@byline/admin 0.9.3

package/dist/modules/admin-users/schemas.d.ts

@@ -0,0 +1,136 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+import { z } from 'zod';
+export declare const listAdminUsersRequestSchema: z.ZodObject<{
+    page: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+    pageSize: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+    query: z.ZodOptional<z.ZodString>;
+    order: z.ZodDefault<z.ZodOptional<z.ZodEnum<{
+        email: "email";
+        given_name: "given_name";
+        family_name: "family_name";
+        username: "username";
+        created_at: "created_at";
+        updated_at: "updated_at";
+    }>>>;
+    desc: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+}, z.core.$strip>;
+export type ListAdminUsersRequest = z.infer<typeof listAdminUsersRequestSchema>;
+export declare const getAdminUserRequestSchema: z.ZodObject<{
+    id: z.ZodUUID;
+}, z.core.$strip>;
+export type GetAdminUserRequest = z.infer<typeof getAdminUserRequestSchema>;
+export declare const createAdminUserRequestSchema: z.ZodObject<{
+    email: z.ZodPipe<z.ZodEmail, z.ZodTransform<string, string>>;
+    password: z.ZodString;
+    given_name: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    family_name: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    username: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    is_super_admin: z.ZodOptional<z.ZodBoolean>;
+    is_enabled: z.ZodOptional<z.ZodBoolean>;
+    is_email_verified: z.ZodOptional<z.ZodBoolean>;
+}, z.core.$strip>;
+export type CreateAdminUserRequest = z.infer<typeof createAdminUserRequestSchema>;
+export declare const updateAdminUserRequestSchema: z.ZodObject<{
+    id: z.ZodUUID;
+    vid: z.ZodNumber;
+    patch: z.ZodObject<{
+        email: z.ZodOptional<z.ZodPipe<z.ZodEmail, z.ZodTransform<string, string>>>;
+        given_name: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+        family_name: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+        username: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+        is_super_admin: z.ZodOptional<z.ZodBoolean>;
+        is_enabled: z.ZodOptional<z.ZodBoolean>;
+        is_email_verified: z.ZodOptional<z.ZodBoolean>;
+    }, z.core.$strip>;
+}, z.core.$strip>;
+export type UpdateAdminUserRequest = z.infer<typeof updateAdminUserRequestSchema>;
+export declare const setAdminUserPasswordRequestSchema: z.ZodObject<{
+    id: z.ZodUUID;
+    vid: z.ZodNumber;
+    password: z.ZodString;
+}, z.core.$strip>;
+export type SetAdminUserPasswordRequest = z.infer<typeof setAdminUserPasswordRequestSchema>;
+export declare const enableAdminUserRequestSchema: z.ZodObject<{
+    id: z.ZodUUID;
+}, z.core.$strip>;
+export type EnableAdminUserRequest = z.infer<typeof enableAdminUserRequestSchema>;
+export declare const disableAdminUserRequestSchema: z.ZodObject<{
+    id: z.ZodUUID;
+}, z.core.$strip>;
+export type DisableAdminUserRequest = z.infer<typeof disableAdminUserRequestSchema>;
+export declare const deleteAdminUserRequestSchema: z.ZodObject<{
+    id: z.ZodUUID;
+    vid: z.ZodNumber;
+}, z.core.$strip>;
+export type DeleteAdminUserRequest = z.infer<typeof deleteAdminUserRequestSchema>;
+/**
+ * Public shape of an admin user. Deliberately excludes `password_hash` —
+ * the DTO in `dto.ts` is responsible for producing exactly this shape
+ * from an `AdminUserRow`, so the schema acts as a contract check.
+ */
+export declare const adminUserResponseSchema: z.ZodObject<{
+    id: z.ZodString;
+    vid: z.ZodNumber;
+    email: z.ZodString;
+    given_name: z.ZodNullable<z.ZodString>;
+    family_name: z.ZodNullable<z.ZodString>;
+    username: z.ZodNullable<z.ZodString>;
+    remember_me: z.ZodBoolean;
+    last_login: z.ZodNullable<z.ZodDate>;
+    last_login_ip: z.ZodNullable<z.ZodString>;
+    failed_login_attempts: z.ZodNumber;
+    is_super_admin: z.ZodBoolean;
+    is_enabled: z.ZodBoolean;
+    is_email_verified: z.ZodBoolean;
+    created_at: z.ZodDate;
+    updated_at: z.ZodDate;
+}, z.core.$strip>;
+export type AdminUserResponse = z.infer<typeof adminUserResponseSchema>;
+export declare const adminUserListResponseSchema: z.ZodObject<{
+    users: z.ZodArray<z.ZodObject<{
+        id: z.ZodString;
+        vid: z.ZodNumber;
+        email: z.ZodString;
+        given_name: z.ZodNullable<z.ZodString>;
+        family_name: z.ZodNullable<z.ZodString>;
+        username: z.ZodNullable<z.ZodString>;
+        remember_me: z.ZodBoolean;
+        last_login: z.ZodNullable<z.ZodDate>;
+        last_login_ip: z.ZodNullable<z.ZodString>;
+        failed_login_attempts: z.ZodNumber;
+        is_super_admin: z.ZodBoolean;
+        is_enabled: z.ZodBoolean;
+        is_email_verified: z.ZodBoolean;
+        created_at: z.ZodDate;
+        updated_at: z.ZodDate;
+    }, z.core.$strip>>;
+    meta: z.ZodObject<{
+        total: z.ZodNumber;
+        total_pages: z.ZodNumber;
+        page: z.ZodNumber;
+        page_size: z.ZodNumber;
+        query: z.ZodString;
+        order: z.ZodEnum<{
+            email: "email";
+            given_name: "given_name";
+            family_name: "family_name";
+            username: "username";
+            created_at: "created_at";
+            updated_at: "updated_at";
+        }>;
+        desc: z.ZodBoolean;
+    }, z.core.$strip>;
+}, z.core.$strip>;
+export type AdminUserListResponse = z.infer<typeof adminUserListResponseSchema>;
+/** Empty response for void-returning mutations (set-password, enable, disable, delete). */
+export declare const okResponseSchema: z.ZodObject<{
+    ok: z.ZodLiteral<true>;
+}, z.core.$strip>;
+export type OkResponse = z.infer<typeof okResponseSchema>;
+//# sourceMappingURL=schemas.d.ts.map

