@archlast/server 0.0.1

package/dist/auth/better-auth-session-adapter.d.ts

@@ -0,0 +1,49 @@
+/**
+ * Better-Auth Session Adapter
+ *
+ * This adapter implements the Archlast AuthAdapter interface for Better-Auth sessions.
+ * It verifies session tokens from Better-Auth cookies and returns an AuthContext.
+ */
+import type { AuthAdapter, AuthContext, AuthInput } from "./interfaces.js";
+/**
+ * Better-Auth session adapter options
+ */
+export interface BetterAuthSessionAdapterOptions {
+    /**
+     * Better-Auth instance for session verification
+     */
+    auth: any;
+    /**
+     * Database client for fetching additional user data
+     */
+    db?: any;
+}
+/**
+ * Better-Auth session adapter
+ *
+ * This adapter verifies Better-Auth session tokens from cookies
+ * and converts them to Archlast AuthContext.
+ */
+export declare class BetterAuthSessionAdapter implements AuthAdapter {
+    name: string;
+    private auth;
+    private db?;
+    constructor(options: BetterAuthSessionAdapterOptions);
+    /**
+     * Verify a Better-Auth session from the input
+     */
+    verify(input: AuthInput): Promise<AuthContext | null>;
+    /**
+     * Extract session token from cookies or headers
+     */
+    private extractSessionToken;
+    /**
+     * Create headers object from AuthInput for Better-Auth API calls
+     */
+    private createHeadersFromInput;
+}
+/**
+ * Create a Better-Auth session adapter
+ */
+export declare function createBetterAuthSessionAdapter(options: BetterAuthSessionAdapterOptions): BetterAuthSessionAdapter;
+//# sourceMappingURL=better-auth-session-adapter.d.ts.map

package/dist/auth/better-auth-session-adapter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"better-auth-session-adapter.d.ts","sourceRoot":"","sources":["../../src/auth/better-auth-session-adapter.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EACR,WAAW,EACX,WAAW,EACX,SAAS,EACZ,MAAM,iBAAiB,CAAC;AAMzB;;GAEG;AACH,MAAM,WAAW,+BAA+B;IAC5C;;OAEG;IACH,IAAI,EAAE,GAAG,CAAC;IAEV;;OAEG;IACH,EAAE,CAAC,EAAE,GAAG,CAAC;CACZ;AAsJD;;;;;GAKG;AACH,qBAAa,wBAAyB,YAAW,WAAW;IACxD,IAAI,SAAyB;IAE7B,OAAO,CAAC,IAAI,CAAM;IAClB,OAAO,CAAC,EAAE,CAAC,CAAM;gBAEL,OAAO,EAAE,+BAA+B;IAKpD;;OAEG;IACG,MAAM,CAAC,KAAK,EAAE,SAAS,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;IAkD3D;;OAEG;IACH,OAAO,CAAC,mBAAmB;IA0B3B;;OAEG;IACH,OAAO,CAAC,sBAAsB;CAkBjC;AAED;;GAEG;AACH,wBAAgB,8BAA8B,CAC1C,OAAO,EAAE,+BAA+B,GACzC,wBAAwB,CAE1B"}

