@augmenting-integrations/auth 4.2.0 → 5.0.1

package/dist/client/use-impersonation.cjs

@@ -0,0 +1,77 @@
+"use strict";
+"use client";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var use_impersonation_exports = {};
+__export(use_impersonation_exports, {
+  useImpersonation: () => useImpersonation
+});
+module.exports = __toCommonJS(use_impersonation_exports);
+var React = __toESM(require("react"));
+function useImpersonation() {
+  const [state, setState] = React.useState({
+    status: "loading",
+    data: null,
+    error: null
+  });
+  const refresh = React.useCallback(async () => {
+    try {
+      const res = await fetch("/api/auth/me", {
+        credentials: "same-origin",
+        cache: "no-store"
+      });
+      if (res.status === 401) {
+        setState({ status: "anonymous", data: null, error: null });
+        return;
+      }
+      if (!res.ok) {
+        const txt = await res.text().catch(() => "");
+        setState({
+          status: "error",
+          data: null,
+          error: txt || `HTTP ${res.status}`
+        });
+        return;
+      }
+      const data = await res.json();
+      setState({ status: "ready", data, error: null });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      setState({ status: "error", data: null, error: message });
+    }
+  }, []);
+  React.useEffect(() => {
+    void refresh();
+  }, [refresh]);
+  return { ...state, refresh };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  useImpersonation
+});
+//# sourceMappingURL=use-impersonation.cjs.map

package/dist/client/use-impersonation.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/client/use-impersonation.ts"],"sourcesContent":["\"use client\";\n\nimport * as React from \"react\";\n\n// =============================================================================\n// useImpersonation -- surfaces the *effective* user via /api/auth/me.\n//\n// Used by ImpersonationBanner + admin surfaces to know whether the current\n// session is impersonated. Hits the spoke's /api/auth/me which returns\n// `{user, impersonatedBy}`.\n//\n// Deliberately doesn't lean on TanStack Query so this can be imported from\n// any client component without forcing a QueryClient provider. Refetch is\n// manual via `refresh()`, which the impersonate API mutators call after a\n// successful start / stop.\n// =============================================================================\n\nexport type EffectiveUser = {\n  id: string;\n  email: string;\n  name: string;\n  role: string;\n  is_active: boolean;\n  credit_balance: number;\n};\n\nexport type ImpersonatedBy = {\n  id: string;\n  name: string;\n  email: string;\n};\n\nexport type MeResponse = {\n  user: EffectiveUser;\n  impersonatedBy: ImpersonatedBy | null;\n};\n\ntype State =\n  | { status: \"loading\"; data: null; error: null }\n  | { status: \"anonymous\"; data: null; error: null }\n  | { status: \"ready\"; data: MeResponse; error: null }\n  | { status: \"error\"; data: null; error: string };\n\nexport function useImpersonation(): State & { refresh: () => Promise<void> } {\n  const [state, setState] = React.useState<State>({\n    status: \"loading\",\n    data: null,\n    error: null,\n  });\n\n  const refresh = React.useCallback(async () => {\n    try {\n      const res = await fetch(\"/api/auth/me\", {\n        credentials: \"same-origin\",\n        cache: \"no-store\",\n      });\n      if (res.status === 401) {\n        setState({ status: \"anonymous\", data: null, error: null });\n        return;\n      }\n      if (!res.ok) {\n        const txt = await res.text().catch(() => \"\");\n        setState({\n          status: \"error\",\n          data: null,\n          error: txt || `HTTP ${res.status}`,\n        });\n        return;\n      }\n      const data = (await res.json()) as MeResponse;\n      setState({ status: \"ready\", data, error: null });\n    } catch (err) {\n      const message = err instanceof Error ? err.message : String(err);\n      setState({ status: \"error\", data: null, error: message });\n    }\n  }, []);\n\n  React.useEffect(() => {\n    void refresh();\n  }, [refresh]);\n\n  return { ...state, refresh };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAEA,YAAuB;AAyChB,SAAS,mBAA6D;AAC3E,QAAM,CAAC,OAAO,QAAQ,IAAI,MAAM,SAAgB;AAAA,IAC9C,QAAQ;AAAA,IACR,MAAM;AAAA,IACN,OAAO;AAAA,EACT,CAAC;AAED,QAAM,UAAU,MAAM,YAAY,YAAY;AAC5C,QAAI;AACF,YAAM,MAAM,MAAM,MAAM,gBAAgB;AAAA,QACtC,aAAa;AAAA,QACb,OAAO;AAAA,MACT,CAAC;AACD,UAAI,IAAI,WAAW,KAAK;AACtB,iBAAS,EAAE,QAAQ,aAAa,MAAM,MAAM,OAAO,KAAK,CAAC;AACzD;AAAA,MACF;AACA,UAAI,CAAC,IAAI,IAAI;AACX,cAAM,MAAM,MAAM,IAAI,KAAK,EAAE,MAAM,MAAM,EAAE;AAC3C,iBAAS;AAAA,UACP,QAAQ;AAAA,UACR,MAAM;AAAA,UACN,OAAO,OAAO,QAAQ,IAAI,MAAM;AAAA,QAClC,CAAC;AACD;AAAA,MACF;AACA,YAAM,OAAQ,MAAM,IAAI,KAAK;AAC7B,eAAS,EAAE,QAAQ,SAAS,MAAM,OAAO,KAAK,CAAC;AAAA,IACjD,SAAS,KAAK;AACZ,YAAM,UAAU,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC/D,eAAS,EAAE,QAAQ,SAAS,MAAM,MAAM,OAAO,QAAQ,CAAC;AAAA,IAC1D;AAAA,EACF,GAAG,CAAC,CAAC;AAEL,QAAM,UAAU,MAAM;AACpB,SAAK,QAAQ;AAAA,EACf,GAAG,CAAC,OAAO,CAAC;AAEZ,SAAO,EAAE,GAAG,OAAO,QAAQ;AAC7B;","names":[]}

