@cellarnode/auth 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 CellarNode
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,52 @@
+# @cellarnode/auth
+
+Shared OTP-based authentication for CellarNode dashboards — token store, API client, React UI components.
+
+## Install
+
+```bash
+npm install @cellarnode/auth
+```
+
+## Usage
+
+### Core (framework-agnostic)
+
+```ts
+import { createAuthStore, createAuthClient, createAuthApi } from "@cellarnode/auth";
+
+const authStore = createAuthStore({
+  baseUrl: "http://localhost:4000",
+});
+
+const authClient = createAuthClient({
+  baseUrl: "http://localhost:4000",
+  store: authStore,
+  onAuthFailure: () => window.location.assign("/login"),
+});
+
+const authApi = createAuthApi({ client: authClient, store: authStore });
+```
+
+### React Components
+
+```tsx
+import { LoginForm, RegisterForm, UnauthorizedPage } from "@cellarnode/auth/react";
+```
+
+### Tailwind CSS Content Scan
+
+Add this to your CSS file so Tailwind picks up utility classes from the package:
+
+```css
+@source "../node_modules/@cellarnode/auth/dist/**/*.js";
+```
+
+## Exports
+
+- `@cellarnode/auth` — Core: `createAuthStore`, `createAuthClient`, `createAuthApi`, `validateUserType`, types
+- `@cellarnode/auth/react` — React: `LoginForm`, `RegisterForm`, `UnauthorizedPage`, `SquircleShift`
+
+## License
+
+MIT

package/dist/auth-api.d.ts

@@ -0,0 +1,6 @@
+import type { AuthApi, AuthClient, AuthStore } from "./types.js";
+export declare function createAuthApi(config: {
+    client: AuthClient;
+    store: AuthStore;
+}): AuthApi;
+//# sourceMappingURL=auth-api.d.ts.map

package/dist/auth-api.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-api.d.ts","sourceRoot":"","sources":["../src/auth-api.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EACV,OAAO,EACP,UAAU,EACV,SAAS,EAKV,MAAM,YAAY,CAAC;AAGpB,wBAAgB,aAAa,CAAC,MAAM,EAAE;IACpC,MAAM,EAAE,UAAU,CAAC;IACnB,KAAK,EAAE,SAAS,CAAC;CAClB,GAAG,OAAO,CAiEV"}

package/dist/auth-api.js

@@ -0,0 +1,53 @@
+import { AuthError } from "./types.js";
+import { extractAccessToken } from "./extract-token.js";
+export function createAuthApi(config) {
+    const { client, store } = config;
+    return {
+        async register(input) {
+            return client.fetch("/auth/register", {
+                method: "POST",
+                skipAuth: true,
+                body: JSON.stringify(input),
+            });
+        },
+        async requestOtp(email) {
+            return client.fetch("/auth/request-otp", {
+                method: "POST",
+                skipAuth: true,
+                body: JSON.stringify({ email }),
+            });
+        },
+        async verifyOtp(email, code) {
+            const raw = await client.fetch("/auth/verify-otp", {
+                method: "POST",
+                skipAuth: true,
+                body: JSON.stringify({ email, code }),
+            });
+            const token = extractAccessToken(raw);
+            if (!token) {
+                throw new AuthError(500, "TOKEN_EXTRACTION_FAILED", "No access token found in verify-otp response");
+            }
+            const expiresIn = typeof raw.expiresIn === "number" ? raw.expiresIn : 900;
+            store.setAccessToken(token, expiresIn);
+            return {
+                accessToken: token,
+                expiresIn,
+                user: raw.user,
+            };
+        },
+        async logout() {
+            await client.fetch("/auth/logout", { method: "POST" });
+        },
+        async getMe(token) {
+            if (token) {
+                return client.fetch("/auth/me", {
+                    method: "GET",
+                    skipAuth: true,
+                    headers: { Authorization: `Bearer ${token}` },
+                });
+            }
+            return client.fetch("/auth/me", { method: "GET" });
+        },
+    };
+}
+//# sourceMappingURL=auth-api.js.map