package/dist/auth/better-auth-session-adapter.js

@@ -0,0 +1,254 @@
+"use strict";
+/**
+ * Better-Auth Session Adapter
+ *
+ * This adapter implements the Archlast AuthAdapter interface for Better-Auth sessions.
+ * It verifies session tokens from Better-Auth cookies and returns an AuthContext.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BetterAuthSessionAdapter = void 0;
+exports.createBetterAuthSessionAdapter = createBetterAuthSessionAdapter;
+const interfaces_js_1 = require("./interfaces.js");
+const logger_js_1 = require("../logging/logger.js");
+const better_auth_schema_js_1 = require("./system/better-auth-schema.js");
+const schema_js_1 = require("./system/schema.js");
+/**
+ * Fetch organization and member data for a session
+ */
+async function fetchOrganizationData(db, activeOrganizationId, userId) {
+    try {
+        if (!db)
+            return null;
+        // Fetch the organization
+        const orgResult = await db.query(schema_js_1.AUTH_COLLECTIONS.organization)
+            .where({ _id: activeOrganizationId })
+            .findOne();
+        if (!orgResult)
+            return null;
+        // Fetch the member record for this user in the organization
+        const memberResult = await db.query(schema_js_1.AUTH_COLLECTIONS.member)
+            .where({
+            organizationId: activeOrganizationId,
+            userId: userId,
+        })
+            .findOne();
+        return {
+            tenant: {
+                _id: orgResult._id,
+                name: orgResult.name,
+                slug: orgResult.slug,
+                logo: orgResult.logo,
+                metadata: orgResult.metadata,
+                createdAt: orgResult.createdAt,
+                updatedAt: orgResult.updatedAt,
+            },
+            membership: memberResult ? {
+                _id: memberResult._id,
+                userId: memberResult.userId,
+                tenantId: memberResult.organizationId,
+                role: memberResult.role,
+                permissions: [], // Will be populated from role-based permissions
+                createdAt: memberResult.createdAt,
+            } : null,
+        };
+    }
+    catch (error) {
+        logger_js_1.logger.log({
+            timestamp: Date.now(),
+            level: "error",
+            kind: "system",
+            message: "Failed to fetch organization data",
+            context: { error: error instanceof Error ? error.message : String(error) },
+        });
+        return null;
+    }
+}
+/**
+ * Convert Better-Auth session to Archlast AuthContext
+ */
+async function betterAuthSessionToAuthContext(session, db, provider = "better-auth") {
+    if (!session || !session.user) {
+        return (0, interfaces_js_1.createUnauthenticatedAuthContext)(provider);
+    }
+    const user = session.user;
+    const activeOrganizationId = session.session?.activeOrganizationId;
+    // Fetch organization data if an active organization is set
+    let orgData = null;
+    if (activeOrganizationId && db) {
+        orgData = await fetchOrganizationData(db, activeOrganizationId, user.id);
+    }
+    // Determine role: prefer organization member role, fallback to user role
+    const role = orgData?.membership?.role || user.role || null;
+    const isAdmin = role === "admin" || role === "super-admin";
+    // Get permissions based on role
+    const permissions = (0, better_auth_schema_js_1.getPermissionsForRole)(role);
+    const base = {
+        type: "session",
+        userId: user.id || null,
+        isAuthenticated: true,
+        isAdminToken: isAdmin, // Set to true for admin/super-admin roles
+        provider,
+        raw: session,
+        // User data
+        user: {
+            _id: user.id,
+            email: user.email,
+            emailVerified: user.emailVerified,
+            name: user.name,
+            imageUrl: user.image,
+            createdAt: user.createdAt,
+            updatedAt: user.updatedAt,
+            // Better-Auth plugin fields
+            role: user.role,
+            banned: user.banned,
+            banReason: user.banReason,
+            banExpires: user.banExpires,
+            username: user.username,
+            isAnonymous: user.isAnonymous,
+        },
+        // Session data
+        session: {
+            _id: session.session?.id,
+            userId: session.session?.userId,
+            tenantId: activeOrganizationId || session.session?.tenantId || null,
+            expiresAt: session.session?.expiresAt,
+            lastActiveAt: session.session?.updatedAt || Date.now(),
+            // Better-Auth admin plugin fields
+            impersonatedBy: session.session?.impersonatedBy,
+            // Better-Auth organization plugin
+            activeOrganizationId: activeOrganizationId || null,
+        },
+        // API key fields (not applicable for session auth)
+        apiKeyId: null,
+        apiKey: null,
+        // Tenant data from organization plugin
+        tenant: orgData?.tenant || null,
+        membership: orgData?.membership || null,
+        tenantId: activeOrganizationId || null,
+        // Role and permissions from Better-Auth admin/organization plugins
+        role: role,
+        permissions: permissions,
+        // Authorization helpers (attached below)
+        hasPermission: null,
+        requireAuthenticated: null,
+        requireTenant: null,
+        requireRole: null,
+        requirePermission: null,
+    };
+    return (0, interfaces_js_1.attachAuthHelpers)(base);
+}
+/**
+ * Better-Auth session adapter
+ *
+ * This adapter verifies Better-Auth session tokens from cookies
+ * and converts them to Archlast AuthContext.
+ */
+class BetterAuthSessionAdapter {
+    name = "better-auth-session";
+    auth;
+    db;
+    constructor(options) {
+        this.auth = options.auth;
+        this.db = options.db;
+    }
+    /**
+     * Verify a Better-Auth session from the input
+     */
+    async verify(input) {
+        try {
+            // Get session token from cookies
+            const sessionToken = this.extractSessionToken(input);
+            if (!sessionToken) {
+                return null;
+            }
+            // Verify session with Better-Auth
+            // Better-Auth provides a session API that we can use
+            const session = await this.auth.api.getSession({
+                headers: this.createHeadersFromInput(input),
+            });
+            if (!session || !session.user) {
+                return null;
+            }
+            // Check if user is banned
+            if (session.user.banned) {
+                const banReason = session.user.banReason || "Account banned";
+                logger_js_1.logger.log({
+                    timestamp: Date.now(),
+                    level: "warn",
+                    kind: "system",
+                    message: "Banned user attempted to authenticate",
+                    context: {
+                        userId: session.user.id,
+                        banReason,
+                        banExpires: session.user.banExpires,
+                    },
+                });
+                return null;
+            }
+            return await betterAuthSessionToAuthContext(session, this.db, "better-auth");
+        }
+        catch (error) {
+            logger_js_1.logger.log({
+                timestamp: Date.now(),
+                level: "error",
+                kind: "system",
+                message: "Better-Auth session verification failed",
+                context: {
+                    error: error instanceof Error ? error.message : String(error),
+                },
+            });
+            return null;
+        }
+    }
+    /**
+     * Extract session token from cookies or headers
+     */
+    extractSessionToken(input) {
+        // Check cookies first
+        if (input.cookies) {
+            // Better-Auth default cookie name is "better-auth.session_token"
+            const sessionCookie = input.cookies["better-auth.session_token"];
+            if (sessionCookie) {
+                return sessionCookie;
+            }
+        }
+        // Check authorization header (bearer token)
+        if (input.headers?.authorization) {
+            const authHeader = input.headers.authorization;
+            if (authHeader.startsWith("Bearer ")) {
+                return authHeader.slice(7);
+            }
+        }
+        // Check the token field directly
+        if (input.token) {
+            return input.token;
+        }
+        return null;
+    }
+    /**
+     * Create headers object from AuthInput for Better-Auth API calls
+     */
+    createHeadersFromInput(input) {
+        const headers = {};
+        // Add cookie header
+        if (input.cookies) {
+            const cookieString = Object.entries(input.cookies)
+                .map(([key, value]) => `${key}=${value}`)
+                .join("; ");
+            headers.cookie = cookieString;
+        }
+        // Add authorization header
+        if (input.headers?.authorization) {
+            headers.authorization = input.headers.authorization;
+        }
+        return headers;
+    }
+}
+exports.BetterAuthSessionAdapter = BetterAuthSessionAdapter;
+/**
+ * Create a Better-Auth session adapter
+ */
+function createBetterAuthSessionAdapter(options) {
+    return new BetterAuthSessionAdapter(options);
+}
+//# sourceMappingURL=better-auth-session-adapter.js.map