package/dist/client/use-impersonation.d.ts

@@ -0,0 +1,39 @@
+export type EffectiveUser = {
+    id: string;
+    email: string;
+    name: string;
+    role: string;
+    is_active: boolean;
+    credit_balance: number;
+};
+export type ImpersonatedBy = {
+    id: string;
+    name: string;
+    email: string;
+};
+export type MeResponse = {
+    user: EffectiveUser;
+    impersonatedBy: ImpersonatedBy | null;
+};
+type State = {
+    status: "loading";
+    data: null;
+    error: null;
+} | {
+    status: "anonymous";
+    data: null;
+    error: null;
+} | {
+    status: "ready";
+    data: MeResponse;
+    error: null;
+} | {
+    status: "error";
+    data: null;
+    error: string;
+};
+export declare function useImpersonation(): State & {
+    refresh: () => Promise<void>;
+};
+export {};
+//# sourceMappingURL=use-impersonation.d.ts.map

package/dist/client/use-impersonation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"use-impersonation.d.ts","sourceRoot":"","sources":["../../src/client/use-impersonation.ts"],"names":[],"mappings":"AAiBA,MAAM,MAAM,aAAa,GAAG;IAC1B,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,OAAO,CAAC;IACnB,cAAc,EAAE,MAAM,CAAC;CACxB,CAAC;AAEF,MAAM,MAAM,cAAc,GAAG;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;CACf,CAAC;AAEF,MAAM,MAAM,UAAU,GAAG;IACvB,IAAI,EAAE,aAAa,CAAC;IACpB,cAAc,EAAE,cAAc,GAAG,IAAI,CAAC;CACvC,CAAC;AAEF,KAAK,KAAK,GACN;IAAE,MAAM,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,IAAI,CAAC;IAAC,KAAK,EAAE,IAAI,CAAA;CAAE,GAC9C;IAAE,MAAM,EAAE,WAAW,CAAC;IAAC,IAAI,EAAE,IAAI,CAAC;IAAC,KAAK,EAAE,IAAI,CAAA;CAAE,GAChD;IAAE,MAAM,EAAE,OAAO,CAAC;IAAC,IAAI,EAAE,UAAU,CAAC;IAAC,KAAK,EAAE,IAAI,CAAA;CAAE,GAClD;IAAE,MAAM,EAAE,OAAO,CAAC;IAAC,IAAI,EAAE,IAAI,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAAC;AAEnD,wBAAgB,gBAAgB,IAAI,KAAK,GAAG;IAAE,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAA;CAAE,CAuC3E"}

package/dist/client/use-impersonation.js

@@ -0,0 +1,43 @@
+"use client";
+import * as React from "react";
+function useImpersonation() {
+  const [state, setState] = React.useState({
+    status: "loading",
+    data: null,
+    error: null
+  });
+  const refresh = React.useCallback(async () => {
+    try {
+      const res = await fetch("/api/auth/me", {
+        credentials: "same-origin",
+        cache: "no-store"
+      });
+      if (res.status === 401) {
+        setState({ status: "anonymous", data: null, error: null });
+        return;
+      }
+      if (!res.ok) {
+        const txt = await res.text().catch(() => "");
+        setState({
+          status: "error",
+          data: null,
+          error: txt || `HTTP ${res.status}`
+        });
+        return;
+      }
+      const data = await res.json();
+      setState({ status: "ready", data, error: null });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      setState({ status: "error", data: null, error: message });
+    }
+  }, []);
+  React.useEffect(() => {
+    void refresh();
+  }, [refresh]);
+  return { ...state, refresh };
+}
+export {
+  useImpersonation
+};
+//# sourceMappingURL=use-impersonation.js.map

