@archlast/server 0.0.1

package/dist/functions/built-in/auth-password.js

@@ -0,0 +1,107 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.authResetPassword = exports.authRequestPasswordReset = exports.authChangePassword = void 0;
+/** Built-in Auth Functions: Password Management */
+const definition_1 = require("../definition");
+const zod_1 = require("zod");
+const cuid2_1 = require("@paralleldrive/cuid2");
+const crypto_1 = require("../../auth/system/crypto");
+const audit_1 = require("../../auth/audit");
+// auth.changePassword
+exports.authChangePassword = (0, definition_1.mutation)({
+    args: {
+        currentPassword: zod_1.z.string(),
+        newPassword: zod_1.z.string().min(8).max(100),
+    },
+    handler: async (ctx, args) => {
+        ctx.auth.requireAuthenticated();
+        if (ctx.auth.type !== "session")
+            throw new Error("API keys cannot change passwords");
+        const user = await ctx.db.get("auth_users", ctx.auth.userId);
+        if (!user || !user.passwordHash)
+            throw new Error("User not found");
+        const valid = await (0, crypto_1.verifyPassword)(args.currentPassword, user.passwordHash);
+        if (!valid)
+            throw new Error("Current password is incorrect");
+        const newHash = await (0, crypto_1.hashPassword)(args.newPassword);
+        await ctx.db.update("auth_users", user._id, {
+            passwordHash: newHash,
+            updatedAt: Date.now(),
+        });
+        await (0, audit_1.writeAuditLog)(ctx, {
+            action: audit_1.AuditActions.CHANGE_PASSWORD,
+            resourceType: audit_1.ResourceTypes.USER,
+            resourceId: user._id,
+            status: "success",
+        });
+        return { success: true };
+    },
+    auth: "required",
+});
+// auth.requestPasswordReset
+exports.authRequestPasswordReset = (0, definition_1.mutation)({
+    args: {
+        email: zod_1.z.string().email(),
+    },
+    handler: async (ctx, args) => {
+        const user = await ctx.db.query("auth_users").where({ email: args.email }).findFirst();
+        if (!user)
+            return { success: true }; // Don't reveal if user exists
+        const token = crypto.randomUUID();
+        const tokenHash = (0, crypto_1.hashSessionToken)(token);
+        const now = Date.now();
+        await ctx.db.insert("auth_password_reset_tokens", {
+            _id: (0, cuid2_1.createId)(),
+            userId: user._id,
+            tenantId: ctx.auth.tenantId || "",
+            tokenHash,
+            email: args.email,
+            expiresAt: now + 60 * 60 * 1000, // 1 hour
+            createdAt: now,
+        });
+        // TODO: Send email with reset link
+        // NOTE: In production, do NOT return the token in the response.
+        return { success: true, token };
+    },
+    auth: "public",
+});
+// auth.resetPassword
+exports.authResetPassword = (0, definition_1.mutation)({
+    args: {
+        token: zod_1.z.string(),
+        newPassword: zod_1.z.string().min(8).max(100),
+    },
+    handler: async (ctx, args) => {
+        const tokenHash = (0, crypto_1.hashSessionToken)(args.token);
+        const resetToken = await ctx.db
+            .query("auth_password_reset_tokens")
+            .where({ tokenHash, consumedAt: null })
+            .findFirst();
+        if (!resetToken || resetToken.expiresAt < Date.now()) {
+            throw new Error("Invalid or expired reset token");
+        }
+        const newHash = await (0, crypto_1.hashPassword)(args.newPassword);
+        await ctx.db.update("auth_users", resetToken.userId, {
+            passwordHash: newHash,
+            updatedAt: Date.now(),
+        });
+        await ctx.db.update("auth_password_reset_tokens", resetToken._id, {
+            consumedAt: Date.now(),
+        });
+        // Optional: audit-log (best-effort)
+        try {
+            await (0, audit_1.writeAuditLog)(ctx, {
+                action: audit_1.AuditActions.RESET_PASSWORD,
+                resourceType: audit_1.ResourceTypes.PASSWORD_RESET_TOKEN,
+                resourceId: resetToken._id,
+                status: "success",
+            });
+        }
+        catch {
+            // ignore audit errors
+        }
+        return { success: true };
+    },
+    auth: "public",
+});
+//# sourceMappingURL=auth-password.js.map