package/dist/auth/better-auth-session-adapter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"better-auth-session-adapter.js","sourceRoot":"","sources":["../../src/auth/better-auth-session-adapter.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;AA4SH,wEAIC;AAzSD,mDAAsF;AACtF,oDAA8C;AAC9C,0EAAuE;AACvE,kDAAsD;AAiBtD;;GAEG;AACH,KAAK,UAAU,qBAAqB,CAChC,EAAO,EACP,oBAA4B,EAC5B,MAAc;IAEd,IAAI,CAAC;QACD,IAAI,CAAC,EAAE;YAAE,OAAO,IAAI,CAAC;QAErB,yBAAyB;QACzB,MAAM,SAAS,GAAG,MAAM,EAAE,CAAC,KAAK,CAAC,4BAAgB,CAAC,YAAY,CAAC;aAC1D,KAAK,CAAC,EAAE,GAAG,EAAE,oBAAoB,EAAE,CAAC;aACpC,OAAO,EAAE,CAAC;QAEf,IAAI,CAAC,SAAS;YAAE,OAAO,IAAI,CAAC;QAE5B,4DAA4D;QAC5D,MAAM,YAAY,GAAG,MAAM,EAAE,CAAC,KAAK,CAAC,4BAAgB,CAAC,MAAM,CAAC;aACvD,KAAK,CAAC;YACH,cAAc,EAAE,oBAAoB;YACpC,MAAM,EAAE,MAAM;SACjB,CAAC;aACD,OAAO,EAAE,CAAC;QAEf,OAAO;YACH,MAAM,EAAE;gBACJ,GAAG,EAAE,SAAS,CAAC,GAAG;gBAClB,IAAI,EAAE,SAAS,CAAC,IAAI;gBACpB,IAAI,EAAE,SAAS,CAAC,IAAI;gBACpB,IAAI,EAAE,SAAS,CAAC,IAAI;gBACpB,QAAQ,EAAE,SAAS,CAAC,QAAQ;gBAC5B,SAAS,EAAE,SAAS,CAAC,SAAS;gBAC9B,SAAS,EAAE,SAAS,CAAC,SAAS;aACjC;YACD,UAAU,EAAE,YAAY,CAAC,CAAC,CAAC;gBACvB,GAAG,EAAE,YAAY,CAAC,GAAG;gBACrB,MAAM,EAAE,YAAY,CAAC,MAAM;gBAC3B,QAAQ,EAAE,YAAY,CAAC,cAAc;gBACrC,IAAI,EAAE,YAAY,CAAC,IAAI;gBACvB,WAAW,EAAE,EAAE,EAAE,gDAAgD;gBACjE,SAAS,EAAE,YAAY,CAAC,SAAS;aACpC,CAAC,CAAC,CAAC,IAAI;SACX,CAAC;IACN,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACb,kBAAM,CAAC,GAAG,CAAC;YACP,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;YACrB,KAAK,EAAE,OAAO;YACd,IAAI,EAAE,QAAQ;YACd,OAAO,EAAE,mCAAmC;YAC5C,OAAO,EAAE,EAAE,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE;SAC7E,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IAChB,CAAC;AACL,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,8BAA8B,CACzC,OAAY,EACZ,EAAO,EACP,WAA0B,aAAa;IAEvC,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QAC5B,OAAO,IAAA,gDAAgC,EAAC,QAAQ,CAAC,CAAC;IACtD,CAAC;IAED,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;IAC1B,MAAM,oBAAoB,GAAG,OAAO,CAAC,OAAO,EAAE,oBAAoB,CAAC;IAEnE,2DAA2D;IAC3D,IAAI,OAAO,GAA4C,IAAI,CAAC;IAC5D,IAAI,oBAAoB,IAAI,EAAE,EAAE,CAAC;QAC7B,OAAO,GAAG,MAAM,qBAAqB,CAAC,EAAE,EAAE,oBAAoB,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC;IAC7E,CAAC;IAED,yEAAyE;IACzE,MAAM,IAAI,GAAG,OAAO,EAAE,UAAU,EAAE,IAAI,IAAI,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC;IAC5D,MAAM,OAAO,GAAG,IAAI,KAAK,OAAO,IAAI,IAAI,KAAK,aAAa,CAAC;IAE3D,gCAAgC;IAChC,MAAM,WAAW,GAAG,IAAA,6CAAqB,EAAC,IAAI,CAAC,CAAC;IAEhD,MAAM,IAAI,GAAG;QACT,IAAI,EAAE,SAAkB;QACxB,MAAM,EAAE,IAAI,CAAC,EAAE,IAAI,IAAI;QACvB,eAAe,EAAE,IAAI;QACrB,YAAY,EAAE,OAAO,EAAE,0CAA0C;QACjE,QAAQ;QACR,GAAG,EAAE,OAAO;QAEZ,YAAY;QACZ,IAAI,EAAE;YACF,GAAG,EAAE,IAAI,CAAC,EAAE;YACZ,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,aAAa,EAAE,IAAI,CAAC,aAAa;YACjC,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,QAAQ,EAAE,IAAI,CAAC,KAAK;YACpB,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,4BAA4B;YAC5B,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,UAAU,EAAE,IAAI,CAAC,UAAU;YAC3B,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,WAAW,EAAE,IAAI,CAAC,WAAW;SAChC;QAED,eAAe;QACf,OAAO,EAAE;YACL,GAAG,EAAE,OAAO,CAAC,OAAO,EAAE,EAAE;YACxB,MAAM,EAAE,OAAO,CAAC,OAAO,EAAE,MAAM;YAC/B,QAAQ,EAAE,oBAAoB,IAAI,OAAO,CAAC,OAAO,EAAE,QAAQ,IAAI,IAAI;YACnE,SAAS,EAAE,OAAO,CAAC,OAAO,EAAE,SAAS;YACrC,YAAY,EAAE,OAAO,CAAC,OAAO,EAAE,SAAS,IAAI,IAAI,CAAC,GAAG,EAAE;YACtD,kCAAkC;YAClC,cAAc,EAAE,OAAO,CAAC,OAAO,EAAE,cAAc;YAC/C,kCAAkC;YAClC,oBAAoB,EAAE,oBAAoB,IAAI,IAAI;SACrD;QAED,mDAAmD;QACnD,QAAQ,EAAE,IAAI;QACd,MAAM,EAAE,IAAI;QAEZ,uCAAuC;QACvC,MAAM,EAAE,OAAO,EAAE,MAAM,IAAI,IAAI;QAC/B,UAAU,EAAE,OAAO,EAAE,UAAU,IAAI,IAAI;QACvC,QAAQ,EAAE,oBAAoB,IAAI,IAAI;QAEtC,mEAAmE;QACnE,IAAI,EAAE,IAAI;QACV,WAAW,EAAE,WAAW;QAExB,yCAAyC;QACzC,aAAa,EAAE,IAAW;QAC1B,oBAAoB,EAAE,IAAW;QACjC,aAAa,EAAE,IAAW;QAC1B,WAAW,EAAE,IAAW;QACxB,iBAAiB,EAAE,IAAW;KACjC,CAAC;IAEF,OAAO,IAAA,iCAAiB,EAAC,IAAI,CAAC,CAAC;AACnC,CAAC;AAED;;;;;GAKG;AACH,MAAa,wBAAwB;IACjC,IAAI,GAAG,qBAAqB,CAAC;IAErB,IAAI,CAAM;IACV,EAAE,CAAO;IAEjB,YAAY,OAAwC;QAChD,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;QACzB,IAAI,CAAC,EAAE,GAAG,OAAO,CAAC,EAAE,CAAC;IACzB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,MAAM,CAAC,KAAgB;QACzB,IAAI,CAAC;YACD,iCAAiC;YACjC,MAAM,YAAY,GAAG,IAAI,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC;YACrD,IAAI,CAAC,YAAY,EAAE,CAAC;gBAChB,OAAO,IAAI,CAAC;YAChB,CAAC;YAED,kCAAkC;YAClC,qDAAqD;YACrD,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC;gBAC3C,OAAO,EAAE,IAAI,CAAC,sBAAsB,CAAC,KAAK,CAAC;aAC9C,CAAC,CAAC;YAEH,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;gBAC5B,OAAO,IAAI,CAAC;YAChB,CAAC;YAED,0BAA0B;YAC1B,IAAI,OAAO,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;gBACtB,MAAM,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,SAAS,IAAI,gBAAgB,CAAC;gBAC7D,kBAAM,CAAC,GAAG,CAAC;oBACP,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;oBACrB,KAAK,EAAE,MAAM;oBACb,IAAI,EAAE,QAAQ;oBACd,OAAO,EAAE,uCAAuC;oBAChD,OAAO,EAAE;wBACL,MAAM,EAAE,OAAO,CAAC,IAAI,CAAC,EAAE;wBACvB,SAAS;wBACT,UAAU,EAAE,OAAO,CAAC,IAAI,CAAC,UAAU;qBACtC;iBACJ,CAAC,CAAC;gBACH,OAAO,IAAI,CAAC;YAChB,CAAC;YAED,OAAO,MAAM,8BAA8B,CAAC,OAAO,EAAE,IAAI,CAAC,EAAE,EAAE,aAAa,CAAC,CAAC;QACjF,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACb,kBAAM,CAAC,GAAG,CAAC;gBACP,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;gBACrB,KAAK,EAAE,OAAO;gBACd,IAAI,EAAE,QAAQ;gBACd,OAAO,EAAE,yCAAyC;gBAClD,OAAO,EAAE;oBACL,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;iBAChE;aACJ,CAAC,CAAC;YACH,OAAO,IAAI,CAAC;QAChB,CAAC;IACL,CAAC;IAED;;OAEG;IACK,mBAAmB,CAAC,KAAgB;QACxC,sBAAsB;QACtB,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;YAChB,iEAAiE;YACjE,MAAM,aAAa,GAAG,KAAK,CAAC,OAAO,CAAC,2BAA2B,CAAC,CAAC;YACjE,IAAI,aAAa,EAAE,CAAC;gBAChB,OAAO,aAAa,CAAC;YACzB,CAAC;QACL,CAAC;QAED,4CAA4C;QAC5C,IAAI,KAAK,CAAC,OAAO,EAAE,aAAa,EAAE,CAAC;YAC/B,MAAM,UAAU,GAAG,KAAK,CAAC,OAAO,CAAC,aAAa,CAAC;YAC/C,IAAI,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;gBACnC,OAAO,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YAC/B,CAAC;QACL,CAAC;QAED,iCAAiC;QACjC,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;YACd,OAAO,KAAK,CAAC,KAAK,CAAC;QACvB,CAAC;QAED,OAAO,IAAI,CAAC;IAChB,CAAC;IAED;;OAEG;IACK,sBAAsB,CAAC,KAAgB;QAC3C,MAAM,OAAO,GAA2B,EAAE,CAAC;QAE3C,oBAAoB;QACpB,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;YAChB,MAAM,YAAY,GAAG,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC;iBAC7C,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,IAAI,KAAK,EAAE,CAAC;iBACxC,IAAI,CAAC,IAAI,CAAC,CAAC;YAChB,OAAO,CAAC,MAAM,GAAG,YAAY,CAAC;QAClC,CAAC;QAED,2BAA2B;QAC3B,IAAI,KAAK,CAAC,OAAO,EAAE,aAAa,EAAE,CAAC;YAC/B,OAAO,CAAC,aAAa,GAAG,KAAK,CAAC,OAAO,CAAC,aAAa,CAAC;QACxD,CAAC;QAED,OAAO,OAAO,CAAC;IACnB,CAAC;CACJ;AAlHD,4DAkHC;AAED;;GAEG;AACH,SAAgB,8BAA8B,CAC1C,OAAwC;IAExC,OAAO,IAAI,wBAAwB,CAAC,OAAO,CAAC,CAAC;AACjD,CAAC"}

