@cosmicdrift/kumiko-bundled-features 0.1.0

package/src/auth-email-password/__tests__/session-strict-mode.integration.ts

@@ -0,0 +1,101 @@
+// Tests the `sessionStrictMode` flag on AuthRoutesConfig. When enabled, a
+// JWT that arrives WITHOUT a `jti` is rejected at the middleware — useful
+// after a rolling deploy has been emitting sids longer than the JWT TTL,
+// so legacy stateless tokens are expected to have expired. Default false
+// keeps pre-upgrade tokens working; this suite flips it on and asserts.
+
+import type { TenantId } from "@cosmicdrift/kumiko-framework/engine";
+import {
+  setupTestStack,
+  type TestStack,
+  TestUsers,
+  testTenantId,
+} from "@cosmicdrift/kumiko-framework/stack";
+import { afterAll, beforeAll, describe, expect, test } from "vitest";
+import { createConfigFeature } from "../../config";
+import { createTenantFeature } from "../../tenant";
+import { createUserFeature } from "../../user";
+import { createAuthEmailPasswordFeature } from "../feature";
+
+let stack: TestStack;
+const TENANT: TenantId = testTenantId(1);
+const userId = TestUsers.systemAdmin.id;
+
+// Stub checker that always accepts. The strictMode branch runs BEFORE the
+// checker is even consulted (no jti → nothing to check), so the stub never
+// fires in the strict-mode path. It's present to satisfy the framework's
+// "you wired sessionChecker, so we'll run it if we have an sid" contract.
+// Accepts the full AuthSessionChecker signature (sid + expectedUserId)
+// even though it doesn't use the args.
+async function stubChecker(_sid: string, _expectedUserId: string): Promise<"live"> {
+  return "live";
+}
+
+beforeAll(async () => {
+  stack = await setupTestStack({
+    features: [
+      createConfigFeature(),
+      createUserFeature(),
+      createTenantFeature(),
+      createAuthEmailPasswordFeature(),
+    ],
+    authConfig: {
+      membershipQuery: "tenant:query:memberships",
+      sessionChecker: stubChecker,
+      sessionStrictMode: true,
+    },
+  });
+});
+
+afterAll(async () => {
+  await stack.cleanup();
+});
+
+describe("sessionStrictMode: sidless JWTs are rejected", () => {
+  test("JWT without jti → 401 with reason=no_sid", async () => {
+    // Hand-signed JWT that carries id + tenantId + roles but NO jti. The
+    // standard testing request-helper signs JWTs the same way on user
+    // arguments without a sid field.
+    const token = await stack.jwt.sign({ id: userId, tenantId: TENANT, roles: ["SystemAdmin"] });
+
+    const res = await stack.http.raw(
+      "POST",
+      "/api/query",
+      { type: "user:query:user:me", payload: {} },
+      { Authorization: `Bearer ${token}` },
+    );
+    expect(res.status).toBe(401);
+    const body = (await res.json()) as { error?: { details?: { reason?: string } } };
+    expect(body.error?.details?.reason).toBe("no_sid");
+  });
+
+  test("JWT WITH jti passes the middleware gate (stubChecker returns 'live')", async () => {
+    const token = await stack.jwt.sign({
+      id: userId,
+      tenantId: TENANT,
+      roles: ["SystemAdmin"],
+      sid: "aaaa1111-bbbb-2222-cccc-3333dddd4444",
+    });
+
+    // Hit /health — it's in PUBLIC_API_PATHS and bypasses auth entirely,
+    // so a success there tells us nothing. Instead send to a known handler
+    // and just assert the middleware didn't turn it into a 401. The
+    // minimal stack has no user-table; the me-query would 500 on its SQL
+    // call, which is fine for this test (we're specifically NOT making
+    // statements about the handler behaviour). 401 means "middleware
+    // blocked us", which is exactly the bug this suite catches.
+    const res = await stack.http.raw(
+      "POST",
+      "/api/query",
+      { type: "user:query:user:me", payload: {} },
+      { Authorization: `Bearer ${token}` },
+    );
+    expect(res.status).not.toBe(401);
+    // Narrow the "not 401" to exclude other 4xx middleware errors too.
