@gello/auth 0.1.0 → 0.1.2

package/index.cjs

@@ -1,3074 +0,0 @@
-"use strict";
-var __create = Object.create;
-var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getProtoOf = Object.getPrototypeOf;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
-};
-var __copyProps = (to, from, except, desc) => {
-  if (from && typeof from === "object" || typeof from === "function") {
-    for (let key of __getOwnPropNames(from))
-      if (!__hasOwnProp.call(to, key) && key !== except)
-        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
-  }
-  return to;
-};
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
-  // If the importer is in node compatibility mode or this is not an ESM
-  // file that has been converted to a CommonJS file using a Babel-
-  // compatible transform (i.e. "__esModule" has not been set), then set
-  // "default" to the CommonJS "module.exports" for node compatibility.
-  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
-  mod
-));
-var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
-
-// libs/publishable/auth/src/index.ts
-var index_exports = {};
-__export(index_exports, {
-  AbilitiesLive: () => AbilitiesLive,
-  AbilitiesTag: () => AbilitiesTag,
-  AbstractProvider: () => AbstractProvider,
-  Auth: () => Auth,
-  AuthError: () => AuthError,
-  AuthGuard: () => AuthGuard,
-  AuthServiceLive: () => AuthServiceLive,
-  AuthTag: () => AuthTag,
-  AuthenticatedUserTag: () => AuthenticatedUserTag,
-  AuthenticationError: () => AuthenticationError,
-  AuthorizationError: () => AuthorizationError,
-  CommonAbilities: () => CommonAbilities,
-  CsrfMismatchError: () => CsrfMismatchError,
-  CsrfToken: () => CsrfToken,
-  CsrfTokenTag: () => CsrfTokenTag,
-  CurrentSessionTag: () => CurrentSessionTag,
-  ForbiddenError: () => ForbiddenError,
-  FullTestAuthLayer: () => FullTestAuthLayer,
-  GithubProvider: () => GithubProvider,
-  GoogleProvider: () => GoogleProvider,
-  HashedToken: () => HashedToken,
-  HashingError: () => HashingError,
-  InsufficientScopeError: () => InsufficientScopeError,
-  InvalidPasswordError: () => InvalidPasswordError,
-  JwtError: () => JwtError,
-  JwtServiceLive: () => JwtServiceLive,
-  JwtServiceTag: () => JwtServiceTag,
-  MemorySessionStoreLive: () => MemorySessionStoreLive,
-  MockPasswordHasherLive: () => MockPasswordHasherLive,
-  MockTokenHasherLive: () => MockTokenHasherLive,
-  MockTokenStoreLive: () => MockTokenStoreLive,
-  MockUserProviderLive: () => MockUserProviderLive,
-  NewLogin: () => NewLogin,
-  NewLoginMailable: () => NewLoginMailable,
-  OAuthConfigError: () => OAuthConfigError,
-  OAuthError: () => OAuthError,
-  OAuthProviderNotFoundError: () => OAuthProviderNotFoundError,
-  OAuthStateMismatchError: () => OAuthStateMismatchError,
-  OAuthTokenError: () => OAuthTokenError,
-  OAuthUserError: () => OAuthUserError,
-  PasswordChanged: () => PasswordChanged,
-  PasswordHasherTag: () => PasswordHasherTag,
-  PersonalAccessToken: () => PersonalAccessToken,
-  PlainTextToken: () => PlainTextToken,
-  RateLimitError: () => RateLimitError,
-  ResetPassword: () => ResetPassword,
-  ResetPasswordMailable: () => ResetPasswordMailable,
-  Session: () => Session,
-  SessionError: () => SessionError,
-  SessionExpiredError: () => SessionExpiredError,
-  SessionId: () => SessionId,
-  SessionNotFoundError: () => SessionNotFoundError,
-  SessionStoreTag: () => SessionStoreTag,
-  Social: () => Social,
-  SocialLive: () => SocialLive,
-  SocialTag: () => SocialTag,
-  SocialToken: () => SocialToken,
-  SocialUser: () => SocialUser,
-  TestAuthLayer: () => TestAuthLayer,
-  TestSessionLayer: () => TestSessionLayer,
-  TokenExpiredError: () => TokenExpiredError,
-  TokenHasherTag: () => TokenHasherTag,
-  TokenId: () => TokenId,
-  TokenNotFoundError: () => TokenNotFoundError,
-  TokenServiceLive: () => TokenServiceLive,
-  TokenServiceTag: () => TokenServiceTag,
-  TokenStoreTag: () => TokenStoreTag,
-  UserId: () => UserId,
-  UserNotFoundError: () => UserNotFoundError,
-  UserProviderTag: () => UserProviderTag,
-  VerifyEmail: () => VerifyEmail,
-  VerifyEmailMailable: () => VerifyEmailMailable,
-  WelcomeEmail: () => WelcomeEmail,
-  WelcomeEmailMailable: () => WelcomeEmailMailable,
-  actingAs: () => actingAs,
-  actingAsLayer: () => actingAsLayer,
-  assertAuthenticated: () => assertAuthenticated,
-  assertCan: () => assertCan,
-  assertCannot: () => assertCannot,
-  assertGuest: () => assertGuest,
-  assertHasScope: () => assertHasScope,
-  assertLacksScope: () => assertLacksScope,
-  authenticate: () => authenticate,
-  authorize: () => authorize,
-  authorizeAction: () => authorizeMiddleware,
-  authorizeAll: () => authorizeAll,
-  authorizeAny: () => authorizeAny,
-  authorizeMiddleware: () => authorizeMiddleware,
-  can: () => can,
-  cannot: () => cannot,
