@dbsc-toolkit/better-auth 0.1.0

package/dist/client.d.ts

@@ -0,0 +1,43 @@
+/**
+ * Client plugin for @dbsc-toolkit/better-auth.
+ *
+ * Provides TypeScript inference for the DBSC endpoints so your
+ * Better Auth client knows about /dbsc/* and /dbsc-bound/* paths.
+ *
+ * Usage:
+ *   import { createAuthClient } from "better-auth/client"
+ *   import { dbscClient } from "@dbsc-toolkit/better-auth/client"
+ *
+ *   export const authClient = createAuthClient({
+ *     plugins: [dbscClient()]
+ *   })
+ *
+ * Then initialize the polyfill in your browser entry point:
+ *   import { initBoundDbsc } from "dbsc-toolkit/client"
+ *   initBoundDbsc({ baseUrl: "" })
+ */
+export declare function dbscClient(): {
+    id: string;
+    pathMethods: {
+        readonly "/dbsc/registration": "POST";
+        readonly "/dbsc/refresh": "POST";
+        readonly "/dbsc-bound/state": "GET";
+        readonly "/dbsc-bound/challenge": "GET";
+        readonly "/dbsc-bound/registration": "POST";
+        readonly "/dbsc-bound/refresh": "POST";
+    };
+    getActions(fetch: (path: string, options?: RequestInit) => Promise<Response>): {
+        dbsc: {
+            /** Check bound state for the current session. */
+            getBoundState: () => Promise<Response>;
+            /** Manually trigger polyfill registration (normally automatic). */
+            registerBound: (body: {
+                sessionId: string;
+                jwk: JsonWebKey;
+                challenge: string;
+            }) => Promise<Response>;
+        };
+    };
+    getAtoms(): {};
+};
+//# sourceMappingURL=client.d.ts.map

package/dist/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,wBAAgB,UAAU;;;;;;;;;;sBAcJ,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,WAAW,KAAK,OAAO,CAAC,QAAQ,CAAC;;YAGtE,iDAAiD;;YAEjD,mEAAmE;kCAC7C;gBAAE,SAAS,EAAE,MAAM,CAAC;gBAAC,GAAG,EAAE,UAAU,CAAC;gBAAC,SAAS,EAAE,MAAM,CAAA;aAAE;;;;EAiBxF"}

package/dist/client.js

@@ -0,0 +1,53 @@
+/**
+ * Client plugin for @dbsc-toolkit/better-auth.
+ *
+ * Provides TypeScript inference for the DBSC endpoints so your
+ * Better Auth client knows about /dbsc/* and /dbsc-bound/* paths.
+ *
+ * Usage:
+ *   import { createAuthClient } from "better-auth/client"
+ *   import { dbscClient } from "@dbsc-toolkit/better-auth/client"
+ *
+ *   export const authClient = createAuthClient({
+ *     plugins: [dbscClient()]
+ *   })
+ *
+ * Then initialize the polyfill in your browser entry point:
+ *   import { initBoundDbsc } from "dbsc-toolkit/client"
+ *   initBoundDbsc({ baseUrl: "" })
+ */
+export function dbscClient() {
+    return {
+        id: "dbsc-toolkit",
+        // Path → HTTP method map so Better Auth's client can infer the right fetch
+        pathMethods: {
+            "/dbsc/registration": "POST",
+            "/dbsc/refresh": "POST",
+            "/dbsc-bound/state": "GET",
+            "/dbsc-bound/challenge": "GET",
+            "/dbsc-bound/registration": "POST",
+            "/dbsc-bound/refresh": "POST",
+        },
+        getActions(fetch) {
+            return {
+                dbsc: {
+                    /** Check bound state for the current session. */
+                    getBoundState: () => fetch("/dbsc-bound/state"),
+                    /** Manually trigger polyfill registration (normally automatic). */
+                    registerBound: (body) => fetch("/dbsc-bound/registration", {
+                        method: "POST",
+                        headers: { "content-type": "application/json" },
+                        body: JSON.stringify(body),
+                    }),
+                },
+            };
+        },
+        getAtoms() {
+            // No reactive state atoms needed for DBSC — the binding happens
+            // transparently in the background. Add nanostores here if you need
+            // UI that reflects binding status.
+            return {};
+        },
+    };
+}
+//# sourceMappingURL=client.js.map

package/dist/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,MAAM,UAAU,UAAU;IACxB,OAAO;QACL,EAAE,EAAE,cAAc;QAElB,2EAA2E;QAC3E,WAAW,EAAE;YACX,oBAAoB,EAAE,MAAM;YAC5B,eAAe,EAAE,MAAM;YACvB,mBAAmB,EAAE,KAAK;YAC1B,uBAAuB,EAAE,KAAK;YAC9B,0BAA0B,EAAE,MAAM;YAClC,qBAAqB,EAAE,MAAM;SACrB;QAEV,UAAU,CAAC,KAAiE;YAC1E,OAAO;gBACL,IAAI,EAAE;oBACJ,iDAAiD;oBACjD,aAAa,EAAE,GAAG,EAAE,CAAC,KAAK,CAAC,mBAAmB,CAAC;oBAC/C,mEAAmE;oBACnE,aAAa,EAAE,CAAC,IAA+D,EAAE,EAAE,CACjF,KAAK,CAAC,0BAA0B,EAAE;wBAChC,MAAM,EAAE,MAAM;wBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;wBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;qBAC3B,CAAC;iBACL;aACF,CAAC;QACJ,CAAC;QAED,QAAQ;YACN,gEAAgE;YAChE,mEAAmE;YACnE,mCAAmC;YACnC,OAAO,EAAE,CAAC;QACZ,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/express.d.ts