package/dist/functions/built-in/auth-password.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-password.js","sourceRoot":"","sources":["../../../src/functions/built-in/auth-password.ts"],"names":[],"mappings":";;;AAAA,mDAAmD;AACnD,8CAAyC;AACzC,6BAAwB;AACxB,gDAAgD;AAEhD,qDAA0F;AAC1F,4CAA8E;AAE9E,sBAAsB;AACT,QAAA,kBAAkB,GAAG,IAAA,qBAAQ,EAAC;IACvC,IAAI,EAAE;QACF,eAAe,EAAE,OAAC,CAAC,MAAM,EAAE;QAC3B,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC;KAC1C;IACD,OAAO,EAAE,KAAK,EAAE,GAAgB,EAAE,IAAI,EAAE,EAAE;QACtC,GAAG,CAAC,IAAI,CAAC,oBAAoB,EAAE,CAAC;QAChC,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,KAAK,SAAS;YAAE,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;QAErF,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,YAAY,EAAE,GAAG,CAAC,IAAI,CAAC,MAAO,CAAC,CAAC;QAC9D,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,YAAY;YAAE,MAAM,IAAI,KAAK,CAAC,gBAAgB,CAAC,CAAC;QAEnE,MAAM,KAAK,GAAG,MAAM,IAAA,uBAAc,EAAC,IAAI,CAAC,eAAe,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;QAC5E,IAAI,CAAC,KAAK;YAAE,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;QAE7D,MAAM,OAAO,GAAG,MAAM,IAAA,qBAAY,EAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACrD,MAAM,GAAG,CAAC,EAAE,CAAC,MAAM,CAAC,YAAY,EAAE,IAAI,CAAC,GAAG,EAAE;YACxC,YAAY,EAAE,OAAO;YACrB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACxB,CAAC,CAAC;QAEH,MAAM,IAAA,qBAAa,EAAC,GAAG,EAAE;YACrB,MAAM,EAAE,oBAAY,CAAC,eAAe;YACpC,YAAY,EAAE,qBAAa,CAAC,IAAI;YAChC,UAAU,EAAE,IAAI,CAAC,GAAG;YACpB,MAAM,EAAE,SAAS;SACpB,CAAC,CAAC;QAEH,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC7B,CAAC;IACD,IAAI,EAAE,UAAU;CACnB,CAAC,CAAC;AAEH,4BAA4B;AACf,QAAA,wBAAwB,GAAG,IAAA,qBAAQ,EAAC;IAC7C,IAAI,EAAE;QACF,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE;KAC5B;IACD,OAAO,EAAE,KAAK,EAAE,GAAgB,EAAE,IAAI,EAAE,EAAE;QACtC,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,SAAS,EAAE,CAAC;QACvF,IAAI,CAAC,IAAI;YAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,8BAA8B;QAEnE,MAAM,KAAK,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QAClC,MAAM,SAAS,GAAG,IAAA,yBAAgB,EAAC,KAAK,CAAC,CAAC;QAC1C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEvB,MAAM,GAAG,CAAC,EAAE,CAAC,MAAM,CAAC,4BAA4B,EAAE;YAC9C,GAAG,EAAE,IAAA,gBAAQ,GAAE;YACf,MAAM,EAAE,IAAI,CAAC,GAAG;YAChB,QAAQ,EAAE,GAAG,CAAC,IAAI,CAAC,QAAQ,IAAI,EAAE;YACjC,SAAS;YACT,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,SAAS,EAAE,GAAG,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,SAAS;YAC1C,SAAS,EAAE,GAAG;SACjB,CAAC,CAAC;QAEH,mCAAmC;QACnC,gEAAgE;QAChE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;IACpC,CAAC;IACD,IAAI,EAAE,QAAQ;CACjB,CAAC,CAAC;AAEH,qBAAqB;AACR,QAAA,iBAAiB,GAAG,IAAA,qBAAQ,EAAC;IACtC,IAAI,EAAE;QACF,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE;QACjB,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC;KAC1C;IACD,OAAO,EAAE,KAAK,EAAE,GAAgB,EAAE,IAAI,EAAE,EAAE;QACtC,MAAM,SAAS,GAAG,IAAA,yBAAgB,EAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAE/C,MAAM,UAAU,GAAG,MAAM,GAAG,CAAC,EAAE;aAC1B,KAAK,CAAC,4BAA4B,CAAC;aACnC,KAAK,CAAC,EAAE,SAAS,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC;aACtC,SAAS,EAAE,CAAC;QAEjB,IAAI,CAAC,UAAU,IAAI,UAAU,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YACnD,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;QACtD,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,IAAA,qBAAY,EAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAErD,MAAM,GAAG,CAAC,EAAE,CAAC,MAAM,CAAC,YAAY,EAAE,UAAU,CAAC,MAAM,EAAE;YACjD,YAAY,EAAE,OAAO;YACrB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACxB,CAAC,CAAC;QAEH,MAAM,GAAG,CAAC,EAAE,CAAC,MAAM,CAAC,4BAA4B,EAAE,UAAU,CAAC,GAAG,EAAE;YAC9D,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE;SACzB,CAAC,CAAC;QAEH,oCAAoC;QACpC,IAAI,CAAC;YACD,MAAM,IAAA,qBAAa,EAAC,GAAG,EAAE;gBACrB,MAAM,EAAE,oBAAY,CAAC,cAAc;gBACnC,YAAY,EAAE,qBAAa,CAAC,oBAAoB;gBAChD,UAAU,EAAE,UAAU,CAAC,GAAG;gBAC1B,MAAM,EAAE,SAAS;aACpB,CAAC,CAAC;QACP,CAAC;QAAC,MAAM,CAAC;YACL,sBAAsB;QAC1B,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC7B,CAAC;IACD,IAAI,EAAE,QAAQ;CACjB,CAAC,CAAC"}

package/dist/functions/built-in/auth-session.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Built-in Auth Functions: Session Management
+ *
+ * - auth.refreshSession: Refresh/rotate a session token
+ * - auth.revokeSession: Revoke a specific session
+ * - auth.revokeAllSessions: Revoke all sessions for current user
+ *
+ * Features:
+ * - Session token rotation
+ * - Session revocation (single or all)
+ * - Audit logging
+ * - Cache invalidation
+ * - WebSocket session eviction
+ */
+export declare const authRefreshSession: import("../definition").FunctionDefinition;
+export declare const authRevokeSession: import("../definition").FunctionDefinition;
+export declare const authRevokeAllSessions: import("../definition").FunctionDefinition;
+//# sourceMappingURL=auth-session.d.ts.map

package/dist/functions/built-in/auth-session.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-session.d.ts","sourceRoot":"","sources":["../../../src/functions/built-in/auth-session.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAqHH,eAAO,MAAM,kBAAkB,4CAI7B,CAAC;AAyEH,eAAO,MAAM,iBAAiB,4CAI5B,CAAC;AAiFH,eAAO,MAAM,qBAAqB,4CAIhC,CAAC"}

