@archlast/server 0.0.1

package/dist/auth/system/constants.js

@@ -0,0 +1,205 @@
+"use strict";
+/**
+ * Archlast built-in auth constants & small helpers.
+ *
+ * Notes:
+ * - These are platform-level defaults.
+ * - No SQL tables are created; collections are logical names stored in the shared `documents` table.
+ * - Cookies are used for browser-friendly, secure-by-default auth.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DEFAULT_ROLE_PERMISSIONS = exports.PERMISSION_WILDCARD = exports.TENANT_ROLES = exports.AUTH_COLLECTIONS = exports.DEFAULT_SESSION_TOUCH_THROTTLE_MS = exports.DEFAULT_SESSION_ROTATE_AFTER_MS = exports.DEFAULT_SESSION_TTL_MS = exports.AUTH_COOKIE_SAMESITE = exports.AUTH_COOKIE_PATH = exports.AUTH_COOKIE_NAME = void 0;
+exports.hasPermission = hasPermission;
+exports.pickDefaultTenantId = pickDefaultTenantId;
+exports.buildSessionSetCookie = buildSessionSetCookie;
+exports.buildSessionClearCookie = buildSessionClearCookie;
+exports.parseCookies = parseCookies;
+exports.AUTH_COOKIE_NAME = "archlast_session";
+/**
+ * Cookie path for the session cookie. Keep this rooted so it's sent to all routes.
+ */
+exports.AUTH_COOKIE_PATH = "/";
+/**
+ * Default SameSite policy.
+ * - "Lax" prevents most CSRF while preserving top-level navigation flows.
+ * - Some OAuth flows may require special handling (state param), but cookie should remain Lax.
+ */
+exports.AUTH_COOKIE_SAMESITE = "Lax";
+/**
+ * Default session TTL: 30 days.
+ * Adjust with env if needed elsewhere, but keep a secure default here.
+ */
+exports.DEFAULT_SESSION_TTL_MS = 1000 * 60 * 60 * 24 * 30;
+/**
+ * Rotation policy: if the session is older than this since last active, rotate token.
+ * Default: 7 days.
+ */
+exports.DEFAULT_SESSION_ROTATE_AFTER_MS = 1000 * 60 * 60 * 24 * 7;
+/**
+ * Activity update throttle: avoid DB writes on every request.
+ * Default: 5 minutes.
+ */
+exports.DEFAULT_SESSION_TOUCH_THROTTLE_MS = 1000 * 60 * 5;
+/**
+ * Collection names for built-in auth documents (stored in the shared `documents` table).
+ *
+ * These should be treated as reserved collection names.
+ */
+exports.AUTH_COLLECTIONS = {
+    users: "auth_users",
+    accounts: "auth_accounts",
+    sessions: "auth_sessions",
+    tenants: "auth_tenants",
+    memberships: "auth_memberships",
+    invites: "auth_invites",
+};
+/**
+ * Default roles for tenant membership.
+ */
+exports.TENANT_ROLES = {
+    owner: "owner",
+    admin: "admin",
+    member: "member",
+};
+/**
+ * Default permission wildcard.
+ * - Used for owner role.
+ */
+exports.PERMISSION_WILDCARD = "*";
+/**
+ * Basic permission helpers.
+ *
+ * Policy:
+ * - Exact match grants permission.
+ * - Wildcard "*" grants all.
+ * - Prefix wildcards like "tasks.*" grant any permission under that namespace.
+ */
+function hasPermission(permissions, permission) {
+    if (!permission)
+        return false;
+    if (!permissions || permissions.length === 0)
+        return false;
+    for (const p of permissions) {
+        if (p === exports.PERMISSION_WILDCARD)
+            return true;
+        if (p === permission)
+            return true;
+        // namespace wildcard: "tasks.*" matches "tasks.read"
+        if (p.endsWith(".*")) {
+            const prefix = p.slice(0, -2);
+            if (permission === prefix)
+                return true;
+            if (permission.startsWith(prefix + "."))
+                return true;
+        }
+    }
+    return false;
+}
+/**
+ * Default permissions by role.
+ *
+ * Keep conservative; you can expand this as platform features land.