@@ -0,0 +1,65 @@
+/**
+ * Express adapter for @dbsc-toolkit/better-auth.
+ *
+ * One factory call gives you the same `install / requireProof` shape the
+ * Express adapter in `dbsc-toolkit` exposes, but backed by Better Auth's DB.
+ *
+ *   import { dbscExpress } from "@dbsc-toolkit/better-auth/express"
+ *   const dbsc = dbscExpress(auth)
+ *   dbsc.install(app)
+ *   app.get("/profile", dbsc.requireProof(), handler)
+ *
+ * The storage adapter is resolved lazily from `auth.$context` on the first
+ * DBSC request — that's why `dbscExpress()` is sync and never touches the DB
+ * at module-evaluation time.
+ */
+import type { Express, RequestHandler } from "express";
+import { type AnyTelemetryEvent, type ProofReplayCache, type RateLimiter } from "dbsc-toolkit";
+export interface AuthLike {
+    $context: Promise<{
+        adapter: any;
+        internalAdapter: any;
+    }>;
+}
+export interface DbscExpressOptions {
+    /** Base path Better Auth is mounted at. Default "/api/auth". Must match `dbsc({ basePath })` in your auth.ts. */
+    basePath?: string;
+    /** Mount path for the polyfill SDK + init shim. Default "/dbsc-client". Set false to skip serving. */
+    clientPath?: string | false;
+    /** Cookie scope. Default "host". */
+    cookieScope?: "host" | "site";
+    /** Required when cookieScope is "site". */
+    cookieDomain?: string;
+    /** Use `Secure` cookies + `__Host-`/`__Secure-` prefixes. Default true. Set false on bare-http localhost. */
+    secure?: boolean;
+    /** Bound cookie TTL (ms). Default 600_000 (10 min). */
+    sessionTtl?: number;
+    /** Replay cache for per-request proofs. Default no-op. */
+    replayCache?: ProofReplayCache;
+    /** Rate limiter for /dbsc/* routes. Default no-op. */
+    rateLimiter?: RateLimiter;
+    /** Telemetry hook fired on registration, refresh, failures. */
+    onEvent?: (event: AnyTelemetryEvent) => void | Promise<void>;
+}
+export interface DbscExpressKit {
+    /** Mount the full DBSC surface: protocol routes + polyfill routes + /dbsc-client/*. */
+    install(app: Express): Express;
+    /** Raw middleware for manual mounting (skips install()'s static SDK + init shim). */
+    middleware(): RequestHandler;
+    /** Route guard that verifies the X-Dbsc-Bound-Proof header. 403 on missing/invalid. */
+    requireProof(): RequestHandler;
+}
+/**
+ * Build a DBSC kit for an Express + Better Auth app.
+ *
+ * The Better Auth plugin (`dbsc()` in `auth.ts`) issues the
+ * `Secure-Session-Registration` header after every sign-in. This kit handles
+ * everything that follows: the protocol routes Chrome posts to, the polyfill
+ * endpoints, and the per-request proof verifier.
+ *
+ *   const dbsc = dbscExpress(auth)
+ *   dbsc.install(app)
+ *   app.get("/profile", dbsc.requireProof(), profileHandler)
+ */
+export declare function dbscExpress(auth: AuthLike, opts?: DbscExpressOptions): DbscExpressKit;
+//# sourceMappingURL=express.d.ts.map

package/dist/express.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"express.d.ts","sourceRoot":"","sources":["../src/express.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AACH,OAAO,KAAK,EAAE,OAAO,EAAE,cAAc,EAAmC,MAAM,SAAS,CAAC;AAExF,OAAO,EAML,KAAK,iBAAiB,EACtB,KAAK,gBAAgB,EACrB,KAAK,WAAW,EACjB,MAAM,cAAc,CAAC;AAKtB,MAAM,WAAW,QAAQ;IACvB,QAAQ,EAAE,OAAO,CAAC;QAChB,OAAO,EAAE,GAAG,CAAC;QACb,eAAe,EAAE,GAAG,CAAC;KACtB,CAAC,CAAC;CACJ;AAED,MAAM,WAAW,kBAAkB;IACjC,iHAAiH;IACjH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,sGAAsG;IACtG,UAAU,CAAC,EAAE,MAAM,GAAG,KAAK,CAAC;IAC5B,oCAAoC;IACpC,WAAW,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IAC9B,2CAA2C;IAC3C,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,6GAA6G;IAC7G,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,uDAAuD;IACvD,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,0DAA0D;IAC1D,WAAW,CAAC,EAAE,gBAAgB,CAAC;IAC/B,sDAAsD;IACtD,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,+DAA+D;IAC/D,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,iBAAiB,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAC9D;AAuDD,MAAM,WAAW,cAAc;IAC7B,uFAAuF;IACvF,OAAO,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CAAC;IAC/B,qFAAqF;IACrF,UAAU,IAAI,cAAc,CAAC;IAC7B,uFAAuF;IACvF,YAAY,IAAI,cAAc,CAAC;CAChC;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,QAAQ,EAAE,IAAI,GAAE,kBAAuB,GAAG,cAAc,CA6DzF"}