package/dist/auth/errors.d.ts

@@ -0,0 +1,18 @@
+export declare class AuthError extends Error {
+    code: string;
+    httpStatus: number;
+    constructor(code: string, message: string, httpStatus?: number);
+}
+export declare const AuthErrors: {
+    INVALID_CREDENTIALS: AuthError;
+    SESSION_EXPIRED: AuthError;
+    ACCOUNT_BANNED: AuthError;
+    EMAIL_NOT_VERIFIED: AuthError;
+    USER_NOT_FOUND: AuthError;
+    RATE_LIMITED: AuthError;
+    INVALID_API_KEY: AuthError;
+    API_KEY_REQUIRED: AuthError;
+    EMAIL_REQUIRED: AuthError;
+    PASSWORD_REQUIRED: AuthError;
+};
+//# sourceMappingURL=errors.d.ts.map

package/dist/auth/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/auth/errors.ts"],"names":[],"mappings":"AAAA,qBAAa,SAAU,SAAQ,KAAK;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;gBAEP,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,UAAU,GAAE,MAAY;CAMtE;AAED,eAAO,MAAM,UAAU;;;;;;;;;;;CAWtB,CAAC"}

package/dist/auth/errors.js

@@ -0,0 +1,27 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthErrors = exports.AuthError = void 0;
+class AuthError extends Error {
+    code;
+    httpStatus;
+    constructor(code, message, httpStatus = 401) {
+        super(message);
+        this.name = 'AuthError';
+        this.code = code;
+        this.httpStatus = httpStatus;
+    }
+}
+exports.AuthError = AuthError;
+exports.AuthErrors = {
+    INVALID_CREDENTIALS: new AuthError('AUTH_INVALID_CREDENTIALS', 'Invalid email or password', 401),
+    SESSION_EXPIRED: new AuthError('AUTH_SESSION_EXPIRED', 'Session has expired', 401),
+    ACCOUNT_BANNED: new AuthError('AUTH_ACCOUNT_BANNED', 'Account has been suspended', 403),
+    EMAIL_NOT_VERIFIED: new AuthError('AUTH_EMAIL_NOT_VERIFIED', 'Email address not verified', 403),
+    USER_NOT_FOUND: new AuthError('AUTH_USER_NOT_FOUND', 'User not found', 404),
+    RATE_LIMITED: new AuthError('AUTH_RATE_LIMITED', 'Too many requests', 429),
+    INVALID_API_KEY: new AuthError('AUTH_INVALID_API_KEY', 'Invalid API key format', 401),
+    API_KEY_REQUIRED: new AuthError('AUTH_API_KEY_REQUIRED', 'API key is required', 401),
+    EMAIL_REQUIRED: new AuthError('AUTH_EMAIL_REQUIRED', 'Email is required', 400),
+    PASSWORD_REQUIRED: new AuthError('AUTH_PASSWORD_REQUIRED', 'Password is required', 400),
+};
+//# sourceMappingURL=errors.js.map

