@aura-stack/auth 0.1.0-rc.1

package/dist/schemas.d.ts

@@ -0,0 +1,130 @@
+import * as zod_v4_core from 'zod/v4/core';
+import * as zod_v4 from 'zod/v4';
+
+/**
+ * Schema for OAuth Provider Configuration
+ */
+declare const OAuthProviderConfigSchema: zod_v4.ZodObject<{
+    authorizeURL: zod_v4.ZodURL;
+    accessToken: zod_v4.ZodURL;
+    scope: zod_v4.ZodOptional<zod_v4.ZodString>;
+    userInfo: zod_v4.ZodURL;
+    responseType: zod_v4.ZodEnum<{
+        code: "code";
+        token: "token";
+        id_token: "id_token";
+    }>;
+    clientId: zod_v4.ZodString;
+    clientSecret: zod_v4.ZodString;
+}, zod_v4_core.$strip>;
+/**
+ * Schema used to create the authorization URL for the OAuth flow and verify the
+ * OAuth configuration.
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1
+ */
+declare const OAuthAuthorization: zod_v4.ZodObject<{
+    authorizeURL: zod_v4.ZodURL;
+    accessToken: zod_v4.ZodURL;
+    scope: zod_v4.ZodOptional<zod_v4.ZodString>;
+    userInfo: zod_v4.ZodURL;
+    responseType: zod_v4.ZodEnum<{
+        code: "code";
+        token: "token";
+        id_token: "id_token";
+    }>;
+    clientId: zod_v4.ZodString;
+    clientSecret: zod_v4.ZodString;
+    redirectURI: zod_v4.ZodString;
+    state: zod_v4.ZodString;
+    codeChallenge: zod_v4.ZodString;
+    codeChallengeMethod: zod_v4.ZodEnum<{
+        plain: "plain";
+        S256: "S256";
+    }>;
+}, zod_v4_core.$strip>;
+/**
+ * Schema used in the callback action to validate the authorization response when the resource owner
+ * has granted.
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2
+ */
+declare const OAuthAuthorizationResponse: zod_v4.ZodObject<{
+    state: zod_v4.ZodString;
+    code: zod_v4.ZodString;
+}, zod_v4_core.$strip>;
+/**
+ * Schema used in the callback action to validate the authorization error response when the resource owner
+ * has denied the authorization request.
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1
+ */
+declare const OAuthAuthorizationErrorResponse: zod_v4.ZodObject<{
+    error: zod_v4.ZodEnum<{
+        invalid_request: "invalid_request";
+        unauthorized_client: "unauthorized_client";
+        access_denied: "access_denied";
+        unsupported_response_type: "unsupported_response_type";
+        invalid_scope: "invalid_scope";
+        server_error: "server_error";
+        temporarily_unavailable: "temporarily_unavailable";
+    }>;
+    error_description: zod_v4.ZodOptional<zod_v4.ZodString>;
+    error_uri: zod_v4.ZodOptional<zod_v4.ZodString>;
+    state: zod_v4.ZodString;
+}, zod_v4_core.$strip>;
+/**
+ * Schema for OAuth Access Token Request and OAuth Configuration
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3
+ */
+declare const OAuthAccessToken: zod_v4.ZodObject<{
+    authorizeURL: zod_v4.ZodURL;
+    accessToken: zod_v4.ZodURL;
+    scope: zod_v4.ZodOptional<zod_v4.ZodString>;
+    userInfo: zod_v4.ZodURL;
+    responseType: zod_v4.ZodEnum<{
+        code: "code";
+        token: "token";
+        id_token: "id_token";
+    }>;
+    clientId: zod_v4.ZodString;
+    clientSecret: zod_v4.ZodString;
+    redirectURI: zod_v4.ZodString;
+    code: zod_v4.ZodString;
+    codeVerifier: zod_v4.ZodString;
+}, zod_v4_core.$strip>;
+/**
+ * Schema for OAuth Access Token Response
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.1
+ * @see https://datatracker.ietf.org/doc/html/rfc7636#section-4
+ */
+declare const OAuthAccessTokenResponse: zod_v4.ZodObject<{
+    access_token: zod_v4.ZodString;
+    token_type: zod_v4.ZodString;
+    expires_in: zod_v4.ZodOptional<zod_v4.ZodNumber>;
+    refresh_token: zod_v4.ZodOptional<zod_v4.ZodString>;
+    scope: zod_v4.ZodOptional<zod_v4.ZodString>;
+}, zod_v4_core.$strip>;
+/**
+ * Schema for OAuth Access Token Error Response
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
+ */
+declare const OAuthAccessTokenErrorResponse: zod_v4.ZodObject<{
+    error: zod_v4.ZodEnum<{
+        invalid_request: "invalid_request";
+        unauthorized_client: "unauthorized_client";
+        invalid_scope: "invalid_scope";
+        invalid_client: "invalid_client";
+        invalid_grant: "invalid_grant";
+        unsupported_grant_type: "unsupported_grant_type";
+    }>;
+    error_description: zod_v4.ZodOptional<zod_v4.ZodString>;
+    error_uri: zod_v4.ZodOptional<zod_v4.ZodString>;
+}, zod_v4_core.$strip>;
+/**
+ * @todo: verify if this schema is still needed
+ * @deprecated
+ */
+declare const OAuthErrorResponse: zod_v4.ZodObject<{
+    error: zod_v4.ZodString;
+    error_description: zod_v4.ZodOptional<zod_v4.ZodString>;
+}, zod_v4_core.$strip>;
+
+export { OAuthAccessToken, OAuthAccessTokenErrorResponse, OAuthAccessTokenResponse, OAuthAuthorization, OAuthAuthorizationErrorResponse, OAuthAuthorizationResponse, OAuthErrorResponse, OAuthProviderConfigSchema };