package/dist/express.js

@@ -0,0 +1,124 @@
+import { createDbsc } from "dbsc-toolkit/express";
+import { createBetterAuthStorageAdapter } from "./adapter.js";
+import { buildInitScript } from "./init-script.js";
+const DEFAULT_BASE_PATH = "/api/auth";
+const DEFAULT_CLIENT_PATH = "/dbsc-client";
+/**
+ * Wraps a `Promise<StorageAdapter>` as a synchronous `StorageAdapter` whose
+ * methods await the underlying adapter on first call. Lets us hand a
+ * StorageAdapter to `createDbsc()` synchronously, without ever resolving
+ * `auth.$context` at module load.
+ */
+function lazyStorage(resolve) {
+    let cached;
+    const get = async () => {
+        if (!cached)
+            cached = await resolve();
+        return cached;
+    };
+    return {
+        async getSession(id) {
+            return (await get()).getSession(id);
+        },
+        async setSession(session) {
+            return (await get()).setSession(session);
+        },
+        async deleteSession(id) {
+            return (await get()).deleteSession(id);
+        },
+        async getBoundKey(sessionId, kind) {
+            return (await get()).getBoundKey(sessionId, kind);
+        },
+        async setBoundKey(key) {
+            return (await get()).setBoundKey(key);
+        },
+        async deleteBoundKey(sessionId, kind) {
+            return (await get()).deleteBoundKey(sessionId, kind);
+        },
+        async getChallenge(jti) {
+            return (await get()).getChallenge(jti);
+        },
+        async setChallenge(challenge) {
+            return (await get()).setChallenge(challenge);
+        },
+        async consumeChallenge(jti) {
+            return (await get()).consumeChallenge(jti);
+        },
+        async revokeSession(sessionId) {
+            return (await get()).revokeSession(sessionId);
+        },
+        async revokeAllForUser(userId) {
+            return (await get()).revokeAllForUser(userId);
+        },
+    };
+}
+/**
+ * Build a DBSC kit for an Express + Better Auth app.
+ *
+ * The Better Auth plugin (`dbsc()` in `auth.ts`) issues the
+ * `Secure-Session-Registration` header after every sign-in. This kit handles
+ * everything that follows: the protocol routes Chrome posts to, the polyfill
+ * endpoints, and the per-request proof verifier.
+ *
+ *   const dbsc = dbscExpress(auth)
+ *   dbsc.install(app)
+ *   app.get("/profile", dbsc.requireProof(), profileHandler)
+ */
+export function dbscExpress(auth, opts = {}) {
+    const basePath = opts.basePath ?? DEFAULT_BASE_PATH;
+    const clientPath = opts.clientPath ?? DEFAULT_CLIENT_PATH;
+    const secure = opts.secure ?? true;
+    const storage = lazyStorage(async () => {
+        const ctx = await auth.$context;
+        return createBetterAuthStorageAdapter(ctx.adapter, ctx.internalAdapter);
+    });
+    // Mount paths reflect basePath so Chrome's auto-POST lands correctly.
+    const registrationPath = `${basePath}/dbsc/registration`;
+    const refreshPath = `${basePath}/dbsc/refresh`;
+    const boundStatePath = `${basePath}/dbsc-bound/state`;
+    const boundChallengePath = `${basePath}/dbsc-bound/challenge`;
+    const boundRegistrationPath = `${basePath}/dbsc-bound/registration`;
+    const boundRefreshPath = `${basePath}/dbsc-bound/refresh`;
+    const kit = createDbsc({
+        storage,
+        secure,
+        registrationPath,
+        refreshPath,
+        boundStatePath,
+        boundChallengePath,
+        boundRegistrationPath,
+        boundRefreshPath,
+        clientPath: clientPath === false ? false : clientPath,
+        ...(opts.cookieScope !== undefined && { cookieScope: opts.cookieScope }),
+        ...(opts.cookieDomain !== undefined && { cookieDomain: opts.cookieDomain }),
+        ...(opts.sessionTtl !== undefined && { sessionTtl: opts.sessionTtl }),
+        ...(opts.replayCache !== undefined && { replayCache: opts.replayCache }),
+        ...(opts.rateLimiter !== undefined && { rateLimiter: opts.rateLimiter }),
+        ...(opts.onEvent !== undefined && { onEvent: opts.onEvent }),
+    });
+    function install(app) {
+        // Serve /dbsc-client/init.js BEFORE the static directory below so it wins
+        // the match. The shim re-points the polyfill SDK at the basePath the
+        // user actually configured.
+        if (clientPath !== false) {
+            const initJs = buildInitScript({ basePath, clientPath });
+            const initRoute = `${clientPath}/init.js`;
+            app.get(initRoute, (_req, res) => {
+                res.setHeader("Content-Type", "application/javascript; charset=utf-8");
+                res.setHeader("Cache-Control", "public, max-age=300");
+                res.send(initJs);
+            });
+        }
+        // kit.install mounts the dbsc-toolkit middleware (all protocol + bound
+        // routes) and serves the polyfill SDK static files at clientPath.
+        return kit.install(app);
+    }
+    return {
+        install,
+        middleware: kit.middleware,
+        requireProof() {
+            return kit.requireProof();
+        },
+    };
+}
+//# sourceMappingURL=express.js.map

