npm - @fragno-dev/auth - Versions diffs - 0.0.14 → 0.0.16 - Mend

@fragno-dev/auth 0.0.14 → 0.0.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (36) hide show

package/README.md +196 -9
package/dist/browser/client/react.d.ts +1194 -64
package/dist/browser/client/react.d.ts.map +1 -1
package/dist/browser/client/react.js +1 -1
package/dist/browser/client/react.js.map +1 -1
package/dist/browser/client/solid.d.ts +1446 -64
package/dist/browser/client/solid.d.ts.map +1 -1
package/dist/browser/client/solid.js +1 -1
package/dist/browser/client/solid.js.map +1 -1
package/dist/browser/client/svelte.d.ts +1194 -64
package/dist/browser/client/svelte.d.ts.map +1 -1
package/dist/browser/client/svelte.js +1 -1
package/dist/browser/client/svelte.js.map +1 -1
package/dist/browser/client/vanilla.d.ts +1194 -64
package/dist/browser/client/vanilla.d.ts.map +1 -1
package/dist/browser/client/vanilla.js +1 -1
package/dist/browser/client/vanilla.js.map +1 -1
package/dist/browser/client/vue.d.ts +1150 -20
package/dist/browser/client/vue.d.ts.map +1 -1
package/dist/browser/client/vue.js +1 -1
package/dist/browser/client/vue.js.map +1 -1
package/dist/browser/index-m_5zsra2.d.ts +7141 -0
package/dist/browser/index-m_5zsra2.d.ts.map +1 -0
package/dist/browser/index.d.ts +2 -600
package/dist/browser/index.js +2 -2
package/dist/browser/src-Ck4bl2NH.js +1892 -0
package/dist/browser/src-Ck4bl2NH.js.map +1 -0
package/dist/node/index.d.ts +6806 -265
package/dist/node/index.d.ts.map +1 -1
package/dist/node/index.js +5532 -266
package/dist/node/index.js.map +1 -1
package/dist/tsconfig.tsbuildinfo +1 -1
package/package.json +20 -39
package/dist/browser/index.d.ts.map +0 -1
package/dist/browser/src-DNrh9CQq.js +0 -184
package/dist/browser/src-DNrh9CQq.js.map +0 -1

package/dist/browser/src-Ck4bl2NH.js ADDED Viewed

@@ -0,0 +1,1892 @@
+import { createClientBuilder } from "@fragno-dev/core/client";
+import { defineFragment, defineRoute, defineRoutes } from "@fragno-dev/core";
+import { atom, computed, onMount } from "nanostores";
+import { z } from "zod";
+import { decodeCursor } from "@fragno-dev/db/cursor";
+import { column, idColumn, referenceColumn, schema } from "@fragno-dev/db/schema";
+//#region src/client/default-organization.ts
+const DEFAULT_ORGANIZATION_STORAGE_KEY = "fragno-auth.default-organization-id";
+const DEFAULT_ORGANIZATION_CHANGE_EVENT = "fragno-auth:default-organization-change";
+const NO_ORGANIZATIONS_ERROR_MESSAGE = "Authenticated users must always have at least one organization.";
+function getStorage(storage) {
+	if (storage != null) return storage;
+	if (typeof window === "undefined") return null;
+	try {
+		return window.localStorage;
+	} catch {
+		return null;
+	}
+}
+function getWindow(win) {
+	if (win != null) return win;
+	return typeof window !== "undefined" ? window : null;
+}
+function toNonEmptyString(value) {
+	const trimmed = value?.trim();
+	return trimmed && trimmed.length > 0 ? trimmed : null;
+}
+function readCurrentDefaultOrganizationId(storage) {
+	const s = getStorage(storage);
+	if (!s) return null;
+	return toNonEmptyString(s.getItem(getDefaultOrganizationStorageKey()));
+}
+function getDefaultOrganizationStorageKey(_accountId) {
+	return DEFAULT_ORGANIZATION_STORAGE_KEY;
+}
+function getDefaultOrganizationChangeEventName(_accountId) {
+	return DEFAULT_ORGANIZATION_CHANGE_EVENT;
+}
+function readDefaultOrganizationId(_accountId, storage) {
+	const s = getStorage(storage);
+	if (!s) return null;
+	try {
+		return readCurrentDefaultOrganizationId(s);
+	} catch {
+		return null;
+	}
+}
+function writeDefaultOrganizationId(_accountId, organizationId, storage, win) {
+	const trimmed = toNonEmptyString(organizationId);
+	if (!trimmed) return clearDefaultOrganizationId(_accountId, storage, win);
+	const s = getStorage(storage);
+	const storageKey = getDefaultOrganizationStorageKey();
+	const eventName = getDefaultOrganizationChangeEventName();
+	if (!s) return false;
+	if (readCurrentDefaultOrganizationId(s) === trimmed) return false;
+	try {
+		s.setItem(storageKey, trimmed);
+	} catch {
+		return false;
+	}
+	getWindow(win)?.dispatchEvent(new Event(eventName));
+	return true;
+}
+function clearDefaultOrganizationId(_accountId, storage, win) {
+	const s = getStorage(storage);
+	const storageKey = getDefaultOrganizationStorageKey();
+	const eventName = getDefaultOrganizationChangeEventName();
+	if (!s) return false;
+	if (!readCurrentDefaultOrganizationId(s)) return false;
+	try {
+		s.removeItem(storageKey);
+	} catch {
+		return false;
+	}
+	getWindow(win)?.dispatchEvent(new Event(eventName));
+	return true;
+}
+function subscribeToDefaultOrganizationPreference(_accountId, onChange, options) {
+	const win = getWindow(options?.windowObject);
+	const storageKey = getDefaultOrganizationStorageKey();
+	const eventName = getDefaultOrganizationChangeEventName();
+	if (!win) return () => {};
+	const handleChange = () => onChange();
+	const handleStorage = (e) => {
+		if (typeof StorageEvent === "undefined") return onChange();
+		if (e instanceof StorageEvent && (!e.key || e.key === storageKey)) onChange();
+	};
+	win.addEventListener(eventName, handleChange);
+	win.addEventListener("storage", handleStorage);
+	return () => {
+		win.removeEventListener(eventName, handleChange);
+		win.removeEventListener("storage", handleStorage);
+	};
+}
+function findOrganizationEntry(me, organizationId) {
+	const id = toNonEmptyString(organizationId);
+	if (!id) return null;
+	return me.organizations.find((e) => e.organization.id === id) ?? null;
+}
+function toResolution(entry, status, storedId) {
+	return {
+		status,
+		storedOrganizationId: storedId,
+		resolvedOrganizationId: entry.organization.id,
+		entry,
+		organization: entry.organization,
+		member: entry.member
+	};
+}
+function resolveDefaultOrganization(me, storedOrganizationId) {
+	if (me.organizations.length === 0) throw new Error(NO_ORGANIZATIONS_ERROR_MESSAGE);
+	const stored = findOrganizationEntry(me, storedOrganizationId);
+	if (stored) return toResolution(stored, "reused", storedOrganizationId);
+	const active = findOrganizationEntry(me, me.activeOrganization?.organization.id ?? null);
+	const fallback = active ?? me.organizations[0];
+	return toResolution(fallback, storedOrganizationId ? "repaired" : "initialized", storedOrganizationId);
+}
+function syncDefaultOrganizationPreference(_accountId, me, storage, win) {
+	const resolution = resolveDefaultOrganization(me, readDefaultOrganizationId(_accountId, storage));
+	if (resolution.status !== "reused") writeDefaultOrganizationId(_accountId, resolution.resolvedOrganizationId, storage, win);
+	return resolution;
+}
+function setDefaultOrganizationForMe(_accountId, me, organizationId, storage, win) {
+	const entry = findOrganizationEntry(me, organizationId);
+	if (!entry) throw new Error("The selected organization is no longer available for this account.");
+	writeDefaultOrganizationId(_accountId, entry.organization.id, storage, win);
+	return resolveDefaultOrganization(me, entry.organization.id);
+}
+function createDefaultOrganizationPreferenceState(options) {
+	const { meStore, readMe, storage, windowObject } = options;
+	const storageVersion = atom(0);
+	const refresh = () => storageVersion.set(storageVersion.get() + 1);
+	const getCurrentStorageKey = () => getDefaultOrganizationStorageKey();
+	const storedOrganizationId = computed(storageVersion, () => readDefaultOrganizationId(null, storage));
+	const write = (id) => {
+		const ok = writeDefaultOrganizationId(null, id, storage, windowObject);
+		if (ok) refresh();
+		return ok;
+	};
+	const clear = () => {
+		const ok = clearDefaultOrganizationId(null, storage, windowObject);
+		if (ok) refresh();
+		return ok;
+	};
+	const syncForMe = (me) => {
+		const resolution$1 = syncDefaultOrganizationPreference(null, me, storage, windowObject);
+		refresh();
+		return resolution$1;
+	};
+	const setForMe = (me, id) => {
+		const entry = findOrganizationEntry(me, id);
+		if (!entry) throw new Error("The selected organization is no longer available for this account.");
+		const resolution$1 = setDefaultOrganizationForMe(null, me, id, storage, windowObject);
+		refresh();
+		return resolution$1;
+	};
+	onMount(storedOrganizationId, () => subscribeToDefaultOrganizationPreference(null, refresh, { windowObject }));
+	const resolution = computed([meStore, storedOrganizationId], (meState, orgId) => {
+		if (!meState.data) return null;
+		return resolveDefaultOrganization(meState.data, orgId);
+	});
