@augmenting-integrations/auth 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Augmenting Integrations LLC
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/dist/index.d.ts

@@ -0,0 +1,65 @@
+import { type DefaultSession } from "next-auth";
+export type Role = "visitor" | "sales" | "agent" | "admin";
+declare module "next-auth" {
+    interface Session {
+        user: {
+            role: Role;
+        } & DefaultSession["user"];
+    }
+    interface User {
+        role: Role;
+    }
+}
+export type CreateAuthOptions = {
+    /**
+     * Path prefixes that require an authenticated session.
+     * Empty array = no gating (rare).
+     */
+    authedRoutePrefixes: string[];
+    /**
+     * Page to redirect to when an unauthed user hits a gated route. Can be a
+     * relative path (`"/login"`) for in-app login, or a fully-qualified URL
+     * (`"https://compass.aillc.link/login"`) to delegate login to a peer app
+     * on a sibling subdomain. Default: `/login`.
+     */
+    signInPage?: string;
+    /**
+     * Cookie domain for the session token. Set this to the parent domain
+     * (e.g. `.compass.aillc.link`) when running across multiple subdomains
+     * so the session JWT is readable by every app sharing that parent.
+     * Default: read from `process.env.AUTH_COOKIE_DOMAIN`; if unset, Auth.js
+     * defaults to host-only (current request hostname).
+     *
+     * In dev (NODE_ENV !== "production"), this is ignored — cookies stay
+     * scoped to localhost so per-port apps don't collide.
+     */
+    cookieDomain?: string;
+    /**
+     * Override prod/dev detection. Default reads NODE_ENV.
+     */
+    isProd?: boolean;
+};
+/**
+ * Build an Auth.js v5 NextAuth() invocation. Each consuming app calls this
+ * once at module scope and re-exports the returned `handlers`, `auth`,
+ * `signIn`, `signOut`.
+ *
+ * Cognito creds are read from process.env (typically set from SSM at deploy):
+ *   AUTH_COGNITO_ID, AUTH_COGNITO_SECRET, AUTH_COGNITO_ISSUER, AUTH_SECRET
+ */
+export declare function createAuth(opts: CreateAuthOptions): import("next-auth").NextAuthResult;
+/**
+ * Convenience: build the proxy default-export for `src/proxy.ts`. In Next 16
+ * the proxy must be a default export and must live at `src/proxy.ts` — the
+ * named-export form throws "TypeError: adapterFn is not a function".
+ *
+ * Usage:
+ *   // src/proxy.ts
+ *   import { auth } from "@/lib/auth";
+ *   export default auth;
+ *   export const config = {
+ *     matcher: ["/dashboard", "/dashboard/:path*"],
+ *   };
+ */
+export type { NextAuthConfig } from "next-auth";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAeA,OAAiB,EAAE,KAAK,cAAc,EAAuB,MAAM,WAAW,CAAC;AAI/E,MAAM,MAAM,IAAI,GAAG,SAAS,GAAG,OAAO,GAAG,OAAO,GAAG,OAAO,CAAC;AAI3D,OAAO,QAAQ,WAAW,CAAC;IACzB,UAAU,OAAO;QACf,IAAI,EAAE;YACJ,IAAI,EAAE,IAAI,CAAC;SACZ,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;KAC5B;IACD,UAAU,IAAI;QACZ,IAAI,EAAE,IAAI,CAAC;KACZ;CACF;AAED,MAAM,MAAM,iBAAiB,GAAG;IAC9B;;;OAGG;IACH,mBAAmB,EAAE,MAAM,EAAE,CAAC;IAC9B;;;;;OAKG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;;;;;;;;OASG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;OAEG;IACH,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB,CAAC;AAUF;;;;;;;GAOG;AACH,wBAAgB,UAAU,CAAC,IAAI,EAAE,iBAAiB,sCAoGjD;AAED;;;;;;;;;;;;GAYG;AACH,YAAY,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC"}

package/dist/index.js

@@ -0,0 +1,130 @@
+// Auth.js v5 (the package is still distributed as `next-auth`, but treat
+// these as Auth.js v5 internally — docs at https://authjs.dev, NOT
+// next-auth.js.org which is v4 and incompatible).