package/dist/express.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"express.js","sourceRoot":"","sources":["../src/express.ts"],"names":[],"mappings":"AAgBA,OAAO,EAAE,UAAU,EAAgB,MAAM,sBAAsB,CAAC;AAYhE,OAAO,EAAE,8BAA8B,EAAE,MAAM,cAAc,CAAC;AAC9D,OAAO,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AA8BnD,MAAM,iBAAiB,GAAG,WAAW,CAAC;AACtC,MAAM,mBAAmB,GAAG,cAAc,CAAC;AAE3C;;;;;GAKG;AACH,SAAS,WAAW,CAAC,OAAsC;IACzD,IAAI,MAAkC,CAAC;IACvC,MAAM,GAAG,GAAG,KAAK,IAA6B,EAAE;QAC9C,IAAI,CAAC,MAAM;YAAE,MAAM,GAAG,MAAM,OAAO,EAAE,CAAC;QACtC,OAAO,MAAM,CAAC;IAChB,CAAC,CAAC;IAEF,OAAO;QACL,KAAK,CAAC,UAAU,CAAC,EAAU;YACzB,OAAO,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;QACtC,CAAC;QACD,KAAK,CAAC,UAAU,CAAC,OAAgB;YAC/B,OAAO,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;QAC3C,CAAC;QACD,KAAK,CAAC,aAAa,CAAC,EAAU;YAC5B,OAAO,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,aAAa,CAAC,EAAE,CAAC,CAAC;QACzC,CAAC;QACD,KAAK,CAAC,WAAW,CAAC,SAAiB,EAAE,IAAmB;YACtD,OAAO,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,WAAW,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;QACpD,CAAC;QACD,KAAK,CAAC,WAAW,CAAC,GAAa;YAC7B,OAAO,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QACxC,CAAC;QACD,KAAK,CAAC,cAAc,CAAC,SAAiB,EAAE,IAAmB;YACzD,OAAO,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,cAAc,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;QACvD,CAAC;QACD,KAAK,CAAC,YAAY,CAAC,GAAW;YAC5B,OAAO,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;QACzC,CAAC;QACD,KAAK,CAAC,YAAY,CAAC,SAAoB;YACrC,OAAO,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC;QAC/C,CAAC;QACD,KAAK,CAAC,gBAAgB,CAAC,GAAW;YAChC,OAAO,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC;QAC7C,CAAC;QACD,KAAK,CAAC,aAAa,CAAC,SAAiB;YACnC,OAAO,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC;QAChD,CAAC;QACD,KAAK,CAAC,gBAAgB,CAAC,MAAc;YACnC,OAAO,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC;QAChD,CAAC;KACF,CAAC;AACJ,CAAC;AAWD;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,WAAW,CAAC,IAAc,EAAE,OAA2B,EAAE;IACvE,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,iBAAiB,CAAC;IACpD,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,mBAAmB,CAAC;IAC1D,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC;IAEnC,MAAM,OAAO,GAAG,WAAW,CAAC,KAAK,IAAI,EAAE;QACrC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC;QAChC,OAAO,8BAA8B,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,eAAe,CAAC,CAAC;IAC1E,CAAC,CAAC,CAAC;IAEH,sEAAsE;IACtE,MAAM,gBAAgB,GAAG,GAAG,QAAQ,oBAAoB,CAAC;IACzD,MAAM,WAAW,GAAG,GAAG,QAAQ,eAAe,CAAC;IAC/C,MAAM,cAAc,GAAG,GAAG,QAAQ,mBAAmB,CAAC;IACtD,MAAM,kBAAkB,GAAG,GAAG,QAAQ,uBAAuB,CAAC;IAC9D,MAAM,qBAAqB,GAAG,GAAG,QAAQ,0BAA0B,CAAC;IACpE,MAAM,gBAAgB,GAAG,GAAG,QAAQ,qBAAqB,CAAC;IAE1D,MAAM,GAAG,GAAY,UAAU,CAAC;QAC9B,OAAO;QACP,MAAM;QACN,gBAAgB;QAChB,WAAW;QACX,cAAc;QACd,kBAAkB;QAClB,qBAAqB;QACrB,gBAAgB;QAChB,UAAU,EAAE,UAAU,KAAK,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,UAAU;QACrD,GAAG,CAAC,IAAI,CAAC,WAAW,KAAK,SAAS,IAAI,EAAE,WAAW,EAAE,IAAI,CAAC,WAAW