@classic-homes/auth 0.1.23 → 0.1.25

package/dist/testing/index.js

@@ -0,0 +1,2033 @@
+// src/testing/fixtures/users.ts
+var mockUser = {
+  id: "user-123",
+  username: "testuser",
+  email: "test@example.com",
+  firstName: "Test",
+  lastName: "User",
+  phone: "+1234567890",
+  role: "user",
+  roles: ["user"],
+  permissions: ["read:profile", "write:profile"],
+  isActive: true,
+  emailVerified: true,
+  authMethod: "password",
+  createdAt: "2024-01-01T00:00:00.000Z",
+  lastLoginAt: "2024-06-01T12:00:00.000Z"
+};
+var mockAdminUser = {
+  id: "admin-123",
+  username: "adminuser",
+  email: "admin@example.com",
+  firstName: "Admin",
+  lastName: "User",
+  phone: "+1234567891",
+  role: "admin",
+  roles: ["admin", "user"],
+  permissions: [
+    "read:profile",
+    "write:profile",
+    "read:users",
+    "write:users",
+    "delete:users",
+    "read:admin",
+    "write:admin",
+    "manage:system"
+  ],
+  isActive: true,
+  emailVerified: true,
+  authMethod: "password",
+  createdAt: "2024-01-01T00:00:00.000Z",
+  lastLoginAt: "2024-06-01T12:00:00.000Z"
+};
+var mockSSOUser = {
+  id: "sso-123",
+  username: "ssouser",
+  email: "sso@example.com",
+  firstName: "SSO",
+  lastName: "User",
+  role: "user",
+  roles: ["user"],
+  permissions: ["read:profile", "write:profile"],
+  isActive: true,
+  emailVerified: true,
+  authMethod: "oauth",
+  ssoProfileUrl: "https://sso.example.com/profile/sso-123",
+  createdAt: "2024-01-01T00:00:00.000Z",
+  lastLoginAt: "2024-06-01T12:00:00.000Z"
+};
+var mockMFAUser = {
+  id: "mfa-123",
+  username: "mfauser",
+  email: "mfa@example.com",
+  firstName: "MFA",
+  lastName: "User",
+  role: "user",
+  roles: ["user"],
+  permissions: ["read:profile", "write:profile"],
+  isActive: true,
+  emailVerified: true,
+  authMethod: "password",
+  createdAt: "2024-01-01T00:00:00.000Z",
+  lastLoginAt: "2024-06-01T12:00:00.000Z"
+};
+var mockUnverifiedUser = {
+  id: "unverified-123",
+  username: "unverifieduser",
+  email: "unverified@example.com",
+  firstName: "Unverified",
+  lastName: "User",
+  role: "user",
+  roles: ["user"],
+  permissions: [],
+  isActive: true,
+  emailVerified: false,
+  authMethod: "password",
+  createdAt: "2024-01-01T00:00:00.000Z"
+};
+var mockInactiveUser = {
+  id: "inactive-123",
+  username: "inactiveuser",
+  email: "inactive@example.com",
+  firstName: "Inactive",
+  lastName: "User",
+  role: "user",
+  roles: ["user"],
+  permissions: [],
+  isActive: false,
+  emailVerified: true,
+  authMethod: "password",
+  createdAt: "2024-01-01T00:00:00.000Z"
+};
+function createMockUser(overrides = {}) {
+  return {
+    ...mockUser,
+    id: overrides.id ?? `user-${Date.now()}`,
+    ...overrides
+  };
+}
+function createMockUserWithRoles(roles, permissions, overrides = {}) {
+  return createMockUser({
+    role: roles[0] ?? "user",
+    roles,
+    permissions,
+    ...overrides
+  });
+}
+function createMockUserWithAuthMethod(authMethod, overrides = {}) {
+  const baseOverrides = { authMethod };
+  if (authMethod === "oauth" || authMethod === "both") {
+    baseOverrides.ssoProfileUrl = `https://sso.example.com/profile/${overrides.id ?? "user-123"}`;
+  }
+  return createMockUser({
+    ...baseOverrides,
+    ...overrides
+  });
+}
+
+// src/testing/fixtures/tokens.ts
+var BASE64_URL_ENCODE = (str) => {
+  return btoa(str).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+};
+var createFakeJWT = (payload, expiresIn = 3600) => {
+  const header = { alg: "HS256", typ: "JWT" };
+  const now = Math.floor(Date.now() / 1e3);
+  const fullPayload = {
+    iat: now,
+    exp: now + expiresIn,
+    ...payload
+  };
+  const headerB64 = BASE64_URL_ENCODE(JSON.stringify(header));
+  const payloadB64 = BASE64_URL_ENCODE(JSON.stringify(fullPayload));
+  const signature = BASE64_URL_ENCODE("fake-signature");
+  return `${headerB64}.${payloadB64}.${signature}`;
+};
+var mockAccessToken = createFakeJWT(
+  {
+    sub: "user-123",
+    username: "testuser",
+    email: "test@example.com",
+    roles: ["user"],
+    permissions: ["read:profile", "write:profile"],
+    type: "access"
+  },
+  3600
+);
+var mockRefreshToken = createFakeJWT(
+  {
+    sub: "user-123",
+    type: "refresh"
+  },
+  604800
+);
+var mockExpiredToken = createFakeJWT(
+  {
+    sub: "user-123",
+    username: "testuser",
+    email: "test@example.com",
+    roles: ["user"],
+    permissions: ["read:profile", "write:profile"],
+    type: "access"
+  },
+  -3600
+  // Already expired
+);
+var mockAdminToken = createFakeJWT(
+  {
+    sub: "admin-123",
+    username: "adminuser",
+    email: "admin@example.com",
+    roles: ["admin", "user"],
+    permissions: [
+      "read:profile",
+      "write:profile",
+      "read:users",
+      "write:users",
+      "delete:users",
+      "read:admin",
+      "write:admin",
+      "manage:system"
+    ],
+    type: "access"
+  },
+  3600
+);
+var mockMFAToken = createFakeJWT(
+  {
+    sub: "mfa-123",
+    type: "mfa_challenge",
+    username: "mfauser"
+  },
+  300
+  // 5 minutes
+);
+var mockSessionToken = createFakeJWT(
+  {
+    sub: "user-123",
+    type: "session",
+    deviceId: "device-123",
+    trusted: true
+  },
+  86400
+  // 24 hours
+);
+function createMockJWT(payload = {}, expiresIn = 3600) {
+  const defaultPayload = {
+    sub: "user-123",
+    type: "access",
+    ...payload
+  };
+  return createFakeJWT(defaultPayload, expiresIn);
+}
+function createExpiredMockJWT(payload = {}, expiredSecondsAgo = 3600) {
+  return createMockJWT(payload, -expiredSecondsAgo);
+}
+function createMockTokenPair(userId = "user-123", options = {}) {
+  const accessToken = createMockJWT(
+    {
+      sub: userId,
+      type: "access",
+      roles: options.roles ?? ["user"],
+      permissions: options.permissions ?? ["read:profile", "write:profile"]
+    },
+    options.accessExpiresIn ?? 3600
+  );
+  const refreshToken = createMockJWT(
+    {
+      sub: userId,
+      type: "refresh"
+    },
+    options.refreshExpiresIn ?? 604800
+  );
+  return { accessToken, refreshToken };
+}
+function createMockMFAToken(userId = "mfa-123", expiresIn = 300) {
+  return createMockJWT(
+    {
+      sub: userId,
+      type: "mfa_challenge"
+    },
+    expiresIn
+  );
+}
+
+// src/testing/fixtures/responses.ts
+var mockLoginSuccess = {
+  accessToken: mockAccessToken,
+  refreshToken: mockRefreshToken,
+  sessionToken: mockSessionToken,
+  user: mockUser,
+  expiresIn: 3600
+};
+var mockMFARequired = {
+  accessToken: "",
+  refreshToken: "",
+  user: mockMFAUser,
+  expiresIn: 0,
+  requiresMFA: true,
+  mfaToken: mockMFAToken,
+  availableMethods: ["totp", "backup"]
+};
+var mockMFARequiredLegacy = {
+  accessToken: "",
+  refreshToken: "",
+  user: mockMFAUser,
+  expiresIn: 0,
+  mfaRequired: true,
+  mfaChallengeToken: mockMFAToken
+};
+var mockAdminLoginSuccess = {
+  ...mockLoginSuccess,
+  user: mockAdminUser,
+  ...createMockTokenPair("admin-123", {
+    roles: ["admin", "user"],
+    permissions: mockAdminUser.permissions
+  })
+};
+var mockSSOLoginSuccess = {
+  ...mockLoginSuccess,
+  user: mockSSOUser
+};
+var mockLogoutSuccess = {
+  success: true,
+  message: "Logged out successfully"
+};
+var mockSSOLogoutResponse = {
+  success: true,
+  message: "Logged out successfully",
+  ssoLogout: true,
