@cfast/auth 0.0.1 → 0.2.0

package/README.md

@@ -138,12 +138,12 @@ function Header() {
 
 ### Login Page
 
-The consumer creates their own login route and renders `<LoginPage>`. The component accepts an `authClient` prop and a `components` prop for UI slot overrides. Default slots render plain HTML — use `@cfast/ui/joy` for Joy UI styling.
+The consumer creates their own login route and renders `<LoginPage>`. The component accepts an `authClient` prop and a `components` prop for UI slot overrides. Default slots render plain HTML — use `@cfast/joy` for Joy UI styling.
 
 ```typescript
 // routes/login.tsx
 import { LoginPage } from "@cfast/auth/client";
-import { joyLoginComponents } from "@cfast/ui/joy";
+import { joyLoginComponents } from "@cfast/joy";
 import { authClient } from "~/auth.client";
 
 export default function Login() {
@@ -196,7 +196,7 @@ export default function Login() {
 }
 ```
 
-For Joy UI, use the pre-built `joyLoginComponents` from `@cfast/ui/joy` instead of writing custom slots.
+For Joy UI, use the pre-built `joyLoginComponents` from `@cfast/joy` instead of writing custom slots.
 
 ### Redirect Flow
 

package/dist/client.d.ts

@@ -72,9 +72,15 @@ type LoginComponents = {
     ErrorMessage?: ComponentType<{
         error: string;
     }>;
+    PasskeySignUpButton?: ComponentType<{
+        onClick: () => void;
+        loading: boolean;
+    }>;
 };
 type LoginPageProps = {
-    authClient: {
+    /** Pass `undefined` during SSR (e.g. from a `.client.ts` module). The
+     *  component renders a static shell and hydrates with full interactivity. */
+    authClient?: {
         signIn: {
             magicLink: (opts: {
                 email: string;
@@ -89,6 +95,24 @@ type LoginPageProps = {
                 } | null;
             } | undefined>;
         };
+        signUp?: {
+            email: (opts: {
+                email: string;
+                password: string;
+                name: string;
+            }) => Promise<{
+                error?: {
+                    message?: string;
+                } | null;
+            }>;
+        };
+        passkey?: {
+            addPasskey: () => Promise<{
+                error?: {
+                    message?: string;
+                } | null;
+            } | undefined>;
+        };
     };
     components?: LoginComponents;
     title?: string;

