@beeblock/svelar 0.4.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Raoni
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,110 @@
+<p align="center">
+  <img src="https://raw.githubusercontent.com/beeblock/svelar/main/docs/assets/svelar-full-logo.svg" alt="Svelar" width="180" />
+</p>
+
+<h1 align="center">Svelar</h1>
+
+Laravel-inspired framework on top of SvelteKit 2. Brings the developer experience of Laravel — routing, middleware, Eloquent-style ORM, service container, auth, sessions, caching, queues, mail, broadcasting, and more — into the SvelteKit ecosystem.
+
+**Batteries included.** Authentication, dashboard, admin panel, email templates, API keys, team management, file uploads, and more — all out of the box so you can focus on building your core business features.
+
+## Documentation
+
+Full documentation is available at **[svelar.dev](https://svelar.dev)**.
+
+## Quick Start
+
+```bash
+# Scaffold a new project
+npx svelar new my-app
+cd my-app
+npm install
+npx svelar migrate
+npm run dev
+```
+
+Or add to an existing SvelteKit project:
+
+```bash
+npm install @beeblock/svelar
+```
+
+See the [Getting Started guide](https://svelar.dev/docs/getting-started) for a complete walkthrough.
+
+## Features
+
+| Module | Import | Description |
+|--------|--------|-------------|
+| **ORM** | `svelar/orm` | Eloquent-style models with relationships, soft deletes, scopes, eager loading |
+| **Database** | `svelar/database` | Schema builder, migrations, seeders (SQLite, PostgreSQL, MySQL) |
+| **Auth** | `svelar/auth` | Session, JWT (with refresh tokens), API tokens, password reset, email verification, OTP login |
+| **Middleware** | `svelar/middleware` | CORS, CSRF, rate limiting, origin validation, request signatures |
+| **Routing** | `svelar/routing` | Controllers, form requests, API resources, response helpers |
+| **Validation** | `svelar/validation` | Zod-based validation with FormRequest DTOs |
+| **Session** | `svelar/session` | Cookie, memory, Redis, and database session stores |
+| **Hashing** | `svelar/hashing` | scrypt (zero-dep), bcrypt, argon2 |
+| **Queue** | `svelar/queue` | Job dispatching with sync, memory, and Redis (BullMQ) drivers |
+| **Scheduler** | `svelar/scheduler` | Cron-based task scheduling with distributed locking and DB history |
+| **Events** | `svelar/events` | Typed event dispatcher with listeners and subscribers |
+| **Broadcasting** | `svelar/broadcasting` | Server-Sent Events and Pusher/Soketi WebSocket support |
+| **Cache** | `svelar/cache` | Memory and Redis cache with TTL and remember pattern |
+| **Storage** | `svelar/storage` | Local and S3-compatible file storage |
+| **Mail** | `svelar/mail` | SMTP, Postmark, Resend, log, and null transports with Mailable classes |
+| **Excel** | `svelar/excel` | Import/export Excel files with streaming support for large datasets |
+| **Notifications** | `svelar/notifications` | Multi-channel notifications (mail, database, broadcast) |
+| **Logging** | `svelar/logging` | File-based logger with levels and rotation |
+| **HTTP Client** | `svelar/http` | Client-side CSRF fetch + server-side fluent HTTP client for third-party APIs |
+| **Permissions** | `svelar/permissions` | Role-based access control with permissions and gates |
+| **i18n** | `svelar/i18n` | Paraglide-js integration with language switcher |
+| **Forms** | `svelar/forms` | SvelteKit Superforms integration helpers |
+| **UI Components** | `svelar/ui` | Button, Card, Input, Alert, Badge, Avatar, Tabs, Icon, Toaster |
+| **Hooks** | `svelar/hooks` | One-line SvelteKit hooks setup with sensible defaults |
+| **Container** | `svelar/container` | IoC container with singleton/transient bindings |
+| **Plugins** | `svelar/plugins` | Plugin discovery, publishing, and CLI management |
+| **PDF** | `svelar/pdf` | PDF generation with PDFKit (default) and Gotenberg drivers |
+| **Feature Flags** | `svelar/feature-flags` | Per-user, per-team, and percentage rollout feature flags |
+| **Audit** | `svelar/audit` | Model change tracking |
+| **API Keys** | `svelar/api-keys` | API key generation, validation, and management |
+| **Webhooks** | `svelar/webhooks` | Webhook dispatch and signature verification |
+| **Teams** | `svelar/teams` | Multi-tenant team management with database-backed storage |
+| **Email Templates** | `svelar/email-templates` | Database-stored templates with variable interpolation |
+| **Uploads** | `svelar/uploads` | File upload handling with validation (local + S3) |
+| **Dashboard** | `svelar/dashboard` | Admin dashboard with job/scheduler monitoring and log viewer |
+
+## CLI
+
+```bash
+npx svelar new my-app                  # scaffold a new project
+npx svelar make:model Post -m -c       # model + migration + controller
+npx svelar make:service PaymentService # service class
+npx svelar make:job SendEmail          # queue job
+npx svelar make:task CleanupTokens     # scheduled task
+npx svelar migrate                     # run migrations
+npx svelar schedule:run                # start the scheduler
+npx svelar queue:work                  # process queue jobs
+npx svelar tinker                      # interactive REPL
+```
+
+30+ code generation commands available. Run `npx svelar` to see all commands.