+	onMount(resolution, () => resolution.listen((next) => {
+		if (!next || next.status === "reused") return;
+		if (writeDefaultOrganizationId(null, next.resolvedOrganizationId, storage, windowObject)) refresh();
+	}));
+	const effectiveMe = computed([meStore, resolution], (meState) => meState.data ?? null);
+	return {
+		me: async (params) => {
+			const me = await readMe(params);
+			if (getWindow(windowObject)) syncForMe(me);
+			return me;
+		},
+		defaultOrganization: {
+			get storageKey() {
+				return getCurrentStorageKey();
+			},
+			read: () => readDefaultOrganizationId(null, storage),
+			write,
+			clear,
+			resolve: resolveDefaultOrganization,
+			sync: syncForMe,
+			setForMe
+		},
+		store: {
+			get storageKey() {
+				return getCurrentStorageKey();
+			},
+			storedOrganizationId,
+			resolution,
+			status: computed(resolution, (r) => r?.status ?? null),
+			defaultOrganizationId: computed(resolution, (r) => r?.resolvedOrganizationId ?? null),
+			defaultOrganization: computed(resolution, (r) => r?.entry ?? null),
+			me: effectiveMe,
+			loading: computed(meStore, (s) => s.loading),
+			error: computed(meStore, (s) => s.error),
+			readDefaultOrganizationId: () => readDefaultOrganizationId(null, storage),
+			writeDefaultOrganizationId: write,
+			clearDefaultOrganizationId: clear,
+			syncPreference: () => {
+				const me = effectiveMe.get();
+				return me ? syncForMe(me) : null;
+			},
+			setDefaultOrganization: (id) => {
+				const me = effectiveMe.get();
+				if (!me) throw new Error("Cannot set a default organization without an authenticated user.");
+				return setForMe(me, id);
+			}
+		}
+	};
+}
+//#endregion
+//#region src/oauth/routes.ts
+const oauthRoutesFactory = defineRoutes().create(({ services, config }) => {
+	return [defineRoute({
+		method: "GET",
+		path: "/oauth/:provider/authorize",
+		queryParameters: [
+			"redirectUri",
+			"returnTo",
+			"link",
+			"sessionId",
+			"scope",
+			"loginHint",
+			"session"
+		],
+		outputSchema: z.object({ url: z.string() }),
+		errorCodes: [
+			"oauth_disabled",
+			"provider_not_found",
+			"missing_redirect_uri",
+			"redirect_uri_mismatch",
+			"invalid_input",
+			"session_invalid"
+		],
+		handler: () => {}
+	}), defineRoute({
+		method: "GET",
+		path: "/oauth/:provider/callback",
+		queryParameters: [
+			"code",
+			"state",
+			"requestSignUp"
+		],
+		outputSchema: z.object({
+			sessionId: z.string(),
+			userId: z.string(),
+			email: z.string(),
+			role: z.enum(["user", "admin"]),
+			returnTo: z.string().nullable()
+		}),
+		errorCodes: [
+			"oauth_disabled",
+			"provider_not_found",
+			"missing_redirect_uri",
+			"invalid_code",
+			"invalid_state",
+			"email_required",
+			"signup_disabled",
+			"signup_required",
+			"user_banned"
+		],
+		handler: () => {}
+	})];
+});
+//#endregion
+//#region src/utils/cookie.ts
+/**
+* Cookie utilities for session management
+*/
+const COOKIE_NAME = "sessionid";
+/**
+* Parse cookies from a Cookie header string
+*/
+function parseCookies(cookieHeader) {
+	if (!cookieHeader) return {};
+	const cookies = {};
+	const pairs = cookieHeader.split(";");
+	for (const pair of pairs) {
+		const [key, ...valueParts] = pair.split("=");
+		const trimmedKey = key?.trim();
+		const value = valueParts.join("=").trim();
+		if (trimmedKey) cookies[trimmedKey] = decodeURIComponent(value);
+	}
+	return cookies;
+}
+/**
+* Extract session ID from headers, checking cookies first, then query/body
+*/
+function extractSessionId(headers, queryParam, bodySessionId) {
+	const cookieHeader = headers.get("Cookie");
+	const cookies = parseCookies(cookieHeader);
+	const sessionIdFromCookie = cookies[COOKIE_NAME];
+	if (sessionIdFromCookie) return sessionIdFromCookie;
+	if (queryParam) return queryParam;
+	if (bodySessionId) return bodySessionId;
+	return null;
+}
+//#endregion
+//#region src/organization/schemas.ts
+const organizationSchema = z.object({
+	id: z.string(),
+	name: z.string(),
+	slug: z.string(),
+	logoUrl: z.string().nullable(),
+	metadata: z.record(z.string(), z.unknown()).nullable(),
+	createdBy: z.string(),
+	createdAt: z.string(),
+	updatedAt: z.string(),
+	deletedAt: z.string().nullable()
+});
+const memberSchema = z.object({
+	id: z.string(),
+	organizationId: z.string(),
+	userId: z.string(),
+	roles: z.array(z.string()),
+	createdAt: z.string(),
+	updatedAt: z.string()
+});
+const invitationSchema = z.object({
+	id: z.string(),
+	organizationId: z.string(),
+	email: z.string(),
+	roles: z.array(z.string()),
+	status: z.enum([
+		"pending",
+		"accepted",
+		"rejected",
+		"canceled",
+		"expired"
+	]),
+	token: z.string(),
+	inviterId: z.string(),
+	expiresAt: z.string(),
+	createdAt: z.string(),
+	respondedAt: z.string().nullable()
+});
+const invitationSummarySchema = invitationSchema.omit({ token: true });
+//#endregion
+//#region src/organization/serializers.ts
+const normalizeMetadata = (value) => {
+	if (!value || typeof value !== "object" || Array.isArray(value)) return null;
+	return value;
+};
+function serializeOrganization(organization) {
+	return {
+		id: organization.id,
+		name: organization.name,
+		slug: organization.slug,
+		logoUrl: organization.logoUrl ?? null,
+		metadata: normalizeMetadata(organization.metadata),
+		createdBy: organization.createdBy,
+		createdAt: organization.createdAt.toISOString(),
+		updatedAt: organization.updatedAt.toISOString(),
+		deletedAt: organization.deletedAt ? organization.deletedAt.toISOString() : null
+	};
+}
+function serializeMember(member) {
+	return {
+		id: member.id,
+		organizationId: member.organizationId,
+		userId: member.userId,
+		roles: member.roles,
+		createdAt: member.createdAt.toISOString(),
+		updatedAt: member.updatedAt.toISOString()
+	};
+}
+function serializeInvitation(invitation) {
+	return {
+		id: invitation.id,
+		organizationId: invitation.organizationId,
+		email: invitation.email,
+		roles: invitation.roles,
+		status: invitation.status,
+		token: invitation.token,
+		inviterId: invitation.inviterId,
+		expiresAt: invitation.expiresAt.toISOString(),
+		createdAt: invitation.createdAt.toISOString(),
+		respondedAt: invitation.respondedAt ? invitation.respondedAt.toISOString() : null
+	};
+}
+//#endregion
+//#region src/organization/routes.ts
+const createOrganizationInputSchema = z.object({
+	name: z.string().min(1).max(120),
+	slug: z.string().min(1),
+	logoUrl: z.string().nullable().optional(),
+	metadata: z.record(z.string(), z.unknown()).nullable().optional()
+});
+const updateOrganizationInputSchema = z.object({
+	name: z.string().min(1).max(120).optional(),
+	slug: z.string().min(1).optional(),
+	logoUrl: z.string().nullable().optional(),
+	metadata: z.record(z.string(), z.unknown()).nullable().optional()
+}).refine((value) => Object.keys(value).length > 0, { message: "At least one field must be provided" });
+const pageQuerySchema = z.object({ pageSize: z.coerce.number().int().min(1).max(100).default(20) });
+const parseCursor = (cursorParam) => {
+	if (!cursorParam) return void 0;
+	try {
+		return decodeCursor(cursorParam);
+	} catch {
+		return void 0;
+	}
+};
+const organizationRoutesFactory = defineRoutes().create(({ config, services }) => {
+	const defineOrganizationRoute = (route) => defineRoute({
+		...route,
+		errorCodes: route.errorCodes ? Array.from(new Set([...route.errorCodes, "feature_disabled"])) : ["feature_disabled"],
+		handler: () => {}
+	});
+	return [
+		defineOrganizationRoute({
+			method: "POST",
+			path: "/organizations",
+			inputSchema: createOrganizationInputSchema,
+			outputSchema: z.object({
+				organization: organizationSchema,
+				member: memberSchema
+			}),
+			errorCodes: [
+				"invalid_input",
+				"organization_slug_taken",
+				"permission_denied",
+				"limit_reached",
+				"session_invalid"
+			],
+			handler: async function({ input, headers, query }, { json, error }) {
+				const sessionId = extractSessionId(headers, query.get("sessionId"));
+				if (!sessionId) return error({
+					message: "Session ID required",
+					code: "session_invalid"
+				}, 400);
+				let body = null;
+				let inputError = null;
+				try {
+					body = await input.valid();
+				} catch (err) {
+					inputError = err;
+				}
+				const [result] = await this.handlerTx().withServiceCalls(() => [services.createOrganizationWithSession({
+					sessionId,
+					input: body,
+					inputError
+				})]).execute();
+				if (!result.ok) {
+					if (result.code === "session_invalid") return error({
+						message: "Invalid session",