+ */
+exports.DEFAULT_ROLE_PERMISSIONS = {
+    owner: [exports.PERMISSION_WILDCARD],
+    admin: [
+        "tenant.read",
+        "tenant.write",
+        "members.read",
+        "members.write",
+        "invites.read",
+        "invites.write",
+    ],
+    member: ["tenant.read", "members.read"],
+};
+/**
+ * Pick a default tenant for a user if multiple memberships exist.
+ *
+ * Policy (as requested):
+ * - Auto-pick "owned" tenant if present (role === "owner"; earliest createdAt wins)
+ * - Else pick the oldest membership by createdAt
+ */
+function pickDefaultTenantId(memberships) {
+    if (!memberships || memberships.length === 0)
+        return null;
+    const owners = memberships
+        .filter((m) => m.role === exports.TENANT_ROLES.owner)
+        .slice()
+        .sort((a, b) => (a.createdAt ?? Number.MAX_SAFE_INTEGER) - (b.createdAt ?? Number.MAX_SAFE_INTEGER));
+    if (owners.length > 0)
+        return owners[0].tenantId;
+    const sorted = memberships
+        .slice()
+        .sort((a, b) => (a.createdAt ?? Number.MAX_SAFE_INTEGER) - (b.createdAt ?? Number.MAX_SAFE_INTEGER));
+    return sorted[0].tenantId ?? null;
+}
+/**
+ * Build a Set-Cookie header value for the session cookie.
+ *
+ * This produces a cookie string; callers should attach it as `Set-Cookie`.
+ *
+ * Security defaults:
+ * - HttpOnly (prevents JS access)
+ * - SameSite=Lax (CSRF mitigation)
+ * - Secure in production (env NODE_ENV === 'production')
+ */
+function buildSessionSetCookie(token, opts) {
+    const maxAgeSeconds = opts?.maxAgeSeconds;
+    const secure = opts?.secure ?? process.env.NODE_ENV === "production";
+    const parts = [];
+    parts.push(`${exports.AUTH_COOKIE_NAME}=${encodeURIComponent(token)}`);
+    parts.push(`Path=${exports.AUTH_COOKIE_PATH}`);
+    parts.push(`HttpOnly`);
+    parts.push(`SameSite=${exports.AUTH_COOKIE_SAMESITE}`);
+    if (secure)
+        parts.push("Secure");
+    if (typeof maxAgeSeconds === "number")
+        parts.push(`Max-Age=${Math.max(0, Math.floor(maxAgeSeconds))}`);
+    return parts.join("; ");
+}
+/**
+ * Build a Set-Cookie header value that clears the session cookie.
+ */
+function buildSessionClearCookie(opts) {
+    // Max-Age=0 clears; also set an old Expires for compatibility.
+    const secure = opts?.secure ?? process.env.NODE_ENV === "production";
+    const parts = [];
+    parts.push(`${exports.AUTH_COOKIE_NAME}=`);
+    parts.push(`Path=${exports.AUTH_COOKIE_PATH}`);
+    parts.push(`HttpOnly`);
+    parts.push(`SameSite=${exports.AUTH_COOKIE_SAMESITE}`);
+    parts.push("Max-Age=0");
+    parts.push("Expires=Thu, 01 Jan 1970 00:00:00 GMT");
+    if (secure)
+        parts.push("Secure");
+    return parts.join("; ");
+}
+/**
+ * Best-effort cookie parser used for Bun Request headers.