-  createAbilities: () => createAbilities,
-  createAuthenticatedUser: () => createAuthenticatedUser,
-  createGithubProvider: () => createGithubProvider,
-  createGoogleProvider: () => createGoogleProvider,
-  createMockUser: () => createMockUser,
-  csrf: () => csrf,
-  currentUser: () => currentUser,
-  defaultCsrfConfig: () => defaultCsrfConfig,
-  defaultSessionConfig: () => defaultSessionConfig,
-  defineAbilitiesFor: () => defineAbilitiesFor,
-  endSession: () => endSession,
-  generateCsrfCookie: () => generateCsrfCookie,
-  getSessionData: () => getSessionData,
-  getSubjectType: () => getSubjectType,
-  hasApiTokens: () => hasApiTokens,
-  hasScope: () => hasScope,
-  isAuthenticated: () => isAuthenticated,
-  makeJwtService: () => makeJwtService,
-  makeMemorySessionStore: () => makeMemorySessionStore,
-  makeMockPasswordHasher: () => makeMockPasswordHasher,
-  makeMockTokenHasher: () => makeMockTokenHasher,
-  makeMockTokenStore: () => makeMockTokenStore,
-  makeMockUserProvider: () => makeMockUserProvider,
-  makeSocialService: () => makeSocialService,
-  matchAction: () => matchAction,
-  matchConditions: () => matchConditions,
-  matchSubject: () => matchSubject,
-  newLogin: () => newLogin,
-  requireAdmin: () => requireAdmin,
-  requireAny: () => requireAny,
-  requireScope: () => requireScope,
-  resetPassword: () => resetPassword,
-  session: () => session,
-  setSessionData: () => setSessionData,
-  startSession: () => startSession,
-  tokenScope: () => tokenScope,
-  tokenScopes: () => tokenScopes,
-  verifyCsrfToken: () => verifyCsrfToken,
-  verifyEmail: () => verifyEmail,
-  welcomeEmail: () => welcomeEmail,
-  withApiTokens: () => withApiTokens
-});
-module.exports = __toCommonJS(index_exports);
-
-// libs/auth/core/src/lib/domain/types.ts
-var import_effect = require("effect");
-var TokenId = import_effect.Brand.nominal();
-var PlainTextToken = import_effect.Brand.nominal();
-var HashedToken = import_effect.Brand.nominal();
-var UserId = import_effect.Brand.nominal();
-var PersonalAccessToken = {
-  /**
-   * Generate a new TokenId
-   */
-  generateId: () => TokenId(crypto.randomUUID()),
-  /**
-   * Generate a random plain text token
-   */
-  generatePlainText: () => {
-    const bytes = new Uint8Array(32);
-    crypto.getRandomValues(bytes);
-    const token = Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
-    return PlainTextToken(token);
-  },
-  /**
-   * Check if token has a specific scope
-   */
-  hasScope: (token, scope) => {
-    if (token.scopes.includes("*")) return true;
-    return token.scopes.includes(scope);
-  },
-  /**
-   * Check if token has all specified scopes
-   */
-  hasAllScopes: (token, scopes) => {
-    return scopes.every((scope) => PersonalAccessToken.hasScope(token, scope));
-  },
-  /**
-   * Check if token has any of the specified scopes
-   */
-  hasAnyScope: (token, scopes) => {
-    return scopes.some((scope) => PersonalAccessToken.hasScope(token, scope));
-  },
-  /**
-   * Check if token is expired
-   */
-  isExpired: (token) => {
-    if (!token.expiresAt) return false;
-    return /* @__PURE__ */ new Date() > token.expiresAt;
-  }
-};
-var AuthGuard = {
-  authenticated: (user) => ({
-    _tag: "Authenticated",
-    user
-  }),
-  guest: () => ({
-    _tag: "Guest"
-  }),
-  isAuthenticated: (guard) => guard._tag === "Authenticated",
-  isGuest: (guard) => guard._tag === "Guest"
-};
-
-// libs/auth/core/src/lib/domain/errors.ts
-var import_effect2 = require("effect");
-var AuthError = class extends import_effect2.Data.TaggedError("AuthError") {
-};
-var AuthenticationError = class extends import_effect2.Data.TaggedError("AuthenticationError") {
-};
-var TokenNotFoundError = class extends import_effect2.Data.TaggedError("TokenNotFoundError") {
-};
-var TokenExpiredError = class extends import_effect2.Data.TaggedError("TokenExpiredError") {
-};
-var InsufficientScopeError = class extends import_effect2.Data.TaggedError("InsufficientScopeError") {
-};
-var UserNotFoundError = class extends import_effect2.Data.TaggedError("UserNotFoundError") {
-};
-var HashingError = class extends import_effect2.Data.TaggedError("HashingError") {
-};
-var InvalidPasswordError = class extends import_effect2.Data.TaggedError("InvalidPasswordError") {
-};
-var RateLimitError = class extends import_effect2.Data.TaggedError("RateLimitError") {
-};
-
-// libs/auth/core/src/lib/ports/TokenStore.ts
-var import_effect3 = require("effect");
-var TokenStoreTag = class extends import_effect3.Context.Tag("@gello/auth/TokenStore")() {
-};
-
-// libs/auth/core/src/lib/ports/PasswordHasher.ts
-var import_effect4 = require("effect");
-var PasswordHasherTag = class extends import_effect4.Context.Tag("@gello/auth/PasswordHasher")() {
-};
-var TokenHasherTag = class extends import_effect4.Context.Tag("@gello/auth/TokenHasher")() {
