@archlast/server 0.0.1

package/dist/auth/session-security.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-security.js","sourceRoot":"","sources":["../../src/auth/session-security.ts"],"names":[],"mappings":";;AAWA,wDAoBC;AApBD,SAAgB,sBAAsB,CAClC,OAAgB,EAChB,OAA0D,EAC1D,OAA+B;IAE/B,IAAI,OAAO,CAAC,QAAQ,IAAI,OAAO,EAAE,SAAS,EAAE,CAAC;QACzC,MAAM,SAAS,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;QACvC,IAAI,SAAS,KAAK,OAAO,CAAC,SAAS,EAAE,CAAC;YAClC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,qBAAqB,EAAE,CAAC;QAC3D,CAAC;IACL,CAAC;IAED,IAAI,OAAO,CAAC,eAAe,IAAI,OAAO,EAAE,SAAS,EAAE,CAAC;QAChD,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QACpD,IAAI,SAAS,KAAK,OAAO,CAAC,SAAS,EAAE,CAAC;YAClC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,qBAAqB,EAAE,CAAC;QAC3D,CAAC;IACL,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;AAC3B,CAAC;AAED,SAAS,WAAW,CAAC,OAAgB;IACjC,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;IACzD,IAAI,SAAS,EAAE,CAAC;QACZ,OAAO,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAC1C,CAAC;IACD,OAAO,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,IAAI,EAAE,CAAC;AACzD,CAAC"}

package/dist/auth/system/better-auth-schema.d.ts

@@ -0,0 +1,144 @@
+/**
+ * Better-Auth Schema Tables
+ *
+ * These tables are used by the Better-Auth integration.
+ * They extend the existing auth schema with Better-Auth-specific fields.
+ *
+ * NOTE: Better-Auth uses singular table names (user, session, account, verification, organization, member)
+ * The adapter maps these to Archlast's `system_auth_*` prefixed collection names.
+ */
+/**
+ * Better-Auth additional fields for the user table
+ * These fields extend the existing auth_users table
+ */
+export declare const betterAuthUserFields: {
+    readonly role: import("../../schema/validators.js").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+    readonly banned: import("../../schema/validators.js").FieldSchema<import("zod").ZodDefault<import("zod").ZodBoolean>>;
+    readonly banReason: import("../../schema/validators.js").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+    readonly banExpires: import("../../schema/validators.js").FieldSchema<import("zod").ZodOptional<import("zod").ZodNumber>>;
+    readonly username: import("../../schema/validators.js").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+    readonly displayUsername: import("../../schema/validators.js").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+    readonly isAnonymous: import("../../schema/validators.js").FieldSchema<import("zod").ZodDefault<import("zod").ZodBoolean>>;
+};
+/**
+ * Better-Auth additional fields for the session table
+ * These fields extend the existing auth_sessions table
+ */
+export declare const betterAuthSessionFields: {
+    readonly token: import("../../schema/validators.js").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+    readonly impersonatedBy: import("../../schema/validators.js").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+    readonly activeOrganizationId: import("../../schema/validators.js").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+};
+/**
+ * Better-Auth verification table
+ * Used for email verification and other verification codes
+ */
+export declare const verificationTable: import("../../schema/definition.js").TableDefinition<{
+    _id: import("../../schema/validators.js").FieldSchema<import("zod").ZodString>;
+    identifier: import("../../schema/validators.js").FieldSchema<import("zod").ZodString>;
+    value: import("../../schema/validators.js").FieldSchema<import("zod").ZodString>;
+    expiresAt: import("../../schema/validators.js").FieldSchema<import("zod").ZodDate>;
+    createdAt: import("../../schema/validators.js").FieldSchema<import("zod").ZodDate>;
+    updatedAt: import("../../schema/validators.js").FieldSchema<import("zod").ZodDate>;
+}>;
+/**
+ * Better-Auth organization table
+ * Multi-tenancy support via the organization plugin
+ */
+export declare const organizationTable: import("../../schema/definition.js").TableDefinition<{
+    _id: import("../../schema/validators.js").FieldSchema<import("zod").ZodString>;
+    name: import("../../schema/validators.js").FieldSchema<import("zod").ZodString>;