+ */
+function parseCookies(cookieHeader) {
+    const out = {};
+    if (!cookieHeader)
+        return out;
+    const pairs = cookieHeader.split(";");
+    for (const pair of pairs) {
+        const idx = pair.indexOf("=");
+        if (idx === -1)
+            continue;
+        const name = pair.slice(0, idx).trim();
+        const value = pair.slice(idx + 1).trim();
+        if (!name)
+            continue;
+        out[name] = safeDecodeURIComponent(value);
+    }
+    return out;
+}
+function safeDecodeURIComponent(value) {
+    try {
+        return decodeURIComponent(value);
+    }
+    catch {
+        return value;
+    }
+}
+//# sourceMappingURL=constants.js.map

package/dist/auth/system/constants.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.js","sourceRoot":"","sources":["../../../src/auth/system/constants.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;;AA2EH,sCAoBC;AA2BD,kDAuBC;AAYD,sDAkBC;AAKD,0DAYC;AAKD,oCAcC;AAjNY,QAAA,gBAAgB,GAAG,kBAA2B,CAAC;AAE5D;;GAEG;AACU,QAAA,gBAAgB,GAAG,GAAY,CAAC;AAE7C;;;;GAIG;AACU,QAAA,oBAAoB,GAAG,KAAc,CAAC;AAEnD;;;GAGG;AACU,QAAA,sBAAsB,GAAG,IAAI,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC;AAE/D;;;GAGG;AACU,QAAA,+BAA+B,GAAG,IAAI,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;AAEvE;;;GAGG;AACU,QAAA,iCAAiC,GAAG,IAAI,GAAG,EAAE,GAAG,CAAC,CAAC;AAE/D;;;;GAIG;AACU,QAAA,gBAAgB,GAAG;IAC5B,KAAK,EAAE,YAAY;IACnB,QAAQ,EAAE,eAAe;IACzB,QAAQ,EAAE,eAAe;IACzB,OAAO,EAAE,cAAc;IACvB,WAAW,EAAE,kBAAkB;IAC/B,OAAO,EAAE,cAAc;CACjB,CAAC;AAIX;;GAEG;AACU,QAAA,YAAY,GAAG;IACxB,KAAK,EAAE,OAAO;IACd,KAAK,EAAE,OAAO;IACd,MAAM,EAAE,QAAQ;CACV,CAAC;AAIX;;;GAGG;AACU,QAAA,mBAAmB,GAAG,GAAY,CAAC;AAEhD;;;;;;;GAOG;AACH,SAAgB,aAAa,CACzB,WAAiD,EACjD,UAAkB;IAElB,IAAI,CAAC,UAAU;QAAE,OAAO,KAAK,CAAC;IAC9B,IAAI,CAAC,WAAW,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAE3D,KAAK,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC;QAC1B,IAAI,CAAC,KAAK,2BAAmB;YAAE,OAAO,IAAI,CAAC;QAC3C,IAAI,CAAC,KAAK,UAAU;YAAE,OAAO,IAAI,CAAC;QAElC,qDAAqD;QACrD,IAAI,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YACnB,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;YAC9B,IAAI,UAAU,KAAK,MAAM;gBAAE,OAAO,IAAI,CAAC;YACvC,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,GAAG,GAAG,CAAC;gBAAE,OAAO,IAAI,CAAC;QACzD,CAAC;IACL,CAAC;IAED,OAAO,KAAK,CAAC;AACjB,CAAC;AAED;;;;GAIG;AACU,QAAA,wBAAwB,GAA0C;IAC3E,KAAK,EAAE,CAAC,2BAAmB,CAAC;IAC5B,KAAK,EAAE;QACH,aAAa;QACb,cAAc;QACd,cAAc;QACd,eAAe;QACf,cAAc;QACd,eAAe;KAClB;IACD,MAAM,EAAE,CAAC,aAAa,EAAE,cAAc,CAAC;CACjC,CAAC;AAEX;;;;;;GAMG;AACH,SAAgB,mBAAmB,CAC/B,WAA2E;IAE3E,IAAI,CAAC,WAAW,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAE1D,MAAM,MAAM,GAAG,WAAW;SACrB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,oBAAY,CAAC,KAAK,CAAC;SAC5C,KAAK,EAAE;SACP,IAAI,CACD,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CACL,CAAC,CAAC,CAAC,SAAS,IAAI,MAAM,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,IAAI,MAAM,CAAC,gBAAgB,CAAC,CAC1F,CAAC;IAEN,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,MAAM,CAAC,CAAC,CAAE,CAAC,QAAQ,CAAC;IAElD,MAAM,MAAM,GAAG,WAAW;SACrB,KAAK,EAAE;SACP,IAAI,CACD,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CACL,CAAC,CAAC,CAAC,SAAS,IAAI,MAAM,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,IAAI,MAAM,CAAC,gBAAgB,CAAC,CAC1F,CAAC;IAEN,OAAO,MAAM,CAAC,CAAC,CAAE,CAAC,QAAQ,IAAI,IAAI,CAAC;AACvC,CAAC;AAED;;;;;;;;;GASG;AACH,SAAgB,qBAAqB,CACjC,KAAa