+//
+// Provider strategy:
+//   - Production: Cognito OIDC. Group membership from `cognito:groups`
+//     drives role.
+//   - Dev / preview: Credentials with a role picker, BUT shaped to mirror
+//     Cognito's claim payload so consumers (callbacks, gates, audit logs)
+//     never branch on environment. Same `sub`, `email`, `cognito:groups`
+//     in both modes.
+//
+// IMPORTANT: do not let the dev-mode session diverge from production. If
+// you add a claim in prod, also add it (with a synthetic value) in dev.
+import NextAuth from "next-auth";
+import Credentials from "next-auth/providers/credentials";
+import Cognito from "next-auth/providers/cognito";
+const VALID_ROLES = ["visitor", "sales", "agent", "admin"];
+function roleFromGroups(groups) {
+    if (Array.isArray(groups) && groups.length > 0) {
+        const first = String(groups[0]).toLowerCase();
+        if (VALID_ROLES.includes(first))
+            return first;
+    }
+    return "visitor";
+}
+/**
+ * Build an Auth.js v5 NextAuth() invocation. Each consuming app calls this
+ * once at module scope and re-exports the returned `handlers`, `auth`,
+ * `signIn`, `signOut`.
+ *
+ * Cognito creds are read from process.env (typically set from SSM at deploy):
+ *   AUTH_COGNITO_ID, AUTH_COGNITO_SECRET, AUTH_COGNITO_ISSUER, AUTH_SECRET
+ */
+export function createAuth(opts) {
+    const isProd = opts.isProd ?? process.env.NODE_ENV === "production";
+    const signInPage = opts.signInPage ?? "/login";
+    // Cookie domain is only honored in production. In dev, leaving it unset
+    // keeps the cookie scoped to localhost so apps on different ports don't
+    // stomp on each other.
+    const cookieDomain = isProd
+        ? (opts.cookieDomain ?? process.env.AUTH_COOKIE_DOMAIN)
+        : undefined;
+    const SECRET = process.env.AUTH_SECRET ?? (isProd ? undefined : "dev-only-fallback-not-for-prod");
+    const config = {
+        secret: SECRET,
+        cookies: cookieDomain
+            ? {
+                sessionToken: {
+                    name: "authjs.session-token",
+                    options: {
+                        domain: cookieDomain,
+                        sameSite: "lax",
+                        secure: true,
+                        httpOnly: true,
+                        path: "/",
+                    },
+                },
+            }
+            : undefined,
+        providers: isProd
+            ? [
+                Cognito({
+                    clientId: process.env.AUTH_COGNITO_ID,
+                    clientSecret: process.env.AUTH_COGNITO_SECRET,
+                    issuer: process.env.AUTH_COGNITO_ISSUER,
+                }),
+            ]
+            : [
+                Credentials({
+                    name: "Mock role (dev only)",
+                    credentials: {
+                        role: {
+                            label: "Role",
+                            type: "text",
+                            placeholder: "visitor | sales | agent | admin",
+                        },
+                    },
+                    authorize: async (credentials) => {
