@arch-cadre/core 0.0.42 → 0.0.43

package/dist/core/auth/logic.d.mts

@@ -1,110 +0,0 @@
-import { UserPermission, UserRole } from "../types.mjs";
-import { AuthResponse, FullUser, Session, SessionFlags, User } from "./types.mjs";
-import { LoginInput, RegisterInput } from "./validation.mjs";
-import { augmentSession, augmentUser, registerIdentityAugmenter, registerPasswordResetSessionAugmenter, registerSessionAugmenter } from "./augment.mjs";
-
-//#region src/core/auth/logic.d.ts
-/**
- * Registry for login validators (e.g. 2FA module)
- */
-type AuthValidator = (userId: string) => Promise<AuthResponse | null>;
-/**
- * Registry for Security Requirements (e.g. checking if 2FA is needed for a session)
- */
-type SecurityRequirement = (session: Session, user: FullUser) => Promise<{
-  satisfied: boolean;
-  redirect?: string;
-} | null>;
-/**
- * Registry for password reset validators (e.g. 2FA module requiring check during reset)
- */
-type PasswordResetValidator = (userId: string) => Promise<AuthResponse | null>;
-/**
- * Registry for email verification validators
- */
-type EmailVerificationValidator = (userId: string) => Promise<AuthResponse | null>;
-declare function registerAuthValidator(validator: AuthValidator): Promise<void>;
-declare function registerPasswordResetValidator(validator: PasswordResetValidator): Promise<void>;
-declare function registerEmailVerificationValidator(validator: EmailVerificationValidator): Promise<void>;
-declare function registerSecurityRequirement(requirement: SecurityRequirement): Promise<void>;
-declare function runPasswordResetValidators(userId: string): Promise<AuthResponse | null>;
-declare function runEmailVerificationValidators(userId: string): Promise<AuthResponse | null>;
-/**
- * Augments a base user with data from all registered modules.
- * This is now just a wrapper that includes core RBAC data.
- */
-declare function performFullUserAugmentation(user: User): Promise<FullUser>;
-/**
- * Checks if the current session satisfies all registered security requirements.
- */
-declare function checkSecurity(session: Session, user: FullUser, requiredRoles?: UserRole[], requiredPermissions?: UserPermission[], fallbackRedirect?: string): Promise<{
-  satisfied: boolean;
-  redirect: string | undefined;
-} | {
-  satisfied: boolean;
-  redirect?: undefined;
-}>;
-/**
- * Sign In Logic
- */
-declare function signIn(data: LoginInput): Promise<AuthResponse>;
-/**
- * Sign Up Logic
- */
-declare function signUp(data: RegisterInput): Promise<{
-  session: {
-    [x: string]: any;
-    id: string;
-    createdAt: Date;
-    updatedAt: Date | null;
-    userId: string;
-    active_organization_id: string | null;
-    expiresAt: Date;
-  };
-  user: {
-    [x: string]: any;
-    email: string;
-    password: string | null;
-    name: string;
-    id: string;
-    image: string | null;
-    recovery_code: Buffer<ArrayBufferLike>;
-    emailVerifiedAt: Date | null;
-    createdAt: Date;
-    updatedAt: Date | null;
-    roles: UserRole[];
-    permissions: UserPermission[];
-  };
-}>;
-/**
- * Finalizes login after a challenge
- */
-declare function finalizeLogin(userId: string, flags: SessionFlags): Promise<{
-  session: {
-    [x: string]: any;
-    id: string;
-    createdAt: Date;
-    updatedAt: Date | null;
-    userId: string;
-    active_organization_id: string | null;
-    expiresAt: Date;
-  } | null;
-  user: {
-    email: string;
-    password: string | null;
-    name: string;
-    id: string;
-    image: string | null;
-    recovery_code: Buffer<ArrayBufferLike>;
-    emailVerifiedAt: Date | null;
-    createdAt: Date;
-    updatedAt: Date | null;
-  } | null;
-}>;
-/**
- * Sign Out
- */
-declare function signOut(): Promise<void>;
-//#endregion
-export { checkSecurity, finalizeLogin, performFullUserAugmentation, registerAuthValidator, registerEmailVerificationValidator, registerPasswordResetValidator, registerSecurityRequirement, runEmailVerificationValidators, runPasswordResetValidators, signIn, signOut, signUp };
-//# sourceMappingURL=logic.d.mts.map

package/dist/core/auth/logic.d.mts.map

@@ -1 +0,0 @@
-{"version":3,"file":"logic.d.mts","names":[],"sources":["../../../src/core/auth/logic.ts"],"mappings":";;;;;;;;;KAyHK,aAAA,IAAiB,MAAA,aAAmB,OAAA,CAAQ,YAAA;;;;KAK5C,mBAAA,IACH,OAAA,EAAS,OAAA,EACT,IAAA,EAAM,QAAA,KACH,OAAA;EAAU,SAAA;EAAoB,QAAA;AAAA;;AAR0B;;KAaxD,sBAAA,IAA0B,MAAA,aAAmB,OAAA,CAAQ,YAAA;;;;KAKrD,0BAAA,IACH,MAAA,aACG,OAAA,CAAQ,YAAA;AAAA,iBA6BS,qBAAA,CAAsB,SAAA,EAAW,aAAA,GAAa,OAAA;AAAA,iBAI9C,8BAAA,CACpB,SAAA,EAAW,sBAAA,GAAsB,OAAA;AAAA,iBAKb,kCAAA,CACpB,SAAA,EAAW,0BAAA,GAA0B,OAAA;AAAA,iBAajB,2BAAA,CACpB,WAAA,EAAa,mBAAA,GAAmB,OAAA;AAAA,iBAKZ,0BAAA,CACpB,MAAA,WACC,OAAA,CAAQ,YAAA;AAAA,iBAQW,8BAAA,CACpB,MAAA,WACC,OAAA,CAAQ,YAAA;;;;AAnFgC;iBA+FrB,2BAAA,CACpB,IAAA,EAAM,IAAA,GACL,OAAA,CAAQ,QAAA;;;;iBAQW,aAAA,CACpB,OAAA,EAAS,OAAA,EACT,IAAA,EAAM,QAAA,EACN,aAAA,GAAgB,QAAA,IAChB,mBAAA,GAAsB,cAAA,IACtB,gBAAA,YAAyB,OAAA;;;;;;;;;;iBA+DL,MAAA,CAAO,IAAA,EAAM,UAAA,GAAa,OAAA,CAAQ,YAAA;;;AApIxD;iBAyKsB,MAAA,CAAO,IAAA,EAAM,aAAA,GAAa,OAAA;;;;;;;;;;;;;;;;;;;;;;;;;;AAjJhD;;iBAyLsB,aAAA,CAAc,MAAA,UAAgB,KAAA,EAAO,YAAA,GAAY,OAAA;;;;;;;;;;;;;;;;;;;;;;;;;iBAoBjD,OAAA,CAAA,GAAO,OAAA"}

package/dist/core/auth/logic.mjs

@@ -1,2 +0,0 @@
-"use server";import{loginSchema as e,registerSchema as t}from"./validation.mjs";import{eventBus as n}from"../event-bus.mjs";import{db as r}from"../../server/database/inject.mjs";import{permissionsTable as i,rolesTable as a,rolesToPermissionsTable as o,usersToPermissionsTable as s,usersToRolesTable as c}from"../../server/database/schema.mjs";import{augmentSession as l,augmentUser as u,registerIdentityAugmenter as d,registerPasswordResetSessionAugmenter as f,registerSessionAugmenter as p}from"./augment.mjs";import{verifyPasswordHash as m,verifyPasswordStrength as h}from"../../server/auth/password.mjs";import{createUser as g,getUserById as _,getUserFromEmail as v,getUserPasswordHash as y,verifyUsernameInput as b}from"../../server/auth/user.mjs";import{createEmailVerificationRequest as x,sendVerificationEmail as S,setEmailVerificationRequestCookie as C}from"./email-verification.mjs";import{createSession as w,deleteSessionTokenCookie as T,generateSessionToken as E,getCurrentSession as D,invalidateSession as O,setSessionTokenCookie as k}from"./session.mjs";import{eq as A,inArray as j}from"drizzle-orm";async function M(e){try{let t=(await r.select({name:a.name}).from(c).innerJoin(a,A(c.roleId,a.id)).where(A(c.userId,e.id))).map(e=>e.name),n=(await r.select({name:i.name}).from(s).innerJoin(i,A(s.permissionId,i.id)).where(A(s.userId,e.id))).map(e=>e.name),l=[];if(t.length>0){let e=(await r.select({id:a.id}).from(a).where(j(a.name,t))).map(e=>e.id);e.length>0&&(l=(await r.select({name:i.name}).from(o).innerJoin(i,A(o.permissionId,i.id)).where(j(o.roleId,e))).map(e=>e.name))}return{roles:t,permissions:Array.from(new Set([...n,...l]))}}catch(e){return console.error(`[Auth:RBAC] Failed to augment user:`,e),{roles:[],permissions:[]}}}const N=globalThis,P=N.__KRYO_AUTH_VALIDATORS__??new Set,F=N.__KRYO_SECURITY_REQUIREMENTS__??new Set,I=N.__KRYO_PASSWORD_RESET_VALIDATORS__??new Set,L=N.__KRYO_EMAIL_VERIFICATION_VALIDATORS__??new Set;N.__KRYO_AUTH_VALIDATORS__=P,N.__KRYO_SECURITY_REQUIREMENTS__=F,N.__KRYO_PASSWORD_RESET_VALIDATORS__=I,N.__KRYO_EMAIL_VERIFICATION_VALIDATORS__=L;async function R(e){P.add(e)}async function z(e){I.add(e)}async function B(e){L.add(e)}async function V(e){F.add(e)}async function H(e){for(let t of I){let n=await t(e);if(n)return n}return null}async function U(e){for(let t of L){let n=await t(e);if(n)return n}return null}async function W(e){return await u(e,await M(e))}async function G(e,t,n,r,i){if(!t)return console.warn(`User is required for security check`),{satisfied:!1,redirect:i??`/signin`};let a=Array.isArray(t.roles)?t.roles:[],o=Array.isArray(t.permissions)?t.permissions:[];if(n&&n.length>0&&!n.some(e=>a.includes(e)))return console.warn(`User lacks required roles: ${n.join(`, `)}`),{satisfied:!1,redirect:i};if(r&&r.length>0&&!r.every(e=>o.includes(e)))return console.warn(`User lacks required permissions: ${r.join(`, `)}`),{satisfied:!1,redirect:i};if(F)for(let n of F)try{let r=await n(e,t);if(r&&!r.satisfied)return{...r,redirect:r.redirect??i}}catch(e){console.error(`[Auth:Security] Requirement failed:`,e)}return{satisfied:!0}}async function K(t){let{email:r,password:i}=await e.parseAsync(t),a=await v(r);if(!a)return{status:`ERROR`,message:`Invalid email or password`};let o=await y(a.id);if(!o||!await m(o,i))return{status:`ERROR`,message:`Invalid email or password`};for(let e of P){let t=await e(a.id);if(t)return t}let s={},c=await E(),l=await w(c,a.id,s);await k(c,l.expiresAt);let u=await W(a);return await n.publish(`auth:session-created`,{session:l,user:u}),{status:`SUCCESS`,session:{...l},user:{...u}}}async function q(e){let{email:r,username:i,password:a}=t.parse(e);if(!await b(i))throw Error(`Invalid username`);if(!await h(a))throw Error(`Weak password`);let o=await g(r,i,a),s=await x(o.id,o.email);await S(s.email,s.code),await C(s);let c={},l=await E(),u=await w(l,o.id,c);await k(l,u.expiresAt);let d=await W(o);return await n.publish(`auth:session-created`,{session:u,user:d}),{session:{...u},user:{...d}}}async function J(e,t){let r=await E(),i=await w(r,e,t);await k(r,i.expiresAt);let a=await _(e);return a&&await n.publish(`auth:session-created`,{session:i,user:a}),{session:i?{...i}:null,user:a?{...a}:null}}async function Y(){let{session:e,user:t}=await D();e&&(t&&await n.publish(`auth:signed-out`,{userId:t.id}),await O(e.id),await T())}export{G as checkSecurity,J as finalizeLogin,W as performFullUserAugmentation,R as registerAuthValidator,B as registerEmailVerificationValidator,z as registerPasswordResetValidator,V as registerSecurityRequirement,U as runEmailVerificationValidators,H as runPasswordResetValidators,K as signIn,Y as signOut,q as signUp};
-//# sourceMappingURL=logic.mjs.map

