@archlast/server 0.0.1

package/dist/auth/system/crypto.js

@@ -0,0 +1,188 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateSessionToken = generateSessionToken;
+exports.hashSessionToken = hashSessionToken;
+exports.safeEqualHex = safeEqualHex;
+exports.buildSessionCookie = buildSessionCookie;
+exports.buildClearCookie = buildClearCookie;
+exports.getPasswordHasher = getPasswordHasher;
+exports.hashPassword = hashPassword;
+exports.verifyPassword = verifyPassword;
+const crypto_1 = require("crypto");
+/**
+ * Archlast Auth Crypto Helpers
+ *
+ * Goals:
+ * - Secure session token generation
+ * - Server-side token hashing (no plaintext in DB)
+ * - Password hashing support (PBKDF2-only for now)
+ *
+ * Notes:
+ * - In production you SHOULD set ARCHLAST_AUTH_TOKEN_PEPPER to a long random secret.
+ * - Pepper is never stored in DB; it's an additional secret mixed into token hashing.
+ * - Password hashing:
+ *   - Uses PBKDF2 (ships with Bun/Node crypto) to avoid optional native deps.
+ */
+const DEFAULT_TOKEN_BYTES = 48; // 384 bits
+const DEFAULT_PBKDF2_ITERATIONS = 210_000;
+const DEFAULT_PBKDF2_DIGEST = "sha256";
+const DEFAULT_PBKDF2_KEYLEN = 32;
+function getPepper() {
+    // Pepper may be empty in dev, but production should set this.
+    return process.env.ARCHLAST_AUTH_TOKEN_PEPPER ?? "";
+}
+/**
+ * Generate a raw session token suitable for cookie storage.
+ * - URL-safe base64 avoids quoting/escaping issues in cookies/headers.
+ */
+function generateSessionToken(bytes = DEFAULT_TOKEN_BYTES) {
+    return (0, crypto_1.randomBytes)(bytes).toString("base64url");
+}
+/**
+ * Hash a raw session token for DB storage and lookup.
+ * The hash uses a server-side pepper (recommended in prod).
+ *
+ * Storage recommendation:
+ * - store tokenHash (hex string)
+ * - never store raw token
+ */
+function hashSessionToken(token) {
+    if (typeof token !== "string" || token.length === 0) {
+        throw new Error("Token must be a non-empty string");
+    }
+    const pepper = getPepper();
+    // Use WebCrypto SHA-256 to avoid Node's createHash import.
+    // Represent as hex for storage and lookup.
+    // NOTE: Bun supports crypto.subtle in runtime.
+    // Since this function is sync in callers, we keep hashing sync by using a small helper below.
+    return sha256Hex(`${token}.${pepper}`);
+}
+/**
+ * Constant-time compare for hashes (hex).
+ */
+function safeEqualHex(a, b) {
+    if (typeof a !== "string" || typeof b !== "string")
+        return false;
+    if (a.length !== b.length)
+        return false;
+    try {
+        const ab = Buffer.from(a, "hex");
+        const bb = Buffer.from(b, "hex");
+        if (ab.length !== bb.length)
+            return false;
+        return (0, crypto_1.timingSafeEqual)(ab, bb);
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Build a secure Set-Cookie string for the Archlast session token.
+ * (Used by HTTP auth endpoints.)
+ */
+function buildSessionCookie(options) {
+    const parts = [];
+    parts.push(`${options.name}=${options.token}`);
+    parts.push(`Path=${options.path ?? "/"}`);
+    parts.push(`Max-Age=${Math.max(0, Math.floor(options.maxAgeSeconds))}`);
+    parts.push("HttpOnly");
+    parts.push(`SameSite=${options.sameSite ?? "Lax"}`);
+    if (options.secure ?? process.env.NODE_ENV === "production") {
+        parts.push("Secure");
+    }
+    if (options.domain) {
+        parts.push(`Domain=${options.domain}`);
+    }
+    return parts.join("; ");
+}
+function buildClearCookie(options) {
+    return buildSessionCookie({
+        name: options.name,
+        token: "",
+        maxAgeSeconds: 0,
+        secure: options.secure,
+        sameSite: options.sameSite,
+        path: options.path,
+        domain: options.domain,
+    });
+}
+let cachedHasher = null;
+/**
+ * Returns a PBKDF2 password hasher implementation.