+                        const role = credentials?.role;
+                        if (!role || !VALID_ROLES.includes(role))
+                            return null;
+                        const display = role.charAt(0).toUpperCase() + role.slice(1);
+                        return {
+                            id: `mock-${role}`,
+                            name: `${display} (mock)`,
+                            email: `${role}@example.local`,
+                            role,
+                        };
+                    },
+                }),
+            ],
+        session: { strategy: "jwt" },
+        callbacks: {
+            jwt: ({ token, user, profile }) => {
+                if (user) {
+                    token.sub ??= user.id ?? undefined;
+                    token.email ??= user.email ?? undefined;
+                    if (!isProd && user.role) {
+                        token["cognito:groups"] = [
+                            user.role,
+                        ];
+                    }
+                }
+                if (isProd && profile) {
+                    const groups = profile["cognito:groups"];
+                    if (groups) {
+                        token["cognito:groups"] = groups;
+                    }
+                }
+                return token;
+            },
+            session: ({ session, token }) => {
+                session.user.role = roleFromGroups(token["cognito:groups"]);
+                return session;
+            },
+            authorized: ({ auth: session, request: { nextUrl } }) => {
+                const path = nextUrl.pathname;
+                const isAuthedRoute = opts.authedRoutePrefixes.some((prefix) => path === prefix || path.startsWith(`${prefix}/`));
+                if (!session && isAuthedRoute)
+                    return false;
+                return true;
+            },
+        },
+        pages: { signIn: signInPage },
+        trustHost: true,
+    };
+    return NextAuth(config);
+}
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,yEAAyE;AACzE,mEAAmE;AACnE,kDAAkD;AAClD,EAAE;AACF,qBAAqB;AACrB,uEAAuE;AACvE,mBAAmB;AACnB,0EAA0E;AAC1E,0EAA0E;AAC1E,yEAAyE;AACzE,qBAAqB;AACrB,EAAE;AACF,yEAAyE;AACzE,wEAAwE;AAExE,OAAO,QAAsD,MAAM,WAAW,CAAC;AAC/E,OAAO,WAAW,MAAM,iCAAiC,CAAC;AAC1D,OAAO,OAAO,MAAM,6BAA6B,CAAC;AAIlD,MAAM,WAAW,GAAW,CAAC,SAAS,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;AA2CnE,SAAS,cAAc,CAAC,MAAe;IACrC,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/C,MAAM,KAAK,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;QAC9C,IAAK,WAAwB,CAAC,QAAQ,CAAC,KAAK,CAAC;YAAE,OAAO,KAAa,CAAC;IACtE,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,UAAU,CAAC,IAAuB;IAChD,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC;IACpE,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,QAAQ,CAAC;IAC/C,wEAAwE;IACxE,wEAAwE;IACxE,uBAAuB;IACvB,MAAM,YAAY,GAAG,MAAM;QACzB,CAAC,CAAC,CAAC,IAAI,CAAC,YAAY,IAAI,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC;QACvD,CAAC,CAAC,SAAS,CAAC;IAEd,MAAM,MAAM,GACV,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,gCAAgC,CAAC,CAAC;IAErF,MAAM,MAAM,GAAmB;QAC7B,