package/dist/modules/admin-users/schemas.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"schemas.d.ts","sourceRoot":"","sources":["../../../src/modules/admin-users/schemas.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAoDvB,eAAO,MAAM,2BAA2B;;;;;;;;;;;;;iBAMtC,CAAA;AACF,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAA;AAE/E,eAAO,MAAM,yBAAyB;;iBAEpC,CAAA;AACF,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAA;AAE3E,eAAO,MAAM,4BAA4B;;;;;;;;;iBASvC,CAAA;AACF,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,4BAA4B,CAAC,CAAA;AAEjF,eAAO,MAAM,4BAA4B;;;;;;;;;;;;iBAcvC,CAAA;AACF,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,4BAA4B,CAAC,CAAA;AAEjF,eAAO,MAAM,iCAAiC;;;;iBAI5C,CAAA;AACF,MAAM,MAAM,2BAA2B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iCAAiC,CAAC,CAAA;AAE3F,eAAO,MAAM,4BAA4B;;iBAA6B,CAAA;AACtE,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,4BAA4B,CAAC,CAAA;AAEjF,eAAO,MAAM,6BAA6B;;iBAA6B,CAAA;AACvE,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,6BAA6B,CAAC,CAAA;AAEnF,eAAO,MAAM,4BAA4B;;;iBAGvC,CAAA;AACF,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,4BAA4B,CAAC,CAAA;AAMjF;;;;GAIG;AACH,eAAO,MAAM,uBAAuB;;;;;;;;;;;;;;;;iBAgBlC,CAAA;AACF,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAA;AAEvE,eAAO,MAAM,2BAA2B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAWtC,CAAA;AACF,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAA;AAE/E,2FAA2F;AAC3F,eAAO,MAAM,gBAAgB;;iBAAoC,CAAA;AACjE,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAA"}

package/dist/modules/admin-users/schemas.js

@@ -0,0 +1,137 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+import { passwordSchema, uuidSchema } from '@byline/core/validation';
+import { z } from 'zod';
+/**
+ * Zod request/response schemas for the admin-users commands.
+ *
+ * Both input and output are validated — response validation keeps the
+ * admin surface honest about what it promises downstream clients. The
+ * DTO shaper in `dto.ts` produces values that match `adminUserResponseSchema`
+ * exactly; if the schema or the DTO drifts, tests catch it at the
+ * command boundary.
+ *
+ * `vid` is the optimistic-concurrency version — every write that touches
+ * content content takes the client-held `vid` and the adapter gates the
+ * write on it, throwing `ADMIN_USER_VERSION_CONFLICT` on mismatch.
+ *
+ * Password and uuid helpers come from `@byline/core/validation` — the
+ * shared primitives ported from the organisation's `@infonomic/shared`
+ * schemas so rules stay consistent across projects.
+ */
+// ---------------------------------------------------------------------------
+// Field-level schemas (re-used across requests)
+// ---------------------------------------------------------------------------
+const idSchema = uuidSchema;
+const vidSchema = z
+    .number({ message: 'vid is required' })
+    .int({ message: 'vid must be an integer' })
+    .positive({ message: 'vid must be positive' });
+const emailSchema = z
+    .email({ message: 'email must be a valid address' })
+    .min(3)
+    .max(254)
+    .transform((v) => v.toLowerCase());
+const nameSchema = z.string().min(1).max(100);
+const orderSchema = z.enum([
+    'given_name',
+    'family_name',
+    'email',
+    'username',
+    'created_at',
+    'updated_at',
+]);
+// ---------------------------------------------------------------------------
+// Requests
+// ---------------------------------------------------------------------------
+export const listAdminUsersRequestSchema = z.object({
+    page: z.number().int().min(1).optional().default(1),
+    pageSize: z.number().int().min(1).max(100).optional().default(20),
+    query: z.string().max(128).optional(),
+    order: orderSchema.optional().default('created_at'),
+    desc: z.boolean().optional().default(true),
+});
+export const getAdminUserRequestSchema = z.object({
+    id: idSchema,
+});
+export const createAdminUserRequestSchema = z.object({
+    email: emailSchema,
+    password: passwordSchema,
+    given_name: nameSchema.nullish(),
+    family_name: nameSchema.nullish(),
+    username: z.string().min(1).max(100).nullish(),
+    is_super_admin: z.boolean().optional(),
+    is_enabled: z.boolean().optional(),
+    is_email_verified: z.boolean().optional(),
+});
+export const updateAdminUserRequestSchema = z.object({
+    id: idSchema,
+    vid: vidSchema,
+    patch: z
+        .object({
+        email: emailSchema.optional(),
+        given_name: nameSchema.nullish(),
+        family_name: nameSchema.nullish(),
+        username: z.string().min(1).max(100).nullish(),
+        is_super_admin: z.boolean().optional(),
+        is_enabled: z.boolean().optional(),
+        is_email_verified: z.boolean().optional(),
+    })
+        .refine((p) => Object.keys(p).length > 0, { message: 'patch cannot be empty' }),
+});
+export const setAdminUserPasswordRequestSchema = z.object({
+    id: idSchema,
+    vid: vidSchema,
+    password: passwordSchema,
+});
+export const enableAdminUserRequestSchema = z.object({ id: idSchema });
+export const disableAdminUserRequestSchema = z.object({ id: idSchema });
+export const deleteAdminUserRequestSchema = z.object({
+    id: idSchema,
+    vid: vidSchema,
+});
+// ---------------------------------------------------------------------------
+// Responses
+// ---------------------------------------------------------------------------
+/**
+ * Public shape of an admin user. Deliberately excludes `password_hash` —
+ * the DTO in `dto.ts` is responsible for producing exactly this shape
+ * from an `AdminUserRow`, so the schema acts as a contract check.
+ */
+export const adminUserResponseSchema = z.object({
+    id: z.string(),
+    vid: z.number().int(),
+    email: z.string(),
+    given_name: z.string().nullable(),
+    family_name: z.string().nullable(),
+    username: z.string().nullable(),
+    remember_me: z.boolean(),
+    last_login: z.date().nullable(),
+    last_login_ip: z.string().nullable(),
+    failed_login_attempts: z.number().int(),
+    is_super_admin: z.boolean(),
+    is_enabled: z.boolean(),
+    is_email_verified: z.boolean(),
+    created_at: z.date(),
+    updated_at: z.date(),
+});
+export const adminUserListResponseSchema = z.object({
+    users: z.array(adminUserResponseSchema),
+    meta: z.object({
+        total: z.number().int().min(0),
+        total_pages: z.number().int().min(0),
+        page: z.number().int().min(1),
+        page_size: z.number().int().min(1),
+        query: z.string(),
+        order: orderSchema,
+        desc: z.boolean(),
+    }),
+});
+/** Empty response for void-returning mutations (set-password, enable, disable, delete). */
+export const okResponseSchema = z.object({ ok: z.literal(true) });
+//# sourceMappingURL=schemas.js.map