-};
-
-// libs/auth/core/src/lib/ports/Authenticatable.ts
-var import_effect5 = require("effect");
-var UserProviderTag = class extends import_effect5.Context.Tag("@gello/auth/UserProvider")() {
-};
-
-// libs/auth/core/src/lib/services/TokenService.ts
-var import_effect6 = require("effect");
-var TokenServiceTag = class extends import_effect6.Context.Tag("@gello/auth/TokenService")() {
-};
-var TokenServiceLive = import_effect6.Layer.effect(
-  TokenServiceTag,
-  import_effect6.Effect.gen(function* () {
-    const store = yield* TokenStoreTag;
-    const hasher = yield* TokenHasherTag;
-    const service = {
-      createToken: (userId, name, scopes = ["*"], expiresAt) => import_effect6.Effect.gen(function* () {
-        const plainTextToken = PersonalAccessToken.generatePlainText();
-        const hashedToken = HashedToken(hasher.hash(plainTextToken));
-        const token = {
-          id: PersonalAccessToken.generateId(),
-          userId,
-          name,
-          token: hashedToken,
-          scopes,
-          expiresAt,
-          createdAt: /* @__PURE__ */ new Date()
-        };
-        const savedToken = yield* store.create(token);
-        return {
-          accessToken: savedToken,
-          plainTextToken
-        };
-      }),
-      verifyToken: (plainTextToken) => import_effect6.Effect.gen(function* () {
-        const hashedToken = HashedToken(hasher.hash(plainTextToken));
-        const maybeToken = yield* store.findByToken(hashedToken);
-        if (import_effect6.Option.isNone(maybeToken)) {
-          return yield* import_effect6.Effect.fail(
-            new AuthenticationError({
-              message: "Invalid token",
-              reason: "invalid_token"
-            })
-          );
-        }
-        const token = maybeToken.value;
-        if (PersonalAccessToken.isExpired(token)) {
-          return yield* import_effect6.Effect.fail(
-            new TokenExpiredError({
-              message: "Token has expired",
-              tokenId: token.id,
-              expiredAt: token.expiresAt
-            })
-          );
-        }
-        yield* store.updateLastUsed(token.id, /* @__PURE__ */ new Date()).pipe(import_effect6.Effect.catchAll(() => import_effect6.Effect.void));
-        return token;
-      }),
-      getUserTokens: (userId) => store.findByUser(userId),
-      revokeToken: (tokenId) => store.delete(tokenId),
-      revokeAllTokens: (userId) => store.deleteByUser(userId),
-      pruneExpiredTokens: () => store.deleteExpired()
-    };
-    return service;
-  })
-);
-
-// libs/auth/core/src/lib/services/Auth.ts
-var import_effect7 = require("effect");
-var AuthTag = class extends import_effect7.Context.Tag("@gello/auth/Auth")() {
-};
-var AuthServiceLive = import_effect7.Layer.effect(
-  AuthTag,
-  import_effect7.Effect.gen(function* () {
-    const userProvider = yield* UserProviderTag;
-    const passwordHasher = yield* PasswordHasherTag;
-    const tokenService = yield* TokenServiceTag;
-    const service = {
-      attempt: (email, password) => import_effect7.Effect.gen(function* () {
-        const maybeUser = yield* userProvider.findByEmail(email);
-        if (import_effect7.Option.isNone(maybeUser)) {
-          return yield* import_effect7.Effect.fail(
-            new AuthenticationError({
-              message: "Invalid credentials",
-              reason: "invalid_credentials"
-            })
-          );
-        }
-        const user = maybeUser.value;
-        const isValid = yield* passwordHasher.verify(password, user.password).pipe(
-          import_effect7.Effect.mapError(
-            () => new AuthenticationError({
-              message: "Invalid credentials",
-              reason: "invalid_credentials"
-            })
-          )
-        );
-        if (!isValid) {
-          return yield* import_effect7.Effect.fail(
-            new AuthenticationError({
-              message: "Invalid credentials",
-              reason: "invalid_credentials"
-            })
-          );
-        }
-        return user;
-      }),
-      authenticateWithToken: (token) => import_effect7.Effect.gen(function* () {
-        const accessToken = yield* tokenService.verifyToken(token).pipe(
-          import_effect7.Effect.mapError(
-            (e) => new AuthenticationError({
-              message: e.message,
-              reason: e._tag === "TokenExpiredError" ? "expired_token" : "invalid_token"
-            })
-          )
-        );
-        const maybeUser = yield* userProvider.findById(accessToken.userId);
-        if (import_effect7.Option.isNone(maybeUser)) {
-          return yield* import_effect7.Effect.fail(
-            new AuthenticationError({
-              message: "User not found",
-              reason: "invalid_token"
-            })
-          );
-        }
-        return {