+						code: "session_invalid"
+					}, 401);
+					if (result.code === "input_invalid") {
+						if (inputError) throw inputError;
+						return error({
+							message: "Invalid input",
+							code: "invalid_input"
+						}, 400);
+					}
+					if (result.code === "organization_slug_taken") return error({
+						message: "Organization slug taken",
+						code: "organization_slug_taken"
+					}, 400);
+					if (result.code === "invalid_slug") return error({
+						message: "Invalid input",
+						code: "invalid_input"
+					}, 400);
+					if (result.code === "limit_reached") return error({
+						message: "Limit reached",
+						code: "limit_reached"
+					}, 400);
+					return error({
+						message: "Permission denied",
+						code: "permission_denied"
+					}, 403);
+				}
+				return json({
+					organization: serializeOrganization(result.organization),
+					member: serializeMember(result.member)
+				});
+			}
+		}),
+		defineOrganizationRoute({
+			method: "GET",
+			path: "/organizations",
+			queryParameters: [
+				"pageSize",
+				"cursor",
+				"sessionId"
+			],
+			outputSchema: z.object({
+				organizations: z.array(z.object({
+					organization: organizationSchema,
+					member: memberSchema
+				})),
+				cursor: z.string().optional(),
+				hasNextPage: z.boolean()
+			}),
+			errorCodes: ["invalid_input", "session_invalid"],
+			handler: async function({ query, headers }, { json, error }) {
+				const parsed = pageQuerySchema.safeParse(Object.fromEntries(query.entries()));
+				if (!parsed.success) return error({
+					message: "Invalid query parameters",
+					code: "invalid_input"
+				}, 400);
+				const sessionId = extractSessionId(headers, query.get("sessionId"));
+				if (!sessionId) return error({
+					message: "Session ID required",
+					code: "session_invalid"
+				}, 400);
+				const rawCursor = parseCursor(query.get("cursor"));
+				const cursor = rawCursor && (rawCursor.indexName === "_primary" || rawCursor.indexName === "primary") ? rawCursor : void 0;
+				const [result] = await this.handlerTx().withServiceCalls(() => [services.getOrganizationsForSession({
+					sessionId,
+					pageSize: parsed.data.pageSize,
+					cursor
+				})]).execute();
+				if (!result.ok) return error({
+					message: "Invalid session",
+					code: "session_invalid"
+				}, 401);
+				return json({
+					organizations: result.organizations.map((entry) => ({
+						organization: serializeOrganization(entry.organization),
+						member: serializeMember(entry.member)
+					})),
+					cursor: result.cursor,
+					hasNextPage: result.hasNextPage
+				});
+			}
+		}),
+		defineOrganizationRoute({
+			method: "GET",
+			path: "/organizations/active",
+			queryParameters: ["sessionId"],
+			outputSchema: z.object({
+				organization: organizationSchema,
+				member: memberSchema
+			}).nullable(),
+			errorCodes: ["session_invalid"],
+			handler: async function({ headers, query }, { json, error }) {
+				const sessionId = extractSessionId(headers, query.get("sessionId"));
+				if (!sessionId) return error({
+					message: "Session ID required",
+					code: "session_invalid"
+				}, 400);
+				const [result] = await this.handlerTx().withServiceCalls(() => [services.getActiveOrganizationForSession({ sessionId })]).execute();
+				if (!result.ok) return error({
+					message: "Invalid session",
+					code: "session_invalid"
+				}, 401);
+				if (!result.data) return json(null);
+				return json({
+					organization: serializeOrganization(result.data.organization),
+					member: serializeMember(result.data.member)
+				});
+			}
+		}),
+		defineOrganizationRoute({
+			method: "POST",
+			path: "/organizations/active",
+			queryParameters: ["sessionId"],
+			inputSchema: z.object({ organizationId: z.string() }),
+			outputSchema: z.object({
+				organization: organizationSchema,
+				member: memberSchema
+			}),
+			errorCodes: [
+				"organization_not_found",
+				"membership_not_found",
+				"session_invalid"
+			],
+			handler: async function({ input, headers, query }, { json, error }) {
+				const sessionId = extractSessionId(headers, query.get("sessionId"));
+				if (!sessionId) return error({
+					message: "Session ID required",
+					code: "session_invalid"
+				}, 400);
+				const body = await input.valid();
+				const [result] = await this.handlerTx().withServiceCalls(() => [services.setActiveOrganizationForSession({
+					sessionId,
+					organizationId: body.organizationId
+				})]).execute();
+				if (!result.ok) {
+					if (result.code === "organization_not_found") return error({
+						message: "Organization not found",
+						code: "organization_not_found"
+					}, 404);
+					if (result.code === "membership_not_found") return error({
+						message: "Membership not found",
+						code: "membership_not_found"
+					}, 404);
+					return error({
+						message: "Invalid session",
+						code: "session_invalid"
+					}, 401);
+				}
+				return json({
+					organization: serializeOrganization(result.organization),
+					member: serializeMember(result.member)
+				});
+			}
+		}),
+		defineOrganizationRoute({
+			method: "GET",
+			path: "/organizations/invitations",
+			queryParameters: ["sessionId"],
+			outputSchema: z.object({ invitations: z.array(z.object({
+				invitation: invitationSchema,
+				organization: organizationSchema
+			})) }),
+			errorCodes: ["session_invalid"],
+			handler: async function({ headers, query }, { json, error }) {
+				const sessionId = extractSessionId(headers, query.get("sessionId"));
+				if (!sessionId) return error({
+					message: "Session ID required",
+					code: "session_invalid"
+				}, 400);
+				const [result] = await this.handlerTx().withServiceCalls(() => [services.listInvitationsForSession({ sessionId })]).execute();
+				if (!result.ok) return error({
+					message: "Invalid session",
+					code: "session_invalid"
+				}, 401);
+				return json({ invitations: result.invitations.map((entry) => ({
+					invitation: serializeInvitation(entry.invitation),
+					organization: serializeOrganization(entry.organization)
+				})) });
+			}
+		}),
+		defineOrganizationRoute({
+			method: "PATCH",
+			path: "/organizations/invitations/:invitationId",
+			queryParameters: ["sessionId"],
+			inputSchema: z.object({
+				action: z.enum([
+					"accept",
+					"reject",
+					"cancel"
+				]),
+				token: z.string().optional()
+			}),
+			outputSchema: z.object({ invitation: invitationSchema }),
+			errorCodes: [
+				"invitation_not_found",
+				"invitation_expired",
+				"permission_denied",
+				"invalid_token",
+				"limit_reached",
+				"session_invalid"
+			],
+			handler: async function({ input, pathParams, headers, query }, { json, error }) {
+				const sessionId = extractSessionId(headers, query.get("sessionId"));
+				if (!sessionId) return error({
+					message: "Session ID required",
+					code: "session_invalid"
+				}, 400);
+				const body = await input.valid();
+				if ((body.action === "accept" || body.action === "reject") && !body.token) return error({
+					message: "Invalid token",
+					code: "invalid_token"
+				}, 400);
+				const [result] = await this.handlerTx().withServiceCalls(() => [services.respondToInvitationWithSession({
+					sessionId,
+					invitationId: pathParams.invitationId,
+					action: body.action,
+					token: body.token
+				})]).execute();
+				if (!result.ok) {
+					if (result.code === "invalid_token") return error({
+						message: "Invalid token",
+						code: "invalid_token"
+					}, 400);
+					if (result.code === "invitation_expired") return error({
+						message: "Invitation expired",
+						code: "invitation_expired"
+					}, 400);
+					if (result.code === "limit_reached") return error({
+						message: "Limit reached",
+						code: "limit_reached"
+					}, 400);
+					if (result.code === "permission_denied") return error({
+						message: "Permission denied",
+						code: "permission_denied"
+					}, 403);
+					if (result.code === "session_invalid") return error({
+						message: "Invalid session",
+						code: "session_invalid"
+					}, 401);
+					return error({
+						message: "Invitation not found",
+						code: "invitation_not_found"
+					}, 404);
+				}
+				return json({ invitation: serializeInvitation(result.invitation) });
+			}
+		}),
+		defineOrganizationRoute({
+			method: "GET",
+			path: "/organizations/:organizationId",
+			queryParameters: ["sessionId"],
+			outputSchema: z.object({
+				organization: organizationSchema,
+				member: memberSchema