package/dist/schemas.js

@@ -0,0 +1,20 @@
+import {
+  OAuthAccessToken,
+  OAuthAccessTokenErrorResponse,
+  OAuthAccessTokenResponse,
+  OAuthAuthorization,
+  OAuthAuthorizationErrorResponse,
+  OAuthAuthorizationResponse,
+  OAuthErrorResponse,
+  OAuthProviderConfigSchema
+} from "./chunk-HMRKN75I.js";
+export {
+  OAuthAccessToken,
+  OAuthAccessTokenErrorResponse,
+  OAuthAccessTokenResponse,
+  OAuthAuthorization,
+  OAuthAuthorizationErrorResponse,
+  OAuthAuthorizationResponse,
+  OAuthErrorResponse,
+  OAuthProviderConfigSchema
+};

package/dist/secure.cjs

@@ -0,0 +1,120 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/secure.ts
+var secure_exports = {};
+__export(secure_exports, {
+  createCSRF: () => createCSRF,
+  createDerivedSalt: () => createDerivedSalt,
+  createHash: () => createHash,
+  createPKCE: () => createPKCE,
+  generateSecure: () => generateSecure,
+  verifyCSRF: () => verifyCSRF
+});
+module.exports = __toCommonJS(secure_exports);
+var import_node_crypto = __toESM(require("crypto"), 1);
+
+// src/utils.ts
+var import_router = require("@aura-stack/router");
+
+// src/error.ts
+var AuthError = class extends Error {
+  constructor(type, message) {
+    super(message);
+    this.type = type;
+    this.name = "AuthError";
+  }
+};
+var InvalidCsrfTokenError = class extends AuthError {
+  constructor(message = "The provided CSRF token is invalid or has expired") {
+    super("invalid_csrf_token", message);
+    this.name = "InvalidCsrfTokenError";
+  }
+};
+
+// src/utils.ts
+var equals = (a, b) => {
+  if (a === null || b === null || a === void 0 || b === void 0) return false;
+  return a === b;
+};
+
+// src/secure.ts
+var generateSecure = (length = 32) => {
+  return import_node_crypto.default.randomBytes(length).toString("base64url");
+};
+var createHash = (data, base = "hex") => {
+  return import_node_crypto.default.createHash("sha256").update(data).digest().toString(base);
+};
+var createPKCE = async (verifier) => {
+  const codeVerifier = verifier ?? generateSecure(86);
+  const codeChallenge = createHash(codeVerifier, "base64url");
+  return { codeVerifier, codeChallenge, method: "S256" };
+};
+var createCSRF = async (jose, csrfCookie) => {
+  try {
+    const token = generateSecure(32);
+    if (csrfCookie) {
+      await jose.verifyJWS(csrfCookie);
+      return csrfCookie;
+    }
+    return jose.signJWS({ token });
+  } catch {
+    const token = generateSecure(32);
+    return jose.signJWS({ token });
+  }
+};
+var verifyCSRF = async (jose, cookie, header) => {
+  try {
+    const { token: cookieToken } = await jose.verifyJWS(cookie);
+    const { token: headerToken } = await jose.verifyJWS(header);
+    const cookieBuffer = Buffer.from(cookieToken);
+    const headerBuffer = Buffer.from(headerToken);
+    if (!equals(headerBuffer.length, cookieBuffer.length)) {
+      throw new InvalidCsrfTokenError();
+    }
+    if (!import_node_crypto.default.timingSafeEqual(cookieBuffer, headerBuffer)) {
+      throw new InvalidCsrfTokenError();
+    }
+    return true;
+  } catch {
+    throw new InvalidCsrfTokenError();
+  }
+};
+var createDerivedSalt = (secret) => {
+  return import_node_crypto.default.createHash("sha256").update(secret).update("aura-auth-salt").digest("hex");
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createCSRF,
+  createDerivedSalt,
+  createHash,
+  createPKCE,
+  generateSecure,
+  verifyCSRF
+});