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,YAAY;YACnB,CAAC,CAAC;gBACE,YAAY,EAAE;oBACZ,IAAI,EAAE,sBAAsB;oBAC5B,OAAO,EAAE;wBACP,MAAM,EAAE,YAAY;wBACpB,QAAQ,EAAE,KAAK;wBACf,MAAM,EAAE,IAAI;wBACZ,QAAQ,EAAE,IAAI;wBACd,IAAI,EAAE,GAAG;qBACV;iBACF;aACF;YACH,CAAC,CAAC,SAAS;QACb,SAAS,EAAE,MAAM;YACf,CAAC,CAAC;gBACE,OAAO,CAAC;oBACN,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,eAAe;oBACrC,YAAY,EAAE,OAAO,CAAC,GAAG,CAAC,mBAAmB;oBAC7C,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,mBAAmB;iBACxC,CAAC;aACH;YACH,CAAC,CAAC;gBACE,WAAW,CAAC;oBACV,IAAI,EAAE,sBAAsB;oBAC5B,WAAW,EAAE;wBACX,IAAI,EAAE;4BACJ,KAAK,EAAE,MAAM;4BACb,IAAI,EAAE,MAAM;4BACZ,WAAW,EAAE,iCAAiC;yBAC/C;qBACF;oBACD,SAAS,EAAE,KAAK,EAAE,WAAW,EAAE,EAAE;wBAC/B,MAAM,IAAI,GAAG,WAAW,EAAE,IAAwB,CAAC;wBACnD,IAAI,CAAC,IAAI,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC;4BAAE,OAAO,IAAI,CAAC;wBACtD,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;wBAC7D,OAAO;4BACL,EAAE,EAAE,QAAQ,IAAI,EAAE;4BAClB,IAAI,EAAE,GAAG,OAAO,SAAS;4BACzB,KAAK,EAAE,GAAG,IAAI,gBAAgB;4BAC9B,IAAI;yBACL,CAAC;oBACJ,CAAC;iBACF,CAAC;aACH;QACL,OAAO,EAAE,EAAE,QAAQ,EAAE,KAAK,EAAE;QAC5B,SAAS,EAAE;YACT,GAAG,EAAE,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE;gBAChC,IAAI,IAAI,EAAE,CAAC;oBACT,KAAK,CAAC,GAAG,KAAK,IAAI,CAAC,EAAE,IAAI,SAAS,CAAC;oBACnC,KAAK,CAAC,KAAK,KAAK,IAAI,CAAC,KAAK,IAAI,SAAS,CAAC;oBACxC,IAAI,CAAC,MAAM,IAAK,IAAwB,CAAC,IAAI,EAAE,CAAC;wBAC7C,KAAiC,CAAC,gBAAgB,CAAC,GAAG;4BACpD,IAAuB,CAAC,IAAI;yBAC9B,CAAC;oBACJ,CAAC;gBACH,CAAC;gBACD,IAAI,MAAM,IAAI,OAAO,EAAE,CAAC;oBACtB,MAAM,MAAM,GAAI,OAAmC,CAAC,gBAAgB,CAAC,CAAC;oBACtE,IAAI,MAAM,EAAE,CAAC;wBACV,KAAiC,CAAC,gBAAgB,CAAC,GAAG,MAAM,CAAC;oBAChE,CAAC;gBACH,CAAC;gBACD,OAAO,KAAK,CAAC;YACf,CAAC;YACD,OAAO,EAAE,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE;gBAC9B,OAAO,CAAC,IAAI,CAAC,IAAI,GAAG,cAAc,CAC/B,KAAiC,CAAC,gBAAgB,CAAC,CACrD,CAAC;gBACF,OAAO,OAAO,CAAC;YACjB,CAAC;YACD,UAAU,EAAE,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,EAAE;gBACtD,MAAM,IAAI,GAAG,OAAO,CAAC,QAAQ,CAAC;gBAC9B,MAAM,aAAa,GAAG,IAAI,CAAC,mBAAmB,CAAC,IAAI,CACjD,CAAC,MAAM,EAAE,EAAE,CAAC,IAAI,KAAK,MAAM,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,MAAM,GAAG,CAAC,CAC7D,CAAC;gBACF,IAAI,CAAC,OAAO,IAAI,aAAa;oBAAE,OAAO,KAAK,CAAC;gBAC5C,OAAO,IAAI,CAAC;YACd,CAAC;SACF;QACD,KAAK,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE;QAC7B,SAAS,EAAE,IAAI;KAChB,CAAC;IAEF,OAAO,QAAQ,CAAC,MAAM,CAAC,CAAC;AAC1B,CAAC"}

package/dist/index.mjs

@@ -0,0 +1,104 @@
+// src/index.ts
+import NextAuth from "next-auth";
+import Credentials from "next-auth/providers/credentials";
+import Cognito from "next-auth/providers/cognito";
+var VALID_ROLES = ["visitor", "sales", "agent", "admin"];
+function roleFromGroups(groups) {
+  if (Array.isArray(groups) && groups.length > 0) {
+    const first = String(groups[0]).toLowerCase();
+    if (VALID_ROLES.includes(first)) return first;
+  }
+  return "visitor";
+}
+function createAuth(opts) {
+  const isProd = opts.isProd ?? process.env.NODE_ENV === "production";
+  const signInPage = opts.signInPage ?? "/login";
+  const cookieDomain = isProd ? opts.cookieDomain ?? process.env.AUTH_COOKIE_DOMAIN : void 0;
