+ * In-memory + atscript-db implementations ship alongside; the abstract surface
+ * keeps the federated-login core (`@aooth/idp`, phase 2) storage-agnostic.
+ */
+declare abstract class FederatedIdentityStore {
+  /** Resolve a provider account to its linked row, or `null`. The federated-login hot path. */
+  abstract find(provider: string, subject: string): Promise<FederatedIdentity | null>;
+  /** All identities linked to a user — the "connected accounts" view. */
+  abstract listForUser(userId: string): Promise<FederatedIdentity[]>;
+  /**
+   * Link a provider account to a user. Throws `UserAuthError("ALREADY_EXISTS")`
+   * when `(provider, subject)` is already linked — to ANY user — which is the
+   * DB-enforced guarantee that one provider account maps to one aooth user.
+   */
+  abstract link(rec: NewFederatedIdentity): Promise<FederatedIdentity>;
+  /**
+   * Remove a single provider link. Returns `true` when a row was removed,
+   * `false` when `(provider, subject)` was not linked. (The "don't strand the
+   * user without a usable credential" guard lives in the service layer, not
+   * here — this is the raw delete.)
+   */
+  abstract unlink(provider: string, subject: string): Promise<boolean>;
+  /**
+   * Stamp `lastLoginAt = now` and merge any DEFINED `profile` fields onto the
+   * row. Profile is optional and merged field-by-field, so a provider that
+   * omits the email on a repeat login (e.g. Apple after the first auth) never
+   * nulls the stored snapshot. No-op when `(provider, subject)` is not linked.
+   */
+  abstract touchLogin(provider: string, subject: string, profile?: FederatedProfileSnapshot): Promise<void>;
+  /**
+   * Remove every identity linked to a user — GDPR hard-delete / "disconnect
+   * everything". Returns the number of rows removed. The app-level complement
+   * to a DB `onDelete cascade` (which this design deliberately does not use —
+   * `userId` is a plain column, not an FK).
    */
-  abstract withCas(username: string, mutator: (current: UserCredentials & T) => UserStoreUpdate | null, opts?: WithCasOptions): Promise<void>;
+  abstract deleteAllForUser(userId: string): Promise<number>;
 }
 //#endregion
-export { UserServiceConfig as C, UserCredentials as S, PolicyCheckResult as _, LockStatus as a, TrustedDeviceRecord as b, MfaData as c, PasswordConfig as d, PasswordData as f, PasswordPolicyInstance as g, PasswordPolicyEvalFn as h, DeepPartial as i, MfaMethod as l, PasswordPolicyDef as m, WithCasOptions as n, LockoutConfig as o, PasswordPolicyContext as p, AccountData as r, LoginResult as s, UserStore as t, MfaMethodInfo as u, TotpConfig as v, UserStoreUpdate as w, UserAuthErrorType as x, TransferablePolicy as y };
+export { TotpConfig as C, UserCredentials as D, UserAuthErrorType as E, UserServiceConfig as O, PolicyCheckResult as S, TrustedDeviceRecord as T, PasswordData as _, pickDefinedProfile as a, PasswordPolicyEvalFn as b, AccountData as c, LockoutConfig as d, LoginResult as f, PasswordConfig as g, MfaMethodInfo as h, NewFederatedIdentity as i, UserStoreUpdate as k, DeepPartial as l, MfaMethod as m, FederatedIdentityStore as n, UserStore as o, MfaData as p, FederatedProfileSnapshot as r, WithCasOptions as s, FederatedIdentity as t, LockStatus as u, PasswordPolicyContext as v, TransferablePolicy as w, PasswordPolicyInstance as x, PasswordPolicyDef as y };

package/dist/{user-store-BZsKtBHy.d.cts → federated-identity-store-CI7Vgllp.d.mts}

@@ -13,12 +13,6 @@ interface UserCredentials {
   password: PasswordData;
   account: AccountData;
   mfa: MfaData;
-  /**
-   * Hashed backup codes (SHA-256, hex-encoded). Generated via
-   * `UserService.generateBackupCodes`. Undefined when the user has not
-   * enrolled backup codes; an empty array means all codes were consumed.
-   */
-  backupCodes?: string[];
   /**
    * Persisted device-trust records ("remember this device, skip MFA next
    * time"). Managed by `UserService.{issue,add,verify,revoke,list}TrustedDevice`.
@@ -225,30 +219,155 @@ interface WithCasOptions {
    */
   maxAttempts?: number;
 }
+/**
+ * Storage seam for user credentials, keyed by the stable surrogate **`id`**
+ * (the token subject). Reads come in three flavours:
+ *
+ * - `findById` — strict, by the surrogate id; the canonical identity read used
+ *   by authenticated flows that resolve the session subject (`getUserId()`).
+ * - `findByHandle` — deterministic LOGIN resolver (`username`, then the
+ *   annotation-resolved handle fields — email, then phone — in order).
+ * - `findByIdentifier` — permissive internal/admin/recovery lookup (`id`, then
+ *   the `findByHandle` chain).