package/dist/secure.d.ts

@@ -0,0 +1,43 @@
+import { A as AuthRuntimeConfig } from './index-CGRZ0wrw.js';
+import 'zod/v4';
+import './jose.js';
+import '@aura-stack/jose/jose';
+import './schemas.js';
+import 'zod/v4/core';
+import '@aura-stack/router';
+import 'cookie';
+import './@types/utility.js';
+
+declare const generateSecure: (length?: number) => string;
+declare const createHash: (data: string, base?: "hex" | "base64" | "base64url") => string;
+/**
+ * Creates the code challenge flow for PKCE OAuth flow. It generates a code verifier and its corresponding
+ * code challenge using SHA-256 hashing.
+ *   - code_verifier: A cryptographically random string used to mitigate authorization code interception attacks.
+ *   - code_challenge: A hashed version of the code_verifier sent in the authorization request.
+ *   - method: The method used to generate the code challenge, typically "S256" for SHA-256.
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc7636#section-4.1
+ */
+declare const createPKCE: (verifier?: string) => Promise<{
+    codeVerifier: string;
+    codeChallenge: string;
+    method: string;
+}>;
+/**
+ * Creates a CSRF token to be used in OAuth flows to prevent cross-site request forgery attacks.
+ *
+ * @param csrfCookie - Optional existing CSRF cookie to verify and reuse
+ * @returns Signed CSRF token
+ */
+declare const createCSRF: (jose: AuthRuntimeConfig["jose"], csrfCookie?: string) => Promise<string>;
+declare const verifyCSRF: (jose: AuthRuntimeConfig["jose"], cookie: string, header: string) => Promise<boolean>;
+/**
+ * Creates a deterministic derived salt from the provided secret.
+ *
+ * @param secret the base secret to derive the salt from
+ * @returns the derived salt as a hexadecimal string
+ */
+declare const createDerivedSalt: (secret: string) => string;
+
+export { createCSRF, createDerivedSalt, createHash, createPKCE, generateSecure, verifyCSRF };

package/dist/secure.js

@@ -0,0 +1,18 @@
+import {
+  createCSRF,
+  createDerivedSalt,
+  createHash,
+  createPKCE,
+  generateSecure,
+  verifyCSRF
+} from "./chunk-GZU3RBTB.js";
+import "./chunk-256KIVJL.js";
+import "./chunk-FJUDBLCP.js";
+export {
+  createCSRF,
+  createDerivedSalt,
+  createHash,
+  createPKCE,
+  generateSecure,
+  verifyCSRF
+};