+			}),
+			errorCodes: [
+				"organization_not_found",
+				"permission_denied",
+				"session_invalid"
+			],
+			handler: async function({ pathParams, headers, query }, { json, error }) {
+				const sessionId = extractSessionId(headers, query.get("sessionId"));
+				if (!sessionId) return error({
+					message: "Session ID required",
+					code: "session_invalid"
+				}, 400);
+				const [result] = await this.handlerTx().withServiceCalls(() => [services.getOrganizationForSession({
+					sessionId,
+					organizationId: pathParams.organizationId
+				})]).execute();
+				if (!result.ok) {
+					if (result.code === "organization_not_found") return error({
+						message: "Organization not found",
+						code: "organization_not_found"
+					}, 404);
+					if (result.code === "permission_denied") return error({
+						message: "Permission denied",
+						code: "permission_denied"
+					}, 403);
+					return error({
+						message: "Invalid session",
+						code: "session_invalid"
+					}, 401);
+				}
+				return json({
+					organization: serializeOrganization(result.organization),
+					member: serializeMember(result.member)
+				});
+			}
+		}),
+		defineOrganizationRoute({
+			method: "PATCH",
+			path: "/organizations/:organizationId",
+			queryParameters: ["sessionId"],
+			inputSchema: updateOrganizationInputSchema,
+			outputSchema: z.object({ organization: organizationSchema }),
+			errorCodes: [
+				"invalid_input",
+				"organization_not_found",
+				"organization_slug_taken",
+				"permission_denied",
+				"session_invalid"
+			],
+			handler: async function({ input, pathParams, headers, query }, { json, error }) {
+				const sessionId = extractSessionId(headers, query.get("sessionId"));
+				if (!sessionId) return error({
+					message: "Session ID required",
+					code: "session_invalid"
+				}, 400);
+				const body = await input.valid();
+				const [result] = await this.handlerTx().withServiceCalls(() => [services.updateOrganizationWithSession({
+					sessionId,
+					organizationId: pathParams.organizationId,
+					patch: body
+				})]).execute();
+				if (!result.ok) {
+					if (result.code === "session_invalid") return error({
+						message: "Invalid session",
+						code: "session_invalid"
+					}, 401);
+					if (result.code === "organization_not_found") return error({
+						message: "Organization not found",
+						code: "organization_not_found"
+					}, 404);
+					if (result.code === "organization_slug_taken") return error({
+						message: "Organization slug taken",
+						code: "organization_slug_taken"
+					}, 400);
+					if (result.code === "permission_denied") return error({
+						message: "Permission denied",
+						code: "permission_denied"
+					}, 403);
+					return error({
+						message: "Invalid input",
+						code: "invalid_input"
+					}, 400);
+				}
+				return json({ organization: serializeOrganization(result.organization) });
+			}
+		}),
+		defineOrganizationRoute({
+			method: "DELETE",
+			path: "/organizations/:organizationId",
+			queryParameters: ["sessionId"],
+			outputSchema: z.object({ success: z.boolean() }),
+			errorCodes: [
+				"organization_not_found",
+				"permission_denied",
+				"session_invalid"
+			],
+			handler: async function({ pathParams, headers, query }, { json, error }) {
+				const sessionId = extractSessionId(headers, query.get("sessionId"));
+				if (!sessionId) return error({
+					message: "Session ID required",
+					code: "session_invalid"
+				}, 400);
+				const [result] = await this.handlerTx().withServiceCalls(() => [services.deleteOrganizationWithSession({
+					sessionId,
+					organizationId: pathParams.organizationId
+				})]).execute();
+				if (!result.ok) {
+					if (result.code === "session_invalid") return error({
+						message: "Invalid session",
+						code: "session_invalid"
+					}, 401);
+					if (result.code === "organization_not_found") return error({
+						message: "Organization not found",
+						code: "organization_not_found"
+					}, 404);
+					return error({
+						message: "Permission denied",
+						code: "permission_denied"
+					}, 403);
+				}
+				return json({ success: true });
+			}
+		}),
+		defineOrganizationRoute({
+			method: "GET",
+			path: "/organizations/:organizationId/members",
+			queryParameters: [
+				"pageSize",
+				"cursor",
+				"sessionId"
+			],
+			outputSchema: z.object({
+				members: z.array(memberSchema),
+				cursor: z.string().optional(),
+				hasNextPage: z.boolean()
+			}),
+			errorCodes: [
+				"invalid_input",
+				"organization_not_found",
+				"permission_denied",
+				"session_invalid"
+			],
+			handler: async function({ pathParams, query, headers }, { json, error }) {
+				const parsed = pageQuerySchema.safeParse(Object.fromEntries(query.entries()));
+				if (!parsed.success) return error({
+					message: "Invalid query parameters",
+					code: "invalid_input"
+				}, 400);
+				const sessionId = extractSessionId(headers, query.get("sessionId"));
+				if (!sessionId) return error({
+					message: "Session ID required",
+					code: "session_invalid"
+				}, 400);
+				const cursor = parseCursor(query.get("cursor"));
+				const [result] = await this.handlerTx().withServiceCalls(() => [services.listOrganizationMembersWithSession({
+					sessionId,
+					organizationId: pathParams.organizationId,
+					pageSize: parsed.data.pageSize,
+					cursor
+				})]).execute();
+				if (!result.ok) {
+					if (result.code === "session_invalid") return error({
+						message: "Invalid session",
+						code: "session_invalid"
+					}, 401);
+					if (result.code === "organization_not_found") return error({
+						message: "Organization not found",
+						code: "organization_not_found"
+					}, 404);
+					return error({
+						message: "Permission denied",
+						code: "permission_denied"
+					}, 403);
+				}
+				return json({
+					members: result.members.map((member) => serializeMember(member)),
+					cursor: result.cursor,
+					hasNextPage: result.hasNextPage
+				});
+			}
+		}),
+		defineOrganizationRoute({
+			method: "POST",
+			path: "/organizations/:organizationId/members",
+			queryParameters: ["sessionId"],
+			inputSchema: z.object({
+				userId: z.string(),
+				roles: z.array(z.string()).optional()
+			}),
+			outputSchema: z.object({ member: memberSchema }),
+			errorCodes: [
+				"organization_not_found",
+				"permission_denied",
+				"member_already_exists",
+				"limit_reached",
+				"session_invalid"
+			],
+			handler: async function({ input, pathParams, headers, query }, { json, error }) {
+				const sessionId = extractSessionId(headers, query.get("sessionId"));
+				if (!sessionId) return error({
+					message: "Session ID required",
+					code: "session_invalid"
+				}, 400);
+				const body = await input.valid();
+				const [result] = await this.handlerTx().withServiceCalls(() => [services.createOrganizationMemberWithSession({
+					sessionId,
+					organizationId: pathParams.organizationId,
+					userId: body.userId,
+					roles: body.roles
+				})]).execute();
+				if (!result.ok) {
+					if (result.code === "session_invalid") return error({
+						message: "Invalid session",
+						code: "session_invalid"
+					}, 401);
+					if (result.code === "organization_not_found") return error({
+						message: "Organization not found",
+						code: "organization_not_found"
+					}, 404);
+					if (result.code === "member_already_exists") return error({
+						message: "Member already exists",
+						code: "member_already_exists"
+					}, 400);
+					if (result.code === "limit_reached") return error({
+						message: "Limit reached",
+						code: "limit_reached"
+					}, 400);
+					return error({
+						message: "Permission denied",
+						code: "permission_denied"
+					}, 403);
+				}
+				return json({ member: serializeMember(result.member) });
+			}
+		}),
+		defineOrganizationRoute({
+			method: "PATCH",
+			path: "/organizations/:organizationId/members/:memberId",
+			queryParameters: ["sessionId"],
+			inputSchema: z.object({ roles: z.array(z.string()).min(1) }),
+			outputSchema: z.object({ member: memberSchema }),
+			errorCodes: [
+				"member_not_found",
+				"permission_denied",
+				"last_owner",
+				"session_invalid"
+			],
+			handler: async function({ input, pathParams, headers, query }, { json, error }) {
+				const sessionId = extractSessionId(headers, query.get("sessionId"));
+				if (!sessionId) return error({
+					message: "Session ID required",