package/dist/client.js

@@ -133,6 +133,21 @@ function DefaultPasskeyButton({
     }
   );
 }
+function DefaultPasskeySignUpButton({
+  onClick,
+  loading
+}) {
+  return /* @__PURE__ */ jsx4(
+    "button",
+    {
+      type: "button",
+      onClick,
+      disabled: loading,
+      style: { width: "100%", padding: 8 },
+      children: loading ? "Creating account..." : "Sign up with Passkey"
+    }
+  );
+}
 function DefaultSuccessMessage({ email }) {
   return /* @__PURE__ */ jsxs("div", { role: "status", children: [
     "Check your email (",
@@ -154,6 +169,7 @@ function LoginPage({
   const EmailInput = components.EmailInput ?? DefaultEmailInput;
   const MagicLinkBtn = components.MagicLinkButton ?? DefaultMagicLinkButton;
   const PasskeyBtn = components.PasskeyButton ?? DefaultPasskeyButton;
+  const PasskeySignUpBtn = components.PasskeySignUpButton ?? DefaultPasskeySignUpButton;
   const SuccessMsg = components.SuccessMessage ?? DefaultSuccessMessage;
   const ErrorMsg = components.ErrorMessage ?? DefaultErrorMessage;
   const [email, setEmail] = useState("");
@@ -161,11 +177,14 @@ function LoginPage({
   const [loading, setLoading] = useState(false);
   const [error, setError] = useState(null);
   const [passkeyLoading, setPasskeyLoading] = useState(false);
+  const [passkeySignUpLoading, setPasskeySignUpLoading] = useState(false);
+  const canPasskeySignUp = !!(authClient?.signUp?.email && authClient?.passkey?.addPasskey);
   async function handleMagicLink() {
     if (!email.trim()) {
       setError("Please enter your email address.");
       return;
     }
+    if (!authClient) return;
     setLoading(true);
     setError(null);
     try {
@@ -183,6 +202,7 @@ function LoginPage({
     }
   }
   async function handlePasskey() {
+    if (!authClient) return;
     setPasskeyLoading(true);
     setError(null);
     try {
@@ -198,6 +218,36 @@ function LoginPage({
       setPasskeyLoading(false);
     }
   }
+  async function handlePasskeySignUp() {
+    if (!email.trim()) {
+      setError("Please enter your email address.");
+      return;
+    }
+    if (!authClient) return;
+    setPasskeySignUpLoading(true);
+    setError(null);
+    try {
+      const signUpResult = await authClient.signUp.email({
+        email,
+        password: crypto.randomUUID(),
+        name: ""
+      });
+      if (signUpResult.error) {
+        setError(signUpResult.error.message ?? "Sign-up failed.");
+        return;
+      }
+      const passkeyResult = await authClient.passkey.addPasskey();
+      if (passkeyResult?.error) {
+        setError(passkeyResult.error.message ?? "Passkey registration failed.");
+        return;
+      }
+      onSuccess?.();
+    } catch {
+      setError("Passkey sign-up failed. Please try again.");
+    } finally {
+      setPasskeySignUpLoading(false);
+    }
+  }
   return /* @__PURE__ */ jsxs(Layout, { children: [
     /* @__PURE__ */ jsx4("h2", { children: title }),
     subtitle && /* @__PURE__ */ jsx4("p", { children: subtitle }),
@@ -205,7 +255,14 @@ function LoginPage({
     sent ? /* @__PURE__ */ jsx4(SuccessMsg, { email }) : /* @__PURE__ */ jsxs("div", { children: [
       /* @__PURE__ */ jsx4(EmailInput, { value: email, onChange: setEmail }),
       /* @__PURE__ */ jsx4("div", { style: { marginTop: 8 }, children: /* @__PURE__ */ jsx4(MagicLinkBtn, { onClick: handleMagicLink, loading }) }),
-      authClient?.signIn?.passkey && /* @__PURE__ */ jsx4("div", { style: { marginTop: 8 }, children: /* @__PURE__ */ jsx4(PasskeyBtn, { onClick: handlePasskey, loading: passkeyLoading }) })
+      authClient?.signIn?.passkey && /* @__PURE__ */ jsx4("div", { style: { marginTop: 8 }, children: /* @__PURE__ */ jsx4(PasskeyBtn, { onClick: handlePasskey, loading: passkeyLoading }) }),
+      canPasskeySignUp && /* @__PURE__ */ jsx4("div", { style: { marginTop: 8 }, children: /* @__PURE__ */ jsx4(
+        PasskeySignUpBtn,
+        {
+          onClick: handlePasskeySignUp,
+          loading: passkeySignUpLoading
+        }
+      ) })
     ] })
   ] });
 }
@@ -213,6 +270,7 @@ function LoginPage({
 // src/client/create-auth-client.ts
 import { createAuthClient } from "better-auth/react";
 import { magicLinkClient } from "better-auth/client/plugins";
+import { passkeyClient } from "@better-auth/passkey/client";
 export {
   AuthClientProvider,
   AuthGuard,

package/dist/index.d.ts

@@ -1,6 +1,6 @@
-import { a as AuthConfig, b as AuthEnvConfig, c as AuthInstance } from './types-ghXti5CW.js';
-export { d as AuthContext, A as AuthUser, e as AuthenticatedContext } from './types-ghXti5CW.js';
-import '@cfast/permissions';
+import { a as AuthConfig, b as AuthEnvConfig, c as AuthInstance, A as AuthUser } from './types-ghXti5CW.js';
+export { d as AuthContext, e as AuthenticatedContext } from './types-ghXti5CW.js';
+import { Grant } from '@cfast/permissions';
 
 /**
  * Creates a pre-configured auth factory for Cloudflare Workers.
@@ -164,4 +164,43 @@ declare function createAuthRouteHandlers(getAuth: () => AuthInstance): {
     }) => Promise<Response>;
 };
 