package/dist/modules/admin-users/schemas.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"schemas.js","sourceRoot":"","sources":["../../../src/modules/admin-users/schemas.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAA;AACpE,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB;;;;;;;;;;;;;;;;GAgBG;AAEH,8EAA8E;AAC9E,gDAAgD;AAChD,8EAA8E;AAE9E,MAAM,QAAQ,GAAG,UAAU,CAAA;AAE3B,MAAM,SAAS,GAAG,CAAC;KAChB,MAAM,CAAC,EAAE,OAAO,EAAE,iBAAiB,EAAE,CAAC;KACtC,GAAG,CAAC,EAAE,OAAO,EAAE,wBAAwB,EAAE,CAAC;KAC1C,QAAQ,CAAC,EAAE,OAAO,EAAE,sBAAsB,EAAE,CAAC,CAAA;AAEhD,MAAM,WAAW,GAAG,CAAC;KAClB,KAAK,CAAC,EAAE,OAAO,EAAE,+BAA+B,EAAE,CAAC;KACnD,GAAG,CAAC,CAAC,CAAC;KACN,GAAG,CAAC,GAAG,CAAC;KACR,SAAS,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAA;AAEpC,MAAM,UAAU,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;AAE7C,MAAM,WAAW,GAAG,CAAC,CAAC,IAAI,CAAC;IACzB,YAAY;IACZ,aAAa;IACb,OAAO;IACP,UAAU;IACV,YAAY;IACZ,YAAY;CACb,CAAC,CAAA;AAEF,8EAA8E;AAC9E,WAAW;AACX,8EAA8E;AAE9E,MAAM,CAAC,MAAM,2BAA2B,GAAG,CAAC,CAAC,MAAM,CAAC;IAClD,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;IACnD,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC;IACjE,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE;IACrC,KAAK,EAAE,WAAW,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,YAAY,CAAC;IACnD,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;CAC3C,CAAC,CAAA;AAGF,MAAM,CAAC,MAAM,yBAAyB,GAAG,CAAC,CAAC,MAAM,CAAC;IAChD,EAAE,EAAE,QAAQ;CACb,CAAC,CAAA;AAGF,MAAM,CAAC,MAAM,4BAA4B,GAAG,CAAC,CAAC,MAAM,CAAC;IACnD,KAAK,EAAE,WAAW;IAClB,QAAQ,EAAE,cAAc;IACxB,UAAU,EAAE,UAAU,CAAC,OAAO,EAAE;IAChC,WAAW,EAAE,UAAU,CAAC,OAAO,EAAE;IACjC,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE;IAC9C,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IACtC,UAAU,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAClC,iBAAiB,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;CAC1C,CAAC,CAAA;AAGF,MAAM,CAAC,MAAM,4BAA4B,GAAG,CAAC,CAAC,MAAM,CAAC;IACnD,EAAE,EAAE,QAAQ;IACZ,GAAG,EAAE,SAAS;IACd,KAAK,EAAE,CAAC;SACL,MAAM,CAAC;QACN,KAAK,EAAE,WAAW,CAAC,QAAQ,EAAE;QAC7B,UAAU,EAAE,UAAU,CAAC,OAAO,EAAE;QAChC,WAAW,EAAE,UAAU,CAAC,OAAO,EAAE;QACjC,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE;QAC9C,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;QACtC,UAAU,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;QAClC,iBAAiB,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;KAC1C,CAAC;SACD,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,EAAE,OAAO,EAAE,uBAAuB,EAAE,CAAC;CAClF,CAAC,CAAA;AAGF,MAAM,CAAC,MAAM,iCAAiC,GAAG,CAAC,CAAC,MAAM,CAAC;IACxD,EAAE,EAAE,QAAQ;IACZ,GAAG,EAAE,SAAS;IACd,QAAQ,EAAE,cAAc;CACzB,CAAC,CAAA;AAGF,MAAM,CAAC,MAAM,4BAA4B,GAAG,CAAC,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAA;AAGtE,MAAM,CAAC,MAAM,6BAA6B,GAAG,CAAC,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAA;AAGvE,MAAM,CAAC,MAAM,4BAA4B,GAAG,CAAC,CAAC,MAAM,CAAC;IACnD,EAAE,EAAE,QAAQ;IACZ,GAAG,EAAE,SAAS;CACf,CAAC,CAAA;AAGF,8EAA8E;AAC9E,YAAY;AACZ,8EAA8E;AAE9E;;;;GAIG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC9C,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE;IACd,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;IACrB,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;IACjB,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACjC,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC/B,WAAW,EAAE,CAAC,CAAC,OAAO,EAAE;IACxB,UAAU,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,QAAQ,EAAE;IAC/B,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACpC,qBAAqB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;IACvC,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;IAC3B,UAAU,EAAE,CAAC,CAAC,OAAO,EAAE;IACvB,iBAAiB,EAAE,CAAC,CAAC,OAAO,EAAE;IAC9B,UAAU,EAAE,CAAC,CAAC,IAAI,EAAE;IACpB,UAAU,EAAE,CAAC,CAAC,IAAI,EAAE;CACrB,CAAC,CAAA;AAGF,MAAM,CAAC,MAAM,2BAA2B,GAAG,CAAC,CAAC,MAAM,CAAC;IAClD,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,uBAAuB,CAAC;IACvC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;QACb,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;QAC9B,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;QACpC,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;QAC7B,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;QAClC,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;QACjB,KAAK,EAAE,WAAW;QAClB,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;KAClB,CAAC;CACH,CAAC,CAAA;AAGF,2FAA2F;AAC3F,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA"}