package/dist/core/auth/logic.mjs.map

@@ -1 +0,0 @@
-{"version":3,"file":"logic.mjs","names":[],"sources":["../../../src/core/auth/logic.ts"],"sourcesContent":["\"use server\";\n\nimport { eq, inArray } from \"drizzle-orm\";\nimport {\n  verifyPasswordHash,\n  verifyPasswordStrength,\n} from \"../../server/auth/password\";\nimport {\n  createUser,\n  getUserById,\n  getUserFromEmail,\n  getUserPasswordHash,\n  verifyUsernameInput,\n} from \"../../server/auth/user\";\nimport { db } from \"../../server/database/inject\";\nimport {\n  permissionsTable,\n  rolesTable,\n  rolesToPermissionsTable,\n  usersToPermissionsTable,\n  usersToRolesTable,\n} from \"../../server/database/schema\";\nimport { eventBus } from \"../event-bus\";\nimport {\n  augmentSession,\n  augmentUser,\n  registerIdentityAugmenter,\n  registerPasswordResetSessionAugmenter,\n  registerSessionAugmenter,\n} from \"./augment\";\nimport {\n  createEmailVerificationRequest,\n  sendVerificationEmail,\n  setEmailVerificationRequestCookie,\n} from \"./email-verification\";\nimport {\n  createSession,\n  deleteSessionTokenCookie,\n  generateSessionToken,\n  getCurrentSession,\n  invalidateSession,\n  setSessionTokenCookie,\n} from \"./session\";\nimport type {\n  AuthResponse,\n  FullUser,\n  Session,\n  SessionFlags,\n  User,\n  UserPermission,\n  UserRole,\n} from \"./types\";\nimport {\n  type LoginInput,\n  loginSchema,\n  type RegisterInput,\n  registerSchema,\n} from \"./validation\";\n\n/**\n * Podstawowy moduł rozszerzający tożsamość dla ról i uprawnień\n */\nasync function coreRbacAugmenter(user: User): Promise<Record<string, any>> {\n  try {\n    // 1. Fetch direct roles\n    const userRoles = await db\n      .select({ name: rolesTable.name })\n      .from(usersToRolesTable)\n      .innerJoin(rolesTable, eq(usersToRolesTable.roleId, rolesTable.id))\n      .where(eq(usersToRolesTable.userId, user.id));\n\n    const roles = userRoles.map((r) => r.name);\n\n    // 2. Fetch direct permissions\n    const userDirectPerms = await db\n      .select({ name: permissionsTable.name })\n      .from(usersToPermissionsTable)\n      .innerJoin(\n        permissionsTable,\n        eq(usersToPermissionsTable.permissionId, permissionsTable.id),\n      )\n      .where(eq(usersToPermissionsTable.userId, user.id));\n\n    const directPerms = userDirectPerms.map((p) => p.name);\n\n    // 3. Fetch permissions from roles\n    let rolePerms: string[] = [];\n    if (roles.length > 0) {\n      const roleIdsResult = await db\n        .select({ id: rolesTable.id })\n        .from(rolesTable)\n        .where(inArray(rolesTable.name, roles));\n\n      const roleIds = roleIdsResult.map((r) => r.id);\n\n      if (roleIds.length > 0) {\n        const rolePermsData = await db\n          .select({ name: permissionsTable.name })\n          .from(rolesToPermissionsTable)\n          .innerJoin(\n            permissionsTable,\n            eq(rolesToPermissionsTable.permissionId, permissionsTable.id),\n          )\n          .where(inArray(rolesToPermissionsTable.roleId, roleIds));\n        rolePerms = rolePermsData.map((p) => p.name);\n      }\n    }\n\n    return {\n      roles,\n      permissions: Array.from(new Set([...directPerms, ...rolePerms])),\n    };\n  } catch (error) {\n    console.error(\"[Auth:RBAC] Failed to augment user:\", error);\n    return { roles: [], permissions: [] };\n  }\n}\n\n/**\n * Registry for login validators (e.g. 2FA module)\n */\ntype AuthValidator = (userId: string) => Promise<AuthResponse | null>;\n\n/**\n * Registry for Security Requirements (e.g. checking if 2FA is needed for a session)\n */\ntype SecurityRequirement = (\n  session: Session,\n  user: FullUser,\n) => Promise<{ satisfied: boolean; redirect?: string } | null>;\n\n/**\n * Registry for password reset validators (e.g. 2FA module requiring check during reset)\n */\ntype PasswordResetValidator = (userId: string) => Promise<AuthResponse | null>;\n\n/**\n * Registry for email verification validators\n */\ntype EmailVerificationValidator = (\n  userId: string,\n) => Promise<AuthResponse | null>;\n\nconst globalForAuth = globalThis as unknown as {\n  __KRYO_AUTH_VALIDATORS__: Set<AuthValidator> | undefined;\n  __KRYO_SECURITY_REQUIREMENTS__: Set<SecurityRequirement> | undefined;\n  __KRYO_PASSWORD_RESET_VALIDATORS__: Set<PasswordResetValidator> | undefined;\n  __KRYO_EMAIL_VERIFICATION_VALIDATORS__:\n  | Set<EmailVerificationValidator>\n  | undefined;\n};\n\nconst authValidators =\n  globalForAuth.__KRYO_AUTH_VALIDATORS__ ?? new Set<AuthValidator>();\nconst securityRequirements =\n  globalForAuth.__KRYO_SECURITY_REQUIREMENTS__ ??\n  new Set<SecurityRequirement>();\nconst passwordResetValidators =\n  globalForAuth.__KRYO_PASSWORD_RESET_VALIDATORS__ ??\n  new Set<PasswordResetValidator>();\nconst emailVerificationValidators =\n  globalForAuth.__KRYO_EMAIL_VERIFICATION_VALIDATORS__ ??\n  new Set<EmailVerificationValidator>();\n\nglobalForAuth.__KRYO_AUTH_VALIDATORS__ = authValidators;\nglobalForAuth.__KRYO_SECURITY_REQUIREMENTS__ = securityRequirements;\nglobalForAuth.__KRYO_PASSWORD_RESET_VALIDATORS__ = passwordResetValidators;\nglobalForAuth.__KRYO_EMAIL_VERIFICATION_VALIDATORS__ =\n  emailVerificationValidators;\n\nexport async function registerAuthValidator(validator: AuthValidator) {\n  authValidators.add(validator);\n}\n\nexport async function registerPasswordResetValidator(\n  validator: PasswordResetValidator,\n) {\n  passwordResetValidators.add(validator);\n}\n\nexport async function registerEmailVerificationValidator(\n  validator: EmailVerificationValidator,\n) {\n  emailVerificationValidators.add(validator);\n}\n\nexport {\n  registerIdentityAugmenter,\n  registerSessionAugmenter,\n  registerPasswordResetSessionAugmenter,\n  augmentUser,\n  augmentSession,\n};\n\nexport async function registerSecurityRequirement(\n  requirement: SecurityRequirement,\n) {\n  securityRequirements.add(requirement);\n}\n\nexport async function runPasswordResetValidators(\n  userId: string,\n): Promise<AuthResponse | null> {\n  for (const validator of passwordResetValidators) {\n    const interception = await validator(userId);\n    if (interception) return interception;\n  }\n  return null;\n}\n\nexport async function runEmailVerificationValidators(\n  userId: string,\n): Promise<AuthResponse | null> {\n  for (const validator of emailVerificationValidators) {\n    const interception = await validator(userId);\n    if (interception) return interception;\n  }\n  return null;\n}\n\n/**\n * Augments a base user with data from all registered modules.\n * This is now just a wrapper that includes core RBAC data.\n */\nexport async function performFullUserAugmentation(\n  user: User,\n): Promise<FullUser> {\n  const coreRbacData = await coreRbacAugmenter(user);\n  return await augmentUser(user, coreRbacData);\n}\n\n/**\n * Checks if the current session satisfies all registered security requirements.\n */\nexport async function checkSecurity(\n  session: Session,\n  user: FullUser,\n  requiredRoles?: UserRole[],\n  requiredPermissions?: UserPermission[],\n  fallbackRedirect?: string,\n) {\n  if (!user) {\n    console.warn(\"User is required for security check\");\n    return { satisfied: false, redirect: fallbackRedirect ?? \"/signin\" };\n  }\n\n  const userRoles = Array.isArray(user.roles) ? user.roles : [];\n  const userPermissions = Array.isArray(user.permissions)\n    ? user.permissions\n    : [];\n\n  // 1. Core Role Check (At least one role must match)\n  if (requiredRoles && requiredRoles.length > 0) {\n    const hasRole = requiredRoles.some((role) => userRoles.includes(role));\n    if (!hasRole) {\n      console.warn(`User lacks required roles: ${requiredRoles.join(\", \")}`);\n      return {\n        satisfied: false,\n        redirect: fallbackRedirect,\n      };\n    }\n  }\n\n  // 2. Core Permission Check (ALL permissions must match)\n  if (requiredPermissions && requiredPermissions.length > 0) {\n    const hasAllPermissions = requiredPermissions.every((perm) =>\n      userPermissions.includes(perm),\n    );\n    if (!hasAllPermissions) {\n      console.warn(\n        `User lacks required permissions: ${requiredPermissions.join(\", \")}`,\n      );\n\n      return {\n        satisfied: false,\n        redirect: fallbackRedirect,\n      };\n    }\n  }\n\n  // 3. Modular Requirements Check\n  if (securityRequirements) {\n    for (const requirement of securityRequirements) {\n      try {\n        const result = await requirement(session, user);\n        if (result && !result.satisfied) {\n          return {\n            ...result,\n            redirect: result.redirect ?? fallbackRedirect,\n          };\n        }\n      } catch (error) {\n        console.error(\"[Auth:Security] Requirement failed:\", error);\n      }\n    }\n  }\n  return { satisfied: true };\n}\n\n/**\n * Sign In Logic\n */\nexport async function signIn(data: LoginInput): Promise<AuthResponse> {\n  const { email, password } = await loginSchema.parseAsync(data);\n\n  const user = await getUserFromEmail(email);\n  if (!user) {\n    return { status: \"ERROR\", message: \"Invalid email or password\" };\n  }\n\n  const passwordHash = await getUserPasswordHash(user.id);\n  if (!passwordHash || !(await verifyPasswordHash(passwordHash, password))) {\n    return { status: \"ERROR\", message: \"Invalid email or password\" };\n  }\n\n  // Interception Layer\n  for (const validator of authValidators) {\n    const interception = await validator(user.id);\n    if (interception) return interception;\n  }\n\n  const sessionFlags: SessionFlags = {};\n  const sessionToken = await generateSessionToken();\n  const session = await createSession(sessionToken, user.id, sessionFlags);\n  await setSessionTokenCookie(sessionToken, session.expiresAt);\n\n  const fullUser = await performFullUserAugmentation(user);\n  await eventBus.publish(\"auth:session-created\", { session, user: fullUser });\n\n  return {\n    status: \"SUCCESS\",\n    session: { ...session },\n    user: { ...fullUser },\n  };\n}\n\n/**\n * Sign Up Logic\n */\nexport async function signUp(data: RegisterInput) {\n  const { email, username, password } = registerSchema.parse(data);\n\n  if (!(await verifyUsernameInput(username))) {\n    throw new Error(\"Invalid username\");\n  }\n\n  if (!(await verifyPasswordStrength(password))) {\n    throw new Error(\"Weak password\");\n  }\n\n  const user = await createUser(email, username, password);\n  const verificationRequest = await createEmailVerificationRequest(\n    user.id,\n    user.email,\n  );\n\n  await sendVerificationEmail(\n    verificationRequest.email,\n    verificationRequest.code,\n  );\n  await setEmailVerificationRequestCookie(verificationRequest);\n\n  const sessionFlags: SessionFlags = {};\n  const sessionToken = await generateSessionToken();\n  const session = await createSession(sessionToken, user.id, sessionFlags);\n  await setSessionTokenCookie(sessionToken, session.expiresAt);\n\n  const fullUser = await performFullUserAugmentation(user);\n  await eventBus.publish(\"auth:session-created\", { session, user: fullUser });\n\n  return {\n    session: { ...session },\n    user: { ...fullUser },\n  };\n}\n\n/**\n * Finalizes login after a challenge\n */\nexport async function finalizeLogin(userId: string, flags: SessionFlags) {\n  const sessionToken = await generateSessionToken();\n  const session = await createSession(sessionToken, userId, flags);\n  await setSessionTokenCookie(sessionToken, session.expiresAt);\n\n  const user = await getUserById(userId);\n\n  if (user) {\n    await eventBus.publish(\"auth:session-created\", { session, user });\n  }\n\n  return {\n    session: session ? { ...session } : null,\n    user: user ? { ...user } : null,\n  };\n}\n\n/**\n * Sign Out\n */\nexport async function signOut() {\n  const { session, user } = await getCurrentSession();\n  if (session) {\n    if (user) {\n      await eventBus.publish(\"auth:signed-out\", { userId: user.id });\n    }\n    await invalidateSession(session.id);\n    await deleteSessionTokenCookie();\n  }\n}\n"],"mappings":"ylCA8DA,eAAe,EAAkB,EAA0C,CACzE,GAAI,CAQF,IAAM,GANY,MAAM,EACrB,OAAO,CAAE,KAAM,EAAW,KAAM,CAAC,CACjC,KAAK,EAAkB,CACvB,UAAU,EAAY,EAAG,EAAkB,OAAQ,EAAW,GAAG,CAAC,CAClE,MAAM,EAAG,EAAkB,OAAQ,EAAK,GAAG,CAAC,EAEvB,IAAK,GAAM,EAAE,KAAK,CAYpC,GATkB,MAAM,EAC3B,OAAO,CAAE,KAAM,EAAiB,KAAM,CAAC,CACvC,KAAK,EAAwB,CAC7B,UACC,EACA,EAAG,EAAwB,aAAc,EAAiB,GAAG,CAC9D,CACA,MAAM,EAAG,EAAwB,OAAQ,EAAK,GAAG,CAAC,EAEjB,IAAK,GAAM,EAAE,KAAK,CAGlD,EAAsB,EAAE,CAC5B,GAAI,EAAM,OAAS,EAAG,CAMpB,IAAM,GALgB,MAAM,EACzB,OAAO,CAAE,GAAI,EAAW,GAAI,CAAC,CAC7B,KAAK,EAAW,CAChB,MAAM,EAAQ,EAAW,KAAM,EAAM,CAAC,EAEX,IAAK,GAAM,EAAE,GAAG,CAE1C,EAAQ,OAAS,IASnB,GARsB,MAAM,EACzB,OAAO,CAAE,KAAM,EAAiB,KAAM,CAAC,CACvC,KAAK,EAAwB,CAC7B,UACC,EACA,EAAG,EAAwB,aAAc,EAAiB,GAAG,CAC9D,CACA,MAAM,EAAQ,EAAwB,OAAQ,EAAQ,CAAC,EAChC,IAAK,GAAM,EAAE,KAAK,EAIhD,MAAO,CACL,QACA,YAAa,MAAM,KAAK,IAAI,IAAI,CAAC,GAAG,EAAa,GAAG,EAAU,CAAC,CAAC,CACjE,OACM,EAAO,CAEd,OADA,QAAQ,MAAM,sCAAuC,EAAM,CACpD,CAAE,MAAO,EAAE,CAAE,YAAa,EAAE,CAAE,EA6BzC,MAAM,EAAgB,WAShB,EACJ,EAAc,0BAA4B,IAAI,IAC1C,EACJ,EAAc,gCACd,IAAI,IACA,EACJ,EAAc,oCACd,IAAI,IACA,EACJ,EAAc,wCACd,IAAI,IAEN,EAAc,yBAA2B,EACzC,EAAc,+BAAiC,EAC/C,EAAc,mCAAqC,EACnD,EAAc,uCACZ,EAEF,eAAsB,EAAsB,EAA0B,CACpE,EAAe,IAAI,EAAU,CAG/B,eAAsB,EACpB,EACA,CACA,EAAwB,IAAI,EAAU,CAGxC,eAAsB,EACpB,EACA,CACA,EAA4B,IAAI,EAAU,CAW5C,eAAsB,EACpB,EACA,CACA,EAAqB,IAAI,EAAY,CAGvC,eAAsB,EACpB,EAC8B,CAC9B,IAAK,IAAM,KAAa,EAAyB,CAC/C,IAAM,EAAe,MAAM,EAAU,EAAO,CAC5C,GAAI,EAAc,OAAO,EAE3B,OAAO,KAGT,eAAsB,EACpB,EAC8B,CAC9B,IAAK,IAAM,KAAa,EAA6B,CACnD,IAAM,EAAe,MAAM,EAAU,EAAO,CAC5C,GAAI,EAAc,OAAO,EAE3B,OAAO,KAOT,eAAsB,EACpB,EACmB,CAEnB,OAAO,MAAM,EAAY,EADJ,MAAM,EAAkB,EAAK,CACN,CAM9C,eAAsB,EACpB,EACA,EACA,EACA,EACA,EACA,CACA,GAAI,CAAC,EAEH,OADA,QAAQ,KAAK,sCAAsC,CAC5C,CAAE,UAAW,GAAO,SAAU,GAAoB,UAAW,CAGtE,IAAM,EAAY,MAAM,QAAQ,EAAK,MAAM,CAAG,EAAK,MAAQ,EAAE,CACvD,EAAkB,MAAM,QAAQ,EAAK,YAAY,CACnD,EAAK,YACL,EAAE,CAGN,GAAI,GAAiB,EAAc,OAAS,GAEtC,CADY,EAAc,KAAM,GAAS,EAAU,SAAS,EAAK,CAAC,CAGpE,OADA,QAAQ,KAAK,8BAA8B,EAAc,KAAK,KAAK,GAAG,CAC/D,CACL,UAAW,GACX,SAAU,EACX,CAKL,GAAI,GAAuB,EAAoB,OAAS,GAIlD,CAHsB,EAAoB,MAAO,GACnD,EAAgB,SAAS,EAAK,CAC/B,CAMC,OAJA,QAAQ,KACN,oCAAoC,EAAoB,KAAK,KAAK,GACnE,CAEM,CACL,UAAW,GACX,SAAU,EACX,CAKL,GAAI,EACF,IAAK,IAAM,KAAe,EACxB,GAAI,CACF,IAAM,EAAS,MAAM,EAAY,EAAS,EAAK,CAC/C,GAAI,GAAU,CAAC,EAAO,UACpB,MAAO,CACL,GAAG,EACH,SAAU,EAAO,UAAY,EAC9B,OAEI,EAAO,CACd,QAAQ,MAAM,sCAAuC,EAAM,CAIjE,MAAO,CAAE,UAAW,GAAM,CAM5B,eAAsB,EAAO,EAAyC,CACpE,GAAM,CAAE,QAAO,YAAa,MAAM,EAAY,WAAW,EAAK,CAExD,EAAO,MAAM,EAAiB,EAAM,CAC1C,GAAI,CAAC,EACH,MAAO,CAAE,OAAQ,QAAS,QAAS,4BAA6B,CAGlE,IAAM,EAAe,MAAM,EAAoB,EAAK,GAAG,CACvD,GAAI,CAAC,GAAgB,CAAE,MAAM,EAAmB,EAAc,EAAS,CACrE,MAAO,CAAE,OAAQ,QAAS,QAAS,4BAA6B,CAIlE,IAAK,IAAM,KAAa,EAAgB,CACtC,IAAM,EAAe,MAAM,EAAU,EAAK,GAAG,CAC7C,GAAI,EAAc,OAAO,EAG3B,IAAM,EAA6B,EAAE,CAC/B,EAAe,MAAM,GAAsB,CAC3C,EAAU,MAAM,EAAc,EAAc,EAAK,GAAI,EAAa,CACxE,MAAM,EAAsB,EAAc,EAAQ,UAAU,CAE5D,IAAM,EAAW,MAAM,EAA4B,EAAK,CAGxD,OAFA,MAAM,EAAS,QAAQ,uBAAwB,CAAE,UAAS,KAAM,EAAU,CAAC,CAEpE,CACL,OAAQ,UACR,QAAS,CAAE,GAAG,EAAS,CACvB,KAAM,CAAE,GAAG,EAAU,CACtB,CAMH,eAAsB,EAAO,EAAqB,CAChD,GAAM,CAAE,QAAO,WAAU,YAAa,EAAe,MAAM,EAAK,CAEhE,GAAI,CAAE,MAAM,EAAoB,EAAS,CACvC,MAAU,MAAM,mBAAmB,CAGrC,GAAI,CAAE,MAAM,EAAuB,EAAS,CAC1C,MAAU,MAAM,gBAAgB,CAGlC,IAAM,EAAO,MAAM,EAAW,EAAO,EAAU,EAAS,CAClD,EAAsB,MAAM,EAChC,EAAK,GACL,EAAK,MACN,CAED,MAAM,EACJ,EAAoB,MACpB,EAAoB,KACrB,CACD,MAAM,EAAkC,EAAoB,CAE5D,IAAM,EAA6B,EAAE,CAC/B,EAAe,MAAM,GAAsB,CAC3C,EAAU,MAAM,EAAc,EAAc,EAAK,GAAI,EAAa,CACxE,MAAM,EAAsB,EAAc,EAAQ,UAAU,CAE5D,IAAM,EAAW,MAAM,EAA4B,EAAK,CAGxD,OAFA,MAAM,EAAS,QAAQ,uBAAwB,CAAE,UAAS,KAAM,EAAU,CAAC,CAEpE,CACL,QAAS,CAAE,GAAG,EAAS,CACvB,KAAM,CAAE,GAAG,EAAU,CACtB,CAMH,eAAsB,EAAc,EAAgB,EAAqB,CACvE,IAAM,EAAe,MAAM,GAAsB,CAC3C,EAAU,MAAM,EAAc,EAAc,EAAQ,EAAM,CAChE,MAAM,EAAsB,EAAc,EAAQ,UAAU,CAE5D,IAAM,EAAO,MAAM,EAAY,EAAO,CAMtC,OAJI,GACF,MAAM,EAAS,QAAQ,uBAAwB,CAAE,UAAS,OAAM,CAAC,CAG5D,CACL,QAAS,EAAU,CAAE,GAAG,EAAS,CAAG,KACpC,KAAM,EAAO,CAAE,GAAG,EAAM,CAAG,KAC5B,CAMH,eAAsB,GAAU,CAC9B,GAAM,CAAE,UAAS,QAAS,MAAM,GAAmB,CAC/C,IACE,GACF,MAAM,EAAS,QAAQ,kBAAmB,CAAE,OAAQ,EAAK,GAAI,CAAC,CAEhE,MAAM,EAAkB,EAAQ,GAAG,CACnC,MAAM,GAA0B"}