,EAAE,CAAC;QACxE,GAAG,CAAC,IAAI,CAAC,YAAY,KAAK,SAAS,IAAI,EAAE,YAAY,EAAE,IAAI,CAAC,YAAY,EAAE,CAAC;QAC3E,GAAG,CAAC,IAAI,CAAC,UAAU,KAAK,SAAS,IAAI,EAAE,UAAU,EAAE,IAAI,CAAC,UAAU,EAAE,CAAC;QACrE,GAAG,CAAC,IAAI,CAAC,WAAW,KAAK,SAAS,IAAI,EAAE,WAAW,EAAE,IAAI,CAAC,WAAW,EAAE,CAAC;QACxE,GAAG,CAAC,IAAI,CAAC,WAAW,KAAK,SAAS,IAAI,EAAE,WAAW,EAAE,IAAI,CAAC,WAAW,EAAE,CAAC;QACxE,GAAG,CAAC,IAAI,CAAC,OAAO,KAAK,SAAS,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC;KAC7D,CAAC,CAAC;IAEH,SAAS,OAAO,CAAC,GAAY;QAC3B,0EAA0E;QAC1E,qEAAqE;QACrE,4BAA4B;QAC5B,IAAI,UAAU,KAAK,KAAK,EAAE,CAAC;YACzB,MAAM,MAAM,GAAG,eAAe,CAAC,EAAE,QAAQ,EAAE,UAAU,EAAE,CAAC,CAAC;YACzD,MAAM,SAAS,GAAG,GAAG,UAAU,UAAU,CAAC;YAC1C,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,IAAa,EAAE,GAAa,EAAE,EAAE;gBAClD,GAAG,CAAC,SAAS,CAAC,cAAc,EAAE,uCAAuC,CAAC,CAAC;gBACvE,GAAG,CAAC,SAAS,CAAC,eAAe,EAAE,qBAAqB,CAAC,CAAC;gBACtD,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACnB,CAAC,CAAC,CAAC;QACL,CAAC;QACD,uEAAuE;QACvE,kEAAkE;QAClE,OAAO,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC1B,CAAC;IAED,OAAO;QACL,OAAO;QACP,UAAU,EAAE,GAAG,CAAC,UAAU;QAC1B,YAAY;YACV,OAAO,GAAG,CAAC,YAAY,EAAE,CAAC;QAC5B,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,33 @@
+/**
+ * @dbsc-toolkit/better-auth
+ *
+ * DBSC (Device Bound Session Credentials) plugin for Better Auth.
+ * Powered by dbsc-toolkit — hardware-bound sessions on Chromium 145+,
+ * Web Crypto polyfill for Firefox/Safari/older Chromium.
+ *
+ * Usage:
+ *   import { betterAuth } from "better-auth"
+ *   import { dbsc } from "@dbsc-toolkit/better-auth"
+ *
+ *   export const auth = betterAuth({
+ *     plugins: [dbsc()]
+ *   })
+ */
+import { type AnyTelemetryEvent } from "dbsc-toolkit";
+export interface DbscPluginOptions {
+    /**
+     * The base path where Better Auth is mounted. Default: "/api/auth".
+     * Used to build the full registration path in the Secure-Session-Registration header.
+     */
+    basePath?: string;
+    /** Cookie scope: "host" (default, __Host-) or "site" (__Secure- + Domain). */
+    cookieScope?: "host" | "site";
+    /** Required when cookieScope is "site". E.g. "example.com" */
+    cookieDomain?: string;
+    /** Bound cookie TTL in ms. Default: 600_000 (10 min) */
+    sessionTtl?: number;
+    /** Telemetry hook */
+    onEvent?: (event: AnyTelemetryEvent) => void | Promise<void>;
+}
+export declare function dbsc(opts?: DbscPluginOptions): object;
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AACH,OAAO,EAOL,KAAK,iBAAiB,EACvB,MAAM,cAAc,CAAC;AAKtB,MAAM,WAAW,iBAAiB;IAChC;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,8EAA8E;IAC9E,WAAW,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IAC9B,8DAA8D;IAC9D,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,wDAAwD;IACxD,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,qBAAqB;IACrB,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,iBAAiB,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAC9D;AAMD,wBAAgB,IAAI,CAAC,IAAI,GAAE,iBAAsB,GAAG,MAAM,CA2IzD"}