package/dist/auth-api.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-api.js","sourceRoot":"","sources":["../src/auth-api.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAUvC,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAExD,MAAM,UAAU,aAAa,CAAC,MAG7B;IACC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,CAAC;IAEjC,OAAO;QACL,KAAK,CAAC,QAAQ,CAAC,KAAoB;YACjC,OAAO,MAAM,CAAC,KAAK,CACjB,gBAAgB,EAChB;gBACE,MAAM,EAAE,MAAM;gBACd,QAAQ,EAAE,IAAI;gBACd,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC;aAC5B,CACF,CAAC;QACJ,CAAC;QAED,KAAK,CAAC,UAAU,CAAC,KAAa;YAC5B,OAAO,MAAM,CAAC,KAAK,CAAqB,mBAAmB,EAAE;gBAC3D,MAAM,EAAE,MAAM;gBACd,QAAQ,EAAE,IAAI;gBACd,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,CAAC;aAChC,CAAC,CAAC;QACL,CAAC;QAED,KAAK,CAAC,SAAS,CAAC,KAAa,EAAE,IAAY;YACzC,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,KAAK,CAC5B,kBAAkB,EAClB;gBACE,MAAM,EAAE,MAAM;gBACd,QAAQ,EAAE,IAAI;gBACd,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;aACtC,CACF,CAAC;YAEF,MAAM,KAAK,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAC;YACtC,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,MAAM,IAAI,SAAS,CAAC,GAAG,EAAE,yBAAyB,EAAE,8CAA8C,CAAC,CAAC;YACtG,CAAC;YAED,MAAM,SAAS,GACb,OAAO,GAAG,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC;YAE1D,KAAK,CAAC,cAAc,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC;YAEvC,OAAO;gBACL,WAAW,EAAE,KAAK;gBAClB,SAAS;gBACT,IAAI,EAAE,GAAG,CAAC,IAAgB;aAC3B,CAAC;QACJ,CAAC;QAED,KAAK,CAAC,MAAM;YACV,MAAM,MAAM,CAAC,KAAK,CAAO,cAAc,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;QAC/D,CAAC;QAED,KAAK,CAAC,KAAK,CAAC,KAAc;YACxB,IAAI,KAAK,EAAE,CAAC;gBACV,OAAO,MAAM,CAAC,KAAK,CAAW,UAAU,EAAE;oBACxC,MAAM,EAAE,KAAK;oBACb,QAAQ,EAAE,IAAI;oBACd,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,KAAK,EAAE,EAAE;iBAC9C,CAAC,CAAC;YACL,CAAC;YACD,OAAO,MAAM,CAAC,KAAK,CAAW,UAAU,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QAC/D,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/auth-client.d.ts

@@ -0,0 +1,3 @@
+import type { AuthClientConfig, AuthClient } from "./types.js";
+export declare function createAuthClient(config: AuthClientConfig): AuthClient;
+//# sourceMappingURL=auth-client.d.ts.map

package/dist/auth-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-client.d.ts","sourceRoot":"","sources":["../src/auth-client.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,gBAAgB,EAAE,UAAU,EAAqB,MAAM,YAAY,CAAC;AAElF,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,gBAAgB,GAAG,UAAU,CAmFrE"}