package/dist/modules/admin-users/seed-super-admin.d.ts

@@ -0,0 +1,44 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+import type { AdminStore } from '../../store.js';
+export interface SeedSuperAdminInput {
+    email: string;
+    /** Plaintext — hashed before insert. */
+    password: string;
+    given_name?: string;
+    family_name?: string;
+    /** Role machine_name. Defaults to `'super-admin'`. */
+    roleMachineName?: string;
+    /** Role display name. Defaults to `'Super Admin'`. */
+    roleName?: string;
+}
+export interface SeedSuperAdminResult {
+    userId: string;
+    roleId: string;
+    created: {
+        user: boolean;
+        role: boolean;
+        assignment: boolean;
+    };
+}
+/**
+ * Idempotently create the super-admin role + user and assign them to each
+ * other. Safe to re-run against an existing database — reports what was
+ * newly created via the `created` flags so scripts can log meaningfully.
+ *
+ * This is the only built-in seed we ship for auth. Everything else is
+ * configured through the admin UI (or directly via the repositories) once
+ * the super-admin is in.
+ *
+ * The user row has `is_super_admin: true` and `is_enabled: true` set
+ * explicitly — the default for `is_enabled` is false so UI-created
+ * accounts require deliberate enablement, but the seed always produces a
+ * usable account.
+ */
+export declare function seedSuperAdmin(store: AdminStore, input: SeedSuperAdminInput): Promise<SeedSuperAdminResult>;
+//# sourceMappingURL=seed-super-admin.d.ts.map

package/dist/modules/admin-users/seed-super-admin.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"seed-super-admin.d.ts","sourceRoot":"","sources":["../../../src/modules/admin-users/seed-super-admin.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAA;AAEhD,MAAM,WAAW,mBAAmB;IAClC,KAAK,EAAE,MAAM,CAAA;IACb,wCAAwC;IACxC,QAAQ,EAAE,MAAM,CAAA;IAChB,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,sDAAsD;IACtD,eAAe,CAAC,EAAE,MAAM,CAAA;IACxB,sDAAsD;IACtD,QAAQ,CAAC,EAAE,MAAM,CAAA;CAClB;AAED,MAAM,WAAW,oBAAoB;IACnC,MAAM,EAAE,MAAM,CAAA;IACd,MAAM,EAAE,MAAM,CAAA;IACd,OAAO,EAAE;QACP,IAAI,EAAE,OAAO,CAAA;QACb,IAAI,EAAE,OAAO,CAAA;QACb,UAAU,EAAE,OAAO,CAAA;KACpB,CAAA;CACF;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAsB,cAAc,CAClC,KAAK,EAAE,UAAU,EACjB,KAAK,EAAE,mBAAmB,GACzB,OAAO,CAAC,oBAAoB,CAAC,CAmD/B"}