+  logoutUrl: "https://sso.example.com/logout?redirect=https://app.example.com"
+};
+var mockRegisterSuccess = {
+  message: "Registration successful",
+  user: mockUser,
+  requiresEmailVerification: false
+};
+var mockRegisterRequiresVerification = {
+  message: "Registration successful. Please verify your email.",
+  user: mockUnverifiedUser,
+  requiresEmailVerification: true
+};
+var mockMFASetup = {
+  qrCodeUrl: "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNk+M9QDwADhgGAWjR9awAAAABJRU5ErkJggg==",
+  manualEntryKey: "JBSWY3DPEHPK3PXP",
+  backupCodes: [
+    "AAAA-BBBB-CCCC",
+    "DDDD-EEEE-FFFF",
+    "GGGG-HHHH-IIII",
+    "JJJJ-KKKK-LLLL",
+    "MMMM-NNNN-OOOO",
+    "PPPP-QQQQ-RRRR",
+    "SSSS-TTTT-UUUU",
+    "VVVV-WWWW-XXXX"
+  ],
+  instructions: {
+    step1: "Download an authenticator app (e.g., Google Authenticator, Authy)",
+    step2: "Scan the QR code or manually enter the key",
+    step3: "Enter the 6-digit code from your authenticator app",
+    step4: "Store your backup codes in a safe place"
+  }
+};
+var mockMFAStatusEnabled = {
+  enabled: true,
+  methods: ["totp"]
+};
+var mockMFAStatusDisabled = {
+  enabled: false,
+  methods: []
+};
+var mockCurrentSession = {
+  id: "session-current",
+  deviceName: "Chrome on macOS",
+  browser: "Chrome 120",
+  location: "San Francisco, CA",
+  ipAddress: "192.168.1.1",
+  lastActivity: (/* @__PURE__ */ new Date()).toISOString(),
+  isCurrent: true,
+  isTrusted: true,
+  deviceFingerprint: "fp-abc123",
+  trustedDeviceId: "device-123",
+  createdAt: new Date(Date.now() - 864e5).toISOString(),
+  expiresAt: new Date(Date.now() + 6048e5).toISOString()
+};
+var mockOtherSession = {
+  id: "session-other",
+  deviceName: "Firefox on Windows",
+  browser: "Firefox 121",
+  location: "New York, NY",
+  ipAddress: "10.0.0.1",
+  lastActivity: new Date(Date.now() - 36e5).toISOString(),
+  isCurrent: false,
+  isTrusted: false,
+  deviceFingerprint: "fp-def456",
+  createdAt: new Date(Date.now() - 1728e5).toISOString(),
+  expiresAt: new Date(Date.now() + 5184e5).toISOString()
+};
+var mockSessions = [mockCurrentSession, mockOtherSession];
+var mockTrustedDevice = {
+  id: "device-trusted",
+  deviceFingerprint: "fp-trusted-123",
+  deviceName: "MacBook Pro",
+  userAgent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)",
+  ipAddress: "192.168.1.1",
+  trusted: true,
+  status: "active",
+  lastSeen: (/* @__PURE__ */ new Date()).toISOString(),
+  createdAt: new Date(Date.now() - 2592e6).toISOString()
+};
+var mockUntrustedDevice = {
+  id: "device-untrusted",
+  deviceFingerprint: "fp-untrusted-456",
+  deviceName: "Unknown Device",
+  userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
+  ipAddress: "10.0.0.100",
+  trusted: false,
+  status: "active",
+  lastSeen: new Date(Date.now() - 864e5).toISOString(),
+  createdAt: new Date(Date.now() - 6048e5).toISOString()
+};
+var mockDevices = [mockTrustedDevice, mockUntrustedDevice];
+var mockApiKey = {
+  id: "key-123",
+  name: "Production API Key",
+  description: "Main API key for production environment",
+  keyPreview: "sk_live_xxxx...xxxx",
+  permissions: ["read:data", "write:data"],
+  role: "api",
+  isActive: true,
+  expiresAt: new Date(Date.now() + 31536e6).toISOString(),
+  lastUsedAt: (/* @__PURE__ */ new Date()).toISOString(),
+  createdAt: new Date(Date.now() - 2592e6).toISOString(),
+  usageCount: 1234
+};
+var mockApiKeys = [
+  mockApiKey,
+  {
+    ...mockApiKey,
+    id: "key-456",
+    name: "Development API Key",
+    description: "API key for development",
+    keyPreview: "sk_test_xxxx...xxxx",
+    usageCount: 56
+  }
+];
+var mockLinkedAccount = {
+  id: "link-123",
+  provider: "authentik",
+  providerAccountId: "auth-user-123",
+  providerEmail: "user@sso.example.com",
+  providerUsername: "ssouser",
+  providerAvatarUrl: "https://sso.example.com/avatar/123.png",
+  isPrimary: true,
+  isVerified: true,
+  createdAt: new Date(Date.now() - 2592e6).toISOString(),
+  lastUsedAt: (/* @__PURE__ */ new Date()).toISOString()
+};
+var mockSecurityEventLogin = {
+  id: "event-login",
+  eventType: "login",
+  description: "Successful login from new device",
+  severity: "low",
+  ipAddress: "192.168.1.1",
+  userAgent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)",
+  location: "San Francisco, CA",
+  createdAt: (/* @__PURE__ */ new Date()).toISOString()
+};
+var mockSecurityEventPasswordChange = {
+  id: "event-password",
+  eventType: "password_change",
+  description: "Password changed successfully",
+  severity: "medium",
+  ipAddress: "192.168.1.1",
+  createdAt: new Date(Date.now() - 864e5).toISOString()
+};
+var mockSecurityEventSuspicious = {
+  id: "event-suspicious",
+  eventType: "suspicious_login",
+  description: "Login attempt from unusual location",
+  severity: "high",
+  ipAddress: "203.0.113.50",
+  location: "Unknown",
+  metadata: {
+    blocked: true,
+    reason: "Location mismatch"
+  },
+  createdAt: new Date(Date.now() - 36e5).toISOString()
+};
+var mockSecurityEvents = [
+  mockSecurityEventLogin,
+  mockSecurityEventPasswordChange,
+  mockSecurityEventSuspicious
+];
+var mockUserPreferences = {
+  emailNotifications: true,
+  securityAlerts: true,
+  loginNotifications: true,
+  suspiciousActivityAlerts: true,
+  passwordChangeNotifications: true,
+  mfaChangeNotifications: true,
+  accountUpdates: true,
+  systemMaintenance: false,
+  featureAnnouncements: true,
+  newsAndUpdates: false,
+  apiKeyExpiration: true,
+  apiUsageAlerts: false,
+  rateLimit: true,
+  dataExportReady: true,
+  reportGeneration: true,
+  theme: "system",
+  language: "en",
+  timezone: "America/Los_Angeles",
+  dateFormat: "MM/DD/YYYY",
+  timeFormat: "12h"
+};
+function createMockLoginSuccess(options = {}) {
+  const tokenPair = createMockTokenPair(options.userId ?? mockUser.id);
+  return {
+    ...tokenPair,
+    user: options.user ? { ...mockUser, ...options.user } : mockUser,
+    expiresIn: options.expiresIn ?? 3600
+  };
+}
+function createMockMFARequired(options = {}) {
+  return {
+    accessToken: "",
+    refreshToken: "",
+    user: mockMFAUser,
+    expiresIn: 0,
+    requiresMFA: true,
+    mfaToken: options.mfaToken ?? mockMFAToken,
+    availableMethods: options.availableMethods ?? ["totp"]
+  };
+}
+function createMockSession(overrides = {}) {
+  return {
+    ...mockCurrentSession,
+    id: `session-${Date.now()}`,
+    ...overrides
+  };
+}
+function createMockDevice(overrides = {}) {
+  return {
+    ...mockTrustedDevice,
+    id: `device-${Date.now()}`,
+    ...overrides
+  };
+}
+function createMockSecurityEvent(overrides = {}) {
+  return {
+    ...mockSecurityEventLogin,
+    id: `event-${Date.now()}`,
+    ...overrides
+  };
+}
+
+// src/testing/mocks/storage.ts
+var MockStorageAdapter = class {
+  constructor(options = {}) {
+    this.data = /* @__PURE__ */ new Map();
+    this.callHistory = [];
+    if (options.initialData) {
+      Object.entries(options.initialData).forEach(([key, value]) => {
+        this.data.set(key, value);
+      });
+    }
+  }
+  // ============================================================================
+  // StorageAdapter Interface
+  // ============================================================================
+  /**
+   * Get an item from storage.