+
+## Database Support
+
+```bash
+# SQLite (recommended for development)
+npm install better-sqlite3
+
+# PostgreSQL
+npm install postgres
+
+# MySQL
+npm install mysql2
+```
+
+## Requirements
+
+- Node.js >= 20
+- SvelteKit >= 2.0
+
+## License
+
+MIT

package/dist/actions/index.d.ts

@@ -0,0 +1,101 @@
+/**
+ * Svelar Actions
+ *
+ * Single-responsibility action classes for complex business operations.
+ * Each action does ONE thing, following the Command pattern.
+ *
+ * @example
+ * ```ts
+ * import { Action } from 'svelar/actions';
+ *
+ * class RegisterUserAction extends Action<RegisterDTO, User> {
+ *   constructor(
+ *     private userRepo: UserRepository,
+ *     private mailer: Mailer,
+ *   ) {
+ *     super();
+ *   }
+ *
+ *   async execute(data: RegisterDTO): Promise<User> {
+ *     const user = await this.userRepo.create({
+ *       name: data.name,
+ *       email: data.email,
+ *       password: await Hash.make(data.password),
+ *     });
+ *
+ *     await this.mailer.send({
+ *       to: user.email,
+ *       template: 'welcome',
+ *     });
+ *
+ *     return user;
+ *   }
+ * }
+ *
+ * // Usage
+ * const action = new RegisterUserAction(userRepo, mailer);
+ * const user = await action.run(dto);
+ * ```
+ */
+export interface ActionResult<T = any> {
+    success: boolean;
+    data?: T;
+    error?: string;
+}
+export type ActionMiddleware<TInput = any> = (input: TInput, next: (input: TInput) => Promise<any>) => Promise<any>;
+export declare abstract class Action<TInput = any, TOutput = any> {
+    private beforeHooks;
+    private afterHooks;
+    private middlewarePipeline;
+    /**
+     * Execute the action logic. Override this in subclasses.
+     */
+    abstract execute(input: TInput): Promise<TOutput>;
+    /**
+     * Run the action with before/after hooks and middleware pipeline
+     */
+    run(input: TInput): Promise<TOutput>;
+    /**
+     * Run the action and catch errors, returning an ActionResult
+     */
+    runSafe(input: TInput): Promise<ActionResult<TOutput>>;
+    /**
+     * Register a before hook
+     */
+    before(hook: (input: TInput) => Promise<void> | void): this;
+    /**
+     * Register an after hook
+     */
+    after(hook: (input: TInput, output: TOutput) => Promise<void> | void): this;
+    /**
+     * Add middleware to the action pipeline
+     */
+    through(middleware: ActionMiddleware<TInput>): this;
+    /**
+     * Run the action through the middleware pipeline
+     */
+    private runWithMiddleware;
+}
+/**
+ * An action that can be chained into a pipeline of actions.
+ * The output of one becomes the input of the next.
+ */
+export declare abstract class ChainableAction<TInput = any, TOutput = any> extends Action<TInput, TOutput> {
+    /**
+     * Chain another action after this one
+     */
+    then<TNext>(nextAction: ChainableAction<TOutput, TNext>): ChainableAction<TInput, TNext>;
+}
+/**
+ * Create an action from a simple function, without creating a class.
+ *
+ * @example
+ * ```ts
+ * const sendEmail = inlineAction(async (data: { to: string; body: string }) => {
+ *   await mailer.send(data);
+ * });
+ *
+ * await sendEmail.run({ to: 'user@example.com', body: 'Hello!' });
+ * ```
+ */
+export declare function inlineAction<TInput = any, TOutput = any>(fn: (input: TInput) => Promise<TOutput>): Action<TInput, TOutput>;

package/dist/actions/index.js

@@ -0,0 +1 @@
+var i=class{beforeHooks=[];afterHooks=[];middlewarePipeline=[];async run(t){for(let u of this.beforeHooks)await u(t);let e;this.middlewarePipeline.length>0?e=await this.runWithMiddleware(t):e=await this.execute(t);for(let u of this.afterHooks)await u(t,e);return e}async runSafe(t){try{return{success:!0,data:await this.run(t)}}catch(e){return{success:!1,error:e.message}}}before(t){return this.beforeHooks.push(t),this}after(t){return this.afterHooks.push(t),this}through(t){return this.middlewarePipeline.push(t),this}async runWithMiddleware(t){let e=0,u=this.middlewarePipeline,o=async a=>{if(e>=u.length)return this.execute(a);let p=u[e++];return p(a,o)};return o(t)}},r=class extends i{then(t){return new s(this,t)}},s=class extends r{constructor(e,u){super();this.first=e;this.second=u}async execute(e){let u=await this.first.run(e);return this.second.run(u)}};function T(n){class t extends i{async execute(u){return n(u)}}return new t}export{i as Action,r as ChainableAction,T as inlineAction};

package/dist/api-keys/index.d.ts

@@ -0,0 +1,58 @@
+/**
+ * Svelar API Key Management
+ * Generate, validate, and revoke API keys for programmatic access.