+    // A 403 from access-layer or a 400 from shape-validation wouldn't
+    // come from sessionStrictMode, but either would be a different code
+    // path than the one we're testing — flag them if they surface.
+    expect(res.status).not.toBe(403);
+    expect(res.status).not.toBe(400);
+  });
+});

package/src/auth-email-password/__tests__/signed-token.test.ts

@@ -0,0 +1,78 @@
+import { Temporal } from "temporal-polyfill";
+import { describe, expect, test } from "vitest";
+import { signToken, TokenPurpose, verifyToken } from "../signed-token";
+
+const SECRET = "test-hmac-secret-32-bytes-minimum!!";
+const USER_ID = "11111111-1111-4111-8111-111111111111";
+
+describe("signed-token", () => {
+  test("round-trip: sign → verify (matching purpose) → userId", () => {
+    const { token } = signToken(USER_ID, TokenPurpose.passwordReset, 15, SECRET);
+    const result = verifyToken(token, TokenPurpose.passwordReset, SECRET);
+    expect(result.ok).toBe(true);
+    if (result.ok) expect(result.userId).toBe(USER_ID);
+  });
+
+  test("cross-purpose replay is rejected (reset token on verify endpoint)", () => {
+    const { token } = signToken(USER_ID, TokenPurpose.passwordReset, 15, SECRET);
+    const result = verifyToken(token, TokenPurpose.emailVerification, SECRET);
+    expect(result).toEqual({ ok: false, reason: "bad_signature" });
+  });
+
+  test("tampered signature → bad_signature", () => {
+    const { token } = signToken(USER_ID, TokenPurpose.passwordReset, 15, SECRET);
+    const tampered = `${token.slice(0, -3)}XXX`;
+    const result = verifyToken(tampered, TokenPurpose.passwordReset, SECRET);
+    expect(result).toEqual({ ok: false, reason: "bad_signature" });
+  });
+
+  test("different secret → bad_signature", () => {
+    const { token } = signToken(USER_ID, TokenPurpose.passwordReset, 15, SECRET);
+    const result = verifyToken(
+      token,
+      TokenPurpose.passwordReset,
+      "other-secret-not-the-same-one!!!!",
+    );
+    expect(result).toEqual({ ok: false, reason: "bad_signature" });
+  });
+
+  test("expired → expired", () => {
+    const t0 = Temporal.Instant.fromEpochMilliseconds(1_700_000_000_000);
+    const laterThanTtl = t0.add({ minutes: 16 });
+    const { token } = signToken(USER_ID, TokenPurpose.passwordReset, 15, SECRET, t0);
+    const result = verifyToken(token, TokenPurpose.passwordReset, SECRET, laterThanTtl);
+    expect(result).toEqual({ ok: false, reason: "expired" });
+  });
+
+  test("malformed: wrong part count", () => {
+    expect(verifyToken("not-a-token", "reset", SECRET)).toEqual({
+      ok: false,
+      reason: "malformed",
+    });
+    expect(verifyToken("a.b", "reset", SECRET)).toEqual({
+      ok: false,
+      reason: "malformed",
+    });
+    expect(verifyToken("a.b.c.d", "reset", SECRET)).toEqual({
+      ok: false,
+      reason: "malformed",
+    });
+  });
+
+  test("malformed: non-numeric expiry", () => {
+    const result = verifyToken(`${USER_ID}.not-a-number.sig`, "reset", SECRET);
+    expect(result).toEqual({ ok: false, reason: "malformed" });
+  });
+
+  test("empty parts count as malformed", () => {
+    const result = verifyToken("..", "reset", SECRET);
+    expect(result).toEqual({ ok: false, reason: "malformed" });
+  });
+
+  test("expiresAt reflects configured TTL", () => {
+    const t0 = Temporal.Instant.fromEpochMilliseconds(1_700_000_000_000);
+    const { expiresAt } = signToken(USER_ID, "reset", 30, SECRET, t0);
+    const diff = expiresAt.since(t0).total({ unit: "minutes" });
+    expect(diff).toBe(30);
+  });
+});

package/src/auth-email-password/__tests__/signup-flow.integration.ts

@@ -0,0 +1,259 @@
+// Magic-Link-Self-Signup Full-Stack Integration-Test. Spec ist der
+// Test selbst (advisor-Empfehlung). Geht durch HTTP, weil
+// stack.dispatcher nicht exposed ist und die Routes ohnehin der
+// reale User-Pfad sind.