+ *
+ * Format: "pbkdf2$sha256$iterations$salt_b64url$dk_b64url"
+ */
+async function getPasswordHasher() {
+    if (cachedHasher)
+        return cachedHasher;
+    const { pbkdf2 } = await import("crypto");
+    const iterations = Number(process.env.ARCHLAST_AUTH_PBKDF2_ITERATIONS ?? String(DEFAULT_PBKDF2_ITERATIONS));
+    const digest = process.env.ARCHLAST_AUTH_PBKDF2_DIGEST ?? DEFAULT_PBKDF2_DIGEST;
+    const keylen = Number(process.env.ARCHLAST_AUTH_PBKDF2_KEYLEN ?? String(DEFAULT_PBKDF2_KEYLEN));
+    function pbkdf2Async(password, salt, it, dkLen, dig) {
+        return new Promise((resolve, reject) => {
+            pbkdf2(password, salt, it, dkLen, dig, (err, derivedKey) => {
+                if (err)
+                    reject(err);
+                else
+                    resolve(derivedKey);
+            });
+        });
+    }
+    async function hash(password) {
+        if (typeof password !== "string" || password.length < 8) {
+            throw new Error("Password must be at least 8 characters");
+        }
+        const salt = (0, crypto_1.randomBytes)(16);
+        const dk = await pbkdf2Async(password, salt, iterations, keylen, digest);
+        return `pbkdf2$${digest}$${iterations}$${salt.toString("base64url")}$${dk.toString("base64url")}`;
+    }
+    async function verify(password, stored) {
+        if (typeof stored !== "string")
+            return false;
+        const parts = stored.split("$");
+        if (parts.length !== 5)
+            return false;
+        const [kind, storedDigest, storedIterationsStr, saltB64, dkB64] = parts;
+        if (kind !== "pbkdf2")
+            return false;
+        const it = Number(storedIterationsStr);
+        if (!Number.isFinite(it) || it <= 0)
+            return false;
+        const salt = Buffer.from(saltB64, "base64url");
+        const expected = Buffer.from(dkB64, "base64url");
+        const derived = await pbkdf2Async(password, salt, it, expected.length, storedDigest);
+        if (derived.length !== expected.length)
+            return false;
+        return (0, crypto_1.timingSafeEqual)(derived, expected);
+    }
+    cachedHasher = { kind: "pbkdf2", hash, verify };
+    return cachedHasher;
+}
+async function hashPassword(password) {
+    const hasher = await getPasswordHasher();
+    return hasher.hash(password);
+}
+async function verifyPassword(password, storedHash) {
+    const hasher = await getPasswordHasher();
+    return hasher.verify(password, storedHash);
+}
+/* -------------------------------------------------------------------------- */
+/*                                 Internals                                  */
+/* -------------------------------------------------------------------------- */
+function sha256Hex(input) {
+    // Use WebCrypto when available (Bun). Fall back to Node createHash if needed.
+    // Keeping this sync via Node createHash would require importing createHash, but we can do
+    // a lightweight fallback here by using global crypto.subtle only when present.
+    const g = globalThis;
+    if (g.crypto?.subtle) {
+        // WARNING: subtle.digest is async, so we cannot use it here.
+        // Therefore, we keep a synchronous implementation via Node createHash as a nested require-style import.
+    }
+    // Synchronous SHA-256 via crypto.createHash without top-level import.
+    // This avoids pulling other crypto APIs into the module's static import surface.