+ */
+export interface ApiKeyRecord {
+    id: string;
+    userId: string | number;
+    name: string;
+    key: string;
+    prefix: string;
+    lastUsedAt?: number;
+    expiresAt?: number;
+    permissions?: string[];
+    metadata?: Record<string, any>;
+    createdAt: number;
+    revokedAt?: number;
+}
+export interface CreateKeyOptions {
+    name: string;
+    userId: string | number;
+    prefix?: string;
+    permissions?: string[];
+    expiresIn?: number;
+    metadata?: Record<string, any>;
+}
+export interface ApiKeyConfig {
+    driver: 'database' | 'memory';
+    table?: string;
+    prefix?: string;
+    hashAlgorithm?: string;
+}
+declare class ApiKeyManager {
+    private config;
+    private keys;
+    configure(config: ApiKeyConfig): void;
+    private hashKey;
+    private generateRandomKey;
+    /** Generate a new API key. Returns the PLAIN TEXT key (only shown once!) */
+    create(options: CreateKeyOptions): Promise<{
+        record: ApiKeyRecord;
+        plainTextKey: string;
+    }>;
+    /** Validate a key and return the associated record */
+    validate(plainTextKey: string): Promise<ApiKeyRecord | null>;
+    /** Revoke a key */
+    revoke(keyId: string): Promise<boolean>;
+    /** List keys for a user */
+    listForUser(userId: string | number): Promise<ApiKeyRecord[]>;
+    /** Rotate a key (revoke old, create new with same settings) */
+    rotate(keyId: string): Promise<{
+        record: ApiKeyRecord;
+        plainTextKey: string;
+    } | null>;
+    /** Check if a key has a specific permission */
+    hasPermission(plainTextKey: string, permission: string): Promise<boolean>;
+}
+export declare const ApiKeys: ApiKeyManager;
+export {};

package/dist/api-keys/index.js

@@ -0,0 +1 @@
+var w=Object.defineProperty;var h=(c,e)=>()=>(c&&(e=c(c=0)),e);var C=(c,e)=>{for(var t in e)w(c,t,{get:e[t],enumerable:!0})};function u(c,e){let t=Symbol.for(c),r=globalThis;return r[t]||(r[t]=e()),r[t]}var p=h(()=>{"use strict"});var f={};C(f,{Connection:()=>b});var m,b,y=h(()=>{"use strict";p();m=class{connections=new Map;config=null;defaultName="default";configure(e){this.config=e,this.defaultName=e.default}async connection(e){let t=e??this.defaultName;if(this.connections.has(t))return this.connections.get(t).drizzle;if(!this.config)throw new Error("Database not configured. Call Connection.configure() first, or register DatabaseServiceProvider.");let r=this.config.connections[t];if(!r)throw new Error(`Database connection "${t}" is not defined in configuration.`);let i=await this.createConnection(r);return this.connections.set(t,i),i.drizzle}async rawClient(e){let t=e??this.defaultName;return await this.connection(t),this.connections.get(t).rawClient}async raw(e,t=[],r){let i=await this.connection(r),n=this.getConfig(r);switch(n.driver){case"sqlite":{let s=await this.rawClient(r),l=t.map(o=>typeof o=="boolean"?o?1:0:o instanceof Date?o.toISOString():o),a=s.prepare(e),d=e.trimStart().toUpperCase();return d.startsWith("SELECT")||d.startsWith("PRAGMA")||d.startsWith("WITH")?a.all(...l):a.run(...l)}case"postgres":return(await this.rawClient(r))(e,...t);case"mysql":{let s=await this.rawClient(r),[l]=await s.execute(e,t);return l}default:throw new Error(`Unsupported driver: ${n.driver}`)}}getDriver(e){return this.getConfig(e).driver}getConfig(e){let t=e??this.defaultName;if(!this.config)throw new Error("Database not configured.");let r=this.config.connections[t];if(!r)throw new Error(`Database connection "${t}" is not defined.