package/dist/auth-client.js

@@ -0,0 +1,65 @@
+import { AuthError } from "./types.js";
+export function createAuthClient(config) {
+    const { baseUrl, store, onAuthFailure } = config;
+    async function parseErrorResponse(res) {
+        try {
+            const body = (await res.json());
+            return {
+                error: typeof body.error === "string" ? body.error : `HTTP ${res.status}`,
+                code: typeof body.code === "string" ? body.code : "UNKNOWN",
+                remainingAttempts: typeof body.remainingAttempts === "number"
+                    ? body.remainingAttempts
+                    : undefined,
+            };
+        }
+        catch {
+            return { error: `HTTP ${res.status}`, code: "UNKNOWN" };
+        }
+    }
+    const client = {
+        async fetch(path, options) {
+            const { skipAuth, ...init } = options ?? {};
+            const headers = new Headers(init.headers);
+            if (!skipAuth) {
+                const token = store.getAccessToken();
+                if (token) {
+                    headers.set("Authorization", `Bearer ${token}`);
+                }
+            }
+            if (!headers.has("Content-Type") && init.body) {
+                headers.set("Content-Type", "application/json");
+            }
+            const url = `${baseUrl}${path}`;
+            const res = await fetch(url, {
+                ...init,
+                headers,
+                credentials: "include",
+            });
+            if (res.ok) {
+                return (await res.json());
+            }
+            // 401: attempt one refresh + retry (only for authenticated requests)
+            if (res.status === 401 && !skipAuth) {
+                const newToken = await store.ensureAccessToken(true);
+                if (newToken) {
+                    headers.set("Authorization", `Bearer ${newToken}`);
+                    const retryRes = await fetch(url, {
+                        ...init,
+                        headers,
+                        credentials: "include",
+                    });
+                    if (retryRes.ok) {
+                        return (await retryRes.json());
+                    }
+                }
+                // Refresh failed or retry failed
+                store.clearAccessToken();
+                onAuthFailure?.();
+            }
+            const errBody = await parseErrorResponse(res);
+            throw new AuthError(res.status, errBody.code, errBody.error, errBody.remainingAttempts);
+        },
+    };
+    return client;
+}
+//# sourceMappingURL=auth-client.js.map

package/dist/auth-client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-client.js","sourceRoot":"","sources":["../src/auth-client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAGvC,MAAM,UAAU,gBAAgB,CAAC,MAAwB;IACvD,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,aAAa,EAAE,GAAG,MAAM,CAAC;IAEjD,KAAK,UAAU,kBAAkB,CAC/B,GAAa;QAEb,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAA4B,CAAC;YAC3D,OAAO;gBACL,KAAK,EACH,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,QAAQ,GAAG,CAAC,MAAM,EAAE;gBACpE,IAAI,EAAE,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;gBAC3D,iBAAiB,EACf,OAAO,IAAI,CAAC,iBAAiB,KAAK,QAAQ;oBACxC,CAAC,CAAC,IAAI,CAAC,iBAAiB;oBACxB,CAAC,CAAC,SAAS;aAChB,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,KAAK,EAAE,QAAQ,GAAG,CAAC,MAAM,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;QAC1D,CAAC;IACH,CAAC;IAED,MAAM,MAAM,GAAe;QACzB,KAAK,CAAC,KAAK,CACT,IAAY,EACZ,OAA8C;YAE9C,MAAM,EAAE,QAAQ,EAAE,GAAG,IAAI,EAAE,GAAG,OAAO,IAAI,EAAE,CAAC;YAC5C,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAE1C,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,MAAM,KAAK,GAAG,KAAK,CAAC,cAAc,EAAE,CAAC;gBACrC,IAAI,KAAK,EAAE,CAAC;oBACV,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,UAAU,KAAK,EAAE,CAAC,CAAC;gBAClD,CAAC;YACH,CAAC;YAED,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;gBAC9C,OAAO,CAAC,GAAG,CAAC,cAAc,EAAE,kBAAkB,CAAC,CAAC;YAClD,CAAC;YAED,MAAM,GAAG,GAAG,GAAG,OAAO,GAAG,IAAI,EAAE,CAAC;YAEhC,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;gBAC3B,GAAG,IAAI;gBACP,OAAO;gBACP,WAAW,EAAE,SAAS;aACvB,CAAC,CAAC;YAEH,IAAI,GAAG,CAAC,EAAE,EAAE,CAAC;gBACX,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAM,CAAC;YACjC,CAAC;YAED,qEAAqE;YACrE,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACpC,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC;gBACrD,IAAI,QAAQ,EAAE,CAAC;oBACb,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,UAAU,QAAQ,EAAE,CAAC,CAAC;oBACnD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;wBAChC,GAAG,IAAI;wBACP,OAAO;wBACP,WAAW,EAAE,SAAS;qBACvB,CAAC,CAAC;oBACH,IAAI,QAAQ,CAAC,EAAE,EAAE,CAAC;wBAChB,OAAO,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAM,CAAC;oBACtC,CAAC;gBACH,CAAC;gBACD,iCAAiC;gBACjC,KAAK,CAAC,gBAAgB,EAAE,CAAC;gBACzB,aAAa,EAAE,EAAE,CAAC;YACpB,CAAC;YAED,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,GAAG,CAAC,CAAC;YAC9C,MAAM,IAAI,SAAS,CACjB,GAAG,CAAC,MAAM,EACV,OAAO,CAAC,IAAI,EACZ,OAAO,CAAC,KAAK,EACb,OAAO,CAAC,iBAAiB,CAC1B,CAAC;QACJ,CAAC;KACF,CAAC;IAEF,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/auth-guard.d.ts