-          id: accessToken.userId,
-          token: accessToken
-        };
-      }),
-      getUser: (userId) => import_effect7.Effect.gen(function* () {
-        const maybeUser = yield* userProvider.findById(userId);
-        if (import_effect7.Option.isNone(maybeUser)) {
-          return yield* import_effect7.Effect.fail(
-            new UserNotFoundError({
-              message: "User not found",
-              userId
-            })
-          );
-        }
-        return maybeUser.value;
-      }),
-      createToken: (userId, name, scopes, expiresAt) => tokenService.createToken(userId, name, scopes, expiresAt),
-      getTokens: (userId) => tokenService.getUserTokens(userId),
-      revokeToken: (tokenId) => tokenService.revokeToken(tokenId).pipe(
-        import_effect7.Effect.catchAll(() => import_effect7.Effect.void)
-      ),
-      revokeAllTokens: (userId) => tokenService.revokeAllTokens(userId),
-      hashPassword: (password) => passwordHasher.hash(password).pipe(
-        import_effect7.Effect.catchAll(() => import_effect7.Effect.succeed(""))
-      ),
-      needsRehash: (hash) => passwordHasher.needsRehash(hash)
-    };
-    return service;
-  })
-);
-
-// libs/auth/core/src/lib/mixins/HasApiTokens.ts
-var import_effect8 = require("effect");
-function withApiTokens(user) {
-  return {
-    ...user,
-    createToken(name, scopes, expiresAt) {
-      return import_effect8.Effect.gen(function* () {
-        const tokenService = yield* TokenServiceTag;
-        return yield* tokenService.createToken(user.id, name, scopes, expiresAt);
-      });
-    },
-    tokens() {
-      return import_effect8.Effect.gen(function* () {
-        const tokenService = yield* TokenServiceTag;
-        return yield* tokenService.getUserTokens(user.id);
-      });
-    },
-    revokeToken(tokenId) {
-      return import_effect8.Effect.gen(function* () {
-        const tokenService = yield* TokenServiceTag;
-        return yield* tokenService.revokeToken(tokenId).pipe(
-          import_effect8.Effect.catchAll(() => import_effect8.Effect.void)
-        );
-      });
-    },
-    revokeAllTokens() {
-      return import_effect8.Effect.gen(function* () {
-        const tokenService = yield* TokenServiceTag;
-        return yield* tokenService.revokeAllTokens(user.id);
-      });
-    }
-  };
-}
-function hasApiTokens(obj) {
-  return typeof obj === "object" && obj !== null && "id" in obj && "createToken" in obj && "tokens" in obj;
-}
-
-// libs/auth/core/src/lib/middleware/authenticate.ts
-var import_effect9 = require("effect");
-var import_platform = require("@effect/platform");
-var AuthenticatedUserTag = class extends import_effect9.Context.Tag("@gello/auth/AuthenticatedUser")() {
-};
-var extractBearerToken = (header) => {
-  if (!header) return null;
-  const match = header.match(/^Bearer\s+(.+)$/i);
-  return match ? match[1] : null;
-};
-var authenticate = (options = {}) => ({
-  name: "authenticate",
-  apply: (effect) => import_effect9.Effect.gen(function* () {
-    const request = yield* import_platform.HttpServerRequest.HttpServerRequest;
-    const auth = yield* AuthTag;
-    const authHeader = request.headers["authorization"];
-    const token = extractBearerToken(authHeader);
-    if (!token) {
-      if (options.optional) {
-        return yield* effect;
-      }
-      return import_platform.HttpServerResponse.json(
-        { error: "Authentication required" },
-        { status: 401 }
-      );
-    }
-    const authResult = yield* auth.authenticateWithToken(token).pipe(
-      import_effect9.Effect.either
-    );
-    if (authResult._tag === "Left") {
-      if (options.optional) {
-        return yield* effect;
-      }
-      const error = authResult.left;
-      return import_platform.HttpServerResponse.json(
-        { error: error.message },
-        { status: 401 }
-      );
-    }
-    const user = authResult.right;
-    return yield* effect.pipe(
-      import_effect9.Effect.provideService(AuthenticatedUserTag, user)
-    );
-  })
-});
-authenticate.optional = () => {
-  const base = authenticate({ optional: true });
-  return {
-    ...base,
-    name: "authenticate.optional"
-  };
-};
-var currentUser = () => import_effect9.Effect.flatMap(
-  import_effect9.Effect.either(AuthenticatedUserTag),
-  (result) => result._tag === "Right" ? import_effect9.Effect.succeed(result.right) : import_effect9.Effect.fail(
-    new AuthenticationError({
-      message: "Not authenticated",
-      reason: "missing_token"
-    })
-  )
-);
-var isAuthenticated = () => import_effect9.Effect.map(import_effect9.Effect.either(AuthenticatedUserTag), (result) => result._tag === "Right");
-
-// libs/auth/core/src/lib/middleware/scopes.ts
-var import_effect10 = require("effect");
-var import_platform2 = require("@effect/platform");