`);return r}async disconnect(e){if(e){let t=this.connections.get(e);t&&(await this.closeConnection(t),this.connections.delete(e))}else{for(let[t,r]of this.connections)await this.closeConnection(r);this.connections.clear()}}isConnected(e){return this.connections.has(e??this.defaultName)}async transaction(e,t){let r=this.getConfig(t),i=await this.rawClient(t);switch(r.driver){case"sqlite":{i.exec("BEGIN");try{let n=await e();return i.exec("COMMIT"),n}catch(n){throw i.exec("ROLLBACK"),n}}case"postgres":{await i`BEGIN`;try{let n=await e();return await i`COMMIT`,n}catch(n){throw await i`ROLLBACK`,n}}case"mysql":{let n=await i.getConnection();await n.beginTransaction();try{let s=await e();return await n.commit(),n.release(),s}catch(s){throw await n.rollback(),n.release(),s}}default:throw new Error(`Unsupported driver: ${r.driver}`)}}async createConnection(e){switch(e.driver){case"sqlite":return this.createSQLiteConnection(e);case"postgres":return this.createPostgresConnection(e);case"mysql":return this.createMySQLConnection(e);default:throw new Error(`Unsupported database driver: ${e.driver}`)}}async createSQLiteConnection(e){let t=e.filename??e.database??":memory:";try{let r=(await import("better-sqlite3")).default,{drizzle:i}=await import("drizzle-orm/better-sqlite3"),n=new r(t);return n.pragma("journal_mode = WAL"),n.pragma("foreign_keys = ON"),{drizzle:i(n),config:e,rawClient:n}}catch(r){let i;try{i=(await new Function("mod","return import(mod)")("node:sqlite")).DatabaseSync}catch{throw new Error(`No SQLite driver available. Install better-sqlite3 (npm install better-sqlite3) or use Node.js v22+ which includes built-in SQLite support. Original error: ${r instanceof Error?r.message:String(r)}`)}let n=new i(t);n.exec("PRAGMA journal_mode = WAL"),n.exec("PRAGMA foreign_keys = ON");let s={prepare(a){let d=n.prepare(a);return{all(...o){return d.all(...o)},run(...o){return d.run(...o)},get(...o){return d.get(...o)}}},exec(a){n.exec(a)},pragma(a){return n.prepare(`PRAGMA ${a}`).all()},close(){n.close()}},l;try{let{drizzle:a}=await import("drizzle-orm/better-sqlite3");l=a(s)}catch{l=s}return{drizzle:l,config:e,rawClient:s}}}async createPostgresConnection(e){let t=(await import("postgres")).default,{drizzle:r}=await import("drizzle-orm/postgres-js"),i=e.url??`postgres://${e.user}:${e.password}@${e.host??"localhost"}:${e.port??5432}/${e.database}`,n=t(i);return{drizzle:r(n),config:e,rawClient:n}}async createMySQLConnection(e){let t=await import("mysql2/promise"),{drizzle:r}=await import("drizzle-orm/mysql2"),i=t.createPool({host:e.host??"localhost",port:e.port??3306,database:e.database,user:e.user,password:e.password,uri:e.url});return{drizzle:r(i),config:e,rawClient:i}}async closeConnection(e){try{switch(e.config.driver){case"sqlite":e.rawClient.close();break;case"postgres":await e.rawClient.end();break;case"mysql":await e.rawClient.end();break}}catch{}}},b=u("svelar.connection",()=>new m)});p();import{randomBytes as v,createHash as A,timingSafeEqual as x}from"crypto";import{randomUUID as D}from"crypto";var g=class{config={driver:"memory",prefix:"sk_"};keys=[];configure(e){this.config=e}hashKey(e){return A("sha256").update(e).digest("hex")}generateRandomKey(e=32){return v(e).toString("base64url")}async create(e){let t=e.prefix||this.config.prefix||"sk_",r=`${t}${this.generateRandomKey(32)}`,i=this.hashKey(r),n={id:D(),userId:e.userId,name:e.name,key:i,prefix:t,permissions:e.permissions||[],metadata:e.metadata,createdAt:Date.now(),expiresAt:e.expiresIn?Date.now()+e.expiresIn*1e3:void 0};if(this.config.driver==="memory")this.keys.push(n);else if(this.config.driver==="database")try{let{Connection:s}=await Promise.resolve().then(()=>(y(),f));await s.connection()}catch{this.keys.push(n)}return{record:n,plainTextKey:r}}async validate(e){let t=this.hashKey(e);for(let r of this.keys)if(!r.revokedAt&&!(r.expiresAt&&r.expiresAt<Date.now()))try{if(x(Buffer.from(r.key),Buffer.from(t)))return r.lastUsedAt=Date.now(),r}catch{continue}return null}async revoke(e){let t=this.keys.find(r=>r.id===e);return t?(t.revokedAt=Date.now(),!0):!1}async listForUser(e){return this.keys.filter(t=>t.userId===e&&!t.revokedAt).map(t=>({...t}))}async rotate(e){let t=this.keys.find(r=>r.id===e);return!t||t.revokedAt?null:(await this.revoke(e),this.create({name:`${t.name} (rotated)`,userId:t.userId,prefix:t.prefix,permissions:t.permissions,metadata:t.metadata}))}async hasPermission(e,t){let r=await this.validate(e);return r?!r.permissions||r.permissions.length===0?!0:r.permissions.includes(t):!1}},R=u("svelar.apiKeys",()=>new g);export{R as ApiKeys};

package/dist/audit/index.d.ts

@@ -0,0 +1,52 @@
+/**
+ * Svelar Audit Logging
+ * Track user actions across the application for compliance and debugging.