+  const SECRET = process.env.AUTH_SECRET ?? (isProd ? void 0 : "dev-only-fallback-not-for-prod");
+  const config = {
+    secret: SECRET,
+    cookies: cookieDomain ? {
+      sessionToken: {
+        name: "authjs.session-token",
+        options: {
+          domain: cookieDomain,
+          sameSite: "lax",
+          secure: true,
+          httpOnly: true,
+          path: "/"
+        }
+      }
+    } : void 0,
+    providers: isProd ? [
+      Cognito({
+        clientId: process.env.AUTH_COGNITO_ID,
+        clientSecret: process.env.AUTH_COGNITO_SECRET,
+        issuer: process.env.AUTH_COGNITO_ISSUER
+      })
+    ] : [
+      Credentials({
+        name: "Mock role (dev only)",
+        credentials: {
+          role: {
+            label: "Role",
+            type: "text",
+            placeholder: "visitor | sales | agent | admin"
+          }
+        },
+        authorize: async (credentials) => {
+          const role = credentials?.role;
+          if (!role || !VALID_ROLES.includes(role)) return null;
+          const display = role.charAt(0).toUpperCase() + role.slice(1);
+          return {
+            id: `mock-${role}`,
+            name: `${display} (mock)`,
+            email: `${role}@example.local`,
+            role
+          };
+        }
+      })
+    ],
+    session: { strategy: "jwt" },
+    callbacks: {
+      jwt: ({ token, user, profile }) => {
+        if (user) {
+          token.sub ??= user.id ?? void 0;
+          token.email ??= user.email ?? void 0;
+          if (!isProd && user.role) {
+            token["cognito:groups"] = [
+              user.role
+            ];
+          }
+        }
+        if (isProd && profile) {
+          const groups = profile["cognito:groups"];
+          if (groups) {
+            token["cognito:groups"] = groups;
+          }
+        }
+        return token;
+      },
+      session: ({ session, token }) => {
+        session.user.role = roleFromGroups(
+          token["cognito:groups"]
+        );
+        return session;
+      },
+      authorized: ({ auth: session, request: { nextUrl } }) => {
+        const path = nextUrl.pathname;
+        const isAuthedRoute = opts.authedRoutePrefixes.some(
+          (prefix) => path === prefix || path.startsWith(`${prefix}/`)
+        );
+        if (!session && isAuthedRoute) return false;
+        return true;
+      }
+    },
+    pages: { signIn: signInPage },
+    trustHost: true
+  };
+  return NextAuth(config);
+}
+export {
+  createAuth
+};
+//# sourceMappingURL=index.mjs.map

package/dist/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/index.ts"],"sourcesContent":["// Auth.js v5 (the package is still distributed as `next-auth`, but treat\n// these as Auth.js v5 internally — docs at https://authjs.dev, NOT\n// next-auth.js.org which is v4 and incompatible).\n//\n// Provider strategy:\n//   - Production: Cognito OIDC. Group membership from `cognito:groups`\n//     drives role.\n//   - Dev / preview: Credentials with a role picker, BUT shaped to mirror\n//     Cognito's claim payload so consumers (callbacks, gates, audit logs)\n//     never branch on environment. Same `sub`, `email`, `cognito:groups`\n//     in both modes.