package/dist/index.js

@@ -0,0 +1,138 @@
+/**
+ * @dbsc-toolkit/better-auth
+ *
+ * DBSC (Device Bound Session Credentials) plugin for Better Auth.
+ * Powered by dbsc-toolkit — hardware-bound sessions on Chromium 145+,
+ * Web Crypto polyfill for Firefox/Safari/older Chromium.
+ *
+ * Usage:
+ *   import { betterAuth } from "better-auth"
+ *   import { dbsc } from "@dbsc-toolkit/better-auth"
+ *
+ *   export const auth = betterAuth({
+ *     plugins: [dbsc()]
+ *   })
+ */
+import { issueChallenge, buildRegistrationHeader, REGISTRATION_HEADER, LEGACY_REGISTRATION_HEADER, resolveCookieNames, } from "dbsc-toolkit";
+import { createBetterAuthStorageAdapter } from "./adapter.js";
+import { dbscSchema } from "./schema.js";
+const REGISTRATION_PATH = "/dbsc/registration";
+const DEFAULT_SESSION_TTL = 600_000;
+const DEFAULT_BASE_PATH = "/api/auth";
+export function dbsc(opts = {}) {
+    const { basePath = DEFAULT_BASE_PATH, cookieScope = "host", cookieDomain, sessionTtl = DEFAULT_SESSION_TTL, } = opts;
+    const secure = true;
+    const scopeOpts = cookieDomain
+        ? { secure, cookieScope, cookieDomain }
+        : { secure, cookieScope };
+    const names = resolveCookieNames(scopeOpts);
+    function regCookieHeader(sessionId) {
+        return [
+            `${names.reg}=${sessionId}`,
+            "HttpOnly",
+            "Path=/",
+            "SameSite=Lax",
+            `Max-Age=${Math.floor(sessionTtl / 1000)}`,
+            ...(secure ? ["Secure"] : []),
+            ...(cookieDomain ? [`Domain=${cookieDomain}`] : []),
+        ].join("; ");
+    }
+    function sessionCookieHeader(sessionId) {
+        return [
+            `${names.bound}=${sessionId}`,
+            "HttpOnly",
+            "Path=/",
+            "SameSite=Lax",
+            `Max-Age=${Math.floor(sessionTtl / 1000)}`,
+            ...(secure ? ["Secure"] : []),
+            ...(cookieDomain ? [`Domain=${cookieDomain}`] : []),
+        ].join("; ");
+    }
+    function challengeCookieHeader(jti) {
+        return [
+            `${names.challenge}=${jti}`,
+            "HttpOnly",
+            "Path=/",
+            "SameSite=Lax",
+            `Max-Age=300`,
+            ...(secure ? ["Secure"] : []),
+            ...(cookieDomain ? [`Domain=${cookieDomain}`] : []),
+        ].join("; ");
+    }
+    return {
+        id: "dbsc-toolkit",
+        schema: dbscSchema,
+        // The DBSC protocol routes do NOT live inside the plugin — Better Auth's
+        // createAuthEndpoint refuses POSTs without a body (responds 415), and
+        // Chrome's registration request has the JWS in a header with no body.
+        // Use mountDbscRoutes(app, auth) on your Hono/Express app instead.
+        hooks: {
+            after: [
+                {
+                    // Fires after any endpoint whose response contains a token — sign-in,
+                    // sign-up, OAuth callback, magic link, passkey. Better Auth returns
+                    // { token, user } for all these paths.
+                    matcher: (ctx) => {
+                        const returned = ctx.context?.returned;
+                        const token = returned?.["token"];
+                        return typeof token === "string" && token.length > 0;
+                    },
+                    handler: async (ctx) => {
+                        const empty = { headers: new Headers() };
+                        const returned = ctx.context?.returned;
+                        const token = returned?.token;
+                        if (!token)
+                            return empty;
+                        const internalAdapter = ctx.context?.internalAdapter;
+                        if (!internalAdapter?.findSession)
+                            return empty;
+                        let sessionId;
+                        let userId;
+                        try {
+                            const result = await internalAdapter.findSession(token);
+                            sessionId = result?.session?.id;
+                            userId = result?.session?.userId ?? result?.user?.id;
+                        }
+                        catch {
+                            return empty;
+                        }
+                        if (!sessionId || !userId)
+                            return empty;
+                        const store = createBetterAuthStorageAdapter(ctx.context.adapter, ctx.context.internalAdapter);
+                        const now = Date.now();
+                        const existing = await store.getSession(sessionId);
+                        if (!existing) {
+                            await store.setSession({
+                                id: sessionId,
+                                userId,
+                                tier: "none",
+                                createdAt: now,
+                                expiresAt: now + sessionTtl,
+                                lastRefreshAt: now,
+                            });
+                        }
+                        const { jti } = await issueChallenge(sessionId, store, sessionTtl);
+                        const regHeader = buildRegistrationHeader({
+                            registrationPath: `${basePath}${REGISTRATION_PATH}`,
+                            challenge: jti,