+   */
+  getItem(key) {
+    this.callHistory.push({
+      method: "getItem",
+      key,
+      timestamp: Date.now()
+    });
+    return this.data.get(key) ?? null;
+  }
+  /**
+   * Set an item in storage.
+   */
+  setItem(key, value) {
+    this.callHistory.push({
+      method: "setItem",
+      key,
+      value,
+      timestamp: Date.now()
+    });
+    this.data.set(key, value);
+  }
+  /**
+   * Remove an item from storage.
+   */
+  removeItem(key) {
+    this.callHistory.push({
+      method: "removeItem",
+      key,
+      timestamp: Date.now()
+    });
+    this.data.delete(key);
+  }
+  // ============================================================================
+  // Test Utilities
+  // ============================================================================
+  /**
+   * Clear all data from storage.
+   */
+  clear() {
+    this.data.clear();
+  }
+  /**
+   * Reset the call history.
+   */
+  resetHistory() {
+    this.callHistory = [];
+  }
+  /**
+   * Reset both data and history.
+   */
+  reset() {
+    this.clear();
+    this.resetHistory();
+  }
+  /**
+   * Get all storage keys.
+   */
+  keys() {
+    return Array.from(this.data.keys());
+  }
+  /**
+   * Check if a key exists in storage.
+   */
+  has(key) {
+    return this.data.has(key);
+  }
+  /**
+   * Get the number of items in storage.
+   */
+  get size() {
+    return this.data.size;
+  }
+  /**
+   * Get all data as a plain object.
+   */
+  getData() {
+    return Object.fromEntries(this.data);
+  }
+  /**
+   * Set multiple items at once.
+   */
+  setData(data) {
+    Object.entries(data).forEach(([key, value]) => {
+      this.data.set(key, value);
+    });
+  }
+  // ============================================================================
+  // Call History Utilities
+  // ============================================================================
+  /**
+   * Get the full call history.
+   */
+  getHistory() {
+    return [...this.callHistory];
+  }
+  /**
+   * Get calls for a specific method.
+   */
+  getCallsFor(method) {
+    return this.callHistory.filter((call) => call.method === method);
+  }
+  /**
+   * Get calls for a specific key.
+   */
+  getCallsForKey(key) {
+    return this.callHistory.filter((call) => call.key === key);
+  }
+  /**
+   * Check if a method was called.
+   */
+  wasCalled(method) {
+    return this.callHistory.some((call) => call.method === method);
+  }
+  /**
+   * Check if a method was called with a specific key.
+   */
+  wasCalledWith(method, key) {
+    return this.callHistory.some((call) => call.method === method && call.key === key);
+  }
+  /**
+   * Get the last call made.
+   */
+  getLastCall() {
+    return this.callHistory[this.callHistory.length - 1];
+  }
+  /**
+   * Get the total number of calls made.
+   */
+  get callCount() {
+    return this.callHistory.length;
+  }
+};
+function createMockStorage(options = {}) {
+  return new MockStorageAdapter(options);
+}
+function createMockStorageWithAuth(accessToken, refreshToken, user, storageKey = "classic_auth") {
+  const storage = new MockStorageAdapter();
+  storage.setItem(
+    storageKey,
+    JSON.stringify({
+      accessToken,
+      refreshToken,
+      user
+    })
+  );
+  return storage;
+}
+
+// src/testing/mocks/fetch.ts
+var MockFetchInstance = class {
+  constructor(options = {}) {
+    this.routes = [];
+    this.callHistory = [];
+    // ============================================================================
+    // Fetch Implementation
+    // ============================================================================
+    /**
+     * The mock fetch function.
+     */
+    this.fetch = async (input, init) => {
+      const url = typeof input === "string" ? input : input instanceof URL ? input.href : input.url;
+      const method = (init?.method ?? "GET").toUpperCase();
+      const path = this.extractPath(url);
+      this.callHistory.push({
+        url,
+        options: init ?? {},
+        timestamp: Date.now()
+      });
+      let body = null;
+      if (init?.body) {
+        try {
+          body = JSON.parse(init.body);
+        } catch {
+          body = init.body;
+        }
+      }
+      const request = {
+        method,
+        url,
+        path,
+        body,
+        headers: new Headers(init?.headers)
+      };
+      const route = this.routes.find((r) => r.method === method && this.pathMatches(r.path, path));
+      if (!route) {
+        return this.createResponse(this.defaultResponse);
+      }
+      if (route.delay) {
+        await new Promise((resolve) => setTimeout(resolve, route.delay));
+      }
+      let responseData;
+      if (route.handler) {
+        responseData = await route.handler(request);
+      } else {
+        responseData = {
+          status: route.status ?? 200,
+          response: route.response,
+          headers: route.headers
+        };
+      }
+      return this.createResponse(responseData);
+    };
+    this.baseUrl = options.baseUrl ?? "http://localhost:3000";
+    this.defaultResponse = options.defaultResponse ?? {
+      status: 404,
+      response: { error: { message: "Not Found" } }
+    };
+    this.setupDefaultRoutes();
+  }
+  // ============================================================================
+  // Route Management
+  // ============================================================================
+  /**
+   * Add a route to the mock.
+   */
+  addRoute(route) {
+    this.routes.unshift(route);
+    return this;
+  }
+  /**
+   * Add multiple routes at once.
+   */
+  addRoutes(routes) {
+    routes.forEach((route) => this.addRoute(route));
+    return this;
+  }
+  /**
+   * Remove a route by path and method.
+   */
+  removeRoute(method, path) {
+    this.routes = this.routes.filter(
+      (route) => !(route.method === method && this.pathMatches(route.path, path.toString()))
+    );
+    return this;
+  }
+  /**
+   * Clear all routes.
+   */
+  clearRoutes() {
+    this.routes = [];
+    return this;
+  }
+  /**
+   * Reset to default routes.