-export { AuthConfig, AuthEnvConfig, AuthInstance, createAuth, createAuthRouteHandlers, createImpersonationManager, createRoleManager };
+/**
+ * Adapter type matching @cfast/admin's AdminAuthConfig interface.
+ * Duplicated here to avoid a circular dependency on @cfast/admin.
+ */
+type AdminAuthBridge = {
+    requireUser(request: Request): Promise<{
+        user: AuthUser;
+        grants: Grant[];
+    }>;
+    hasRole(user: {
+        roles: string[];
+    }, role: string): boolean;
+    getRoles(userId: string): Promise<string[]>;
+    setRole(userId: string, role: string): Promise<void>;
+    removeRole(userId: string, role: string): Promise<void>;
+    setRoles(userId: string, roles: string[]): Promise<void>;
+};
+/**
+ * Creates an admin auth adapter from a cfast auth instance factory.
+ *
+ * Replaces ~150 lines of manual adapter boilerplate with a single call.
+ * The factory is called per-operation to ensure fresh env bindings on Workers.
+ *
+ * @param getAuth - Factory that returns an initialized AuthInstance.
+ * @returns An object satisfying `@cfast/admin`'s `AdminAuthConfig` interface.
+ *
+ * @example
+ * ```ts
+ * import { createAdminAuth } from "@cfast/auth";
+ *
+ * const auth = createAdminAuth(() =>
+ *   initAuth({ d1: env.get().DB, appUrl: env.get().APP_URL })
+ * );
+ *
+ * const admin = createAdmin({ auth, db: createDbForAdmin, schema });
+ * ```
+ */
+declare function createAdminAuth(getAuth: () => AuthInstance): AdminAuthBridge;
+
+export { AuthConfig, AuthEnvConfig, AuthInstance, AuthUser, createAdminAuth, createAuth, createAuthRouteHandlers, createImpersonationManager, createRoleManager };

package/dist/index.js

@@ -2,6 +2,7 @@
 import { betterAuth } from "better-auth";
 import { drizzleAdapter } from "better-auth/adapters/drizzle";
 import { magicLink } from "better-auth/plugins/magic-link";
+import { passkey } from "@better-auth/passkey";
 import { drizzle } from "drizzle-orm/d1";
 import { resolveGrants } from "@cfast/permissions";
 
@@ -127,6 +128,15 @@ function createAuth(config) {
         magicLink({ sendMagicLink: config.magicLink.sendMagicLink })
       );
     }
+    if (config.passkeys) {
+      plugins.push(
+        passkey({
+          rpName: config.passkeys.rpName,
+          rpID: config.passkeys.rpId,
+          origin: env.appUrl
+        })
+      );
+    }
     const expiresIn = config.session?.expiresIn ? parseExpiresIn(config.session.expiresIn) : void 0;
     const auth = betterAuth({
       baseURL: env.appUrl,
@@ -252,7 +262,33 @@ function createAuthRouteHandlers(getAuth) {
   }
   return { loader: handleRequest, action: handleRequest };
 }
+
+// src/admin-auth.ts
+function createAdminAuth(getAuth) {
+  return {
+    async requireUser(request) {
+      const ctx = await getAuth().requireUser(request);
+      return { user: ctx.user, grants: ctx.grants };
+    },
+    hasRole(user, role) {
+      return user.roles.includes(role);
+    },
+    async getRoles(userId) {
+      return getAuth().getRoles(userId);
+    },
+    async setRole(userId, role) {
+      await getAuth().setRole(userId, role);
+    },
+    async removeRole(userId, role) {
+      await getAuth().removeRole(userId, role);
+    },
+    async setRoles(userId, roles) {
+      await getAuth().setRoles(userId, roles);
+    }
+  };
+}
 export {
+  createAdminAuth,
   createAuth,
   createAuthRouteHandlers,
   createImpersonationManager,

