@camstack/core 0.1.32 → 0.1.34

package/dist/builtins/local-auth/local-auth.addon.mjs

@@ -1,5 +1,5 @@
 import { i as __toESM, r as __require, t as __commonJSMin } from "../../chunk-hT5z_Zn9.mjs";
-import * as crypto from "node:crypto";
+import * as crypto$1 from "node:crypto";
 import { ApiKeyRecordSchema, BaseAddon, ScopedTokenSchema, UserRecordSchema, authProviderCapability, userManagementCapability } from "@camstack/types";
 //#region ../../node_modules/safe-buffer/index.js
 var require_safe_buffer = /* @__PURE__ */ __commonJSMin(((exports, module) => {
@@ -224,14 +224,14 @@ var require_buffer_equal_constant_time = /* @__PURE__ */ __commonJSMin(((exports
 //#region ../../node_modules/jwa/index.js
 var require_jwa = /* @__PURE__ */ __commonJSMin(((exports, module) => {
 	var Buffer = require_safe_buffer().Buffer;
-	var crypto$1 = __require("crypto");
+	var crypto$2 = __require("crypto");
 	var formatEcdsa = require_ecdsa_sig_formatter();
 	var util$2 = __require("util");
 	var MSG_INVALID_ALGORITHM = "\"%s\" is not a valid algorithm.\n  Supported algorithms are:\n  \"HS256\", \"HS384\", \"HS512\", \"RS256\", \"RS384\", \"RS512\", \"PS256\", \"PS384\", \"PS512\", \"ES256\", \"ES384\", \"ES512\" and \"none\".";
 	var MSG_INVALID_SECRET = "secret must be a string or buffer";
 	var MSG_INVALID_VERIFIER_KEY = "key must be a string or a buffer";
 	var MSG_INVALID_SIGNER_KEY = "key must be a string, a buffer or an object";
-	var supportsKeyObjects = typeof crypto$1.createPublicKey === "function";
+	var supportsKeyObjects = typeof crypto$2.createPublicKey === "function";
 	if (supportsKeyObjects) {
 		MSG_INVALID_VERIFIER_KEY += " or a KeyObject";
 		MSG_INVALID_SECRET += "or a KeyObject";
@@ -284,14 +284,14 @@ var require_jwa = /* @__PURE__ */ __commonJSMin(((exports, module) => {
 		return function sign(thing, secret) {
 			checkIsSecretKey(secret);
 			thing = normalizeInput(thing);
-			var hmac = crypto$1.createHmac("sha" + bits, secret);
+			var hmac = crypto$2.createHmac("sha" + bits, secret);
 			return fromBase64((hmac.update(thing), hmac.digest("base64")));
 		};
 	}
 	var bufferEqual;
-	var timingSafeEqual = "timingSafeEqual" in crypto$1 ? function timingSafeEqual(a, b) {
+	var timingSafeEqual = "timingSafeEqual" in crypto$2 ? function timingSafeEqual(a, b) {
 		if (a.byteLength !== b.byteLength) return false;
-		return crypto$1.timingSafeEqual(a, b);
+		return crypto$2.timingSafeEqual(a, b);
 	} : function timingSafeEqual(a, b) {
 		if (!bufferEqual) bufferEqual = require_buffer_equal_constant_time();
 		return bufferEqual(a, b);
@@ -306,7 +306,7 @@ var require_jwa = /* @__PURE__ */ __commonJSMin(((exports, module) => {
 		return function sign(thing, privateKey) {
 			checkIsPrivateKey(privateKey);
 			thing = normalizeInput(thing);
-			var signer = crypto$1.createSign("RSA-SHA" + bits);
+			var signer = crypto$2.createSign("RSA-SHA" + bits);
 			return fromBase64((signer.update(thing), signer.sign(privateKey, "base64")));
 		};
 	}
@@ -315,7 +315,7 @@ var require_jwa = /* @__PURE__ */ __commonJSMin(((exports, module) => {
 			checkIsPublicKey(publicKey);
 			thing = normalizeInput(thing);
 			signature = toBase64(signature);
-			var verifier = crypto$1.createVerify("RSA-SHA" + bits);
+			var verifier = crypto$2.createVerify("RSA-SHA" + bits);
 			verifier.update(thing);
 			return verifier.verify(publicKey, signature, "base64");
 		};
@@ -324,11 +324,11 @@ var require_jwa = /* @__PURE__ */ __commonJSMin(((exports, module) => {
 		return function sign(thing, privateKey) {
 			checkIsPrivateKey(privateKey);
 			thing = normalizeInput(thing);
-			var signer = crypto$1.createSign("RSA-SHA" + bits);
+			var signer = crypto$2.createSign("RSA-SHA" + bits);
 			return fromBase64((signer.update(thing), signer.sign({
 				key: privateKey,
-				padding: crypto$1.constants.RSA_PKCS1_PSS_PADDING,
-				saltLength: crypto$1.constants.RSA_PSS_SALTLEN_DIGEST
+				padding: crypto$2.constants.RSA_PKCS1_PSS_PADDING,
+				saltLength: crypto$2.constants.RSA_PSS_SALTLEN_DIGEST
 			}, "base64")));
 		};
 	}
@@ -337,12 +337,12 @@ var require_jwa = /* @__PURE__ */ __commonJSMin(((exports, module) => {
 			checkIsPublicKey(publicKey);
 			thing = normalizeInput(thing);
 			signature = toBase64(signature);
-			var verifier = crypto$1.createVerify("RSA-SHA" + bits);
+			var verifier = crypto$2.createVerify("RSA-SHA" + bits);
 			verifier.update(thing);
 			return verifier.verify({
 				key: publicKey,
-				padding: crypto$1.constants.RSA_PKCS1_PSS_PADDING,
-				saltLength: crypto$1.constants.RSA_PSS_SALTLEN_DIGEST
+				padding: crypto$2.constants.RSA_PKCS1_PSS_PADDING,
+				saltLength: crypto$2.constants.RSA_PSS_SALTLEN_DIGEST
 			}, signature, "base64");
 		};
 	}
@@ -6168,7 +6168,7 @@ var AuthManager = class {
 		const configured = this.config.get("auth.jwtSecret");
 		if (configured) this.jwtSecret = configured;
 		else {
-			const secret = crypto.randomBytes(32).toString("hex");
+			const secret = crypto$1.randomBytes(32).toString("hex");
 			this.config.update("auth", { jwtSecret: secret });
 			this.logger.info("Generated JWT secret and saved to config.yaml (auth.jwtSecret)");
 			this.jwtSecret = secret;
@@ -6187,15 +6187,15 @@ var AuthManager = class {
 		return import_bcryptjs.compare(password, hash);
 	}
 	generateApiKey() {
-		const token = crypto.randomBytes(32).toString("hex");
+		const token = crypto$1.randomBytes(32).toString("hex");
 		return {
 			token,
-			hash: crypto.createHash("sha256").update(token).digest("hex"),
+			hash: crypto$1.createHash("sha256").update(token).digest("hex"),
 			prefix: token.slice(0, 8)
 		};
 	}
 	validateApiKey(token, storedHash) {
-		return crypto.createHash("sha256").update(token).digest("hex") === storedHash;
+		return crypto$1.createHash("sha256").update(token).digest("hex") === storedHash;
 	}
 	/**
 	* Create a service token for agent/worker authentication.