@@ -0,0 +1,3 @@
+import type { AuthUser, UserType } from "./types.js";
+export declare function validateUserType(user: AuthUser, expected: UserType): boolean;
+//# sourceMappingURL=auth-guard.d.ts.map

package/dist/auth-guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-guard.d.ts","sourceRoot":"","sources":["../src/auth-guard.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AAErD,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,GAAG,OAAO,CAE5E"}

package/dist/auth-guard.js

@@ -0,0 +1,4 @@
+export function validateUserType(user, expected) {
+    return user.userType === expected;
+}
+//# sourceMappingURL=auth-guard.js.map

package/dist/auth-guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-guard.js","sourceRoot":"","sources":["../src/auth-guard.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,gBAAgB,CAAC,IAAc,EAAE,QAAkB;IACjE,OAAO,IAAI,CAAC,QAAQ,KAAK,QAAQ,CAAC;AACpC,CAAC"}

package/dist/auth-store.d.ts

@@ -0,0 +1,3 @@
+import type { AuthStoreConfig, AuthStore } from "./types.js";
+export declare function createAuthStore(config: AuthStoreConfig): AuthStore;
+//# sourceMappingURL=auth-store.d.ts.map

package/dist/auth-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-store.d.ts","sourceRoot":"","sources":["../src/auth-store.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAG7D,wBAAgB,eAAe,CAAC,MAAM,EAAE,eAAe,GAAG,SAAS,CA0ElE"}

package/dist/auth-store.js

@@ -0,0 +1,71 @@
+import { extractAccessToken } from "./extract-token.js";
+export function createAuthStore(config) {
+    const { baseUrl, refreshPath = "/auth/refresh", refreshBuffer = 60 } = config;
+    let accessToken = null;
+    let refreshTimer = null;
+    let refreshPromise = null;
+    function scheduleRefresh(expiresInSeconds) {
+        if (refreshTimer)
+            clearTimeout(refreshTimer);
+        const delay = Math.max((expiresInSeconds - refreshBuffer) * 1000, 0);
+        refreshTimer = setTimeout(() => {
+            performRefresh();
+        }, delay);
+    }
+    async function performRefresh() {
+        try {
+            const res = await fetch(`${baseUrl}${refreshPath}`, {
+                method: "POST",
+                credentials: "include",
+                headers: { "Content-Type": "application/json" },
+            });
+            if (!res.ok) {
+                accessToken = null;
+                return null;
+            }
+            const json = (await res.json());
+            const token = extractAccessToken(json);
+            if (token) {
+                const expiresIn = typeof json.expiresIn === "number" ? json.expiresIn : 900;
+                accessToken = token;
+                scheduleRefresh(expiresIn);
+            }
+            return token;
+        }
+        catch {
+            accessToken = null;
+            return null;
+        }
+    }
+    const store = {
+        getAccessToken() {
+            return accessToken;
+        },
+        hasAccessToken() {
+            return accessToken !== null;
+        },
+        setAccessToken(token, expiresIn) {
+            accessToken = token;
+            scheduleRefresh(expiresIn);
+        },
+        clearAccessToken() {
+            accessToken = null;
+            if (refreshTimer) {
+                clearTimeout(refreshTimer);
+                refreshTimer = null;
+            }
+        },
+        async ensureAccessToken(forceRefresh = false) {
+            if (!forceRefresh && accessToken)
+                return accessToken;
+            if (refreshPromise)
+                return refreshPromise;
+            refreshPromise = performRefresh().finally(() => {
+                refreshPromise = null;
+            });
+            return refreshPromise;
+        },
+    };
+    return store;
+}
+//# sourceMappingURL=auth-store.js.map