package/dist/client/use-impersonation.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/client/use-impersonation.ts"],"sourcesContent":["\"use client\";\n\nimport * as React from \"react\";\n\n// =============================================================================\n// useImpersonation -- surfaces the *effective* user via /api/auth/me.\n//\n// Used by ImpersonationBanner + admin surfaces to know whether the current\n// session is impersonated. Hits the spoke's /api/auth/me which returns\n// `{user, impersonatedBy}`.\n//\n// Deliberately doesn't lean on TanStack Query so this can be imported from\n// any client component without forcing a QueryClient provider. Refetch is\n// manual via `refresh()`, which the impersonate API mutators call after a\n// successful start / stop.\n// =============================================================================\n\nexport type EffectiveUser = {\n  id: string;\n  email: string;\n  name: string;\n  role: string;\n  is_active: boolean;\n  credit_balance: number;\n};\n\nexport type ImpersonatedBy = {\n  id: string;\n  name: string;\n  email: string;\n};\n\nexport type MeResponse = {\n  user: EffectiveUser;\n  impersonatedBy: ImpersonatedBy | null;\n};\n\ntype State =\n  | { status: \"loading\"; data: null; error: null }\n  | { status: \"anonymous\"; data: null; error: null }\n  | { status: \"ready\"; data: MeResponse; error: null }\n  | { status: \"error\"; data: null; error: string };\n\nexport function useImpersonation(): State & { refresh: () => Promise<void> } {\n  const [state, setState] = React.useState<State>({\n    status: \"loading\",\n    data: null,\n    error: null,\n  });\n\n  const refresh = React.useCallback(async () => {\n    try {\n      const res = await fetch(\"/api/auth/me\", {\n        credentials: \"same-origin\",\n        cache: \"no-store\",\n      });\n      if (res.status === 401) {\n        setState({ status: \"anonymous\", data: null, error: null });\n        return;\n      }\n      if (!res.ok) {\n        const txt = await res.text().catch(() => \"\");\n        setState({\n          status: \"error\",\n          data: null,\n          error: txt || `HTTP ${res.status}`,\n        });\n        return;\n      }\n      const data = (await res.json()) as MeResponse;\n      setState({ status: \"ready\", data, error: null });\n    } catch (err) {\n      const message = err instanceof Error ? err.message : String(err);\n      setState({ status: \"error\", data: null, error: message });\n    }\n  }, []);\n\n  React.useEffect(() => {\n    void refresh();\n  }, [refresh]);\n\n  return { ...state, refresh };\n}\n"],"mappings":";AAEA,YAAY,WAAW;AAyChB,SAAS,mBAA6D;AAC3E,QAAM,CAAC,OAAO,QAAQ,IAAI,MAAM,SAAgB;AAAA,IAC9C,QAAQ;AAAA,IACR,MAAM;AAAA,IACN,OAAO;AAAA,EACT,CAAC;AAED,QAAM,UAAU,MAAM,YAAY,YAAY;AAC5C,QAAI;AACF,YAAM,MAAM,MAAM,MAAM,gBAAgB;AAAA,QACtC,aAAa;AAAA,QACb,OAAO;AAAA,MACT,CAAC;AACD,UAAI,IAAI,WAAW,KAAK;AACtB,iBAAS,EAAE,QAAQ,aAAa,MAAM,MAAM,OAAO,KAAK,CAAC;AACzD;AAAA,MACF;AACA,UAAI,CAAC,IAAI,IAAI;AACX,cAAM,MAAM,MAAM,IAAI,KAAK,EAAE,MAAM,MAAM,EAAE;AAC3C,iBAAS;AAAA,UACP,QAAQ;AAAA,UACR,MAAM;AAAA,UACN,OAAO,OAAO,QAAQ,IAAI,MAAM;AAAA,QAClC,CAAC;AACD;AAAA,MACF;AACA,YAAM,OAAQ,MAAM,IAAI,KAAK;AAC7B,eAAS,EAAE,QAAQ,SAAS,MAAM,OAAO,KAAK,CAAC;AAAA,IACjD,SAAS,KAAK;AACZ,YAAM,UAAU,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC/D,eAAS,EAAE,QAAQ,SAAS,MAAM,MAAM,OAAO,QAAQ,CAAC;AAAA,IAC1D;AAAA,EACF,GAAG,CAAC,CAAC;AAEL,QAAM,UAAU,MAAM;AACpB,SAAK,QAAQ;AAAA,EACf,GAAG,CAAC,OAAO,CAAC;AAEZ,SAAO,EAAE,GAAG,OAAO,QAAQ;AAC7B;","names":[]}