\n//\n// IMPORTANT: do not let the dev-mode session diverge from production. If\n// you add a claim in prod, also add it (with a synthetic value) in dev.\n\nimport NextAuth, { type DefaultSession, type NextAuthConfig } from \"next-auth\";\nimport Credentials from \"next-auth/providers/credentials\";\nimport Cognito from \"next-auth/providers/cognito\";\n\nexport type Role = \"visitor\" | \"sales\" | \"agent\" | \"admin\";\n\nconst VALID_ROLES: Role[] = [\"visitor\", \"sales\", \"agent\", \"admin\"];\n\ndeclare module \"next-auth\" {\n  interface Session {\n    user: {\n      role: Role;\n    } & DefaultSession[\"user\"];\n  }\n  interface User {\n    role: Role;\n  }\n}\n\nexport type CreateAuthOptions = {\n  /**\n   * Path prefixes that require an authenticated session.\n   * Empty array = no gating (rare).\n   */\n  authedRoutePrefixes: string[];\n  /**\n   * Page to redirect to when an unauthed user hits a gated route. Can be a\n   * relative path (`\"/login\"`) for in-app login, or a fully-qualified URL\n   * (`\"https://compass.aillc.link/login\"`) to delegate login to a peer app\n   * on a sibling subdomain. Default: `/login`.\n   */\n  signInPage?: string;\n  /**\n   * Cookie domain for the session token. Set this to the parent domain\n   * (e.g. `.compass.aillc.link`) when running across multiple subdomains\n   * so the session JWT is readable by every app sharing that parent.\n   * Default: read from `process.env.AUTH_COOKIE_DOMAIN`; if unset, Auth.js\n   * defaults to host-only (current request hostname).\n   *\n   * In dev (NODE_ENV !== \"production\"), this is ignored — cookies stay\n   * scoped to localhost so per-port apps don't collide.\n   */\n  cookieDomain?: string;\n  /**\n   * Override prod/dev detection. Default reads NODE_ENV.\n   */\n  isProd?: boolean;\n};\n\nfunction roleFromGroups(groups: unknown): Role {\n  if (Array.isArray(groups) && groups.length > 0) {\n    const first = String(groups[0]).toLowerCase();\n    if ((VALID_ROLES as string[]).includes(first)) return first as Role;\n  }\n  return \"visitor\";\n}\n\n/**\n * Build an Auth.js v5 NextAuth() invocation. Each consuming app calls this\n * once at module scope and re-exports the returned `handlers`, `auth`,\n * `signIn`, `signOut`.\n *\n * Cognito creds are read from process.env (typically set from SSM at deploy):\n *   AUTH_COGNITO_ID, AUTH_COGNITO_SECRET, AUTH_COGNITO_ISSUER, AUTH_SECRET\n */\nexport function createAuth(opts: CreateAuthOptions) {\n  const isProd = opts.isProd ?? process.env.NODE_ENV === \"production\";\n  const signInPage = opts.signInPage ?? \"/login\";\n  // Cookie domain is only honored in production. In dev, leaving it unset\n  // keeps the cookie scoped to localhost so apps on different ports don't\n  // stomp on each other.