+//
+// Pinst:
+//   1. POST signup-request mit valid email → 200, Mail captured durch
+//      sendActivationEmail-callback (echte route + signup-feature).
+//   2. Resend-Idempotenz: zweiter Request für selbe email → gleicher
+//      Token in Mail (existing token in Redis wird re-genutzt).
+//   3. POST signup-confirm mit captured Token + Password → 200, Cookies
+//      gesetzt (kumiko_auth + kumiko_csrf), Body mit user + tenantKey,
+//      DB hat user (emailVerified=true) + tenant + Admin-membership.
+//   4. POST /api/auth/login mit demselben Password → 200 (Authority-
+//      Beweis: tenant + user + membership wirklich da, Auto-Login
+//      könnte stattdessen den JWT aus signup-confirm verwenden, aber
+//      dieser zweite Login schließt aus dass die signup-confirm-
+//      pipeline irgendetwas verschluckt hat).
+//   5. Replay: zweiter signup-confirm mit gleichem Token → 422
+//      invalid_signup_token (single-use burn).
+//   6. Token-not-found / abgelaufen → 422 invalid_signup_token
+//      (uniformer Code, kein Enumeration-leak).
+//   7. Sequential Signups → unique tenantKey-Slugs (TOCTOU-Schutz
+//      via DB-unique-index + generateUniqueName-isAvailable-check
+//      zusammen).
+
+import {
+  createEntityTable,
+  pushTables,
+  setupTestStack,
+  type TestStack,
+} from "@cosmicdrift/kumiko-framework/stack";
+import { eq } from "drizzle-orm";
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "vitest";
+import { createConfigFeature } from "../../config";
+import { createConfigResolver } from "../../config/resolver";
+import { configValuesTable } from "../../config/table";
+import { createTenantFeature } from "../../tenant";
+import { tenantMembershipsTable } from "../../tenant/membership-table";
+import { tenantEntity, tenantTable } from "../../tenant/schema/tenant";
+import { createUserFeature } from "../../user/feature";
+import { userEntity, userTable } from "../../user/schema/user";
+import { AuthErrors, AuthHandlers } from "../constants";
+import { createAuthEmailPasswordFeature } from "../feature";
+
+const APP_ACTIVATION_URL = "https://app.example.com/signup/complete";
+const capturedActivationEmails: Array<{
+  email: string;
+  activationUrl: string;
+  expiresAt: string;
+}> = [];
+
+let stack: TestStack;
+
+beforeAll(async () => {
+  stack = await setupTestStack({
+    features: [
+      createConfigFeature(),
+      createUserFeature(),
+      createTenantFeature(),
+      createAuthEmailPasswordFeature({
+        signup: { tokenTtlMinutes: 60 },
+      }),
+    ],
+    extraContext: { configResolver: createConfigResolver() },
+    authConfig: {
+      membershipQuery: "tenant:query:memberships",
+      loginHandler: AuthHandlers.login,
+      signup: {
+        requestHandler: AuthHandlers.signupRequest,
+        confirmHandler: AuthHandlers.signupConfirm,
+        appActivationUrl: APP_ACTIVATION_URL,
+        sendActivationEmail: async (args) => {
+          capturedActivationEmails.push(args);
+        },
+      },
+    },
+  });
+
+  await createEntityTable(stack.db, userEntity);
+  // tenant-entity hat den unique-constraint auf .key (siehe
+  // tenant.schema.indexes). createEntityTable baut das via
+  // buildDrizzleTable nach — pinst den TOCTOU-Schutz für signup-confirm.