package/dist/client.cjs

@@ -0,0 +1,47 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var client_exports = {};
+__export(client_exports, {
+  AppUserProvider: () => import_AppUserProvider.AppUserProvider,
+  ImpersonationBanner: () => import_ImpersonationBanner.ImpersonationBanner,
+  SignOutButton: () => import_SignOutButton.SignOutButton,
+  UserMenu: () => import_UserMenu.UserMenu,
+  useAppUser: () => import_AppUserProvider.useAppUser,
+  useDbAppUser: () => import_AppUserProvider.useDbAppUser,
+  useImpersonation: () => import_use_impersonation.useImpersonation,
+  useRole: () => import_AppUserProvider.useRole
+});
+module.exports = __toCommonJS(client_exports);
+var import_AppUserProvider = require("./client/AppUserProvider.js");
+var import_UserMenu = require("./client/UserMenu.js");
+var import_SignOutButton = require("./client/SignOutButton.js");
+var import_ImpersonationBanner = require("./client/ImpersonationBanner.js");
+var import_use_impersonation = require("./client/use-impersonation.js");
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  AppUserProvider,
+  ImpersonationBanner,
+  SignOutButton,
+  UserMenu,
+  useAppUser,
+  useDbAppUser,
+  useImpersonation,
+  useRole
+});
+//# sourceMappingURL=client.cjs.map

package/dist/client.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/client.ts"],"sourcesContent":["export {\n  AppUserProvider,\n  useAppUser,\n  useDbAppUser,\n  useRole,\n  type AppUserState,\n  type DbAppUser,\n  type SessionAppUser,\n} from \"./client/AppUserProvider.js\";\nexport { UserMenu } from \"./client/UserMenu.js\";\nexport { SignOutButton } from \"./client/SignOutButton.js\";\nexport { ImpersonationBanner } from \"./client/ImpersonationBanner.js\";\nexport {\n  useImpersonation,\n  type EffectiveUser,\n  type ImpersonatedBy,\n  type MeResponse,\n} from \"./client/use-impersonation.js\";\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,6BAQO;AACP,sBAAyB;AACzB,2BAA8B;AAC9B,iCAAoC;AACpC,+BAKO;","names":[]}

package/dist/client.d.ts

@@ -0,0 +1,6 @@
+export { AppUserProvider, useAppUser, useDbAppUser, useRole, type AppUserState, type DbAppUser, type SessionAppUser, } from "./client/AppUserProvider.js";
+export { UserMenu } from "./client/UserMenu.js";
+export { SignOutButton } from "./client/SignOutButton.js";
+export { ImpersonationBanner } from "./client/ImpersonationBanner.js";
+export { useImpersonation, type EffectiveUser, type ImpersonatedBy, type MeResponse, } from "./client/use-impersonation.js";
+//# sourceMappingURL=client.d.ts.map

package/dist/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,eAAe,EACf,UAAU,EACV,YAAY,EACZ,OAAO,EACP,KAAK,YAAY,EACjB,KAAK,SAAS,EACd,KAAK,cAAc,GACpB,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,OAAO,EAAE,aAAa,EAAE,MAAM,2BAA2B,CAAC;AAC1D,OAAO,EAAE,mBAAmB,EAAE,MAAM,iCAAiC,CAAC;AACtE,OAAO,EACL,gBAAgB,EAChB,KAAK,aAAa,EAClB,KAAK,cAAc,EACnB,KAAK,UAAU,GAChB,MAAM,+BAA+B,CAAC"}

package/dist/client.js

@@ -0,0 +1,23 @@
+import {
+  AppUserProvider,
+  useAppUser,
+  useDbAppUser,
+  useRole
+} from "./client/AppUserProvider.js";
+import { UserMenu } from "./client/UserMenu.js";
+import { SignOutButton } from "./client/SignOutButton.js";
+import { ImpersonationBanner } from "./client/ImpersonationBanner.js";
+import {
+  useImpersonation
+} from "./client/use-impersonation.js";
+export {
+  AppUserProvider,
+  ImpersonationBanner,
+  SignOutButton,
+  UserMenu,
+  useAppUser,
+  useDbAppUser,
+  useImpersonation,
+  useRole
+};
+//# sourceMappingURL=client.js.map

package/dist/client.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/client.ts"],"sourcesContent":["export {\n  AppUserProvider,\n  useAppUser,\n  useDbAppUser,\n  useRole,\n  type AppUserState,\n  type DbAppUser,\n  type SessionAppUser,\n} from \"./client/AppUserProvider.js\";\nexport { UserMenu } from \"./client/UserMenu.js\";\nexport { SignOutButton } from \"./client/SignOutButton.js\";\nexport { ImpersonationBanner } from \"./client/ImpersonationBanner.js\";\nexport {\n  useImpersonation,\n  type EffectiveUser,\n  type ImpersonatedBy,\n  type MeResponse,\n} from \"./client/use-impersonation.js\";\n"],"mappings":"AAAA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OAIK;AACP,SAAS,gBAAgB;AACzB,SAAS,qBAAqB;AAC9B,SAAS,2BAA2B;AACpC;AAAA,EACE;AAAA,OAIK;","names":[]}

package/dist/{index.d.ts → server/createAuth.d.ts}

@@ -70,4 +70,4 @@ export declare function hasGroup(session: Session | null | undefined, name: stri
 export declare function requireGroup(session: Session | null | undefined, ...names: string[]): void;
 export declare function createAuth(opts: CreateAuthOptions): import("next-auth").NextAuthResult;
 export type { NextAuthConfig } from "next-auth";
-//# sourceMappingURL=index.d.ts.map
+//# sourceMappingURL=createAuth.d.ts.map