+    // eslint-disable-next-line @typescript-eslint/no-var-requires
+    const { createHash } = require("crypto");
+    return createHash("sha256").update(input).digest("hex");
+}
+//# sourceMappingURL=crypto.js.map

package/dist/auth/system/crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../../../src/auth/system/crypto.ts"],"names":[],"mappings":";;AAgCA,oDAEC;AAUD,4CAWC;AAKD,oCAYC;AAMD,gDAsBC;AAED,4CAgBC;AAmBD,8CA4DC;AAED,oCAGC;AAED,wCAGC;AA/MD,mCAAsD;AAEtD;;;;;;;;;;;;;GAaG;AAEH,MAAM,mBAAmB,GAAG,EAAE,CAAC,CAAC,WAAW;AAE3C,MAAM,yBAAyB,GAAG,OAAO,CAAC;AAC1C,MAAM,qBAAqB,GAAG,QAAQ,CAAC;AACvC,MAAM,qBAAqB,GAAG,EAAE,CAAC;AAEjC,SAAS,SAAS;IACd,8DAA8D;IAC9D,OAAO,OAAO,CAAC,GAAG,CAAC,0BAA0B,IAAI,EAAE,CAAC;AACxD,CAAC;AAED;;;GAGG;AACH,SAAgB,oBAAoB,CAAC,QAAgB,mBAAmB;IACpE,OAAO,IAAA,oBAAW,EAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AACpD,CAAC;AAED;;;;;;;GAOG;AACH,SAAgB,gBAAgB,CAAC,KAAa;IAC1C,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAClD,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;IACxD,CAAC;IAED,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAC3B,2DAA2D;IAC3D,2CAA2C;IAC3C,+CAA+C;IAC/C,8FAA8F;IAC9F,OAAO,SAAS,CAAC,GAAG,KAAK,IAAI,MAAM,EAAE,CAAC,CAAC;AAC3C,CAAC;AAED;;GAEG;AACH,SAAgB,YAAY,CAAC,CAAS,EAAE,CAAS;IAC7C,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,OAAO,CAAC,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IACjE,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAExC,IAAI,CAAC;QACD,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;QACjC,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;QACjC,IAAI,EAAE,CAAC,MAAM,KAAK,EAAE,CAAC,MAAM;YAAE,OAAO,KAAK,CAAC;QAC1C,OAAO,IAAA,wBAAe,EAAC,EAAE,EAAE,EAAE,CAAC,CAAC;IACnC,CAAC;IAAC,MAAM,CAAC;QACL,OAAO,KAAK,CAAC;IACjB,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,SAAgB,kBAAkB,CAAC,OAQlC;IACG,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC,IAAI,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC;IAC/C,KAAK,CAAC,IAAI,CAAC,QAAQ,OAAO,CAAC,IAAI,IAAI,GAAG,EAAE,CAAC,CAAC;IAC1C,KAAK,CAAC,IAAI,CAAC,WAAW,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,EAAE,CAAC,CAAC;IACxE,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACvB,KAAK,CAAC,IAAI,CAAC,YAAY,OAAO,CAAC,QAAQ,IAAI,KAAK,EAAE,CAAC,CAAC;IACpD,IAAI,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,EAAE,CAAC;QAC1D,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACzB,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;QACjB,KAAK,CAAC,IAAI,CAAC,UAAU,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAC3C,CAAC;IACD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC5B,CAAC;AAED,SAAgB,gBAAgB,CAAC,OAMhC;IACG,OAAO,kBAAkB,CAAC;QACtB,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,KAAK,EAAE,EAAE;QACT,aAAa,EAAE,CAAC;QAChB,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,MAAM,EAAE,OAAO,CAAC,MAAM;KACzB,CAAC,CAAC;AACP,CAAC;AAYD,IAAI,YAAY,GAA0B,IAAI,CAAC;AAE/C;;;;GAIG;AACI,KAAK,UAAU,iBAAiB;IACnC,IAAI,YAAY;QAAE,OAAO,YAAY,CAAC;IAEtC,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,CAAC;IAE1C,MAAM,UAAU,GAAG,MAAM,CACrB,OAAO,CAAC,GAAG,CAAC,+BAA+B,IAAI,MAAM,CAAC,yBAAyB,CAAC,CACnF,CAAC;IACF,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,2BAA2B,IAAI,qBAAqB,CAAC;IAChF,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,2BAA2B,IAAI,MAAM,CAAC,qBAAqB,CAAC,CAAC,CAAC;IAEhG,SAAS,WAAW,CAChB,QAAgB,EAChB,IAAY,EACZ,EAAU,EACV,KAAa,EACb,GAAW;QAEX,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACnC,MAAM,CAAC,QAAQ,EAAE,IAAI,EAAE,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,GAAG,EAAE,UAAU,EAAE,EAAE;gBACvD,IAAI,GAAG;oBAAE,MAAM,CAAC,GAAG,CAAC,CAAC;;oBAChB,OAAO,CAAC,UAAU,CAAC,CAAC;YAC7B,CAAC,CAAC,CAAC;QACP,CAAC,CAAC,CAAC;IACP,CAAC;IAED,KAAK,UAAU,IAAI,CAAC,QAAgB;QAChC,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACtD,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;QAC9D,CAAC;QAED,MAAM,IAAI,GAAG,IAAA,oBAAW,EAAC,EAAE,CAAC,CAAC;QAC7B,MAAM,EAAE,GAAG,MAAM,WAAW,CAAC,QAAQ,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;QAEzE,OAAO,UAAU,MAAM,IAAI,UAAU,IAAI,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;IACtG,CAAC;IAED,KAAK,UAAU,MAAM,CAAC,QAAgB,EAAE,MAAc;QAClD,IAAI,OAAO,MAAM,KAAK,QAAQ;YAAE,OAAO,KAAK,CAAC;QAE7C,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAChC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