+    slug: import("../../schema/validators.js").FieldSchema<import("zod").ZodString>;
+    logo: import("../../schema/validators.js").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+    metadata: import("../../schema/validators.js").FieldSchema<import("zod").ZodOptional<import("zod").ZodAny>>;
+    createdAt: import("../../schema/validators.js").FieldSchema<import("zod").ZodDate>;
+    updatedAt: import("../../schema/validators.js").FieldSchema<import("zod").ZodOptional<import("zod").ZodDate>>;
+}>;
+/**
+ * Better-Auth member table
+ * Links users to organizations with roles
+ */
+export declare const memberTable: import("../../schema/definition.js").TableDefinition<{
+    _id: import("../../schema/validators.js").FieldSchema<import("zod").ZodString>;
+    organizationId: import("../../schema/validators.js").FieldSchema<import("zod").ZodString>;
+    userId: import("../../schema/validators.js").FieldSchema<import("zod").ZodString>;
+    role: import("../../schema/validators.js").FieldSchema<import("zod").ZodDefault<import("zod").ZodString>>;
+    createdAt: import("../../schema/validators.js").FieldSchema<import("zod").ZodDate>;
+}>;
+/**
+ * Better-Auth invitation table
+ * Organization invitations for users to join
+ */
+export declare const invitationTable: import("../../schema/definition.js").TableDefinition<{
+    _id: import("../../schema/validators.js").FieldSchema<import("zod").ZodString>;
+    organizationId: import("../../schema/validators.js").FieldSchema<import("zod").ZodString>;
+    email: import("../../schema/validators.js").FieldSchema<import("zod").ZodString>;
+    role: import("../../schema/validators.js").FieldSchema<import("zod").ZodString>;
+    status: import("../../schema/validators.js").FieldSchema<import("zod").ZodDefault<import("zod").ZodString>>;
+    expiresAt: import("../../schema/validators.js").FieldSchema<import("zod").ZodOptional<import("zod").ZodDate>>;
+    createdAt: import("../../schema/validators.js").FieldSchema<import("zod").ZodDate>;
+    inviterId: import("../../schema/validators.js").FieldSchema<import("zod").ZodString>;
+}>;
+/**
+ * Better-Auth API key table
+ * Used for API key authentication and management
+ */
+export declare const apiKeyTable: import("../../schema/definition.js").TableDefinition<{
+    _id: import("../../schema/validators.js").FieldSchema<import("zod").ZodString>;
+    name: import("../../schema/validators.js").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+    start: import("../../schema/validators.js").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+    prefix: import("../../schema/validators.js").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+    key: import("../../schema/validators.js").FieldSchema<import("zod").ZodString>;
+    userId: import("../../schema/validators.js").FieldSchema<import("zod").ZodString>;
+    refillInterval: import("../../schema/validators.js").FieldSchema<import("zod").ZodOptional<import("zod").ZodNumber>>;
+    refillAmount: import("../../schema/validators.js").FieldSchema<import("zod").ZodOptional<import("zod").ZodNumber>>;
+    lastRefillAt: import("../../schema/validators.js").FieldSchema<import("zod").ZodOptional<import("zod").ZodNumber>>;
+    enabled: import("../../schema/validators.js").FieldSchema<import("zod").ZodDefault<import("zod").ZodBoolean>>;
+    rateLimitEnabled: import("../../schema/validators.js").FieldSchema<import("zod").ZodDefault<import("zod").ZodBoolean>>;
+    rateLimitTimeWindow: import("../../schema/validators.js").FieldSchema<import("zod").ZodOptional<import("zod").ZodNumber>>;
+    rateLimitMax: import("../../schema/validators.js").FieldSchema<import("zod").ZodOptional<import("zod").ZodNumber>>;
+    requestCount: import("../../schema/validators.js").FieldSchema<import("zod").ZodDefault<import("zod").ZodNumber>>;
+    remaining: import("../../schema/validators.js").FieldSchema<import("zod").ZodOptional<import("zod").ZodNumber>>;
+    lastRequest: import("../../schema/validators.js").FieldSchema<import("zod").ZodOptional<import("zod").ZodNumber>>;
+    expiresAt: import("../../schema/validators.js").FieldSchema<import("zod").ZodOptional<import("zod").ZodNumber>>;
+    createdAt: import("../../schema/validators.js").FieldSchema<import("zod").ZodNumber>;