+   */
+  reset() {
+    this.routes = [];
+    this.callHistory = [];
+    this.setupDefaultRoutes();
+    return this;
+  }
+  // ============================================================================
+  // Response Helpers
+  // ============================================================================
+  createResponse(data) {
+    const status = data.status ?? 200;
+    const body = data.response !== void 0 ? JSON.stringify(data.response) : null;
+    const headers = new Headers({
+      "Content-Type": "application/json",
+      ...data.headers
+    });
+    return new Response(body, { status, headers });
+  }
+  extractPath(url) {
+    try {
+      const urlObj = new URL(url, this.baseUrl);
+      return urlObj.pathname + urlObj.search;
+    } catch {
+      return url;
+    }
+  }
+  pathMatches(pattern, path) {
+    if (pattern instanceof RegExp) {
+      return pattern.test(path);
+    }
+    if (pattern.includes("*")) {
+      const regexPattern = pattern.replace(/\*/g, "[^/]+");
+      return new RegExp(`^${regexPattern}$`).test(path);
+    }
+    if (path.includes("?") && !pattern.includes("?")) {
+      return path.startsWith(pattern);
+    }
+    return pattern === path;
+  }
+  // ============================================================================
+  // Call History Utilities
+  // ============================================================================
+  /**
+   * Get all recorded calls.
+   */
+  getCalls() {
+    return [...this.callHistory];
+  }
+  /**
+   * Get calls to a specific path.
+   */
+  getCallsTo(path) {
+    return this.callHistory.filter((call) => {
+      const callPath = this.extractPath(call.url);
+      return callPath.startsWith(path);
+    });
+  }
+  /**
+   * Get calls with a specific method.
+   */
+  getCallsWithMethod(method) {
+    return this.callHistory.filter(
+      (call) => (call.options.method ?? "GET").toUpperCase() === method.toUpperCase()
+    );
+  }
+  /**
+   * Check if a path was called.
+   */
+  wasCalled(path) {
+    return this.getCallsTo(path).length > 0;
+  }
+  /**
+   * Check if a path was called with a specific method.
+   */
+  wasCalledWith(method, path) {
+    return this.callHistory.some((call) => {
+      const callPath = this.extractPath(call.url);
+      const callMethod = (call.options.method ?? "GET").toUpperCase();
+      return callMethod === method.toUpperCase() && callPath.startsWith(path);
+    });
+  }
+  /**
+   * Assert that a path was called.
+   */
+  assertCalled(path, message) {
+    if (!this.wasCalled(path)) {
+      throw new Error(message ?? `Expected ${path} to be called`);
+    }
+  }
+  /**
+   * Assert that a path was not called.
+   */
+  assertNotCalled(path, message) {
+    if (this.wasCalled(path)) {
+      throw new Error(message ?? `Expected ${path} not to be called`);
+    }
+  }
+  /**
+   * Get the last call made.
+   */
+  getLastCall() {
+    return this.callHistory[this.callHistory.length - 1];
+  }
+  /**
+   * Clear call history.
+   */
+  clearHistory() {
+    this.callHistory = [];
+    return this;
+  }
+  /**
+   * Get total call count.
+   */
+  get callCount() {
+    return this.callHistory.length;
+  }
+  // ============================================================================
+  // Scenario Configuration Helpers
+  // ============================================================================
+  /**
+   * Configure login to require MFA.
+   */
+  requireMFA() {
+    this.removeRoute("POST", "/auth/login");
+    this.addRoute({
+      method: "POST",
+      path: "/auth/login",
+      response: { data: mockMFARequired }
+    });
+    return this;
+  }
+  /**
+   * Configure login to fail.
+   */
+  failLogin(error = "Invalid credentials") {
+    this.removeRoute("POST", "/auth/login");
+    this.addRoute({
+      method: "POST",
+      path: "/auth/login",
+      status: 401,
+      response: { error: { message: error } }
+    });
+    return this;
+  }
+  /**
+   * Configure an endpoint to fail.
+   */
+  failEndpoint(method, path, status = 500, error = "Internal Server Error") {
+    this.removeRoute(method, path);
+    this.addRoute({
+      method,
+      path,
+      status,
+      response: { error: { message: error } }
+    });
+    return this;
+  }
+  /**
+   * Configure logout to return SSO redirect URL.
+   */
+  enableSSOLogout(logoutUrl = "https://sso.example.com/logout") {
+    this.removeRoute("POST", "/auth/logout");
+    this.addRoute({
+      method: "POST",
+      path: "/auth/logout",
+      response: { data: { ...mockSSOLogoutResponse, logoutUrl } }
+    });
+    return this;
+  }
+  /**
+   * Add response delay to all routes.
+   */
+  setDelay(delay) {
+    this.routes.forEach((route) => {
+      route.delay = delay;
+    });
+    return this;
+  }
+  // ============================================================================
+  // Default Routes Setup
+  // ============================================================================
+  setupDefaultRoutes() {
+    this.addRoute({
+      method: "POST",
+      path: "/auth/login",
+      response: { data: mockLoginSuccess }
+    });
+    this.addRoute({
+      method: "POST",
+      path: "/auth/logout",
+      response: { data: mockLogoutSuccess }
+    });
+    this.addRoute({
+      method: "POST",
+      path: "/auth/register",
+      response: { data: mockRegisterSuccess }
+    });
+    this.addRoute({
+      method: "POST",
+      path: "/auth/refresh",
+      response: { data: { accessToken: mockAccessToken, refreshToken: mockRefreshToken } }
+    });
+    this.addRoute({
+      method: "POST",
+      path: "/auth/forgot-password",
+      response: { message: "Password reset email sent" }
+    });
+    this.addRoute({
+      method: "POST",
+      path: "/auth/reset-password",
+      response: { message: "Password reset successful" }
+    });
+    this.addRoute({
+      method: "GET",
+      path: "/auth/profile",
+      response: mockUser
+    });
+    this.addRoute({
+      method: "PUT",
+      path: "/auth/profile",
+      response: { data: mockUser }
+    });
+    this.addRoute({
+      method: "PUT",
+      path: "/auth/change-password",
+      response: { message: "Password changed successfully" }
+    });
+    this.addRoute({
+      method: "POST",
+      path: "/auth/resend-verification",
+      response: { message: "Verification email sent" }
+    });
+    this.addRoute({
+      method: "POST",
+      path: "/auth/verify-email",
+      response: { message: "Email verified successfully", user: mockUser }
+    });
+    this.addRoute({
+      method: "GET",
+      path: "/auth/sessions",
+      response: { sessions: mockSessions, total: mockSessions.length }
+    });
+    this.addRoute({
+      method: "DELETE",
+      path: /^\/auth\/sessions(\/.*)?$/,
+      response: { message: "Session revoked" }
+    });
+    this.addRoute({
+      method: "GET",
+      path: "/auth/api-keys",
+      response: { apiKeys: mockApiKeys }
+    });
+    this.addRoute({
+      method: "POST",
+      path: "/auth/api-keys",
+      response: { data: { ...mockApiKeys[0], key: "sk_live_full_key_shown_once" } }
+    });
+    this.addRoute({
+      method: "DELETE",
+      path: /^\/auth\/api-keys\/.+$/,
+      response: { message: "API key revoked" }
+    });
+    this.addRoute({
+      method: "PUT",
+      path: /^\/auth\/api-keys\/.+$/,
+      response: { message: "API key updated" }
+    });
+    this.addRoute({
+      method: "GET",
+      path: "/auth/mfa/status",
+      response: mockMFAStatusEnabled
+    });
+    this.addRoute({
+      method: "POST",
+      path: "/auth/mfa-setup",
+      response: { data: mockMFASetup }
+    });
+    this.addRoute({
+      method: "POST",
+      path: "/auth/mfa/verify",
+      response: { message: "MFA setup complete" }
+    });
+    this.addRoute({
+      method: "POST",
+      path: "/auth/mfa/challenge",
+      response: { data: mockLoginSuccess }
+    });
+    this.addRoute({
+      method: "DELETE",
+      path: "/auth/mfa",
+      response: { message: "MFA disabled" }
+    });
+    this.addRoute({
+      method: "POST",
+      path: "/auth/mfa/regenerate-backup-codes",
+      response: { data: { backupCodes: mockMFASetup.backupCodes } }
+    });