package/dist/server/createAuth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"createAuth.d.ts","sourceRoot":"","sources":["../../src/server/createAuth.ts"],"names":[],"mappings":"AAkBA,OAAiB,EACf,KAAK,cAAc,EAEnB,KAAK,OAAO,EACb,MAAM,WAAW,CAAC;AAInB,OAAO,QAAQ,WAAW,CAAC;IACzB,UAAU,OAAO;QACf,IAAI,EAAE;YACJ,MAAM,EAAE,MAAM,EAAE,CAAC;YACjB,IAAI,EAAE,MAAM,CAAC;SACd,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;KAC5B;IACD,UAAU,IAAI;QACZ,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;KACnB;CACF;AAED,MAAM,MAAM,iBAAiB,GAAG;IAC9B,2DAA2D;IAC3D,mBAAmB,EAAE,MAAM,EAAE,CAAC;IAC9B;;;;OAIG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;;;;OAKG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;;;;OAKG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B;;;;OAIG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,2DAA2D;IAC3D,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB;;;;OAIG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE;QACR,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB,CAAC;CACH,CAAC;AAIF,qBAAa,SAAU,SAAQ,KAAK;IACf,IAAI,EAAE,iBAAiB,GAAG,WAAW;gBAArC,IAAI,EAAE,iBAAiB,GAAG,WAAW;CAIzD;AAID,2EAA2E;AAC3E,wBAAgB,aAAa,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,GAAG,SAAS,GAAG,MAAM,EAAE,CAE3E;AAED,+CAA+C;AAC/C,wBAAgB,QAAQ,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,GAAG,SAAS,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAInF;AAED;;;;GAIG;AACH,wBAAgB,YAAY,CAC1B,OAAO,EAAE,OAAO,GAAG,IAAI,GAAG,SAAS,EACnC,GAAG,KAAK,EAAE,MAAM,EAAE,GACjB,IAAI,CAKN;AAyFD,wBAAgB,UAAU,CAAC,IAAI,EAAE,iBAAiB,sCAgJjD;AAED,YAAY,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC"}

package/dist/server/impersonation.d.ts

@@ -0,0 +1,23 @@
+import "server-only";
+export declare const IMPERSONATE_COOKIE_NAME = "__impersonate";
+export declare const IMPERSONATE_TTL_SECONDS = 3600;
+export type ImpersonationClaims = {
+    /** Admin user id who started the impersonation (stringified BigInt). */
+    impersonatedBy: string;
+    /** Target user id being impersonated (stringified BigInt). */
+    sub: string;
+    /** Issued-at (seconds since epoch). */
+    iat: number;
+    /** Expiry (seconds since epoch). */
+    exp: number;
+};
+export declare function mintImpersonationToken(args: {
+    adminId: bigint | string;
+    targetId: bigint | string;
+    now?: Date;
+}): Promise<{
+    token: string;
+    expiresAt: Date;
+}>;
+export declare function verifyImpersonationToken(token: string): Promise<ImpersonationClaims | null>;
+//# sourceMappingURL=impersonation.d.ts.map

package/dist/server/impersonation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"impersonation.d.ts","sourceRoot":"","sources":["../../src/server/impersonation.ts"],"names":[],"mappings":"AAAA,OAAO,aAAa,CAAC;AAqBrB,eAAO,MAAM,uBAAuB,kBAAkB,CAAC;AACvD,eAAO,MAAM,uBAAuB,OAAO,CAAC;AAG5C,MAAM,MAAM,mBAAmB,GAAG;IAChC,wEAAwE;IACxE,cAAc,EAAE,MAAM,CAAC;IACvB,8DAA8D;IAC9D,GAAG,EAAE,MAAM,CAAC;IACZ,uCAAuC;IACvC,GAAG,EAAE,MAAM,CAAC;IACZ,oCAAoC;IACpC,GAAG,EAAE,MAAM,CAAC;CACb,CAAC;AAkBF,wBAAsB,sBAAsB,CAAC,IAAI,EAAE;IACjD,OAAO,EAAE,MAAM,GAAG,MAAM,CAAC;IACzB,QAAQ,EAAE,MAAM,GAAG,MAAM,CAAC;IAC1B,GAAG,CAAC,EAAE,IAAI,CAAC;CACZ,GAAG,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,IAAI,CAAA;CAAE,CAAC,CAgB9C;AAED,wBAAsB,wBAAwB,CAC5C,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAAC,CA0BrC"}