package/dist/core/auth/password-reset.d.mts

@@ -1,39 +0,0 @@
-import { PasswordResetAuthSession, PasswordResetSession } from "./types.mjs";
-
-//#region src/core/auth/password-reset.d.ts
-/**
- * Creates a new password reset session.
- */
-declare function createPasswordResetSession(token: string, userId: string, email: string): Promise<PasswordResetSession>;
-/**
- * Validates the password reset session token and retrieves user data.
- * The user data is augmented by registered modules (e.g. 2FA).
- */
-declare function validatePasswordResetSessionToken(token: string): Promise<PasswordResetAuthSession>;
-/**
- * Marks the password reset session as email verified.
- */
-declare function setPasswordResetSessionAsEmailVerified(sessionId: string): Promise<void>;
-/**
- * Invalidates all password reset sessions for a user.
- */
-declare function invalidateUserPasswordResetSessions(userId: string): Promise<void>;
-/**
- * Validates the current password reset session from cookies.
- */
-declare function getCurrentPasswordResetSession(): Promise<PasswordResetAuthSession>;
-/**
- * Sets the password reset session token cookie.
- */
-declare function setPasswordResetSessionTokenCookie(token: string, expiresAt: Date): Promise<void>;
-/**
- * Deletes the password reset session token cookie.
- */
-declare function deletePasswordResetSessionTokenCookie(): Promise<void>;
-/**
- * Sends a password reset email with the OTP code.
- */
-declare function sendPasswordResetEmail(email: string, code: string): Promise<void>;
-//#endregion
-export { createPasswordResetSession, deletePasswordResetSessionTokenCookie, getCurrentPasswordResetSession, invalidateUserPasswordResetSessions, sendPasswordResetEmail, setPasswordResetSessionAsEmailVerified, setPasswordResetSessionTokenCookie, validatePasswordResetSessionToken };
-//# sourceMappingURL=password-reset.d.mts.map

package/dist/core/auth/password-reset.d.mts.map

@@ -1 +0,0 @@
-{"version":3,"file":"password-reset.d.mts","names":[],"sources":["../../../src/core/auth/password-reset.ts"],"mappings":";;;;;AAqBA;iBAAsB,0BAAA,CACpB,KAAA,UACA,MAAA,UACA,KAAA,WACC,OAAA,CAAQ,oBAAA;;;;;iBAqBW,iCAAA,CACpB,KAAA,WACC,OAAA,CAAQ,wBAAA;;;;iBAyCW,sCAAA,CACpB,SAAA,WACC,OAAA;AA7CH;;;AAAA,iBAyDsB,mCAAA,CACpB,MAAA,WACC,OAAA;;;;iBASmB,8BAAA,CAAA,GAAkC,OAAA,CAAQ,wBAAA;;AAzBhE;;iBA6CsB,kCAAA,CACpB,KAAA,UACA,SAAA,EAAW,IAAA,GACV,OAAA;;;AAlCH;iBAiDsB,qCAAA,CAAA,GAAyC,OAAA;;;;iBAQzC,sBAAA,CACpB,KAAA,UACA,IAAA,WACC,OAAA"}

package/dist/core/auth/password-reset.mjs

@@ -1,2 +0,0 @@
-"use server";import{db as e}from"../../server/database/inject.mjs";import{passwordResetSessionTable as t,userTable as n}from"../../server/database/schema.mjs";import{augmentPasswordResetSession as r}from"./augment.mjs";import{generateRandomOTP as i}from"./utils/encode.mjs";import{sendResetPassword as a}from"../../server/emails/index.mjs";import{performFullUserAugmentation as o}from"./logic.mjs";import{eq as s}from"drizzle-orm";import{sha256 as c}from"@oslojs/crypto/sha2";import{encodeHexLowerCase as l}from"@oslojs/encoding";import{addHours as u}from"date-fns";import{cookies as d}from"next/headers";async function f(n,r,a){let o=l(c(new TextEncoder().encode(n))),[s]=await e.insert(t).values({id:o,email:a,code:i(),expiresAt:new Date(u(new Date,1)),userId:r}).returning();return s}async function p(i){let a=l(c(new TextEncoder().encode(i))),[u]=await e.select({session:t,user:n}).from(t).innerJoin(n,s(t.userId,n.id)).where(s(t.id,a));if(!u||!u.user)return{session:null,user:null};let{session:d,user:f}=u;if(new Date>d.expiresAt)return await e.delete(t).where(s(t.id,d.id)),{session:null,user:null};let{password:p,recovery_code:m,...h}=f,g=await o(h);return{session:await r(d),user:g}}async function m(n){await e.update(t).set({emailVerified:!0}).where(s(t.id,n))}async function h(n){await e.delete(t).where(s(t.userId,n))}async function g(){let e=(await d()).get(`password_reset_session`)?.value??null;if(e===null)return{session:null,user:null};let t=await p(e);return t.session===null&&await v(),t}async function _(e,t){(await d()).set(`password_reset_session`,e,{expires:t,sameSite:`lax`,httpOnly:!0,path:`/`,secure:process.env.NODE_ENV===`production`})}async function v(){(await d()).delete(`password_reset_session`)}async function y(e,t){await a(e,t)}export{f as createPasswordResetSession,v as deletePasswordResetSessionTokenCookie,g as getCurrentPasswordResetSession,h as invalidateUserPasswordResetSessions,y as sendPasswordResetEmail,m as setPasswordResetSessionAsEmailVerified,_ as setPasswordResetSessionTokenCookie,p as validatePasswordResetSessionToken};
-//# sourceMappingURL=password-reset.mjs.map