QAErC,MAAM,CAAC,IAAI,EAAE,YAAY,EAAE,mBAAmB,EAAE,OAAO,EAAE,KAAK,CAAC,GAAG,KAAK,CAAC;QACxE,IAAI,IAAI,KAAK,QAAQ;YAAE,OAAO,KAAK,CAAC;QAEpC,MAAM,EAAE,GAAG,MAAM,CAAC,mBAAmB,CAAC,CAAC;QACvC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC,IAAI,EAAE,IAAI,CAAC;YAAE,OAAO,KAAK,CAAC;QAElD,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;QAC/C,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;QAEjD,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC,QAAQ,EAAE,IAAI,EAAE,EAAE,EAAE,QAAQ,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;QACrF,IAAI,OAAO,CAAC,MAAM,KAAK,QAAQ,CAAC,MAAM;YAAE,OAAO,KAAK,CAAC;QAErD,OAAO,IAAA,wBAAe,EAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC9C,CAAC;IAED,YAAY,GAAG,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;IAChD,OAAO,YAAY,CAAC;AACxB,CAAC;AAEM,KAAK,UAAU,YAAY,CAAC,QAAgB;IAC/C,MAAM,MAAM,GAAG,MAAM,iBAAiB,EAAE,CAAC;IACzC,OAAO,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;AACjC,CAAC;AAEM,KAAK,UAAU,cAAc,CAAC,QAAgB,EAAE,UAAkB;IACrE,MAAM,MAAM,GAAG,MAAM,iBAAiB,EAAE,CAAC;IACzC,OAAO,MAAM,CAAC,MAAM,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;AAC/C,CAAC;AAED,gFAAgF;AAChF,gFAAgF;AAChF,gFAAgF;AAEhF,SAAS,SAAS,CAAC,KAAa;IAC5B,8EAA8E;IAC9E,0FAA0F;IAC1F,+EAA+E;IAC/E,MAAM,CAAC,GAAQ,UAAiB,CAAC;IACjC,IAAI,CAAC,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC;QACnB,6DAA6D;QAC7D,wGAAwG;IAC5G,CAAC;IAED,sEAAsE;IACtE,iFAAiF;IACjF,8DAA8D;IAC9D,MAAM,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC,QAAQ,CAAyC,CAAC;IACjF,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC5D,CAAC"}

package/dist/auth/system/extended-schema.d.ts

@@ -0,0 +1,145 @@
+export declare const adminApiKeysTable: import("../../schema/definition").TableDefinition<{
+    _id: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+    tenantId: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+    name: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+    description: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+    keyHash: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+    keyPrefix: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+    permissions: import("../../schema/validators").FieldSchema<import("zod").ZodArray<import("zod").ZodString>>;
+    scopes: import("../../schema/validators").FieldSchema<import("zod").ZodArray<import("zod").ZodString>>;
+    createdAt: import("../../schema/validators").FieldSchema<import("zod").ZodNumber>;
+    createdBy: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+    lastUsedAt: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodNumber>>;
+    expiresAt: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodNumber>>;
+    revokedAt: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodNumber>>;
+    revokedBy: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+    revokedReason: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+}>;
+export declare const auditLogsTable: import("../../schema/definition").TableDefinition<{
+    _id: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+    tenantId: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+    userId: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+    apiKeyId: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+    actorType: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+    action: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+    resourceType: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+    resourceId: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+    status: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+    errorMessage: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+    errorCode: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+    ipAddress: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+    userAgent: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+    timestamp: import("../../schema/validators").FieldSchema<import("zod").ZodNumber>;
+}>;
+export declare const securityEventsTable: import("../../schema/definition").TableDefinition<{