package/dist/functions/built-in/auth-session.js

@@ -0,0 +1,221 @@
+"use strict";
+/**
+ * Built-in Auth Functions: Session Management
+ *
+ * - auth.refreshSession: Refresh/rotate a session token
+ * - auth.revokeSession: Revoke a specific session
+ * - auth.revokeAllSessions: Revoke all sessions for current user
+ *
+ * Features:
+ * - Session token rotation
+ * - Session revocation (single or all)
+ * - Audit logging
+ * - Cache invalidation
+ * - WebSocket session eviction
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.authRevokeAllSessions = exports.authRevokeSession = exports.authRefreshSession = void 0;
+const definition_1 = require("../definition");
+const zod_1 = require("zod");
+const cuid2_1 = require("@paralleldrive/cuid2");
+const crypto_1 = require("../../auth/system/crypto");
+const audit_1 = require("../../auth/audit");
+// ============================================================================
+// auth.refreshSession
+// ============================================================================
+const refreshSessionArgs = {
+    sessionId: zod_1.z.string().optional(), // Optional: defaults to current session
+};
+async function refreshSessionHandler(ctx, args) {
+    const { auth } = ctx;
+    // Require authentication
+    auth.requireAuthenticated();
+    if (auth.type !== "session") {
+        throw new Error("Cannot refresh session with API key authentication");
+    }
+    const sessionId = args.sessionId || auth.session?._id;
+    if (!sessionId) {
+        throw new Error("No session to refresh");
+    }
+    // Get current session
+    const session = await ctx.db.get("auth_sessions", sessionId);
+    if (!session) {
+        throw new Error("Session not found");
+    }
+    if (session.userId !== auth.userId) {
+        throw new Error("Cannot refresh another user's session");
+    }
+    if (session.revokedAt) {
+        throw new Error("Session is revoked");
+    }
+    // Check if expired
+    const now = Date.now();
+    if (session.expiresAt < now) {
+        throw new Error("Session is expired");
+    }
+    // Generate new session token (raw token -> cookie/header), hash stored in DB
+    const sessionToken = (0, crypto_1.generateSessionToken)();
+    const tokenHash = (0, crypto_1.hashSessionToken)(sessionToken);
+    const newSessionId = (0, cuid2_1.createId)();
+    const sessionTTL = 30 * 24 * 60 * 60 * 1000; // 30 days
+    // Create new session
+    const newSession = {
+        _id: newSessionId,
+        userId: session.userId,
+        tenantId: session.tenantId,
+        tokenHash,
+        expiresAt: now + sessionTTL,
+        lastActiveAt: now,
+        rotatedFrom: sessionId,
+        createdAt: now,
+        updatedAt: now,
+    };
+    await ctx.db.insert("auth_sessions", newSession);
+    // Revoke old session
+    await ctx.db.update("auth_sessions", sessionId, {
+        revokedAt: now,
+        updatedAt: now,
+    });
+    // Write audit log
+    await (0, audit_1.writeAuditLog)(ctx, {
+        action: audit_1.AuditActions.REFRESH_SESSION,
+        resourceType: audit_1.ResourceTypes.SESSION,
+        resourceId: newSessionId,
+        status: "success",
+        metadata: {
+            additionalInfo: {
+                oldSessionId: sessionId,
+                userId: auth.userId,
+                tenantId: auth.tenantId,
+            },
+        },
+    });
+    // Invalidate cache
+    ctx.db.clearCache();
+    return {
+        sessionId: newSessionId,
+        sessionToken,
+        expiresAt: newSession.expiresAt,
+    };
+}
+exports.authRefreshSession = (0, definition_1.mutation)({
+    args: refreshSessionArgs,
+    handler: refreshSessionHandler,
+    auth: "required",
+});
+// ============================================================================
+// auth.revokeSession
+// ============================================================================
+const revokeSessionArgs = {
+    sessionId: zod_1.z.string(),
+};
+async function revokeSessionHandler(ctx, args) {
+    const { auth } = ctx;
+    const { sessionId } = args;
+    // Require authentication
+    auth.requireAuthenticated();
+    if (auth.type !== "session") {
+        throw new Error("Cannot revoke sessions with API key authentication");
+    }
+    // Get session
+    const session = await ctx.db.get("auth_sessions", sessionId);
+    if (!session) {
+        throw new Error("Session not found");
+    }
+    // Verify ownership
+    if (session.userId !== auth.userId) {
+        throw new Error("Cannot revoke another user's session");
+    }
+    // Revoke session
+    const now = Date.now();
+    await ctx.db.update("auth_sessions", sessionId, {
+        revokedAt: now,
+        updatedAt: now,
+    });
+    // Write audit log
+    await (0, audit_1.writeAuditLog)(ctx, {
+        action: audit_1.AuditActions.REVOKE_SESSION,
+        resourceType: audit_1.ResourceTypes.SESSION,
+        resourceId: sessionId,
+        status: "success",
+        metadata: {
+            additionalInfo: {
+                userId: auth.userId,
+                tenantId: session.tenantId,
+            },
+        },
+    });
+    // Invalidate cache
+    ctx.db.clearCache();
+    return {
+        success: true,
+        sessionId,
+    };
+}
+exports.authRevokeSession = (0, definition_1.mutation)({
+    args: revokeSessionArgs,
+    handler: revokeSessionHandler,
+    auth: "required",
+});
+// ============================================================================
+// auth.revokeAllSessions
+// ============================================================================
+const revokeAllSessionsArgs = {
+    exceptCurrent: zod_1.z.boolean().optional().default(true), // Keep current session active
+};
+async function revokeAllSessionsHandler(ctx, args) {
+    const { auth } = ctx;
+    const { exceptCurrent } = args;
+    // Require authentication
+    auth.requireAuthenticated();
+    if (auth.type !== "session") {
+        throw new Error("Cannot revoke sessions with API key authentication");
+    }
+    // Get all active sessions for user
+    const sessions = await ctx.db
+        .query("auth_sessions")
+        .where({
+        userId: auth.userId,
+        revokedAt: null,
+    })
+        .findMany();
+    const now = Date.now();
+    let revokedCount = 0;
+    for (const session of sessions) {
+        // Skip current session if exceptCurrent is true
+        if (exceptCurrent && session._id === auth.session?._id) {
+            continue;
+        }
+        await ctx.db.update("auth_sessions", session._id, {
+            revokedAt: now,
+            updatedAt: now,
+        });
+        revokedCount++;
+    }
+    // Write audit log
+    await (0, audit_1.writeAuditLog)(ctx, {
+        action: audit_1.AuditActions.REVOKE_ALL_SESSIONS,
+        resourceType: audit_1.ResourceTypes.SESSION,
+        resourceId: auth.userId || "unknown",
+        status: "success",
+        metadata: {
+            additionalInfo: {
+                userId: auth.userId,
+                revokedCount,
+                exceptCurrent,
+            },
+        },
+    });
+    // Invalidate cache
+    ctx.db.clearCache();
+    return {
+        success: true,
+        revokedCount,
+    };
+}
+exports.authRevokeAllSessions = (0, definition_1.mutation)({
+    args: revokeAllSessionsArgs,
+    handler: revokeAllSessionsHandler,
+    auth: "required",
+});
+//# sourceMappingURL=auth-session.js.map