+					code: "session_invalid"
+				}, 400);
+				const body = await input.valid();
+				const [result] = await this.handlerTx().withServiceCalls(() => [services.updateOrganizationMemberRolesWithSession({
+					sessionId,
+					organizationId: pathParams.organizationId,
+					memberId: pathParams.memberId,
+					roles: body.roles
+				})]).execute();
+				if (!result.ok) {
+					if (result.code === "session_invalid") return error({
+						message: "Invalid session",
+						code: "session_invalid"
+					}, 401);
+					if (result.code === "member_not_found") return error({
+						message: "Member not found",
+						code: "member_not_found"
+					}, 404);
+					if (result.code === "last_owner") return error({
+						message: "Last owner",
+						code: "last_owner"
+					}, 400);
+					return error({
+						message: "Permission denied",
+						code: "permission_denied"
+					}, 403);
+				}
+				return json({ member: serializeMember(result.member) });
+			}
+		}),
+		defineOrganizationRoute({
+			method: "DELETE",
+			path: "/organizations/:organizationId/members/:memberId",
+			queryParameters: ["sessionId"],
+			outputSchema: z.object({ success: z.boolean() }),
+			errorCodes: [
+				"member_not_found",
+				"permission_denied",
+				"last_owner",
+				"session_invalid"
+			],
+			handler: async function({ pathParams, headers, query }, { json, error }) {
+				const sessionId = extractSessionId(headers, query.get("sessionId"));
+				if (!sessionId) return error({
+					message: "Session ID required",
+					code: "session_invalid"
+				}, 400);
+				const [result] = await this.handlerTx().withServiceCalls(() => [services.deleteOrganizationMemberWithSession({
+					sessionId,
+					organizationId: pathParams.organizationId,
+					memberId: pathParams.memberId
+				})]).execute();
+				if (!result.ok) {
+					if (result.code === "session_invalid") return error({
+						message: "Invalid session",
+						code: "session_invalid"
+					}, 401);
+					if (result.code === "member_not_found") return error({
+						message: "Member not found",
+						code: "member_not_found"
+					}, 404);
+					if (result.code === "last_owner") return error({
+						message: "Last owner",
+						code: "last_owner"
+					}, 400);
+					return error({
+						message: "Permission denied",
+						code: "permission_denied"
+					}, 403);
+				}
+				return json({ success: true });
+			}
+		}),
+		defineOrganizationRoute({
+			method: "GET",
+			path: "/organizations/:organizationId/invitations",
+			queryParameters: ["sessionId"],
+			outputSchema: z.object({ invitations: z.array(invitationSchema) }),
+			errorCodes: [
+				"organization_not_found",
+				"permission_denied",
+				"session_invalid"
+			],
+			handler: async function({ pathParams, headers, query }, { json, error }) {
+				const sessionId = extractSessionId(headers, query.get("sessionId"));
+				if (!sessionId) return error({
+					message: "Session ID required",
+					code: "session_invalid"
+				}, 400);
+				const [result] = await this.handlerTx().withServiceCalls(() => [services.listOrganizationInvitationsWithSession({
+					sessionId,
+					organizationId: pathParams.organizationId
+				})]).execute();
+				if (!result.ok) {
+					if (result.code === "session_invalid") return error({
+						message: "Invalid session",
+						code: "session_invalid"
+					}, 401);
+					if (result.code === "organization_not_found") return error({
+						message: "Organization not found",
+						code: "organization_not_found"
+					}, 404);
+					return error({
+						message: "Permission denied",
+						code: "permission_denied"
+					}, 403);
+				}
+				return json({ invitations: result.invitations.map(serializeInvitation) });
+			}
+		}),
+		defineOrganizationRoute({
+			method: "POST",
+			path: "/organizations/:organizationId/invitations",
+			queryParameters: ["sessionId"],
+			inputSchema: z.object({
+				email: z.email(),
+				roles: z.array(z.string()).optional()
+			}),
+			outputSchema: z.object({ invitation: invitationSchema }),
+			errorCodes: [
+				"organization_not_found",
+				"permission_denied",
+				"limit_reached",
+				"session_invalid"
+			],
+			handler: async function({ input, pathParams, headers, query }, { json, error }) {
+				const sessionId = extractSessionId(headers, query.get("sessionId"));
+				if (!sessionId) return error({
+					message: "Session ID required",
+					code: "session_invalid"
+				}, 400);
+				const body = await input.valid();
+				const [result] = await this.handlerTx().withServiceCalls(() => [services.createOrganizationInvitationWithSession({
+					sessionId,
+					organizationId: pathParams.organizationId,
+					email: body.email,
+					roles: body.roles
+				})]).execute();
+				if (!result.ok) {
+					if (result.code === "session_invalid") return error({
+						message: "Invalid session",
+						code: "session_invalid"
+					}, 401);
+					if (result.code === "organization_not_found") return error({
+						message: "Organization not found",
+						code: "organization_not_found"
+					}, 404);
+					if (result.code === "limit_reached") return error({
+						message: "Limit reached",
+						code: "limit_reached"
+					}, 400);
+					return error({
+						message: "Permission denied",
+						code: "permission_denied"
+					}, 403);
+				}
+				return json({ invitation: serializeInvitation(result.invitation) });
+			}
+		})
+	];
+});
+//#endregion
+//#region src/schema.ts
+const authSchema = schema("auth", (s) => {
+	return s.addTable("user", (t) => {
+		return t.addColumn("id", idColumn()).addColumn("email", column("string")).addColumn("passwordHash", column("string")).addColumn("role", column("string").defaultTo("user")).addColumn("createdAt", column("timestamp").defaultTo((b) => b.now())).createIndex("idx_user_email", ["email"]).createIndex("idx_user_id", ["id"], { unique: true });
+	}).addTable("session", (t) => {
+		return t.addColumn("id", idColumn()).addColumn("userId", referenceColumn()).addColumn("expiresAt", column("timestamp")).addColumn("createdAt", column("timestamp").defaultTo((b) => b.now())).createIndex("idx_session_user", ["userId"]);
+	}).alterTable("user", (t) => {
+		return t.addColumn("bannedAt", column("timestamp").nullable()).createIndex("idx_user_createdAt", ["createdAt"]);
+	}).alterTable("session", (t) => {
+		return t.addColumn("activeOrganizationId", referenceColumn().nullable());
+	}).addTable("organization", (t) => {
+		return t.addColumn("id", idColumn()).addColumn("name", column("string")).addColumn("slug", column("string")).addColumn("logoUrl", column("string").nullable()).addColumn("metadata", column("json").nullable()).addColumn("createdBy", referenceColumn()).addColumn("createdAt", column("timestamp").defaultTo((b) => b.now())).addColumn("updatedAt", column("timestamp").defaultTo((b) => b.now())).addColumn("deletedAt", column("timestamp").nullable()).createIndex("idx_organization_slug", ["slug"], { unique: true }).createIndex("idx_organization_createdBy", ["createdBy"]);
+	}).addTable("organizationMember", (t) => {
+		return t.addColumn("id", idColumn()).addColumn("organizationId", referenceColumn()).addColumn("userId", referenceColumn()).addColumn("createdAt", column("timestamp").defaultTo((b) => b.now())).addColumn("updatedAt", column("timestamp").defaultTo((b) => b.now())).createIndex("idx_org_member_org_user", ["organizationId", "userId"], { unique: true }).createIndex("idx_org_member_user", ["userId"]).createIndex("idx_org_member_org", ["organizationId"]);
+	}).addTable("organizationMemberRole", (t) => {
+		return t.addColumn("id", idColumn()).addColumn("memberId", referenceColumn()).addColumn("role", column("string")).addColumn("createdAt", column("timestamp").defaultTo((b) => b.now())).createIndex("idx_org_member_role_member_role", ["memberId", "role"], { unique: true }).createIndex("idx_org_member_role_member", ["memberId"]).createIndex("idx_org_member_role_role", ["role"]);
+	}).addTable("organizationInvitation", (t) => {
+		return t.addColumn("id", idColumn()).addColumn("organizationId", referenceColumn()).addColumn("email", column("string")).addColumn("roles", column("json")).addColumn("status", column("string")).addColumn("token", column("string")).addColumn("inviterId", referenceColumn()).addColumn("expiresAt", column("timestamp")).addColumn("createdAt", column("timestamp").defaultTo((b) => b.now())).addColumn("respondedAt", column("timestamp").nullable()).createIndex("idx_org_invitation_token", ["token"], { unique: true }).createIndex("idx_org_invitation_org_status", ["organizationId", "status"]).createIndex("idx_org_invitation_email", ["email"]).createIndex("idx_org_invitation_email_status", ["email", "status"]);