@@ -6205,7 +6205,7 @@ var AuthManager = class {
 		const payload = {
 			userId: opts.agentId,
 			username: opts.agentId,
-			role: opts.role ?? "agent",
+			isAdmin: true,
 			type: "service",
 			agentId: opts.agentId,
 			allowedProviders: "*",
@@ -6214,6 +6214,109 @@ var AuthManager = class {
 		const expiresIn = opts.expiresIn ?? "24h";
 		return import_jsonwebtoken.sign(payload, this.jwtSecret, { expiresIn });
 	}
+	/**
+	* Mint a short-lived HMAC-signed bridge token used by SSO-style auth
+	* providers (OIDC, SAML, magic-link, …) to hand the post-callback
+	* claims to `/api/auth/sso/finish` without trusting unsigned query
+	* parameters. The endpoint verifies the token signature with the same
+	* `jwtSecret` and only then mints the user session JWT. This closes
+	* the privilege-escalation gap where any client could craft a
+	* `?isAdmin=1` link to `/sso/finish` and become admin.
+	*
+	* The payload carries `kind: 'sso-bridge'` so `verifySsoBridgeToken`
+	* can reject session tokens reused as bridge tokens (and vice versa).
+	* TTL defaults to 5 minutes — long enough to survive the IdP
+	* redirect bounce, short enough that a leaked URL stops being useful
+	* before the operator notices.
+	*/
+	signSsoBridgeToken(payload, ttlSec = 300) {
+		const body = {
+			kind: "sso-bridge",
+			userId: payload.userId,
+			username: payload.username,
+			isAdmin: payload.isAdmin,
+			provider: payload.provider,
+			...payload.email !== void 0 ? { email: payload.email } : {},
+			...payload.displayName !== void 0 ? { displayName: payload.displayName } : {}
+		};
+		return import_jsonwebtoken.sign(body, this.jwtSecret, { expiresIn: ttlSec });
+	}
+	/**
+	* Verify + decode a bridge token minted by `signSsoBridgeToken`.
+	* Returns `null` for invalid signature, expired token, or wrong
+	* `kind` claim. Never throws — the consumer ( `/sso/finish`) treats
+	* `null` as 400 Bad Request.
+	*/
+	verifySsoBridgeToken(token) {
+		try {
+			const decoded = import_jsonwebtoken.verify(token, this.jwtSecret);
+			if (decoded["kind"] !== "sso-bridge") return null;
+			const userId = decoded["userId"];
+			const username = decoded["username"];
+			const isAdmin = decoded["isAdmin"];
+			const provider = decoded["provider"];
+			if (typeof userId !== "string" || typeof username !== "string" || typeof isAdmin !== "boolean" || typeof provider !== "string") return null;
+			const email = typeof decoded["email"] === "string" ? decoded["email"] : void 0;
+			const displayName = typeof decoded["displayName"] === "string" ? decoded["displayName"] : void 0;
+			return {
+				userId,
+				username,
+				isAdmin,
+				provider,
+				...email !== void 0 ? { email } : {},
+				...displayName !== void 0 ? { displayName } : {}
+			};
+		} catch {
+			return null;
+		}
+	}
+	/**
+	* Mint a TOTP challenge token bridging the two-step login flow:
+	*
+	*   1. POST /login → password OK + user has 2FA  →  returns
+	*      `{requiresTotp: true, challengeToken: '...'}` (this token).
+	*   2. POST /login/totp-verify → operator types 6-digit code →
+	*      server verifies challenge token + code → mints the real
+	*      session JWT.
+	*
+	* The token carries `kind: 'totp-challenge'` so it can't be confused
+	* with a regular session token, plus the `userId` + `username` +
+	* `isAdmin` claims that will end up in the final session if the code
+	* verifies. TTL defaults to 5 minutes — long enough to type the code,
+	* short enough that an abandoned login can't be picked up later.
+	*/
+	signTotpChallengeToken(payload, ttlSec = 300) {
+		return import_jsonwebtoken.sign({
+			kind: "totp-challenge",
+			userId: payload.userId,
+			username: payload.username,
+			isAdmin: payload.isAdmin
+		}, this.jwtSecret, { expiresIn: ttlSec });
+	}
+	/**
+	* Verify + decode a TOTP challenge token. Returns `null` for any
+	* failure (invalid signature, expired, wrong `kind`, missing
+	* claims). The caller MUST also verify the 6-digit code against
+	* `totpManager.verify(userId, code)` before minting the real
+	* session — this method validates the bridge transport only.