package/dist/core/auth/password-reset.mjs.map

@@ -1 +0,0 @@
-{"version":3,"file":"password-reset.mjs","names":[],"sources":["../../../src/core/auth/password-reset.ts"],"sourcesContent":["\"use server\";\n\nimport { sha256 } from \"@oslojs/crypto/sha2\";\nimport { encodeHexLowerCase } from \"@oslojs/encoding\";\nimport { addHours } from \"date-fns\";\nimport { eq } from \"drizzle-orm\";\nimport { cookies } from \"next/headers\";\nimport { db } from \"../../server/database/inject\";\nimport {\n  passwordResetSessionTable,\n  userTable,\n} from \"../../server/database/schema\";\nimport { sendResetPassword } from \"../../server/emails/index\";\nimport { augmentPasswordResetSession } from \"./augment\";\nimport { performFullUserAugmentation } from \"./logic\";\nimport type { PasswordResetAuthSession, PasswordResetSession } from \"./types\";\nimport { generateRandomOTP } from \"./utils/encode\";\n\n/**\n * Creates a new password reset session.\n */\nexport async function createPasswordResetSession(\n  token: string,\n  userId: string,\n  email: string,\n): Promise<PasswordResetSession> {\n  const sessionId = encodeHexLowerCase(sha256(new TextEncoder().encode(token)));\n\n  const [session] = await db\n    .insert(passwordResetSessionTable)\n    .values({\n      id: sessionId,\n      email: email,\n      code: generateRandomOTP(),\n      expiresAt: new Date(addHours(new Date(), 1)),\n      userId: userId,\n    })\n    .returning();\n\n  return session;\n}\n\n/**\n * Validates the password reset session token and retrieves user data.\n * The user data is augmented by registered modules (e.g. 2FA).\n */\nexport async function validatePasswordResetSessionToken(\n  token: string,\n): Promise<PasswordResetAuthSession> {\n  const sessionId = encodeHexLowerCase(sha256(new TextEncoder().encode(token)));\n\n  const [row] = await db\n    .select({\n      session: passwordResetSessionTable,\n      user: userTable,\n    })\n    .from(passwordResetSessionTable)\n    .innerJoin(userTable, eq(passwordResetSessionTable.userId, userTable.id))\n    .where(eq(passwordResetSessionTable.id, sessionId));\n\n  if (!row || !row.user) {\n    return { session: null, user: null };\n  }\n\n  const { session: baseSession, user: baseUser } = row;\n\n  // Check for expiration\n  if (new Date() > baseSession.expiresAt) {\n    await db\n      .delete(passwordResetSessionTable)\n      .where(eq(passwordResetSessionTable.id, baseSession.id));\n    return { session: null, user: null };\n  }\n\n  // STRICTLY remove non-serializable and sensitive fields\n  const { password, recovery_code, ...safeUser } = baseUser;\n\n  // AUGMENT (EXTENSIBILITY POINTS)\n  const user = await performFullUserAugmentation(safeUser as any);\n  const session = await augmentPasswordResetSession(\n    baseSession as PasswordResetSession,\n  );\n\n  return { session, user };\n}\n\n/**\n * Marks the password reset session as email verified.\n */\nexport async function setPasswordResetSessionAsEmailVerified(\n  sessionId: string,\n): Promise<void> {\n  await db\n    .update(passwordResetSessionTable)\n    .set({\n      emailVerified: true,\n    })\n    .where(eq(passwordResetSessionTable.id, sessionId));\n}\n\n/**\n * Invalidates all password reset sessions for a user.\n */\nexport async function invalidateUserPasswordResetSessions(\n  userId: string,\n): Promise<void> {\n  await db\n    .delete(passwordResetSessionTable)\n    .where(eq(passwordResetSessionTable.userId, userId));\n}\n\n/**\n * Validates the current password reset session from cookies.\n */\nexport async function getCurrentPasswordResetSession(): Promise<PasswordResetAuthSession> {\n  const cookieStore = await cookies();\n  const token = cookieStore.get(\"password_reset_session\")?.value ?? null;\n\n  if (token === null) {\n    return { session: null, user: null };\n  }\n\n  const result = await validatePasswordResetSessionToken(token);\n\n  if (result.session === null) {\n    await deletePasswordResetSessionTokenCookie();\n  }\n\n  return result;\n}\n\n/**\n * Sets the password reset session token cookie.\n */\nexport async function setPasswordResetSessionTokenCookie(\n  token: string,\n  expiresAt: Date,\n): Promise<void> {\n  const cookieStore = await cookies();\n\n  cookieStore.set(\"password_reset_session\", token, {\n    expires: expiresAt,\n    sameSite: \"lax\",\n    httpOnly: true,\n    path: \"/\",\n    secure: process.env.NODE_ENV === \"production\",\n  });\n}\n\n/**\n * Deletes the password reset session token cookie.\n */\nexport async function deletePasswordResetSessionTokenCookie(): Promise<void> {\n  const cookieStore = await cookies();\n  cookieStore.delete(\"password_reset_session\");\n}\n\n/**\n * Sends a password reset email with the OTP code.\n */\nexport async function sendPasswordResetEmail(\n  email: string,\n  code: string,\n): Promise<void> {\n  await sendResetPassword(email, code);\n}\n"],"mappings":"6lBAqBA,eAAsB,EACpB,EACA,EACA,EAC+B,CAC/B,IAAM,EAAY,EAAmB,EAAO,IAAI,aAAa,CAAC,OAAO,EAAM,CAAC,CAAC,CAEvE,CAAC,GAAW,MAAM,EACrB,OAAO,EAA0B,CACjC,OAAO,CACN,GAAI,EACG,QACP,KAAM,GAAmB,CACzB,UAAW,IAAI,KAAK,EAAS,IAAI,KAAQ,EAAE,CAAC,CACpC,SACT,CAAC,CACD,WAAW,CAEd,OAAO,EAOT,eAAsB,EACpB,EACmC,CACnC,IAAM,EAAY,EAAmB,EAAO,IAAI,aAAa,CAAC,OAAO,EAAM,CAAC,CAAC,CAEvE,CAAC,GAAO,MAAM,EACjB,OAAO,CACN,QAAS,EACT,KAAM,EACP,CAAC,CACD,KAAK,EAA0B,CAC/B,UAAU,EAAW,EAAG,EAA0B,OAAQ,EAAU,GAAG,CAAC,CACxE,MAAM,EAAG,EAA0B,GAAI,EAAU,CAAC,CAErD,GAAI,CAAC,GAAO,CAAC,EAAI,KACf,MAAO,CAAE,QAAS,KAAM,KAAM,KAAM,CAGtC,GAAM,CAAE,QAAS,EAAa,KAAM,GAAa,EAGjD,GAAI,IAAI,KAAS,EAAY,UAI3B,OAHA,MAAM,EACH,OAAO,EAA0B,CACjC,MAAM,EAAG,EAA0B,GAAI,EAAY,GAAG,CAAC,CACnD,CAAE,QAAS,KAAM,KAAM,KAAM,CAItC,GAAM,CAAE,WAAU,gBAAe,GAAG,GAAa,EAG3C,EAAO,MAAM,EAA4B,EAAgB,CAK/D,MAAO,CAAE,QAJO,MAAM,EACpB,EACD,CAEiB,OAAM,CAM1B,eAAsB,EACpB,EACe,CACf,MAAM,EACH,OAAO,EAA0B,CACjC,IAAI,CACH,cAAe,GAChB,CAAC,CACD,MAAM,EAAG,EAA0B,GAAI,EAAU,CAAC,CAMvD,eAAsB,EACpB,EACe,CACf,MAAM,EACH,OAAO,EAA0B,CACjC,MAAM,EAAG,EAA0B,OAAQ,EAAO,CAAC,CAMxD,eAAsB,GAAoE,CAExF,IAAM,GADc,MAAM,GAAS,EACT,IAAI,yBAAyB,EAAE,OAAS,KAElE,GAAI,IAAU,KACZ,MAAO,CAAE,QAAS,KAAM,KAAM,KAAM,CAGtC,IAAM,EAAS,MAAM,EAAkC,EAAM,CAM7D,OAJI,EAAO,UAAY,MACrB,MAAM,GAAuC,CAGxC,EAMT,eAAsB,EACpB,EACA,EACe,EACK,MAAM,GAAS,EAEvB,IAAI,yBAA0B,EAAO,CAC/C,QAAS,EACT,SAAU,MACV,SAAU,GACV,KAAM,IACN,OAAQ,QAAQ,IAAI,WAAa,aAClC,CAAC,CAMJ,eAAsB,GAAuD,EACvD,MAAM,GAAS,EACvB,OAAO,yBAAyB,CAM9C,eAAsB,EACpB,EACA,EACe,CACf,MAAM,EAAkB,EAAO,EAAK"}

package/dist/core/auth/rbac.d.mts

@@ -1,61 +0,0 @@
-import * as pg from "pg";
-
-//#region src/core/auth/rbac.d.ts
-/**
- * CORE RBAC LOGIC
- * This file handles all database operations for Roles and Permissions.
- */
-declare function getRoles(): Promise<{
-  id: string;
-  name: string;
-  description: string | null;
-}[]>;
-declare function getRoleById(roleId: string): Promise<{
-  id: string;
-  name: string;
-  description: string | null;
-}>;
-declare function createRole(name: string, description?: string): Promise<{
-  name: string;
-  id: string;
-  description: string | null;
-}[]>;
-declare function deleteRole(roleId: string): Promise<pg.QueryResult<never>>;
-declare function getPermissions(): Promise<{
-  id: string;
-  name: string;
-  description: string | null;
-}[]>;
-declare function createPermission(name: string, description?: string): Promise<{
-  name: string;
-  id: string;
-  description: string | null;
-}[]>;
-declare function deletePermission(permissionId: string): Promise<pg.QueryResult<never>>;
-declare function getRolePermissions(roleId: string): Promise<{
-  id: string;
-  name: string;
-}[]>;
-declare function assignPermissionToRole(roleId: string, permissionId: string): Promise<pg.QueryResult<never>>;
-declare function revokePermissionFromRole(roleId: string, permissionId: string): Promise<pg.QueryResult<never>>;
-declare function assignRoleToUser(userId: string, roleId: string): Promise<pg.QueryResult<never>>;
-declare function revokeRoleFromUser(userId: string, roleId: string): Promise<pg.QueryResult<never>>;
-declare function assignPermissionToUser(userId: string, permissionId: string): Promise<pg.QueryResult<never>>;
-declare function revokePermissionFromUser(userId: string, permissionId: string): Promise<pg.QueryResult<never>>;
-declare function getUserRbacData(userId: string): Promise<{
-  roles: {
-    id: string;
-    name: string;
-  }[];
-  directPermissions: {
-    id: string;
-    name: string;
-  }[];
-  effectivePermissions: {
-    id: string;
-    name: string;
-  }[];
-}>;
-//#endregion
-export { assignPermissionToRole, assignPermissionToUser, assignRoleToUser, createPermission, createRole, deletePermission, deleteRole, getPermissions, getRoleById, getRolePermissions, getRoles, getUserRbacData, revokePermissionFromRole, revokePermissionFromUser, revokeRoleFromUser };
-//# sourceMappingURL=rbac.d.mts.map

package/dist/core/auth/rbac.d.mts.map

@@ -1 +0,0 @@
-{"version":3,"file":"rbac.d.mts","names":[],"sources":["../../../src/core/auth/rbac.ts"],"mappings":";;;;;;AAyBA;iBAAsB,QAAA,CAAA,GAAQ,OAAA;;;;;iBAIR,WAAA,CAAY,MAAA,WAAc,OAAA;;;;;iBAQ1B,UAAA,CAAW,IAAA,UAAc,WAAA,YAAoB,OAAA;;;;;iBAI7C,UAAA,CAAW,MAAA,WAAc,OAAA,CAAf,EAAA,CAAe,WAAA;AAAA,iBAMzB,cAAA,CAAA,GAAc,OAAA;;;;;iBAOd,gBAAA,CAAiB,IAAA,UAAc,WAAA,YAAoB,OAAA;;;;;iBAOnD,gBAAA,CAAiB,YAAA,WAAoB,OAAA,CAArB,EAAA,CAAqB,WAAA;AAAA,iBAQrC,kBAAA,CAAmB,MAAA,WAAc,OAAA;;;;iBAcjC,sBAAA,CACpB,MAAA,UACA,YAAA,WAAoB,OAAA,CAFsB,EAAA,CAEtB,WAAA;AAAA,iBAQA,wBAAA,CACpB,MAAA,UACA,YAAA,WAAoB,OAAA,CAFwB,EAAA,CAExB,WAAA;AAAA,iBAcA,gBAAA,CAAiB,MAAA,UAAgB,MAAA,WAAc,OAAA,CAA/B,EAAA,CAA+B,WAAA;AAAA,iBAO/C,kBAAA,CAAmB,MAAA,UAAgB,MAAA,WAAc,OAAA,CAA/B,EAAA,CAA+B,WAAA;AAAA,iBAWjD,sBAAA,CACpB,MAAA,UACA,YAAA,WAAoB,OAAA,CAFsB,EAAA,CAEtB,WAAA;AAAA,iBAQA,wBAAA,CACpB,MAAA,UACA,YAAA,WAAoB,OAAA,CAFwB,EAAA,CAExB,WAAA;AAAA,iBAYA,eAAA,CAAgB,MAAA,WAAc,OAAA"}

package/dist/core/auth/rbac.mjs

@@ -1,2 +0,0 @@
-"use server";import{db as e}from"../../server/database/inject.mjs";import{permissionsTable as t,rolesTable as n,rolesToPermissionsTable as r,usersToPermissionsTable as i,usersToRolesTable as a}from"../../server/database/schema.mjs";import{notificationService as o}from"../notifications/service.mjs";import"../notifications/index.mjs";import{and as s,eq as c,inArray as l}from"drizzle-orm";typeof window>`u`&&o.init();async function u(){return await e.select().from(n).orderBy(n.name)}async function d(t){let[r]=await e.select().from(n).where(c(n.id,t));return r}async function f(t,r){return await e.insert(n).values({name:t,description:r}).returning()}async function p(t){return await e.delete(n).where(c(n.id,t))}async function m(){return await e.select().from(t).orderBy(t.name)}async function h(n,r){return await e.insert(t).values({name:n,description:r}).returning()}async function g(n){return await e.delete(t).where(c(t.id,n))}async function _(n){return await e.select({id:t.id,name:t.name}).from(r).innerJoin(t,c(r.permissionId,t.id)).where(c(r.roleId,n))}async function v(t,n){return await e.insert(r).values({roleId:t,permissionId:n}).onConflictDoNothing()}async function y(t,n){return await e.delete(r).where(s(c(r.roleId,t),c(r.permissionId,n)))}async function b(t,n){return await e.insert(a).values({userId:t,roleId:n}).onConflictDoNothing()}async function x(t,n){return await e.delete(a).where(s(c(a.userId,t),c(a.roleId,n)))}async function S(t,n){return await e.insert(i).values({userId:t,permissionId:n}).onConflictDoNothing()}async function C(t,n){return await e.delete(i).where(s(c(i.userId,t),c(i.permissionId,n)))}async function w(o){let s=await e.select({id:n.id,name:n.name}).from(a).innerJoin(n,c(a.roleId,n.id)).where(c(a.userId,o)),u=await e.select({id:t.id,name:t.name}).from(i).innerJoin(t,c(i.permissionId,t.id)).where(c(i.userId,o)),d=[];if(s.length>0){let n=s.map(e=>e.id);d=await e.select({id:t.id,name:t.name}).from(r).innerJoin(t,c(r.permissionId,t.id)).where(l(r.roleId,n))}let f=new Map;for(let e of[...u,...d])f.set(e.id,e);return{roles:s,directPermissions:u,effectivePermissions:Array.from(f.values())}}export{v as assignPermissionToRole,S as assignPermissionToUser,b as assignRoleToUser,h as createPermission,f as createRole,g as deletePermission,p as deleteRole,m as getPermissions,d as getRoleById,_ as getRolePermissions,u as getRoles,w as getUserRbacData,y as revokePermissionFromRole,C as revokePermissionFromUser,x as revokeRoleFromUser};
-//# sourceMappingURL=rbac.mjs.map