+    _id: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+    tenantId: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+    eventType: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+    severity: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+    userId: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+    email: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+    ipAddress: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+    userAgent: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+    description: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+    resolved: import("../../schema/validators").FieldSchema<import("zod").ZodDefault<import("zod").ZodBoolean>>;
+    resolvedAt: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodNumber>>;
+    resolvedBy: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+    resolution: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+    timestamp: import("../../schema/validators").FieldSchema<import("zod").ZodNumber>;
+}>;
+export declare const emailVerificationTokensTable: import("../../schema/definition").TableDefinition<{
+    _id: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+    userId: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+    tenantId: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+    tokenHash: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+    email: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+    createdAt: import("../../schema/validators").FieldSchema<import("zod").ZodNumber>;
+    expiresAt: import("../../schema/validators").FieldSchema<import("zod").ZodNumber>;
+    consumedAt: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodNumber>>;
+    consumedBy: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+}>;
+export declare const passwordResetTokensTable: import("../../schema/definition").TableDefinition<{
+    _id: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+    userId: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+    tenantId: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+    tokenHash: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+    email: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+    createdAt: import("../../schema/validators").FieldSchema<import("zod").ZodNumber>;
+    expiresAt: import("../../schema/validators").FieldSchema<import("zod").ZodNumber>;
+    consumedAt: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodNumber>>;
+    consumedBy: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+}>;
+export declare const extendedAuthTables: {
+    auth_admin_api_keys: import("../../schema/definition").TableDefinition<{
+        _id: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+        tenantId: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+        name: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+        description: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+        keyHash: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+        keyPrefix: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+        permissions: import("../../schema/validators").FieldSchema<import("zod").ZodArray<import("zod").ZodString>>;
+        scopes: import("../../schema/validators").FieldSchema<import("zod").ZodArray<import("zod").ZodString>>;
+        createdAt: import("../../schema/validators").FieldSchema<import("zod").ZodNumber>;
+        createdBy: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+        lastUsedAt: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodNumber>>;
+        expiresAt: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodNumber>>;
+        revokedAt: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodNumber>>;
+        revokedBy: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+        revokedReason: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+    }>;
+    auth_audit_logs: import("../../schema/definition").TableDefinition<{
+        _id: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+        tenantId: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+        userId: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+        apiKeyId: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+        actorType: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+        action: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+        resourceType: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+        resourceId: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+        status: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+        errorMessage: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+        errorCode: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+        ipAddress: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+        userAgent: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+        timestamp: import("../../schema/validators").FieldSchema<import("zod").ZodNumber>;