+	*/
+	verifyTotpChallengeToken(token) {
+		try {
+			const decoded = import_jsonwebtoken.verify(token, this.jwtSecret);
+			if (decoded["kind"] !== "totp-challenge") return null;
+			const userId = decoded["userId"];
+			const username = decoded["username"];
+			const isAdmin = decoded["isAdmin"];
+			if (typeof userId !== "string" || typeof username !== "string" || typeof isAdmin !== "boolean") return null;
+			return {
+				userId,
+				username,
+				isAdmin
+			};
+		} catch {
+			return null;
+		}
+	}
 };
 //#endregion
 //#region src/auth/parse-record.ts
@@ -6247,10 +6350,10 @@ var UserManager = class {
 		const passwordHash = await this.auth.hashPassword(input.password);
 		const now = Date.now();
 		const record = {
-			id: crypto.randomUUID(),
+			id: crypto$1.randomUUID(),
 			username: input.username,
 			passwordHash,
-			role: input.role,
+			isAdmin: input.isAdmin ?? false,
 			allowedProviders: input.allowedProviders ?? "*",
 			allowedDevices: input.allowedDevices ?? {},
 			scopes: input.scopes ?? [],
@@ -6338,7 +6441,7 @@ var UserManager = class {
 		await this.create({
 			username: adminUsername,
 			password: adminPassword,
-			role: "admin",
+			isAdmin: true,
 			allowedProviders: "*",
 			allowedDevices: {}
 		});
@@ -6362,9 +6465,9 @@ var ApiKeyManager = class {
 		const { token: rawToken, hash, prefix } = this.auth.generateApiKey();
 		const now = Date.now();
 		const record = {
-			id: crypto.randomUUID(),
+			id: crypto$1.randomUUID(),
 			label: input.label,
-			role: input.role,
+			isAdmin: input.isAdmin ?? false,
 			allowedProviders: input.allowedProviders ?? "*",
 			allowedDevices: input.allowedDevices ?? {},
 			tokenHash: hash,
@@ -6438,11 +6541,11 @@ var ScopedTokenManager = class {
 		this.store = store;
 	}
 	async create(userId, name, scopes, expiresAt) {
-		const rawToken = `${TOKEN_PREFIX}${crypto.randomBytes(32).toString("hex")}`;
-		const tokenHash = crypto.createHash("sha256").update(rawToken).digest("hex");
+		const rawToken = `${TOKEN_PREFIX}${crypto$1.randomBytes(32).toString("hex")}`;
+		const tokenHash = crypto$1.createHash("sha256").update(rawToken).digest("hex");
 		const tokenPrefix = rawToken.slice(0, 12);
 		const record = {
-			id: crypto.randomUUID(),
+			id: crypto$1.randomUUID(),
 			userId,
 			name,
 			tokenHash,
@@ -6466,7 +6569,7 @@ var ScopedTokenManager = class {
 	}
 	async validate(rawToken) {
 		if (!rawToken.startsWith(TOKEN_PREFIX)) return null;
-		const tokenHash = crypto.createHash("sha256").update(rawToken).digest("hex");
+		const tokenHash = crypto$1.createHash("sha256").update(rawToken).digest("hex");
 		const results = await this.store.query.query({
 			collection: TOKENS_COLLECTION,
 			filter: { where: { tokenHash } }
@@ -6558,10 +6661,841 @@ var ScopedTokenManager = class {
 	}
 };
 //#endregion
+//#region ../../node_modules/@otplib/plugin-crypto/index.js
+/**
+* @otplib/plugin-crypto
+*
+* @author Gerald Yeo <contact@fusedthought.com>
+* @version: 12.0.1
+* @license: MIT
+**/
+var require_plugin_crypto = /* @__PURE__ */ __commonJSMin(((exports) => {
+	Object.defineProperty(exports, "__esModule", { value: true });
+	function _interopDefault(ex) {
+		return ex && typeof ex === "object" && "default" in ex ? ex["default"] : ex;
+	}
+	var crypto = _interopDefault(__require("crypto"));
+	var createDigest = (algorithm, hmacKey, counter) => {
+		return crypto.createHmac(algorithm, Buffer.from(hmacKey, "hex")).update(Buffer.from(counter, "hex")).digest().toString("hex");
+	};
+	var createRandomBytes = (size, encoding) => {
+		return crypto.randomBytes(size).toString(encoding);
+	};
+	exports.createDigest = createDigest;
+	exports.createRandomBytes = createRandomBytes;
+}));
+//#endregion
+//#region ../../node_modules/thirty-two/lib/thirty-two/thirty-two.js
+var require_thirty_two$1 = /* @__PURE__ */ __commonJSMin(((exports) => {
+	var charTable = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
+	var byteTable = [
+		255,
+		255,
+		26,
+		27,
+		28,
+		29,
+		30,
+		31,
+		255,
+		255,
+		255,
+		255,
+		255,
+		255,
+		255,
+		255,
+		255,
+		0,
+		1,
+		2,
+		3,
+		4,
+		5,
+		6,
+		7,
+		8,
+		9,
+		10,
+		11,
+		12,
+		13,
+		14,
+		15,
+		16,
+		17,
+		18,
+		19,
+		20,
+		21,
+		22,
+		23,
+		24,
+		25,
+		255,
+		255,
+		255,
+		255,
+		255,
+		255,
+		0,
+		1,
+		2,
+		3,
+		4,
+		5,
+		6,
+		7,
+		8,
+		9,
+		10,
+		11,
+		12,
+		13,
+		14,
+		15,
+		16,
+		17,
+		18,
+		19,
+		20,
+		21,
+		22,
+		23,
+		24,
+		25,
+		255,
+		255,
+		255,
+		255,
+		255
+	];
+	function quintetCount(buff) {
+		var quintets = Math.floor(buff.length / 5);
+		return buff.length % 5 === 0 ? quintets : quintets + 1;
+	}
+	exports.encode = function(plain) {
+		if (!Buffer.isBuffer(plain)) plain = new Buffer(plain);
+		var i = 0;
+		var j = 0;
+		var shiftIndex = 0;
+		var digit = 0;
+		var encoded = new Buffer(quintetCount(plain) * 8);
+		while (i < plain.length) {
+			var current = plain[i];
+			if (shiftIndex > 3) {
+				digit = current & 255 >> shiftIndex;
+				shiftIndex = (shiftIndex + 5) % 8;
+				digit = digit << shiftIndex | (i + 1 < plain.length ? plain[i + 1] : 0) >> 8 - shiftIndex;
+				i++;
+			} else {
+				digit = current >> 8 - (shiftIndex + 5) & 31;
+				shiftIndex = (shiftIndex + 5) % 8;
+				if (shiftIndex === 0) i++;
+			}
+			encoded[j] = charTable.charCodeAt(digit);
+			j++;
+		}
+		for (i = j; i < encoded.length; i++) encoded[i] = 61;
+		return encoded;
+	};
+	exports.decode = function(encoded) {
+		var shiftIndex = 0;
+		var plainDigit = 0;
+		var plainChar;
+		var plainPos = 0;
+		if (!Buffer.isBuffer(encoded)) encoded = new Buffer(encoded);
+		var decoded = new Buffer(Math.ceil(encoded.length * 5 / 8));
+		for (var i = 0; i < encoded.length; i++) {
+			if (encoded[i] === 61) break;
+			var encodedByte = encoded[i] - 48;
+			if (encodedByte < byteTable.length) {
+				plainDigit = byteTable[encodedByte];
+				if (shiftIndex <= 3) {
+					shiftIndex = (shiftIndex + 5) % 8;
+					if (shiftIndex === 0) {
+						plainChar |= plainDigit;
+						decoded[plainPos] = plainChar;
+						plainPos++;
+						plainChar = 0;
+					} else plainChar |= 255 & plainDigit << 8 - shiftIndex;
+				} else {
+					shiftIndex = (shiftIndex + 5) % 8;