,EACb,IAAmD;IAEnD,MAAM,aAAa,GAAG,IAAI,EAAE,aAAa,CAAC;IAC1C,MAAM,MAAM,GAAG,IAAI,EAAE,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC;IAErE,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,CAAC,IAAI,CAAC,GAAG,wBAAgB,IAAI,kBAAkB,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAC/D,KAAK,CAAC,IAAI,CAAC,QAAQ,wBAAgB,EAAE,CAAC,CAAC;IACvC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACvB,KAAK,CAAC,IAAI,CAAC,YAAY,4BAAoB,EAAE,CAAC,CAAC;IAE/C,IAAI,MAAM;QAAE,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACjC,IAAI,OAAO,aAAa,KAAK,QAAQ;QACjC,KAAK,CAAC,IAAI,CAAC,WAAW,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,EAAE,CAAC,CAAC;IAEpE,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC5B,CAAC;AAED;;GAEG;AACH,SAAgB,uBAAuB,CAAC,IAA2B;IAC/D,+DAA+D;IAC/D,MAAM,MAAM,GAAG,IAAI,EAAE,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC;IACrE,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,CAAC,IAAI,CAAC,GAAG,wBAAgB,GAAG,CAAC,CAAC;IACnC,KAAK,CAAC,IAAI,CAAC,QAAQ,wBAAgB,EAAE,CAAC,CAAC;IACvC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACvB,KAAK,CAAC,IAAI,CAAC,YAAY,4BAAoB,EAAE,CAAC,CAAC;IAC/C,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IACxB,KAAK,CAAC,IAAI,CAAC,uCAAuC,CAAC,CAAC;IACpD,IAAI,MAAM;QAAE,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACjC,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC5B,CAAC;AAED;;GAEG;AACH,SAAgB,YAAY,CAAC,YAAuC;IAChE,MAAM,GAAG,GAA2B,EAAE,CAAC;IACvC,IAAI,CAAC,YAAY;QAAE,OAAO,GAAG,CAAC;IAE9B,MAAM,KAAK,GAAG,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACtC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACvB,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAC9B,IAAI,GAAG,KAAK,CAAC,CAAC;YAAE,SAAS;QACzB,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;QACvC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACzC,IAAI,CAAC,IAAI;YAAE,SAAS;QACpB,GAAG,CAAC,IAAI,CAAC,GAAG,sBAAsB,CAAC,KAAK,CAAC,CAAC;IAC9C,CAAC;IACD,OAAO,GAAG,CAAC;AACf,CAAC;AAED,SAAS,sBAAsB,CAAC,KAAa;IACzC,IAAI,CAAC;QACD,OAAO,kBAAkB,CAAC,KAAK,CAAC,CAAC;IACrC,CAAC;IAAC,MAAM,CAAC;QACL,OAAO,KAAK,CAAC;IACjB,CAAC;AACL,CAAC"}

package/dist/auth/system/cookies.d.ts

@@ -0,0 +1,83 @@
+/**
+ * Cookie parsing + serialization helpers for Bun/Fetch Request/Response usage.
+ *
+ * Notes:
+ * - We keep this dependency-free and intentionally conservative.
+ * - Parsing is tolerant (best-effort) and does not throw on malformed segments.
+ * - Serialization supports common attributes with sane defaults.
+ *
+ * Intended usage:
+ *   const cookies = parseCookieHeader(req.headers.get("cookie"));
+ *   const token = cookies["archlast_session"];
+ *
+ *   const setCookie = serializeSetCookie("archlast_session", token, {
+ *     httpOnly: true,
+ *     secure: !isDev,
+ *     sameSite: "lax",
+ *     path: "/",
+ *     maxAge: 60 * 60 * 24 * 30,
+ *   });
+ *   return new Response("ok", { headers: { "set-cookie": setCookie }});
+ */
+export type CookieMap = Record<string, string>;
+export type SameSite = "strict" | "lax" | "none";
+export type CookieSerializeOptions = {
+    /**
+     * Cookie Path attribute. Default: "/"
+     */
+    path?: string;
+    /**
+     * Cookie Domain attribute.
+     */
+    domain?: string;
+    /**
+     * Cookie Expires attribute (absolute date).
+     * If provided, serialized as UTC string.
+     */
+    expires?: Date;
+    /**
+     * Cookie Max-Age attribute in seconds.