-var tokenScopes = (...requiredScopes) => ({
-  name: "tokenScopes",
-  apply: (effect) => import_effect10.Effect.gen(function* () {
-    const user = yield* AuthenticatedUserTag;
-    if (!user.token) {
-      return yield* effect;
-    }
-    const hasAll = PersonalAccessToken.hasAllScopes(user.token, requiredScopes);
-    if (!hasAll) {
-      return import_platform2.HttpServerResponse.json(
-        {
-          error: "Insufficient scope",
-          required: requiredScopes,
-          provided: user.token.scopes
-        },
-        { status: 403 }
-      );
-    }
-    return yield* effect;
-  })
-});
-var tokenScope = (...allowedScopes) => ({
-  name: "tokenScope",
-  apply: (effect) => import_effect10.Effect.gen(function* () {
-    const user = yield* AuthenticatedUserTag;
-    if (!user.token) {
-      return yield* effect;
-    }
-    const hasAny = PersonalAccessToken.hasAnyScope(user.token, allowedScopes);
-    if (!hasAny) {
-      return import_platform2.HttpServerResponse.json(
-        {
-          error: "Insufficient scope",
-          required: `One of: ${allowedScopes.join(", ")}`,
-          provided: user.token.scopes
-        },
-        { status: 403 }
-      );
-    }
-    return yield* effect;
-  })
-});
-var hasScope = (scope) => import_effect10.Effect.gen(function* () {
-  const user = yield* AuthenticatedUserTag;
-  if (!user.token) return true;
-  return PersonalAccessToken.hasScope(user.token, scope);
-});
-var requireScope = (scope) => import_effect10.Effect.gen(function* () {
-  const user = yield* AuthenticatedUserTag;
-  if (!user.token) return;
-  if (!PersonalAccessToken.hasScope(user.token, scope)) {
-    return yield* import_effect10.Effect.fail(
-      new InsufficientScopeError({
-        message: `Token lacks required scope: ${scope}`,
-        required: [scope],
-        provided: user.token.scopes
-      })
-    );
-  }
-});
-
-// libs/auth/session/src/lib/domain/types.ts
-var import_effect11 = require("effect");
-var SessionId = import_effect11.Brand.nominal();
-var CsrfToken = import_effect11.Brand.nominal();
-var Session = {
-  /**
-   * Generate a new SessionId
-   */
-  generateId: () => SessionId(crypto.randomUUID()),
-  /**
-   * Generate a CSRF token
-   */
-  generateCsrfToken: () => {
-    const bytes = new Uint8Array(32);
-    crypto.getRandomValues(bytes);
-    return CsrfToken(
-      Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("")
-    );
-  },
-  /**
-   * Create a new session
-   */
-  make: (userId, options) => {
-    const now = /* @__PURE__ */ new Date();
-    const lifetime = options?.lifetime ?? import_effect11.Duration.hours(2);
-    const expiresAt = new Date(now.getTime() + import_effect11.Duration.toMillis(lifetime));
-    return {
-      id: Session.generateId(),
-      userId,
-      data: options?.data ?? {},
-      ipAddress: options?.ipAddress,
-      userAgent: options?.userAgent,
-      lastActivity: now,
-      createdAt: now,
-      expiresAt
-    };
-  },
-  /**
-   * Check if session is expired
-   */
-  isExpired: (session2) => {
-    return /* @__PURE__ */ new Date() > session2.expiresAt;
-  },
-  /**
-   * Extend session expiration
-   */
-  touch: (session2, lifetime) => {
-    const now = /* @__PURE__ */ new Date();
-    return {
-      ...session2,
-      lastActivity: now,
-      expiresAt: new Date(now.getTime() + import_effect11.Duration.toMillis(lifetime))
-    };
-  }
-};
-var defaultSessionConfig = {
-  cookieName: "gello_session",
-  lifetime: import_effect11.Duration.hours(2),
-  path: "/",
-  secure: true,
-  httpOnly: true,
-  sameSite: "lax"
-};
-
-// libs/auth/session/src/lib/domain/errors.ts
-var import_effect12 = require("effect");
-var SessionError = class extends import_effect12.Data.TaggedError("SessionError") {
-};
-var SessionNotFoundError = class extends import_effect12.Data.TaggedError("SessionNotFoundError") {
-};
-var SessionExpiredError = class extends import_effect12.Data.TaggedError("SessionExpiredError") {
-};
-var CsrfMismatchError = class extends import_effect12.Data.TaggedError("CsrfMismatchError") {
-};
-var JwtError = class extends import_effect12.Data.TaggedError("JwtError") {
-};
-
-// libs/auth/session/src/lib/ports/SessionStore.ts
-var import_effect13 = require("effect");
-var SessionStoreTag = class extends import_effect13.Context.Tag("@gello/auth/SessionStore")() {
-};
-
-// libs/auth/session/src/lib/drivers/MemorySessionStore.ts
-var import_effect14 = require("effect");
-var makeMemorySessionStore = () => {
-  const sessions = /* @__PURE__ */ new Map();
-  return {
-    get: (id) => import_effect14.Effect.sync(() => {
-      const session2 = sessions.get(id);
-      if (!session2) return import_effect14.Option.none();
-      if (/* @__PURE__ */ new Date() > session2.expiresAt) {
-        sessions.delete(id);
-        return import_effect14.Option.none();