+	}).addReference("sessionOwner", {
+		from: {
+			table: "session",
+			column: "userId"
+		},
+		to: {
+			table: "user",
+			column: "id"
+		},
+		type: "one"
+	}).addReference("sessionActiveOrganization", {
+		from: {
+			table: "session",
+			column: "activeOrganizationId"
+		},
+		to: {
+			table: "organization",
+			column: "id"
+		},
+		type: "one"
+	}).addReference("organizationCreator", {
+		from: {
+			table: "organization",
+			column: "createdBy"
+		},
+		to: {
+			table: "user",
+			column: "id"
+		},
+		type: "one"
+	}).addReference("organizationMemberOrganization", {
+		from: {
+			table: "organizationMember",
+			column: "organizationId"
+		},
+		to: {
+			table: "organization",
+			column: "id"
+		},
+		type: "one"
+	}).addReference("organizationMembers", {
+		from: {
+			table: "organization",
+			column: "id"
+		},
+		to: {
+			table: "organizationMember",
+			column: "organizationId"
+		},
+		type: "many",
+		foreignKey: false
+	}).addReference("organizationMemberUser", {
+		from: {
+			table: "organizationMember",
+			column: "userId"
+		},
+		to: {
+			table: "user",
+			column: "id"
+		},
+		type: "one"
+	}).addReference("organizationMemberRoleMember", {
+		from: {
+			table: "organizationMemberRole",
+			column: "memberId"
+		},
+		to: {
+			table: "organizationMember",
+			column: "id"
+		},
+		type: "one"
+	}).addReference("organizationInvitationOrganization", {
+		from: {
+			table: "organizationInvitation",
+			column: "organizationId"
+		},
+		to: {
+			table: "organization",
+			column: "id"
+		},
+		type: "one"
+	}).addReference("organizationInvitationInviter", {
+		from: {
+			table: "organizationInvitation",
+			column: "inviterId"
+		},
+		to: {
+			table: "user",
+			column: "id"
+		},
+		type: "one"
+	}).addTable("oauthAccount", (t) => {
+		return t.addColumn("id", idColumn()).addColumn("userId", referenceColumn()).addColumn("provider", column("string")).addColumn("providerAccountId", column("string")).addColumn("email", column("string").nullable()).addColumn("emailVerified", column("bool").defaultTo(false)).addColumn("image", column("string").nullable()).addColumn("accessToken", column("string").nullable()).addColumn("refreshToken", column("string").nullable()).addColumn("idToken", column("string").nullable()).addColumn("tokenType", column("string").nullable()).addColumn("tokenExpiresAt", column("timestamp").nullable()).addColumn("scopes", column("json").nullable()).addColumn("rawProfile", column("json").nullable()).addColumn("createdAt", column("timestamp").defaultTo((b) => b.now())).addColumn("updatedAt", column("timestamp").defaultTo((b) => b.now())).createIndex("idx_oauth_account_provider_account", ["provider", "providerAccountId"], { unique: true }).createIndex("idx_oauth_account_user", ["userId"]).createIndex("idx_oauth_account_provider", ["provider"]);
+	}).addTable("oauthState", (t) => {
+		return t.addColumn("id", idColumn()).addColumn("provider", column("string")).addColumn("state", column("string")).addColumn("codeVerifier", column("string").nullable()).addColumn("redirectUri", column("string").nullable()).addColumn("returnTo", column("string").nullable()).addColumn("linkUserId", referenceColumn().nullable()).addColumn("createdAt", column("timestamp").defaultTo((b) => b.now())).addColumn("expiresAt", column("timestamp")).createIndex("idx_oauth_state_state", ["state"], { unique: true }).createIndex("idx_oauth_state_provider", ["provider"]).createIndex("idx_oauth_state_expiresAt", ["expiresAt"]);
+	}).addReference("oauthAccountUser", {
+		from: {
+			table: "oauthAccount",
+			column: "userId"
+		},
+		to: {
+			table: "user",
+			column: "id"
+		},
+		type: "one"
+	}).addReference("oauthStateLinkUser", {
+		from: {
+			table: "oauthState",
+			column: "linkUserId"
+		},
+		to: {
+			table: "user",
+			column: "id"
+		},
+		type: "one"
+	}).alterTable("user", (t) => {
+		return t.alterColumn("passwordHash").nullable();
+	}).addReference("sessionOrganizationMembers", {
+		type: "many",
+		from: {
+			table: "session",
+			column: "userId"
+		},
+		to: {
+			table: "organizationMember",
+			column: "userId"
+		},
+		foreignKey: false
+	}).addReference("sessionMembers", {
+		type: "many",
+		from: {
+			table: "session",
+			column: "userId"
+		},
+		to: {
+			table: "organizationMember",
+			column: "userId"
+		},
+		foreignKey: false
+	}).addReference("organizationMemberRoles", {
+		type: "many",
+		from: {
+			table: "organizationMember",
+			column: "id"
+		},
+		to: {
+			table: "organizationMemberRole",
+			column: "memberId"
+		},
+		foreignKey: false
+	}).addReference("roles", {
+		type: "many",
+		from: {
+			table: "organizationMember",
+			column: "id"
+		},
+		to: {
+			table: "organizationMemberRole",
+			column: "memberId"
+		},
+		foreignKey: false
+	}).addReference("organization", {
+		type: "one",
+		from: {
+			table: "organizationMember",
+			column: "organizationId"
+		},
+		to: {
+			table: "organization",
+			column: "id"
+		},
+		foreignKey: false
+	}).addReference("userOrganizationInvitations", {
+		type: "many",
+		from: {
+			table: "user",
+			column: "email"
+		},
+		to: {
+			table: "organizationInvitation",
+			column: "email"
+		},
+		foreignKey: false
+	}).addReference("invitations", {
+		type: "many",
+		from: {
+			table: "user",
+			column: "email"
+		},
+		to: {
+			table: "organizationInvitation",
+			column: "email"
+		},
+		foreignKey: false
+	}).addReference("organization", {
+		type: "one",
+		from: {
+			table: "organizationInvitation",
+			column: "organizationId"
+		},
+		to: {
+			table: "organization",
+			column: "id"
+		},
+		foreignKey: false
+	}).alterTable("session", (t) => {
+		return t.createIndex("idx_session_id_expiresAt", ["id", "expiresAt"]);
+	}).addReference("userOrganizationMembers", {
+		type: "many",
+		from: {
+			table: "user",
+			column: "id"
+		},
+		to: {
+			table: "organizationMember",
+			column: "userId"
+		},
+		foreignKey: false
+	}).alterTable("oauthState", (t) => {
+		return t.addColumn("sessionSeed", column("json").nullable());
+	});
+});
+//#endregion
+//#region src/session/session-seed.ts
+const sessionSeedSchema = z.object({ activeOrganizationId: z.string().trim().min(1).optional() }).strict();
+function normalizeSessionSeed(session) {
+	const parsed = sessionSeedSchema.safeParse(session ?? {});
+	if (!parsed.success) return null;
+	return parsed.data.activeOrganizationId ? parsed.data : null;
+}
+function serializeSessionSeedForQuery(session) {
+	const normalized = normalizeSessionSeed(session);
+	return normalized ? JSON.stringify(normalized) : void 0;
+}
+//#endregion
+//#region src/session/session.ts
+const sessionRoutesFactory = defineRoutes().create(({ services, config }) => {
+	return [defineRoute({
+		method: "POST",
+		path: "/sign-out",
+		inputSchema: z.object({ sessionId: z.string().optional() }).optional(),
+		outputSchema: z.object({ success: z.boolean() }),
+		errorCodes: ["session_not_found"],
+		handler: () => {}
+	}), defineRoute({
+		method: "GET",
+		path: "/me",
+		queryParameters: ["sessionId"],
+		outputSchema: z.object({
+			user: z.object({
+				id: z.string(),
+				email: z.string(),
+				role: z.enum(["user", "admin"])
+			}),
+			organizations: z.array(z.object({
+				organization: organizationSchema,
+				member: memberSchema
+			})),
+			activeOrganization: z.object({
+				organization: organizationSchema,
+				member: memberSchema
+			}).nullable(),
+			invitations: z.array(z.object({
+				invitation: invitationSummarySchema,
+				organization: organizationSchema
+			}))
+		}),
+		errorCodes: ["session_invalid"],
+		handler: () => {}
+	})];
+});
+//#endregion
+//#region src/user/user-actions.ts
+const userActionsRoutesFactory = defineRoutes().create(({ services, config }) => {
+	return [
+		defineRoute({
+			method: "PATCH",
+			path: "/users/:userId/role",
+			inputSchema: z.object({ role: z.enum(["user", "admin"]) }),
+			outputSchema: z.object({ success: z.boolean() }),
+			errorCodes: [
+				"invalid_input",
+				"session_invalid",
+				"permission_denied"
+			],
+			handler: () => {}
+		}),
+		defineRoute({
+			method: "POST",
+			path: "/sign-up",
+			inputSchema: z.object({
+				email: z.email(),
+				password: z.string().min(8).max(100)
+			}),
+			outputSchema: z.object({
+				sessionId: z.string(),
+				userId: z.string(),