package/dist/utils.cjs

@@ -0,0 +1,141 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/utils.ts
+var utils_exports = {};
+__export(utils_exports, {
+  equals: () => equals,
+  getNormalizedOriginPath: () => getNormalizedOriginPath,
+  isValidRelativePath: () => isValidRelativePath,
+  onErrorHandler: () => onErrorHandler,
+  sanitizeURL: () => sanitizeURL,
+  toCastCase: () => toCastCase,
+  toISOString: () => toISOString,
+  toSnakeCase: () => toSnakeCase,
+  toUpperCase: () => toUpperCase
+});
+module.exports = __toCommonJS(utils_exports);
+var import_router = require("@aura-stack/router");
+
+// src/error.ts
+var AuthError = class extends Error {
+  constructor(type, message) {
+    super(message);
+    this.type = type;
+    this.name = "AuthError";
+  }
+};
+var isAuthError = (error) => {
+  return error instanceof AuthError;
+};
+
+// src/utils.ts
+var toSnakeCase = (str) => {
+  return str.replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/([A-Z]+)([A-Z][a-z])/g, "$1_$2").toLowerCase().replace(/^_+/, "");
+};
+var toUpperCase = (str) => {
+  return str.toUpperCase();
+};
+var toCastCase = (obj, type = "snake") => {
+  return Object.entries(obj).reduce((previous, [key, value]) => {
+    const newKey = type === "snake" ? toSnakeCase(key) : toUpperCase(key);
+    return { ...previous, [newKey]: value };
+  }, {});
+};
+var equals = (a, b) => {
+  if (a === null || b === null || a === void 0 || b === void 0) return false;
+  return a === b;
+};
+var sanitizeURL = (url) => {
+  try {
+    let decodedURL = decodeURIComponent(url).trim();
+    const protocolMatch = decodedURL.match(/^([a-zA-Z][a-zA-Z0-9+.-]*:\/\/)/);
+    let protocol = "";
+    let rest = decodedURL;
+    if (protocolMatch) {
+      protocol = protocolMatch[1];
+      rest = decodedURL.slice(protocol.length);
+      const slashIndex = rest.indexOf("/");
+      if (slashIndex === -1) {
+        return protocol + rest;
+      }
+      const domain = rest.slice(0, slashIndex);
+      let path = rest.slice(slashIndex).replace(/\/\.\.\//g, "/").replace(/\/\.\.$/, "").replace(/\.{2,}/g, "").replace(/\/{2,}/g, "/");
+      if (path !== "/" && path.endsWith("/")) {
+        path = path.replace(/\/+$/, "/");
+      } else if (path !== "/") {
+        path = path.replace(/\/+$/, "");
+      }
+      return protocol + domain + path;
+    }
+    let sanitized = decodedURL.replace(/\/\.\.\//g, "/").replace(/\/\.\.$/, "").replace(/\.{2,}/g, "").replace(/\/{2,}/g, "/");
+    if (sanitized !== "/" && sanitized.endsWith("/")) {
+      sanitized = sanitized.replace(/\/+$/, "/");
+    } else if (sanitized !== "/") {
+      sanitized = sanitized.replace(/\/+$/, "");
+    }
+    return sanitized;
+  } catch {
+    return url.trim();
+  }
+};
+var isValidRelativePath = (path) => {
+  if (!path || typeof path !== "string") return false;
+  if (!path.startsWith("/") || path.includes("://") || path.includes("\r") || path.includes("\n")) return false;
+  if (/[\x00-\x1F\x7F]/.test(path) || path.includes("\0")) return false;
+  const sanitized = sanitizeURL(path);
+  if (sanitized.includes("..")) return false;
+  return true;
+};
+var onErrorHandler = (error) => {
+  if ((0, import_router.isRouterError)(error)) {
+    const { message, status, statusText } = error;
+    return Response.json({ error: "invalid_request", error_description: message }, { status, statusText });
+  }
+  if (isAuthError(error)) {
+    const { type, message } = error;
+    return Response.json({ error: type, error_description: message }, { status: 400 });
+  }
+  return Response.json({ error: "server_error", error_description: "An unexpected error occurred" }, { status: 500 });
+};
+var getNormalizedOriginPath = (path) => {
+  try {
+    const url = new URL(path);
+    url.hash = "";
+    url.search = "";
+    return `${url.origin}${url.pathname}`;
+  } catch {
+    return sanitizeURL(path);
+  }
+};
+var toISOString = (date) => {
+  return new Date(date).toISOString();
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  equals,
+  getNormalizedOriginPath,
+  isValidRelativePath,
+  onErrorHandler,
+  sanitizeURL,
+  toCastCase,
+  toISOString,
+  toSnakeCase,
+  toUpperCase
+});