-      }
-      return import_effect14.Option.some(session2);
-    }),
-    put: (session2) => import_effect14.Effect.sync(() => {
-      sessions.set(session2.id, session2);
-    }),
-    destroy: (id) => import_effect14.Effect.sync(() => {
-      if (!sessions.has(id)) {
-        throw new SessionNotFoundError({
-          message: "Session not found",
-          sessionId: id
-        });
-      }
-      sessions.delete(id);
-    }),
-    destroyByUser: (userId) => import_effect14.Effect.sync(() => {
-      let count = 0;
-      for (const [id, session2] of sessions) {
-        if (session2.userId === userId) {
-          sessions.delete(id);
-          count++;
-        }
-      }
-      return count;
-    }),
-    touch: (id, lifetime) => import_effect14.Effect.sync(() => {
-      const session2 = sessions.get(id);
-      if (!session2) {
-        throw new SessionNotFoundError({
-          message: "Session not found",
-          sessionId: id
-        });
-      }
-      const now = /* @__PURE__ */ new Date();
-      sessions.set(id, {
-        ...session2,
-        lastActivity: now,
-        expiresAt: new Date(now.getTime() + import_effect14.Duration.toMillis(lifetime))
-      });
-    }),
-    gc: (maxLifetime) => import_effect14.Effect.sync(() => {
-      const now = /* @__PURE__ */ new Date();
-      const cutoff = new Date(now.getTime() - import_effect14.Duration.toMillis(maxLifetime));
-      let count = 0;
-      for (const [id, session2] of sessions) {
-        if (session2.expiresAt < now || session2.lastActivity < cutoff) {
-          sessions.delete(id);
-          count++;
-        }
-      }
-      return count;
-    })
-  };
-};
-var MemorySessionStoreLive = import_effect14.Layer.succeed(
-  SessionStoreTag,
-  makeMemorySessionStore()
-);
-
-// libs/auth/session/src/lib/services/JwtService.ts
-var import_effect15 = require("effect");
-var JwtServiceTag = class extends import_effect15.Context.Tag("@gello/auth/JwtService")() {
-};
-var base64urlEncode = (data) => {
-  const base64 = Buffer.from(data).toString("base64");
-  return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
-};
-var base64urlDecode = (data) => {
-  const base64 = data.replace(/-/g, "+").replace(/_/g, "/");
-  const pad = base64.length % 4;
-  const padded = pad ? base64 + "=".repeat(4 - pad) : base64;
-  return Buffer.from(padded, "base64").toString("utf-8");
-};
-var hmacSha256 = async (data, secret) => {
-  const encoder = new TextEncoder();
-  const key = await crypto.subtle.importKey(
-    "raw",
-    encoder.encode(secret),
-    { name: "HMAC", hash: "SHA-256" },
-    false,
-    ["sign"]
-  );
-  const signature = await crypto.subtle.sign("HMAC", key, encoder.encode(data));
-  const base64 = Buffer.from(signature).toString("base64");
-  return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
-};
-var makeJwtService = (secret) => {
-  return {
-    sign: (payload, expiresInSeconds = 3600) => import_effect15.Effect.tryPromise({
-      try: async () => {
-        const now = Math.floor(Date.now() / 1e3);
-        const fullPayload = {
-          ...payload,
-          iat: now,
-          exp: now + expiresInSeconds
-        };
-        const header = base64urlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" }));
-        const body = base64urlEncode(JSON.stringify(fullPayload));
-        const signature = await hmacSha256(`${header}.${body}`, secret);
-        return `${header}.${body}.${signature}`;
-      },
-      catch: (e) => new JwtError({
-        message: "Failed to sign JWT",
-        reason: "malformed",
-        cause: e
-      })
-    }),
-    verify: (token) => import_effect15.Effect.tryPromise({
-      try: async () => {
-        const parts = token.split(".");
-        if (parts.length !== 3) {
-          throw new JwtError({
-            message: "Invalid JWT format",
-            reason: "malformed"
-          });
-        }
-        const [header, body, signature] = parts;
-        const expectedSignature = await hmacSha256(`${header}.${body}`, secret);
-        if (signature !== expectedSignature) {
-          throw new JwtError({
-            message: "Invalid JWT signature",
-            reason: "invalid"
-          });
-        }
-        const payload = JSON.parse(base64urlDecode(body));
-        const now = Math.floor(Date.now() / 1e3);
-        if (payload.exp && payload.exp < now) {
-          throw new JwtError({
-            message: "JWT has expired",
-            reason: "expired"
-          });
-        }
-        return payload;
-      },
-      catch: (e) => {
-        if (e instanceof JwtError) return e;
-        return new JwtError({
-          message: "Failed to verify JWT",
-          reason: "malformed",
-          cause: e
-        });
-      }
-    }),
-    decode: (token) => import_effect15.Effect.try({