+     * Prefer Max-Age over Expires when possible.
+     */
+    maxAge?: number;
+    /**
+     * HttpOnly attribute.
+     */
+    httpOnly?: boolean;
+    /**
+     * Secure attribute.
+     */
+    secure?: boolean;
+    /**
+     * SameSite attribute.
+     */
+    sameSite?: SameSite;
+    /**
+     * Partitioned attribute (CHIPS). Optional; supported by modern browsers.
+     */
+    partitioned?: boolean;
+};
+/**
+ * Parse a Cookie header value into a key/value map.
+ *
+ * This is designed for incoming requests: `req.headers.get("cookie")`.
+ */
+export declare function parseCookieHeader(headerValue: string | null | undefined): CookieMap;
+/**
+ * Convenience: get a single cookie value by name from a Request.
+ */
+export declare function getCookie(req: Request, name: string): string | null;
+/**
+ * Serialize a Set-Cookie header value.
+ *
+ * Important:
+ * - This returns a *single* Set-Cookie header string. If you need multiple cookies,
+ *   set multiple Set-Cookie headers on Response (platform support varies) or
+ *   concatenate only if your framework supports it. Bun supports multiple via Headers.append().
+ */
+export declare function serializeSetCookie(name: string, value: string, options?: CookieSerializeOptions): string;
+/**
+ * Generate a Set-Cookie string that deletes the cookie.
+ */
+export declare function serializeDeleteCookie(name: string, options?: Omit<CookieSerializeOptions, "expires" | "maxAge">): string;
+//# sourceMappingURL=cookies.d.ts.map

package/dist/auth/system/cookies.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cookies.d.ts","sourceRoot":"","sources":["../../../src/auth/system/cookies.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,MAAM,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AAE/C,MAAM,MAAM,QAAQ,GAAG,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;AAEjD,MAAM,MAAM,sBAAsB,GAAG;IACjC;;OAEG;IACH,IAAI,CAAC,EAAE,MAAM,CAAC;IAEd;;OAEG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB;;;OAGG;IACH,OAAO,CAAC,EAAE,IAAI,CAAC;IAEf;;;OAGG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB;;OAEG;IACH,QAAQ,CAAC,EAAE,OAAO,CAAC;IAEnB;;OAEG;IACH,MAAM,CAAC,EAAE,OAAO,CAAC;IAEjB;;OAEG;IACH,QAAQ,CAAC,EAAE,QAAQ,CAAC;IAEpB;;OAEG;IACH,WAAW,CAAC,EAAE,OAAO,CAAC;CACzB,CAAC;AAEF;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,WAAW,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,SAAS,CA2BnF;AAED;;GAEG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAGnE;AAED;;;;;;;GAOG;AACH,wBAAgB,kBAAkB,CAC9B,IAAI,EAAE,MAAM,EACZ,KAAK,EAAE,MAAM,EACb,OAAO,GAAE,sBAA2B,GACrC,MAAM,CAoCR;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CACjC,IAAI,EAAE,MAAM,EACZ,OAAO,GAAE,IAAI,CAAC,sBAAsB,EAAE,SAAS,GAAG,QAAQ,CAAM,GACjE,MAAM,CAOR"}

package/dist/auth/system/cookies.js

@@ -0,0 +1,148 @@
+"use strict";
+/**
+ * Cookie parsing + serialization helpers for Bun/Fetch Request/Response usage.
+ *
+ * Notes:
+ * - We keep this dependency-free and intentionally conservative.
+ * - Parsing is tolerant (best-effort) and does not throw on malformed segments.
+ * - Serialization supports common attributes with sane defaults.
+ *
+ * Intended usage:
+ *   const cookies = parseCookieHeader(req.headers.get("cookie"));
+ *   const token = cookies["archlast_session"];
+ *
+ *   const setCookie = serializeSetCookie("archlast_session", token, {
+ *     httpOnly: true,
+ *     secure: !isDev,
+ *     sameSite: "lax",
+ *     path: "/",
+ *     maxAge: 60 * 60 * 24 * 30,
+ *   });
+ *   return new Response("ok", { headers: { "set-cookie": setCookie }});
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseCookieHeader = parseCookieHeader;
+exports.getCookie = getCookie;
+exports.serializeSetCookie = serializeSetCookie;
+exports.serializeDeleteCookie = serializeDeleteCookie;
+/**
+ * Parse a Cookie header value into a key/value map.