package/dist/modules/admin-users/seed-super-admin.js

@@ -0,0 +1,70 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+import { hashPassword } from '../auth/password.js';
+/**
+ * Idempotently create the super-admin role + user and assign them to each
+ * other. Safe to re-run against an existing database — reports what was
+ * newly created via the `created` flags so scripts can log meaningfully.
+ *
+ * This is the only built-in seed we ship for auth. Everything else is
+ * configured through the admin UI (or directly via the repositories) once
+ * the super-admin is in.
+ *
+ * The user row has `is_super_admin: true` and `is_enabled: true` set
+ * explicitly — the default for `is_enabled` is false so UI-created
+ * accounts require deliberate enablement, but the seed always produces a
+ * usable account.
+ */
+export async function seedSuperAdmin(store, input) {
+    const roleMachineName = input.roleMachineName ?? 'super-admin';
+    const roleName = input.roleName ?? 'Super Admin';
+    // 1. Role
+    let role = await store.adminRoles.getByMachineName(roleMachineName);
+    let roleCreated = false;
+    if (!role) {
+        role = await store.adminRoles.create({
+            name: roleName,
+            machine_name: roleMachineName,
+            description: 'Built-in role held by the initial super-admin. Individual users also carry the is_super_admin flag.',
+            order: 0,
+        });
+        roleCreated = true;
+    }
+    // 2. User
+    let user = await store.adminUsers.getByEmail(input.email);
+    let userCreated = false;
+    if (!user) {
+        const passwordHash = await hashPassword(input.password);
+        user = await store.adminUsers.create({
+            email: input.email,
+            password_hash: passwordHash,
+            given_name: input.given_name ?? null,
+            family_name: input.family_name ?? null,
+            is_super_admin: true,
+            is_enabled: true,
+            is_email_verified: true,
+        });
+        userCreated = true;
+    }
+    // 3. Assignment (idempotent)
+    const existingRoles = await store.adminRoles.listRolesForUser(user.id);
+    const alreadyAssigned = existingRoles.some((r) => r.id === role.id);
+    if (!alreadyAssigned) {
+        await store.adminRoles.assignToUser(role.id, user.id);
+    }
+    return {
+        userId: user.id,
+        roleId: role.id,
+        created: {
+            user: userCreated,
+            role: roleCreated,
+            assignment: !alreadyAssigned,
+        },
+    };
+}
+//# sourceMappingURL=seed-super-admin.js.map

package/dist/modules/admin-users/seed-super-admin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"seed-super-admin.js","sourceRoot":"","sources":["../../../src/modules/admin-users/seed-super-admin.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAA;AAyBlD;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,KAAiB,EACjB,KAA0B;IAE1B,MAAM,eAAe,GAAG,KAAK,CAAC,eAAe,IAAI,aAAa,CAAA;IAC9D,MAAM,QAAQ,GAAG,KAAK,CAAC,QAAQ,IAAI,aAAa,CAAA;IAEhD,UAAU;IACV,IAAI,IAAI,GAAG,MAAM,KAAK,CAAC,UAAU,CAAC,gBAAgB,CAAC,eAAe,CAAC,CAAA;IACnE,IAAI,WAAW,GAAG,KAAK,CAAA;IACvB,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,IAAI,GAAG,MAAM,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC;YACnC,IAAI,EAAE,QAAQ;YACd,YAAY,EAAE,eAAe;YAC7B,WAAW,EACT,qGAAqG;YACvG,KAAK,EAAE,CAAC;SACT,CAAC,CAAA;QACF,WAAW,GAAG,IAAI,CAAA;IACpB,CAAC;IAED,UAAU;IACV,IAAI,IAAI,GAAG,MAAM,KAAK,CAAC,UAAU,CAAC,UAAU,CAAC,KAAK,CAAC,KAAK,CAAC,CAAA;IACzD,IAAI,WAAW,GAAG,KAAK,CAAA;IACvB,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,YAAY,GAAG,MAAM,YAAY,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAA;QACvD,IAAI,GAAG,MAAM,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC;YACnC,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,aAAa,EAAE,YAAY;YAC3B,UAAU,EAAE,KAAK,CAAC,UAAU,IAAI,IAAI;YACpC,WAAW,EAAE,KAAK,CAAC,WAAW,IAAI,IAAI;YACtC,cAAc,EAAE,IAAI;YACpB,UAAU,EAAE,IAAI;YAChB,iBAAiB,EAAE,IAAI;SACxB,CAAC,CAAA;QACF,WAAW,GAAG,IAAI,CAAA;IACpB,CAAC;IAED,6BAA6B;IAC7B,MAAM,aAAa,GAAG,MAAM,KAAK,CAAC,UAAU,CAAC,gBAAgB,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;IACtE,MAAM,eAAe,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,IAAI,CAAC,EAAE,CAAC,CAAA;IACnE,IAAI,CAAC,eAAe,EAAE,CAAC;QACrB,MAAM,KAAK,CAAC,UAAU,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,EAAE,IAAI,CAAC,EAAE,CAAC,CAAA;IACvD,CAAC;IAED,OAAO;QACL,MAAM,EAAE,IAAI,CAAC,EAAE;QACf,MAAM,EAAE,IAAI,CAAC,EAAE;QACf,OAAO,EAAE;YACP,IAAI,EAAE,WAAW;YACjB,IAAI,EAAE,WAAW;YACjB,UAAU,EAAE,CAAC,eAAe;SAC7B;KACF,CAAA;AACH,CAAC"}