+					plainChar |= 255 & plainDigit >>> shiftIndex;
+					decoded[plainPos] = plainChar;
+					plainPos++;
+					plainChar = 255 & plainDigit << 8 - shiftIndex;
+				}
+			} else throw new Error("Invalid input - it is not base32 encoded string");
+		}
+		return decoded.slice(0, plainPos);
+	};
+}));
+//#endregion
+//#region ../../node_modules/thirty-two/lib/thirty-two/index.js
+var require_thirty_two = /* @__PURE__ */ __commonJSMin(((exports) => {
+	var base32 = require_thirty_two$1();
+	exports.encode = base32.encode;
+	exports.decode = base32.decode;
+}));
+//#endregion
+//#region ../../node_modules/@otplib/plugin-thirty-two/index.js
+/**
+* @otplib/plugin-thirty-two
+*
+* @author Gerald Yeo <contact@fusedthought.com>
+* @version: 12.0.1
+* @license: MIT
+**/
+var require_plugin_thirty_two = /* @__PURE__ */ __commonJSMin(((exports) => {
+	Object.defineProperty(exports, "__esModule", { value: true });
+	function _interopDefault(ex) {
+		return ex && typeof ex === "object" && "default" in ex ? ex["default"] : ex;
+	}
+	var thirtyTwo = _interopDefault(require_thirty_two());
+	var keyDecoder = (encodedSecret, encoding) => {
+		return thirtyTwo.decode(encodedSecret).toString(encoding);
+	};
+	var keyEncoder = (secret, encoding) => {
+		return thirtyTwo.encode(Buffer.from(secret, encoding).toString("ascii")).toString().replace(/=/g, "");
+	};
+	exports.keyDecoder = keyDecoder;
+	exports.keyEncoder = keyEncoder;
+}));
+//#endregion
+//#region ../../node_modules/@otplib/core/index.js
+/**
+* @otplib/core
+*
+* @author Gerald Yeo <contact@fusedthought.com>
+* @version: 12.0.1
+* @license: MIT
+**/
+var require_core = /* @__PURE__ */ __commonJSMin(((exports) => {
+	Object.defineProperty(exports, "__esModule", { value: true });
+	function objectValues(value) {
+		return Object.keys(value).map((key) => value[key]);
+	}
+	(function(HashAlgorithms) {
+		HashAlgorithms["SHA1"] = "sha1";
+		HashAlgorithms["SHA256"] = "sha256";
+		HashAlgorithms["SHA512"] = "sha512";
+	})(exports.HashAlgorithms || (exports.HashAlgorithms = {}));
+	var HASH_ALGORITHMS = objectValues(exports.HashAlgorithms);
+	(function(KeyEncodings) {
+		KeyEncodings["ASCII"] = "ascii";
+		KeyEncodings["BASE64"] = "base64";
+		KeyEncodings["HEX"] = "hex";
+		KeyEncodings["LATIN1"] = "latin1";
+		KeyEncodings["UTF8"] = "utf8";
+	})(exports.KeyEncodings || (exports.KeyEncodings = {}));
+	var KEY_ENCODINGS = objectValues(exports.KeyEncodings);
+	(function(Strategy) {
+		Strategy["HOTP"] = "hotp";
+		Strategy["TOTP"] = "totp";
+	})(exports.Strategy || (exports.Strategy = {}));
+	var STRATEGY = objectValues(exports.Strategy);
+	var createDigestPlaceholder = () => {
+		throw new Error("Please provide an options.createDigest implementation.");
+	};
+	function isTokenValid(value) {
+		return /^(\d+)$/.test(value);
+	}
+	function padStart(value, maxLength, fillString) {
+		if (value.length >= maxLength) return value;
+		return `${Array(maxLength + 1).join(fillString)}${value}`.slice(-1 * maxLength);
+	}
+	function keyuri(options) {
+		const tmpl = `otpauth://${options.type}/{labelPrefix}:{accountName}?secret={secret}{query}`;
+		const params = [];
+		if (STRATEGY.indexOf(options.type) < 0) throw new Error(`Expecting options.type to be one of ${STRATEGY.join(", ")}. Received ${options.type}.`);
+		if (options.type === "hotp") {
+			if (options.counter == null || typeof options.counter !== "number") throw new Error("Expecting options.counter to be a number when options.type is \"hotp\".");
+			params.push(`&counter=${options.counter}`);
+		}
+		if (options.type === "totp" && options.step) params.push(`&period=${options.step}`);
+		if (options.digits) params.push(`&digits=${options.digits}`);
+		if (options.algorithm) params.push(`&algorithm=${options.algorithm.toUpperCase()}`);
+		if (options.issuer) params.push(`&issuer=${encodeURIComponent(options.issuer)}`);
+		return tmpl.replace("{labelPrefix}", encodeURIComponent(options.issuer || options.accountName)).replace("{accountName}", encodeURIComponent(options.accountName)).replace("{secret}", options.secret).replace("{query}", params.join(""));
+	}
+	var OTP = class OTP {
+		constructor(defaultOptions = {}) {
+			this._defaultOptions = Object.freeze({ ...defaultOptions });
+			this._options = Object.freeze({});
+		}
+		create(defaultOptions = {}) {
+			return new OTP(defaultOptions);
+		}
+		clone(defaultOptions = {}) {
+			const instance = this.create({
+				...this._defaultOptions,
+				...defaultOptions
+			});
+			instance.options = this._options;
+			return instance;
+		}
+		get options() {
+			return Object.freeze({
+				...this._defaultOptions,
+				...this._options
+			});
+		}
+		set options(options) {
+			this._options = Object.freeze({
+				...this._options,
+				...options
+			});
+		}
+		allOptions() {
+			return this.options;
+		}
+		resetOptions() {
+			this._options = Object.freeze({});
+		}
+	};
+	function hotpOptionsValidator(options) {
+		if (typeof options.createDigest !== "function") throw new Error("Expecting options.createDigest to be a function.");
+		if (typeof options.createHmacKey !== "function") throw new Error("Expecting options.createHmacKey to be a function.");
+		if (typeof options.digits !== "number") throw new Error("Expecting options.digits to be a number.");
+		if (!options.algorithm || HASH_ALGORITHMS.indexOf(options.algorithm) < 0) throw new Error(`Expecting options.algorithm to be one of ${HASH_ALGORITHMS.join(", ")}. Received ${options.algorithm}.`);
+		if (!options.encoding || KEY_ENCODINGS.indexOf(options.encoding) < 0) throw new Error(`Expecting options.encoding to be one of ${KEY_ENCODINGS.join(", ")}. Received ${options.encoding}.`);
+	}
+	var hotpCreateHmacKey = (algorithm, secret, encoding) => {
+		return Buffer.from(secret, encoding).toString("hex");
+	};
+	function hotpDefaultOptions() {
+		return {
+			algorithm: exports.HashAlgorithms.SHA1,
+			createHmacKey: hotpCreateHmacKey,
+			createDigest: createDigestPlaceholder,
+			digits: 6,
+			encoding: exports.KeyEncodings.ASCII
+		};
+	}
+	function hotpOptions(opt) {
+		const options = {
+			...hotpDefaultOptions(),
+			...opt
+		};
+		hotpOptionsValidator(options);
+		return Object.freeze(options);
+	}