+ *
+ * Writes (`update`/`delete`/`withCas`) all key on the surrogate `id`.
+ */
 declare abstract class UserStore<T extends object = object> {
-  abstract exists(username: string): Promise<boolean>;
-  abstract findByUsername(username: string): Promise<(UserCredentials & T) | null>;
+  /** True when a user with this login handle (`username`) exists. */
+  abstract exists(handle: string): Promise<boolean>;
+  /**
+   * Strict read by the stable surrogate `id` — the token subject. Authenticated
+   * flows resolve the session subject (`useAuth().getUserId()`) through this.
+   */
+  abstract findById(id: string): Promise<(UserCredentials & T) | null>;
+  /**
+   * Deterministic LOGIN resolver: matches `username` exactly, then each
+   * annotation-resolved handle field (email, then phone) exactly, in that
+   * order. Intentionally NOT a permissive `$or` — handle values are all
+   * strings, so a permissive match could silently resolve a value that is one
+   * user's username and another's email to an arbitrary account. Each handle
+   * field is unique-when-present (the `@aooth.user.*` boot contract), so a
+   * present value resolves to at most one row.
+   */
+  abstract findByHandle(handle: string): Promise<(UserCredentials & T) | null>;
+  /**
+   * Permissive lookup for internal / admin / recovery callers: `id`, then the
+   * `findByHandle` chain (`username`, then the resolved handle fields). NOT for
+   * the login path — use `findByHandle` there.
+   */
+  abstract findByIdentifier(value: string): Promise<(UserCredentials & T) | null>;
   abstract create(data: UserCredentials & T): Promise<void>;
-  abstract update(username: string, update: UserStoreUpdate): Promise<boolean>;
+  /** Apply a patch to the row identified by the stable `id`. */
+  abstract update(id: string, update: UserStoreUpdate): Promise<boolean>;
   /**
-   * Hard-delete the row. Returns `true` when a row was removed, `false` when
-   * the username was not found. Used by `UserService.deleteUser` (and in turn
-   * by the invite workflow's `auth/invite/cancel` step).
+   * Hard-delete the row by `id`. Returns `true` when a row was removed, `false`
+   * when the id was not found.
    */
-  abstract delete(username: string): Promise<boolean>;
+  abstract delete(id: string): Promise<boolean>;
   /**
-   * Run a read-modify-write cycle under optimistic concurrency. Each attempt
-   * fetches the current row, calls `mutator` with it, and applies the returned
-   * patch under CAS (`expectedVersion = current.version`). On CAS miss the
-   * cycle repeats up to `opts.maxAttempts`. The mutator MAY return `null` to
-   * exit early without writing — used for "race-loser detects nothing left to
-   * do" paths (e.g. the backup code was already consumed by the winner).
+   * Run a read-modify-write cycle under optimistic concurrency, keyed by `id`.
+   * Each attempt re-reads (via `findById`), calls `mutator`, and applies the
+   * returned patch under CAS (`expectedVersion = current.version`). On CAS miss
+   * the cycle repeats up to `opts.maxAttempts`. The mutator MAY return `null`
+   * to exit early without writing (race-loser "nothing left to do").
    *
-   * Throws `UserAuthError("NOT_FOUND")` when no row matches `username`, or
-   * `UserAuthError("CAS_EXHAUSTED")` when retries are saturated. Errors
-   * thrown from inside `mutator` propagate immediately without retry.
+   * Throws `UserAuthError("NOT_FOUND")` when no row matches `id`, or
+   * `UserAuthError("CAS_EXHAUSTED")` when retries are saturated. Errors thrown
+   * from inside `mutator` propagate immediately without retry.
+   */
+  abstract withCas(id: string, mutator: (current: UserCredentials & T) => UserStoreUpdate | null, opts?: WithCasOptions): Promise<void>;
+}
+//#endregion
+//#region src/store/federated-identity-store.d.ts
+/**
+ * Display fields snapshotted from an IdP profile onto a federated-identity row.
+ * Refreshed on each login via {@link FederatedIdentityStore.touchLogin}; never
+ * a join key (the stable join is `(provider, subject)`). Phase-2's
+ * `NormalizedProfile` (in `@aooth/idp`) is a structural superset of this — it
+ * is declared HERE rather than imported so `@aooth/user` keeps no dependency on
+ * the layer above it.
+ */
+interface FederatedProfileSnapshot {
+  email?: string;
+  emailVerified?: boolean;
+  displayName?: string;
+  avatarUrl?: string;
+}
+/**
+ * Copy only the DEFINED display fields — so a `touchLogin` / `link` with a
+ * partial profile (e.g. Apple omitting the email on a repeat login) never
+ * overwrites a stored value with `undefined`. Shared by every
+ * {@link FederatedIdentityStore} impl.