+                            cookieName: names.bound,
+                        });
+                        // Return headers — Better Auth merges these into the response.
+                        // Three cookies:
+                        //   - __Host-dbsc-session: bound cookie Chrome watches
+                        //   - __Host-dbsc-reg: carries sessionId to /dbsc/registration
+                        //   - __Host-dbsc-challenge: carries jti to /dbsc/registration
+                        const headers = new Headers();
+                        headers.set(REGISTRATION_HEADER, regHeader);
+                        headers.set(LEGACY_REGISTRATION_HEADER, regHeader);
+                        headers.append("Set-Cookie", sessionCookieHeader(sessionId));
+                        headers.append("Set-Cookie", regCookieHeader(sessionId));
+                        headers.append("Set-Cookie", challengeCookieHeader(jti));
+                        return { headers };
+                    },
+                },
+            ],
+        },
+    };
+}
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AACH,OAAO,EACL,cAAc,EACd,uBAAuB,EACvB,mBAAmB,EACnB,0BAA0B,EAC1B,kBAAkB,GAGnB,MAAM,cAAc,CAAC;AAEtB,OAAO,EAAE,8BAA8B,EAAE,MAAM,cAAc,CAAC;AAC9D,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAkBzC,MAAM,iBAAiB,GAAG,oBAAoB,CAAC;AAC/C,MAAM,mBAAmB,GAAG,OAAO,CAAC;AACpC,MAAM,iBAAiB,GAAG,WAAW,CAAC;AAEtC,MAAM,UAAU,IAAI,CAAC,OAA0B,EAAE;IAC/C,MAAM,EACJ,QAAQ,GAAG,iBAAiB,EAC5B,WAAW,GAAG,MAAM,EACpB,YAAY,EACZ,UAAU,GAAG,mBAAmB,GACjC,GAAG,IAAI,CAAC;IAET,MAAM,MAAM,GAAG,IAAI,CAAC;IACpB,MAAM,SAAS,GAAG,YAAY;QAC5B,CAAC,CAAC,EAAE,MAAM,EAAE,WAAW,EAAE,YAAY,EAAE;QACvC,CAAC,CAAC,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;IAC5B,MAAM,KAAK,GAAG,kBAAkB,CAAC,SAAS,CAAC,CAAC;IAE5C,SAAS,eAAe,CAAC,SAAiB;QACxC,OAAO;YACL,GAAG,KAAK,CAAC,GAAG,IAAI,SAAS,EAAE;YAC3B,UAAU;YACV,QAAQ;YACR,cAAc;YACd,WAAW,IAAI,CAAC,KAAK,CAAC,UAAU,GAAG,IAAI,CAAC,EAAE;YAC1C,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC7B,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,UAAU,YAAY,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;SACpD,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACf,CAAC;IAED,SAAS,mBAAmB,CAAC,SAAiB;QAC5C,OAAO;YACL,GAAG,KAAK,CAAC,KAAK,IAAI,SAAS,EAAE;YAC7B,UAAU;YACV,QAAQ;YACR,cAAc;YACd,WAAW,IAAI,CAAC,KAAK,CAAC,UAAU,GAAG,IAAI,CAAC,EAAE;YAC1C,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC7B,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,UAAU,YAAY,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;SACpD,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACf,CAAC;IAED,SAAS,qBAAqB,CAAC,GAAW;QACxC,OAAO;YACL,GAAG,KAAK,CAAC,SAAS,IAAI,GAAG,EAAE;YAC3B,UAAU;YACV,QAAQ;YACR,cAAc;YACd,aAAa;YACb,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC7B,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,UAAU,YAAY,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;SACpD,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACf,CAAC;IAED,OAAO;QACL,EAAE,EAAE,cAAc;QAElB,MAAM,EAAE,UAAU;QAElB,yEAAyE;QACzE,sEAAsE;QACtE,sEAAsE;QACtE,mEAAmE;QAEnE,KAAK,EAAE;YACL,KAAK,EAAE;gBACL;oBACE,sEAAsE;oBACtE,oEAAoE;oBACpE,uCAAuC;oBACvC,OAAO,EAAE,CAAC,GAAQ,EAAE,EAAE;wBACpB,MAAM,QAAQ,GAAG,GAAG,CAAC,OAAO,EAAE,QAA+C,CAAC;wBAC9E,MAAM,KAAK,GAAG,QAAQ,EAAE,CAAC,OAAO,CAAC,CAAC;wBAClC,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC;oBACvD,CAAC;oBACD,OAAO,EAAE,KAAK,EAAE,GAAQ,EAAiC,EAAE;wBACzD,MAAM,KAAK,GAAG,EAAE,OAAO,EAAE,IAAI,OAAO,EAAE,EAAE,CAAC;wBACzC,MAAM,QAAQ,GAAG,GAAG,CAAC,OAAO,EAAE,QAA+C,CAAC;wBAC9E,MAAM,KAAK,GAAG,QAAQ,EAAE,KAA2B,CAAC;wBACpD,IAAI,CAAC,KAAK;4BAAE,OAAO,KAAK,CAAC;wBAEzB,MAAM,eAAe,GAAG,GAAG,CAAC,OAAO,EAAE,eAAe,CAAC;wBACrD,IAAI,CAAC,eAAe,EAAE,WAAW;4BAAE,OAAO,KAAK,CAAC;wBAEhD,IAAI,SAA6B,CAAC;wBAClC,IAAI,MAA0B,CAAC;wBAE/B,IAAI,CAAC;4BACH,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,WAAW,CAAC,KAAK,CAE9C,CAAC;4BACT,SAAS,GAAG,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;4BAChC,MAAM,GAAG,MAAM,EAAE,OAAO,EAAE,MAAM,IAAI,MAAM,EAAE,IAAI,EAAE,EAAE,CAAC;wBACvD,CAAC;wBAAC,MAAM,CAAC;4BACP,OAAO,KAAK,CAAC;wBACf,CAAC;wBAED,IAAI,CAAC,SAAS,IAAI,CAAC,MAAM;4BAAE,OAAO,KAAK,CAAC;wBAExC,MAAM,KAAK,GAAG,8BAA8B,CAC1C,GAAG,CAAC,OAAO,CAAC,OAAO,EACnB,GAAG,CAAC,OAAO,CAAC,eAAe,CAC5B,CAAC;wBACF,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;wBAEvB,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;wBACnD,IAAI,CAAC,QAAQ,EAAE,CAAC;4BACd,MAAM,KAAK,CAAC,UAAU,CAAC;gCACrB,EAAE,EAAE,SAAS;gCACb,MAAM;gCACN,IAAI,EAAE,MAAM;gCACZ,SAAS,EAAE,GAAG;gCACd,SAAS,EAAE,GAAG,GAAG,UAAU;gCAC3B,aAAa,EAAE,GAAG;6BACnB,CAAC,CAAC;wBACL,CAAC;wBAED,MAAM,EAAE,GAAG,EAAE,GAAG,MAAM,cAAc,CAAC,SAAS,EAAE,KAAK,EAAE,UAAU,CAAC,CAAC;wBAEnE,MAAM,SAAS,GAAG,uBAAuB,CAAC;4BACxC,gBAAgB,EAAE,GAAG,QAAQ,GAAG,iBAAiB,EAAE;4BACnD,SAAS,EAAE,GAAG;4BACd,UAAU,EAAE,KAAK,CAAC,KAAK;yBACxB,CAAC,CAAC;wBAEH,+DAA+D;wBAC/D,iBAAiB;wBACjB,uDAAuD;wBACvD,+DAA+D;wBAC/D,+DAA+D;wBAC/D,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;wBAC9B,OAAO,CAAC,GAAG,CAAC,mBAAmB,EAAE,SAAS,CAAC,CAAC;wBAC5C,OAAO,CAAC,GAAG,CAAC,0BAA0B,EAAE,SAAS,CAAC,CAAC;wBACnD,OAAO,CAAC,MAAM,CAAC,YAAY,EAAE,mBAAmB,CAAC,SAAS,CAAC,CAAC,CAAC;wBAC7D,OAAO,CAAC,MAAM,CAAC,YAAY,EAAE,eAAe,CAAC,SAAS,CAAC,CAAC,CAAC;wBACzD,OAAO,CAAC,MAAM,CAAC,YAAY,EAAE,qBAAqB,CAAC,GAAG,CAAC,CAAC,CAAC;wBAEzD,OAAO,EAAE,OAAO,EAAE,CAAC;oBACrB,CAAC;iBACF;aACF;SACF;KACe,CAAC;AACrB,CAAC"}