package/dist/server/jit.d.ts

@@ -0,0 +1,97 @@
+import "server-only";
+import type { Session } from "next-auth";
+/**
+ * Minimum contract every spoke User row must satisfy. Spokes can widen this
+ * with additional fields (credit_balance, must_change_password, etc.) and the
+ * factory will preserve them through the returned `Promise<TUser>`.
+ */
+export type BaseAppUser = {
+    id: bigint | string | number;
+    email: string;
+    name: string;
+    role: string;
+    parent_id: bigint | string | number | null;
+};
+/**
+ * Loose typing for the Prisma delegates the factory touches. Each spoke has
+ * its own generated client whose actual types are concrete; we use loose
+ * shapes here so the factory works with any spoke's schema.
+ */
+export type PrismaLikeUserDelegate<TUser> = {
+    findUnique: (args: {
+        where: {
+            id?: unknown;
+            email?: string;
+        };
+    }) => Promise<TUser | null>;
+    create: (args: {
+        data: unknown;
+    }) => Promise<TUser>;
+};
+export type PrismaLikeInvitationDelegate = {
+    findFirst: (args: {
+        where: {
+            email: string;
+            accepted_at: null;
+            expires_at: {
+                gt: Date;
+            };
+        };
+        orderBy?: unknown;
+    }) => Promise<{
+        id: bigint | string | number;
+        intended_role: string;
+        parent_id: bigint | string | number | null;
+    } | null>;
+    update: (args: {
+        where: {
+            id: unknown;
+        };
+        data: {
+            accepted_at: Date;
+            accepted_by_user_id: unknown;
+        };
+    }) => Promise<unknown>;
+};
+export type PrismaLikeClient<TUser> = {
+    user: PrismaLikeUserDelegate<TUser>;
+    invitation: PrismaLikeInvitationDelegate;
+    $transaction: <T>(fn: (tx: {
+        user: PrismaLikeUserDelegate<TUser>;
+        invitation: PrismaLikeInvitationDelegate;
+    }) => Promise<T>) => Promise<T>;
+};
+export type CreateGetOrCreateAppUserOptions<TUser extends BaseAppUser> = {
+    /** Returns the spoke's PrismaClient (lazily). */
+    db: () => Promise<PrismaLikeClient<TUser>>;
+    /** Fallback role when no admin email + no Cognito groups. */
+    defaultRole: string;
+    /** Starting credit balance per role. */
+    computeCreditBalance: (role: string) => number;
+    /** Emails auto-promoted to "admin" role on first sign-in (case-insensitive). */
+    adminEmails?: string[];
+    /**
+     * Hash value written to User.password on creation. Schema-inherited
+     * not-null constraint; never used to authenticate (Cognito does that).
+     * Default: a recognizable placeholder string.
+     */
+    placeholderPasswordHash?: string;
+    /**
+     * Extra column values written on creation. Use this for spoke-specific
+     * defaults (e.g. is_active: true, must_change_password: false).
+     */
+    extraCreateFields?: Record<string, unknown>;
+};
+export type AppUserWithImpersonation<TUser extends BaseAppUser> = TUser & {
+    /** Stringified admin id when this session is impersonated; absent otherwise. */
+    impersonatedBy?: string;
+};
+/**
+ * Build a `getOrCreateAppUser(session)` function configured for this spoke.
+ *
+ * Returned function is idempotent: subsequent calls with the same email
+ * return the existing row. First-time emails are created inside a transaction
+ * that also auto-accepts a matching Invitation row if present.
+ */
+export declare function createGetOrCreateAppUser<TUser extends BaseAppUser>(opts: CreateGetOrCreateAppUserOptions<TUser>): (session: Session) => Promise<AppUserWithImpersonation<TUser>>;
+//# sourceMappingURL=jit.d.ts.map