package/llms.txt

@@ -0,0 +1,216 @@
+# @cfast/auth
+
+> Authentication for Cloudflare Workers: magic email links, passkeys, roles, impersonation. Built on Better Auth.
+
+## When to use
+
+Use `@cfast/auth` to add authentication to a cfast app. It handles login (magic link + passkeys), session management, role assignment, and user impersonation. It produces the `user` and `grants` objects that `@cfast/db` needs for permission-aware queries.
+
+## Key concepts
+
+- **Two-phase initialization.** `createAuth(config)` returns an `initAuth` factory. Call `initAuth({ d1, appUrl })` per-request to get an `AuthInstance`.
+- **Roles bridge auth and permissions.** Auth assigns roles to users. `@cfast/permissions` defines what roles can do. The `grants` from auth feed directly into `createDb()`.
+- **Cookie-based redirect-back.** Unauthenticated users get a `cfast_redirect_to` cookie before redirecting to `/login`. After login, the cookie restores their intended destination.
+
+## API Reference
+
+### Server: createAuth(config) => initAuth
+
+```typescript
+import { createAuth } from "@cfast/auth";
+
+export const initAuth = createAuth({
+  permissions: Permissions,            // from definePermissions()
+  magicLink?: {
+    sendMagicLink: (params: { email: string; url: string }) => Promise<void>,
+  },
+  passkeys?: { rpName: string; rpId: string },
+  session?: { expiresIn?: string },    // e.g. "30d"
+  redirects?: { afterLogin?: string; loginPath?: string },
+  anonymousRoles?: string[],
+  defaultRoles?: string[],             // default: ["reader"]
+  roleGrants?: Record<string, string[]>,  // who can assign which roles
+  impersonation?: { allowedRoles?: string[] },
+  templates?: { magicLink?: (props: { url: string; email: string }) => string },
+});
+```
+
+### initAuth(env) => AuthInstance
+
+```typescript
+const auth: AuthInstance = initAuth({ d1: env.DB, appUrl: "https://myapp.com" });
+```
+
+### AuthInstance methods
+
+```typescript
+auth.createContext(request): Promise<AuthContext>
+// { user: AuthUser | null, grants: Grant[] }
+
+auth.requireUser(request): Promise<AuthenticatedContext>
+// { user: AuthUser, grants: Grant[] }  -- throws 302 redirect if not authenticated
+
+auth.getRoles(userId): Promise<string[]>
+auth.setRole(userId, role, caller?): Promise<void>
+auth.setRoles(userId, roles, caller?): Promise<void>
+auth.removeRole(userId, role): Promise<void>
+
+auth.impersonate(adminUserId, targetUserId): Promise<void>
+auth.stopImpersonating(adminUserId): Promise<void>
+
+auth.sendMagicLink({ email, callbackURL? }): Promise<void>
+auth.handler(request): Promise<Response>   // forwards to Better Auth
+```
+
+### AuthUser type
+
+```typescript
+type AuthUser = {
+  id: string;
+  email: string;
+  name: string;
+  avatarUrl: string | null;
+  roles: string[];
+  isImpersonating?: boolean;
+  realUser?: { id: string; name: string };
+};
+```
+
+### createAdminAuth(getAuth): AdminAuthBridge
+
+```typescript
+import { createAdminAuth } from "@cfast/auth";
+
+function createAdminAuth(getAuth: () => AuthInstance): AdminAuthBridge
+```
+
+Creates an admin auth adapter from a cfast auth instance factory. Replaces ~150 lines of manual adapter boilerplate with a single call. The factory is called per-operation to ensure fresh env bindings on Workers.
+
+Returns an object satisfying `@cfast/admin`'s `AdminAuthConfig` interface with: `requireUser`, `hasRole`, `getRoles`, `setRole`, `removeRole`, `setRoles`.
+
+```typescript
+const auth = createAdminAuth(() =>
+  initAuth({ d1: env.get().DB, appUrl: env.get().APP_URL })
+);
+const admin = createAdmin({ auth, db: createDbForAdmin, schema });
+```
+
+### Client exports (`@cfast/auth/client`)
+
+```typescript
+// Providers
+<AuthClientProvider authClient={authClient}>   // wraps app root
+<AuthProvider user={user}>                      // wraps layout routes
+<AuthGuard user={user}>                         // layout component, provides user to children
+
+// Hooks
+useCurrentUser(): AuthUser | null              // user from nearest AuthGuard/AuthProvider