+    }>;
+    auth_security_events: import("../../schema/definition").TableDefinition<{
+        _id: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+        tenantId: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+        eventType: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+        severity: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+        userId: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+        email: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+        ipAddress: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+        userAgent: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+        description: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+        resolved: import("../../schema/validators").FieldSchema<import("zod").ZodDefault<import("zod").ZodBoolean>>;
+        resolvedAt: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodNumber>>;
+        resolvedBy: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+        resolution: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+        timestamp: import("../../schema/validators").FieldSchema<import("zod").ZodNumber>;
+    }>;
+    auth_email_verification_tokens: import("../../schema/definition").TableDefinition<{
+        _id: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+        userId: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+        tenantId: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+        tokenHash: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+        email: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+        createdAt: import("../../schema/validators").FieldSchema<import("zod").ZodNumber>;
+        expiresAt: import("../../schema/validators").FieldSchema<import("zod").ZodNumber>;
+        consumedAt: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodNumber>>;
+        consumedBy: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+    }>;
+    auth_password_reset_tokens: import("../../schema/definition").TableDefinition<{
+        _id: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+        userId: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+        tenantId: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+        tokenHash: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+        email: import("../../schema/validators").FieldSchema<import("zod").ZodString>;
+        createdAt: import("../../schema/validators").FieldSchema<import("zod").ZodNumber>;
+        expiresAt: import("../../schema/validators").FieldSchema<import("zod").ZodNumber>;
+        consumedAt: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodNumber>>;
+        consumedBy: import("../../schema/validators").FieldSchema<import("zod").ZodOptional<import("zod").ZodString>>;
+    }>;
+};
+//# sourceMappingURL=extended-schema.d.ts.map

package/dist/auth/system/extended-schema.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"extended-schema.d.ts","sourceRoot":"","sources":["../../../src/auth/system/extended-schema.ts"],"names":[],"mappings":"AAKA,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;;EAgB5B,CAAC;AAEH,eAAO,MAAM,cAAc;;;;;;;;;;;;;;;EAezB,CAAC;AAEH,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;EAe9B,CAAC;AAEH,eAAO,MAAM,4BAA4B;;;;;;;;;;EAUvC,CAAC;AAEH,eAAO,MAAM,wBAAwB;;;;;;;;;;EAUnC,CAAC;AAEH,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAM9B,CAAC"}

package/dist/auth/system/extended-schema.js

@@ -0,0 +1,86 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.extendedAuthTables = exports.passwordResetTokensTable = exports.emailVerificationTokensTable = exports.securityEventsTable = exports.auditLogsTable = exports.adminApiKeysTable = void 0;
+/**
+ * Extended Auth System Schemas - Simplified stub