package/dist/server/jit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jit.d.ts","sourceRoot":"","sources":["../../src/server/jit.ts"],"names":[],"mappings":"AAAA,OAAO,aAAa,CAAC;AAGrB,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AA6BzC;;;;GAIG;AACH,MAAM,MAAM,WAAW,GAAG;IACxB,EAAE,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,CAAC;IAC7B,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC;CAC5C,CAAC;AAEF;;;;GAIG;AACH,MAAM,MAAM,sBAAsB,CAAC,KAAK,IAAI;IAC1C,UAAU,EAAE,CAAC,IAAI,EAAE;QACjB,KAAK,EAAE;YAAE,EAAE,CAAC,EAAE,OAAO,CAAC;YAAC,KAAK,CAAC,EAAE,MAAM,CAAA;SAAE,CAAC;KACzC,KAAK,OAAO,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC;IAC5B,MAAM,EAAE,CAAC,IAAI,EAAE;QAAE,IAAI,EAAE,OAAO,CAAA;KAAE,KAAK,OAAO,CAAC,KAAK,CAAC,CAAC;CACrD,CAAC;AAEF,MAAM,MAAM,4BAA4B,GAAG;IACzC,SAAS,EAAE,CAAC,IAAI,EAAE;QAChB,KAAK,EAAE;YAAE,KAAK,EAAE,MAAM,CAAC;YAAC,WAAW,EAAE,IAAI,CAAC;YAAC,UAAU,EAAE;gBAAE,EAAE,EAAE,IAAI,CAAA;aAAE,CAAA;SAAE,CAAC;QACtE,OAAO,CAAC,EAAE,OAAO,CAAC;KACnB,KAAK,OAAO,CAAC;QACZ,EAAE,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,CAAC;QAC7B,aAAa,EAAE,MAAM,CAAC;QACtB,SAAS,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC;KAC5C,GAAG,IAAI,CAAC,CAAC;IACV,MAAM,EAAE,CAAC,IAAI,EAAE;QACb,KAAK,EAAE;YAAE,EAAE,EAAE,OAAO,CAAA;SAAE,CAAC;QACvB,IAAI,EAAE;YAAE,WAAW,EAAE,IAAI,CAAC;YAAC,mBAAmB,EAAE,OAAO,CAAA;SAAE,CAAC;KAC3D,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;CACxB,CAAC;AAEF,MAAM,MAAM,gBAAgB,CAAC,KAAK,IAAI;IACpC,IAAI,EAAE,sBAAsB,CAAC,KAAK,CAAC,CAAC;IACpC,UAAU,EAAE,4BAA4B,CAAC;IACzC,YAAY,EAAE,CAAC,CAAC,EACd,EAAE,EAAE,CAAC,EAAE,EAAE;QACP,IAAI,EAAE,sBAAsB,CAAC,KAAK,CAAC,CAAC;QACpC,UAAU,EAAE,4BAA4B,CAAC;KAC1C,KAAK,OAAO,CAAC,CAAC,CAAC,KACb,OAAO,CAAC,CAAC,CAAC,CAAC;CACjB,CAAC;AAEF,MAAM,MAAM,+BAA+B,CAAC,KAAK,SAAS,WAAW,IAAI;IACvE,iDAAiD;IACjD,EAAE,EAAE,MAAM,OAAO,CAAC,gBAAgB,CAAC,KAAK,CAAC,CAAC,CAAC;IAC3C,6DAA6D;IAC7D,WAAW,EAAE,MAAM,CAAC;IACpB,wCAAwC;IACxC,oBAAoB,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,MAAM,CAAC;IAC/C,gFAAgF;IAChF,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB;;;;OAIG;IACH,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC;;;OAGG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAC7C,CAAC;AAEF,MAAM,MAAM,wBAAwB,CAAC,KAAK,SAAS,WAAW,IAAI,KAAK,GAAG;IACxE,gFAAgF;IAChF,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB,CAAC;AAKF;;;;;;GAMG;AACH,wBAAgB,wBAAwB,CAAC,KAAK,SAAS,WAAW,EAChE,IAAI,EAAE,+BAA+B,CAAC,KAAK,CAAC,GAC3C,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,wBAAwB,CAAC,KAAK,CAAC,CAAC,CAqFhE"}