package/dist/modules/admin-users/service.d.ts

@@ -0,0 +1,53 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+import type { AdminAuth } from '@byline/auth';
+import type { AdminUsersRepository } from './repository.js';
+import type { AdminUserListResponse, AdminUserResponse, CreateAdminUserRequest, DeleteAdminUserRequest, DisableAdminUserRequest, EnableAdminUserRequest, GetAdminUserRequest, ListAdminUsersRequest, SetAdminUserPasswordRequest, UpdateAdminUserRequest } from './schemas.js';
+/**
+ * Business logic for administering admin users.
+ *
+ * The service owns four concerns the repository deliberately avoids:
+ *
+ *   1. **Password hashing.** `hashPassword` from `@byline/admin/auth`
+ *      runs here so every write path (create, setPassword, future
+ *      password-reset flows) hashes consistently.
+ *   2. **Domain invariants.** Email conflict detection on create/update,
+ *      self-delete / self-disable prevention — rules the database
+ *      cannot enforce on its own.
+ *   3. **DTO shaping.** Raw rows are shaped through `toAdminUser` so
+ *      the response contract is owned in one place.
+ *   4. **Optimistic-concurrency plumbing.** The repo gates writes on
+ *      `expectedVid`; the service just threads it from the validated
+ *      request shape. Version conflicts surface as
+ *      `AdminUsersError(VERSION_CONFLICT)` from the adapter; the service
+ *      does not catch them.
+ *
+ * Commands call service methods after Zod-validating input and asserting
+ * abilities; internal callers (seeds, other services) can call service
+ * methods directly. Either way, the service is transport-agnostic.
+ *
+ * Service methods take the acting `AdminAuth` as an explicit first
+ * argument when they need it for invariants (self-delete checks). Reads
+ * do not need the actor — the ability check at the command boundary is
+ * sufficient.
+ */
+export declare class AdminUsersService {
+    #private;
+    constructor(deps: {
+        repo: AdminUsersRepository;
+    });
+    listUsers(request: ListAdminUsersRequest): Promise<AdminUserListResponse>;
+    getUser(request: GetAdminUserRequest): Promise<AdminUserResponse>;
+    createUser(request: CreateAdminUserRequest): Promise<AdminUserResponse>;
+    updateUser(request: UpdateAdminUserRequest): Promise<AdminUserResponse>;
+    setPassword(request: SetAdminUserPasswordRequest): Promise<AdminUserResponse>;
+    enableUser(request: EnableAdminUserRequest): Promise<void>;
+    disableUser(actor: AdminAuth, request: DisableAdminUserRequest): Promise<void>;
+    deleteUser(actor: AdminAuth, request: DeleteAdminUserRequest): Promise<void>;
+}
+//# sourceMappingURL=service.d.ts.map

package/dist/modules/admin-users/service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"service.d.ts","sourceRoot":"","sources":["../../../src/modules/admin-users/service.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,cAAc,CAAA;AAU7C,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAA;AAC3D,OAAO,KAAK,EACV,qBAAqB,EACrB,iBAAiB,EACjB,sBAAsB,EACtB,sBAAsB,EACtB,uBAAuB,EACvB,sBAAsB,EACtB,mBAAmB,EACnB,qBAAqB,EACrB,2BAA2B,EAC3B,sBAAsB,EACvB,MAAM,cAAc,CAAA;AAErB;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,qBAAa,iBAAiB;;gBAGhB,IAAI,EAAE;QAAE,IAAI,EAAE,oBAAoB,CAAA;KAAE;IAI1C,SAAS,CAAC,OAAO,EAAE,qBAAqB,GAAG,OAAO,CAAC,qBAAqB,CAAC;IA4BzE,OAAO,CAAC,OAAO,EAAE,mBAAmB,GAAG,OAAO,CAAC,iBAAiB,CAAC;IAMjE,UAAU,CAAC,OAAO,EAAE,sBAAsB,GAAG,OAAO,CAAC,iBAAiB,CAAC;IAsBvE,UAAU,CAAC,OAAO,EAAE,sBAAsB,GAAG,OAAO,CAAC,iBAAiB,CAAC;IAevE,WAAW,CAAC,OAAO,EAAE,2BAA2B,GAAG,OAAO,CAAC,iBAAiB,CAAC;IAQ7E,UAAU,CAAC,OAAO,EAAE,sBAAsB,GAAG,OAAO,CAAC,IAAI,CAAC;IAM1D,WAAW,CAAC,KAAK,EAAE,SAAS,EAAE,OAAO,EAAE,uBAAuB,GAAG,OAAO,CAAC,IAAI,CAAC;IAO9E,UAAU,CAAC,KAAK,EAAE,SAAS,EAAE,OAAO,EAAE,sBAAsB,GAAG,OAAO,CAAC,IAAI,CAAC;CAMnF"}