+    this.addRoute({
+      method: "GET",
+      path: "/auth/devices",
+      response: { devices: mockDevices, total: mockDevices.length }
+    });
+    this.addRoute({
+      method: "PUT",
+      path: /^\/auth\/devices\/.+\/trust$/,
+      response: { message: "Device trusted" }
+    });
+    this.addRoute({
+      method: "DELETE",
+      path: /^\/auth\/devices\/.+\/(revoke)?$/,
+      response: { message: "Device removed" }
+    });
+    this.addRoute({
+      method: "POST",
+      path: "/auth/device/approve",
+      response: { data: { message: "Device approved", device: mockDevices[0] } }
+    });
+    this.addRoute({
+      method: "POST",
+      path: "/auth/device/block",
+      response: { data: { message: "Device blocked", device: mockDevices[0] } }
+    });
+    this.addRoute({
+      method: "GET",
+      path: "/auth/preferences",
+      response: { preferences: mockUserPreferences }
+    });
+    this.addRoute({
+      method: "PUT",
+      path: "/auth/preferences",
+      response: { message: "Preferences updated" }
+    });
+    this.addRoute({
+      method: "GET",
+      path: "/auth/sso/accounts",
+      response: { accounts: [mockLinkedAccount], count: 1 }
+    });
+    this.addRoute({
+      method: "DELETE",
+      path: "/auth/sso/unlink",
+      response: { message: "Account unlinked" }
+    });
+    this.addRoute({
+      method: "GET",
+      path: "/auth/security/events",
+      response: {
+        data: {
+          events: mockSecurityEvents,
+          pagination: { page: 1, limit: 10, total: mockSecurityEvents.length, totalPages: 1 }
+        }
+      }
+    });
+  }
+};
+function createMockFetch(options = {}) {
+  return new MockFetchInstance(options);
+}
+function createMockFetchWithRoutes(routes) {
+  const mock = new MockFetchInstance();
+  mock.clearRoutes();
+  mock.addRoutes(routes);
+  return mock;
+}
+
+// src/testing/mocks/auth-store.ts
+var MockAuthStore = class {
+  constructor(options = {}) {
+    this.subscribers = /* @__PURE__ */ new Set();
+    this.callHistory = [];
+    this.state = {
+      accessToken: options.initialState?.accessToken ?? null,
+      refreshToken: options.initialState?.refreshToken ?? null,
+      user: options.initialState?.user ?? null,
+      isAuthenticated: options.initialState?.isAuthenticated ?? false
+    };
+  }
+  // ============================================================================
+  // Store Contract
+  // ============================================================================
+  /**
+   * Subscribe to state changes (Svelte store contract).
+   */
+  subscribe(subscriber) {
+    this.subscribers.add(subscriber);
+    subscriber(this.state);
+    return () => this.subscribers.delete(subscriber);
+  }
+  notify() {
+    this.subscribers.forEach((sub) => sub(this.state));
+  }
+  recordCall(method, args) {
+    this.callHistory.push({
+      method,
+      args,
+      timestamp: Date.now()
+    });
+  }
+  // ============================================================================
+  // Getters
+  // ============================================================================
+  get accessToken() {
+    return this.state.accessToken;
+  }
+  get refreshToken() {
+    return this.state.refreshToken;
+  }
+  get user() {
+    return this.state.user;
+  }
+  get isAuthenticated() {
+    return this.state.isAuthenticated;
+  }
+  /**
+   * Get the current auth state snapshot.
+   */
+  getState() {
+    return { ...this.state };
+  }
+  // ============================================================================
+  // Auth Actions
+  // ============================================================================
+  /**
+   * Set auth data after successful login.
+   */
+  setAuth(accessToken, refreshToken, user, sessionToken) {
+    this.recordCall("setAuth", [accessToken, refreshToken, user, sessionToken]);
+    this.state = {
+      accessToken,
+      refreshToken,
+      user,
+      isAuthenticated: true
+    };
+    this.notify();
+  }
+  /**
+   * Update tokens (e.g., after refresh).
+   */
+  updateTokens(accessToken, refreshToken) {
+    this.recordCall("updateTokens", [accessToken, refreshToken]);
+    this.state = {
+      ...this.state,
+      accessToken,
+      refreshToken
+    };
+    this.notify();
+  }
+  /**
+   * Update user data.
+   */
+  updateUser(user) {
+    this.recordCall("updateUser", [user]);
+    this.state = {
+      ...this.state,
+      user
+    };
+    this.notify();
+  }
+  /**
+   * Clear auth state (logout).
+   */
+  logout() {
+    this.recordCall("logout", []);
+    this.state = {
+      accessToken: null,
+      refreshToken: null,
+      user: null,
+      isAuthenticated: false
+    };
+    this.notify();
+  }
+  /**
+   * Logout with SSO support.
+   */
+  async logoutWithSSO() {
+    this.recordCall("logoutWithSSO", []);
+    this.logout();
+    return {};
+  }
+  /**
+   * Re-hydrate state from storage.
+   */
+  rehydrate() {
+    this.recordCall("rehydrate", []);
+  }
+  // ============================================================================
+  // Permission Checks
+  // ============================================================================
+  /**
+   * Check if user has a specific permission.
+   */
+  hasPermission(permission) {
+    return this.state.user?.permissions?.includes(permission) ?? false;
+  }
+  /**
+   * Check if user has a specific role.
+   */
+  hasRole(role) {
+    return this.state.user?.roles?.includes(role) ?? false;
+  }
+  /**
+   * Check if user has any of the specified roles.
+   */
+  hasAnyRole(roles) {
+    return roles.some((role) => this.state.user?.roles?.includes(role)) ?? false;
+  }
+  /**
+   * Check if user has all of the specified roles.
+   */
+  hasAllRoles(roles) {
+    return roles.every((role) => this.state.user?.roles?.includes(role)) ?? false;
+  }
+  /**
+   * Check if user has any of the specified permissions.
+   */
+  hasAnyPermission(permissions) {
+    return permissions.some((perm) => this.state.user?.permissions?.includes(perm)) ?? false;
+  }
+  /**
+   * Check if user has all of the specified permissions.
+   */
+  hasAllPermissions(permissions) {
+    return permissions.every((perm) => this.state.user?.permissions?.includes(perm)) ?? false;
+  }
+  // ============================================================================
+  // Test Utilities
+  // ============================================================================
+  /**
+   * Reset the store to initial state.
+   */
+  reset() {
+    this.state = {
+      accessToken: null,
+      refreshToken: null,
+      user: null,
+      isAuthenticated: false
+    };
+    this.callHistory = [];
+    this.notify();
+  }
+  /**
+   * Simulate an authenticated state.
+   */
+  simulateAuthenticated(user = mockUser) {
+    this.state = {
+      accessToken: mockAccessToken,
+      refreshToken: mockRefreshToken,
+      user,
+      isAuthenticated: true
+    };
+    this.notify();
+  }
+  /**
+   * Simulate an unauthenticated state.
+   */
+  simulateUnauthenticated() {
+    this.state = {
+      accessToken: null,
+      refreshToken: null,
+      user: null,
+      isAuthenticated: false
+    };
+    this.notify();
+  }
+  /**
+   * Set the state directly for testing.
+   */
+  setState(state) {
+    this.state = {
+      ...this.state,
+      ...state
+    };
+    this.notify();
+  }
+  // ============================================================================
+  // Call History
+  // ============================================================================
+  /**
+   * Get all recorded method calls.
+   */
+  getCalls() {
+    return [...this.callHistory];
+  }
+  /**
+   * Get calls for a specific method.
+   */
+  getCallsFor(method) {
+    return this.callHistory.filter((call) => call.method === method);
+  }
+  /**
+   * Check if a method was called.
+   */
+  wasCalled(method) {
+    return this.callHistory.some((call) => call.method === method);
+  }
+  /**
+   * Assert that a method was called.
+   */
+  assertMethodCalled(method, message) {
+    if (!this.wasCalled(method)) {
+      throw new Error(message ?? `Expected ${method} to be called`);
+    }
+  }
+  /**
+   * Assert that a method was not called.