+ */
+declare function pickDefinedProfile(src: FederatedProfileSnapshot): FederatedProfileSnapshot;
+/**
+ * A persisted federated-identity row: one external-provider account
+ * (`provider` + the IdP's stable `subject`) linked to exactly one aooth user
+ * (`userId` = the user's surrogate `id`). Mirrors the shipped
+ * `AoothFederatedIdentity` `.as` model by construction.
+ */
+interface FederatedIdentity extends FederatedProfileSnapshot {
+  /** Surrogate PK. Server-assigned (`@db.default.uuid` / `randomUUID`). */
+  id: string;
+  provider: string;
+  subject: string;
+  /** Owner — the user's stable surrogate `id`. */
+  userId: string;
+  /** When the link was first created. */
+  linkedAt: number;
+  /** Last federated login through this identity; absent until first `touchLogin`. */
+  lastLoginAt?: number;
+}
+/**
+ * Input to {@link FederatedIdentityStore.link} — the identity keys + owner plus
+ * an optional first-login profile snapshot. `id` and `linkedAt` are assigned by
+ * the store.
+ */
+interface NewFederatedIdentity extends FederatedProfileSnapshot {
+  provider: string;
+  subject: string;
+  userId: string;
+}
+/**
+ * Storage seam for the account-linking table (RFC IDP.md §3.3). The stable
+ * lookup key is the composite `(provider, subject)`; a user may own many rows
+ * (one per linked provider account), so `userId` reads return a list.
+ *
+ * In-memory + atscript-db implementations ship alongside; the abstract surface
+ * keeps the federated-login core (`@aooth/idp`, phase 2) storage-agnostic.
+ */
+declare abstract class FederatedIdentityStore {
+  /** Resolve a provider account to its linked row, or `null`. The federated-login hot path. */
+  abstract find(provider: string, subject: string): Promise<FederatedIdentity | null>;
+  /** All identities linked to a user — the "connected accounts" view. */
+  abstract listForUser(userId: string): Promise<FederatedIdentity[]>;
+  /**
+   * Link a provider account to a user. Throws `UserAuthError("ALREADY_EXISTS")`
+   * when `(provider, subject)` is already linked — to ANY user — which is the
+   * DB-enforced guarantee that one provider account maps to one aooth user.
+   */
+  abstract link(rec: NewFederatedIdentity): Promise<FederatedIdentity>;
+  /**
+   * Remove a single provider link. Returns `true` when a row was removed,
+   * `false` when `(provider, subject)` was not linked. (The "don't strand the
+   * user without a usable credential" guard lives in the service layer, not
+   * here — this is the raw delete.)
+   */
+  abstract unlink(provider: string, subject: string): Promise<boolean>;
+  /**
+   * Stamp `lastLoginAt = now` and merge any DEFINED `profile` fields onto the
+   * row. Profile is optional and merged field-by-field, so a provider that
+   * omits the email on a repeat login (e.g. Apple after the first auth) never
+   * nulls the stored snapshot. No-op when `(provider, subject)` is not linked.
+   */
+  abstract touchLogin(provider: string, subject: string, profile?: FederatedProfileSnapshot): Promise<void>;
+  /**
+   * Remove every identity linked to a user — GDPR hard-delete / "disconnect
+   * everything". Returns the number of rows removed. The app-level complement
+   * to a DB `onDelete cascade` (which this design deliberately does not use —
+   * `userId` is a plain column, not an FK).
    */
-  abstract withCas(username: string, mutator: (current: UserCredentials & T) => UserStoreUpdate | null, opts?: WithCasOptions): Promise<void>;
+  abstract deleteAllForUser(userId: string): Promise<number>;
 }
 //#endregion
-export { UserServiceConfig as C, UserCredentials as S, PolicyCheckResult as _, LockStatus as a, TrustedDeviceRecord as b, MfaData as c, PasswordConfig as d, PasswordData as f, PasswordPolicyInstance as g, PasswordPolicyEvalFn as h, DeepPartial as i, MfaMethod as l, PasswordPolicyDef as m, WithCasOptions as n, LockoutConfig as o, PasswordPolicyContext as p, AccountData as r, LoginResult as s, UserStore as t, MfaMethodInfo as u, TotpConfig as v, UserStoreUpdate as w, UserAuthErrorType as x, TransferablePolicy as y };
+export { TotpConfig as C, UserCredentials as D, UserAuthErrorType as E, UserServiceConfig as O, PolicyCheckResult as S, TrustedDeviceRecord as T, PasswordData as _, pickDefinedProfile as a, PasswordPolicyEvalFn as b, AccountData as c, LockoutConfig as d, LoginResult as f, PasswordConfig as g, MfaMethodInfo as h, NewFederatedIdentity as i, UserStoreUpdate as k, DeepPartial as l, MfaMethod as m, FederatedIdentityStore as n, UserStore as o, MfaData as p, FederatedProfileSnapshot as r, WithCasOptions as s, FederatedIdentity as t, LockStatus as u, PasswordPolicyContext as v, TransferablePolicy as w, PasswordPolicyInstance as x, PasswordPolicyDef as y };