+	function hotpCounter(counter) {
+		return padStart(counter.toString(16), 16, "0");
+	}
+	function hotpDigestToToken(hexDigest, digits) {
+		const digest = Buffer.from(hexDigest, "hex");
+		const offset = digest[digest.length - 1] & 15;
+		const token = ((digest[offset] & 127) << 24 | (digest[offset + 1] & 255) << 16 | (digest[offset + 2] & 255) << 8 | digest[offset + 3] & 255) % Math.pow(10, digits);
+		return padStart(String(token), digits, "0");
+	}
+	function hotpDigest(secret, counter, options) {
+		const hexCounter = hotpCounter(counter);
+		const hmacKey = options.createHmacKey(options.algorithm, secret, options.encoding);
+		return options.createDigest(options.algorithm, hmacKey, hexCounter);
+	}
+	function hotpToken(secret, counter, options) {
+		return hotpDigestToToken(options.digest || hotpDigest(secret, counter, options), options.digits);
+	}
+	function hotpCheck(token, secret, counter, options) {
+		if (!isTokenValid(token)) return false;
+		return token === hotpToken(secret, counter, options);
+	}
+	function hotpKeyuri(accountName, issuer, secret, counter, options) {
+		return keyuri({
+			algorithm: options.algorithm,
+			digits: options.digits,
+			type: exports.Strategy.HOTP,
+			accountName,
+			counter,
+			issuer,
+			secret
+		});
+	}
+	var HOTP = class HOTP extends OTP {
+		create(defaultOptions = {}) {
+			return new HOTP(defaultOptions);
+		}
+		allOptions() {
+			return hotpOptions(this.options);
+		}
+		generate(secret, counter) {
+			return hotpToken(secret, counter, this.allOptions());
+		}
+		check(token, secret, counter) {
+			return hotpCheck(token, secret, counter, this.allOptions());
+		}
+		verify(opts) {
+			if (typeof opts !== "object") throw new Error("Expecting argument 0 of verify to be an object");
+			return this.check(opts.token, opts.secret, opts.counter);
+		}
+		keyuri(accountName, issuer, secret, counter) {
+			return hotpKeyuri(accountName, issuer, secret, counter, this.allOptions());
+		}
+	};
+	function parseWindowBounds(win) {
+		if (typeof win === "number") return [Math.abs(win), Math.abs(win)];
+		if (Array.isArray(win)) {
+			const [past, future] = win;
+			if (typeof past === "number" && typeof future === "number") return [Math.abs(past), Math.abs(future)];
+		}
+		throw new Error("Expecting options.window to be an number or [number, number].");
+	}
+	function totpOptionsValidator(options) {
+		hotpOptionsValidator(options);
+		parseWindowBounds(options.window);
+		if (typeof options.epoch !== "number") throw new Error("Expecting options.epoch to be a number.");
+		if (typeof options.step !== "number") throw new Error("Expecting options.step to be a number.");
+	}
+	var totpPadSecret = (secret, encoding, minLength) => {
+		const currentLength = secret.length;
+		const hexSecret = Buffer.from(secret, encoding).toString("hex");
+		if (currentLength < minLength) {
+			const newSecret = new Array(minLength - currentLength + 1).join(hexSecret);
+			return Buffer.from(newSecret, "hex").slice(0, minLength).toString("hex");
+		}
+		return hexSecret;
+	};
+	var totpCreateHmacKey = (algorithm, secret, encoding) => {
+		switch (algorithm) {
+			case exports.HashAlgorithms.SHA1: return totpPadSecret(secret, encoding, 20);
+			case exports.HashAlgorithms.SHA256: return totpPadSecret(secret, encoding, 32);
+			case exports.HashAlgorithms.SHA512: return totpPadSecret(secret, encoding, 64);
+			default: throw new Error(`Expecting algorithm to be one of ${HASH_ALGORITHMS.join(", ")}. Received ${algorithm}.`);
+		}
+	};
+	function totpDefaultOptions() {
+		return {
+			algorithm: exports.HashAlgorithms.SHA1,
+			createDigest: createDigestPlaceholder,
+			createHmacKey: totpCreateHmacKey,
+			digits: 6,
+			encoding: exports.KeyEncodings.ASCII,
+			epoch: Date.now(),
+			step: 30,
+			window: 0
+		};
+	}
+	function totpOptions(opt) {
+		const options = {
+			...totpDefaultOptions(),
+			...opt
+		};
+		totpOptionsValidator(options);
+		return Object.freeze(options);
+	}
+	function totpCounter(epoch, step) {
+		return Math.floor(epoch / step / 1e3);
+	}
+	function totpToken(secret, options) {
+		return hotpToken(secret, totpCounter(options.epoch, options.step), options);
+	}
+	function totpEpochsInWindow(epoch, direction, deltaPerEpoch, numOfEpoches) {
+		const result = [];
+		if (numOfEpoches === 0) return result;
+		for (let i = 1; i <= numOfEpoches; i++) {
+			const delta = direction * i * deltaPerEpoch;
+			result.push(epoch + delta);
+		}
+		return result;
+	}
+	function totpEpochAvailable(epoch, step, win) {
+		const bounds = parseWindowBounds(win);
+		const delta = step * 1e3;
+		return {
+			current: epoch,
+			past: totpEpochsInWindow(epoch, -1, delta, bounds[0]),
+			future: totpEpochsInWindow(epoch, 1, delta, bounds[1])
+		};
+	}
+	function totpCheck(token, secret, options) {
+		if (!isTokenValid(token)) return false;
+		return token === totpToken(secret, options);
+	}
+	function totpCheckByEpoch(epochs, token, secret, options) {
+		let position = null;
+		epochs.some((epoch, idx) => {
+			if (totpCheck(token, secret, {
+				...options,
+				epoch
+			})) {
+				position = idx + 1;
+				return true;
+			}
+			return false;
+		});
+		return position;
+	}
+	function totpCheckWithWindow(token, secret, options) {
+		if (totpCheck(token, secret, options)) return 0;
+		const epochs = totpEpochAvailable(options.epoch, options.step, options.window);
+		const backward = totpCheckByEpoch(epochs.past, token, secret, options);
+		if (backward !== null) return backward * -1;
+		return totpCheckByEpoch(epochs.future, token, secret, options);
+	}
+	function totpTimeUsed(epoch, step) {
+		return Math.floor(epoch / 1e3) % step;
+	}
+	function totpTimeRemaining(epoch, step) {
+		return step - totpTimeUsed(epoch, step);
+	}
+	function totpKeyuri(accountName, issuer, secret, options) {
+		return keyuri({
+			algorithm: options.algorithm,
+			digits: options.digits,
+			step: options.step,
+			type: exports.Strategy.TOTP,
+			accountName,
+			issuer,
+			secret
+		});
+	}
+	var TOTP = class TOTP extends HOTP {
+		create(defaultOptions = {}) {
+			return new TOTP(defaultOptions);
+		}
+		allOptions() {
+			return totpOptions(this.options);
+		}
+		generate(secret) {
+			return totpToken(secret, this.allOptions());