+useAuth(): UseAuthReturn                       // { signOut, registerPasskey, deletePasskey, stopImpersonating, authClient }
+
+// Login
+<LoginPage authClient={authClient} components? title? subtitle? />
+createAuthClient(): AuthClientInstance
+magicLinkClient(): plugin                          // re-exported from better-auth
+passkeyClient(): plugin                            // re-exported from @better-auth/passkey
+```
+
+### LoginComponents slots
+
+```typescript
+type LoginComponents = {
+  Layout?, EmailInput?, PasskeyButton?, PasskeySignUpButton?,
+  MagicLinkButton?, SuccessMessage?, ErrorMessage?,
+};
+```
+
+### Passkey sign-up
+
+When the `authClient` passed to `<LoginPage>` has both `signUp.email` and `passkey.addPasskey` (i.e., the client was created with `passkeyClient()`), a "Sign up with Passkey" button appears automatically. The flow:
+
+1. User enters email, clicks "Sign up with Passkey"
+2. Account is created via `signUp.email` with a random password
+3. Browser's WebAuthn registration prompt fires immediately via `addPasskey()`
+4. User is signed up with a passkey — no magic link email needed
+
+To enable passkey sign-up, configure both server and client:
+
+```typescript
+// Server: createAuth config
+const initAuth = createAuth({
+  permissions,
+  passkeys: { rpName: "My App", rpId: "myapp.com" },
+  magicLink: { sendMagicLink: ... },
+});
+
+// Client: auth client
+import { createAuthClient, magicLinkClient, passkeyClient } from "@cfast/auth/client";
+const authClient = createAuthClient({
+  plugins: [magicLinkClient(), passkeyClient()],
+});
+```
+
+### Route plugin (`@cfast/auth/plugin`)
+
+```typescript
+import { authRoutes } from "@cfast/auth/plugin";
+// In routes.ts:
+export default [...authRoutes({ handlerFile: "routes/auth.$.tsx" }), ...otherRoutes];
+```
+
+### Schema (`@cfast/auth/schema`)
+
+Drizzle tables: `user`, `session`, `passkey`, `role`, `impersonation_log`.
+
+## Usage Examples
+
+### Protect a layout route
+
+```typescript
+// routes/_protected.tsx
+import { AuthGuard } from "@cfast/auth/client";
+
+export async function loader({ request, context }) {
+  const auth = initAuth({ d1: context.env.DB, appUrl: context.env.APP_URL });
+  const { user, grants } = await auth.requireUser(request);
+  return { user };
+}
+
+export default function ProtectedLayout() {
+  const { user } = useLoaderData<typeof loader>();
+  return <AuthGuard user={user}><Outlet /></AuthGuard>;
+}
+```
+
+### Auth -> Db flow in a loader
+
+```typescript
+export async function loader({ request, context }) {
+  const auth = initAuth({ d1: context.env.DB, appUrl: context.env.APP_URL });
+  const { user, grants } = await auth.requireUser(request);
+
+  const db = createDb({ d1: context.env.DB, schema, grants, user });
+  const posts = await db.query(postsTable).findMany().run({});
+  return { user, posts };
+}
+```
+
+### Role management
+
+```typescript
+await auth.setRole(userId, "editor");
+await auth.setRoles(userId, ["editor", "moderator"]);
+await auth.removeRole(userId, "editor");
+```
+
+## Integration
+
+- **@cfast/permissions** -- `createAuth({ permissions })` takes the permissions config. Roles defined in permissions are the same roles assigned to users. `auth.requireUser()` returns `grants` resolved from the user's roles.
+- **@cfast/db** -- Pass `{ user, grants }` from `auth.requireUser()` directly to `createDb()`. Role changes via `auth.setRole()` take effect on the next request.
+- **@cfast/joy** -- Provides `joyLoginComponents` for Joy UI styled login page slots.
+
+## Common Mistakes
+
+- **Calling `createAuth()` per-request** -- `createAuth()` is called once at module level. Only `initAuth()` is called per-request with the D1 binding.
+- **Forgetting to add auth routes** -- The magic link callback and passkey endpoints need `authRoutes()` in your `routes.ts`.
+- **Using `unsafe()` instead of roles for admin** -- Admins should have a proper role with grants, not bypass permissions entirely.
+- **Not wrapping the app with `AuthClientProvider`** -- `useAuth()` and `LoginPage` require the provider at the app root.