+  await createEntityTable(stack.db, tenantEntity);
+  await pushTables(stack.db, { configValuesTable, tenantMembershipsTable });
+});
+
+afterAll(async () => {
+  await stack.cleanup();
+});
+
+beforeEach(async () => {
+  await stack.db.delete(userTable);
+  await stack.db.delete(tenantMembershipsTable);
+  await stack.db.delete(tenantTable);
+  capturedActivationEmails.length = 0;
+  // Redis-cleanup damit Resend-Tests keine state-leaks haben.
+  const allKeys = await stack.redis.redis.keys("signup:*");
+  if (allKeys.length > 0) await stack.redis.redis.del(...allKeys);
+});
+
+async function postSignupRequest(email: string): Promise<Response> {
+  return stack.http.raw("POST", "/api/auth/signup-request", { email });
+}
+
+async function postSignupConfirm(token: string, password: string): Promise<Response> {
+  return stack.http.raw("POST", "/api/auth/signup-confirm", { token, password });
+}
+
+async function postLogin(email: string, password: string): Promise<Response> {
+  return stack.http.raw("POST", "/api/auth/login", { email, password });
+}
+
+function extractTokenFromUrl(url: string): string {
+  const match = url.match(/[?&]token=([^&]+)/);
+  if (!match?.[1]) throw new Error(`No token in url: ${url}`);
+  return decodeURIComponent(match[1]);
+}
+
+describe("POST /api/auth/signup-request", () => {
+  test("known email → 200, mail captured mit activation-url", async () => {
+    const res = await postSignupRequest("alice@example.com");
+    expect(res.status).toBe(200);
+    expect(await res.json()).toEqual({ isSuccess: true });
+    expect(capturedActivationEmails).toHaveLength(1);
+    const [captured] = capturedActivationEmails;
+    if (!captured) throw new Error("no captured email");
+    expect(captured.email).toBe("alice@example.com");
+    expect(captured.activationUrl.startsWith(`${APP_ACTIVATION_URL}?token=`)).toBe(true);
+    expect(typeof captured.expiresAt).toBe("string");
+  });
+
+  test("Resend: zweiter Request für selbe email → gleicher token in Mail", async () => {
+    await postSignupRequest("resend@example.com");
+    await postSignupRequest("resend@example.com");
+
+    expect(capturedActivationEmails).toHaveLength(2);
+    const [first, second] = capturedActivationEmails;
+    if (!first || !second) throw new Error("missing emails");
+    expect(extractTokenFromUrl(second.activationUrl)).toBe(
+      extractTokenFromUrl(first.activationUrl),
+    );
+  });
+
+  test("malformed body → 200 (silent success, anti-enumeration)", async () => {
+    const res = await stack.http.raw("POST", "/api/auth/signup-request", { wrong: "shape" });
+    expect(res.status).toBe(200);
+    expect(capturedActivationEmails).toHaveLength(0);
+  });
+});
+
+describe("POST /api/auth/signup-confirm", () => {
+  async function requestSignup(email: string): Promise<string> {
+    capturedActivationEmails.length = 0;
+    const res = await postSignupRequest(email);
+    expect(res.status).toBe(200);
+    const captured = capturedActivationEmails[0];
+    if (!captured) throw new Error("signup-request fixture didn't capture mail");
+    return extractTokenFromUrl(captured.activationUrl);
+  }
+
+  test("voller Roundtrip: confirm legt user + tenant + Admin-Membership an, Cookies + Login funktioniert", async () => {
+    const email = "bob@example.com";
+    const password = "fresh-secure-pw-1234";
+    const token = await requestSignup(email);
+
+    const confirmRes = await postSignupConfirm(token, password);
+    expect(confirmRes.status).toBe(200);
+    const body = (await confirmRes.json()) as {
+      isSuccess: boolean;
+      token?: string;
+      user?: { id: string; tenantId: string; roles: string[] };
+      tenantKey?: string;
+    };
+    expect(body.isSuccess).toBe(true);
+    expect(body.token).toBeTruthy();
+    expect(body.user?.id).toBeTruthy();
+    expect(body.user?.tenantId).toBeTruthy();
+    expect(body.user?.roles).toContain("Admin");