+ */
+const definition_1 = require("../../schema/definition");
+exports.adminApiKeysTable = (0, definition_1.defineTable)({
+    _id: definition_1.v.id().primaryKey(),
+    tenantId: definition_1.v.id().index(),
+    name: definition_1.v.string(),
+    description: definition_1.v.string().optional(),
+    keyHash: definition_1.v.string().unique().index(),
+    keyPrefix: definition_1.v.string().index(),
+    permissions: definition_1.v.array(definition_1.v.string()),
+    scopes: definition_1.v.array(definition_1.v.string()),
+    createdAt: definition_1.v.number(),
+    createdBy: definition_1.v.id().optional(),
+    lastUsedAt: definition_1.v.number().optional(),
+    expiresAt: definition_1.v.number().optional(),
+    revokedAt: definition_1.v.number().optional(),
+    revokedBy: definition_1.v.id().optional(),
+    revokedReason: definition_1.v.string().optional(),
+});
+exports.auditLogsTable = (0, definition_1.defineTable)({
+    _id: definition_1.v.id().primaryKey(),
+    tenantId: definition_1.v.id().index(),
+    userId: definition_1.v.id().optional().index(),
+    apiKeyId: definition_1.v.id().optional().index(),
+    actorType: definition_1.v.string(),
+    action: definition_1.v.string().index(),
+    resourceType: definition_1.v.string().index(),
+    resourceId: definition_1.v.string().index(),
+    status: definition_1.v.string(),
+    errorMessage: definition_1.v.string().optional(),
+    errorCode: definition_1.v.string().optional(),
+    ipAddress: definition_1.v.string().optional(),
+    userAgent: definition_1.v.string().optional(),
+    timestamp: definition_1.v.number().index(),
+});
+exports.securityEventsTable = (0, definition_1.defineTable)({
+    _id: definition_1.v.id().primaryKey(),
+    tenantId: definition_1.v.id().index().optional(),
+    eventType: definition_1.v.string().index(),
+    severity: definition_1.v.string().index(),
+    userId: definition_1.v.id().optional().index(),
+    email: definition_1.v.string().optional().index(),
+    ipAddress: definition_1.v.string().index(),
+    userAgent: definition_1.v.string().optional(),
+    description: definition_1.v.string(),
+    resolved: definition_1.v.boolean().default(false),
+    resolvedAt: definition_1.v.number().optional(),
+    resolvedBy: definition_1.v.id().optional(),
+    resolution: definition_1.v.string().optional(),
+    timestamp: definition_1.v.number().index(),
+});
+exports.emailVerificationTokensTable = (0, definition_1.defineTable)({
+    _id: definition_1.v.id().primaryKey(),
+    userId: definition_1.v.id().index(),
+    tenantId: definition_1.v.id().index(),
+    tokenHash: definition_1.v.string().unique().index(),
+    email: definition_1.v.string().index(),
+    createdAt: definition_1.v.number(),
+    expiresAt: definition_1.v.number().index(),
+    consumedAt: definition_1.v.number().optional(),
+    consumedBy: definition_1.v.string().optional(),
+});
+exports.passwordResetTokensTable = (0, definition_1.defineTable)({
+    _id: definition_1.v.id().primaryKey(),
+    userId: definition_1.v.id().index(),
+    tenantId: definition_1.v.id().index(),
+    tokenHash: definition_1.v.string().unique().index(),
+    email: definition_1.v.string().index(),
+    createdAt: definition_1.v.number(),
+    expiresAt: definition_1.v.number().index(),
+    consumedAt: definition_1.v.number().optional(),
+    consumedBy: definition_1.v.string().optional(),
+});
+exports.extendedAuthTables = {
+    auth_admin_api_keys: exports.adminApiKeysTable,
+    auth_audit_logs: exports.auditLogsTable,
+    auth_security_events: exports.securityEventsTable,
+    auth_email_verification_tokens: exports.emailVerificationTokensTable,
+    auth_password_reset_tokens: exports.passwordResetTokensTable,
+};
+//# sourceMappingURL=extended-schema.js.map