+ */
+export interface AuditEntry {
+    id: string;
+    userId: string | number | null;
+    action: string;
+    modelType: string;
+    modelId: string | number;
+    oldValues?: Record<string, any>;
+    newValues?: Record<string, any>;
+    metadata?: Record<string, any>;
+    ipAddress?: string;
+    userAgent?: string;
+    timestamp: number;
+}
+export interface AuditFilter {
+    userId?: string | number;
+    action?: string;
+    modelType?: string;
+    modelId?: string | number;
+    since?: number;
+    until?: number;
+    limit?: number;
+    offset?: number;
+}
+export type AuditDriver = 'database' | 'memory' | 'log';
+export interface AuditConfig {
+    driver: AuditDriver;
+    table?: string;
+    enabled?: boolean;
+    exclude?: string[];
+}
+declare class AuditManager {
+    private config;
+    private entries;
+    private maxEntries;
+    configure(config: AuditConfig): void;
+    log(entry: Omit<AuditEntry, 'id' | 'timestamp'>): Promise<void>;
+    query(filter: AuditFilter): Promise<AuditEntry[]>;
+    forModel(type: string, id: string | number): Promise<AuditEntry[]>;
+    byUser(userId: string | number, limit?: number): Promise<AuditEntry[]>;
+    getStats(): Promise<{
+        total: number;
+        byAction: Record<string, number>;
+        byModel: Record<string, number>;
+    }>;
+}
+export declare function auditable(target: any): any;
+export declare const Audit: AuditManager;
+export {};

package/dist/audit/index.js

@@ -0,0 +1 @@
+var b=Object.defineProperty;var f=(s,t)=>()=>(s&&(t=s(s=0)),t);var C=(s,t)=>{for(var e in t)b(s,e,{get:t[e],enumerable:!0})};function u(s,t){let e=Symbol.for(s),i=globalThis;return i[e]||(i[e]=t()),i[e]}var m=f(()=>{"use strict"});var h={};C(h,{Connection:()=>v});var p,v,w=f(()=>{"use strict";m();p=class{connections=new Map;config=null;defaultName="default";configure(t){this.config=t,this.defaultName=t.default}async connection(t){let e=t??this.defaultName;if(this.connections.has(e))return this.connections.get(e).drizzle;if(!this.config)throw new Error("Database not configured. Call Connection.configure() first, or register DatabaseServiceProvider.");let i=this.config.connections[e];if(!i)throw new Error(`Database connection "${e}" is not defined in configuration.`);let r=await this.createConnection(i);return this.connections.set(e,r),r.drizzle}async rawClient(t){let e=t??this.defaultName;return await this.connection(e),this.connections.get(e).rawClient}async raw(t,e=[],i){let r=await this.connection(i),n=this.getConfig(i);switch(n.driver){case"sqlite":{let o=await this.rawClient(i),l=e.map(c=>typeof c=="boolean"?c?1:0:c instanceof Date?c.toISOString():c),a=o.prepare(t),d=t.trimStart().toUpperCase();return d.startsWith("SELECT")||d.startsWith("PRAGMA")||d.startsWith("WITH")?a.all(...l):a.run(...l)}case"postgres":return(await this.rawClient(i))(t,...e);case"mysql":{let o=await this.rawClient(i),[l]=await o.execute(t,e);return l}default:throw new Error(`Unsupported driver: ${n.driver}`)}}getDriver(t){return this.getConfig(t).driver}getConfig(t){let e=t??this.defaultName;if(!this.config)throw new Error("Database not configured.");let i=this.config.connections[e];if(!i)throw new Error(`Database connection "${e}" is not defined.`);return i}async disconnect(t){if(t){let e=this.connections.get(t);e&&(await this.closeConnection(e),this.connections.delete(t))}else{for(let[e,i]of this.connections)await this.closeConnection(i);this.connections.clear()}}isConnected(t){return this.connections.has(t??this.defaultName)}async transaction(t,e){let i=this.getConfig(e),r=await this.rawClient(e);switch(i.driver){case"sqlite":{r.exec("BEGIN");try{let n=await t();return r.exec("COMMIT"),n}catch(n){throw r.exec("ROLLBACK"),n}}case"postgres":{await r`BEGIN`;try{let n=await t();return await r`COMMIT`,n}catch(n){throw await r`ROLLBACK`,n}}case"mysql":{let n=await r.getConnection();await n.beginTransaction();try{let o=await t();return await n.commit(),n.release(),o}catch(o){throw await n.rollback(),n.release(),o}}default:throw new Error(`Unsupported driver: ${i.driver}`)}}async createConnection(t){switch(t.driver){case"sqlite":return