+		}
+		checkDelta(token, secret) {
+			return totpCheckWithWindow(token, secret, this.allOptions());
+		}
+		check(token, secret) {
+			return typeof this.checkDelta(token, secret) === "number";
+		}
+		verify(opts) {
+			if (typeof opts !== "object") throw new Error("Expecting argument 0 of verify to be an object");
+			return this.check(opts.token, opts.secret);
+		}
+		timeRemaining() {
+			const options = this.allOptions();
+			return totpTimeRemaining(options.epoch, options.step);
+		}
+		timeUsed() {
+			const options = this.allOptions();
+			return totpTimeUsed(options.epoch, options.step);
+		}
+		keyuri(accountName, issuer, secret) {
+			return totpKeyuri(accountName, issuer, secret, this.allOptions());
+		}
+	};
+	function authenticatorOptionValidator(options) {
+		totpOptionsValidator(options);
+		if (typeof options.keyDecoder !== "function") throw new Error("Expecting options.keyDecoder to be a function.");
+		if (options.keyEncoder && typeof options.keyEncoder !== "function") throw new Error("Expecting options.keyEncoder to be a function.");
+	}
+	function authenticatorDefaultOptions() {
+		return {
+			algorithm: exports.HashAlgorithms.SHA1,
+			createDigest: createDigestPlaceholder,
+			createHmacKey: totpCreateHmacKey,
+			digits: 6,
+			encoding: exports.KeyEncodings.HEX,
+			epoch: Date.now(),
+			step: 30,
+			window: 0
+		};
+	}
+	function authenticatorOptions(opt) {
+		const options = {
+			...authenticatorDefaultOptions(),
+			...opt
+		};
+		authenticatorOptionValidator(options);
+		return Object.freeze(options);
+	}
+	function authenticatorEncoder(secret, options) {
+		return options.keyEncoder(secret, options.encoding);
+	}
+	function authenticatorDecoder(secret, options) {
+		return options.keyDecoder(secret, options.encoding);
+	}
+	function authenticatorGenerateSecret(numberOfBytes, options) {
+		return authenticatorEncoder(options.createRandomBytes(numberOfBytes, options.encoding), options);
+	}
+	function authenticatorToken(secret, options) {
+		return totpToken(authenticatorDecoder(secret, options), options);
+	}
+	function authenticatorCheckWithWindow(token, secret, options) {
+		return totpCheckWithWindow(token, authenticatorDecoder(secret, options), options);
+	}
+	exports.Authenticator = class Authenticator extends TOTP {
+		create(defaultOptions = {}) {
+			return new Authenticator(defaultOptions);
+		}
+		allOptions() {
+			return authenticatorOptions(this.options);
+		}
+		generate(secret) {
+			return authenticatorToken(secret, this.allOptions());
+		}
+		checkDelta(token, secret) {
+			return authenticatorCheckWithWindow(token, secret, this.allOptions());
+		}
+		encode(secret) {
+			return authenticatorEncoder(secret, this.allOptions());
+		}
+		decode(secret) {
+			return authenticatorDecoder(secret, this.allOptions());
+		}
+		generateSecret(numberOfBytes = 10) {
+			return authenticatorGenerateSecret(numberOfBytes, this.allOptions());
+		}
+	};
+	exports.HASH_ALGORITHMS = HASH_ALGORITHMS;
+	exports.HOTP = HOTP;
+	exports.KEY_ENCODINGS = KEY_ENCODINGS;
+	exports.OTP = OTP;
+	exports.STRATEGY = STRATEGY;
+	exports.TOTP = TOTP;
+	exports.authenticatorCheckWithWindow = authenticatorCheckWithWindow;
+	exports.authenticatorDecoder = authenticatorDecoder;
+	exports.authenticatorDefaultOptions = authenticatorDefaultOptions;
+	exports.authenticatorEncoder = authenticatorEncoder;
+	exports.authenticatorGenerateSecret = authenticatorGenerateSecret;
+	exports.authenticatorOptionValidator = authenticatorOptionValidator;
+	exports.authenticatorOptions = authenticatorOptions;
+	exports.authenticatorToken = authenticatorToken;
+	exports.createDigestPlaceholder = createDigestPlaceholder;
+	exports.hotpCheck = hotpCheck;
+	exports.hotpCounter = hotpCounter;
+	exports.hotpCreateHmacKey = hotpCreateHmacKey;
+	exports.hotpDefaultOptions = hotpDefaultOptions;
+	exports.hotpDigestToToken = hotpDigestToToken;
+	exports.hotpKeyuri = hotpKeyuri;
+	exports.hotpOptions = hotpOptions;
+	exports.hotpOptionsValidator = hotpOptionsValidator;
+	exports.hotpToken = hotpToken;
+	exports.isTokenValid = isTokenValid;
+	exports.keyuri = keyuri;
+	exports.objectValues = objectValues;
+	exports.padStart = padStart;
+	exports.totpCheck = totpCheck;
+	exports.totpCheckByEpoch = totpCheckByEpoch;
+	exports.totpCheckWithWindow = totpCheckWithWindow;
+	exports.totpCounter = totpCounter;
+	exports.totpCreateHmacKey = totpCreateHmacKey;
+	exports.totpDefaultOptions = totpDefaultOptions;
+	exports.totpEpochAvailable = totpEpochAvailable;
+	exports.totpKeyuri = totpKeyuri;
+	exports.totpOptions = totpOptions;
+	exports.totpOptionsValidator = totpOptionsValidator;
+	exports.totpPadSecret = totpPadSecret;
+	exports.totpTimeRemaining = totpTimeRemaining;
+	exports.totpTimeUsed = totpTimeUsed;
+	exports.totpToken = totpToken;
+}));
+//#endregion
+//#region ../../node_modules/@otplib/preset-default/index.js
+/**
+* @otplib/preset-default
+*
+* @author Gerald Yeo <contact@fusedthought.com>
+* @version: 12.0.1
+* @license: MIT
+**/
+var require_preset_default = /* @__PURE__ */ __commonJSMin(((exports) => {
+	Object.defineProperty(exports, "__esModule", { value: true });
+	var pluginCrypto = require_plugin_crypto();
+	var pluginThirtyTwo = require_plugin_thirty_two();
+	var core = require_core();
+	var hotp = new core.HOTP({ createDigest: pluginCrypto.createDigest });
+	var totp = new core.TOTP({ createDigest: pluginCrypto.createDigest });
+	exports.authenticator = new core.Authenticator({
+		createDigest: pluginCrypto.createDigest,
+		createRandomBytes: pluginCrypto.createRandomBytes,
+		keyDecoder: pluginThirtyTwo.keyDecoder,
+		keyEncoder: pluginThirtyTwo.keyEncoder
+	});
+	exports.hotp = hotp;
+	exports.totp = totp;
+}));
+//#endregion
+//#region src/auth/totp-manager.ts
+var import_otplib = (/* @__PURE__ */ __commonJSMin(((exports) => {
+	Object.defineProperty(exports, "__esModule", { value: true });
+	var presetDefault = require_preset_default();
+	Object.keys(presetDefault).forEach(function(k) {
+		if (k !== "default") Object.defineProperty(exports, k, {
+			enumerable: true,
+			get: function() {
+				return presetDefault[k];
+			}
+		});
+	});
+})))();
+/**
+* TOTP / 2FA enrollment manager.