package/dist/utils.d.ts

@@ -0,0 +1,45 @@
+import { RouterConfig } from '@aura-stack/router';
+
+declare const toSnakeCase: (str: string) => string;
+declare const toUpperCase: (str: string) => string;
+declare const toCastCase: <Obj extends Record<string, any>, Type extends "snake" | "upper">(obj: Obj, type?: Type) => Type extends "snake" ? { [K in keyof Obj as `${string & K}`]: Obj[K]; } : { [K in keyof Obj as Uppercase<string & K>]: Obj[K]; };
+declare const equals: (a: string | number | undefined | null, b: string | number | undefined | null) => boolean;
+/**
+ * Sanitizes a URL by removing dangerous patterns that could be used for path traversal
+ * or other attacks. This function:
+ * - Decodes URL-encoded characters
+ * - Removes multiple consecutive slashes (preserving protocol slashes)
+ * - Removes path traversal patterns (..)
+ * - Removes trailing slashes (except root)
+ * - Trims whitespace
+ *
+ * @param url - The URL or path to sanitize
+ * @returns The sanitized URL or path
+ */
+declare const sanitizeURL: (url: string) => string;
+/**
+ * Validates that a path is a safe relative path to prevent open redirect attacks.
+ * A safe relative path must:
+ * - Start with '/'
+ * - Not contain protocol schemes (://)
+ * - Not contain newline characters
+ * - Not contain null bytes
+ * - Not be an absolute URL
+ *
+ * @param path - The path to validate
+ * @returns true if the path is safe, false otherwise
+ */
+declare const isValidRelativePath: (path: string | undefined | null) => boolean;
+declare const onErrorHandler: RouterConfig["onError"];
+/**
+ * Extracts and normalizes the origin and pathname from a URL string.
+ * Removes query parameters and hash fragments for a clean path.
+ * Falls back to the original string if URL parsing fails.
+ *
+ * @param path - The URL or path string to process
+ * @returns The normalized URL with origin and pathname, or the original path
+ */
+declare const getNormalizedOriginPath: (path: string) => string;
+declare const toISOString: (date: Date | string | number) => string;
+
+export { equals, getNormalizedOriginPath, isValidRelativePath, onErrorHandler, sanitizeURL, toCastCase, toISOString, toSnakeCase, toUpperCase };

package/dist/utils.js

@@ -0,0 +1,23 @@
+import {
+  equals,
+  getNormalizedOriginPath,
+  isValidRelativePath,
+  onErrorHandler,
+  sanitizeURL,
+  toCastCase,
+  toISOString,
+  toSnakeCase,
+  toUpperCase
+} from "./chunk-256KIVJL.js";
+import "./chunk-FJUDBLCP.js";
+export {
+  equals,
+  getNormalizedOriginPath,
+  isValidRelativePath,
+  onErrorHandler,
+  sanitizeURL,
+  toCastCase,
+  toISOString,
+  toSnakeCase,
+  toUpperCase
+};

package/package.json

@@ -0,0 +1,70 @@
+{
+  "name": "@aura-stack/auth",
+  "version": "0.1.0-rc.1",
+  "private": false,
+  "type": "module",
+  "description": "Core auth for @aura-stack/auth",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/aura-stack-ts/auth"
+  },
+  "publishConfig": {
+    "access": "public",
+    "registry": "https://registry.npmjs.org/@aura-stack/auth"
+  },
+  "files": [
+    "dist"
+  ],
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "require": "./dist/index.cjs"
+    },
+    "./oauth/*": {
+      "types": "./dist/oauth/*.d.ts",
+      "import": "./dist/oauth/*.js",
+      "require": "./dist/oauth/*.cjs"
+    },
+    "./types": {
+      "types": "./dist/@types/index.d.ts",
+      "import": "./dist/@types/index.js",
+      "require": "./dist/@types/index.cjs"
+    }
+  },
+  "keywords": [
+    "auth",
+    "session",
+    "authentication"
+  ],
+  "author": "Aura Stack <aurastackjs@gmail.com> | Hernan Alvarado <halvaradop.dev@gmail.com>",
+  "homepage": "https://aura-stack-auth.vercel.app",
+  "bugs": {
+    "url": "https://github.com/aura-stack-ts/auth/issues"
+  },
+  "license": "MIT",
+  "dependencies": {
+    "@aura-stack/router": "^0.4.0",
+    "cookie": "^1.0.2",
+    "dotenv": "^17.2.3",
+    "zod": "^4.1.12",
+    "@aura-stack/jose": "0.1.0-rc.1"
+  },
+  "devDependencies": {
+    "@aura-stack/tsconfig": "0.0.0",
+    "@aura-stack/tsup-config": "0.0.0"
+  },
+  "scripts": {
+    "dev": "tsup --watch",
+    "build": "tsup",
+    "test": "vitest --run",
+    "test:watch": "vitest",
+    "test:coverage": "vitest --run --coverage",
+    "format": "prettier --write . --cache --cache-location .cache/.prettiercache",
+    "format:check": "prettier --check . --cache --cache-location .cache/.prettiercache",
+    "type-check": "tsc --noEmit",
+    "clean": "rm -rf dist",
+    "clean:cts": "rm -rf dist/*.cts",
+    "prepublish": "pnpm clean:cts"
+  }
+}