this.createSQLiteConnection(t);case"postgres":return this.createPostgresConnection(t);case"mysql":return this.createMySQLConnection(t);default:throw new Error(`Unsupported database driver: ${t.driver}`)}}async createSQLiteConnection(t){let e=t.filename??t.database??":memory:";try{let i=(await import("better-sqlite3")).default,{drizzle:r}=await import("drizzle-orm/better-sqlite3"),n=new i(e);return n.pragma("journal_mode = WAL"),n.pragma("foreign_keys = ON"),{drizzle:r(n),config:t,rawClient:n}}catch(i){let r;try{r=(await new Function("mod","return import(mod)")("node:sqlite")).DatabaseSync}catch{throw new Error(`No SQLite driver available. Install better-sqlite3 (npm install better-sqlite3) or use Node.js v22+ which includes built-in SQLite support. Original error: ${i instanceof Error?i.message:String(i)}`)}let n=new r(e);n.exec("PRAGMA journal_mode = WAL"),n.exec("PRAGMA foreign_keys = ON");let o={prepare(a){let d=n.prepare(a);return{all(...c){return d.all(...c)},run(...c){return d.run(...c)},get(...c){return d.get(...c)}}},exec(a){n.exec(a)},pragma(a){return n.prepare(`PRAGMA ${a}`).all()},close(){n.close()}},l;try{let{drizzle:a}=await import("drizzle-orm/better-sqlite3");l=a(o)}catch{l=o}return{drizzle:l,config:t,rawClient:o}}}async createPostgresConnection(t){let e=(await import("postgres")).default,{drizzle:i}=await import("drizzle-orm/postgres-js"),r=t.url??`postgres://${t.user}:${t.password}@${t.host??"localhost"}:${t.port??5432}/${t.database}`,n=e(r);return{drizzle:i(n),config:t,rawClient:n}}async createMySQLConnection(t){let e=await import("mysql2/promise"),{drizzle:i}=await import("drizzle-orm/mysql2"),r=e.createPool({host:t.host??"localhost",port:t.port??3306,database:t.database,user:t.user,password:t.password,uri:t.url});return{drizzle:i(r),config:t,rawClient:r}}async closeConnection(t){try{switch(t.config.driver){case"sqlite":t.rawClient.close();break;case"postgres":await t.rawClient.end();break;case"mysql":await t.rawClient.end();break}}catch{}}},v=u("svelar.connection",()=>new p)});m();import{randomUUID as A}from"crypto";var y=class{config={driver:"memory",enabled:!0};entries=[];maxEntries=1e4;configure(t){this.config=t}async log(t){if(!this.config.enabled||this.config.exclude?.includes(t.modelType))return;let e={...t,id:A(),timestamp:Date.now()};if(this.config.driver==="memory")this.entries.push(e),this.entries.length>this.maxEntries&&this.entries.shift();else if(this.config.driver==="log")console.log("[Audit]",JSON.stringify(e));else if(this.config.driver==="database")try{let{Connection:i}=await Promise.resolve().then(()=>(w(),h));await i.connection()}catch{this.entries.push(e)}}async query(t){let e=[...this.entries];t.userId!==void 0&&(e=e.filter(n=>n.userId===t.userId)),t.action&&(e=e.filter(n=>n.action===t.action)),t.modelType&&(e=e.filter(n=>n.modelType===t.modelType)),t.modelId!==void 0&&(e=e.filter(n=>n.modelId===t.modelId)),t.since&&(e=e.filter(n=>n.timestamp>=t.since)),t.until&&(e=e.filter(n=>n.timestamp<=t.until)),e.sort((n,o)=>o.timestamp-n.timestamp);let i=t.offset||0,r=t.limit||100;return e.slice(i,i+r)}async forModel(t,e){return this.query({modelType:t,modelId:e,limit:1e3})}async byUser(t,e){return this.query({userId:t,limit:e||100})}async getStats(){let t={},e={};for(let i of this.entries)t[i.action]=(t[i.action]||0)+1,e[i.modelType]=(e[i.modelType]||0)+1;return{total:this.entries.length,byAction:t,byModel:e}}};function P(s){let t=s.create||s.insert,e=s.update,i=s.delete;return t&&(s.create=async function(r){let n=await t.call(this,r);return await g.log({userId:null,action:"created",modelType:s.name,modelId:n.id,newValues:r}),n}),e&&(s.update=async function(r,n){let o=await e.call(this,r,n);return await g.log({userId:null,action:"updated",modelType:s.name,modelId:r,newValues:n}),o}),i&&(s.delete=async function(r){let n=await i.call(this,r);return await g.log({userId:null,action:"deleted",modelType:s.name,modelId:r}),n}),s}var g=u("svelar.audit",()=>new y);export{g as Audit,P as auditable};

package/dist/auth/Auth.d.ts

@@ -0,0 +1,283 @@
+/**
+ * Svelar Auth
+ *
+ * Authentication system with guards, JWT support, and session-based auth.