+				email: z.string(),
+				role: z.enum(["user", "admin"])
+			}),
+			errorCodes: [
+				"email_already_exists",
+				"invalid_input",
+				"email_password_disabled"
+			],
+			handler: () => {}
+		}),
+		defineRoute({
+			method: "POST",
+			path: "/sign-in",
+			inputSchema: z.object({
+				email: z.email(),
+				password: z.string().min(8).max(100),
+				session: sessionSeedSchema.optional()
+			}),
+			outputSchema: z.object({
+				sessionId: z.string(),
+				userId: z.string(),
+				email: z.string(),
+				role: z.enum(["user", "admin"])
+			}),
+			errorCodes: [
+				"invalid_credentials",
+				"user_banned",
+				"email_password_disabled"
+			],
+			handler: () => {}
+		}),
+		defineRoute({
+			method: "POST",
+			path: "/change-password",
+			inputSchema: z.object({ newPassword: z.string().min(8).max(100) }),
+			outputSchema: z.object({ success: z.boolean() }),
+			errorCodes: ["session_invalid"],
+			handler: () => {}
+		})
+	];
+});
+//#endregion
+//#region src/user/user-overview.ts
+const sortBySchema = z.enum(["email", "createdAt"]);
+const userOverviewRoutesFactory = defineRoutes().create(({ services }) => {
+	return [defineRoute({
+		method: "GET",
+		path: "/users",
+		queryParameters: [
+			"search",
+			"sortBy",
+			"sortOrder",
+			"pageSize",
+			"cursor"
+		],
+		outputSchema: z.object({
+			users: z.array(z.object({
+				id: z.string(),
+				email: z.string(),
+				role: z.enum(["user", "admin"]),
+				createdAt: z.string()
+			})),
+			cursor: z.string().optional(),
+			hasNextPage: z.boolean(),
+			sortBy: sortBySchema
+		}),
+		errorCodes: ["invalid_input"],
+		handler: () => {}
+	})];
+});
+//#endregion
+//#region src/oauth/utils.ts
+const DEFAULT_STATE_TTL_MS = 10 * 60 * 1e3;
+const createAuthorizationURL = (params) => {
+	const url = new URL(params.authorizationEndpoint);
+	url.searchParams.set("response_type", "code");
+	url.searchParams.set("client_id", params.clientId);
+	url.searchParams.set("redirect_uri", params.redirectURI);
+	url.searchParams.set("state", params.state);
+	if (params.scopes && params.scopes.length > 0) url.searchParams.set("scope", params.scopes.join(" "));
+	if (params.prompt) url.searchParams.set("prompt", params.prompt);
+	if (params.loginHint) url.searchParams.set("login_hint", params.loginHint);
+	if (params.codeChallenge) {
+		url.searchParams.set("code_challenge", params.codeChallenge);
+		url.searchParams.set("code_challenge_method", params.codeChallengeMethod ?? "S256");
+	}
+	if (params.extraParams) {
+		for (const [key, value] of Object.entries(params.extraParams)) if (typeof value === "string" && value.length > 0) url.searchParams.set(key, value);
+	}
+	return url;
+};
+const parseScopes = (scopeValue) => {
+	if (typeof scopeValue !== "string") return void 0;
+	const scopes = scopeValue.split(/[,\s]+/).map((scope) => scope.trim()).filter(Boolean);
+	return scopes.length > 0 ? scopes : void 0;
+};
+const readNumber = (value) => {
+	if (typeof value === "number") return Number.isFinite(value) ? value : void 0;
+	if (typeof value === "string") {
+		const parsed = Number(value);
+		return Number.isFinite(parsed) ? parsed : void 0;
+	}
+	return void 0;
+};
+const normalizeOAuthTokens = (response) => {
+	const accessToken = typeof response["access_token"] === "string" ? response["access_token"] : void 0;
+	const refreshToken = typeof response["refresh_token"] === "string" ? response["refresh_token"] : void 0;
+	const tokenType = typeof response["token_type"] === "string" ? response["token_type"] : void 0;
+	const idToken = typeof response["id_token"] === "string" ? response["id_token"] : void 0;
+	const expiresIn = readNumber(response["expires_in"]);
+	const accessTokenExpiresAt = expiresIn ? new Date(Date.now() + expiresIn * 1e3) : void 0;
+	return {
+		accessToken,
+		refreshToken,
+		tokenType,
+		idToken,
+		accessTokenExpiresAt,
+		scopes: parseScopes(response["scope"]),
+		raw: response
+	};
+};
+const parseOAuthTokenResponse = async (response) => {
+	const contentType = response.headers.get("content-type") ?? "";
+	const status = response.status;
+	let data;
+	try {
+		if (contentType.includes("application/json")) data = await response.json();
+		else {
+			const text = await response.text();
+			data = Object.fromEntries(new URLSearchParams(text));
+		}
+	} catch (err) {
+		return {
+			ok: false,
+			status,
+			error: err instanceof Error ? err.message : "Invalid token response"
+		};
+	}
+	if (!response.ok) {
+		const message = typeof data.error_description === "string" ? data.error_description : typeof data.error === "string" ? data.error : `Token request failed with status ${status}`;
+		return {
+			ok: false,
+			status,
+			error: message,
+			data
+		};
+	}
+	if (!data || typeof data !== "object") return {
+		ok: false,
+		status,
+		error: "Token response was empty"
+	};
+	return {
+		ok: true,
+		data
+	};
+};
+//#endregion
+//#region src/oauth/providers/github/github.ts
+const defaultScopes = ["read:user", "user:email"];
+const defaultUserAgent = "fragno-auth";
+const tokenEndpoint = "https://github.com/login/oauth/access_token";
+const profileEndpoint = "https://api.github.com/user";
+const emailsEndpoint = "https://api.github.com/user/emails";
+const createGithubOAuthClient = (options) => {
+	const fetcher = options?.fetcher ?? fetch;
+	const userAgent = options?.userAgent ?? defaultUserAgent;
+	return {
+		exchangeCode: async ({ code, redirectURI, clientId, clientSecret, codeVerifier }) => {
+			const body = new URLSearchParams({
+				client_id: clientId,
+				client_secret: clientSecret,
+				code,
+				redirect_uri: redirectURI
+			});
+			if (codeVerifier) body.set("code_verifier", codeVerifier);
+			const response = await fetcher(tokenEndpoint, {
+				method: "POST",
+				headers: {
+					accept: "application/json",
+					"content-type": "application/x-www-form-urlencoded"
+				},
+				body
+			});
+			const parsed = await parseOAuthTokenResponse(response);
+			if (!parsed.ok) return null;
+			return normalizeOAuthTokens(parsed.data);
+		},
+		fetchProfile: async (accessToken) => {
+			const response = await fetcher(profileEndpoint, { headers: {
+				"User-Agent": userAgent,
+				authorization: `Bearer ${accessToken}`
+			} });
+			if (!response.ok) return null;
+			return await response.json();
+		},
+		fetchEmails: async (accessToken) => {
+			const response = await fetcher(emailsEndpoint, { headers: {
+				"User-Agent": userAgent,
+				authorization: `Bearer ${accessToken}`
+			} });
+			if (!response.ok) return [];
+			return await response.json();
+		}
+	};
+};
+const github = (options) => {
+	const client = options.client ?? createGithubOAuthClient();
+	const authorizationEndpoint = options.authorizationEndpoint ?? "https://github.com/login/oauth/authorize";
+	return {
+		id: "github",
+		name: "GitHub",
+		options,
+		createAuthorizationURL({ state, scopes, loginHint, redirectURI }) {
+			const resolvedScopes = options.disableDefaultScope ? [] : [...defaultScopes];
+			if (options.scope) resolvedScopes.push(...options.scope);
+			if (scopes) resolvedScopes.push(...scopes);
+			return createAuthorizationURL({
+				authorizationEndpoint,
+				clientId: options.clientId,
+				redirectURI,
+				state,
+				scopes: resolvedScopes,
+				prompt: options.prompt,
+				loginHint: loginHint ?? void 0,
+				extraParams: loginHint ? { login: loginHint } : void 0
+			});
+		},
+		validateAuthorizationCode: async ({ code, redirectURI, codeVerifier }) => {
+			return client.exchangeCode({
+				code,
+				redirectURI,
+				clientId: options.clientId,
+				clientSecret: options.clientSecret,
+				codeVerifier
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken,
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			if (!token.accessToken) return null;
+			const profile = await client.fetchProfile(token.accessToken);
+			if (!profile) return null;
+			const emails = await client.fetchEmails(token.accessToken);
+			if (!profile.email && emails.length > 0) profile.email = (emails.find((entry) => entry.primary) ?? emails[0])?.email;
+			const emailVerified = emails.find((entry) => entry.email === profile.email)?.verified ?? false;
+			const mapped = await options.mapProfileToUser?.(profile);
+			return {
+				user: {
+					id: profile.id,
+					name: profile.name || profile.login,
+					email: profile.email ?? null,
+					image: profile.avatar_url,
+					emailVerified,
+					...mapped
+				},
+				data: profile
+			};
+		}
+	};
+};
+//#endregion
+//#region src/index.ts