\n  const cookieDomain = isProd\n    ? (opts.cookieDomain ?? process.env.AUTH_COOKIE_DOMAIN)\n    : undefined;\n\n  const SECRET =\n    process.env.AUTH_SECRET ?? (isProd ? undefined : \"dev-only-fallback-not-for-prod\");\n\n  const config: NextAuthConfig = {\n    secret: SECRET,\n    cookies: cookieDomain\n      ? {\n          sessionToken: {\n            name: \"authjs.session-token\",\n            options: {\n              domain: cookieDomain,\n              sameSite: \"lax\",\n              secure: true,\n              httpOnly: true,\n              path: \"/\",\n            },\n          },\n        }\n      : undefined,\n    providers: isProd\n      ? [\n          Cognito({\n            clientId: process.env.AUTH_COGNITO_ID,\n            clientSecret: process.env.AUTH_COGNITO_SECRET,\n            issuer: process.env.AUTH_COGNITO_ISSUER,\n          }),\n        ]\n      : [\n          Credentials({\n            name: \"Mock role (dev only)\",\n            credentials: {\n              role: {\n                label: \"Role\",\n                type: \"text\",\n                placeholder: \"visitor | sales | agent | admin\",\n              },\n            },\n            authorize: async (credentials) => {\n              const role = credentials?.role as Role | undefined;\n              if (!role || !VALID_ROLES.includes(role)) return null;\n              const display = role.charAt(0).toUpperCase() + role.slice(1);\n              return {\n                id: `mock-${role}`,\n                name: `${display} (mock)`,\n                email: `${role}@example.local`,\n                role,\n              };\n            },\n          }),\n        ],\n    session: { strategy: \"jwt\" },\n    callbacks: {\n      jwt: ({ token, user, profile }) => {\n        if (user) {\n          token.sub ??= user.id ?? undefined;\n          token.email ??= user.email ?? undefined;\n          if (!isProd && (user as { role?: Role }).role) {\n            (token as Record<string, unknown>)[\"cognito:groups\"] = [\n              (user as { role: Role }).role,\n            ];\n          }\n        }\n        if (isProd && profile) {\n          const groups = (profile as Record<string, unknown>)[\"cognito:groups\"];\n          if (groups) {\n            (token as Record<string, unknown>)[\"cognito:groups\"] = groups;\n          }\n        }\n        return token;\n      },\n      session: ({ session, token }) => {\n        session.user.role = roleFromGroups(\n          (token as Record<string, unknown>)[\"cognito:groups\"],\n        );\n        return session;\n      },\n      authorized: ({ auth: session, request: { nextUrl } }) => {\n        const path = nextUrl.pathname;\n        const isAuthedRoute = opts.authedRoutePrefixes.some(\n          (prefix) => path === prefix || path.startsWith(`${prefix}/`),\n        );\n        if (!session && isAuthedRoute) return false;\n        return true;\n      },\n    },\n    pages: { signIn: signInPage },\n    trustHost: true,\n  };\n\n  return NextAuth(config);\n}\n\n/**\n * Convenience: build the proxy default-export for `src/proxy.ts`. In Next 16\n * the proxy must be a default export and must live at `src/proxy.ts` — the\n * named-export form throws \"TypeError: adapterFn is not a function\".