+   */
+  assertMethodNotCalled(method, message) {
+    if (this.wasCalled(method)) {
+      throw new Error(message ?? `Expected ${method} not to be called`);
+    }
+  }
+  /**
+   * Get the last call made.
+   */
+  getLastCall() {
+    return this.callHistory[this.callHistory.length - 1];
+  }
+  /**
+   * Get the last call to a specific method.
+   */
+  getLastCallTo(method) {
+    return [...this.callHistory].reverse().find((call) => call.method === method);
+  }
+  /**
+   * Get total call count.
+   */
+  get callCount() {
+    return this.callHistory.length;
+  }
+  /**
+   * Clear call history.
+   */
+  clearHistory() {
+    this.callHistory = [];
+  }
+};
+function createMockAuthStore(options = {}) {
+  return new MockAuthStore(options);
+}
+function createAuthenticatedMockStore(user = mockUser) {
+  const store = new MockAuthStore();
+  store.simulateAuthenticated(user);
+  return store;
+}
+function createMockAuthActions(store) {
+  return {
+    setAuth: (accessToken, refreshToken, user, sessionToken) => store.setAuth(accessToken, refreshToken, user, sessionToken),
+    updateTokens: (accessToken, refreshToken) => store.updateTokens(accessToken, refreshToken),
+    updateUser: (user) => store.updateUser(user),
+    logout: () => store.logout(),
+    logoutWithSSO: () => store.logoutWithSSO(),
+    hasPermission: (permission) => store.hasPermission(permission),
+    hasRole: (role) => store.hasRole(role),
+    hasAnyRole: (roles) => store.hasAnyRole(roles),
+    hasAllRoles: (roles) => store.hasAllRoles(roles),
+    hasAnyPermission: (permissions) => store.hasAnyPermission(permissions),
+    hasAllPermissions: (permissions) => store.hasAllPermissions(permissions),
+    rehydrate: () => store.rehydrate()
+  };
+}
+function createMockIsAuthenticated(store) {
+  return {
+    subscribe: (subscriber) => {
+      return store.subscribe((state) => subscriber(state.isAuthenticated));
+    }
+  };
+}
+function createMockCurrentUser(store) {
+  return {
+    subscribe: (subscriber) => {
+      return store.subscribe((state) => subscriber(state.user));
+    }
+  };
+}
+function initAuth(options) {
+  ({
+    ...options,
+    storageKey: options.storageKey ?? "classic_auth"
+  });
+}
+
+// src/testing/helpers/setup.ts
+function setupTestAuth(options = {}) {
+  const {
+    baseUrl = "http://localhost:3000",
+    storageKey = "classic_auth",
+    initialStorage,
+    initialAuthState,
+    fetchOptions,
+    initConfig = true
+  } = options;
+  const mockStorage = createMockStorage({ initialData: initialStorage });
+  const mockFetch = createMockFetch({ baseUrl, ...fetchOptions });
+  const mockStore = createMockAuthStore({ initialState: initialAuthState });
+  if (initConfig) {
+    const config2 = {
+      baseUrl,
+      storageKey,
+      storage: mockStorage,
+      fetch: mockFetch.fetch
+    };
+    initAuth(config2);
+  }
+  const cleanup = () => {
+    mockStorage.reset();
+    mockFetch.reset();
+    mockStore.reset();
+  };
+  return {
+    mockFetch,
+    mockStorage,
+    mockStore,
+    cleanup
+  };
+}
+function createTestAuthHelpers(options = {}) {
+  let context = null;
+  return {
+    /**
+     * Setup function to call in beforeEach.
+     */
+    setup: () => {
+      context = setupTestAuth(options);
+      return context;
+    },
+    /**
+     * Cleanup function to call in afterEach.
+     */
+    cleanup: () => {
+      context?.cleanup();
+      context = null;
+    },
+    /**
+     * Get the current test context.
+     */
+    getContext: () => {
+      if (!context) {
+        throw new Error("Test context not initialized. Call setup() first.");
+      }
+      return context;
+    },
+    /**
+     * Get mocks directly (convenience accessors).
+     */
+    getMockFetch: () => context?.mockFetch ?? null,
+    getMockStorage: () => context?.mockStorage ?? null,
+    getMockStore: () => context?.mockStore ?? null
+  };
+}
+function quickSetupAuth(options = {}) {
+  const { cleanup } = setupTestAuth(options);
+  return cleanup;
+}
+function initAuthWithMocks(mockFetch, mockStorage, options = {}) {
+  initAuth({
+    baseUrl: options.baseUrl ?? "http://localhost:3000",
+    storageKey: options.storageKey ?? "classic_auth",
+    storage: mockStorage,
+    fetch: mockFetch.fetch,
+    ...options
+  });
+}
+function resetTestAuth(mockFetch, mockStorage, mockStore) {
+  mockFetch?.reset();
+  mockStorage?.reset();
+  mockStore?.reset();
+}
+async function withTestAuth(fn, options = {}) {
+  const context = setupTestAuth(options);
+  try {
+    return await fn(context);
+  } finally {
+    context.cleanup();
+  }
+}
+async function withTestAuthEach(tests, options = {}) {
+  const results = [];
+  for (const test of tests) {
+    const result = await withTestAuth(test, options);
+    results.push(result);
+  }
+  return results;
+}
+
+// src/testing/helpers/states.ts
+var authScenarios = {
+  unauthenticated: {
+    state: {
+      accessToken: null,
+      refreshToken: null,
+      user: null,
+      isAuthenticated: false
+    },
+    user: null,
+    description: "User is not logged in"
+  },
+  authenticated: {
+    state: {
+      accessToken: mockAccessToken,
+      refreshToken: mockRefreshToken,
+      user: mockUser,
+      isAuthenticated: true
+    },
+    user: mockUser,
+    description: "Standard authenticated user"
+  },
+  admin: {
+    state: {
+      accessToken: mockAdminToken,
+      refreshToken: mockRefreshToken,
+      user: mockAdminUser,
+      isAuthenticated: true
+    },
+    user: mockAdminUser,
+    description: "Admin user with elevated permissions"
+  },
+  ssoUser: {
+    state: {
+      accessToken: mockAccessToken,
+      refreshToken: mockRefreshToken,
+      user: mockSSOUser,
+      isAuthenticated: true
+    },
+    user: mockSSOUser,
+    description: "SSO-authenticated user"
+  },
+  mfaEnabled: {
+    state: {
+      accessToken: mockAccessToken,
+      refreshToken: mockRefreshToken,
+      user: mockMFAUser,
+      isAuthenticated: true
+    },
+    user: mockMFAUser,
+    description: "User with MFA enabled"
+  },
+  unverifiedEmail: {
+    state: {
+      accessToken: mockAccessToken,
+      refreshToken: mockRefreshToken,
+      user: mockUnverifiedUser,
+      isAuthenticated: true
+    },
+    user: mockUnverifiedUser,
+    description: "User with unverified email"
+  },
+  inactive: {
+    state: {
+      accessToken: null,
+      refreshToken: null,
+      user: mockInactiveUser,
+      isAuthenticated: false
+    },
+    user: mockInactiveUser,
+    description: "Inactive/deactivated user"
+  },
+  expiredToken: {
+    state: {
+      accessToken: "expired.token.here",
+      refreshToken: mockRefreshToken,
+      user: mockUser,
+      isAuthenticated: true
+      // Still "authenticated" until refresh fails
+    },
+    user: mockUser,
+    description: "User with expired access token"
+  }
+};
+function applyScenario(store, scenario) {
+  const scenarioData = authScenarios[scenario];
+  store.setState(scenarioData.state);
+}
+function applyScenarios(store, scenarios) {
+  scenarios.forEach((scenario) => applyScenario(store, scenario));
+}
+function getScenarioState(scenario) {
+  return authScenarios[scenario];
+}
+function configureMFAFlow(mockFetch) {
+  mockFetch.removeRoute("POST", "/auth/login");
+  mockFetch.addRoute({