package/dist/{index.cjs → server.cjs}

@@ -27,16 +27,23 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 ));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
-// src/index.ts
-var index_exports = {};
-__export(index_exports, {
+// src/server.ts
+var server_exports = {};
+__export(server_exports, {
   AuthError: () => AuthError,
+  IMPERSONATE_COOKIE_NAME: () => IMPERSONATE_COOKIE_NAME,
+  IMPERSONATE_TTL_SECONDS: () => IMPERSONATE_TTL_SECONDS,
   createAuth: () => createAuth,
+  createGetOrCreateAppUser: () => createGetOrCreateAppUser,
   getUserGroups: () => getUserGroups,
   hasGroup: () => hasGroup,
-  requireGroup: () => requireGroup
+  mintImpersonationToken: () => mintImpersonationToken,
+  requireGroup: () => requireGroup,
+  verifyImpersonationToken: () => verifyImpersonationToken
 });
-module.exports = __toCommonJS(index_exports);
+module.exports = __toCommonJS(server_exports);
+
+// src/server/createAuth.ts
 var import_next_auth = __toESM(require("next-auth"));
 var import_credentials = __toESM(require("next-auth/providers/credentials"));
 var import_cognito = __toESM(require("next-auth/providers/cognito"));
@@ -233,12 +240,153 @@ function createAuth(opts) {
   };
   return (0, import_next_auth.default)(config);
 }
+
+// src/server/jit.ts
+var import_server_only2 = require("server-only");
+var import_headers = require("next/headers");
+
+// src/server/impersonation.ts
+var import_server_only = require("server-only");
+var import_jwt = require("next-auth/jwt");
+var import_server = require("@augmenting-integrations/aws/server");
+var IMPERSONATE_COOKIE_NAME = "__impersonate";
+var IMPERSONATE_TTL_SECONDS = 3600;
+var IMPERSONATE_JWT_SALT = "impersonate.v1";
+var cachedSecret = null;
+async function getAuthSecret() {
+  if (cachedSecret) return cachedSecret;
+  const arn = process.env.AUTH_SECRET_ARN;
+  const fromSm = arn ? await (0, import_server.getSecret)(arn) : null;
+  const secret = fromSm ?? process.env.AUTH_SECRET;
+  if (!secret) {
+    throw new Error(
+      "AUTH_SECRET (or AUTH_SECRET_ARN) must be set to mint/verify impersonation tokens"
+    );
+  }
+  cachedSecret = secret;
+  return secret;
+}
+async function mintImpersonationToken(args) {
+  const secret = await getAuthSecret();
+  const nowSec = Math.floor((args.now?.getTime() ?? Date.now()) / 1e3);
+  const exp = nowSec + IMPERSONATE_TTL_SECONDS;
+  const token = await (0, import_jwt.encode)({
+    secret,
+    salt: IMPERSONATE_JWT_SALT,
+    maxAge: IMPERSONATE_TTL_SECONDS,
+    token: {
+      impersonatedBy: String(args.adminId),
+      sub: String(args.targetId),
+      iat: nowSec,
+      exp
+    }
+  });
+  return { token, expiresAt: new Date(exp * 1e3) };
+}
+async function verifyImpersonationToken(token) {
+  try {
+    const secret = await getAuthSecret();
+    const decoded = await (0, import_jwt.decode)({
+      token,
+      secret,
+      salt: IMPERSONATE_JWT_SALT
+    });
+    if (!decoded) return null;
+    const impersonatedBy = decoded["impersonatedBy"];
+    const sub = decoded["sub"];
+    const iat = decoded["iat"];
+    const exp = decoded["exp"];
+    if (typeof impersonatedBy !== "string" || typeof sub !== "string" || typeof iat !== "number" || typeof exp !== "number") {
+      return null;
+    }
+    if (exp * 1e3 < Date.now()) return null;
+    return { impersonatedBy, sub, iat, exp };
+  } catch {
+    return null;
+  }
+}
+
+// src/server/jit.ts
+var DEFAULT_PLACEHOLDER_HASH = "$2y$12$.cognito-managed.never.used-for-login.placeholder";
+function createGetOrCreateAppUser(opts) {
+  const adminEmailsLower = (opts.adminEmails ?? []).map((s) => s.toLowerCase());
+  const placeholder = opts.placeholderPasswordHash ?? DEFAULT_PLACEHOLDER_HASH;
+  return async function getOrCreateAppUser(session) {
+    const email = session.user?.email;
+    if (!email) {
+      throw new Error("getOrCreateAppUser called with a session that has no user.email");
+    }
+    const db = await opts.db();
+    try {
+      const cookieStore = await (0, import_headers.cookies)();
+      const cookie = cookieStore.get(IMPERSONATE_COOKIE_NAME);
+      if (cookie?.value) {
+        const claims = await verifyImpersonationToken(cookie.value);
+        if (claims) {
+          const [admin, target] = await Promise.all([
+            db.user.findUnique({ where: { id: claims.impersonatedBy } }),
+            db.user.findUnique({ where: { id: claims.sub } })
+          ]);
+          if (admin && admin.role === "admin" && target) {
+            return Object.assign(target, {
+              impersonatedBy: claims.impersonatedBy
+            });
+          }
+        }
+      }
+    } catch {
+    }
+    const existing = await db.user.findUnique({ where: { email } });
+    if (existing) return existing;
+    const groups = session.user.groups ?? [];
+    const fallbackRole = adminEmailsLower.includes(email.toLowerCase()) ? "admin" : groups[0] ?? opts.defaultRole;
+    const name = session.user.name ?? email.split("@")[0];
+    return db.$transaction(async (tx) => {
+      const pendingInvite = await tx.invitation.findFirst({
+        where: {
+          email,
+          accepted_at: null,
+          expires_at: { gt: /* @__PURE__ */ new Date() }
+        },
+        orderBy: { created_at: "desc" }
+      });
+      const role = pendingInvite ? pendingInvite.intended_role : fallbackRole;
+      const parent_id = pendingInvite ? pendingInvite.parent_id : null;
+      const created = await tx.user.create({
+        data: {
+          email,
+          name,
+          role,
+          parent_id,
+          password: placeholder,
+          credit_balance: opts.computeCreditBalance(role),
+          ...opts.extraCreateFields ?? {}
+        }
+      });
+      if (pendingInvite) {
+        await tx.invitation.update({
+          where: { id: pendingInvite.id },
+          data: {
+            accepted_at: /* @__PURE__ */ new Date(),
+            accepted_by_user_id: created.id
+          }
+        });
+      }
+      return created;
+    });
+  };
+}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   AuthError,
+  IMPERSONATE_COOKIE_NAME,
+  IMPERSONATE_TTL_SECONDS,
   createAuth,
+  createGetOrCreateAppUser,
   getUserGroups,
   hasGroup,
-  requireGroup
+  mintImpersonationToken,
+  requireGroup,
+  verifyImpersonationToken
 });
-//# sourceMappingURL=index.cjs.map
+//# sourceMappingURL=server.cjs.map