+    expect(body.tenantKey).toBeTruthy();
+
+    // Cookies gesetzt (auth + csrf)
+    const setCookies = confirmRes.headers.get("set-cookie") ?? "";
+    expect(setCookies).toContain("kumiko_auth=");
+    expect(setCookies).toContain("kumiko_csrf=");
+
+    // DB-State pinst
+    const userRows = await stack.db.select().from(userTable).where(eq(userTable.email, email));
+    expect(userRows).toHaveLength(1);
+    expect(userRows[0]?.["emailVerified"]).toBe(true);
+    expect(userRows[0]?.["passwordHash"]).toBeTruthy();
+
+    const tenantRows = await stack.db
+      .select()
+      .from(tenantTable)
+      .where(eq(tenantTable.id, body.user?.tenantId ?? ""));
+    expect(tenantRows).toHaveLength(1);
+    expect(tenantRows[0]?.["key"]).toBe(body.tenantKey);
+
+    const memberships = await stack.db
+      .select()
+      .from(tenantMembershipsTable)
+      .where(eq(tenantMembershipsTable.userId, body.user?.id ?? ""));
+    expect(memberships).toHaveLength(1);
+    const rolesRaw = memberships[0]?.["roles"];
+    if (typeof rolesRaw === "string") {
+      expect(JSON.parse(rolesRaw) as string[]).toContain("Admin");
+    }
+
+    // Authority-Beweis: Login mit dem gesetzten Password funktioniert.
+    const loginRes = await postLogin(email, password);
+    expect(loginRes.status).toBe(200);
+  });
+
+  test("Single-Use-Burn: zweiter confirm mit gleichem Token → 422 invalid_signup_token", async () => {
+    const email = "burn@example.com";
+    const password = "burn-test-pw-1234";
+    const token = await requestSignup(email);
+
+    const first = await postSignupConfirm(token, password);
+    expect(first.status).toBe(200);
+
+    const second = await postSignupConfirm(token, "another-pw-9876");
+    expect(second.status).toBe(422);
+    const body = (await second.json()) as {
+      error?: { details?: { reason?: string } };
+    };
+    expect(body.error?.details?.reason).toBe(AuthErrors.invalidSignupToken);
+  });
+
+  test("unbekannter Token → 422 invalid_signup_token (Anti-Enumeration)", async () => {
+    const res = await postSignupConfirm("nonexistent-token-xxxxxxxxxx", "any-pw-1234");
+    expect(res.status).toBe(422);
+    const body = (await res.json()) as {
+      error?: { details?: { reason?: string } };
+    };
+    expect(body.error?.details?.reason).toBe(AuthErrors.invalidSignupToken);
+  });
+
+  test("zu kurzes Password → 400 invalid_body (Schema-Reject vor dispatcher)", async () => {
+    const email = "short@example.com";
+    const token = await requestSignup(email);
+    const res = await postSignupConfirm(token, "tiny");
+    expect(res.status).toBe(400);
+  });
+
+  test("mehrere sequentielle Signups → unterschiedliche tenant.key-Slugs", async () => {
+    const keys: string[] = [];
+    for (let i = 0; i < 3; i++) {
+      const email = `multi-${i}@example.com`;
+      const token = await requestSignup(email);
+      const confirmRes = await postSignupConfirm(token, `multi-pw-${i}-1234`);
+      expect(confirmRes.status).toBe(200);
+      const body = (await confirmRes.json()) as { tenantKey: string };
+      keys.push(body.tenantKey);
+    }
+    expect(new Set(keys).size).toBe(3);
+  });
+});

package/src/auth-email-password/auth-user-row.ts

@@ -0,0 +1,41 @@
+// Narrow cross-feature query results (ctx.queryAs → Promise<unknown>) into
+// the shape the auth handlers actually read. Replaces a bare
+// `as AuthUserRow | null` at the system boundary — the coding standard
+// requires a TypeGuard in place of unchecked casts from unknown.
+
+import type { TenantId } from "@cosmicdrift/kumiko-framework/engine";
+
+// Fields findForAuth returns. `version` is present for updates, `email` +
+// `passwordHash` only for login/reset/verification lookups. Every field
+// except `id` is optional because different call-sites read different
+// subsets and the projection may add nullable columns later.