package/package.json

@@ -1,7 +1,14 @@
 {
   "name": "@cfast/auth",
-  "version": "0.0.1",
+  "version": "0.2.0",
   "description": "Authentication for Cloudflare Workers: magic email, passkeys, roles, and impersonation",
+  "keywords": [
+    "cfast",
+    "cloudflare-workers",
+    "authentication",
+    "passkeys",
+    "magic-link"
+  ],
   "license": "MIT",
   "repository": {
     "type": "git",
@@ -30,19 +37,28 @@
     }
   },
   "files": [
-    "dist"
+    "dist",
+    "llms.txt"
   ],
   "sideEffects": false,
   "publishConfig": {
     "access": "public"
   },
+  "scripts": {
+    "build": "tsup src/index.ts src/client.ts src/plugin.ts src/schema.ts --format esm --dts",
+    "dev": "tsup src/index.ts src/client.ts src/plugin.ts src/schema.ts --format esm --dts --watch",
+    "test": "vitest run",
+    "typecheck": "tsc --noEmit",
+    "lint": "eslint src/"
+  },
   "peerDependencies": {
+    "@better-auth/passkey": ">=1",
     "better-auth": ">=1",
     "drizzle-orm": ">=0.35",
     "react": ">=18"
   },
   "dependencies": {
-    "@cfast/permissions": "0.0.1"
+    "@cfast/permissions": "workspace:*"
   },
   "devDependencies": {
     "@cloudflare/workers-types": "^4.20260305.1",
@@ -55,12 +71,5 @@
     "tsup": "^8",
     "typescript": "^5.7",
     "vitest": "^4.1.0"
-  },
-  "scripts": {
-    "build": "tsup src/index.ts src/client.ts src/plugin.ts src/schema.ts --format esm --dts",
-    "dev": "tsup src/index.ts src/client.ts src/plugin.ts src/schema.ts --format esm --dts --watch",
-    "test": "vitest run",
-    "typecheck": "tsc --noEmit",
-    "lint": "eslint src/"
   }
-}
+}

package/LICENSE

@@ -1,21 +0,0 @@
-MIT License
-
-Copyright (c) 2026 Daniel Schmidt
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.

package/dist/types-19GeiMs4.d.ts

@@ -1,64 +0,0 @@
-import { Permissions, Grant } from '@cfast/permissions';
-
-type AuthUser = {
-    id: string;
-    email: string;
-    name: string;
-    avatarUrl: string | null;
-    roles: string[];
-    isImpersonating?: boolean;
-    realUser?: {
-        id: string;
-        name: string;
-    };
-};
-type AuthContext = {
-    user: AuthUser | null;
-    grants: Grant[];
-};
-type AuthenticatedContext = {
-    user: AuthUser;
-    grants: Grant[];
-};
-type AuthConfig = {
-    permissions: Permissions;
-    schema?: Record<string, unknown>;
-    passkeys?: {
-        rpName: string;
-        rpId: string;
-    };
-    magicLink?: {
-        sendMagicLink: (params: {
-            email: string;
-            url: string;
-        }) => Promise<void>;
-    };
-    session?: {
-        expiresIn?: string;
-    };
-    redirects?: {
-        afterLogin?: string;
-        loginPath?: string;
-    };
-    anonymousRoles?: string[];
-    defaultRoles?: string[];
-    roleTableName?: string;
-};
-type AuthEnvConfig = {
-    d1: D1Database;
-    appUrl: string;
-};
-type AuthInstance = {
-    createContext: (request: Request) => Promise<AuthContext>;
-    requireUser: (request: Request) => Promise<AuthenticatedContext>;
-    getRoles: (userId: string) => Promise<string[]>;
-    setRole: (userId: string, role: string) => Promise<void>;
-    setRoles: (userId: string, roles: string[]) => Promise<void>;
-    removeRole: (userId: string, role: string) => Promise<void>;
-    /** Handle auth API requests (forwards to Better Auth) */
-    handler: (request: Request) => Promise<Response>;
-    /** The underlying Better Auth instance */
-    api: unknown;
-};
-
-export type { AuthUser as A, AuthConfig as a, AuthEnvConfig as b, AuthInstance as c, AuthContext as d, AuthenticatedContext as e };