+    updatedAt: import("../../schema/validators.js").FieldSchema<import("zod").ZodOptional<import("zod").ZodNumber>>;
+    permissions: import("../../schema/validators.js").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+    metadata: import("../../schema/validators.js").FieldSchema<import("zod").ZodOptional<import("zod").ZodAny>>;
+}>;
+/**
+ * Index definitions for Better-Auth tables
+ */
+export declare const betterAuthIndexes: {
+    readonly sessionToken: {
+        readonly table: "system_auth_session";
+        readonly fields: readonly ["token"];
+        readonly name: "idx_system_auth_session_token";
+        readonly unique: true;
+    };
+    readonly username: {
+        readonly table: "system_auth_user";
+        readonly fields: readonly ["username"];
+        readonly name: "idx_system_auth_user_username";
+        readonly unique: true;
+    };
+    readonly verificationIdentifier: {
+        readonly table: "system_auth_verification";
+        readonly fields: readonly ["identifier"];
+        readonly name: "idx_system_auth_verification_identifier";
+    };
+};
+/**
+ * Role to permissions mapping
+ * Maps Better-Auth roles to permission strings
+ */
+export declare const ROLE_PERMISSIONS: Record<string, string[]>;
+/**
+ * Get permissions for a given role
+ */
+export declare function getPermissionsForRole(role: string | null | undefined): string[];
+/**
+ * Check if a role has a specific permission
+ */
+export declare function roleHasPermission(role: string | null | undefined, permission: string): boolean;
+//# sourceMappingURL=better-auth-schema.d.ts.map

package/dist/auth/system/better-auth-schema.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"better-auth-schema.d.ts","sourceRoot":"","sources":["../../../src/auth/system/better-auth-schema.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAIH;;;GAGG;AACH,eAAO,MAAM,oBAAoB;;;;;;;;CAavB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,uBAAuB;;;;CAS1B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,iBAAiB;;;;;;;EAc7B,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,iBAAiB;;;;;;;;EAgB7B,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,WAAW;;;;;;EAoBvB,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,eAAe;;;;;;;;;EA0B3B,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,WAAW;;;;;;;;;;;;;;;;;;;;;;EAmCvB,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;;;;CAqBpB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CA4B5C,CAAC;AAEX;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,MAAM,EAAE,CAG/E;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC7B,IAAI,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EAC/B,UAAU,EAAE,MAAM,GACnB,OAAO,CAgBT"}

package/dist/auth/system/better-auth-schema.js

@@ -0,0 +1,250 @@
+"use strict";
+/**
+ * Better-Auth Schema Tables
+ *
+ * These tables are used by the Better-Auth integration.
+ * They extend the existing auth schema with Better-Auth-specific fields.
+ *
+ * NOTE: Better-Auth uses singular table names (user, session, account, verification, organization, member)
+ * The adapter maps these to Archlast's `system_auth_*` prefixed collection names.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ROLE_PERMISSIONS = exports.betterAuthIndexes = exports.apiKeyTable = exports.invitationTable = exports.memberTable = exports.organizationTable = exports.verificationTable = exports.betterAuthSessionFields = exports.betterAuthUserFields = void 0;
+exports.getPermissionsForRole = getPermissionsForRole;
+exports.roleHasPermission = roleHasPermission;
+const definition_js_1 = require("../../schema/definition.js");
+/**
+ * Better-Auth additional fields for the user table
+ * These fields extend the existing auth_users table
+ */
+exports.betterAuthUserFields = {
+    // Admin plugin fields
+    role: definition_js_1.v.string().optional(),
+    banned: definition_js_1.v.boolean().default(false),
+    banReason: definition_js_1.v.string().optional(),
+    banExpires: definition_js_1.v.number().optional(),
+    // Username plugin fields
+    username: definition_js_1.v.string().optional(),
+    displayUsername: definition_js_1.v.string().optional(),
+    // Anonymous plugin field