+    method: "POST",
+    path: "/auth/login",
+    response: { data: mockMFARequired }
+  });
+  mockFetch.removeRoute("POST", "/auth/mfa/challenge");
+  mockFetch.addRoute({
+    method: "POST",
+    path: "/auth/mfa/challenge",
+    response: { data: mockLoginSuccess }
+  });
+}
+function configureTokenRefresh(mockFetch, options = {}) {
+  const { success = true, newTokens, errorMessage = "Refresh token expired" } = options;
+  mockFetch.removeRoute("POST", "/auth/refresh");
+  if (success) {
+    const tokens = newTokens ?? createMockTokenPair();
+    mockFetch.addRoute({
+      method: "POST",
+      path: "/auth/refresh",
+      response: { data: tokens }
+    });
+  } else {
+    mockFetch.addRoute({
+      method: "POST",
+      path: "/auth/refresh",
+      status: 401,
+      response: { error: { message: errorMessage } }
+    });
+  }
+}
+function configureSSOLogout(mockFetch, logoutUrl = "https://sso.example.com/logout") {
+  mockFetch.removeRoute("POST", "/auth/logout");
+  mockFetch.addRoute({
+    method: "POST",
+    path: "/auth/logout",
+    response: { data: { ...mockSSOLogoutResponse, logoutUrl } }
+  });
+}
+function configureAuthFailure(mockFetch, options = {}) {
+  const { endpoint, status = 401, message = "Unauthorized" } = options;
+  if (endpoint) {
+    mockFetch.failEndpoint("GET", endpoint, status, message);
+    mockFetch.failEndpoint("POST", endpoint, status, message);
+  } else {
+    mockFetch.failLogin(message);
+    mockFetch.failEndpoint("GET", "/auth/profile", status, message);
+    mockFetch.failEndpoint("GET", "/auth/sessions", status, message);
+  }
+}
+function configureRateLimiting(mockFetch, endpoint) {
+  mockFetch.failEndpoint("GET", endpoint, 429, "Too Many Requests");
+  mockFetch.failEndpoint("POST", endpoint, 429, "Too Many Requests");
+}
+function createTestUserWithPermissions(permissions, roles = ["user"], overrides = {}) {
+  return createMockUserWithRoles(roles, permissions, overrides);
+}
+function createTestAdminUser(overrides = {}) {
+  return {
+    ...mockAdminUser,
+    ...overrides
+  };
+}
+function createTestSSOUser(provider = "authentik", overrides = {}) {
+  return {
+    ...mockSSOUser,
+    authMethod: "oauth",
+    ssoProfileUrl: `https://${provider}.example.com/profile/${mockSSOUser.id}`,
+    ...overrides
+  };
+}
+function simulateLogin(store, user = mockUser, tokens) {
+  const { accessToken, refreshToken } = tokens ?? createMockTokenPair(user.id);
+  store.setAuth(accessToken, refreshToken, user);
+}
+function simulateLogout(store) {
+  store.logout();
+}
+function simulateTokenRefresh(store, newTokens) {
+  const tokens = newTokens ?? createMockTokenPair();
+  store.updateTokens(tokens.accessToken, tokens.refreshToken);
+}
+function simulateProfileUpdate(store, updates) {
+  const currentUser = store.user;
+  if (currentUser) {
+    store.updateUser({ ...currentUser, ...updates });
+  }
+}
+function configureMFAEnrollmentFlow(mockFetch) {
+  mockFetch.addRoute({
+    method: "GET",
+    path: "/auth/mfa/status",
+    response: { enabled: false, methods: [] }
+  });
+}
+function configurePasswordResetFlow(mockFetch) {
+  mockFetch.addRoute({
+    method: "POST",
+    path: "/auth/forgot-password",
+    response: { message: "Password reset email sent" }
+  });
+  mockFetch.addRoute({
+    method: "POST",
+    path: "/auth/reset-password",
+    response: { message: "Password reset successful" }
+  });
+}
+function configureSessionManagementFlow(mockFetch, sessionCount = 3) {
+  const sessions = Array.from({ length: sessionCount }, (_, i) => ({
+    id: `session-${i}`,
+    deviceName: `Device ${i}`,
+    browser: "Chrome",
+    location: "Test Location",
+    ipAddress: `192.168.1.${i}`,
+    lastActivity: (/* @__PURE__ */ new Date()).toISOString(),
+    isCurrent: i === 0,
+    isTrusted: i === 0,
+    deviceFingerprint: `fp-${i}`,
+    createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+    expiresAt: new Date(Date.now() + 6048e5).toISOString()
+  }));
+  mockFetch.removeRoute("GET", "/auth/sessions");
+  mockFetch.addRoute({
+    method: "GET",
+    path: "/auth/sessions",
+    response: { sessions, total: sessionCount }
+  });
+}
+
+// src/core/jwt.ts
+function decodeJWT(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) {
+      return null;
+    }
+    const payload = parts[1];
+    const decoded = atob(payload.replace(/-/g, "+").replace(/_/g, "/"));
+    return JSON.parse(decoded);
+  } catch {
+    return null;
+  }
+}
+function isTokenExpired(token) {
+  const payload = decodeJWT(token);
+  if (!payload || !payload.exp) {
+    return true;
+  }
+  return payload.exp * 1e3 < Date.now();
+}
+
+// src/testing/helpers/assertions.ts
+function assertAuthenticated(state, message = "Expected state to be authenticated") {
+  if (!state.isAuthenticated) {
+    throw new Error(message);
+  }
+  if (!state.accessToken) {
+    throw new Error(`${message}: missing access token`);
+  }
+  if (!state.user) {
+    throw new Error(`${message}: missing user`);
+  }
+}
+function assertUnauthenticated(state, message = "Expected state to be unauthenticated") {
+  if (state.isAuthenticated) {
+    throw new Error(message);
+  }
+  if (state.accessToken) {
+    throw new Error(`${message}: should not have access token`);
+  }
+  if (state.user) {
+    throw new Error(`${message}: should not have user`);
+  }
+}
+function assertHasUser(state, userId, message) {
+  if (!state.user) {
+    throw new Error(message ?? `Expected user with id ${userId} but no user found`);
+  }
+  if (state.user.id !== userId) {
+    throw new Error(message ?? `Expected user id ${userId} but got ${state.user.id}`);
+  }
+}
+function assertHasPermissions(user, permissions, message) {
+  const missing = permissions.filter((p) => !user.permissions?.includes(p));
+  if (missing.length > 0) {
+    throw new Error(message ?? `User missing permissions: ${missing.join(", ")}`);
+  }
+}
+function assertLacksPermissions(user, permissions, message) {
+  const present = permissions.filter((p) => user.permissions?.includes(p));
+  if (present.length > 0) {
+    throw new Error(message ?? `User should not have permissions: ${present.join(", ")}`);
+  }
+}
+function assertHasRoles(user, roles, message) {
+  const missing = roles.filter((r) => !user.roles?.includes(r));
+  if (missing.length > 0) {
+    throw new Error(message ?? `User missing roles: ${missing.join(", ")}`);
+  }
+}
+function assertLacksRoles(user, roles, message) {
+  const present = roles.filter((r) => user.roles?.includes(r));
+  if (present.length > 0) {
+    throw new Error(message ?? `User should not have roles: ${present.join(", ")}`);
+  }
+}
+function assertTokenValid(token, message = "Expected token to be valid") {
+  if (isTokenExpired(token)) {
+    throw new Error(message);
+  }
+}
+function assertTokenExpired(token, message = "Expected token to be expired") {
+  if (!isTokenExpired(token)) {
+    throw new Error(message);
+  }
+}
+function assertTokenHasClaims(token, claims, message) {
+  const payload = decodeJWT(token);
+  if (!payload) {
+    throw new Error(message ?? "Could not decode token");
+  }
+  for (const [key, value] of Object.entries(claims)) {
+    if (payload[key] !== value) {
+      throw new Error(
+        message ?? `Expected token claim ${key} to be ${value} but got ${payload[key]}`