+ *
+ * @example
+ * ```ts
+ * // Session-based auth
+ * const auth = new AuthManager({ guard: 'session', model: User });
+ * const user = await auth.attempt({ email: 'john@example.com', password: 'secret' });
+ *
+ * // JWT auth
+ * const auth = new AuthManager({ guard: 'jwt', model: User, jwt: { secret: '...' } });
+ * const { user, token } = await auth.attemptJwt({ email: '...', password: '...' });
+ * ```
+ */
+export type GuardType = 'session' | 'jwt' | 'token';
+export interface AuthConfig {
+    guard: GuardType;
+    /** The Model class to query users from */
+    model: any;
+    /** Column used for login identifier (default: 'email') */
+    identifierColumn?: string;
+    /** Column storing the hashed password (default: 'password') */
+    passwordColumn?: string;
+    /** JWT configuration */
+    jwt?: JwtConfig;
+    /** API token configuration */
+    token?: TokenConfig;
+    /** Application URL for generating email links */
+    appUrl?: string;
+    /** Application name for email templates */
+    appName?: string;
+    /** Password reset configuration */
+    passwordResets?: PasswordResetConfig;
+    /** Email verification configuration */
+    emailVerification?: EmailVerificationConfig;
+    /** OTP (one-time password) configuration */
+    otp?: OtpConfig;
+}
+export interface PasswordResetConfig {
+    /** Table name (default: 'password_resets') */
+    table?: string;
+    /** Token lifetime in seconds (default: 3600 = 1 hour) */
+    expiresIn?: number;
+}
+export interface EmailVerificationConfig {
+    /** Table name (default: 'email_verifications') */
+    table?: string;
+    /** Token lifetime in seconds (default: 86400 = 24 hours) */
+    expiresIn?: number;
+    /** Column on user model storing verification timestamp (default: 'email_verified_at') */
+    verifiedColumn?: string;
+}
+export interface OtpConfig {
+    /** Table name (default: 'otp_codes') */
+    table?: string;
+    /** Code lifetime in seconds (default: 600 = 10 minutes) */
+    expiresIn?: number;
+    /** Code length (default: 6) */
+    length?: number;
+}
+export interface JwtConfig {
+    secret: string;
+    expiresIn?: number;
+    algorithm?: 'HS256' | 'HS384' | 'HS512';
+    issuer?: string;
+    /** Enable refresh tokens (default: false) */
+    refreshTokens?: boolean;
+    /** Refresh token lifetime in seconds (default: 604800 = 7 days) */
+    refreshExpiresIn?: number;
+    /** Table storing refresh tokens (default: 'refresh_tokens') */
+    refreshTable?: string;
+}
+export interface TokenConfig {
+    /** Table storing API tokens */
+    table?: string;
+    /** Header name for token (default: 'Authorization') */
+    header?: string;
+}
+export interface AuthUser {
+    getAttribute(key: string): any;
+    [key: string]: any;
+}
+export interface JwtPayload {
+    sub: string | number;
+    iat: number;
+    exp: number;
+    iss?: string;
+    [key: string]: any;
+}
+export interface JwtTokenPair {
+    user: AuthUser;
+    token: string;
+    expiresAt: Date;
+    refreshToken?: string;
+    refreshExpiresAt?: Date;
+}
+export declare function signJwt(payload: JwtPayload, secret: string, algorithm?: string): string;
+export declare function verifyJwt(token: string, secret: string): JwtPayload | null;
+export declare class AuthManager {
+    private config;
+    private currentUser;
+    constructor(userConfig: AuthConfig);
+    /**
+     * Attempt session-based login.
+     * Returns the user on success, null on failure.
+     */
+    attempt(credentials: Record<string, any>, session?: any): Promise<AuthUser | null>;
+    /**
+     * Attempt JWT-based login.
+     * Returns user + access token (+ refresh token if enabled) on success, null on failure.
+     */
+    attemptJwt(credentials: Record<string, any>): Promise<JwtTokenPair | null>;
+    /**
+     * Issue an access token (and optionally a refresh token) for a user.
+     */
+    private issueTokenPair;
+    /**
+     * Exchange a refresh token for a new access token + refresh token pair.
+     * The old refresh token is revoked (rotation).
+     */
+    refreshJwt(refreshToken: string): Promise<JwtTokenPair | null>;
+    /**
+     * Revoke all refresh tokens for a user (e.g. on logout or password change).
+     */
+    revokeRefreshTokens(userId: string | number): Promise<void>;
+    /**
+     * Resolve user from a JWT token
+     */
+    resolveFromToken(token: string): Promise<AuthUser | null>;
+    /**
+     * Resolve user from session
+     */
+    resolveFromSession(session: any): Promise<AuthUser | null>;
+    /**
+     * Register a new user
+     */
+    register(attributes: Record<string, any>): Promise<AuthUser>;
+    /**
+     * Logout
+     */
+    logout(session?: any): Promise<void>;
+    /**
+     * Get the currently authenticated user
+     */
+    user(): AuthUser | null;
+    /**
+     * Check if a user is authenticated
+     */
+    check(): boolean;
+    /**
+     * Get the authenticated user's ID
+     */
+    id(): any;
+    /**
+     * Generate an API token for a user
+     */
+    generateApiToken(user: AuthUser, name?: string): Promise<string>;
+    /**
+     * Resolve user from an API token
+     */
+    resolveFromApiToken(plainToken: string): Promise<AuthUser | null>;
+    /**
+     * Send a password reset email.