+*
+* Three-state lifecycle keyed by `userId` (PK of `user_totp` collection):
+*
+*   - No row              → not set up. `setup()` inserts a row with a
+*                           fresh secret and `confirmedAt = null`.
+*   - `confirmedAt = null` → setup in progress; user has the secret but
+*                            hasn't proved possession of the
+*                            authenticator yet. `verify()` returns
+*                            false even with a valid code — the row is
+*                            inert until confirmed.
+*   - `confirmedAt != null` → enrolled; `verify()` accepts codes.
+*
+* Disable removes the row entirely. The next `setup()` starts fresh —
+* we do NOT reuse the old secret on re-enroll (avoids the case where a
+* leaked secret stays valid after a "rotation").
+*
+* The shared `authenticator` from `otplib` uses RFC 6238 TOTP with the
+* default 30-second window. We bump the validation window from 1 step
+* to 1 step in either direction (±30s) — operator clock skew is the
+* usual culprit for "valid code rejected" complaints.
+*/
+var TOTP_COLLECTION = "user_totp";
+var ISSUER = "CamStack";
+function parseRow(data) {
+	const userId = data["userId"];
+	const secret = data["secret"];
+	const confirmedAt = data["confirmedAt"];
+	const createdAt = data["createdAt"];
+	if (typeof userId !== "string") throw new Error("user_totp row: missing userId");
+	if (typeof secret !== "string") throw new Error("user_totp row: missing secret");
+	if (typeof createdAt !== "number") throw new Error("user_totp row: missing createdAt");
+	return {
+		userId,
+		secret,
+		confirmedAt: typeof confirmedAt === "number" ? confirmedAt : null,
+		createdAt
+	};
+}
+var TotpManager = class {
+	constructor(store, opts = {}) {
+		this.store = store;
+		this.opts = opts;
+		import_otplib.authenticator.options = { window: opts.window ?? 1 };
+	}
+	/**
+	* Begin enrollment. Always generates a fresh secret — calling `setup`
+	* a second time on the same user replaces any pending half-enrollment
+	* (the user must rescan the QR / re-enter the secret).
+	*
+	* The user identity (`label`) is what an authenticator displays as
+	* the account name; we use the supplied `username` for human-readable
+	* recognition. `ISSUER` is the CamStack brand.
+	*/
+	async setup(userId, username) {
+		const secret = import_otplib.authenticator.generateSecret();
+		const otpauthUrl = import_otplib.authenticator.keyuri(username, ISSUER, secret);
+		const row = {
+			userId,
+			secret,
+			confirmedAt: null,
+			createdAt: Date.now()
+		};
+		await this.store.delete.mutate({
+			collection: TOTP_COLLECTION,
+			key: userId
+		});
+		await this.store.insert.mutate({
+			collection: TOTP_COLLECTION,
+			record: {
+				id: userId,
+				data: { ...row }
+			}
+		});
+		return {
+			secret,
+			otpauthUrl
+		};
+	}
+	/**
+	* Confirm enrollment by checking a code from the authenticator
+	* against the pending secret. On success, flips `confirmedAt` so
+	* `verify()` starts accepting codes. Idempotent on already-confirmed
+	* rows: re-confirming a valid code just succeeds with no state
+	* change.
+	*/
+	async confirm(userId, code) {
+		const row = await this.find(userId);
+		if (!row) return false;
+		if (!import_otplib.authenticator.check(code, row.secret)) return false;
+		if (row.confirmedAt === null) {
+			const next = {
+				...row,
+				confirmedAt: Date.now()
+			};
+			await this.store.update.mutate({
+				collection: TOTP_COLLECTION,
+				id: userId,
+				data: { ...next }
+			});
+		}
+		return true;
+	}
+	/**
+	* Remove enrollment. Idempotent — no error if the user had no row.
+	*/
+	async disable(userId) {
+		await this.store.delete.mutate({
+			collection: TOTP_COLLECTION,
+			key: userId
+		});
+	}
+	/**
+	* Verify a code against the confirmed secret. Returns `false` when:
+	*   - The user has no row (not set up).
+	*   - The row is pending (`confirmedAt === null`).
+	*   - The code doesn't match within the configured window.
+	*/
+	async verify(userId, code) {
+		const row = await this.find(userId);
+		if (!row) return false;
+		if (row.confirmedAt === null) return false;
+		return import_otplib.authenticator.check(code, row.secret);
+	}
+	/**
+	* Read the user's enrollment status. Pending half-enrollments are
+	* reported as `enabled: false` — only a confirmed row counts.
+	*/
+	async getStatus(userId) {
+		const row = await this.find(userId);
+		if (!row) return {
+			enabled: false,
+			confirmedAt: null
+		};
+		return {
+			enabled: row.confirmedAt !== null,
+			confirmedAt: row.confirmedAt
+		};
+	}
+	async find(userId) {
+		const results = await this.store.query.query({
+			collection: TOTP_COLLECTION,
+			filter: { where: { userId } }
+		});
+		if (results.length === 0) return null;
+		return parseRow(results[0].data);
+	}
+};
+//#endregion
 //#region src/builtins/local-auth/auth-schema.ts
 var USERS_COLLECTION = "users";
 var API_KEYS_COLLECTION = "api_keys";
 var SCOPED_TOKENS_COLLECTION = "scoped_tokens";
+/**
+* TOTP enrollment table — split off from `users` to avoid the
+* destructive drop-+-recreate migration `ensureTable` performs when a
+* new column is added to a typed schema (see `sqlite-settings-backend.ts`).
+*
+* Lifecycle:
+*   - Setup: row inserted with `confirmedAt = null` and a fresh secret.