-      try: () => {
-        const parts = token.split(".");
-        if (parts.length !== 3) {
-          throw new JwtError({
-            message: "Invalid JWT format",
-            reason: "malformed"
-          });
-        }
-        return JSON.parse(base64urlDecode(parts[1]));
-      },
-      catch: (e) => {
-        if (e instanceof JwtError) return e;
-        return new JwtError({
-          message: "Failed to decode JWT",
-          reason: "malformed",
-          cause: e
-        });
-      }
-    })
-  };
-};
-var JwtServiceLive = (secret) => import_effect15.Layer.succeed(JwtServiceTag, makeJwtService(secret));
-
-// libs/auth/session/src/lib/middleware/session.ts
-var import_effect16 = require("effect");
-var import_platform3 = require("@effect/platform");
-var CurrentSessionTag = class extends import_effect16.Context.Tag("@gello/auth/CurrentSession")() {
-};
-var parseCookies = (header) => {
-  const cookies = /* @__PURE__ */ new Map();
-  if (!header) return cookies;
-  header.split(";").forEach((cookie) => {
-    const [name, ...rest] = cookie.trim().split("=");
-    if (name) {
-      cookies.set(name, rest.join("="));
-    }
-  });
-  return cookies;
-};
-var session = (options = {}) => {
-  const config = { ...defaultSessionConfig, ...options };
-  return {
-    name: "session",
-    apply: (effect) => import_effect16.Effect.gen(function* () {
-      const request = yield* import_platform3.HttpServerRequest.HttpServerRequest;
-      const store = yield* SessionStoreTag;
-      const cookies = parseCookies(request.headers["cookie"]);
-      const sessionId = cookies.get(config.cookieName);
-      let currentSession = null;
-      if (sessionId) {
-        const maybeSession = yield* store.get(SessionId(sessionId));
-        if (import_effect16.Option.isSome(maybeSession)) {
-          const sess = maybeSession.value;
-          if (!Session.isExpired(sess)) {
-            yield* store.touch(sess.id, config.lifetime).pipe(
-              import_effect16.Effect.catchAll(() => import_effect16.Effect.void)
-            );
-            currentSession = Session.touch(sess, config.lifetime);
-          }
-        }
-      }
-      if (!currentSession && !options.optional) {
-        return import_platform3.HttpServerResponse.json(
-          { error: "Session required" },
-          { status: 401 }
-        );
-      }
-      if (currentSession) {
-        return yield* effect.pipe(
-          import_effect16.Effect.provideService(CurrentSessionTag, currentSession)
-        );
-      }
-      return yield* effect;
-    })
-  };
-};
-session.optional = () => {
-  const base = session({ optional: true });
-  return {
-    ...base,
-    name: "session.optional"
-  };
-};
-var startSession = (user, config = defaultSessionConfig, data = {}) => import_effect16.Effect.gen(function* () {
-  const store = yield* SessionStoreTag;
-  const request = yield* import_platform3.HttpServerRequest.HttpServerRequest;
-  const newSession = Session.make(user.id, {
-    data,
-    ipAddress: request.headers["x-forwarded-for"] ?? request.headers["x-real-ip"],
-    userAgent: request.headers["user-agent"],
-    lifetime: config.lifetime
-  });
-  yield* store.put(newSession);
-  const cookieParts = [
-    `${config.cookieName}=${newSession.id}`,
-    `Path=${config.path}`,
-    `Max-Age=${Math.floor(import_effect16.Duration.toSeconds(config.lifetime))}`,
-    config.httpOnly ? "HttpOnly" : "",
-    config.secure ? "Secure" : "",
-    `SameSite=${config.sameSite}`,
-    config.domain ? `Domain=${config.domain}` : ""
-  ].filter(Boolean);
-  return {
-    session: newSession,
-    cookie: cookieParts.join("; ")
-  };
-});
-var endSession = (config = defaultSessionConfig) => import_effect16.Effect.gen(function* () {
-  const session2 = yield* CurrentSessionTag;
-  const store = yield* SessionStoreTag;
-  yield* store.destroy(session2.id).pipe(import_effect16.Effect.catchAll(() => import_effect16.Effect.void));
-  const cookieParts = [
-    `${config.cookieName}=`,
-    `Path=${config.path}`,
-    `Max-Age=0`,
-    config.httpOnly ? "HttpOnly" : "",
-    config.secure ? "Secure" : "",
-    `SameSite=${config.sameSite}`
-  ].filter(Boolean);
-  return cookieParts.join("; ");
-});
-var getSessionData = (key) => import_effect16.Effect.gen(function* () {
-  const session2 = yield* CurrentSessionTag;
-  return session2.data[key];
-});
-var setSessionData = (key, value) => import_effect16.Effect.gen(function* () {
-  const session2 = yield* CurrentSessionTag;
-  const store = yield* SessionStoreTag;
-  const updatedSession = {
-    ...session2,
-    data: { ...session2.data, [key]: value }
-  };
-  yield* store.put(updatedSession);
-});
-
-// libs/auth/session/src/lib/middleware/csrf.ts
-var import_effect17 = require("effect");
-var import_platform4 = require("@effect/platform");