package/dist/auth/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../src/auth/errors.ts"],"names":[],"mappings":";;;AAAA,MAAa,SAAU,SAAQ,KAAK;IAChC,IAAI,CAAS;IACb,UAAU,CAAS;IAEnB,YAAY,IAAY,EAAE,OAAe,EAAE,aAAqB,GAAG;QAC/D,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,WAAW,CAAC;QACxB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;IACjC,CAAC;CACJ;AAVD,8BAUC;AAEY,QAAA,UAAU,GAAG;IACtB,mBAAmB,EAAE,IAAI,SAAS,CAAC,0BAA0B,EAAE,2BAA2B,EAAE,GAAG,CAAC;IAChG,eAAe,EAAE,IAAI,SAAS,CAAC,sBAAsB,EAAE,qBAAqB,EAAE,GAAG,CAAC;IAClF,cAAc,EAAE,IAAI,SAAS,CAAC,qBAAqB,EAAE,4BAA4B,EAAE,GAAG,CAAC;IACvF,kBAAkB,EAAE,IAAI,SAAS,CAAC,yBAAyB,EAAE,4BAA4B,EAAE,GAAG,CAAC;IAC/F,cAAc,EAAE,IAAI,SAAS,CAAC,qBAAqB,EAAE,gBAAgB,EAAE,GAAG,CAAC;IAC3E,YAAY,EAAE,IAAI,SAAS,CAAC,mBAAmB,EAAE,mBAAmB,EAAE,GAAG,CAAC;IAC1E,eAAe,EAAE,IAAI,SAAS,CAAC,sBAAsB,EAAE,wBAAwB,EAAE,GAAG,CAAC;IACrF,gBAAgB,EAAE,IAAI,SAAS,CAAC,uBAAuB,EAAE,qBAAqB,EAAE,GAAG,CAAC;IACpF,cAAc,EAAE,IAAI,SAAS,CAAC,qBAAqB,EAAE,mBAAmB,EAAE,GAAG,CAAC;IAC9E,iBAAiB,EAAE,IAAI,SAAS,CAAC,wBAAwB,EAAE,sBAAsB,EAAE,GAAG,CAAC;CAC1F,CAAC"}

package/dist/auth/http/handlers.d.ts

@@ -0,0 +1,17 @@
+/**
+ * NOTE: This file intentionally contains no implementation.
+ *
+ * Rationale:
+ * - The platform auth HTTP endpoints are currently implemented inline in
+ *   `packages/server/src/index.ts` within the main `fetch()` handler.
+ * - Keeping a stub file here avoids broken imports if other modules reference
+ *   `@archlast/server/auth/http/handlers` in the future, while we iterate.
+ *
+ * When we refactor:
+ * - Move the inline `/_auth/*` handlers out of `index.ts` into this module.
+ * - Keep the handlers dependency-injected (db, authResolver, logger, isDev),
+ *   and return `Response` objects with correct CORS/cookie handling.
+ */
+export type AuthHttpHandlersModulePresent = true;
+export declare const AUTH_HTTP_HANDLERS_MODULE_PRESENT: AuthHttpHandlersModulePresent;
+//# sourceMappingURL=handlers.d.ts.map

package/dist/auth/http/handlers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"handlers.d.ts","sourceRoot":"","sources":["../../../src/auth/http/handlers.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAGH,MAAM,MAAM,6BAA6B,GAAG,IAAI,CAAC;AACjD,eAAO,MAAM,iCAAiC,EAAE,6BAAoC,CAAC"}

package/dist/auth/http/handlers.js

@@ -0,0 +1,19 @@
+"use strict";
+/**
+ * NOTE: This file intentionally contains no implementation.
+ *
+ * Rationale:
+ * - The platform auth HTTP endpoints are currently implemented inline in
+ *   `packages/server/src/index.ts` within the main `fetch()` handler.
+ * - Keeping a stub file here avoids broken imports if other modules reference
+ *   `@archlast/server/auth/http/handlers` in the future, while we iterate.
+ *
+ * When we refactor:
+ * - Move the inline `/_auth/*` handlers out of `index.ts` into this module.
+ * - Keep the handlers dependency-injected (db, authResolver, logger, isDev),
+ *   and return `Response` objects with correct CORS/cookie handling.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AUTH_HTTP_HANDLERS_MODULE_PRESENT = void 0;
+exports.AUTH_HTTP_HANDLERS_MODULE_PRESENT = true;
+//# sourceMappingURL=handlers.js.map

package/dist/auth/http/handlers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"handlers.js","sourceRoot":"","sources":["../../../src/auth/http/handlers.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;;AAIU,QAAA,iCAAiC,GAAkC,IAAI,CAAC"}