package/dist/auth-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-store.js","sourceRoot":"","sources":["../src/auth-store.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAExD,MAAM,UAAU,eAAe,CAAC,MAAuB;IACrD,MAAM,EAAE,OAAO,EAAE,WAAW,GAAG,eAAe,EAAE,aAAa,GAAG,EAAE,EAAE,GAAG,MAAM,CAAC;IAE9E,IAAI,WAAW,GAAkB,IAAI,CAAC;IACtC,IAAI,YAAY,GAAyC,IAAI,CAAC;IAC9D,IAAI,cAAc,GAAkC,IAAI,CAAC;IAEzD,SAAS,eAAe,CAAC,gBAAwB;QAC/C,IAAI,YAAY;YAAE,YAAY,CAAC,YAAY,CAAC,CAAC;QAC7C,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,gBAAgB,GAAG,aAAa,CAAC,GAAG,IAAI,EAAE,CAAC,CAAC,CAAC;QACrE,YAAY,GAAG,UAAU,CAAC,GAAG,EAAE;YAC7B,cAAc,EAAE,CAAC;QACnB,CAAC,EAAE,KAAK,CAAC,CAAC;IACZ,CAAC;IAED,KAAK,UAAU,cAAc;QAC3B,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,GAAG,WAAW,EAAE,EAAE;gBAClD,MAAM,EAAE,MAAM;gBACd,WAAW,EAAE,SAAS;gBACtB,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;aAChD,CAAC,CAAC;YACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,WAAW,GAAG,IAAI,CAAC;gBACnB,OAAO,IAAI,CAAC;YACd,CAAC;YACD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAA4B,CAAC;YAC3D,MAAM,KAAK,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC;YACvC,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,SAAS,GACb,OAAO,IAAI,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC;gBAC5D,WAAW,GAAG,KAAK,CAAC;gBACpB,eAAe,CAAC,SAAS,CAAC,CAAC;YAC7B,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;QAAC,MAAM,CAAC;YACP,WAAW,GAAG,IAAI,CAAC;YACnB,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,MAAM,KAAK,GAAc;QACvB,cAAc;YACZ,OAAO,WAAW,CAAC;QACrB,CAAC;QAED,cAAc;YACZ,OAAO,WAAW,KAAK,IAAI,CAAC;QAC9B,CAAC;QAED,cAAc,CAAC,KAAa,EAAE,SAAiB;YAC7C,WAAW,GAAG,KAAK,CAAC;YACpB,eAAe,CAAC,SAAS,CAAC,CAAC;QAC7B,CAAC;QAED,gBAAgB;YACd,WAAW,GAAG,IAAI,CAAC;YACnB,IAAI,YAAY,EAAE,CAAC;gBACjB,YAAY,CAAC,YAAY,CAAC,CAAC;gBAC3B,YAAY,GAAG,IAAI,CAAC;YACtB,CAAC;QACH,CAAC;QAED,KAAK,CAAC,iBAAiB,CAAC,YAAY,GAAG,KAAK;YAC1C,IAAI,CAAC,YAAY,IAAI,WAAW;gBAAE,OAAO,WAAW,CAAC;YACrD,IAAI,cAAc;gBAAE,OAAO,cAAc,CAAC;YAC1C,cAAc,GAAG,cAAc,EAAE,CAAC,OAAO,CAAC,GAAG,EAAE;gBAC7C,cAAc,GAAG,IAAI,CAAC;YACxB,CAAC,CAAC,CAAC;YACH,OAAO,cAAc,CAAC;QACxB,CAAC;KACF,CAAC;IAEF,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/extract-token.d.ts