package/dist/types-8eZilolN.d.ts

@@ -1,63 +0,0 @@
-import { Permissions, Grant } from '@cfast/permissions';
-
-type AuthUser = {
-    id: string;
-    email: string;
-    name: string;
-    avatarUrl: string | null;
-    roles: string[];
-    isImpersonating?: boolean;
-    realUser?: {
-        id: string;
-        name: string;
-    };
-};
-type AuthContext = {
-    user: AuthUser | null;
-    grants: Grant[];
-};
-type AuthenticatedContext = {
-    user: AuthUser;
-    grants: Grant[];
-};
-type AuthConfig = {
-    permissions: Permissions;
-    schema?: Record<string, unknown>;
-    passkeys?: {
-        rpName: string;
-        rpId: string;
-    };
-    magicLink?: {
-        sendMagicLink: (params: {
-            email: string;
-            url: string;
-        }) => Promise<void>;
-    };
-    session?: {
-        expiresIn?: string;
-    };
-    redirects?: {
-        afterLogin?: string;
-        loginPath?: string;
-    };
-    anonymousRoles?: string[];
-    defaultRoles?: string[];
-};
-type AuthEnvConfig = {
-    d1: D1Database;
-    appUrl: string;
-};
-type AuthInstance = {
-    createContext: (request: Request) => Promise<AuthContext>;
-    requireUser: (request: Request) => Promise<AuthenticatedContext>;
-    getRoles: (userId: string) => Promise<string[]>;
-    setRole: (userId: string, role: string) => Promise<void>;
-    setRoles: (userId: string, roles: string[]) => Promise<void>;
-    removeRole: (userId: string, role: string) => Promise<void>;
-    /** Handle auth API requests (forwards to Better Auth) */
-    handler: (request: Request) => Promise<Response>;
-    /** The underlying Better Auth instance */
-    api: unknown;
-};
-
-export type { AuthUser as A, AuthConfig as a, AuthEnvConfig as b, AuthInstance as c, AuthContext as d, AuthenticatedContext as e };

package/dist/types-DZ7AeznW.d.ts

@@ -1,74 +0,0 @@
-import { Permissions, Grant } from '@cfast/permissions';
-
-type AuthUser = {
-    id: string;
-    email: string;
-    name: string;
-    avatarUrl: string | null;
-    roles: string[];
-    isImpersonating?: boolean;
-    realUser?: {
-        id: string;
-        name: string;
-    };
-};
-type AuthContext = {
-    user: AuthUser | null;
-    grants: Grant[];
-};
-type AuthenticatedContext = {
-    user: AuthUser;
-    grants: Grant[];
-};
-type AuthConfig = {
-    permissions: Permissions;
-    schema?: Record<string, unknown>;
-    passkeys?: {
-        rpName: string;
-        rpId: string;
-    };
-    magicLink?: {
-        sendMagicLink: (params: {
-            email: string;
-            url: string;
-        }) => Promise<void>;
-    };
-    session?: {
-        expiresIn?: string;
-    };
-    redirects?: {
-        afterLogin?: string;
-        loginPath?: string;
-    };
-    anonymousRoles?: string[];
-    defaultRoles?: string[];
-    roleTableName?: string;
-    roleGrants?: Record<string, string[]>;
-    impersonation?: {
-        allowedRoles?: string[];
-    };
-};
-type AuthEnvConfig = {
-    d1: D1Database;
-    appUrl: string;
-};
-type AuthInstance = {
-    createContext: (request: Request) => Promise<AuthContext>;
-    requireUser: (request: Request) => Promise<AuthenticatedContext>;
-    getRoles: (userId: string) => Promise<string[]>;
-    setRole: (userId: string, role: string, caller?: {
-        callerRoles?: string[];
-    }) => Promise<void>;
-    setRoles: (userId: string, roles: string[], caller?: {
-        callerRoles?: string[];
-    }) => Promise<void>;
-    removeRole: (userId: string, role: string) => Promise<void>;
-    impersonate: (adminUserId: string, targetUserId: string) => Promise<void>;
-    stopImpersonating: (adminUserId: string) => Promise<void>;
-    /** Handle auth API requests (forwards to Better Auth) */
-    handler: (request: Request) => Promise<Response>;
-    /** The underlying Better Auth instance */
-    api: unknown;
-};
-
-export type { AuthUser as A, AuthConfig as a, AuthEnvConfig as b, AuthInstance as c, AuthContext as d, AuthenticatedContext as e };