+     * Generates a token, stores its hash, and sends the password-reset email template.
+     * Auto-creates the password_resets table if it doesn't exist.
+     */
+    sendPasswordReset(email: string): Promise<boolean>;
+    /**
+     * Reset a user's password using a valid reset token.
+     * Validates the token, updates the password, and revokes all refresh tokens.
+     */
+    resetPassword(token: string, email: string, newPassword: string): Promise<boolean>;
+    /**
+     * Send an email verification link.
+     * Generates a token, stores its hash, and sends the email-verification template.
+     * Auto-creates the email_verifications table if it doesn't exist.
+     */
+    sendVerificationEmail(user: AuthUser): Promise<void>;
+    /**
+     * Verify an email address using a valid verification token.
+     * Sets the email_verified_at column on the user.
+     */
+    verifyEmail(token: string, userId: string | number): Promise<boolean>;
+    /**
+     * Check if a user has verified their email.
+     */
+    isEmailVerified(user: AuthUser): boolean;
+    /**
+     * Send an OTP code via email.
+     * Generates a numeric code, stores its hash, and sends the otp-code email template.
+     * Auto-creates the otp_codes table if it doesn't exist.
+     *
+     * @param email - User email address
+     * @param purpose - Purpose identifier (default: 'login')
+     * @returns true if sent (user exists), false if user not found
+     */
+    sendOtp(email: string, purpose?: string): Promise<boolean>;
+    /**
+     * Verify an OTP code without creating a session.
+     * Returns the user if valid, null otherwise.
+     */
+    verifyOtp(email: string, code: string, purpose?: string): Promise<AuthUser | null>;
+    /**
+     * Verify OTP and create a session (OTP login).
+     * Combines verifyOtp + session creation in one step.
+     */
+    attemptOtp(email: string, code: string, session?: any, purpose?: string): Promise<AuthUser | null>;
+    /**
+     * Delete expired tokens from password_resets, email_verifications, and otp_codes tables.
+     * Call this from a scheduled task (e.g., daily).
+     */
+    cleanupExpiredTokens(): Promise<{
+        passwordResets: number;
+        verifications: number;
+        otpCodes: number;
+    }>;
+    private hashToken;
+    private generateOtpCode;
+    private tablesEnsured;
+    private ensureTable;
+    private sendAuthEmail;
+}
+import { Middleware, type MiddlewareContext, type NextFunction } from '../middleware/Middleware.js';
+/**
+ * Authentication middleware that resolves the user from session or JWT.
+ */
+export declare class AuthenticateMiddleware extends Middleware {
+    private authManager;
+    constructor(authManager: AuthManager);
+    handle(ctx: MiddlewareContext, next: NextFunction): Promise<Response | void>;
+}
+/**
+ * Middleware that requires authentication — returns 401 JSON if not authenticated.
+ * Best for API routes.
+ */
+export declare class RequireAuthMiddleware extends Middleware {
+    handle(ctx: MiddlewareContext, next: NextFunction): Promise<Response | void>;
+}
+/**
+ * Middleware that redirects unauthenticated users to a login page.
+ * Best for page routes (dashboard, admin, etc.).
+ *
+ * @example
+ * ```ts
+ * // In +layout.server.ts to protect an entire route group:
+ * import { guardAuth } from 'svelar/auth';
+ *
+ * export const load = guardAuth();
+ * // or with a custom redirect:
+ * export const load = guardAuth('/signin');
+ * ```
+ */
+export declare class RedirectIfNotAuthenticated extends Middleware {
+    private redirectTo;
+    constructor(redirectTo?: string);
+    handle(ctx: MiddlewareContext, next: NextFunction): Promise<Response | void>;
+}
+/**
+ * Convenience helper to create a SvelteKit load function that guards a route.
+ * Use in `+layout.server.ts` to protect all pages under a route group.
+ *
+ * @example
+ * ```ts
+ * // src/routes/dashboard/+layout.server.ts
+ * import { guardAuth } from 'svelar/auth';
+ * export const load = guardAuth();
+ *
+ * // src/routes/admin/+layout.server.ts — custom redirect
+ * import { guardAuth } from 'svelar/auth';
+ * export const load = guardAuth('/login');
+ *
+ * // With role check
+ * import { guardAuth } from 'svelar/auth';
+ * export const load = guardAuth('/dashboard', { role: 'admin' });
+ * ```
+ */
+export declare function guardAuth(redirectTo?: string, options?: {
+    role?: string;
+}): (event: {
+    locals: Record<string, any>;
+}) => Promise<{}>;