@@ -0,0 +1,2 @@
+export declare function extractAccessToken(payload: Record<string, unknown>): string | null;
+//# sourceMappingURL=extract-token.d.ts.map

package/dist/extract-token.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"extract-token.d.ts","sourceRoot":"","sources":["../src/extract-token.ts"],"names":[],"mappings":"AAAA,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,GAAG,IAAI,CAoBlF"}

package/dist/extract-token.js

@@ -0,0 +1,26 @@
+export function extractAccessToken(payload) {
+    if (typeof payload.accessToken === "string")
+        return payload.accessToken;
+    if (typeof payload.access_token === "string")
+        return payload.access_token;
+    if (typeof payload.token === "string")
+        return payload.token;
+    const data = payload.data;
+    if (data && typeof data === "object") {
+        const d = data;
+        if (typeof d.accessToken === "string")
+            return d.accessToken;
+        if (typeof d.access_token === "string")
+            return d.access_token;
+    }
+    const session = payload.session;
+    if (session && typeof session === "object") {
+        const s = session;
+        if (typeof s.accessToken === "string")
+            return s.accessToken;
+        if (typeof s.access_token === "string")
+            return s.access_token;
+    }
+    return null;
+}
+//# sourceMappingURL=extract-token.js.map

package/dist/extract-token.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"extract-token.js","sourceRoot":"","sources":["../src/extract-token.ts"],"names":[],"mappings":"AAAA,MAAM,UAAU,kBAAkB,CAAC,OAAgC;IACjE,IAAI,OAAO,OAAO,CAAC,WAAW,KAAK,QAAQ;QAAE,OAAO,OAAO,CAAC,WAAW,CAAC;IACxE,IAAI,OAAO,OAAO,CAAC,YAAY,KAAK,QAAQ;QAAE,OAAO,OAAO,CAAC,YAAY,CAAC;IAC1E,IAAI,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ;QAAE,OAAO,OAAO,CAAC,KAAK,CAAC;IAE5D,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;IAC1B,IAAI,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;QACrC,MAAM,CAAC,GAAG,IAA+B,CAAC;QAC1C,IAAI,OAAO,CAAC,CAAC,WAAW,KAAK,QAAQ;YAAE,OAAO,CAAC,CAAC,WAAW,CAAC;QAC5D,IAAI,OAAO,CAAC,CAAC,YAAY,KAAK,QAAQ;YAAE,OAAO,CAAC,CAAC,YAAY,CAAC;IAChE,CAAC;IAED,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;IAChC,IAAI,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;QAC3C,MAAM,CAAC,GAAG,OAAkC,CAAC;QAC7C,IAAI,OAAO,CAAC,CAAC,WAAW,KAAK,QAAQ;YAAE,OAAO,CAAC,CAAC,WAAW,CAAC;QAC5D,IAAI,OAAO,CAAC,CAAC,YAAY,KAAK,QAAQ;YAAE,OAAO,CAAC,CAAC,YAAY,CAAC;IAChE,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,7 @@
+export { createAuthStore } from "./auth-store.js";
+export { createAuthClient } from "./auth-client.js";
+export { createAuthApi } from "./auth-api.js";
+export { validateUserType } from "./auth-guard.js";
+export { extractAccessToken } from "./extract-token.js";
+export { AuthError, type AuthUser, type AuthStore, type AuthStoreConfig, type AuthClient, type AuthClientConfig, type AuthApi, type RegisterInput, type RequestOtpResponse, type VerifyOtpResponse, type AuthErrorResponse, type UserType, } from "./types.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAC9C,OAAO,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACnD,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAExD,OAAO,EACL,SAAS,EACT,KAAK,QAAQ,EACb,KAAK,SAAS,EACd,KAAK,eAAe,EACpB,KAAK,UAAU,EACf,KAAK,gBAAgB,EACrB,KAAK,OAAO,EACZ,KAAK,aAAa,EAClB,KAAK,kBAAkB,EACvB,KAAK,iBAAiB,EACtB,KAAK,iBAAiB,EACtB,KAAK,QAAQ,GACd,MAAM,YAAY,CAAC"}