+    isAnonymous: definition_js_1.v.boolean().default(false),
+};
+/**
+ * Better-Auth additional fields for the session table
+ * These fields extend the existing auth_sessions table
+ */
+exports.betterAuthSessionFields = {
+    // Better-Auth stores the token (not just hash) for session lookup
+    token: definition_js_1.v.string().optional(),
+    // Admin plugin - impersonation support
+    impersonatedBy: definition_js_1.v.string().optional(),
+    // Organization plugin - active organization selection
+    activeOrganizationId: definition_js_1.v.string().optional(),
+};
+/**
+ * Better-Auth verification table
+ * Used for email verification and other verification codes
+ */
+exports.verificationTable = (0, definition_js_1.defineTable)({
+    _id: definition_js_1.v.id().primaryKey(),
+    identifier: definition_js_1.v.string(),
+    value: definition_js_1.v.string(),
+    expiresAt: definition_js_1.v.datetime(),
+    createdAt: definition_js_1.v.datetime(),
+    updatedAt: definition_js_1.v.datetime(),
+}, {
+    indexes: [
+        { fields: ["identifier"], name: "idx_system_auth_verification_identifier" },
+    ],
+});
+/**
+ * Better-Auth organization table
+ * Multi-tenancy support via the organization plugin
+ */
+exports.organizationTable = (0, definition_js_1.defineTable)({
+    _id: definition_js_1.v.id().primaryKey(),
+    name: definition_js_1.v.string(),
+    slug: definition_js_1.v.string(),
+    logo: definition_js_1.v.string().optional(),
+    metadata: definition_js_1.v.json().optional(),
+    createdAt: definition_js_1.v.datetime(),
+    updatedAt: definition_js_1.v.datetime().optional(),
+}, {
+    indexes: [
+        { fields: ["slug"], name: "idx_system_auth_organization_slug", unique: true },
+        { fields: ["name"], name: "idx_system_auth_organization_name" },
+    ],
+});
+/**
+ * Better-Auth member table
+ * Links users to organizations with roles
+ */
+exports.memberTable = (0, definition_js_1.defineTable)({
+    _id: definition_js_1.v.id().primaryKey(),
+    organizationId: definition_js_1.v
+        .id()
+        .foreignKey("system_auth_organization", "_id", { onDelete: "CASCADE" })
+        .index(),
+    userId: definition_js_1.v
+        .id()
+        .foreignKey("system_auth_user", "_id", { onDelete: "CASCADE" })
+        .index(),
+    role: definition_js_1.v.string().default("member"),
+    createdAt: definition_js_1.v.datetime(),
+}, {
+    indexes: [
+        { fields: ["organizationId", "userId"], name: "idx_system_auth_member_org_user" },
+        { fields: ["userId"], name: "idx_system_auth_member_user" },
+    ],
+});
+/**
+ * Better-Auth invitation table
+ * Organization invitations for users to join
+ */
+exports.invitationTable = (0, definition_js_1.defineTable)({
+    _id: definition_js_1.v.id().primaryKey(),
+    organizationId: definition_js_1.v
+        .id()
+        .foreignKey("system_auth_organization", "_id", { onDelete: "CASCADE" })
+        .index(),
+    email: definition_js_1.v.string(),
+    role: definition_js_1.v.string(),
+    status: definition_js_1.v
+        .string()
+        .default("pending"),
+    expiresAt: definition_js_1.v.datetime().optional(),
+    createdAt: definition_js_1.v.datetime(),
+    inviterId: definition_js_1.v
+        .id()
+        .foreignKey("system_auth_user", "_id", { onDelete: "CASCADE" })
+        .index(),
+}, {
+    indexes: [
+        { fields: ["organizationId", "email"], name: "idx_system_auth_invitation_org_email" },
+        { fields: ["email"], name: "idx_system_auth_invitation_email" },
+        { fields: ["status"], name: "idx_system_auth_invitation_status" },
+    ],
+});
+/**
+ * Better-Auth API key table
+ * Used for API key authentication and management
+ */
+exports.apiKeyTable = (0, definition_js_1.defineTable)({
+    _id: definition_js_1.v.id().primaryKey(),
+    name: definition_js_1.v.string().optional(),
+    start: definition_js_1.v.string().optional(),
+    prefix: definition_js_1.v.string().optional(),
+    key: definition_js_1.v.string(),
+    userId: definition_js_1.v
+        .id()
+        .foreignKey("system_auth_user", "_id", { onDelete: "CASCADE" })
+        .index(),
+    refillInterval: definition_js_1.v.number().optional(),