package/dist/modules/admin-users/service.js

@@ -0,0 +1,143 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+import { hashPassword } from '../auth/password.js';
+import { toAdminUser } from './dto.js';
+import { ERR_ADMIN_USER_EMAIL_IN_USE, ERR_ADMIN_USER_NOT_FOUND, ERR_ADMIN_USER_SELF_DELETE, ERR_ADMIN_USER_SELF_DISABLE, } from './errors.js';
+/**
+ * Business logic for administering admin users.
+ *
+ * The service owns four concerns the repository deliberately avoids:
+ *
+ *   1. **Password hashing.** `hashPassword` from `@byline/admin/auth`
+ *      runs here so every write path (create, setPassword, future
+ *      password-reset flows) hashes consistently.
+ *   2. **Domain invariants.** Email conflict detection on create/update,
+ *      self-delete / self-disable prevention — rules the database
+ *      cannot enforce on its own.
+ *   3. **DTO shaping.** Raw rows are shaped through `toAdminUser` so
+ *      the response contract is owned in one place.
+ *   4. **Optimistic-concurrency plumbing.** The repo gates writes on
+ *      `expectedVid`; the service just threads it from the validated
+ *      request shape. Version conflicts surface as
+ *      `AdminUsersError(VERSION_CONFLICT)` from the adapter; the service
+ *      does not catch them.
+ *
+ * Commands call service methods after Zod-validating input and asserting
+ * abilities; internal callers (seeds, other services) can call service
+ * methods directly. Either way, the service is transport-agnostic.
+ *
+ * Service methods take the acting `AdminAuth` as an explicit first
+ * argument when they need it for invariants (self-delete checks). Reads
+ * do not need the actor — the ability check at the command boundary is
+ * sufficient.
+ */
+export class AdminUsersService {
+    #repo;
+    constructor(deps) {
+        this.#repo = deps.repo;
+    }
+    async listUsers(request) {
+        // Run list + count in parallel — they hit the same indexes but
+        // there's no reason to serialise them.
+        const [rows, total] = await Promise.all([
+            this.#repo.list({
+                page: request.page,
+                pageSize: request.pageSize,
+                query: request.query,
+                order: request.order,
+                desc: request.desc,
+            }),
+            this.#repo.count({ query: request.query }),
+        ]);
+        const total_pages = Math.max(1, Math.ceil(total / request.pageSize));
+        return {
+            users: rows.map(toAdminUser),
+            meta: {
+                total,
+                total_pages,
+                page: request.page,
+                page_size: request.pageSize,
+                query: request.query ?? '',
+                order: request.order,
+                desc: request.desc,
+            },
+        };
+    }
+    async getUser(request) {
+        const row = await this.#repo.getById(request.id);
+        if (!row)
+            throw ERR_ADMIN_USER_NOT_FOUND();
+        return toAdminUser(row);
+    }
+    async createUser(request) {
+        // Pre-check for email conflict. The unique index on `email` is the
+        // ultimate backstop if a race beats this check; the pre-check exists
+        // so the common case returns a clean domain-specific error rather
+        // than a raw Postgres code.
+        const existing = await this.#repo.getByEmail(request.email);
+        if (existing)
+            throw ERR_ADMIN_USER_EMAIL_IN_USE();
+        const password_hash = await hashPassword(request.password);
+        const row = await this.#repo.create({
+            email: request.email,
+            password_hash,
+            given_name: request.given_name ?? null,
+            family_name: request.family_name ?? null,
+            username: request.username ?? null,
+            is_super_admin: request.is_super_admin,
+            is_enabled: request.is_enabled,
+            is_email_verified: request.is_email_verified,
+        });
+        return toAdminUser(row);
+    }
+    async updateUser(request) {
+        const current = await this.#repo.getById(request.id);
+        if (!current)
+            throw ERR_ADMIN_USER_NOT_FOUND();
+        // If email is being changed, check that the new address is not taken
+        // by another user.
+        if (request.patch.email != null && request.patch.email !== current.email) {
+            const owner = await this.#repo.getByEmail(request.patch.email);
+            if (owner && owner.id !== request.id)
+                throw ERR_ADMIN_USER_EMAIL_IN_USE();
+        }
+        const row = await this.#repo.update(request.id, request.vid, request.patch);
+        return toAdminUser(row);
+    }
+    async setPassword(request) {
+        const exists = await this.#repo.getById(request.id);
+        if (!exists)
+            throw ERR_ADMIN_USER_NOT_FOUND();
+        const password_hash = await hashPassword(request.password);
+        const row = await this.#repo.setPasswordHash(request.id, request.vid, password_hash);
+        return toAdminUser(row);
+    }
+    async enableUser(request) {
+        const exists = await this.#repo.getById(request.id);
+        if (!exists)
+            throw ERR_ADMIN_USER_NOT_FOUND();
+        await this.#repo.setEnabled(request.id, true);
+    }
+    async disableUser(actor, request) {
+        if (actor.id === request.id)
+            throw ERR_ADMIN_USER_SELF_DISABLE();
+        const exists = await this.#repo.getById(request.id);
+        if (!exists)
+            throw ERR_ADMIN_USER_NOT_FOUND();
+        await this.#repo.setEnabled(request.id, false);
+    }
+    async deleteUser(actor, request) {
+        if (actor.id === request.id)
+            throw ERR_ADMIN_USER_SELF_DELETE();
+        const exists = await this.#repo.getById(request.id);
+        if (!exists)
+            throw ERR_ADMIN_USER_NOT_FOUND();
+        await this.#repo.delete(request.id, request.vid);
+    }
+}
+//# sourceMappingURL=service.js.map