package/dist/auth/interfaces.d.ts

@@ -0,0 +1,138 @@
+export type AuthInput = {
+    token?: string;
+    cookies?: Record<string, string>;
+    headers?: Record<string, string>;
+};
+export type AuthUser = {
+    _id: string;
+    email?: string;
+    emailVerified?: boolean;
+    name?: string;
+    imageUrl?: string;
+    createdAt?: number;
+    updatedAt?: number;
+    _collection?: string;
+};
+export type AuthSession = {
+    _id: string;
+    userId: string;
+    tenantId: string | null;
+    expiresAt: number;
+    lastActiveAt: number;
+    revokedAt?: number;
+    rotatedFrom?: string;
+    createdAt?: number;
+    updatedAt?: number;
+    _collection?: string;
+};
+export type AuthTenant = {
+    _id: string;
+    name?: string;
+    ownerId?: string;
+    createdAt?: number;
+    updatedAt?: number;
+    _collection?: string;
+};
+export type AuthMembership = {
+    _id: string;
+    tenantId: string;
+    userId: string;
+    role?: string;
+    permissions?: string[];
+    createdAt?: number;
+    updatedAt?: number;
+    _collection?: string;
+};
+export type AuthApiKey = {
+    _id: string;
+    tenantId: string;
+    name: string;
+    description?: string;
+    keyHash: string;
+    keyPrefix: string;
+    permissions: string[];
+    scopes: string[];
+    createdAt: number;
+    createdBy?: string;
+    lastUsedAt?: number;
+    expiresAt?: number;
+    revokedAt?: number;
+    revokedBy?: string;
+    revokedReason?: string;
+    metadata?: {
+        allowedIps?: string[];
+        rateLimit?: number;
+        environment?: string;
+    };
+    _collection?: string;
+};
+export type AuthContext = {
+    /**
+     * Authentication type: session (user), apiKey (machine), or unauthenticated
+     */
+    type: "session" | "apiKey" | "unauthenticated";
+    /**
+     * Back-compat: `userId` remains the primary indicator for "who".
+     * Note: API key auth will have userId = null
+     */
+    userId: string | null;
+    /**
+     * High-level flags.
+     */
+    isAuthenticated: boolean;
+    /**
+     * Admin token authentication flag.
+     * When true, the client authenticated using an admin token (sat_ prefix).
+     * Edge functions (query/mutation/action) require this flag to be true.
+     */
+    isAdminToken: boolean;
+    /**
+     * Authentication provider identifier.
+     */
+    provider: "archlast" | "better-auth" | "mock" | "other";
+    /**
+     * Raw adapter output / provider session payload (redacted as needed).
+     */
+    raw: unknown;
+    /**
+     * Session-based auth objects (tenant-aware).
+     * These will be `null` when unauthenticated or using API key auth.
+     */
+    user: AuthUser | null;
+    session: AuthSession | null;
+    /**
+     * API key auth objects.
+     * These will be `null` when unauthenticated or using session auth.
+     */
+    apiKeyId: string | null;
+    apiKey: AuthApiKey | null;
+    /**
+     * Common auth objects (available for both session and API key auth).
+     */
+    tenant: AuthTenant | null;
+    membership: AuthMembership | null;
+    /**
+     * Tenant ID - available for both session and API key auth.
+     */
+    tenantId: string | null;
+    /**
+     * Derived authorization data.
+     */
+    role: string | null;
+    permissions: string[];
+    /**
+     * Authorization helpers (enforced server-side).
+     */
+    hasPermission: (permission: string) => boolean;
+    requireAuthenticated: () => void;
+    requireTenant: () => void;
+    requireRole: (role: string | string[]) => void;
+    requirePermission: (permission: string) => void;
+};
+export declare function createUnauthenticatedAuthContext(provider?: AuthContext["provider"]): AuthContext;
+export declare function attachAuthHelpers(base: Omit<AuthContext, "hasPermission" | "requireAuthenticated" | "requireTenant" | "requireRole" | "requirePermission">): AuthContext;
+export interface AuthAdapter {
+    name: string;
+    verify(input: AuthInput): Promise<AuthContext | null>;
+}
+//# sourceMappingURL=interfaces.d.ts.map