package/dist/types-DdbPIOVK.d.ts

@@ -1,85 +0,0 @@
-import { Permissions, Grant } from '@cfast/permissions';
-
-type AuthUser = {
-    id: string;
-    email: string;
-    name: string;
-    avatarUrl: string | null;
-    roles: string[];
-    isImpersonating?: boolean;
-    realUser?: {
-        id: string;
-        name: string;
-    };
-};
-type AuthContext = {
-    user: AuthUser | null;
-    grants: Grant[];
-};
-type AuthenticatedContext = {
-    user: AuthUser;
-    grants: Grant[];
-};
-type AuthConfig = {
-    permissions: Permissions;
-    schema?: Record<string, unknown>;
-    passkeys?: {
-        rpName: string;
-        rpId: string;
-    };
-    magicLink?: {
-        sendMagicLink: (params: {
-            email: string;
-            url: string;
-        }) => Promise<void>;
-    };
-    session?: {
-        expiresIn?: string;
-    };
-    redirects?: {
-        afterLogin?: string;
-        loginPath?: string;
-    };
-    anonymousRoles?: string[];
-    defaultRoles?: string[];
-    roleTableName?: string;
-    roleGrants?: Record<string, string[]>;
-    impersonation?: {
-        allowedRoles?: string[];
-    };
-    templates?: {
-        magicLink?: (props: {
-            url: string;
-            email: string;
-        }) => string;
-    };
-};
-type AuthEnvConfig = {
-    d1: D1Database;
-    appUrl: string;
-};
-type AuthInstance = {
-    createContext: (request: Request) => Promise<AuthContext>;
-    requireUser: (request: Request) => Promise<AuthenticatedContext>;
-    getRoles: (userId: string) => Promise<string[]>;
-    setRole: (userId: string, role: string, caller?: {
-        callerRoles?: string[];
-    }) => Promise<void>;
-    setRoles: (userId: string, roles: string[], caller?: {
-        callerRoles?: string[];
-    }) => Promise<void>;
-    removeRole: (userId: string, role: string) => Promise<void>;
-    impersonate: (adminUserId: string, targetUserId: string) => Promise<void>;
-    stopImpersonating: (adminUserId: string) => Promise<void>;
-    /** Send a magic link email to the given address */
-    sendMagicLink: (params: {
-        email: string;
-        callbackURL?: string;
-    }) => Promise<void>;
-    /** Handle auth API requests (forwards to Better Auth) */
-    handler: (request: Request) => Promise<Response>;
-    /** The underlying Better Auth instance */
-    api: unknown;
-};
-
-export type { AuthUser as A, AuthConfig as a, AuthEnvConfig as b, AuthInstance as c, AuthContext as d, AuthenticatedContext as e };

package/dist/types-DrnTPiku.d.ts

@@ -1,62 +0,0 @@
-import { Permissions, Grant } from '@cfast/permissions';
-
-type AuthUser = {
-    id: string;
-    email: string;
-    name: string;
-    avatarUrl: string | null;
-    roles: string[];
-    isImpersonating?: boolean;
-    realUser?: {
-        id: string;
-        name: string;
-    };
-};
-type AuthContext = {
-    user: AuthUser | null;
-    grants: Grant[];
-};
-type AuthenticatedContext = {
-    user: AuthUser;
-    grants: Grant[];
-};
-type AuthConfig = {
-    permissions: Permissions;
-    passkeys?: {
-        rpName: string;
-        rpId: string;
-    };
-    magicLink?: {
-        sendMagicLink: (params: {
-            email: string;
-            url: string;
-        }) => Promise<void>;
-    };
-    session?: {
-        expiresIn?: string;
-    };
-    redirects?: {
-        afterLogin?: string;
-        loginPath?: string;
-    };
-    anonymousRoles?: string[];
-    defaultRoles?: string[];
-};
-type AuthEnvConfig = {
-    d1: D1Database;
-    appUrl: string;
-};
-type AuthInstance = {
-    createContext: (request: Request) => Promise<AuthContext>;
-    requireUser: (request: Request) => Promise<AuthenticatedContext>;
-    getRoles: (userId: string) => Promise<string[]>;
-    setRole: (userId: string, role: string) => Promise<void>;
-    setRoles: (userId: string, roles: string[]) => Promise<void>;
-    removeRole: (userId: string, role: string) => Promise<void>;
-    /** Handle auth API requests (forwards to Better Auth) */
-    handler: (request: Request) => Promise<Response>;
-    /** The underlying Better Auth instance */
-    api: unknown;
-};
-
-export type { AuthUser as A, AuthConfig as a, AuthEnvConfig as b, AuthInstance as c, AuthContext as d, AuthenticatedContext as e };