package/dist/functions/built-in/auth-session.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-session.js","sourceRoot":"","sources":["../../../src/functions/built-in/auth-session.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;;AAEH,8CAAgD;AAChD,6BAAwB;AACxB,gDAAgD;AAChD,qDAAkF;AAClF,4CAA8E;AAG9E,+EAA+E;AAC/E,sBAAsB;AACtB,+EAA+E;AAE/E,MAAM,kBAAkB,GAAG;IACvB,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,wCAAwC;CAC7E,CAAC;AAUF,KAAK,UAAU,qBAAqB,CAChC,GAAgB,EAChB,IAAwB;IAExB,MAAM,EAAE,IAAI,EAAE,GAAG,GAAG,CAAC;IAErB,yBAAyB;IACzB,IAAI,CAAC,oBAAoB,EAAE,CAAC;IAE5B,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;IAC1E,CAAC;IAED,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,OAAO,EAAE,GAAG,CAAC;IAEtD,IAAI,CAAC,SAAS,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC7C,CAAC;IAED,sBAAsB;IACtB,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,eAAe,EAAE,SAAS,CAAC,CAAC;IAE7D,IAAI,CAAC,OAAO,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;IACzC,CAAC;IAED,IAAI,OAAO,CAAC,MAAM,KAAK,IAAI,CAAC,MAAM,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;IAC7D,CAAC;IAED,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAC;IAC1C,CAAC;IAED,mBAAmB;IACnB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,IAAI,OAAO,CAAC,SAAS,GAAG,GAAG,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAC;IAC1C,CAAC;IAED,6EAA6E;IAC7E,MAAM,YAAY,GAAG,IAAA,6BAAoB,GAAE,CAAC;IAC5C,MAAM,SAAS,GAAG,IAAA,yBAAgB,EAAC,YAAY,CAAC,CAAC;IACjD,MAAM,YAAY,GAAG,IAAA,gBAAQ,GAAE,CAAC;IAChC,MAAM,UAAU,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,UAAU;IAEvD,qBAAqB;IACrB,MAAM,UAAU,GAAG;QACf,GAAG,EAAE,YAAY;QACjB,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,SAAS;QACT,SAAS,EAAE,GAAG,GAAG,UAAU;QAC3B,YAAY,EAAE,GAAG;QACjB,WAAW,EAAE,SAAS;QACtB,SAAS,EAAE,GAAG;QACd,SAAS,EAAE,GAAG;KACjB,CAAC;IAEF,MAAM,GAAG,CAAC,EAAE,CAAC,MAAM,CAAC,eAAe,EAAE,UAAU,CAAC,CAAC;IAEjD,qBAAqB;IACrB,MAAM,GAAG,CAAC,EAAE,CAAC,MAAM,CAAC,eAAe,EAAE,SAAS,EAAE;QAC5C,SAAS,EAAE,GAAG;QACd,SAAS,EAAE,GAAG;KACjB,CAAC,CAAC;IAEH,kBAAkB;IAClB,MAAM,IAAA,qBAAa,EAAC,GAAG,EAAE;QACrB,MAAM,EAAE,oBAAY,CAAC,eAAe;QACpC,YAAY,EAAE,qBAAa,CAAC,OAAO;QACnC,UAAU,EAAE,YAAY;QACxB,MAAM,EAAE,SAAS;QACjB,QAAQ,EAAE;YACN,cAAc,EAAE;gBACZ,YAAY,EAAE,SAAS;gBACvB,MAAM,EAAE,IAAI,CAAC,MAAM;gBACnB,QAAQ,EAAE,IAAI,CAAC,QAAQ;aAC1B;SACJ;KACJ,CAAC,CAAC;IAEH,mBAAmB;IACnB,GAAG,CAAC,EAAE,CAAC,UAAU,EAAE,CAAC;IAEpB,OAAO;QACH,SAAS,EAAE,YAAY;QACvB,YAAY;QACZ,SAAS,EAAE,UAAU,CAAC,SAAS;KAClC,CAAC;AACN,CAAC;AAEY,QAAA,kBAAkB,GAAG,IAAA,qBAAQ,EAAC;IACvC,IAAI,EAAE,kBAAkB;IACxB,OAAO,EAAE,qBAAqB;IAC9B,IAAI,EAAE,UAAU;CACnB,CAAC,CAAC;AAEH,+EAA+E;AAC/E,qBAAqB;AACrB,+EAA+E;AAE/E,MAAM,iBAAiB,GAAG;IACtB,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE;CACxB,CAAC;AASF,KAAK,UAAU,oBAAoB,CAC/B,GAAgB,EAChB,IAAuB;IAEvB,MAAM,EAAE,IAAI,EAAE,GAAG,GAAG,CAAC;IACrB,MAAM,EAAE,SAAS,EAAE,GAAG,IAAI,CAAC;IAE3B,yBAAyB;IACzB,IAAI,CAAC,oBAAoB,EAAE,CAAC;IAE5B,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;IAC1E,CAAC;IAED,cAAc;IACd,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,eAAe,EAAE,SAAS,CAAC,CAAC;IAE7D,IAAI,CAAC,OAAO,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;IACzC,CAAC;IAED,mBAAmB;IACnB,IAAI,OAAO,CAAC,MAAM,KAAK,IAAI,CAAC,MAAM,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;IAC5D,CAAC;IAED,iBAAiB;IACjB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,GAAG,CAAC,EAAE,CAAC,MAAM,CAAC,eAAe,EAAE,SAAS,EAAE;QAC5C,SAAS,EAAE,GAAG;QACd,SAAS,EAAE,GAAG;KACjB,CAAC,CAAC;IAEH,kBAAkB;IAClB,MAAM,IAAA,qBAAa,EAAC,GAAG,EAAE;QACrB,MAAM,EAAE,oBAAY,CAAC,cAAc;QACnC,YAAY,EAAE,qBAAa,CAAC,OAAO;QACnC,UAAU,EAAE,SAAS;QACrB,MAAM,EAAE,SAAS;QACjB,QAAQ,EAAE;YACN,cAAc,EAAE;gBACZ,MAAM,EAAE,IAAI,CAAC,MAAM;gBACnB,QAAQ,EAAE,OAAO,CAAC,QAAQ;aAC7B;SACJ;KACJ,CAAC,CAAC;IAEH,mBAAmB;IACnB,GAAG,CAAC,EAAE,CAAC,UAAU,EAAE,CAAC;IAEpB,OAAO;QACH,OAAO,EAAE,IAAI;QACb,SAAS;KACZ,CAAC;AACN,CAAC;AAEY,QAAA,iBAAiB,GAAG,IAAA,qBAAQ,EAAC;IACtC,IAAI,EAAE,iBAAiB;IACvB,OAAO,EAAE,oBAAoB;IAC7B,IAAI,EAAE,UAAU;CACnB,CAAC,CAAC;AAEH,+EAA+E;AAC/E,yBAAyB;AACzB,+EAA+E;AAE/E,MAAM,qBAAqB,GAAG;IAC1B,aAAa,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,8BAA8B;CACtF,CAAC;AASF,KAAK,UAAU,wBAAwB,CACnC,GAAgB,EAChB,IAA2B;IAE3B,MAAM,EAAE,IAAI,EAAE,GAAG,GAAG,CAAC;IACrB,MAAM,EAAE,aAAa,EAAE,GAAG,IAAI,CAAC;IAE/B,yBAAyB;IACzB,IAAI,CAAC,oBAAoB,EAAE,CAAC;IAE5B,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;IAC1E,CAAC;IAED,mCAAmC;IACnC,MAAM,QAAQ,GAAG,MAAM,GAAG,CAAC,EAAE;SACxB,KAAK,CAAC,eAAe,CAAC;SACtB,KAAK,CAAC;QACH,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,SAAS,EAAE,IAAI;KAClB,CAAC;SACD,QAAQ,EAAE,CAAC;IAEhB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,IAAI,YAAY,GAAG,CAAC,CAAC;IAErB,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC7B,gDAAgD;QAChD,IAAI,aAAa,IAAI,OAAO,CAAC,GAAG,KAAK,IAAI,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC;YACrD,SAAS;QACb,CAAC;QAED,MAAM,GAAG,CAAC,EAAE,CAAC,MAAM,CAAC,eAAe,EAAE,OAAO,CAAC,GAAG,EAAE;YAC9C,SAAS,EAAE,GAAG;YACd,SAAS,EAAE,GAAG;SACjB,CAAC,CAAC;QAEH,YAAY,EAAE,CAAC;IACnB,CAAC;IAED,kBAAkB;IAClB,MAAM,IAAA,qBAAa,EAAC,GAAG,EAAE;QACrB,MAAM,EAAE,oBAAY,CAAC,mBAAmB;QACxC,YAAY,EAAE,qBAAa,CAAC,OAAO;QACnC,UAAU,EAAE,IAAI,CAAC,MAAM,IAAI,SAAS;QACpC,MAAM,EAAE,SAAS;QACjB,QAAQ,EAAE;YACN,cAAc,EAAE;gBACZ,MAAM,EAAE,IAAI,CAAC,MAAM;gBACnB,YAAY;gBACZ,aAAa;aAChB;SACJ;KACJ,CAAC,CAAC;IAEH,mBAAmB;IACnB,GAAG,CAAC,EAAE,CAAC,UAAU,EAAE,CAAC;IAEpB,OAAO;QACH,OAAO,EAAE,IAAI;QACb,YAAY;KACf,CAAC;AACN,CAAC;AAEY,QAAA,qBAAqB,GAAG,IAAA,qBAAQ,EAAC;IAC1C,IAAI,EAAE,qBAAqB;IAC3B,OAAO,EAAE,wBAAwB;IACjC,IAAI,EAAE,UAAU;CACnB,CAAC,CAAC"}