\n *\n * Usage:\n *   // src/proxy.ts\n *   import { auth } from \"@/lib/auth\";\n *   export default auth;\n *   export const config = {\n *     matcher: [\"/dashboard\", \"/dashboard/:path*\"],\n *   };\n */\nexport type { NextAuthConfig } from \"next-auth\";\n"],"mappings":";AAeA,OAAO,cAA4D;AACnE,OAAO,iBAAiB;AACxB,OAAO,aAAa;AAIpB,IAAM,cAAsB,CAAC,WAAW,SAAS,SAAS,OAAO;AA2CjE,SAAS,eAAe,QAAuB;AAC7C,MAAI,MAAM,QAAQ,MAAM,KAAK,OAAO,SAAS,GAAG;AAC9C,UAAM,QAAQ,OAAO,OAAO,CAAC,CAAC,EAAE,YAAY;AAC5C,QAAK,YAAyB,SAAS,KAAK,EAAG,QAAO;AAAA,EACxD;AACA,SAAO;AACT;AAUO,SAAS,WAAW,MAAyB;AAClD,QAAM,SAAS,KAAK,UAAU,QAAQ,IAAI,aAAa;AACvD,QAAM,aAAa,KAAK,cAAc;AAItC,QAAM,eAAe,SAChB,KAAK,gBAAgB,QAAQ,IAAI,qBAClC;AAEJ,QAAM,SACJ,QAAQ,IAAI,gBAAgB,SAAS,SAAY;AAEnD,QAAM,SAAyB;AAAA,IAC7B,QAAQ;AAAA,IACR,SAAS,eACL;AAAA,MACE,cAAc;AAAA,QACZ,MAAM;AAAA,QACN,SAAS;AAAA,UACP,QAAQ;AAAA,UACR,UAAU;AAAA,UACV,QAAQ;AAAA,UACR,UAAU;AAAA,UACV,MAAM;AAAA,QACR;AAAA,MACF;AAAA,IACF,IACA;AAAA,IACJ,WAAW,SACP;AAAA,MACE,QAAQ;AAAA,QACN,UAAU,QAAQ,IAAI;AAAA,QACtB,cAAc,QAAQ,IAAI;AAAA,QAC1B,QAAQ,QAAQ,IAAI;AAAA,MACtB,CAAC;AAAA,IACH,IACA;AAAA,MACE,YAAY;AAAA,QACV,MAAM;AAAA,QACN,aAAa;AAAA,UACX,MAAM;AAAA,YACJ,OAAO;AAAA,YACP,MAAM;AAAA,YACN,aAAa;AAAA,UACf;AAAA,QACF;AAAA,QACA,WAAW,OAAO,gBAAgB;AAChC,gBAAM,OAAO,aAAa;AAC1B,cAAI,CAAC,QAAQ,CAAC,YAAY,SAAS,IAAI,EAAG,QAAO;AACjD,gBAAM,UAAU,KAAK,OAAO,CAAC,EAAE,YAAY,IAAI,KAAK,MAAM,CAAC;AAC3D,iBAAO;AAAA,YACL,IAAI,QAAQ,IAAI;AAAA,YAChB,MAAM,GAAG,OAAO;AAAA,YAChB,OAAO,GAAG,IAAI;AAAA,YACd;AAAA,UACF;AAAA,QACF;AAAA,MACF,CAAC;AAAA,IACH;AAAA,IACJ,SAAS,EAAE,UAAU,MAAM;AAAA,IAC3B,WAAW;AAAA,MACT,KAAK,CAAC,EAAE,OAAO,MAAM,QAAQ,MAAM;AACjC,YAAI,MAAM;AACR,gBAAM,QAAQ,KAAK,MAAM;AACzB,gBAAM,UAAU,KAAK,SAAS;AAC9B,cAAI,CAAC,UAAW,KAAyB,MAAM;AAC7C,YAAC,MAAkC,gBAAgB,IAAI;AAAA,cACpD,KAAwB;AAAA,YAC3B;AAAA,UACF;AAAA,QACF;AACA,YAAI,UAAU,SAAS;AACrB,gBAAM,SAAU,QAAoC,gBAAgB;AACpE,cAAI,QAAQ;AACV,YAAC,MAAkC,gBAAgB,IAAI;AAAA,UACzD;AAAA,QACF;AACA,eAAO;AAAA,MACT;AAAA,MACA,SAAS,CAAC,EAAE,SAAS,MAAM,MAAM;AAC/B,gBAAQ,KAAK,OAAO;AAAA,UACjB,MAAkC,gBAAgB;AAAA,QACrD;AACA,eAAO;AAAA,MACT;AAAA,MACA,YAAY,CAAC,EAAE,MAAM,SAAS,SAAS,EAAE,QAAQ,EAAE,MAAM;AACvD,cAAM,OAAO,QAAQ;AACrB,cAAM,gBAAgB,KAAK,oBAAoB;AAAA,UAC7C,CAAC,WAAW,SAAS,UAAU,KAAK,WAAW,GAAG,MAAM,GAAG;AAAA,QAC7D;AACA,YAAI,CAAC,WAAW,cAAe,QAAO;AACtC,eAAO;AAAA,MACT;AAAA,IACF;AAAA,IACA,OAAO,EAAE,QAAQ,WAAW;AAAA,IAC5B,WAAW;AAAA,EACb;AAEA,SAAO,SAAS,MAAM;AACxB;","names":[]}

package/package.json

@@ -0,0 +1,42 @@
+{
+  "name": "@augmenting-integrations/auth",
+  "version": "0.1.0",
+  "description": "Auth.js v5 factory: Cognito in prod, Credentials role-picker in dev. Same JWT shape (sub, email, cognito:groups) regardless of provider.",
+  "license": "MIT",
+  "publishConfig": {
+    "access": "public"
+  },
+  "sideEffects": false,
+  "main": "./dist/index.cjs",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "require": "./dist/index.cjs"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "peerDependencies": {
+    "next": "^16.0.0",
+    "next-auth": "^5.0.0-beta.31",
+    "react": "^19.0.0"
+  },
+  "devDependencies": {
+    "next": "^16.2.5",
+    "next-auth": "^5.0.0-beta.31",
+    "react": "^19.0.0",
+    "tsup": "^8.3.5",
+    "typescript": "^5.7.2",
+    "vitest": "^4.1.5"
+  },
+  "scripts": {
+    "build": "tsup",
+    "clean": "rm -rf dist",
+    "test": "vitest run --passWithNoTests"
+  }
+}