+ *
+ * This is designed for incoming requests: `req.headers.get("cookie")`.
+ */
+function parseCookieHeader(headerValue) {
+    const out = {};
+    if (!headerValue)
+        return out;
+    // RFC6265: cookies separated by ';' with optional whitespace
+    const parts = headerValue.split(";");
+    for (const rawPart of parts) {
+        const part = rawPart.trim();
+        if (!part)
+            continue;
+        const eq = part.indexOf("=");
+        if (eq === -1) {
+            // Invalid cookie segment; ignore
+            continue;
+        }
+        const name = part.slice(0, eq).trim();
+        if (!name)
+            continue;
+        const value = part.slice(eq + 1).trim();
+        // Cookie values are typically URI encoded by clients, but not guaranteed.
+        // We'll attempt decoding; if it fails, keep the raw value.
+        out[name] = safeDecodeURIComponent(value);
+    }
+    return out;
+}
+/**
+ * Convenience: get a single cookie value by name from a Request.
+ */
+function getCookie(req, name) {
+    const cookies = parseCookieHeader(req.headers.get("cookie"));
+    return cookies[name] ?? null;
+}
+/**
+ * Serialize a Set-Cookie header value.
+ *
+ * Important:
+ * - This returns a *single* Set-Cookie header string. If you need multiple cookies,
+ *   set multiple Set-Cookie headers on Response (platform support varies) or
+ *   concatenate only if your framework supports it. Bun supports multiple via Headers.append().
+ */
+function serializeSetCookie(name, value, options = {}) {
+    const encName = sanitizeCookieName(name);
+    const encValue = encodeCookieValue(value);
+    const parts = [];
+    parts.push(`${encName}=${encValue}`);
+    // Defaults
+    const path = options.path ?? "/";
+    if (path)
+        parts.push(`Path=${path}`);
+    if (options.domain)
+        parts.push(`Domain=${options.domain}`);
+    if (typeof options.maxAge === "number" && Number.isFinite(options.maxAge)) {
+        const maxAge = Math.trunc(options.maxAge);
+        // Negative max-age means delete immediately
+        parts.push(`Max-Age=${maxAge}`);
+    }
+    if (options.expires instanceof Date && !Number.isNaN(options.expires.getTime())) {
+        parts.push(`Expires=${options.expires.toUTCString()}`);
+    }
+    if (options.httpOnly)
+        parts.push("HttpOnly");
+    if (options.secure)
+        parts.push("Secure");
+    if (options.sameSite) {
+        parts.push(`SameSite=${formatSameSite(options.sameSite)}`);
+    }
+    if (options.partitioned) {
+        // Must be Secure when Partitioned is set per spec expectations; we don't enforce here.
+        parts.push("Partitioned");
+    }
+    return parts.join("; ");
+}
+/**
+ * Generate a Set-Cookie string that deletes the cookie.
+ */
+function serializeDeleteCookie(name, options = {}) {
+    // Per RFC: deletion is commonly Max-Age=0 + Expires in the past.
+    return serializeSetCookie(name, "", {
+        ...options,
+        expires: new Date(0),
+        maxAge: 0,
+    });
+}
+/* --------------------------------- Internals -------------------------------- */
+function safeDecodeURIComponent(value) {
+    // Cookies often use percent encoding, but not always. If decoding fails, return raw.
+    try {
+        return decodeURIComponent(value);
+    }
+    catch {
+        return value;
+    }
+}
+function encodeCookieValue(value) {
+    // We encode to prevent illegal characters (esp. semicolons/commas/whitespace).
+    // This is conservative and broadly compatible.
+    return encodeURIComponent(value);
+}
+function sanitizeCookieName(name) {
+    // Cookie name must be a token; we strip/replace any invalid characters.
+    // We keep it conservative to avoid header injection.
+    // Allowed token per RFC2616-ish: ASCII excluding CTLs and separators.