+    refillAmount: definition_js_1.v.number().optional(),
+    lastRefillAt: definition_js_1.v.number().optional(),
+    enabled: definition_js_1.v.boolean().default(true),
+    rateLimitEnabled: definition_js_1.v.boolean().default(false),
+    rateLimitTimeWindow: definition_js_1.v.number().optional(),
+    rateLimitMax: definition_js_1.v.number().optional(),
+    requestCount: definition_js_1.v.number().default(0),
+    remaining: definition_js_1.v.number().optional(),
+    lastRequest: definition_js_1.v.number().optional(),
+    expiresAt: definition_js_1.v.number().optional(),
+    createdAt: definition_js_1.v.number(),
+    updatedAt: definition_js_1.v.number().optional(),
+    permissions: definition_js_1.v.string().optional(),
+    metadata: definition_js_1.v.json().optional(),
+}, {
+    indexes: [
+        { fields: ["userId"], name: "idx_system_auth_api_key_userId" },
+        { fields: ["key"], name: "idx_system_auth_api_key_key", unique: true },
+        { fields: ["enabled"], name: "idx_system_auth_api_key_enabled" },
+        { fields: ["expiresAt"], name: "idx_system_auth_api_key_expiresAt" },
+    ],
+});
+/**
+ * Index definitions for Better-Auth tables
+ */
+exports.betterAuthIndexes = {
+    // Session token index for fast session lookup
+    sessionToken: {
+        table: "system_auth_session",
+        fields: ["token"],
+        name: "idx_system_auth_session_token",
+        unique: true,
+    },
+    // User username index for username lookup
+    username: {
+        table: "system_auth_user",
+        fields: ["username"],
+        name: "idx_system_auth_user_username",
+        unique: true,
+    },
+    // Verification identifier index
+    verificationIdentifier: {
+        table: "system_auth_verification",
+        fields: ["identifier"],
+        name: "idx_system_auth_verification_identifier",
+    },
+};
+/**
+ * Role to permissions mapping
+ * Maps Better-Auth roles to permission strings
+ */
+exports.ROLE_PERMISSIONS = {
+    // Admin roles from admin plugin
+    admin: [
+        "admin.*",
+        "users.read",
+        "users.write",
+        "users.delete",
+        "organizations.read",
+        "organizations.write",
+        "organizations.delete",
+        "settings.read",
+        "settings.write",
+    ],
+    // Member roles (default)
+    member: [
+        "organizations.read",
+        "profile.read",
+        "profile.write",
+    ],
+    // Owner role (from organization plugin)
+    owner: [
+        "admin.*",
+        "organizations.*",
+        "members.read",
+        "members.write",
+        "members.delete",
+        "settings.*",
+    ],
+};
+/**
+ * Get permissions for a given role
+ */
+function getPermissionsForRole(role) {
+    if (!role)
+        return [];
+    return exports.ROLE_PERMISSIONS[role] || exports.ROLE_PERMISSIONS.member || [];
+}
+/**
+ * Check if a role has a specific permission
+ */
+function roleHasPermission(role, permission) {
+    const permissions = getPermissionsForRole(role);
+    // Check for wildcard permissions
+    for (const perm of permissions) {
+        if (perm.endsWith("*")) {
+            const prefix = perm.slice(0, -1);
+            if (permission.startsWith(prefix)) {
+                return true;
+            }
+        }
+        else if (perm === permission) {
+            return true;
+        }
+    }
+    return false;
+}
+//# sourceMappingURL=better-auth-schema.js.map

package/dist/auth/system/better-auth-schema.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"better-auth-schema.js","sourceRoot":"","sources":["../../../src/auth/system/better-auth-schema.