package/dist/init-script.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Generates the browser-side init shim served at `<clientPath>/init.js`.
+ *
+ * The user drops one tag in their HTML:
+ *
+ *   <script src="/dbsc-client/init.js"></script>
+ *
+ * The shim imports the polyfill SDK from `<clientPath>/index.js`, calls
+ * `initBoundDbsc()` with paths that match the configured Better Auth
+ * basePath, and exposes `window.boundFetch` so app code can sign per-request
+ * proofs by calling `boundFetch(...)` instead of `fetch(...)`.
+ */
+export interface InitScriptOptions {
+    basePath: string;
+    clientPath: string;
+}
+export declare function buildInitScript(opts: InitScriptOptions): string;
+//# sourceMappingURL=init-script.d.ts.map

package/dist/init-script.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"init-script.d.ts","sourceRoot":"","sources":["../src/init-script.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AACH,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,wBAAgB,eAAe,CAAC,IAAI,EAAE,iBAAiB,GAAG,MAAM,CAiC/D"}

package/dist/init-script.js

@@ -0,0 +1,35 @@
+export function buildInitScript(opts) {
+    const { basePath, clientPath } = opts;
+    return `// @dbsc-toolkit/better-auth — browser init shim
+import { initBoundDbsc, wrapFetch, clearBoundKey } from "${clientPath}/index.js";
+
+const paths = {
+  statePath: "${basePath}/dbsc-bound/state",
+  challengePath: "${basePath}/dbsc-bound/challenge",
+  registrationPath: "${basePath}/dbsc-bound/registration",
+  refreshPath: "${basePath}/dbsc-bound/refresh",
+};
+
+// Polyfill kicks in on Firefox / Safari / older Chromium. On Chromium 145+
+// native DBSC runs first; the polyfill co-registers a key so per-request
+// proofs work everywhere.
+//
+// Expose initDbsc() on window so callers can re-trigger the flow after a
+// fresh sign-in or sign-up — without that, a logged-out page-load probe
+// resolves to "unbound" and the key record never appears.
+window.initDbsc = () => initBoundDbsc({ nativeProbeWindowMs: 8000, ...paths });
+
+// boundFetch signs every request body (empty bytes for GET). Replace
+// \`fetch\` with \`boundFetch\` on any call to a requireProof()-guarded route.
+window.boundFetch = wrapFetch({ signBody: true });
+window.clearBoundKey = clearBoundKey;
+
+// First probe on page load — finds an existing binding (returning user) or
+// resolves to unbound (logged-out user). Either way, callers must call
+// window.initDbsc() again after sign-up / sign-in so the SDK observes the
+// newly issued session.
+window.__dbscOutcome = window.initDbsc();
+window.__dbscOutcome.then((o) => console.log("[dbsc]", o)).catch((e) => console.error("[dbsc]", e));
+`;
+}
+//# sourceMappingURL=init-script.js.map

package/dist/init-script.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"init-script.js","sourceRoot":"","sources":["../src/init-script.ts"],"names":[],"mappings":"AAiBA,MAAM,UAAU,eAAe,CAAC,IAAuB;IACrD,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,GAAG,IAAI,CAAC;IACtC,OAAO;2DACkD,UAAU;;;gBAGrD,QAAQ;oBACJ,QAAQ;uBACL,QAAQ;kBACb,QAAQ;;;;;;;;;;;;;;;;;;;;;;;CAuBzB,CAAC;AACF,CAAC"}

package/dist/internal.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Internal helpers — exposed for advanced users who need to construct the
+ * storage adapter manually (e.g. for custom requireProof middleware in their
+ * own routes). Normal usage does NOT need this import.
+ */
+export { createBetterAuthStorageAdapter } from "./adapter.js";
+export type { BetterAuthDbAdapter, BetterAuthInternalAdapter } from "./adapter.js";
+//# sourceMappingURL=internal.d.ts.map

package/dist/internal.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"internal.d.ts","sourceRoot":"","sources":["../src/internal.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EAAE,8BAA8B,EAAE,MAAM,cAAc,CAAC;AAC9D,YAAY,EAAE,mBAAmB,EAAE,yBAAyB,EAAE,MAAM,cAAc,CAAC"}

package/dist/internal.js

@@ -0,0 +1,7 @@
+/**
+ * Internal helpers — exposed for advanced users who need to construct the
+ * storage adapter manually (e.g. for custom requireProof middleware in their
+ * own routes). Normal usage does NOT need this import.
+ */
+export { createBetterAuthStorageAdapter } from "./adapter.js";
+//# sourceMappingURL=internal.js.map

package/dist/internal.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"internal.js","sourceRoot":"","sources":["../src/internal.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EAAE,8BAA8B,EAAE,MAAM,cAAc,CAAC"}

package/dist/schema.d.ts

@@ -0,0 +1,69 @@
+/**
+ * Better Auth schema extension for dbsc-toolkit.
+ *
+ * Defines two tables:
+ *   dbscSession  — tracks binding state (tier, lastRefreshAt) per session
+ *   dbscBoundKey — stores the JWK for native (TPM) and bound (polyfill) keys
+ *
+ * Challenges are stored in Better Auth's built-in `verification` table
+ * so we get atomic consumeVerificationValue for free.
+ */
+export declare const dbscSchema: {
+    readonly dbscSession: {
+        readonly fields: {
+            readonly userId: {
+                readonly type: "string";
+                readonly required: true;
+                readonly references: {
+                    readonly model: "user";
+                    readonly field: "id";
+                };
+            };
+            readonly tier: {
+                readonly type: "string";
+                readonly required: true;
+            };
+            readonly createdAt: {
+                readonly type: "number";
+                readonly required: true;
+            };
+            readonly expiresAt: {
+                readonly type: "number";
+                readonly required: true;
+            };
+            readonly lastRefreshAt: {
+                readonly type: "number";
+                readonly required: true;
+            };
+        };
+    };
+    readonly dbscBoundKey: {
+        readonly fields: {
+            readonly sessionId: {
+                readonly type: "string";
+                readonly required: true;
+                readonly references: {
+                    readonly model: "dbscSession";
+                    readonly field: "id";
+                };
+            };
+            readonly kind: {
+                readonly type: "string";
+                readonly required: true;
+            };
+            readonly jwk: {
+                readonly type: "string";
+                readonly required: true;
+            };
+            readonly createdAt: {
+                readonly type: "number";
+                readonly required: true;
+            };
+            readonly algorithm: {
+                readonly type: "string";
+                readonly required: true;
+            };
+        };
+    };
+};
+//# sourceMappingURL=schema.d.ts.map

package/dist/schema.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../src/schema.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,eAAO,MAAM,UAAU;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAuDb,CAAC"}