package/dist/auth/system/extended-schema.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"extended-schema.js","sourceRoot":"","sources":["../../../src/auth/system/extended-schema.ts"],"names":[],"mappings":";;;AAAA;;GAEG;AACH,wDAAyD;AAE5C,QAAA,iBAAiB,GAAG,IAAA,wBAAW,EAAC;IACzC,GAAG,EAAE,cAAC,CAAC,EAAE,EAAE,CAAC,UAAU,EAAE;IACxB,QAAQ,EAAE,cAAC,CAAC,EAAE,EAAE,CAAC,KAAK,EAAE;IACxB,IAAI,EAAE,cAAC,CAAC,MAAM,EAAE;IAChB,WAAW,EAAE,cAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,OAAO,EAAE,cAAC,CAAC,MAAM,EAAE,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE;IACpC,SAAS,EAAE,cAAC,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE;IAC7B,WAAW,EAAE,cAAC,CAAC,KAAK,CAAC,cAAC,CAAC,MAAM,EAAE,CAAC;IAChC,MAAM,EAAE,cAAC,CAAC,KAAK,CAAC,cAAC,CAAC,MAAM,EAAE,CAAC;IAC3B,SAAS,EAAE,cAAC,CAAC,MAAM,EAAE;IACrB,SAAS,EAAE,cAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,EAAE;IAC5B,UAAU,EAAE,cAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACjC,SAAS,EAAE,cAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAChC,SAAS,EAAE,cAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAChC,SAAS,EAAE,cAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,EAAE;IAC5B,aAAa,EAAE,cAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACvC,CAAC,CAAC;AAEU,QAAA,cAAc,GAAG,IAAA,wBAAW,EAAC;IACtC,GAAG,EAAE,cAAC,CAAC,EAAE,EAAE,CAAC,UAAU,EAAE;IACxB,QAAQ,EAAE,cAAC,CAAC,EAAE,EAAE,CAAC,KAAK,EAAE;IACxB,MAAM,EAAE,cAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,EAAE,CAAC,KAAK,EAAE;IACjC,QAAQ,EAAE,cAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,EAAE,CAAC,KAAK,EAAE;IACnC,SAAS,EAAE,cAAC,CAAC,MAAM,EAAE;IACrB,MAAM,EAAE,cAAC,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE;IAC1B,YAAY,EAAE,cAAC,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE;IAChC,UAAU,EAAE,cAAC,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE;IAC9B,MAAM,EAAE,cAAC,CAAC,MAAM,EAAE;IAClB,YAAY,EAAE,cAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACnC,SAAS,EAAE,cAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAChC,SAAS,EAAE,cAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAChC,SAAS,EAAE,cAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAChC,SAAS,EAAE,cAAC,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE;CAChC,CAAC,CAAC;AAEU,QAAA,mBAAmB,GAAG,IAAA,wBAAW,EAAC;IAC3C,GAAG,EAAE,cAAC,CAAC,EAAE,EAAE,CAAC,UAAU,EAAE;IACxB,QAAQ,EAAE,cAAC,CAAC,EAAE,EAAE,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE;IACnC,SAAS,EAAE,cAAC,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE;IAC7B,QAAQ,EAAE,cAAC,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE;IAC5B,MAAM,EAAE,cAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,EAAE,CAAC,KAAK,EAAE;IACjC,KAAK,EAAE,cAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,KAAK,EAAE;IACpC,SAAS,EAAE,cAAC,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE;IAC7B,SAAS,EAAE,cAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAChC,WAAW,EAAE,cAAC,CAAC,MAAM,EAAE;IACvB,QAAQ,EAAE,cAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IACpC,UAAU,EAAE,cAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACjC,UAAU,EAAE,cAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,EAAE;IAC7B,UAAU,EAAE,cAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACjC,SAAS,EAAE,cAAC,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE;CAChC,CAAC,CAAC;AAEU,QAAA,4BAA4B,GAAG,IAAA,wBAAW,EAAC;IACpD,GAAG,EAAE,cAAC,CAAC,EAAE,EAAE,CAAC,UAAU,EAAE;IACxB,MAAM,EAAE,cAAC,CAAC,EAAE,EAAE,CAAC,KAAK,EAAE;IACtB,QAAQ,EAAE,cAAC,CAAC,EAAE,EAAE,CAAC,KAAK,EAAE;IACxB,SAAS,EAAE,cAAC,CAAC,MAAM,EAAE,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE;IACtC,KAAK,EAAE,cAAC,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE;IACzB,SAAS,EAAE,cAAC,CAAC,MAAM,EAAE;IACrB,SAAS,EAAE,cAAC,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE;IAC7B,UAAU,EAAE,cAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACjC,UAAU,EAAE,cAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACpC,CAAC,CAAC;AAEU,QAAA,wBAAwB,GAAG,IAAA,wBAAW,EAAC;IAChD,GAAG,EAAE,cAAC,CAAC,EAAE,EAAE,CAAC,UAAU,EAAE;IACxB,MAAM,EAAE,cAAC,CAAC,EAAE,EAAE,CAAC,KAAK,EAAE;IACtB,QAAQ,EAAE,cAAC,CAAC,EAAE,EAAE,CAAC,KAAK,EAAE;IACxB,SAAS,EAAE,cAAC,CAAC,MAAM,EAAE,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE;IACtC,KAAK,EAAE,cAAC,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE;IACzB,SAAS,EAAE,cAAC,CAAC,MAAM,EAAE;IACrB,SAAS,EAAE,cAAC,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE;IAC7B,UAAU,EAAE,cAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACjC,UAAU,EAAE,cAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACpC,CAAC,CAAC;AAEU,QAAA,kBAAkB,GAAG;IAC9B,mBAAmB,EAAE,yBAAiB;IACtC,eAAe,EAAE,sBAAc;IAC/B,oBAAoB,EAAE,2BAAmB;IACzC,8BAA8B,EAAE,oCAA4B;IAC5D,0BAA0B,EAAE,gCAAwB;CACvD,CAAC"}