+const authFragmentDefinition = defineFragment("auth").extend((x) => x).providesBaseService(() => {}).build();
+function createAuthFragment(config = {}, fragnoConfig) {
+	return {};
+}
+function createAuthFragmentClients(fragnoConfig) {
+	const config = { ...fragnoConfig };
+	const b = createClientBuilder(authFragmentDefinition, config, [
+		userActionsRoutesFactory,
+		sessionRoutesFactory,
+		userOverviewRoutesFactory,
+		organizationRoutesFactory,
+		oauthRoutesFactory
+	], {
+		type: "options",
+		options: { credentials: "include" }
+	});
+	const useMe = b.createHook("/me");
+	const useSignUp = b.createMutator("POST", "/sign-up");
+	const useSignIn = b.createMutator("POST", "/sign-in");
+	const useSignOut = b.createMutator("POST", "/sign-out", (invalidate) => {
+		invalidate("GET", "/me", {});
+		invalidate("GET", "/users", {});
+	});
+	const useUsers = b.createHook("/users");
+	const useUpdateUserRole = b.createMutator("PATCH", "/users/:userId/role", (invalidate) => {
+		invalidate("GET", "/users", {});
+		invalidate("GET", "/me", {});
+	});
+	const useChangePassword = b.createMutator("POST", "/change-password");
+	const useOrganizations = b.createHook("/organizations");
+	const useOrganization = b.createHook("/organizations/:organizationId");
+	const useCreateOrganization = b.createMutator("POST", "/organizations", (invalidate) => {
+		invalidate("GET", "/organizations", {});
+		invalidate("GET", "/organizations/active", {});
+		invalidate("GET", "/me", {});
+	});
+	const useUpdateOrganization = b.createMutator("PATCH", "/organizations/:organizationId", (invalidate, params) => {
+		const organizationId = params.pathParams.organizationId;
+		if (organizationId) {
+			invalidate("GET", "/organizations/:organizationId", { pathParams: { organizationId } });
+			invalidate("GET", "/organizations/:organizationId/members", { pathParams: { organizationId } });
+			invalidate("GET", "/organizations/:organizationId/invitations", { pathParams: { organizationId } });
+		}
+		invalidate("GET", "/organizations", {});
+		invalidate("GET", "/organizations/active", {});
+		invalidate("GET", "/me", {});
+	});
+	const useDeleteOrganization = b.createMutator("DELETE", "/organizations/:organizationId", (invalidate, params) => {
+		const organizationId = params.pathParams.organizationId;
+		if (organizationId) {
+			invalidate("GET", "/organizations/:organizationId", { pathParams: { organizationId } });
+			invalidate("GET", "/organizations/:organizationId/members", { pathParams: { organizationId } });
+			invalidate("GET", "/organizations/:organizationId/invitations", { pathParams: { organizationId } });
+		}
+		invalidate("GET", "/organizations", {});
+		invalidate("GET", "/organizations/active", {});
+		invalidate("GET", "/me", {});
+	});
+	const useActiveOrganization = b.createHook("/organizations/active");
+	const useSetActiveOrganization = b.createMutator("POST", "/organizations/active", (invalidate) => {
+		invalidate("GET", "/organizations/active", {});
+		invalidate("GET", "/me", {});
+	});
+	const useOrganizationMembers = b.createHook("/organizations/:organizationId/members");
+	const useAddOrganizationMember = b.createMutator("POST", "/organizations/:organizationId/members", (invalidate, params) => {
+		const organizationId = params.pathParams.organizationId;
+		if (!organizationId) return;
+		invalidate("GET", "/organizations/:organizationId/members", { pathParams: { organizationId } });
+		invalidate("GET", "/organizations/:organizationId", { pathParams: { organizationId } });
+		invalidate("GET", "/organizations", {});
+		invalidate("GET", "/me", {});
+	});
+	const useUpdateOrganizationMemberRoles = b.createMutator("PATCH", "/organizations/:organizationId/members/:memberId", (invalidate, params) => {
+		const organizationId = params.pathParams.organizationId;
+		if (!organizationId) return;
+		invalidate("GET", "/organizations/:organizationId/members", { pathParams: { organizationId } });
+		invalidate("GET", "/organizations/:organizationId", { pathParams: { organizationId } });
+		invalidate("GET", "/organizations", {});
+		invalidate("GET", "/me", {});
+	});
+	const useRemoveOrganizationMember = b.createMutator("DELETE", "/organizations/:organizationId/members/:memberId", (invalidate, params) => {
+		const organizationId = params.pathParams.organizationId;
+		if (!organizationId) return;
+		invalidate("GET", "/organizations/:organizationId/members", { pathParams: { organizationId } });
+		invalidate("GET", "/organizations/:organizationId", { pathParams: { organizationId } });
+		invalidate("GET", "/organizations", {});
+		invalidate("GET", "/me", {});
+	});
+	const useOrganizationInvitations = b.createHook("/organizations/:organizationId/invitations");
+	const useInviteOrganizationMember = b.createMutator("POST", "/organizations/:organizationId/invitations", (invalidate, params) => {
+		const organizationId = params.pathParams.organizationId;
+		if (!organizationId) return;
+		invalidate("GET", "/organizations/:organizationId/invitations", { pathParams: { organizationId } });
+	});
+	const useRespondOrganizationInvitation = b.createMutator("PATCH", "/organizations/invitations/:invitationId", (invalidate) => {
+		invalidate("GET", "/organizations/invitations", {});
+		invalidate("GET", "/organizations", {});
+		invalidate("GET", "/organizations/active", {});
+		invalidate("GET", "/me", {});
+	});
+	const useUserInvitations = b.createHook("/organizations/invitations");
+	const useOAuthAuthorize = b.createHook("/oauth/:provider/authorize");
+	const useOAuthCallback = b.createHook("/oauth/:provider/callback");
+	const readRawMe = async (params) => {
+		if (params?.sessionId) return useMe.query({ query: { sessionId: params.sessionId } });
+		return useMe.query();
+	};
+	const defaultOrganizationPreference = createDefaultOrganizationPreferenceState({
+		meStore: useMe.store(),
+		readMe: readRawMe,
+		getAccountId: (me) => me.user.id
+	});
+	return {
+		useSignUp,
+		useSignIn,
+		useSignOut,
+		useMe,
+		useDefaultOrganizationPreference: b.createStore(defaultOrganizationPreference.store),
+		useUsers,
+		useUpdateUserRole,
+		useChangePassword,
+		useOrganizations,
+		useOrganization,
+		useCreateOrganization,
+		useUpdateOrganization,
+		useDeleteOrganization,
+		useActiveOrganization,
+		useSetActiveOrganization,
+		useOrganizationMembers,
+		useAddOrganizationMember,
+		useUpdateOrganizationMemberRoles,
+		useRemoveOrganizationMember,
+		useOrganizationInvitations,
+		useInviteOrganizationMember,
+		useRespondOrganizationInvitation,
+		useUserInvitations,
+		useOAuthAuthorize,
+		useOAuthCallback,
+		signIn: { email: async ({ email, password, session, rememberMe: _rememberMe }) => {
+			return useSignIn.mutateQuery({ body: {
+				email,
+				password,
+				session
+			} });
+		} },
+		signUp: { email: async ({ email, password }) => {
+			return useSignUp.mutateQuery({ body: {
+				email,
+				password
+			} });
+		} },
+		signOut: (params) => {
+			return useSignOut.mutateQuery({ body: params?.sessionId ? { sessionId: params.sessionId } : {} });
+		},
+		me: defaultOrganizationPreference.me,
+		defaultOrganization: defaultOrganizationPreference.defaultOrganization,
+		oauth: {
+			getAuthorizationUrl: async (params) => {
+				return useOAuthAuthorize.query({
+					path: { provider: params.provider },
+					query: {
+						redirectUri: params.redirectUri,
+						returnTo: params.returnTo,
+						link: params.link ? "true" : void 0,
+						sessionId: params.sessionId,
+						session: serializeSessionSeedForQuery(params.session),
+						scope: params.scope,
+						loginHint: params.loginHint
+					}
+				});
+			},
+			callback: async (params) => {
+				return useOAuthCallback.query({
+					path: { provider: params.provider },
+					query: {
+						code: params.code,
+						state: params.state,
+						requestSignUp: params.requestSignUp ? "true" : void 0
+					}
+				});
+			}
+		}
+	};
+}
+//#endregion
+export { DEFAULT_ORGANIZATION_CHANGE_EVENT, DEFAULT_ORGANIZATION_STORAGE_KEY, NO_ORGANIZATIONS_ERROR_MESSAGE, authFragmentDefinition, clearDefaultOrganizationId, createAuthFragment, createAuthFragmentClients, createGithubOAuthClient, findOrganizationEntry, getDefaultOrganizationChangeEventName, getDefaultOrganizationStorageKey, github, readDefaultOrganizationId, resolveDefaultOrganization, setDefaultOrganizationForMe, subscribeToDefaultOrganizationPreference, syncDefaultOrganizationPreference, writeDefaultOrganizationId };
+//# sourceMappingURL=src-Ck4bl2NH.js.map