+*   - Confirm: a valid code from the secret flips `confirmedAt` to now().
+*   - Disable: the row is deleted (next setup starts fresh).
+*
+* "Enabled" means `confirmedAt != null`. A half-enrolled row (`confirmedAt
+* = null`) is INACTIVE — `verifyTotp` returns false until confirmation.
+*/
+var USER_TOTP_COLLECTION = "user_totp";
 var USERS_COLUMNS = [
 	{
 		name: "id",
@@ -6581,8 +7515,8 @@ var USERS_COLUMNS = [
 		notNull: true
 	},
 	{
-		name: "role",
-		type: "TEXT",
+		name: "isAdmin",
+		type: "BOOLEAN",
 		notNull: true
 	},
 	{
@@ -6593,6 +7527,10 @@ var USERS_COLUMNS = [
 		name: "allowedDevices",
 		type: "JSON"
 	},
+	{
+		name: "scopes",
+		type: "JSON"
+	},
 	{
 		name: "createdAt",
 		type: "INTEGER",
@@ -6617,8 +7555,8 @@ var API_KEYS_COLUMNS = [
 		notNull: true
 	},
 	{
-		name: "role",
-		type: "TEXT",
+		name: "isAdmin",
+		type: "BOOLEAN",
 		notNull: true
 	},
 	{
@@ -6650,6 +7588,28 @@ var API_KEYS_COLUMNS = [
 		type: "INTEGER"
 	}
 ];
+var USER_TOTP_COLUMNS = [
+	{
+		name: "userId",
+		type: "TEXT",
+		primaryKey: true,
+		notNull: true
+	},
+	{
+		name: "secret",
+		type: "TEXT",
+		notNull: true
+	},
+	{
+		name: "confirmedAt",
+		type: "INTEGER"
+	},
+	{
+		name: "createdAt",
+		type: "INTEGER",
+		notNull: true
+	}
+];
 var SCOPED_TOKENS_COLUMNS = [
 	{
 		name: "id",
@@ -6723,6 +7683,10 @@ async function declareAuthSchema(store) {
 			columns: ["userId"]
 		}]
 	});
+	await store.declareCollection.mutate({
+		collection: USER_TOTP_COLLECTION,
+		columns: USER_TOTP_COLUMNS
+	});
 }
 //#endregion
 //#region src/builtins/local-auth/local-auth.addon.ts
@@ -6731,7 +7695,7 @@ function toAuthResult(user) {
 		userId: user.id,
 		username: user.username,
 		displayName: user.username,
-		roles: [user.role]
+		isAdmin: user.isAdmin
 	};
 }
 var LocalAuthAddon = class extends BaseAddon {
@@ -6739,6 +7703,7 @@ var LocalAuthAddon = class extends BaseAddon {
 	userManager = null;
 	apiKeyManager = null;
 	scopedTokenManager = null;
+	totpManager = null;
 	constructor() {
 		super({
 			jwtSecret: "",
@@ -6771,12 +7736,8 @@ var LocalAuthAddon = class extends BaseAddon {
 			this.userManager = new UserManager(storageAccess, this.authManager, reader);
 			this.apiKeyManager = new ApiKeyManager(storageAccess, this.authManager);
 			this.scopedTokenManager = new ScopedTokenManager(store);
+			this.totpManager = new TotpManager(store);
 			try {
-				try {
-					await this.migrateLegacyUserRecords(store);
-				} catch (err) {
-					this.ctx.logger.warn("caps-only migration pass failed; legacy super_admin rows may still exist", { meta: { error: err instanceof Error ? err.message : String(err) } });
-				}
 				await this.userManager.ensureAdminExists();
 				const liveUsers = await this.userManager.listAll();
 				const liveIds = new Set(liveUsers.map((u) => u.id));
@@ -6891,6 +7852,33 @@ var LocalAuthAddon = class extends BaseAddon {
 			listScopedTokens: async (input) => {
 				if (!this.scopedTokenManager) return [];
 				return this.scopedTokenManager.listForUser(input.userId);
+			},
+			setupTotp: async (input) => {
+				if (!this.totpManager || !this.userManager) throw new Error("TOTP management not available");
+				const user = await this.userManager.findById(input.userId);
+				if (!user) throw new Error(`User not found: ${input.userId}`);
+				return this.totpManager.setup(user.id, user.username);
+			},
+			confirmTotp: async (input) => {
+				if (!this.totpManager) throw new Error("TOTP management not available");
+				if (!await this.totpManager.confirm(input.userId, input.code)) throw new Error("TOTP confirmation failed — code did not match");
+				return { success: true };
+			},
+			disableTotp: async (input) => {
+				if (!this.totpManager) throw new Error("TOTP management not available");
+				await this.totpManager.disable(input.userId);
+				return { success: true };
+			},
+			getTotpStatus: async (input) => {
+				if (!this.totpManager) return {
+					enabled: false,
+					confirmedAt: null
+				};
+				return this.totpManager.getStatus(input.userId);
+			},
+			verifyTotp: async (input) => {
+				if (!this.totpManager) return { valid: false };
+				return { valid: await this.totpManager.verify(input.userId, input.code) };
 			}
 		};
 		this.ctx.logger.info("registered auth-provider + user-management capabilities");
@@ -6908,32 +7896,6 @@ var LocalAuthAddon = class extends BaseAddon {
 		this.apiKeyManager = null;
 		this.scopedTokenManager = null;
 	}
-	/**
-	* Caps-only auth migration — rewrites legacy `super_admin` rows to
-	* `admin` and backfills the missing `scopes` field with `[]`. Idempotent;
-	* a re-run sees no rows needing changes.
-	*/
-	async migrateLegacyUserRecords(store) {
-		const results = await store.query.query({ collection: "users" });
-		let migrated = 0;
-		for (const row of results) {
-			const data = row.data;
-			const needsRoleRewrite = (typeof data["role"] === "string" ? data["role"] : null) === "super_admin";
-			const needsScopesBackfill = !("scopes" in data);
-			if (!needsRoleRewrite && !needsScopesBackfill) continue;
-			const next = { ...data };
-			if (needsRoleRewrite) next["role"] = "admin";
-			if (needsScopesBackfill) next["scopes"] = [];
-			next["updatedAt"] = Date.now();
-			await store.update.mutate({
-				collection: "users",
-				id: row.id,
-				data: next
-			});
-			migrated++;
-		}
-		if (migrated > 0) this.ctx.logger.info("caps-only auth migration: rewrote legacy user records", { meta: { count: migrated } });
-	}
 };
 //#endregion
 export { LocalAuthAddon, LocalAuthAddon as default, AuthManager as i, ApiKeyManager as n, UserManager as r, ScopedTokenManager as t };