package/dist/index.js

@@ -0,0 +1,7 @@
+export { createAuthStore } from "./auth-store.js";
+export { createAuthClient } from "./auth-client.js";
+export { createAuthApi } from "./auth-api.js";
+export { validateUserType } from "./auth-guard.js";
+export { extractAccessToken } from "./extract-token.js";
+export { AuthError, } from "./types.js";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAC9C,OAAO,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACnD,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAExD,OAAO,EACL,SAAS,GAYV,MAAM,YAAY,CAAC"}

package/dist/react/index.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/react/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/react/index.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,CAAC"}

package/dist/react/index.js

@@ -0,0 +1,4 @@
+// React components will be added in a future task.
+// This barrel export satisfies the package.json exports map.
+export {};
+//# sourceMappingURL=index.js.map

package/dist/react/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/react/index.ts"],"names":[],"mappings":"AAAA,mDAAmD;AACnD,6DAA6D;AAC7D,OAAO,EAAE,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,69 @@
+export interface AuthUser {
+    id: string;
+    email: string;
+    name: string;
+    phone?: string;
+    userType: "importer" | "producer" | "admin";
+    orgId: string | null;
+    roles: string[];
+    createdAt: string;
+}
+export interface RegisterInput {
+    name: string;
+    email: string;
+    phone?: string;
+    userType: "importer" | "producer";
+}
+export interface RequestOtpResponse {
+    expiresAt: string;
+}
+export interface VerifyOtpResponse {
+    accessToken: string;
+    expiresIn: number;
+    user: AuthUser;
+}
+export interface AuthErrorResponse {
+    error: string;
+    code: string;
+    remainingAttempts?: number;
+}
+export declare class AuthError extends Error {
+    readonly status: number;
+    readonly code: string;
+    readonly remainingAttempts?: number | undefined;
+    constructor(status: number, code: string, message: string, remainingAttempts?: number | undefined);
+}
+export interface AuthStoreConfig {
+    baseUrl: string;
+    refreshPath?: string;
+    refreshBuffer?: number;
+}
+export interface AuthStore {
+    getAccessToken(): string | null;
+    hasAccessToken(): boolean;
+    setAccessToken(token: string, expiresIn: number): void;
+    clearAccessToken(): void;
+    ensureAccessToken(forceRefresh?: boolean): Promise<string | null>;
+}
+export interface AuthClientConfig {
+    baseUrl: string;
+    store: AuthStore;
+    onAuthFailure?: () => void;
+}
+export interface AuthClient {
+    fetch<T>(path: string, options?: RequestInit & {
+        skipAuth?: boolean;
+    }): Promise<T>;
+}
+export interface AuthApi {
+    register(input: RegisterInput): Promise<{
+        userId: string;
+        message?: string;
+    }>;
+    requestOtp(email: string): Promise<RequestOtpResponse>;
+    verifyOtp(email: string, code: string): Promise<VerifyOtpResponse>;
+    logout(): Promise<void>;
+    getMe(token?: string): Promise<AuthUser>;
+}
+export type UserType = "importer" | "producer" | "admin";
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,UAAU,GAAG,UAAU,GAAG,OAAO,CAAC;IAC5C,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,UAAU,GAAG,UAAU,CAAC;CACnC;AAED,MAAM,WAAW,kBAAkB;IACjC,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,iBAAiB;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,QAAQ,CAAC;CAChB;AAED,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED,qBAAa,SAAU,SAAQ,KAAK;aAEhB,MAAM,EAAE,MAAM;aACd,IAAI,EAAE,MAAM;aAEZ,iBAAiB,CAAC,EAAE,MAAM;gBAH1B,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,EAC5B,OAAO,EAAE,MAAM,EACC,iBAAiB,CAAC,EAAE,MAAM,YAAA;CAK7C;AAED,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,SAAS;IACxB,cAAc,IAAI,MAAM,GAAG,IAAI,CAAC;IAChC,cAAc,IAAI,OAAO,CAAC;IAC1B,cAAc,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACvD,gBAAgB,IAAI,IAAI,CAAC;IACzB,iBAAiB,CAAC,YAAY,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;CACnE;AAED,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,SAAS,CAAC;IACjB,aAAa,CAAC,EAAE,MAAM,IAAI,CAAC;CAC5B;AAED,MAAM,WAAW,UAAU;IACzB,KAAK,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,WAAW,GAAG;QAAE,QAAQ,CAAC,EAAE,OAAO,CAAA;KAAE,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;CACpF;AAED,MAAM,WAAW,OAAO;IACtB,QAAQ,CAAC,KAAK,EAAE,aAAa,GAAG,OAAO,CAAC;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC9E,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAAC;IACvD,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;IACnE,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IACxB,KAAK,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;CAC1C;AAED,MAAM,MAAM,QAAQ,GAAG,UAAU,GAAG,UAAU,GAAG,OAAO,CAAC"}