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;;AAkPH,sDAGC;AAKD,8CAmBC;AA3QD,8DAA4D;AAE5D;;;GAGG;AACU,QAAA,oBAAoB,GAAG;IAChC,sBAAsB;IACtB,IAAI,EAAE,iBAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC3B,MAAM,EAAE,iBAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAClC,SAAS,EAAE,iBAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAChC,UAAU,EAAE,iBAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAEjC,yBAAyB;IACzB,QAAQ,EAAE,iBAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC/B,eAAe,EAAE,iBAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAEtC,yBAAyB;IACzB,WAAW,EAAE,iBAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;CACjC,CAAC;AAEX;;;GAGG;AACU,QAAA,uBAAuB,GAAG;IACnC,kEAAkE;IAClE,KAAK,EAAE,iBAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAE5B,uCAAuC;IACvC,cAAc,EAAE,iBAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAErC,sDAAsD;IACtD,oBAAoB,EAAE,iBAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACrC,CAAC;AAEX;;;GAGG;AACU,QAAA,iBAAiB,GAAG,IAAA,2BAAW,EACxC;IACI,GAAG,EAAE,iBAAC,CAAC,EAAE,EAAE,CAAC,UAAU,EAAE;IACxB,UAAU,EAAE,iBAAC,CAAC,MAAM,EAAE;IACtB,KAAK,EAAE,iBAAC,CAAC,MAAM,EAAE;IACjB,SAAS,EAAE,iBAAC,CAAC,QAAQ,EAAE;IACvB,SAAS,EAAE,iBAAC,CAAC,QAAQ,EAAE;IACvB,SAAS,EAAE,iBAAC,CAAC,QAAQ,EAAE;CAC1B,EACD;IACI,OAAO,EAAE;QACL,EAAE,MAAM,EAAE,CAAC,YAAY,CAAC,EAAE,IAAI,EAAE,yCAAyC,EAAE;KAC9E;CACJ,CACJ,CAAC;AAEF;;;GAGG;AACU,QAAA,iBAAiB,GAAG,IAAA,2BAAW,EACxC;IACI,GAAG,EAAE,iBAAC,CAAC,EAAE,EAAE,CAAC,UAAU,EAAE;IACxB,IAAI,EAAE,iBAAC,CAAC,MAAM,EAAE;IAChB,IAAI,EAAE,iBAAC,CAAC,MAAM,EAAE;IAChB,IAAI,EAAE,iBAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC3B,QAAQ,EAAE,iBAAC,CAAC,IAAI,EAAE,CAAC,QAAQ,EAAE;IAC7B,SAAS,EAAE,iBAAC,CAAC,QAAQ,EAAE;IACvB,SAAS,EAAE,iBAAC,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;CACrC,EACD;IACI,OAAO,EAAE;QACL,EAAE,MAAM,EAAE,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,mCAAmC,EAAE,MAAM,EAAE,IAAI,EAAE;QAC7E,EAAE,MAAM,EAAE,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,mCAAmC,EAAE;KAClE;CACJ,CACJ,CAAC;AAEF;;;GAGG;AACU,QAAA,WAAW,GAAG,IAAA,2BAAW,EAClC;IACI,GAAG,EAAE,iBAAC,CAAC,EAAE,EAAE,CAAC,UAAU,EAAE;IACxB,cAAc,EAAE,iBAAC;SACZ,EAAE,EAAE;SACJ,UAAU,CAAC,0BAA0B,EAAE,KAAK,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;SACtE,KAAK,EAAE;IACZ,MAAM,EAAE,iBAAC;SACJ,EAAE,EAAE;SACJ,UAAU,CAAC,kBAAkB,EAAE,KAAK,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;SAC9D,KAAK,EAAE;IACZ,IAAI,EAAE,iBAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC;IAClC,SAAS,EAAE,iBAAC,CAAC,QAAQ,EAAE;CAC1B,EACD;IACI,OAAO,EAAE;QACL,EAAE,MAAM,EAAE,CAAC,gBAAgB,EAAE,QAAQ,CAAC,EAAE,IAAI,EAAE,iCAAiC,EAAE;QACjF,EAAE,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,IAAI,EAAE,6BAA6B,EAAE;KAC9D;CACJ,CACJ,CAAC;AAEF;;;GAGG;AACU,QAAA,eAAe,GAAG,IAAA,2BAAW,EACtC;IACI,GAAG,EAAE,iBAAC,CAAC,EAAE,EAAE,CAAC,UAAU,EAAE;IACxB,cAAc,EAAE,iBAAC;SACZ,EAAE,EAAE;SACJ,UAAU,CAAC,0BAA0B,EAAE,KAAK,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;SACtE,KAAK,EAAE;IACZ,KAAK,EAAE,iBAAC,CAAC,MAAM,EAAE;IACjB,IAAI,EAAE,iBAAC,CAAC,MAAM,EAAE;IAChB,MAAM,EAAE,iBAAC;SACJ,MAAM,EAAE;SACR,OAAO,CAAC,SAAS,CAAC;IACvB,SAAS,EAAE,iBAAC,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;IAClC,SAAS,EAAE,iBAAC,CAAC,QAAQ,EAAE;IACvB,SAAS,EAAE,iBAAC;SACP,EAAE,EAAE;SACJ,UAAU,CAAC,kBAAkB,EAAE,KAAK,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;SAC9D,KAAK,EAAE;CACf,EACD;IACI,OAAO,EAAE;QACL,EAAE,MAAM,EAAE,CAAC,gBAAgB,EAAE,OAAO,CAAC,EAAE,IAAI,EAAE,sCAAsC,EAAE;QACrF,EAAE,MAAM,EAAE,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,kCAAkC,EAAE;QAC/D,EAAE,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,IAAI,EAAE,mCAAmC,EAAE;KACpE;CACJ,CACJ,CAAC;AAEF;;;GAGG;AACU,QAAA,WAAW,GAAG,IAAA,2BAAW,EAClC;IACI,GAAG,EAAE,iBAAC,CAAC,EAAE,EAAE,CAAC,UAAU,EAAE;IACxB,IAAI,EAAE,iBAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC3B,KAAK,EAAE,iBAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,MAAM,EAAE,iBAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC7B,GAAG,EAAE,iBAAC,CAAC,MAAM,EAAE;IACf,MAAM,EAAE,iBAAC;SACJ,EAAE,EAAE;SACJ,UAAU,CAAC,kBAAkB,EAAE,KAAK,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;SAC9D,KAAK,EAAE;IACZ,cAAc,EAAE,iBAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACrC,YAAY,EAAE,iBAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACnC,YAAY,EAAE,iBAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACnC,OAAO,EAAE,iBAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAClC,gBAAgB,EAAE,iBAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAC5C,mBAAmB,EAAE,iBAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1C,YAAY,EAAE,iBAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACnC,YAAY,EAAE,iBAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;IACnC,SAAS,EAAE,iBAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAChC,WAAW,EAAE,iBAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,SAAS,EAAE,iBAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAChC,SAAS,EAAE,iBAAC,CAAC,MAAM,EAAE;IACrB,SAAS,EAAE,iBAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAChC,WAAW,EAAE,iBAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,QAAQ,EAAE,iBAAC,CAAC,IAAI,EAAE,CAAC,QAAQ,EAAE;CAChC,EACD;IACI,OAAO,EAAE;QACL,EAAE,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,IAAI,EAAE,gCAAgC,EAAE;QAC9D,EAAE,MAAM,EAAE,CAAC,KAAK,CAAC,EAAE,IAAI,EAAE,6BAA6B,EAAE,MAAM,EAAE,IAAI,EAAE;QACtE,EAAE,MAAM,EAAE,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,iCAAiC,EAAE;QAChE,EAAE,MAAM,EAAE,CAAC,WAAW,CAAC,EAAE,IAAI,EAAE,mCAAmC,EAAE;KACvE;CACJ,CACJ,CAAC;AAEF;;GAEG;AACU,QAAA,iBAAiB,GAAG;IAC7B,8CAA8C;IAC9C,YAAY,EAAE;QACV,KAAK,EAAE,qBAAqB;QAC5B,MAAM,EAAE,CAAC,OAAO,CAAC;QACjB,IAAI,EAAE,+BAA+B;QACrC,MAAM,EAAE,IAAI;KACf;IACD,0CAA0C;IAC1C,QAAQ,EAAE;QACN,KAAK,EAAE,kBAAkB;QACzB,MAAM,EAAE,CAAC,UAAU,CAAC;QACpB,IAAI,EAAE,+BAA+B;QACrC,MAAM,EAAE,IAAI;KACf;IACD,gCAAgC;IAChC,sBAAsB,EAAE;QACpB,KAAK,EAAE,0BAA0B;QACjC,MAAM,EAAE,CAAC,YAAY,CAAC;QACtB,IAAI,EAAE,yCAAyC;KAClD;CACK,CAAC;AAEX;;;GAGG;AACU,QAAA,gBAAgB,GAA6B;IACtD,gCAAgC;IAChC,KAAK,EAAE;QACH,SAAS;QACT,YAAY;QACZ,aAAa;QACb,cAAc;QACd,oBAAoB;QACpB,qBAAqB;QACrB,sBAAsB;QACtB,eAAe;QACf,gBAAgB;KACnB;IACD,yBAAyB;IACzB,MAAM,EAAE;QACJ,oBAAoB;QACpB,cAAc;QACd,eAAe;KAClB;IACD,wCAAwC;IACxC,KAAK,EAAE;QACH,SAAS;QACT,iBAAiB;QACjB,cAAc;QACd,eAAe;QACf,gBAAgB;QAChB,YAAY;KACf;CACK,CAAC;AAEX;;GAEG;AACH,SAAgB,qBAAqB,CAAC,IAA+B;IACjE,IAAI,CAAC,IAAI;QAAE,OAAO,EAAE,CAAC;IACrB,OAAO,wBAAgB,CAAC,IAAI,CAAC,IAAI,wBAAgB,CAAC,MAAM,IAAI,EAAE,CAAC;AACnE,CAAC;AAED;;GAEG;AACH,SAAgB,iBAAiB,CAC7B,IAA+B,EAC/B,UAAkB;IAElB,MAAM,WAAW,GAAG,qBAAqB,CAAC,IAAI,CAAC,CAAC;IAEhD,iCAAiC;IACjC,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;QAC7B,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACrB,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;YACjC,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;gBAChC,OAAO,IAAI,CAAC;YAChB,CAAC;QACL,CAAC;aAAM,IAAI,IAAI,KAAK,UAAU,EAAE,CAAC;YAC7B,OAAO,IAAI,CAAC;QAChB,CAAC;IACL,CAAC;IAED,OAAO,KAAK,CAAC;AACjB,CAAC"}

package/dist/auth/system/constants.d.ts

@@ -0,0 +1,114 @@
+/**
+ * Archlast built-in auth constants & small helpers.
+ *
+ * Notes:
+ * - These are platform-level defaults.
+ * - No SQL tables are created; collections are logical names stored in the shared `documents` table.
+ * - Cookies are used for browser-friendly, secure-by-default auth.
+ */
+export declare const AUTH_COOKIE_NAME: "archlast_session";
+/**
+ * Cookie path for the session cookie. Keep this rooted so it's sent to all routes.
+ */
+export declare const AUTH_COOKIE_PATH: "/";
+/**
+ * Default SameSite policy.
+ * - "Lax" prevents most CSRF while preserving top-level navigation flows.
+ * - Some OAuth flows may require special handling (state param), but cookie should remain Lax.
+ */
+export declare const AUTH_COOKIE_SAMESITE: "Lax";
+/**
+ * Default session TTL: 30 days.
+ * Adjust with env if needed elsewhere, but keep a secure default here.
+ */
+export declare const DEFAULT_SESSION_TTL_MS: number;
+/**
+ * Rotation policy: if the session is older than this since last active, rotate token.
+ * Default: 7 days.
+ */
+export declare const DEFAULT_SESSION_ROTATE_AFTER_MS: number;
+/**
+ * Activity update throttle: avoid DB writes on every request.
+ * Default: 5 minutes.
+ */
+export declare const DEFAULT_SESSION_TOUCH_THROTTLE_MS: number;
+/**
+ * Collection names for built-in auth documents (stored in the shared `documents` table).
+ *
+ * These should be treated as reserved collection names.
+ */
+export declare const AUTH_COLLECTIONS: {
+    readonly users: "auth_users";
+    readonly accounts: "auth_accounts";
+    readonly sessions: "auth_sessions";
+    readonly tenants: "auth_tenants";
+    readonly memberships: "auth_memberships";
+    readonly invites: "auth_invites";
+};
+export type AuthCollectionName = (typeof AUTH_COLLECTIONS)[keyof typeof AUTH_COLLECTIONS];
+/**
+ * Default roles for tenant membership.
+ */
+export declare const TENANT_ROLES: {
+    readonly owner: "owner";
+    readonly admin: "admin";
+    readonly member: "member";
+};
+export type TenantRole = (typeof TENANT_ROLES)[keyof typeof TENANT_ROLES];
+/**
+ * Default permission wildcard.