+export type AuthUserRow = {
+  readonly id: string;
+  readonly email?: string;
+  readonly version?: number;
+  readonly passwordHash?: string | null;
+  readonly isDeleted?: boolean | null;
+  readonly emailVerified?: boolean | null;
+  readonly lastActiveTenantId?: TenantId | string | null;
+  // JSON-encoded string[] — globale Rollen die parallel zu tenant-membership-
+  // roles gelten (z.B. SystemAdmin, BillingAdmin). Caller deserialisiert via
+  // parseRoles() vor dem Merge in die Session.
+  readonly roles?: string | null;
+};
+
+// Returns the narrowed row or null — mirrors findForAuth's contract where
+// "not found" is a legitimate outcome (unknown email, unknown id). Throws
+// NEVER — a malformed row is treated as not-found so enumeration surfaces
+// stay consistent across "user doesn't exist" and "DB gave back junk".
+export function parseAuthUserRow(raw: unknown): AuthUserRow | null {
+  if (raw === null || raw === undefined) return null;
+  if (typeof raw !== "object") return null;
+  const obj = raw as Record<string, unknown>; // @cast-boundary db-row
+  if (typeof obj["id"] !== "string") return null;
+  // Deliberate boundary-cast: id is verified; the remaining optional
+  // fields (email, version, isDeleted, …) are declared optional on
+  // AuthUserRow so a missing property at the callsite surfaces as
+  // `undefined` on read, not a runtime exception. Explicit validation
+  // of each column would duplicate findForAuth's schema and rot with it.
+  return obj as unknown as AuthUserRow;
+}

package/src/auth-email-password/constants.ts

@@ -0,0 +1,101 @@
+// @runtime client
+// Pure string-Konstanten — keine DB/Node-builtins. Mit `@runtime client`
+// markiert damit auch Browser-Code (Members-Screen etc.) sie importieren
+// kann ohne dass die runtime-isolation-Guard schreit. Runtime darf
+// "client"-Files importieren (siehe RUNTIME_RULES), also bleibt auch
+// der server-side Zugriff (handlers, dispatcher) erhalten.
+export const AUTH_EMAIL_PASSWORD_FEATURE = "auth-email-password" as const;
+
+// Qualified handler names. Non-CRUD handlers, no entity prefix.
+export const AuthHandlers = {
+  login: "auth-email-password:write:login",
+  logout: "auth-email-password:write:logout",
+  changePassword: "auth-email-password:write:change-password",
+  requestPasswordReset: "auth-email-password:write:request-password-reset",
+  resetPassword: "auth-email-password:write:reset-password",
+  requestEmailVerification: "auth-email-password:write:request-email-verification",
+  verifyEmail: "auth-email-password:write:verify-email",
+  // Magic-Link Self-Signup (Pre-Activation-Token-Pattern). request mintet
+  // einen opaken Random-Token, speichert ihn bidirektional in Redis und
+  // sendet eine Aktivierungs-Mail. confirm löst den Token ein und legt
+  // user + tenant + Admin-Membership atomar an. emailVerified=true ab
+  // Sekunde 0 — der Klick auf den Mail-Link IST der Beweis.
+  signupRequest: "auth-email-password:write:signup-request",
+  signupConfirm: "auth-email-password:write:signup-confirm",
+  // Tenant-Invite Magic-Link (Admin lädt User in existing Tenant ein).
+  // Drei separate accept-Endpoints für klare Branch-Separation:
+  //   inviteCreate: Admin → POST email + role
+  //   inviteAccept: logged-in User → POST token (membership-add)
+  //   inviteAcceptWithLogin: anon User mit existing email → POST token + email + password
+  //   inviteSignupComplete: anon User mit neuer email → POST token + password
+  //   inviteCancel: Admin cancelt pending invite
+  inviteCreate: "auth-email-password:write:invite-create",
+  inviteAccept: "auth-email-password:write:invite-accept",
+  inviteAcceptWithLogin: "auth-email-password:write:invite-accept-with-login",
+  inviteSignupComplete: "auth-email-password:write:invite-signup-complete",
+  inviteCancel: "auth-email-password:write:invite-cancel",
+} as const;
+
+// Error codes — kept intentionally generic so clients can't distinguish
+// "email doesn't exist" from "password wrong". Both surface as invalid_credentials.