package/dist/functions/built-in/auth-signin.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Built-in Auth Function: signIn
+ *
+ * Authenticates a user with email/password credentials.
+ *
+ * Features:
+ * - Email/password validation
+ * - Password verification (PBKDF2)
+ * - Session creation and token generation
+ * - Failed login tracking (brute force detection)
+ * - Audit logging
+ * - Clears failed login attempts on success
+ *
+ * Auth mode: "public" (anyone can sign in)
+ */
+/**
+ * Export the function definition
+ */
+export declare const authSignIn: import("../definition").FunctionDefinition;
+//# sourceMappingURL=auth-signin.d.ts.map

package/dist/functions/built-in/auth-signin.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-signin.d.ts","sourceRoot":"","sources":["../../../src/functions/built-in/auth-signin.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAiPH;;GAEG;AACH,eAAO,MAAM,UAAU,4CAIrB,CAAC"}

package/dist/functions/built-in/auth-signin.js

@@ -0,0 +1,198 @@
+"use strict";
+/**
+ * Built-in Auth Function: signIn
+ *
+ * Authenticates a user with email/password credentials.
+ *
+ * Features:
+ * - Email/password validation
+ * - Password verification (PBKDF2)
+ * - Session creation and token generation
+ * - Failed login tracking (brute force detection)
+ * - Audit logging
+ * - Clears failed login attempts on success
+ *
+ * Auth mode: "public" (anyone can sign in)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.authSignIn = void 0;
+const definition_1 = require("../definition");
+const zod_1 = require("zod");
+const cuid2_1 = require("@paralleldrive/cuid2");
+const crypto_1 = require("../../auth/system/crypto");
+const audit_1 = require("../../auth/audit");
+const signInArgs = {
+    email: zod_1.z.string().email(),
+    password: zod_1.z.string(),
+    tenantId: zod_1.z.string().optional(), // Optional: sign in to specific tenant
+};
+async function signInHandler(ctx, args) {
+    const { email, password, tenantId: requestedTenantId } = args;
+    // 1. Find user by email
+    const user = await ctx.db.query("auth_users").where({ email }).findFirst();
+    if (!user) {
+        // Track failed login attempt
+        await (0, audit_1.trackFailedLogin)(ctx, email, "unknown", undefined);
+        await (0, audit_1.writeAuditLog)(ctx, {
+            action: audit_1.AuditActions.SIGN_IN,
+            resourceType: audit_1.ResourceTypes.USER,
+            resourceId: email,
+            status: "failure",
+            errorCode: "USER_NOT_FOUND",
+            errorMessage: "Invalid email or password",
+        });
+        throw new Error("Invalid email or password");
+    }
+    // 2. Verify password
+    if (!user.passwordHash) {
+        await (0, audit_1.trackFailedLogin)(ctx, email, "unknown", undefined);
+        await (0, audit_1.writeAuditLog)(ctx, {
+            action: audit_1.AuditActions.SIGN_IN,
+            resourceType: audit_1.ResourceTypes.USER,
+            resourceId: user._id,
+            status: "failure",
+            errorCode: "NO_PASSWORD",
+            errorMessage: "User has no password (OAuth only?)",
+        });
+        throw new Error("Invalid email or password");
+    }
+    const passwordValid = await (0, crypto_1.verifyPassword)(password, user.passwordHash);
+    if (!passwordValid) {
+        // Track failed login attempt
+        const { shouldBlock, attemptCount } = await (0, audit_1.trackFailedLogin)(ctx, email, "unknown", undefined);
+        await (0, audit_1.writeAuditLog)(ctx, {
+            action: audit_1.AuditActions.SIGN_IN,
+            resourceType: audit_1.ResourceTypes.USER,
+            resourceId: user._id,
+            status: "failure",
+            errorCode: "INVALID_PASSWORD",
+            errorMessage: "Invalid email or password",
+            metadata: {
+                additionalInfo: {
+                    attemptCount,
+                    blocked: shouldBlock,
+                },
+            },
+        });
+        if (shouldBlock) {
+            throw new Error("Too many failed login attempts. Please try again later.");
+        }
+        throw new Error("Invalid email or password");
+    }
+    // 3. Clear failed login attempts on success
+    await (0, audit_1.clearFailedLoginAttempts)(ctx, email);
+    // 4. Find tenant and membership
+    let tenantId = requestedTenantId;
+    let membership = null;
+    let tenant = null;
+    if (tenantId) {
+        // Verify user has membership in requested tenant
+        membership = await ctx.db
+            .query("auth_memberships")
+            .where({ userId: user._id, tenantId })
+            .findFirst();
+        if (!membership) {
+            await (0, audit_1.writeAuditLog)(ctx, {
+                action: audit_1.AuditActions.SIGN_IN,
+                resourceType: audit_1.ResourceTypes.USER,
+                resourceId: user._id,
+                status: "failure",
+                errorCode: "NO_MEMBERSHIP",
+                errorMessage: "User is not a member of the requested tenant",
+            });
+            throw new Error("User is not a member of the requested tenant");
+        }
+        tenant = await ctx.db.get("auth_tenants", tenantId);
+    }
+    else {
+        // Get user's first membership
+        const memberships = await ctx.db
+            .query("auth_memberships")
+            .where({ userId: user._id })
+            .findMany();
+        if (memberships.length === 0) {
+            await (0, audit_1.writeAuditLog)(ctx, {
+                action: audit_1.AuditActions.SIGN_IN,
+                resourceType: audit_1.ResourceTypes.USER,
+                resourceId: user._id,
+                status: "failure",
+                errorCode: "NO_MEMBERSHIPS",
+                errorMessage: "User has no tenant memberships",
+            });
+            throw new Error("User has no tenant memberships");
+        }
+        membership = memberships[0];
+        tenantId = membership.tenantId;
+        tenant = await ctx.db.get("auth_tenants", tenantId);
+    }
+    if (!tenant) {
+        throw new Error("Tenant not found");
+    }
+    // 5. Create session
+    const sessionToken = (0, crypto_1.generateSessionToken)();
+    const tokenHash = (0, crypto_1.hashSessionToken)(sessionToken);
+    const sessionId = (0, cuid2_1.createId)();
+    const now = Date.now();
+    const sessionTTL = 30 * 24 * 60 * 60 * 1000; // 30 days
+    const session = {
+        _id: sessionId,
+        userId: user._id,
+        tenantId: tenantId,
+        tokenHash,
+        expiresAt: now + sessionTTL,
+        lastActiveAt: now,
+        createdAt: now,
+        updatedAt: now,
+    };
+    await ctx.db.insert("auth_sessions", session);
+    // 6. Update user lastLoginAt (optional field - would need schema extension)
+    // await ctx.db.update("auth_users", user._id, { lastLoginAt: now });
+    // 7. Write audit log
+    await (0, audit_1.writeAuditLog)(ctx, {
+        action: audit_1.AuditActions.SIGN_IN,
+        resourceType: audit_1.ResourceTypes.SESSION,
+        resourceId: sessionId,
+        status: "success",
+        metadata: {
+            additionalInfo: {
+                userId: user._id,
+                email: user.email,
+                tenantId,
+                loginMethod: "password",
+            },
+        },
+    });
+    // 8. Invalidate cache
+    ctx.db.clearCache();
+    return {
+        userId: user._id,
+        tenantId: tenantId,
+        sessionToken,
+        user: {
+            _id: user._id,
+            email: user.email,
+            emailVerified: user.emailVerified || false,
+            name: user.name,
+            createdAt: user.createdAt,
+        },
+        tenant: {
+            _id: tenant._id,
+            name: tenant.name || "Unknown Tenant",
+            ownerId: tenant.ownerId || "",
+            createdAt: tenant.createdAt || now,
+        },
+        membership: {
+            role: membership.role || "member",
+            permissions: membership.permissions || [],
+        },
+    };
+}
+/**
+ * Export the function definition
+ */
+exports.authSignIn = (0, definition_1.mutation)({
+    args: signInArgs,
+    handler: signInHandler,
+    auth: "public", // Anyone can sign in
+});
+//# sourceMappingURL=auth-signin.js.map