package/dist/core/auth/rbac.mjs.map

@@ -1 +0,0 @@
-{"version":3,"file":"rbac.mjs","names":[],"sources":["../../../src/core/auth/rbac.ts"],"sourcesContent":["\"use server\";\n\nimport { and, eq, inArray } from \"drizzle-orm\";\nimport { db } from \"../../server/database/inject\";\nimport {\n  permissionsTable,\n  rolesTable,\n  rolesToPermissionsTable,\n  usersToPermissionsTable,\n  usersToRolesTable,\n} from \"../../server/database/schema\";\nimport { notificationService } from \"../notifications/index\";\n\n// Ensure notification service is loaded\nif (typeof window === \"undefined\") {\n  notificationService.init();\n}\n\n/**\n * CORE RBAC LOGIC\n * This file handles all database operations for Roles and Permissions.\n */\n\n// --- Roles ---\n\nexport async function getRoles() {\n  return await db.select().from(rolesTable).orderBy(rolesTable.name);\n}\n\nexport async function getRoleById(roleId: string) {\n  const [role] = await db\n    .select()\n    .from(rolesTable)\n    .where(eq(rolesTable.id, roleId));\n  return role;\n}\n\nexport async function createRole(name: string, description?: string) {\n  return await db.insert(rolesTable).values({ name, description }).returning();\n}\n\nexport async function deleteRole(roleId: string) {\n  return await db.delete(rolesTable).where(eq(rolesTable.id, roleId));\n}\n\n// --- Permissions ---\n\nexport async function getPermissions() {\n  return await db\n    .select()\n    .from(permissionsTable)\n    .orderBy(permissionsTable.name);\n}\n\nexport async function createPermission(name: string, description?: string) {\n  return await db\n    .insert(permissionsTable)\n    .values({ name, description })\n    .returning();\n}\n\nexport async function deletePermission(permissionId: string) {\n  return await db\n    .delete(permissionsTable)\n    .where(eq(permissionsTable.id, permissionId));\n}\n\n// --- Mappings ---\n\nexport async function getRolePermissions(roleId: string) {\n  return await db\n    .select({\n      id: permissionsTable.id,\n      name: permissionsTable.name,\n    })\n    .from(rolesToPermissionsTable)\n    .innerJoin(\n      permissionsTable,\n      eq(rolesToPermissionsTable.permissionId, permissionsTable.id),\n    )\n    .where(eq(rolesToPermissionsTable.roleId, roleId));\n}\n\nexport async function assignPermissionToRole(\n  roleId: string,\n  permissionId: string,\n) {\n  return await db\n    .insert(rolesToPermissionsTable)\n    .values({ roleId, permissionId })\n    .onConflictDoNothing();\n}\n\nexport async function revokePermissionFromRole(\n  roleId: string,\n  permissionId: string,\n) {\n  return await db\n    .delete(rolesToPermissionsTable)\n    .where(\n      and(\n        eq(rolesToPermissionsTable.roleId, roleId),\n        eq(rolesToPermissionsTable.permissionId, permissionId),\n      ),\n    );\n}\n\n// --- User Assignment ---\n\nexport async function assignRoleToUser(userId: string, roleId: string) {\n  return await db\n    .insert(usersToRolesTable)\n    .values({ userId, roleId })\n    .onConflictDoNothing();\n}\n\nexport async function revokeRoleFromUser(userId: string, roleId: string) {\n  return await db\n    .delete(usersToRolesTable)\n    .where(\n      and(\n        eq(usersToRolesTable.userId, userId),\n        eq(usersToRolesTable.roleId, roleId),\n      ),\n    );\n}\n\nexport async function assignPermissionToUser(\n  userId: string,\n  permissionId: string,\n) {\n  return await db\n    .insert(usersToPermissionsTable)\n    .values({ userId, permissionId })\n    .onConflictDoNothing();\n}\n\nexport async function revokePermissionFromUser(\n  userId: string,\n  permissionId: string,\n) {\n  return await db\n    .delete(usersToPermissionsTable)\n    .where(\n      and(\n        eq(usersToPermissionsTable.userId, userId),\n        eq(usersToPermissionsTable.permissionId, permissionId),\n      ),\n    );\n}\n\nexport async function getUserRbacData(userId: string) {\n  const roles = await db\n    .select({\n      id: rolesTable.id,\n      name: rolesTable.name,\n    })\n    .from(usersToRolesTable)\n    .innerJoin(rolesTable, eq(usersToRolesTable.roleId, rolesTable.id))\n    .where(eq(usersToRolesTable.userId, userId));\n\n  const directPermissions = await db\n    .select({\n      id: permissionsTable.id,\n      name: permissionsTable.name,\n    })\n    .from(usersToPermissionsTable)\n    .innerJoin(\n      permissionsTable,\n      eq(usersToPermissionsTable.permissionId, permissionsTable.id),\n    )\n    .where(eq(usersToPermissionsTable.userId, userId));\n\n  // Fetch inherited permissions from roles\n  let rolePermissions: { id: string; name: string }[] = [];\n  if (roles.length > 0) {\n    const roleIds = roles.map((r) => r.id);\n    rolePermissions = await db\n      .select({\n        id: permissionsTable.id,\n        name: permissionsTable.name,\n      })\n      .from(rolesToPermissionsTable)\n      .innerJoin(\n        permissionsTable,\n        eq(rolesToPermissionsTable.permissionId, permissionsTable.id),\n      )\n      .where(inArray(rolesToPermissionsTable.roleId, roleIds));\n  }\n\n  // Combine for effective permissions\n  const effectiveMap = new Map<string, { id: string; name: string }>();\n  for (const p of [...directPermissions, ...rolePermissions]) {\n    effectiveMap.set(p.id, p);\n  }\n\n  return {\n    roles,\n    directPermissions,\n    effectivePermissions: Array.from(effectiveMap.values()),\n  };\n}\n"],"mappings":"qYAcI,OAAO,OAAW,KACpB,EAAoB,MAAM,CAU5B,eAAsB,GAAW,CAC/B,OAAO,MAAM,EAAG,QAAQ,CAAC,KAAK,EAAW,CAAC,QAAQ,EAAW,KAAK,CAGpE,eAAsB,EAAY,EAAgB,CAChD,GAAM,CAAC,GAAQ,MAAM,EAClB,QAAQ,CACR,KAAK,EAAW,CAChB,MAAM,EAAG,EAAW,GAAI,EAAO,CAAC,CACnC,OAAO,EAGT,eAAsB,EAAW,EAAc,EAAsB,CACnE,OAAO,MAAM,EAAG,OAAO,EAAW,CAAC,OAAO,CAAE,OAAM,cAAa,CAAC,CAAC,WAAW,CAG9E,eAAsB,EAAW,EAAgB,CAC/C,OAAO,MAAM,EAAG,OAAO,EAAW,CAAC,MAAM,EAAG,EAAW,GAAI,EAAO,CAAC,CAKrE,eAAsB,GAAiB,CACrC,OAAO,MAAM,EACV,QAAQ,CACR,KAAK,EAAiB,CACtB,QAAQ,EAAiB,KAAK,CAGnC,eAAsB,EAAiB,EAAc,EAAsB,CACzE,OAAO,MAAM,EACV,OAAO,EAAiB,CACxB,OAAO,CAAE,OAAM,cAAa,CAAC,CAC7B,WAAW,CAGhB,eAAsB,EAAiB,EAAsB,CAC3D,OAAO,MAAM,EACV,OAAO,EAAiB,CACxB,MAAM,EAAG,EAAiB,GAAI,EAAa,CAAC,CAKjD,eAAsB,EAAmB,EAAgB,CACvD,OAAO,MAAM,EACV,OAAO,CACN,GAAI,EAAiB,GACrB,KAAM,EAAiB,KACxB,CAAC,CACD,KAAK,EAAwB,CAC7B,UACC,EACA,EAAG,EAAwB,aAAc,EAAiB,GAAG,CAC9D,CACA,MAAM,EAAG,EAAwB,OAAQ,EAAO,CAAC,CAGtD,eAAsB,EACpB,EACA,EACA,CACA,OAAO,MAAM,EACV,OAAO,EAAwB,CAC/B,OAAO,CAAE,SAAQ,eAAc,CAAC,CAChC,qBAAqB,CAG1B,eAAsB,EACpB,EACA,EACA,CACA,OAAO,MAAM,EACV,OAAO,EAAwB,CAC/B,MACC,EACE,EAAG,EAAwB,OAAQ,EAAO,CAC1C,EAAG,EAAwB,aAAc,EAAa,CACvD,CACF,CAKL,eAAsB,EAAiB,EAAgB,EAAgB,CACrE,OAAO,MAAM,EACV,OAAO,EAAkB,CACzB,OAAO,CAAE,SAAQ,SAAQ,CAAC,CAC1B,qBAAqB,CAG1B,eAAsB,EAAmB,EAAgB,EAAgB,CACvE,OAAO,MAAM,EACV,OAAO,EAAkB,CACzB,MACC,EACE,EAAG,EAAkB,OAAQ,EAAO,CACpC,EAAG,EAAkB,OAAQ,EAAO,CACrC,CACF,CAGL,eAAsB,EACpB,EACA,EACA,CACA,OAAO,MAAM,EACV,OAAO,EAAwB,CAC/B,OAAO,CAAE,SAAQ,eAAc,CAAC,CAChC,qBAAqB,CAG1B,eAAsB,EACpB,EACA,EACA,CACA,OAAO,MAAM,EACV,OAAO,EAAwB,CAC/B,MACC,EACE,EAAG,EAAwB,OAAQ,EAAO,CAC1C,EAAG,EAAwB,aAAc,EAAa,CACvD,CACF,CAGL,eAAsB,EAAgB,EAAgB,CACpD,IAAM,EAAQ,MAAM,EACjB,OAAO,CACN,GAAI,EAAW,GACf,KAAM,EAAW,KAClB,CAAC,CACD,KAAK,EAAkB,CACvB,UAAU,EAAY,EAAG,EAAkB,OAAQ,EAAW,GAAG,CAAC,CAClE,MAAM,EAAG,EAAkB,OAAQ,EAAO,CAAC,CAExC,EAAoB,MAAM,EAC7B,OAAO,CACN,GAAI,EAAiB,GACrB,KAAM,EAAiB,KACxB,CAAC,CACD,KAAK,EAAwB,CAC7B,UACC,EACA,EAAG,EAAwB,aAAc,EAAiB,GAAG,CAC9D,CACA,MAAM,EAAG,EAAwB,OAAQ,EAAO,CAAC,CAGhD,EAAkD,EAAE,CACxD,GAAI,EAAM,OAAS,EAAG,CACpB,IAAM,EAAU,EAAM,IAAK,GAAM,EAAE,GAAG,CACtC,EAAkB,MAAM,EACrB,OAAO,CACN,GAAI,EAAiB,GACrB,KAAM,EAAiB,KACxB,CAAC,CACD,KAAK,EAAwB,CAC7B,UACC,EACA,EAAG,EAAwB,aAAc,EAAiB,GAAG,CAC9D,CACA,MAAM,EAAQ,EAAwB,OAAQ,EAAQ,CAAC,CAI5D,IAAM,EAAe,IAAI,IACzB,IAAK,IAAM,IAAK,CAAC,GAAG,EAAmB,GAAG,EAAgB,CACxD,EAAa,IAAI,EAAE,GAAI,EAAE,CAG3B,MAAO,CACL,QACA,oBACA,qBAAsB,MAAM,KAAK,EAAa,QAAQ,CAAC,CACxD"}

package/dist/core/auth/session.d.mts

@@ -1,54 +0,0 @@
-import { AuthSession, Session, SessionFlags, UserSession } from "./types.mjs";
-
-//#region src/core/auth/session.d.ts
-/**
- * Returns the user's IP address.
- */
-declare function getIPAddress(): Promise<string | null>;
-/**
- * Validates the session token.
- */
-declare function validateSessionToken(token: string): Promise<AuthSession>;
-/**
- * Returns the current user session from cookies.
- */
-declare const getCurrentSession: () => Promise<AuthSession>;
-/**
- * Invalidates a single session.
- */
-declare function invalidateSession(sessionId: string): Promise<void>;
-/**
- * Invalidates all user sessions.
- */
-declare function invalidateUserSessions(userId: string): Promise<void>;
-/**
- * Sets the session token in a cookie.
- */
-declare function setSessionTokenCookie(token: string, expiresAt: Date): Promise<void>;
-/**
- * Removes the session token cookie.
- */
-declare function deleteSessionTokenCookie(): Promise<void>;
-/**
- * Generates a new random session token.
- */
-declare function generateSessionToken(): Promise<string>;
-/**
- * Creates a new session in the database.
- */
-declare function createSession(token: string, userId: string, flags: SessionFlags): Promise<Session>;
-/**
- * Signs the user out and redirects to the sign-in page.
- */
-declare function sessionSignOut(): Promise<void>;
-/**
- * Get all active sessions for a user.
- */
-declare function getUserSessions(userId: string, currentSessionId: string): Promise<UserSession[]>;
-/**
- * Invalidate all sessions for a user except the specified current one.
- */
-declare function invalidateOtherSessions(userId: string, currentSessionId: string): Promise<void>;
-//#endregion
-export { createSession, deleteSessionTokenCookie, generateSessionToken, getCurrentSession, getIPAddress, getUserSessions, invalidateOtherSessions, invalidateSession, invalidateUserSessions, sessionSignOut, setSessionTokenCookie, validateSessionToken };
-//# sourceMappingURL=session.d.mts.map