+ * - Used for owner role.
+ */
+export declare const PERMISSION_WILDCARD: "*";
+/**
+ * Basic permission helpers.
+ *
+ * Policy:
+ * - Exact match grants permission.
+ * - Wildcard "*" grants all.
+ * - Prefix wildcards like "tasks.*" grant any permission under that namespace.
+ */
+export declare function hasPermission(permissions: readonly string[] | null | undefined, permission: string): boolean;
+/**
+ * Default permissions by role.
+ *
+ * Keep conservative; you can expand this as platform features land.
+ */
+export declare const DEFAULT_ROLE_PERMISSIONS: Record<TenantRole, readonly string[]>;
+/**
+ * Pick a default tenant for a user if multiple memberships exist.
+ *
+ * Policy (as requested):
+ * - Auto-pick "owned" tenant if present (role === "owner"; earliest createdAt wins)
+ * - Else pick the oldest membership by createdAt
+ */
+export declare function pickDefaultTenantId(memberships: Array<{
+    tenantId: string;
+    role?: string;
+    createdAt?: number;
+}>): string | null;
+/**
+ * Build a Set-Cookie header value for the session cookie.
+ *
+ * This produces a cookie string; callers should attach it as `Set-Cookie`.
+ *
+ * Security defaults:
+ * - HttpOnly (prevents JS access)
+ * - SameSite=Lax (CSRF mitigation)
+ * - Secure in production (env NODE_ENV === 'production')
+ */
+export declare function buildSessionSetCookie(token: string, opts?: {
+    maxAgeSeconds?: number;
+    secure?: boolean;
+}): string;
+/**
+ * Build a Set-Cookie header value that clears the session cookie.
+ */
+export declare function buildSessionClearCookie(opts?: {
+    secure?: boolean;
+}): string;
+/**
+ * Best-effort cookie parser used for Bun Request headers.
+ */
+export declare function parseCookies(cookieHeader: string | null | undefined): Record<string, string>;
+//# sourceMappingURL=constants.d.ts.map

package/dist/auth/system/constants.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../../../src/auth/system/constants.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,eAAO,MAAM,gBAAgB,EAAG,kBAA2B,CAAC;AAE5D;;GAEG;AACH,eAAO,MAAM,gBAAgB,EAAG,GAAY,CAAC;AAE7C;;;;GAIG;AACH,eAAO,MAAM,oBAAoB,EAAG,KAAc,CAAC;AAEnD;;;GAGG;AACH,eAAO,MAAM,sBAAsB,QAA2B,CAAC;AAE/D;;;GAGG;AACH,eAAO,MAAM,+BAA+B,QAA0B,CAAC;AAEvE;;;GAGG;AACH,eAAO,MAAM,iCAAiC,QAAgB,CAAC;AAE/D;;;;GAIG;AACH,eAAO,MAAM,gBAAgB;;;;;;;CAOnB,CAAC;AAEX,MAAM,MAAM,kBAAkB,GAAG,CAAC,OAAO,gBAAgB,CAAC,CAAC,MAAM,OAAO,gBAAgB,CAAC,CAAC;AAE1F;;GAEG;AACH,eAAO,MAAM,YAAY;;;;CAIf,CAAC;AAEX,MAAM,MAAM,UAAU,GAAG,CAAC,OAAO,YAAY,CAAC,CAAC,MAAM,OAAO,YAAY,CAAC,CAAC;AAE1E;;;GAGG;AACH,eAAO,MAAM,mBAAmB,EAAG,GAAY,CAAC;AAEhD;;;;;;;GAOG;AACH,wBAAgB,aAAa,CACzB,WAAW,EAAE,SAAS,MAAM,EAAE,GAAG,IAAI,GAAG,SAAS,EACjD,UAAU,EAAE,MAAM,GACnB,OAAO,CAiBT;AAED;;;;GAIG;AACH,eAAO,MAAM,wBAAwB,EAAE,MAAM,CAAC,UAAU,EAAE,SAAS,MAAM,EAAE,CAWjE,CAAC;AAEX;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CAC/B,WAAW,EAAE,KAAK,CAAC;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,GAC5E,MAAM,GAAG,IAAI,CAqBf;AAED;;;;;;;;;GASG;AACH,wBAAgB,qBAAqB,CACjC,KAAK,EAAE,MAAM,EACb,IAAI,CAAC,EAAE;IAAE,aAAa,CAAC,EAAE,MAAM,CAAC;IAAC,MAAM,CAAC,EAAE,OAAO,CAAA;CAAE,GACpD,MAAM,CAeR;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,IAAI,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,OAAO,CAAA;CAAE,GAAG,MAAM,CAY3E;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,YAAY,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAc5F"}