package/dist/functions/built-in/auth-signin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-signin.js","sourceRoot":"","sources":["../../../src/functions/built-in/auth-signin.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;GAcG;;;AAEH,8CAAyC;AACzC,6BAAwB;AACxB,gDAAgD;AAChD,qDAAkG;AAClG,4CAM0B;AAG1B,MAAM,UAAU,GAAG;IACf,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE;IACzB,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE;IACpB,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,uCAAuC;CAC3E,CAAC;AA2BF,KAAK,UAAU,aAAa,CAAC,GAAgB,EAAE,IAAgB;IAC3D,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,iBAAiB,EAAE,GAAG,IAAI,CAAC;IAE9D,wBAAwB;IACxB,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,SAAS,EAAE,CAAC;IAE3E,IAAI,CAAC,IAAI,EAAE,CAAC;QACR,6BAA6B;QAC7B,MAAM,IAAA,wBAAgB,EAAC,GAAG,EAAE,KAAK,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;QAEzD,MAAM,IAAA,qBAAa,EAAC,GAAG,EAAE;YACrB,MAAM,EAAE,oBAAY,CAAC,OAAO;YAC5B,YAAY,EAAE,qBAAa,CAAC,IAAI;YAChC,UAAU,EAAE,KAAK;YACjB,MAAM,EAAE,SAAS;YACjB,SAAS,EAAE,gBAAgB;YAC3B,YAAY,EAAE,2BAA2B;SAC5C,CAAC,CAAC;QAEH,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;IACjD,CAAC;IAED,qBAAqB;IACrB,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;QACrB,MAAM,IAAA,wBAAgB,EAAC,GAAG,EAAE,KAAK,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;QAEzD,MAAM,IAAA,qBAAa,EAAC,GAAG,EAAE;YACrB,MAAM,EAAE,oBAAY,CAAC,OAAO;YAC5B,YAAY,EAAE,qBAAa,CAAC,IAAI;YAChC,UAAU,EAAE,IAAI,CAAC,GAAG;YACpB,MAAM,EAAE,SAAS;YACjB,SAAS,EAAE,aAAa;YACxB,YAAY,EAAE,oCAAoC;SACrD,CAAC,CAAC;QAEH,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;IACjD,CAAC;IAED,MAAM,aAAa,GAAG,MAAM,IAAA,uBAAc,EAAC,QAAQ,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;IAExE,IAAI,CAAC,aAAa,EAAE,CAAC;QACjB,6BAA6B;QAC7B,MAAM,EAAE,WAAW,EAAE,YAAY,EAAE,GAAG,MAAM,IAAA,wBAAgB,EACxD,GAAG,EACH,KAAK,EACL,SAAS,EACT,SAAS,CACZ,CAAC;QAEF,MAAM,IAAA,qBAAa,EAAC,GAAG,EAAE;YACrB,MAAM,EAAE,oBAAY,CAAC,OAAO;YAC5B,YAAY,EAAE,qBAAa,CAAC,IAAI;YAChC,UAAU,EAAE,IAAI,CAAC,GAAG;YACpB,MAAM,EAAE,SAAS;YACjB,SAAS,EAAE,kBAAkB;YAC7B,YAAY,EAAE,2BAA2B;YACzC,QAAQ,EAAE;gBACN,cAAc,EAAE;oBACZ,YAAY;oBACZ,OAAO,EAAE,WAAW;iBACvB;aACJ;SACJ,CAAC,CAAC;QAEH,IAAI,WAAW,EAAE,CAAC;YACd,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;QAC/E,CAAC;QAED,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;IACjD,CAAC;IAED,4CAA4C;IAC5C,MAAM,IAAA,gCAAwB,EAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IAE3C,gCAAgC;IAChC,IAAI,QAAQ,GAAuB,iBAAiB,CAAC;IACrD,IAAI,UAAU,GAAQ,IAAI,CAAC;IAC3B,IAAI,MAAM,GAAQ,IAAI,CAAC;IAEvB,IAAI,QAAQ,EAAE,CAAC;QACX,iDAAiD;QACjD,UAAU,GAAG,MAAM,GAAG,CAAC,EAAE;aACpB,KAAK,CAAC,kBAAkB,CAAC;aACzB,KAAK,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE,CAAC;aACrC,SAAS,EAAE,CAAC;QAEjB,IAAI,CAAC,UAAU,EAAE,CAAC;YACd,MAAM,IAAA,qBAAa,EAAC,GAAG,EAAE;gBACrB,MAAM,EAAE,oBAAY,CAAC,OAAO;gBAC5B,YAAY,EAAE,qBAAa,CAAC,IAAI;gBAChC,UAAU,EAAE,IAAI,CAAC,GAAG;gBACpB,MAAM,EAAE,SAAS;gBACjB,SAAS,EAAE,eAAe;gBAC1B,YAAY,EAAE,8CAA8C;aAC/D,CAAC,CAAC;YAEH,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;QACpE,CAAC;QAED,MAAM,GAAG,MAAM,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,cAAc,EAAE,QAAQ,CAAC,CAAC;IACxD,CAAC;SAAM,CAAC;QACJ,8BAA8B;QAC9B,MAAM,WAAW,GAAG,MAAM,GAAG,CAAC,EAAE;aAC3B,KAAK,CAAC,kBAAkB,CAAC;aACzB,KAAK,