package/dist/core/auth/session.d.mts.map

@@ -1 +0,0 @@
-{"version":3,"file":"session.d.mts","names":[],"sources":["../../../src/core/auth/session.ts"],"mappings":";;;;;AA2BA;iBAAsB,YAAA,CAAA,GAAgB,OAAA;;;;iBAOhB,oBAAA,CACpB,KAAA,WACC,OAAA,CAAQ,WAAA;;;;cAyCE,iBAAA,QAA8B,OAAA,CAAQ,WAAA;;;;iBAc7B,iBAAA,CAAkB,SAAA,WAAoB,OAAA;AAd5D;;;AAAA,iBAqBsB,sBAAA,CAAuB,MAAA,WAAiB,OAAA;;AAP9D;;iBAcsB,qBAAA,CACpB,KAAA,UACA,SAAA,EAAW,IAAA,GACV,OAAA;;;AAVH;iBAwBsB,wBAAA,CAAA,GAA4B,OAAA;;;;iBAQ5B,oBAAA,CAAA,GAAwB,OAAA;;;;iBASxB,aAAA,CACpB,KAAA,UACA,MAAA,UACA,KAAA,EAAO,YAAA,GACN,OAAA,CAAQ,OAAA;;;;iBAmBW,cAAA,CAAA,GAAc,OAAA;;AAxCpC;;iBAsDsB,eAAA,CACpB,MAAA,UACA,gBAAA,WACC,OAAA,CAAQ,WAAA;;;AAjDX;iBAkEsB,uBAAA,CACpB,MAAA,UACA,gBAAA,WACC,OAAA"}

package/dist/core/auth/session.mjs

@@ -1,2 +0,0 @@
-"use server";import{db as e}from"../../server/database/inject.mjs";import{sessionTable as t,userTable as n}from"../../server/database/schema.mjs";import{augmentSession as r}from"./augment.mjs";import{performFullUserAugmentation as i}from"./logic.mjs";import{and as a,eq as o,ne as s}from"drizzle-orm";import{sha256 as c}from"@oslojs/crypto/sha2";import{encodeBase32LowerCaseNoPadding as l,encodeHexLowerCase as u}from"@oslojs/encoding";import{addDays as d}from"date-fns";import{cookies as f,headers as p}from"next/headers";import{redirect as m}from"next/navigation";async function h(){return(await p()).get(`x-forwarded-for`)}async function g(a){let s=u(c(new TextEncoder().encode(a))),[l]=await e.select({session:t,user:n}).from(t).innerJoin(n,o(t.userId,n.id)).where(o(t.id,s));if(!l||!l.user)return{session:null,user:null};let{session:d,user:f}=l,{password:p,recovery_code:m,...h}=f;if(new Date>d.expiresAt)return await e.delete(t).where(o(t.id,d.id)),{session:null,user:null};let g=await i(h),_=await r(d);return{session:_?{..._}:null,user:g?{...g}:null}}const _=async()=>{let e=(await f()).get(`session`)?.value??null;return e===null?{session:null,user:null}:await g(e)};async function v(n){await e.delete(t).where(o(t.id,n))}async function y(n){await e.delete(t).where(o(t.userId,n))}async function b(e,t){(await f()).set(`session`,e,{httpOnly:!0,path:`/`,secure:process.env.NODE_ENV===`production`,sameSite:`lax`,expires:t})}async function x(){(await f()).delete(`session`)}async function S(){let e=new Uint8Array(20);return crypto.getRandomValues(e),l(e).toLowerCase()}async function C(n,r,i){let a=u(c(new TextEncoder().encode(n))),[o]=await e.insert(t).values({id:a,expiresAt:new Date(d(new Date,7)),active_organization_id:i.activeOrganizationId,userId:r}).returning();return o}async function w(){let{session:e}=await _();e&&(await v(e.id),await x()),m(`/signin`)}async function T(n,r){return(await e.select().from(t).where(o(t.userId,n))).map(e=>({id:e.id,createdAt:e.createdAt,expiresAt:e.expiresAt,isCurrent:e.id===r}))}async function E(n,r){await e.delete(t).where(a(o(t.userId,n),s(t.id,r)))}export{C as createSession,x as deleteSessionTokenCookie,S as generateSessionToken,_ as getCurrentSession,h as getIPAddress,T as getUserSessions,E as invalidateOtherSessions,v as invalidateSession,y as invalidateUserSessions,w as sessionSignOut,b as setSessionTokenCookie,g as validateSessionToken};
-//# sourceMappingURL=session.mjs.map

package/dist/core/auth/session.mjs.map

@@ -1 +0,0 @@
-{"version":3,"file":"session.mjs","names":[],"sources":["../../../src/core/auth/session.ts"],"sourcesContent":["\"use server\";\n\nimport { sha256 } from \"@oslojs/crypto/sha2\";\nimport {\n  encodeBase32LowerCaseNoPadding,\n  encodeHexLowerCase,\n} from \"@oslojs/encoding\";\nimport { addDays } from \"date-fns\";\nimport { and, eq, ne } from \"drizzle-orm\";\nimport { cookies, headers } from \"next/headers\";\nimport { redirect } from \"next/navigation\";\nimport { db } from \"../../server/database/inject\";\nimport { sessionTable, userTable } from \"../../server/database/schema\";\nimport { augmentSession } from \"./augment\";\nimport { performFullUserAugmentation } from \"./logic\";\n\nimport type {\n  AuthSession,\n  Session,\n  SessionFlags,\n  User,\n  UserSession,\n} from \"./types\";\n\n/**\n * Returns the user's IP address.\n */\nexport async function getIPAddress(): Promise<string | null> {\n  return (await headers()).get(\"x-forwarded-for\");\n}\n\n/**\n * Validates the session token.\n */\nexport async function validateSessionToken(\n  token: string,\n): Promise<AuthSession> {\n  const sessionId = encodeHexLowerCase(sha256(new TextEncoder().encode(token)));\n\n  const [row] = await db\n    .select({\n      session: sessionTable,\n      user: userTable,\n    })\n    .from(sessionTable)\n    .innerJoin(userTable, eq(sessionTable.userId, userTable.id))\n    .where(eq(sessionTable.id, sessionId));\n\n  if (!row || !row.user) {\n    return { session: null, user: null };\n  }\n\n  const { session: baseSession, user: baseUser } = row;\n\n  // STRICTLY remove non-serializable and sensitive fields\n  const { password, recovery_code, ...safeUser } = baseUser;\n\n  // Check if session is expired\n  if (new Date() > baseSession.expiresAt) {\n    await db.delete(sessionTable).where(eq(sessionTable.id, baseSession.id));\n    return { session: null, user: null };\n  }\n\n  // AUGMENT (EXTENSIBILITY POINTS)\n  const augmentedUser = await performFullUserAugmentation(safeUser as User);\n  const augmentedSession = await augmentSession(baseSession as Session);\n\n  // ENSURE PLAIN OBJECTS for Client Components\n  return {\n    session: augmentedSession ? { ...augmentedSession } : null,\n    user: augmentedUser ? { ...augmentedUser } : null,\n  };\n}\n\n/**\n * Returns the current user session from cookies.\n */\nexport const getCurrentSession = async (): Promise<AuthSession> => {\n  const cookieStore = await cookies();\n  const token = cookieStore.get(\"session\")?.value ?? null;\n\n  if (token === null) {\n    return { session: null, user: null };\n  }\n\n  return await validateSessionToken(token);\n};\n\n/**\n * Invalidates a single session.\n */\nexport async function invalidateSession(sessionId: string): Promise<void> {\n  await db.delete(sessionTable).where(eq(sessionTable.id, sessionId));\n}\n\n/**\n * Invalidates all user sessions.\n */\nexport async function invalidateUserSessions(userId: string): Promise<void> {\n  await db.delete(sessionTable).where(eq(sessionTable.userId, userId));\n}\n\n/**\n * Sets the session token in a cookie.\n */\nexport async function setSessionTokenCookie(\n  token: string,\n  expiresAt: Date,\n): Promise<void> {\n  const cookieStore = await cookies();\n  cookieStore.set(\"session\", token, {\n    httpOnly: true,\n    path: \"/\",\n    secure: process.env.NODE_ENV === \"production\",\n    sameSite: \"lax\",\n    expires: expiresAt,\n  });\n}\n\n/**\n * Removes the session token cookie.\n */\nexport async function deleteSessionTokenCookie(): Promise<void> {\n  const cookieStore = await cookies();\n  cookieStore.delete(\"session\");\n}\n\n/**\n * Generates a new random session token.\n */\nexport async function generateSessionToken(): Promise<string> {\n  const tokenBytes = new Uint8Array(20);\n  crypto.getRandomValues(tokenBytes);\n  return encodeBase32LowerCaseNoPadding(tokenBytes).toLowerCase();\n}\n\n/**\n * Creates a new session in the database.\n */\nexport async function createSession(\n  token: string,\n  userId: string,\n  flags: SessionFlags,\n): Promise<Session> {\n  const sessionId = encodeHexLowerCase(sha256(new TextEncoder().encode(token)));\n\n  const [session] = await db\n    .insert(sessionTable)\n    .values({\n      id: sessionId,\n      expiresAt: new Date(addDays(new Date(), 7)),\n      active_organization_id: flags.activeOrganizationId,\n      userId: userId,\n    })\n    .returning();\n\n  return session;\n}\n\n/**\n * Signs the user out and redirects to the sign-in page.\n */\nexport async function sessionSignOut() {\n  const { session } = await getCurrentSession();\n\n  if (session) {\n    await invalidateSession(session.id);\n    await deleteSessionTokenCookie();\n  }\n\n  redirect(\"/signin\");\n}\n\n/**\n * Get all active sessions for a user.\n */\nexport async function getUserSessions(\n  userId: string,\n  currentSessionId: string,\n): Promise<UserSession[]> {\n  const sessions = await db\n    .select()\n    .from(sessionTable)\n    .where(eq(sessionTable.userId, userId));\n\n  return sessions.map((session) => ({\n    id: session.id,\n    createdAt: session.createdAt,\n    expiresAt: session.expiresAt,\n    isCurrent: session.id === currentSessionId,\n  }));\n}\n\n/**\n * Invalidate all sessions for a user except the specified current one.\n */\nexport async function invalidateOtherSessions(\n  userId: string,\n  currentSessionId: string,\n): Promise<void> {\n  await db\n    .delete(sessionTable)\n    .where(\n      and(\n        eq(sessionTable.userId, userId),\n        ne(sessionTable.id, currentSessionId),\n      ),\n    );\n}\n"],"mappings":"sjBA2BA,eAAsB,GAAuC,CAC3D,OAAQ,MAAM,GAAS,EAAE,IAAI,kBAAkB,CAMjD,eAAsB,EACpB,EACsB,CACtB,IAAM,EAAY,EAAmB,EAAO,IAAI,aAAa,CAAC,OAAO,EAAM,CAAC,CAAC,CAEvE,CAAC,GAAO,MAAM,EACjB,OAAO,CACN,QAAS,EACT,KAAM,EACP,CAAC,CACD,KAAK,EAAa,CAClB,UAAU,EAAW,EAAG,EAAa,OAAQ,EAAU,GAAG,CAAC,CAC3D,MAAM,EAAG,EAAa,GAAI,EAAU,CAAC,CAExC,GAAI,CAAC,GAAO,CAAC,EAAI,KACf,MAAO,CAAE,QAAS,KAAM,KAAM,KAAM,CAGtC,GAAM,CAAE,QAAS,EAAa,KAAM,GAAa,EAG3C,CAAE,WAAU,gBAAe,GAAG,GAAa,EAGjD,GAAI,IAAI,KAAS,EAAY,UAE3B,OADA,MAAM,EAAG,OAAO,EAAa,CAAC,MAAM,EAAG,EAAa,GAAI,EAAY,GAAG,CAAC,CACjE,CAAE,QAAS,KAAM,KAAM,KAAM,CAItC,IAAM,EAAgB,MAAM,EAA4B,EAAiB,CACnE,EAAmB,MAAM,EAAe,EAAuB,CAGrE,MAAO,CACL,QAAS,EAAmB,CAAE,GAAG,EAAkB,CAAG,KACtD,KAAM,EAAgB,CAAE,GAAG,EAAe,CAAG,KAC9C,CAMH,MAAa,EAAoB,SAAkC,CAEjE,IAAM,GADc,MAAM,GAAS,EACT,IAAI,UAAU,EAAE,OAAS,KAMnD,OAJI,IAAU,KACL,CAAE,QAAS,KAAM,KAAM,KAAM,CAG/B,MAAM,EAAqB,EAAM,EAM1C,eAAsB,EAAkB,EAAkC,CACxE,MAAM,EAAG,OAAO,EAAa,CAAC,MAAM,EAAG,EAAa,GAAI,EAAU,CAAC,CAMrE,eAAsB,EAAuB,EAA+B,CAC1E,MAAM,EAAG,OAAO,EAAa,CAAC,MAAM,EAAG,EAAa,OAAQ,EAAO,CAAC,CAMtE,eAAsB,EACpB,EACA,EACe,EACK,MAAM,GAAS,EACvB,IAAI,UAAW,EAAO,CAChC,SAAU,GACV,KAAM,IACN,OAAQ,QAAQ,IAAI,WAAa,aACjC,SAAU,MACV,QAAS,EACV,CAAC,CAMJ,eAAsB,GAA0C,EAC1C,MAAM,GAAS,EACvB,OAAO,UAAU,CAM/B,eAAsB,GAAwC,CAC5D,IAAM,EAAa,IAAI,WAAW,GAAG,CAErC,OADA,OAAO,gBAAgB,EAAW,CAC3B,EAA+B,EAAW,CAAC,aAAa,CAMjE,eAAsB,EACpB,EACA,EACA,EACkB,CAClB,IAAM,EAAY,EAAmB,EAAO,IAAI,aAAa,CAAC,OAAO,EAAM,CAAC,CAAC,CAEvE,CAAC,GAAW,MAAM,EACrB,OAAO,EAAa,CACpB,OAAO,CACN,GAAI,EACJ,UAAW,IAAI,KAAK,EAAQ,IAAI,KAAQ,EAAE,CAAC,CAC3C,uBAAwB,EAAM,qBACtB,SACT,CAAC,CACD,WAAW,CAEd,OAAO,EAMT,eAAsB,GAAiB,CACrC,GAAM,CAAE,WAAY,MAAM,GAAmB,CAEzC,IACF,MAAM,EAAkB,EAAQ,GAAG,CACnC,MAAM,GAA0B,EAGlC,EAAS,UAAU,CAMrB,eAAsB,EACpB,EACA,EACwB,CAMxB,OALiB,MAAM,EACpB,QAAQ,CACR,KAAK,EAAa,CAClB,MAAM,EAAG,EAAa,OAAQ,EAAO,CAAC,EAEzB,IAAK,IAAa,CAChC,GAAI,EAAQ,GACZ,UAAW,EAAQ,UACnB,UAAW,EAAQ,UACnB,UAAW,EAAQ,KAAO,EAC3B,EAAE,CAML,eAAsB,EACpB,EACA,EACe,CACf,MAAM,EACH,OAAO,EAAa,CACpB,MACC,EACE,EAAG,EAAa,OAAQ,EAAO,CAC/B,EAAG,EAAa,GAAI,EAAiB,CACtC,CACF"}