+      );
+    }
+  }
+}
+function assertTokenSubject(token, subject, message) {
+  const payload = decodeJWT(token);
+  if (!payload || payload.sub !== subject) {
+    throw new Error(message ?? `Expected token subject ${subject} but got ${payload?.sub}`);
+  }
+}
+function assertApiCalled(mockFetch, method, path, options = {}) {
+  const calls = mockFetch.getCallsTo(path).filter((call) => (call.options.method ?? "GET").toUpperCase() === method.toUpperCase());
+  if (calls.length === 0) {
+    throw new Error(`Expected ${method} ${path} to be called`);
+  }
+  if (options.times !== void 0 && calls.length !== options.times) {
+    throw new Error(
+      `Expected ${method} ${path} to be called ${options.times} times but was called ${calls.length} times`
+    );
+  }
+  if (options.body !== void 0) {
+    const lastCall = calls[calls.length - 1];
+    let body;
+    try {
+      body = JSON.parse(lastCall.options.body);
+    } catch {
+      body = lastCall.options.body;
+    }
+    const bodyStr = JSON.stringify(body);
+    const expectedStr = JSON.stringify(options.body);
+    if (bodyStr !== expectedStr) {
+      throw new Error(
+        `Expected ${method} ${path} to be called with body ${expectedStr} but got ${bodyStr}`
+      );
+    }
+  }
+  if (options.headers) {
+    const lastCall = calls[calls.length - 1];
+    const callHeaders = lastCall.options.headers;
+    for (const [key, value] of Object.entries(options.headers)) {
+      if (callHeaders?.[key] !== value) {
+        throw new Error(`Expected ${method} ${path} to have header ${key}: ${value}`);
+      }
+    }
+  }
+}
+function assertApiNotCalled(mockFetch, method, path, message) {
+  const calls = mockFetch.getCallsTo(path).filter((call) => (call.options.method ?? "GET").toUpperCase() === method.toUpperCase());
+  if (calls.length > 0) {
+    throw new Error(
+      message ?? `Expected ${method} ${path} not to be called but was called ${calls.length} times`
+    );
+  }
+}
+function assertApiCallOrder(mockFetch, expectedOrder) {
+  const calls = mockFetch.getCalls();
+  let lastIndex = -1;
+  for (const expected of expectedOrder) {
+    const index = calls.findIndex((call, i) => {
+      if (i <= lastIndex) return false;
+      const method = (call.options.method ?? "GET").toUpperCase();
+      const path = new URL(call.url, "http://localhost").pathname;
+      return method === expected.method.toUpperCase() && path.startsWith(expected.path);
+    });
+    if (index === -1) {
+      throw new Error(
+        `Expected ${expected.method} ${expected.path} to be called after previous calls`
+      );
+    }
+    lastIndex = index;
+  }
+}
+function assertStoreMethodCalled(store, method, options = {}) {
+  const calls = store.getCallsFor(method);
+  if (calls.length === 0) {
+    throw new Error(`Expected store.${method}() to be called`);
+  }
+  if (options.times !== void 0 && calls.length !== options.times) {
+    throw new Error(
+      `Expected store.${method}() to be called ${options.times} times but was called ${calls.length} times`
+    );
+  }
+  if (options.args !== void 0) {
+    const lastCall = calls[calls.length - 1];
+    const argsStr = JSON.stringify(lastCall.args);
+    const expectedStr = JSON.stringify(options.args);
+    if (argsStr !== expectedStr) {
+      throw new Error(
+        `Expected store.${method}() to be called with ${expectedStr} but got ${argsStr}`
+      );
+    }
+  }
+}
+function assertStoreMethodNotCalled(store, method, message) {
+  const calls = store.getCallsFor(method);
+  if (calls.length > 0) {
+    throw new Error(
+      message ?? `Expected store.${method}() not to be called but was called ${calls.length} times`
+    );
+  }
+}
+function assertRequiresMFA(response, message = "Expected response to require MFA") {
+  if (!response.requiresMFA && !response.mfaRequired) {
+    throw new Error(message);
+  }
+  if (!response.mfaToken) {
+    throw new Error(`${message}: missing MFA token`);
+  }
+}
+function assertNoMFARequired(response, message = "Expected response not to require MFA") {
+  if (response.requiresMFA || response.mfaRequired) {
+    throw new Error(message);
+  }
+  if (!response.accessToken) {
+    throw new Error(`${message}: missing access token`);
+  }
+}
+function assertEmailVerified(user, message = "Expected user email to be verified") {
+  if (!user.emailVerified) {
+    throw new Error(message);
+  }
+}
+function assertEmailNotVerified(user, message = "Expected user email not to be verified") {
+  if (user.emailVerified) {
+    throw new Error(message);
+  }
+}
+function assertUserActive(user, message = "Expected user to be active") {
+  if (!user.isActive) {
+    throw new Error(message);
+  }
+}
+function assertUserInactive(user, message = "Expected user to be inactive") {
+  if (user.isActive) {
+    throw new Error(message);
+  }
+}
+function assertAuthMethod(user, method, message) {
+  if (user.authMethod !== method) {
+    throw new Error(message ?? `Expected user auth method ${method} but got ${user.authMethod}`);
+  }
+}
+
+export { MockAuthStore, MockFetchInstance, MockStorageAdapter, applyScenario, applyScenarios, assertApiCallOrder, assertApiCalled, assertApiNotCalled, assertAuthMethod, assertAuthenticated, assertEmailNotVerified, assertEmailVerified, assertHasPermissions, assertHasRoles, assertHasUser, assertLacksPermissions, assertLacksRoles, assertNoMFARequired, assertRequiresMFA, assertStoreMethodCalled, assertStoreMethodNotCalled, assertTokenExpired, assertTokenHasClaims, assertTokenSubject, assertTokenValid, assertUnauthenticated, assertUserActive, assertUserInactive, authScenarios, configureAuthFailure, configureMFAEnrollmentFlow, configureMFAFlow, configurePasswordResetFlow, configureRateLimiting, configureSSOLogout, configureSessionManagementFlow, configureTokenRefresh, createAuthenticatedMockStore, createExpiredMockJWT, createMockAuthActions, createMockAuthStore, createMockCurrentUser, createMockDevice, createMockFetch, createMockFetchWithRoutes, createMockIsAuthenticated, createMockJWT, createMockLoginSuccess, createMockMFARequired, createMockMFAToken, createMockSecurityEvent, createMockSession, createMockStorage, createMockStorageWithAuth, createMockTokenPair, createMockUser, createMockUserWithAuthMethod, createMockUserWithRoles, createTestAdminUser, createTestAuthHelpers, createTestSSOUser, createTestUserWithPermissions, getScenarioState, initAuthWithMocks, mockAccessToken, mockAdminLoginSuccess, mockAdminToken, mockAdminUser, mockApiKey, mockApiKeys, mockCurrentSession, mockDevices, mockExpiredToken, mockInactiveUser, mockLinkedAccount, mockLoginSuccess, mockLogoutSuccess, mockMFARequired, mockMFARequiredLegacy, mockMFASetup, mockMFAStatusDisabled, mockMFAStatusEnabled, mockMFAToken, mockMFAUser, mockOtherSession, mockRefreshToken, mockRegisterRequiresVerification, mockRegisterSuccess, mockSSOLoginSuccess, mockSSOLogoutResponse, mockSSOUser, mockSecurityEventLogin, mockSecurityEventPasswordChange, mockSecurityEventSuspicious, mockSecurityEvents, mockSessionToken, mockSessions, mockTrustedDevice, mockUntrustedDevice, mockUnverifiedUser, mockUser, mockUserPreferences, quickSetupAuth, resetTestAuth, setupTestAuth, simulateLogin, simulateLogout, simulateProfileUpdate, simulateTokenRefresh, withTestAuth, withTestAuthEach };