+// Soft-deleted users also collapse into invalid_credentials to avoid enumeration.
+export const AuthErrors = {
+  invalidCredentials: "invalid_credentials",
+  noMembership: "no_membership",
+  // Reset-flow: the route maps every reset-token verify failure (malformed,
+  // bad signature, expired) to this single code so a probing client can't
+  // learn whether a token was tampered with or just stale.
+  invalidResetToken: "invalid_reset_token",
+  resetNotConfigured: "password_reset_not_configured",
+  // Verification-flow: mirrors the reset-token handling. The login path
+  // uses `emailNotVerified` which IS a deliberate enumeration leak —
+  // UX benefit (explicit "check your email") outweighs the marginal
+  // signal ("this email exists in our system"). Signup already surfaces
+  // that.
+  invalidVerificationToken: "invalid_verification_token",
+  verificationNotConfigured: "email_verification_not_configured",
+  emailNotVerified: "email_not_verified",
+  // Self-Signup: alle confirm-Failures (unbekannter Token, schon
+  // konsumiert, abgelaufen) collapsen auf diesen Code — gleicher
+  // anti-enumeration-Trade-off wie reset/verify.
+  invalidSignupToken: "invalid_signup_token",
+  signupNotConfigured: "signup_not_configured",
+  // Invite-Flow: alle Token-Failures collapsen auf invalidInviteToken
+  // (anti-enumeration). emailMismatch wenn der invitee versucht den
+  // Link mit einer anderen Email zu accepten als die eingeladene.
+  invalidInviteToken: "invalid_invite_token",
+  inviteEmailMismatch: "invite_email_mismatch",
+  inviteAlreadyMember: "invite_already_member",
+  // Account-lockout: login refuses with this code when the user's streak of
+  // failed attempts has crossed the configured threshold. The error detail
+  // carries `retryAfterSeconds` so the UI can show a countdown. Returning a
+  // distinct code (rather than hiding it inside invalid_credentials) is a
+  // deliberate enumeration trade-off: the lockout event itself is already
+  // observable to the attacker, and legit users benefit from a clear signal.
+  accountLocked: "account_locked",
+} as const;
+
+// Account-lockout defaults — overridable via
+// AuthEmailPasswordOptions.accountLockout on the feature. Defaults track the
+// industry norm (NIST 800-63B) for password-only logins: a small streak
+// threshold, a short cooldown.
+export const AUTH_LOCKOUT_DEFAULT_MAX_FAILED_ATTEMPTS = 5;
+export const AUTH_LOCKOUT_DEFAULT_DURATION_MINUTES = 15;
+
+export const AUTH_RESET_DEFAULT_TTL_MINUTES = 15;
+// Verification tokens live longer by default because the user may not be
+// at their computer the moment they sign up — 24h covers "verify after
+// I've got home from work". The HMAC-signed token is still single-use
+// because flipping emailVerified=true is an idempotent state change:
+// replaying the same token re-sets the same flag.
+export const AUTH_VERIFY_DEFAULT_TTL_MINUTES = 24 * 60;
+
+// Self-Signup: 24h Default. Lang genug damit User nicht denken muss
+// "schnell aktivieren" — ein Mail-Link der morgen früh noch geht ist
+// User-Friendly. Kürzere TTLs werfen Resend-Spam weil User vergessen.
+export const AUTH_SIGNUP_DEFAULT_TTL_MINUTES = 24 * 60;
+
+// Tenant-Invite: 7 Tage Default. Industry-Standard (GitHub, Linear,
+// Slack); invitees brauchen oft länger zum Reagieren als bei Self-
+// Signup wo die User-Intention frisch ist.
+export const AUTH_INVITE_DEFAULT_TTL_MINUTES = 7 * 24 * 60;