+    const cleaned = name.replace(/[^\w!#$%&'*+\-.^`|~]/g, "_");
+    return cleaned.length > 0 ? cleaned : "cookie";
+}
+function formatSameSite(value) {
+    switch (value) {
+        case "strict":
+            return "Strict";
+        case "lax":
+            return "Lax";
+        case "none":
+            return "None";
+    }
+}
+//# sourceMappingURL=cookies.js.map

package/dist/auth/system/cookies.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cookies.js","sourceRoot":"","sources":["../../../src/auth/system/cookies.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;;AAuDH,8CA2BC;AAKD,8BAGC;AAUD,gDAwCC;AAKD,sDAUC;AAzGD;;;;GAIG;AACH,SAAgB,iBAAiB,CAAC,WAAsC;IACpE,MAAM,GAAG,GAAc,EAAE,CAAC;IAC1B,IAAI,CAAC,WAAW;QAAE,OAAO,GAAG,CAAC;IAE7B,6DAA6D;IAC7D,MAAM,KAAK,GAAG,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACrC,KAAK,MAAM,OAAO,IAAI,KAAK,EAAE,CAAC;QAC1B,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,CAAC,IAAI;YAAE,SAAS;QAEpB,MAAM,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAC7B,IAAI,EAAE,KAAK,CAAC,CAAC,EAAE,CAAC;YACZ,iCAAiC;YACjC,SAAS;QACb,CAAC;QAED,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QACtC,IAAI,CAAC,IAAI;YAAE,SAAS;QAEpB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAExC,0EAA0E;QAC1E,2DAA2D;QAC3D,GAAG,CAAC,IAAI,CAAC,GAAG,sBAAsB,CAAC,KAAK,CAAC,CAAC;IAC9C,CAAC;IAED,OAAO,GAAG,CAAC;AACf,CAAC;AAED;;GAEG;AACH,SAAgB,SAAS,CAAC,GAAY,EAAE,IAAY;IAChD,MAAM,OAAO,GAAG,iBAAiB,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC7D,OAAO,OAAO,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC;AACjC,CAAC;AAED;;;;;;;GAOG;AACH,SAAgB,kBAAkB,CAC9B,IAAY,EACZ,KAAa,EACb,UAAkC,EAAE;IAEpC,MAAM,OAAO,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC;IACzC,MAAM,QAAQ,GAAG,iBAAiB,CAAC,KAAK,CAAC,CAAC;IAE1C,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,CAAC,IAAI,CAAC,GAAG,OAAO,IAAI,QAAQ,EAAE,CAAC,CAAC;IAErC,WAAW;IACX,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,GAAG,CAAC;IACjC,IAAI,IAAI;QAAE,KAAK,CAAC,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC;IAErC,IAAI,OAAO,CAAC,MAAM;QAAE,KAAK,CAAC,IAAI,CAAC,UAAU,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAE3D,IAAI,OAAO,OAAO,CAAC,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QACxE,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAC1C,4CAA4C;QAC5C,KAAK,CAAC,IAAI,CAAC,WAAW,MAAM,EAAE,CAAC,CAAC;IACpC,CAAC;IAED,IAAI,OAAO,CAAC,OAAO,YAAY,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;QAC9E,KAAK,CAAC,IAAI,CAAC,WAAW,OAAO,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;IAC3D,CAAC;IAED,IAAI,OAAO,CAAC,QAAQ;QAAE,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC7C,IAAI,OAAO,CAAC,MAAM;QAAE,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAEzC,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;QACnB,KAAK,CAAC,IAAI,CAAC,YAAY,cAAc,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;IAC/D,CAAC;IAED,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;QACtB,uFAAuF;QACvF,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAC9B,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC5B,CAAC;AAED;;GAEG;AACH,SAAgB,qBAAqB,CACjC,IAAY,EACZ,UAA8D,EAAE;IAEhE,iEAAiE;IACjE,OAAO,kBAAkB,CAAC,IAAI,EAAE,EAAE,EAAE;QAChC,GAAG,OAAO;QACV,OAAO,EAAE,IAAI,IAAI,CAAC,CAAC,CAAC;QACpB,MAAM,EAAE,CAAC;KACZ,CAAC,CAAC;AACP,CAAC;AAED,kFAAkF;AAElF,SAAS,sBAAsB,CAAC,KAAa;IACzC,qFAAqF;IACrF,IAAI,CAAC;QACD,OAAO,kBAAkB,CAAC,KAAK,CAAC,CAAC;IACrC,CAAC;IAAC,MAAM,CAAC;QACL,OAAO,KAAK,CAAC;IACjB,CAAC;AACL,CAAC;AAED,SAAS,iBAAiB,CAAC,KAAa;IACpC,+EAA+E;IAC/E,+CAA+C;IAC/C,OAAO,kBAAkB,CAAC,KAAK,CAAC,CAAC;AACrC,CAAC;AAED,SAAS,kBAAkB,CAAC,IAAY;IACpC,wEAAwE;IACxE,qDAAqD;IACrD,sEAAsE;IACtE,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,uBAAuB,EAAE,GAAG,CAAC,CAAC;IAC3D,OAAO,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC;AACnD,CAAC;AAED,SAAS,cAAc,CAAC,KAAe;IACnC,QAAQ,KAAK,EAAE,CAAC;QACZ,KAAK,QAAQ;YACT,OAAO,QAAQ,CAAC;QACpB,KAAK,KAAK;YACN,OAAO,KAAK,CAAC;QACjB,KAAK,MAAM;YACP,OAAO,MAAM,CAAC;IACtB,CAAC;AACL,CAAC"}