package/dist/types.js

@@ -0,0 +1,13 @@
+export class AuthError extends Error {
+    status;
+    code;
+    remainingAttempts;
+    constructor(status, code, message, remainingAttempts) {
+        super(message);
+        this.status = status;
+        this.code = code;
+        this.remainingAttempts = remainingAttempts;
+        this.name = "AuthError";
+    }
+}
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAkCA,MAAM,OAAO,SAAU,SAAQ,KAAK;IAEhB;IACA;IAEA;IAJlB,YACkB,MAAc,EACd,IAAY,EAC5B,OAAe,EACC,iBAA0B;QAE1C,KAAK,CAAC,OAAO,CAAC,CAAC;QALC,WAAM,GAAN,MAAM,CAAQ;QACd,SAAI,GAAJ,IAAI,CAAQ;QAEZ,sBAAiB,GAAjB,iBAAiB,CAAS;QAG1C,IAAI,CAAC,IAAI,GAAG,WAAW,CAAC;IAC1B,CAAC;CACF"}

package/package.json

@@ -0,0 +1,72 @@
+{
+  "name": "@cellarnode/auth",
+  "version": "0.1.0",
+  "description": "Shared OTP-based authentication — token store, API client, React UI components for CellarNode dashboards.",
+  "license": "MIT",
+  "type": "module",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/CellarNode/cellarnode-auth.git"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "default": "./dist/index.js"
+    },
+    "./react": {
+      "types": "./dist/react/index.d.ts",
+      "default": "./dist/react/index.js"
+    }
+  },
+  "types": "./dist/index.d.ts",
+  "sideEffects": false,
+  "files": ["dist"],
+  "keywords": ["cellarnode", "auth", "otp", "jwt", "react"],
+  "scripts": {
+    "build": "tsc",
+    "prepublishOnly": "npm run build",
+    "check-exports": "npx publint && npx @arethetypeswrong/cli --pack .",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "typecheck": "tsc --noEmit"
+  },
+  "dependencies": {
+    "clsx": "^2.1.0"
+  },
+  "peerDependencies": {
+    "react": "^18.0.0 || ^19.0.0",
+    "react-dom": "^18.0.0 || ^19.0.0",
+    "lucide-react": ">=0.400.0",
+    "input-otp": ">=1.4.0",
+    "@react-three/fiber": ">=8.0.0",
+    "three": ">=0.160.0",
+    "tailwindcss": ">=4.0.0"
+  },
+  "peerDependenciesMeta": {
+    "react": { "optional": true },
+    "react-dom": { "optional": true },
+    "lucide-react": { "optional": true },
+    "input-otp": { "optional": true },
+    "@react-three/fiber": { "optional": true },
+    "three": { "optional": true },
+    "tailwindcss": { "optional": true }
+  },
+  "engines": {
+    "node": ">=20.19.0"
+  },
+  "devDependencies": {
+    "typescript": "^5.7.0",
+    "vitest": "^3.0.0",
+    "react": "^19.0.0",
+    "react-dom": "^19.0.0",
+    "@types/react": "^19.0.0",
+    "@types/three": ">=0.160.0",
+    "@react-three/fiber": ">=8.0.0",
+    "three": ">=0.160.0",
+    "lucide-react": ">=0.400.0",
+    "input-otp": ">=1.4.0"
+  }
+}