package/dist/core/auth/types.d.mts

@@ -1,55 +0,0 @@
-import { passwordResetSessionTable, sessionTable, userTable } from "../../server/database/schema.mjs";
-import { UserPermission, UserRole } from "../types.mjs";
-
-//#region src/core/auth/types.d.ts
-type User = typeof userTable.$inferSelect;
-type Session = typeof sessionTable.$inferSelect & Record<string, any>;
-type PasswordResetSession = typeof passwordResetSessionTable.$inferSelect & Record<string, any>;
-/**
- * Represents a user with all potential extensions.
- * Use this type in UI components that require data added by modules.
- */
-type FullUser = User & Record<string, any> & {
-  roles: UserRole[];
-  permissions: UserPermission[];
-};
-/**
- * Basic session context.
- */
-interface AuthSession {
-  session: Session | null;
-  user: FullUser | null;
-}
-interface SessionFlags {
-  [key: string]: any;
-}
-type UserSession = {
-  id: string;
-  createdAt: Date;
-  expiresAt: Date;
-  isCurrent: boolean;
-  [key: string]: any;
-};
-type AuthResponse = {
-  status: "SUCCESS";
-  session: Session;
-  user: FullUser;
-  redirect?: string;
-} | {
-  status: "CHALLENGE_REQUIRED";
-  type: string;
-  userId: string;
-  tempToken?: string;
-  redirect?: string;
-} | {
-  status: "ERROR";
-  message: string;
-  redirect?: string;
-};
-interface PasswordResetAuthSession {
-  session: PasswordResetSession | null;
-  user: FullUser | null;
-}
-//#endregion
-export { AuthResponse, AuthSession, FullUser, PasswordResetAuthSession, PasswordResetSession, Session, SessionFlags, User, UserSession };
-//# sourceMappingURL=types.d.mts.map

package/dist/core/auth/types.d.mts.map

@@ -1 +0,0 @@
-{"version":3,"file":"types.d.mts","names":[],"sources":["../../../src/core/auth/types.ts"],"mappings":";;;;KASY,IAAA,UAAc,SAAA,CAAU,YAAA;AAAA,KACxB,OAAA,UAAiB,YAAA,CAAa,YAAA,GAAe,MAAA;AAAA,KAC7C,oBAAA,UACH,yBAAA,CAA0B,YAAA,GAAe,MAAA;;;;AAFlD;KAQY,QAAA,GAAW,IAAA,GACrB,MAAA;EACE,KAAA,EAAO,QAAA;EACP,WAAA,EAAa,cAAA;AAAA;;;;UAMA,WAAA;EACf,OAAA,EAAS,OAAA;EACT,IAAA,EAAM,QAAA;AAAA;AAAA,UAGS,YAAA;EAAA,CACd,GAAA;AAAA;AAAA,KAGS,WAAA;EACV,EAAA;EACA,SAAA,EAAW,IAAA;EACX,SAAA,EAAW,IAAA;EACX,SAAA;EAAA,CACC,GAAA;AAAA;AAAA,KAGS,YAAA;EACN,MAAA;EAAmB,OAAA,EAAS,OAAA;EAAS,IAAA,EAAM,QAAA;EAAU,QAAA;AAAA;EAEvD,MAAA;EACA,IAAA;EACA,MAAA;EACA,SAAA;EACA,QAAA;AAAA;EAEE,MAAA;EAAiB,OAAA;EAAiB,QAAA;AAAA;AAAA,UAEvB,wBAAA;EACf,OAAA,EAAS,oBAAA;EACT,IAAA,EAAM,QAAA;AAAA"}

package/dist/core/auth/utils/encode.d.mts

@@ -1,15 +0,0 @@
-//#region src/core/auth/utils/encode.d.ts
-/**
- * Generates a random one-time code (OTP).
- * @param length Length of the generated code (default 6).
- * @returns A random uppercase base32 string.
- */
-declare function generateRandomOTP(length?: number): string;
-/**
- * Generates a random recovery code.
- * @returns A random uppercase base32 string.
- */
-declare function generateRandomRecoveryCode(): string;
-//#endregion
-export { generateRandomOTP, generateRandomRecoveryCode };
-//# sourceMappingURL=encode.d.mts.map

package/dist/core/auth/utils/encode.d.mts.map

@@ -1 +0,0 @@
-{"version":3,"file":"encode.d.mts","names":[],"sources":["../../../../src/core/auth/utils/encode.ts"],"mappings":";;AAOA;;;;iBAAgB,iBAAA,CAAkB,MAAA;AAUlC;;;;AAAA,iBAAgB,0BAAA,CAAA"}

package/dist/core/auth/utils/encode.mjs

@@ -1,2 +0,0 @@
-import{encodeBase32UpperCaseNoPadding as e}from"@oslojs/encoding";function t(t=6){let n=new Uint8Array(5);return crypto.getRandomValues(n),e(n).substring(0,t)}function n(){let t=new Uint8Array(10);return crypto.getRandomValues(t),e(t)}export{t as generateRandomOTP,n as generateRandomRecoveryCode};
-//# sourceMappingURL=encode.mjs.map

package/dist/core/auth/utils/encode.mjs.map

@@ -1 +0,0 @@
-{"version":3,"file":"encode.mjs","names":[],"sources":["../../../../src/core/auth/utils/encode.ts"],"sourcesContent":["import { encodeBase32UpperCaseNoPadding } from \"@oslojs/encoding\";\n\n/**\n * Generates a random one-time code (OTP).\n * @param length Length of the generated code (default 6).\n * @returns A random uppercase base32 string.\n */\nexport function generateRandomOTP(length = 6): string {\n  const bytes = new Uint8Array(5);\n  crypto.getRandomValues(bytes);\n  return encodeBase32UpperCaseNoPadding(bytes).substring(0, length);\n}\n\n/**\n * Generates a random recovery code.\n * @returns A random uppercase base32 string.\n */\nexport function generateRandomRecoveryCode(): string {\n  const recoveryCodeBytes = new Uint8Array(10);\n  crypto.getRandomValues(recoveryCodeBytes);\n  return encodeBase32UpperCaseNoPadding(recoveryCodeBytes);\n}\n"],"mappings":"kEAOA,SAAgB,EAAkB,EAAS,EAAW,CACpD,IAAM,EAAQ,IAAI,WAAW,EAAE,CAE/B,OADA,OAAO,gBAAgB,EAAM,CACtB,EAA+B,EAAM,CAAC,UAAU,EAAG,EAAO,CAOnE,SAAgB,GAAqC,CACnD,IAAM,EAAoB,IAAI,WAAW,GAAG,CAE5C,OADA,OAAO,gBAAgB,EAAkB,CAClC,EAA+B,EAAkB"}

package/dist/core/auth/utils/encryption.d.mts.map

@@ -1 +0,0 @@
-{"version":3,"file":"encryption.d.mts","names":[],"sources":["../../../../src/core/auth/utils/encryption.ts"],"mappings":";;AAoBA;;;;iBAAgB,OAAA,CAAQ,IAAA,EAAM,UAAA,GAAa,UAAA;;;;;AAiB3C;iBAAgB,aAAA,CAAc,IAAA,WAAe,UAAA;;;;AAS7C;;iBAAgB,OAAA,CAAQ,SAAA,EAAW,UAAA,GAAa,UAAA;;;;;;iBAsBhC,eAAA,CAAgB,IAAA,EAAM,UAAA"}

package/dist/core/auth/utils/encryption.mjs

@@ -1,2 +0,0 @@
-import{decodeBase64 as e}from"@oslojs/encoding";import{createCipheriv as t,createDecipheriv as n}from"node:crypto";import{DynamicBuffer as r}from"@oslojs/binary";const i=process.env.ENCRYPTION_KEY;if(!i)throw Error(`ENCRYPTION_KEY environment variable is not set`);const a=e(i);function o(e){let n=new Uint8Array(16);crypto.getRandomValues(n);let i=t(`aes-128-gcm`,a,n),o=new r(0);return o.write(n),o.write(i.update(e)),o.write(i.final()),o.write(i.getAuthTag()),o.bytes()}function s(e){return o(new TextEncoder().encode(e))}function c(e){if(e.byteLength<33)throw Error(`Invalid encrypted data length`);let t=e.slice(0,16),i=e.slice(e.byteLength-16),o=e.slice(16,e.byteLength-16),s=n(`aes-128-gcm`,a,t);s.setAuthTag(i);let c=new r(0);return c.write(s.update(o)),c.write(s.final()),c.bytes()}function l(e){return new TextDecoder().decode(c(e))}export{c as decrypt,l as decryptToString,o as encrypt,s as encryptString};
-//# sourceMappingURL=encryption.mjs.map

package/dist/core/auth/utils/encryption.mjs.map

@@ -1 +0,0 @@
-{"version":3,"file":"encryption.mjs","names":[],"sources":["../../../../src/core/auth/utils/encryption.ts"],"sourcesContent":["import { createCipheriv, createDecipheriv } from \"node:crypto\";\nimport { DynamicBuffer } from \"@oslojs/binary\";\nimport { decodeBase64 } from \"@oslojs/encoding\";\n\nconst ENCRYPTION_KEY = process.env.ENCRYPTION_KEY;\n\nif (!ENCRYPTION_KEY) {\n  throw new Error(\"ENCRYPTION_KEY environment variable is not set\");\n}\n\n/**\n * The encryption key decoded from base64.\n */\nconst key = decodeBase64(ENCRYPTION_KEY);\n\n/**\n * Encrypts data using AES-128-GCM.\n * @param data Data to be encrypted.\n * @returns Encrypted data including IV and auth tag.\n */\nexport function encrypt(data: Uint8Array): Uint8Array {\n  const iv = new Uint8Array(16);\n  crypto.getRandomValues(iv);\n  const cipher = createCipheriv(\"aes-128-gcm\", key, iv);\n  const encrypted = new DynamicBuffer(0);\n  encrypted.write(iv);\n  encrypted.write(cipher.update(data));\n  encrypted.write(cipher.final());\n  encrypted.write(cipher.getAuthTag());\n  return encrypted.bytes();\n}\n\n/**\n * Encrypts a string.\n * @param data String to be encrypted.\n * @returns Encrypted data as Uint8Array.\n */\nexport function encryptString(data: string): Uint8Array {\n  return encrypt(new TextEncoder().encode(data));\n}\n\n/**\n * Decrypts data using AES-128-GCM.\n * @param encrypted Encrypted data (IV + content + auth tag).\n * @returns Decrypted data.\n */\nexport function decrypt(encrypted: Uint8Array): Uint8Array {\n  if (encrypted.byteLength < 33) {\n    throw new Error(\"Invalid encrypted data length\");\n  }\n  const iv = encrypted.slice(0, 16);\n  const authTag = encrypted.slice(encrypted.byteLength - 16);\n  const content = encrypted.slice(16, encrypted.byteLength - 16);\n\n  const decipher = createDecipheriv(\"aes-128-gcm\", key, iv);\n  decipher.setAuthTag(authTag);\n\n  const decrypted = new DynamicBuffer(0);\n  decrypted.write(decipher.update(content));\n  decrypted.write(decipher.final());\n  return decrypted.bytes();\n}\n\n/**\n * Decrypts data to a string.\n * @param data Encrypted data.\n * @returns Odszyfrowany ciąg znaków.\n */\nexport function decryptToString(data: Uint8Array): string {\n  return new TextDecoder().decode(decrypt(data));\n}\n"],"mappings":"kKAIA,MAAM,EAAiB,QAAQ,IAAI,eAEnC,GAAI,CAAC,EACH,MAAU,MAAM,iDAAiD,CAMnE,MAAM,EAAM,EAAa,EAAe,CAOxC,SAAgB,EAAQ,EAA8B,CACpD,IAAM,EAAK,IAAI,WAAW,GAAG,CAC7B,OAAO,gBAAgB,EAAG,CAC1B,IAAM,EAAS,EAAe,cAAe,EAAK,EAAG,CAC/C,EAAY,IAAI,EAAc,EAAE,CAKtC,OAJA,EAAU,MAAM,EAAG,CACnB,EAAU,MAAM,EAAO,OAAO,EAAK,CAAC,CACpC,EAAU,MAAM,EAAO,OAAO,CAAC,CAC/B,EAAU,MAAM,EAAO,YAAY,CAAC,CAC7B,EAAU,OAAO,CAQ1B,SAAgB,EAAc,EAA0B,CACtD,OAAO,EAAQ,IAAI,aAAa,CAAC,OAAO,EAAK,CAAC,CAQhD,SAAgB,EAAQ,EAAmC,CACzD,GAAI,EAAU,WAAa,GACzB,MAAU,MAAM,gCAAgC,CAElD,IAAM,EAAK,EAAU,MAAM,EAAG,GAAG,CAC3B,EAAU,EAAU,MAAM,EAAU,WAAa,GAAG,CACpD,EAAU,EAAU,MAAM,GAAI,EAAU,WAAa,GAAG,CAExD,EAAW,EAAiB,cAAe,EAAK,EAAG,CACzD,EAAS,WAAW,EAAQ,CAE5B,IAAM,EAAY,IAAI,EAAc,EAAE,CAGtC,OAFA,EAAU,MAAM,EAAS,OAAO,EAAQ,CAAC,CACzC,EAAU,MAAM,EAAS,OAAO,CAAC,CAC1B,EAAU,OAAO,CAQ1B,SAAgB,EAAgB,EAA0B,CACxD,OAAO,IAAI,aAAa,CAAC,OAAO,EAAQ,EAAK,CAAC"}