package/dist/auth/system/crypto.d.ts

@@ -0,0 +1,53 @@
+/**
+ * Generate a raw session token suitable for cookie storage.
+ * - URL-safe base64 avoids quoting/escaping issues in cookies/headers.
+ */
+export declare function generateSessionToken(bytes?: number): string;
+/**
+ * Hash a raw session token for DB storage and lookup.
+ * The hash uses a server-side pepper (recommended in prod).
+ *
+ * Storage recommendation:
+ * - store tokenHash (hex string)
+ * - never store raw token
+ */
+export declare function hashSessionToken(token: string): string;
+/**
+ * Constant-time compare for hashes (hex).
+ */
+export declare function safeEqualHex(a: string, b: string): boolean;
+/**
+ * Build a secure Set-Cookie string for the Archlast session token.
+ * (Used by HTTP auth endpoints.)
+ */
+export declare function buildSessionCookie(options: {
+    name: string;
+    token: string;
+    maxAgeSeconds: number;
+    secure?: boolean;
+    sameSite?: "Lax" | "Strict" | "None";
+    path?: string;
+    domain?: string;
+}): string;
+export declare function buildClearCookie(options: {
+    name: string;
+    secure?: boolean;
+    sameSite?: "Lax" | "Strict" | "None";
+    path?: string;
+    domain?: string;
+}): string;
+type PasswordHasher = {
+    kind: "pbkdf2";
+    hash: (password: string) => Promise<string>;
+    verify: (password: string, hash: string) => Promise<boolean>;
+};
+/**
+ * Returns a PBKDF2 password hasher implementation.
+ *
+ * Format: "pbkdf2$sha256$iterations$salt_b64url$dk_b64url"
+ */
+export declare function getPasswordHasher(): Promise<PasswordHasher>;
+export declare function hashPassword(password: string): Promise<string>;
+export declare function verifyPassword(password: string, storedHash: string): Promise<boolean>;
+export {};
+//# sourceMappingURL=crypto.d.ts.map

package/dist/auth/system/crypto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../../../src/auth/system/crypto.ts"],"names":[],"mappings":"AA4BA;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,KAAK,GAAE,MAA4B,GAAG,MAAM,CAEhF;AAED;;;;;;;GAOG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAWtD;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO,CAY1D;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE;IACxC,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,aAAa,EAAE,MAAM,CAAC;IACtB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,QAAQ,CAAC,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;IACrC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;CACnB,GAAG,MAAM,CAcT;AAED,wBAAgB,gBAAgB,CAAC,OAAO,EAAE;IACtC,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,QAAQ,CAAC,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;IACrC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;CACnB,GAAG,MAAM,CAUT;AAMD,KAAK,cAAc,GAAG;IAClB,IAAI,EAAE,QAAQ,CAAC;IACf,IAAI,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAC5C,MAAM,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;CAChE,CAAC;AAIF;;;;GAIG;AACH,wBAAsB,iBAAiB,IAAI,OAAO,CAAC,cAAc,CAAC,CA4DjE;AAED,wBAAsB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAGpE;AAED,wBAAsB,cAAc,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAG3F"}