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC;aAC3B,QAAQ,EAAE,CAAC;QAEhB,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC3B,MAAM,IAAA,qBAAa,EAAC,GAAG,EAAE;gBACrB,MAAM,EAAE,oBAAY,CAAC,OAAO;gBAC5B,YAAY,EAAE,qBAAa,CAAC,IAAI;gBAChC,UAAU,EAAE,IAAI,CAAC,GAAG;gBACpB,MAAM,EAAE,SAAS;gBACjB,SAAS,EAAE,gBAAgB;gBAC3B,YAAY,EAAE,gCAAgC;aACjD,CAAC,CAAC;YAEH,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;QACtD,CAAC;QAED,UAAU,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;QAC5B,QAAQ,GAAG,UAAU,CAAC,QAAQ,CAAC;QAC/B,MAAM,GAAG,MAAM,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,cAAc,EAAE,QAAkB,CAAC,CAAC;IAClE,CAAC;IAED,IAAI,CAAC,MAAM,EAAE,CAAC;QACV,MAAM,IAAI,KAAK,CAAC,kBAAkB,CAAC,CAAC;IACxC,CAAC;IAED,oBAAoB;IACpB,MAAM,YAAY,GAAG,IAAA,6BAAoB,GAAE,CAAC;IAC5C,MAAM,SAAS,GAAG,IAAA,yBAAgB,EAAC,YAAY,CAAC,CAAC;IACjD,MAAM,SAAS,GAAG,IAAA,gBAAQ,GAAE,CAAC;IAC7B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,UAAU,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,UAAU;IAEvD,MAAM,OAAO,GAAG;QACZ,GAAG,EAAE,SAAS;QACd,MAAM,EAAE,IAAI,CAAC,GAAG;QAChB,QAAQ,EAAE,QAAkB;QAC5B,SAAS;QACT,SAAS,EAAE,GAAG,GAAG,UAAU;QAC3B,YAAY,EAAE,GAAG;QACjB,SAAS,EAAE,GAAG;QACd,SAAS,EAAE,GAAG;KACjB,CAAC;IAEF,MAAM,GAAG,CAAC,EAAE,CAAC,MAAM,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC;IAE9C,4EAA4E;IAC5E,qEAAqE;IAErE,qBAAqB;IACrB,MAAM,IAAA,qBAAa,EAAC,GAAG,EAAE;QACrB,MAAM,EAAE,oBAAY,CAAC,OAAO;QAC5B,YAAY,EAAE,qBAAa,CAAC,OAAO;QACnC,UAAU,EAAE,SAAS;QACrB,MAAM,EAAE,SAAS;QACjB,QAAQ,EAAE;YACN,cAAc,EAAE;gBACZ,MAAM,EAAE,IAAI,CAAC,GAAG;gBAChB,KAAK,EAAE,IAAI,CAAC,KAAK;gBACjB,QAAQ;gBACR,WAAW,EAAE,UAAU;aAC1B;SACJ;KACJ,CAAC,CAAC;IAEH,sBAAsB;IACtB,GAAG,CAAC,EAAE,CAAC,UAAU,EAAE,CAAC;IAEpB,OAAO;QACH,MAAM,EAAE,IAAI,CAAC,GAAG;QAChB,QAAQ,EAAE,QAAkB;QAC5B,YAAY;QACZ,IAAI,EAAE;YACF,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,aAAa,EAAE,IAAI,CAAC,aAAa,IAAI,KAAK;YAC1C,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,SAAS,EAAE,IAAI,CAAC,SAAS;SAC5B;QACD,MAAM,EAAE;YACJ,GAAG,EAAE,MAAM,CAAC,GAAG;YACf,IAAI,EAAE,MAAM,CAAC,IAAI,IAAI,gBAAgB;YACrC,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,EAAE;YAC7B,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,GAAG;SACrC;QACD,UAAU,EAAE;YACR,IAAI,EAAE,UAAU,CAAC,IAAI,IAAI,QAAQ;YACjC,WAAW,EAAE,UAAU,CAAC,WAAW,IAAI,EAAE;SAC5C;KACJ,CAAC;AACN,CAAC;AAED;;GAEG;AACU,QAAA,UAAU,GAAG,IAAA,qBAAQ,EAAC;IAC/B,IAAI,EAAE,UAAU;IAChB,OAAO,EAAE,aAAa;IACtB,IAAI,EAAE,QAAQ,EAAE,qBAAqB;CACxC,CAAC,CAAC"}

package/dist/functions/built-in/auth-signout.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Built-in Auth Function: signOut
+ *
+ * Signs out the current user by revoking their session.
+ *
+ * Features:
+ * - Session revocation
+ * - Audit logging
+ * - Cache invalidation
+ * - WebSocket session eviction
+ *
+ * Auth mode: "required" (must be authenticated)
+ */
+/**
+ * Export the function definition
+ */
+export declare const authSignOut: import("../definition").FunctionDefinition;
+//# sourceMappingURL=auth-signout.d.ts.map

package/dist/functions/built-in/auth-signout.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-signout.d.ts","sourceRoot":"","sources":["../../../src/functions/built-in/auth-signout.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AA8EH;;GAEG;AACH,eAAO,MAAM,WAAW,4CAItB,CAAC"}