package/dist/modules/admin-users/service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"service.js","sourceRoot":"","sources":["../../../src/modules/admin-users/service.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAA;AAClD,OAAO,EAAE,WAAW,EAAE,MAAM,UAAU,CAAA;AACtC,OAAO,EACL,2BAA2B,EAC3B,wBAAwB,EACxB,0BAA0B,EAC1B,2BAA2B,GAC5B,MAAM,aAAa,CAAA;AAepB;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,OAAO,iBAAiB;IACnB,KAAK,CAAsB;IAEpC,YAAY,IAAoC;QAC9C,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,IAAI,CAAA;IACxB,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,OAA8B;QAC5C,+DAA+D;QAC/D,uCAAuC;QACvC,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;YACtC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC;gBACd,IAAI,EAAE,OAAO,CAAC,IAAI;gBAClB,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,KAAK,EAAE,OAAO,CAAC,KAAK;gBACpB,KAAK,EAAE,OAAO,CAAC,KAAK;gBACpB,IAAI,EAAE,OAAO,CAAC,IAAI;aACnB,CAAC;YACF,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC;SAC3C,CAAC,CAAA;QACF,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAA;QACpE,OAAO;YACL,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC;YAC5B,IAAI,EAAE;gBACJ,KAAK;gBACL,WAAW;gBACX,IAAI,EAAE,OAAO,CAAC,IAAI;gBAClB,SAAS,EAAE,OAAO,CAAC,QAAQ;gBAC3B,KAAK,EAAE,OAAO,CAAC,KAAK,IAAI,EAAE;gBAC1B,KAAK,EAAE,OAAO,CAAC,KAAK;gBACpB,IAAI,EAAE,OAAO,CAAC,IAAI;aACnB;SACF,CAAA;IACH,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,OAA4B;QACxC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,CAAA;QAChD,IAAI,CAAC,GAAG;YAAE,MAAM,wBAAwB,EAAE,CAAA;QAC1C,OAAO,WAAW,CAAC,GAAG,CAAC,CAAA;IACzB,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,OAA+B;QAC9C,mEAAmE;QACnE,qEAAqE;QACrE,kEAAkE;QAClE,4BAA4B;QAC5B,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;QAC3D,IAAI,QAAQ;YAAE,MAAM,2BAA2B,EAAE,CAAA;QAEjD,MAAM,aAAa,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAA;QAC1D,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC;YAClC,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,aAAa;YACb,UAAU,EAAE,OAAO,CAAC,UAAU,IAAI,IAAI;YACtC,WAAW,EAAE,OAAO,CAAC,WAAW,IAAI,IAAI;YACxC,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,IAAI;YAClC,cAAc,EAAE,OAAO,CAAC,cAAc;YACtC,UAAU,EAAE,OAAO,CAAC,UAAU;YAC9B,iBAAiB,EAAE,OAAO,CAAC,iBAAiB;SAC7C,CAAC,CAAA;QACF,OAAO,WAAW,CAAC,GAAG,CAAC,CAAA;IACzB,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,OAA+B;QAC9C,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,CAAA;QACpD,IAAI,CAAC,OAAO;YAAE,MAAM,wBAAwB,EAAE,CAAA;QAE9C,qEAAqE;QACrE,mBAAmB;QACnB,IAAI,OAAO,CAAC,KAAK,CAAC,KAAK,IAAI,IAAI,IAAI,OAAO,CAAC,KAAK,CAAC,KAAK,KAAK,OAAO,CAAC,KAAK,EAAE,CAAC;YACzE,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAA;YAC9D,IAAI,KAAK,IAAI,KAAK,CAAC,EAAE,KAAK,OAAO,CAAC,EAAE;gBAAE,MAAM,2BAA2B,EAAE,CAAA;QAC3E,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,EAAE,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,KAAK,CAAC,CAAA;QAC3E,OAAO,WAAW,CAAC,GAAG,CAAC,CAAA;IACzB,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,OAAoC;QACpD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,CAAA;QACnD,IAAI,CAAC,MAAM;YAAE,MAAM,wBAAwB,EAAE,CAAA;QAC7C,MAAM,aAAa,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAA;QAC1D,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,OAAO,CAAC,EAAE,EAAE,OAAO,CAAC,GAAG,EAAE,aAAa,CAAC,CAAA;QACpF,OAAO,WAAW,CAAC,GAAG,CAAC,CAAA;IACzB,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,OAA+B;QAC9C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,CAAA;QACnD,IAAI,CAAC,MAAM;YAAE,MAAM,wBAAwB,EAAE,CAAA;QAC7C,MAAM,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,EAAE,IAAI,CAAC,CAAA;IAC/C,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,KAAgB,EAAE,OAAgC;QAClE,IAAI,KAAK,CAAC,EAAE,KAAK,OAAO,CAAC,EAAE;YAAE,MAAM,2BAA2B,EAAE,CAAA;QAChE,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,CAAA;QACnD,IAAI,CAAC,MAAM;YAAE,MAAM,wBAAwB,EAAE,CAAA;QAC7C,MAAM,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,EAAE,KAAK,CAAC,CAAA;IAChD,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,KAAgB,EAAE,OAA+B;QAChE,IAAI,KAAK,CAAC,EAAE,KAAK,OAAO,CAAC,EAAE;YAAE,MAAM,0BAA0B,EAAE,CAAA;QAC/D,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,CAAA;QACnD,IAAI,CAAC,MAAM;YAAE,MAAM,wBAAwB,EAAE,CAAA;QAC7C,MAAM,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,EAAE,OAAO,CAAC,GAAG,CAAC,CAAA;IAClD,CAAC;CACF"}

package/dist/modules/auth/index.d.ts

@@ -0,0 +1,26 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+/**
+ * `@byline/admin/auth` — session handling for the built-in admin realm.
+ *
+ * Hosts the reference `JwtSessionProvider` and the sign-in / refresh /
+ * revoke orchestration that consumes it, along with password hashing
+ * (`hashPassword` / `verifyPassword`) and the `RefreshTokensRepository`
+ * contract the provider drives.
+ *
+ * The `SessionProvider` **interface** lives in `@byline/auth` so the
+ * pluggability contract stays narrow; this module supplies the
+ * Byline-native implementation. Third-party providers (Lucia, WorkOS,
+ * Clerk, institutional SSO) should be shipped as separate packages
+ * against `@byline/auth` rather than added here.
+ */
+export { JwtSessionProvider, type JwtSessionProviderConfig } from './jwt-session-provider.js';
+export { hashPassword, verifyPassword } from './password.js';
+export { resolveActor } from './resolve-actor.js';
+export type { IssueRefreshTokenInput, RefreshTokenRow, RefreshTokensRepository, } from './refresh-tokens-repository.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/modules/auth/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/modules/auth/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,kBAAkB,EAAE,KAAK,wBAAwB,EAAE,MAAM,2BAA2B,CAAA;AAC7F,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,eAAe,CAAA;AAC5D,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AACjD,YAAY,EACV,sBAAsB,EACtB,eAAe,EACf,uBAAuB,GACxB,MAAM,gCAAgC,CAAA"}