package/dist/core/auth/validation.d.mts

@@ -1,48 +0,0 @@
-import { z } from "zod";
-
-//#region src/core/auth/validation.d.ts
-declare const loginSchema: z.ZodObject<{
-  email: z.ZodString;
-  password: z.ZodString;
-  remember: z.ZodOptional<z.ZodBoolean>;
-}, z.core.$strip>;
-declare const registerSchema: z.ZodObject<{
-  username: z.ZodString;
-  email: z.ZodString;
-  password: z.ZodString;
-  terms: z.ZodBoolean;
-}, z.core.$strip>;
-declare const forgotPasswordSchema: z.ZodObject<{
-  email: z.ZodString;
-}, z.core.$strip>;
-declare const resetPasswordSchema: z.ZodObject<{
-  password: z.ZodString;
-  confirm: z.ZodString;
-}, z.core.$strip>;
-declare const verifyEmailSchema: z.ZodObject<{
-  code: z.ZodString;
-}, z.core.$strip>;
-declare const totpSetupSchema: z.ZodObject<{
-  code: z.ZodString;
-}, z.core.$strip>;
-declare const totpVerifySchema: z.ZodObject<{
-  code: z.ZodString;
-}, z.core.$strip>;
-declare const passkeysSetupSchema: z.ZodObject<{
-  name: z.ZodString;
-}, z.core.$strip>;
-declare const recoveryCodeVerifySchema: z.ZodObject<{
-  code: z.ZodString;
-}, z.core.$strip>;
-type LoginInput = z.infer<typeof loginSchema>;
-type RegisterInput = z.infer<typeof registerSchema>;
-type ForgotPasswordInput = z.infer<typeof forgotPasswordSchema>;
-type ResetPasswordInput = z.infer<typeof resetPasswordSchema>;
-type TOTPSetupInput = z.infer<typeof totpSetupSchema>;
-type TOTPVerifyInput = z.infer<typeof totpVerifySchema>;
-type PasskeysSetupInput = z.infer<typeof passkeysSetupSchema>;
-type VerifyEmailInput = z.infer<typeof verifyEmailSchema>;
-type RecoveryVerifyInput = z.infer<typeof recoveryCodeVerifySchema>;
-//#endregion
-export { ForgotPasswordInput, LoginInput, PasskeysSetupInput, RecoveryVerifyInput, RegisterInput, ResetPasswordInput, TOTPSetupInput, TOTPVerifyInput, VerifyEmailInput, forgotPasswordSchema, loginSchema, passkeysSetupSchema, recoveryCodeVerifySchema, registerSchema, resetPasswordSchema, totpSetupSchema, totpVerifySchema, verifyEmailSchema };
-//# sourceMappingURL=validation.d.mts.map

package/dist/core/auth/validation.d.mts.map

@@ -1 +0,0 @@
-{"version":3,"file":"validation.d.mts","names":[],"sources":["../../../src/core/auth/validation.ts"],"mappings":";;;cAGa,WAAA,EAAW,CAAA,CAAA,SAAA;;;;;cAMX,cAAA,EAAc,CAAA,CAAA,SAAA;;;;;;cAOd,oBAAA,EAAoB,CAAA,CAAA,SAAA;;;cAIpB,mBAAA,EAAmB,CAAA,CAAA,SAAA;;;;cAUnB,iBAAA,EAAiB,CAAA,CAAA,SAAA;;;cAKjB,eAAA,EAAe,CAAA,CAAA,SAAA;;;cAIf,gBAAA,EAAgB,CAAA,CAAA,SAAA;;;cAIhB,mBAAA,EAAmB,CAAA,CAAA,SAAA;;;cAInB,wBAAA,EAAwB,CAAA,CAAA,SAAA;;;KAKzB,UAAA,GAAa,CAAA,CAAE,KAAA,QAAa,WAAA;AAAA,KAC5B,aAAA,GAAgB,CAAA,CAAE,KAAA,QAAa,cAAA;AAAA,KAC/B,mBAAA,GAAsB,CAAA,CAAE,KAAA,QAAa,oBAAA;AAAA,KACrC,kBAAA,GAAqB,CAAA,CAAE,KAAA,QAAa,mBAAA;AAAA,KACpC,cAAA,GAAiB,CAAA,CAAE,KAAA,QAAa,eAAA;AAAA,KAChC,eAAA,GAAkB,CAAA,CAAE,KAAA,QAAa,gBAAA;AAAA,KACjC,kBAAA,GAAqB,CAAA,CAAE,KAAA,QAAa,mBAAA;AAAA,KACpC,gBAAA,GAAmB,CAAA,CAAE,KAAA,QAAa,iBAAA;AAAA,KAClC,mBAAA,GAAsB,CAAA,CAAE,KAAA,QAAa,wBAAA"}

package/dist/core/auth/validation.mjs

@@ -1,2 +0,0 @@
-import{z as e}from"zod";const t=e.object({email:e.string().email(`Invalid email address`),password:e.string().min(8),remember:e.boolean().optional()}),n=e.object({username:e.string().min(2,`Name must be at least 2 characters`),email:e.string().email(`Invalid email address`),password:e.string().min(8,`Password must be at least 8 characters`),terms:e.boolean().refine(e=>e===!0,`You must accept the terms`)}),r=e.object({email:e.string().email(`Invalid email address`)}),i=e.object({password:e.string().min(8,`Password must be at least 8 characters`),confirm:e.string()}).refine(e=>e.password===e.confirm,{message:`Passwords do not match`,path:[`confirm`]}),a=e.object({code:e.string().min(6).max(6)}),o=e.object({code:e.string().regex(/^\d{6}$/,`Code must be 6 digits`)}),s=e.object({code:e.string().regex(/^\d{6}$/,`Code must be 6 digits`)}),c=e.object({name:e.string().min(1,`Passkey name is required`)}),l=e.object({code:e.string().min(16,`Recovery code is required`).max(16)});export{r as forgotPasswordSchema,t as loginSchema,c as passkeysSetupSchema,l as recoveryCodeVerifySchema,n as registerSchema,i as resetPasswordSchema,o as totpSetupSchema,s as totpVerifySchema,a as verifyEmailSchema};
-//# sourceMappingURL=validation.mjs.map

package/dist/core/auth/validation.mjs.map

@@ -1 +0,0 @@
-{"version":3,"file":"validation.mjs","names":[],"sources":["../../../src/core/auth/validation.ts"],"sourcesContent":["import { z } from \"zod\";\n\n// Auth validation schemas - CLEAN (No DB dependencies for client-side)\nexport const loginSchema = z.object({\n  email: z.string().email(\"Invalid email address\"),\n  password: z.string().min(8),\n  remember: z.boolean().optional(),\n});\n\nexport const registerSchema = z.object({\n  username: z.string().min(2, \"Name must be at least 2 characters\"),\n  email: z.string().email(\"Invalid email address\"),\n  password: z.string().min(8, \"Password must be at least 8 characters\"),\n  terms: z.boolean().refine((val) => val === true, \"You must accept the terms\"),\n});\n\nexport const forgotPasswordSchema = z.object({\n  email: z.string().email(\"Invalid email address\"),\n});\n\nexport const resetPasswordSchema = z\n  .object({\n    password: z.string().min(8, \"Password must be at least 8 characters\"),\n    confirm: z.string(),\n  })\n  .refine((data) => data.password === data.confirm, {\n    message: \"Passwords do not match\",\n    path: [\"confirm\"],\n  });\n\nexport const verifyEmailSchema = z.object({\n  code: z.string().min(6).max(6),\n});\n\n// mfa validation schemas\nexport const totpSetupSchema = z.object({\n  code: z.string().regex(/^\\d{6}$/, \"Code must be 6 digits\"),\n});\n\nexport const totpVerifySchema = z.object({\n  code: z.string().regex(/^\\d{6}$/, \"Code must be 6 digits\"),\n});\n\nexport const passkeysSetupSchema = z.object({\n  name: z.string().min(1, \"Passkey name is required\"),\n});\n\nexport const recoveryCodeVerifySchema = z.object({\n  code: z.string().min(16, \"Recovery code is required\").max(16),\n});\n\n// Type exports for use in components\nexport type LoginInput = z.infer<typeof loginSchema>;\nexport type RegisterInput = z.infer<typeof registerSchema>;\nexport type ForgotPasswordInput = z.infer<typeof forgotPasswordSchema>;\nexport type ResetPasswordInput = z.infer<typeof resetPasswordSchema>;\nexport type TOTPSetupInput = z.infer<typeof totpSetupSchema>;\nexport type TOTPVerifyInput = z.infer<typeof totpVerifySchema>;\nexport type PasskeysSetupInput = z.infer<typeof passkeysSetupSchema>;\nexport type VerifyEmailInput = z.infer<typeof verifyEmailSchema>;\nexport type RecoveryVerifyInput = z.infer<typeof recoveryCodeVerifySchema>;\n"],"mappings":"wBAGA,MAAa,EAAc,EAAE,OAAO,CAClC,MAAO,EAAE,QAAQ,CAAC,MAAM,wBAAwB,CAChD,SAAU,EAAE,QAAQ,CAAC,IAAI,EAAE,CAC3B,SAAU,EAAE,SAAS,CAAC,UAAU,CACjC,CAAC,CAEW,EAAiB,EAAE,OAAO,CACrC,SAAU,EAAE,QAAQ,CAAC,IAAI,EAAG,qCAAqC,CACjE,MAAO,EAAE,QAAQ,CAAC,MAAM,wBAAwB,CAChD,SAAU,EAAE,QAAQ,CAAC,IAAI,EAAG,yCAAyC,CACrE,MAAO,EAAE,SAAS,CAAC,OAAQ,GAAQ,IAAQ,GAAM,4BAA4B,CAC9E,CAAC,CAEW,EAAuB,EAAE,OAAO,CAC3C,MAAO,EAAE,QAAQ,CAAC,MAAM,wBAAwB,CACjD,CAAC,CAEW,EAAsB,EAChC,OAAO,CACN,SAAU,EAAE,QAAQ,CAAC,IAAI,EAAG,yCAAyC,CACrE,QAAS,EAAE,QAAQ,CACpB,CAAC,CACD,OAAQ,GAAS,EAAK,WAAa,EAAK,QAAS,CAChD,QAAS,yBACT,KAAM,CAAC,UAAU,CAClB,CAAC,CAES,EAAoB,EAAE,OAAO,CACxC,KAAM,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,CAC/B,CAAC,CAGW,EAAkB,EAAE,OAAO,CACtC,KAAM,EAAE,QAAQ,CAAC,MAAM,UAAW,wBAAwB,CAC3D,CAAC,CAEW,EAAmB,EAAE,OAAO,CACvC,KAAM,EAAE,QAAQ,CAAC,MAAM,UAAW,wBAAwB,CAC3D,CAAC,CAEW,EAAsB,EAAE,OAAO,CAC1C,KAAM,EAAE,QAAQ,CAAC,IAAI,EAAG,2BAA2B,CACpD,CAAC,CAEW,EAA2B,EAAE,OAAO,CAC/C,KAAM,EAAE,QAAQ,CAAC,IAAI,GAAI,4BAA4B,CAAC,IAAI,GAAG,CAC9D,CAAC"}

package/dist/core/bootstrap.d.mts

@@ -1,5 +0,0 @@
-//#region src/core/bootstrap.d.ts
-declare function ensureSystemInitialized(providedDb?: any): Promise<void>;
-//#endregion
-export { ensureSystemInitialized };
-//# sourceMappingURL=bootstrap.d.mts.map

package/dist/core/bootstrap.d.mts.map

@@ -1 +0,0 @@
-{"version":3,"file":"bootstrap.d.mts","names":[],"sources":["../../src/core/bootstrap.ts"],"mappings":";iBAQsB,uBAAA,CAAwB,UAAA,SAAgB,OAAA"}

package/dist/core/bootstrap.mjs

@@ -1,2 +0,0 @@
-import{eventBus as e}from"./event-bus.mjs";import{injectDb as t}from"../server/database/inject.mjs";import{initEmailVerification as n}from"./auth/email-verification.mjs";import{notificationService as r}from"./notifications/service.mjs";import{LocalFileProvider as i}from"./filesystem/providers/local.mjs";import{filesystemService as a}from"./filesystem/service.mjs";import"./filesystem/index.mjs";import{isSystemInstalled as o}from"./setup.mjs";async function s(s){if(typeof window<`u`)return;let c=globalThis;if(s&&t(s),!c.__KRYO_INITIALIZED__&&!c.__KRYO_INITIALIZING__){c.__KRYO_INITIALIZING__=!0;try{if(console.log(`[Kryo:Bootstrap] Starting system initialization...`),c.__KRYO_DB__||console.warn(`[Kryo:Bootstrap] DB not detected during bootstrap start. Trying to continue...`),await o()){r.init(),await n();let e=new i;a.registerProvider(e),a.setDefaultProvider(e.id)}else console.log(`[Kryo:Bootstrap] System not installed. Skipping module initialization.`);await e.publish(`system:start`,{runtime:`nodejs`}),console.log(`[Kryo:Bootstrap] System initialized successfully.`),c.__KRYO_INITIALIZED__=!0}catch(e){console.error(`[Kryo:Bootstrap] Initialization failed:`,e)}finally{c.__KRYO_INITIALIZING__=!1}}}export{s as ensureSystemInitialized};
-//# sourceMappingURL=bootstrap.mjs.map