package/dist/auth/interfaces.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"interfaces.d.ts","sourceRoot":"","sources":["../../src/auth/interfaces.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,SAAS,GAAG;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACpC,CAAC;AAEF,MAAM,MAAM,QAAQ,GAAG;IACnB,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AAEF,MAAM,MAAM,WAAW,GAAG;IACtB,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AAEF,MAAM,MAAM,UAAU,GAAG;IACrB,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AAEF,MAAM,MAAM,cAAc,GAAG;IACzB,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AAEF,MAAM,MAAM,UAAU,GAAG;IACrB,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,EAAE;QACP,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;QACtB,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,WAAW,CAAC,EAAE,MAAM,CAAC;KACxB,CAAC;IACF,WAAW,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AAEF,MAAM,MAAM,WAAW,GAAG;IACtB;;OAEG;IACH,IAAI,EAAE,SAAS,GAAG,QAAQ,GAAG,iBAAiB,CAAC;IAE/C;;;OAGG;IACH,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IAEtB;;OAEG;IACH,eAAe,EAAE,OAAO,CAAC;IAEzB;;;;OAIG;IACH,YAAY,EAAE,OAAO,CAAC;IAEtB;;OAEG;IACH,QAAQ,EAAE,UAAU,GAAG,aAAa,GAAG,MAAM,GAAG,OAAO,CAAC;IAExD;;OAEG;IACH,GAAG,EAAE,OAAO,CAAC;IAEb;;;OAGG;IACH,IAAI,EAAE,QAAQ,GAAG,IAAI,CAAC;IACtB,OAAO,EAAE,WAAW,GAAG,IAAI,CAAC;IAE5B;;;OAGG;IACH,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,MAAM,EAAE,UAAU,GAAG,IAAI,CAAC;IAE1B;;OAEG;IACH,MAAM,EAAE,UAAU,GAAG,IAAI,CAAC;IAC1B,UAAU,EAAE,cAAc,GAAG,IAAI,CAAC;IAElC;;OAEG;IACH,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IAExB;;OAEG;IACH,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,WAAW,EAAE,MAAM,EAAE,CAAC;IAEtB;;OAEG;IACH,aAAa,EAAE,CAAC,UAAU,EAAE,MAAM,KAAK,OAAO,CAAC;IAC/C,oBAAoB,EAAE,MAAM,IAAI,CAAC;IACjC,aAAa,EAAE,MAAM,IAAI,CAAC;IAC1B,WAAW,EAAE,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,KAAK,IAAI,CAAC;IAC/C,iBAAiB,EAAE,CAAC,UAAU,EAAE,MAAM,KAAK,IAAI,CAAC;CACnD,CAAC;AAEF,wBAAgB,gCAAgC,CAC5C,QAAQ,GAAE,WAAW,CAAC,UAAU,CAAc,GAC/C,WAAW,CAuCb;AAsBD,wBAAgB,iBAAiB,CAC7B,IAAI,EAAE,IAAI,CACN,WAAW,EACT,eAAe,GACf,sBAAsB,GACtB,eAAe,GACf,aAAa,GACb,mBAAmB,CACxB,GACF,WAAW,CAmDb;AAED,MAAM,WAAW,WAAW;IACxB,IAAI,EAAE,MAAM,CAAC;IAEb,MAAM,CAAC,KAAK,EAAE,SAAS,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;CACzD"}

package/dist/auth/interfaces.js

@@ -0,0 +1,105 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createUnauthenticatedAuthContext = createUnauthenticatedAuthContext;
+exports.attachAuthHelpers = attachAuthHelpers;
+function createUnauthenticatedAuthContext(provider = "archlast") {
+    const deny = () => false;
+    const ctx = {
+        type: "unauthenticated",
+        userId: null,
+        isAuthenticated: false,
+        isAdminToken: false,
+        provider,
+        raw: null,
+        user: null,
+        session: null,
+        apiKeyId: null,
+        apiKey: null,
+        tenant: null,
+        membership: null,
+        tenantId: null,
+        role: null,
+        permissions: [],
+        hasPermission: deny,
+        requireAuthenticated: () => {
+            throw new Error("Unauthenticated");
+        },
+        requireTenant: () => {
+            throw new Error("Unauthenticated");
+        },
+        requireRole: () => {
+            throw new Error("Unauthenticated");
+        },
+        requirePermission: () => {
+            throw new Error("Unauthenticated");
+        },
+    };
+    return ctx;
+}
+function hasPermission(permissions, permission) {
+    if (!permission)
+        return false;
+    if (!permissions || permissions.length === 0)
+        return false;
+    for (const p of permissions) {
+        if (p === "*")
+            return true;
+        if (p === permission)
+            return true;
+        if (p.endsWith(".*")) {
+            const prefix = p.slice(0, -2);
+            if (permission === prefix)
+                return true;
+            if (permission.startsWith(prefix + "."))
+                return true;
+        }
+    }
+    return false;
+}
+function attachAuthHelpers(base) {
+    const ctx = {
+        ...base,
+        hasPermission: (permission) => hasPermission(base.permissions, permission),
+        requireAuthenticated: () => {
+            if (!base.isAuthenticated) {
+                throw new Error("Unauthenticated");
+            }
+            // API keys are authenticated but have no userId
+            if (base.type === "session" && !base.userId) {
+                throw new Error("Unauthenticated");
+            }
+        },
+        requireTenant: () => {
+            if (!base.isAuthenticated) {
+                throw new Error("Unauthenticated");
+            }
+            if (!base.tenantId) {
+                throw new Error("No tenant selected");
+            }
+        },
+        requireRole: (role) => {
+            if (!base.isAuthenticated) {
+                throw new Error("Unauthenticated");
+            }
+            // API keys don't have roles - they use permissions
+            if (base.type === "apiKey") {
+                throw new Error("API keys cannot use role-based checks");
+            }
+            const required = Array.isArray(role) ? role : [role];
+            const current = base.role ?? null;
+            if (!current || !required.includes(current)) {
+                throw new Error("Forbidden");
+            }
+        },
+        requirePermission: (permission) => {
+            if (!base.isAuthenticated) {
+                throw new Error("Unauthenticated");
+            }
+            if (!hasPermission(base.permissions, permission)) {
+                throw new Error(`Forbidden: missing permission '${permission}'`);
+            }
+        },
+    };
+    return ctx;
+}
+//# sourceMappingURL=interfaces.js.map