-var CsrfTokenTag = class extends import_effect17.Context.Tag("@gello/auth/CsrfToken")() {
-};
-var defaultCsrfConfig = {
-  cookieName: "XSRF-TOKEN",
-  headerName: "X-XSRF-TOKEN",
-  protectedMethods: ["POST", "PUT", "PATCH", "DELETE"],
-  path: "/",
-  secure: true,
-  sameSite: "lax"
-};
-var parseCookies2 = (header) => {
-  const cookies = /* @__PURE__ */ new Map();
-  if (!header) return cookies;
-  header.split(";").forEach((cookie) => {
-    const [name, ...rest] = cookie.trim().split("=");
-    if (name) {
-      cookies.set(name, rest.join("="));
-    }
-  });
-  return cookies;
-};
-var csrf = (config = {}) => {
-  const cfg = { ...defaultCsrfConfig, ...config };
-  return {
-    name: "csrf",
-    apply: (effect) => import_effect17.Effect.gen(function* () {
-      const request = yield* import_platform4.HttpServerRequest.HttpServerRequest;
-      const method = request.method.toUpperCase();
-      if (!cfg.protectedMethods.includes(method)) {
-        return yield* effect;
-      }
-      const cookies = parseCookies2(request.headers["cookie"]);
-      const cookieToken = cookies.get(cfg.cookieName);
-      const headerToken = request.headers[cfg.headerName.toLowerCase()];
-      if (!cookieToken || !headerToken) {
-        return import_platform4.HttpServerResponse.json(
-          { error: "CSRF token missing" },
-          { status: 419 }
-        );
-      }
-      if (cookieToken !== headerToken) {
-        return import_platform4.HttpServerResponse.json(
-          { error: "CSRF token mismatch" },
-          { status: 419 }
-        );
-      }
-      return yield* effect.pipe(
-        import_effect17.Effect.provideService(CsrfTokenTag, CsrfToken(cookieToken))
-      );
-    })
-  };
-};
-var generateCsrfCookie = (config = {}) => {
-  const cfg = { ...defaultCsrfConfig, ...config };
-  return import_effect17.Effect.sync(() => {
-    const token = Session.generateCsrfToken();
-    const cookieParts = [
-      `${cfg.cookieName}=${token}`,
-      `Path=${cfg.path}`,
-      // Not HttpOnly so JS can read it
-      cfg.secure ? "Secure" : "",
-      `SameSite=${cfg.sameSite}`
-    ].filter(Boolean);
-    return cookieParts.join("; ");
-  });
-};
-var verifyCsrfToken = (expected, provided) => import_effect17.Effect.gen(function* () {
-  if (expected !== provided) {
-    return yield* import_effect17.Effect.fail(
-      new CsrfMismatchError({
-        message: "CSRF token mismatch"
-      })
-    );
-  }
-});
-
-// libs/auth/authorization/src/lib/domain/types.ts
-var getSubjectType = (subject) => {
-  if (typeof subject === "string") return subject;
-  return subject.constructor.name;
-};
-var matchAction = (ruleAction, action) => {
-  const actions = Array.isArray(ruleAction) ? ruleAction : [ruleAction];
-  return actions.includes(action) || actions.includes("manage");
-};
-var matchSubject = (ruleSubject, subject) => {
-  const subjects = Array.isArray(ruleSubject) ? ruleSubject : [ruleSubject];
-  const subjectType = getSubjectType(subject);
-  return subjects.some((s) => {
-    if (s === "all") return true;
-    if (typeof s === "string") return s === subjectType;
-    return s === subject;
-  });
-};
-var matchConditions = (conditions, subject) => {
-  if (!conditions) return true;
-  if (typeof subject === "string") return true;
-  return Object.entries(conditions).every(([key, value]) => {
-    return subject[key] === value;
-  });
-};
-var createAbilities = (rules) => {
-  const can2 = (action, subject) => {
-    const matchingRules = rules.filter(
-      (rule) => matchAction(rule.action, action) && matchSubject(rule.subject, subject) && matchConditions(rule.conditions, subject)
-    );
-    if (matchingRules.length === 0) return false;
-    const hasInverted = matchingRules.some((r) => r.inverted);
-    const hasPositive = matchingRules.some((r) => !r.inverted);
-    if (hasInverted) return false;
-    return hasPositive;
-  };
-  const cannot2 = (action, subject) => !can2(action, subject);
-  const relevantRuleFor = (action, subject) => {
-    return rules.find(
-      (rule) => matchAction(rule.action, action) && matchSubject(rule.subject, subject) && matchConditions(rule.conditions, subject)
-    );
-  };
-  return {
-    rules,
-    can: can2,
-    cannot: cannot2,
-    relevantRuleFor
-  };
-};
-
-// libs/auth/authorization/src/lib/domain/errors.ts
-var import_effect18 = require("effect");
-var AuthorizationError = class extends import_effect18.Data.TaggedError("AuthorizationError") {
-};
-var ForbiddenError = class extends import_effect18.Data.TaggedError("ForbiddenError") {
-};
-
-// libs/auth/authorization/src/lib/services/AbilityBuilder.ts
-function defineAbilitiesFor(user, define) {
-  const rules = [];
-  const context = {
-    user,
-    can: (action, subject, conditions) => {
-      rules.push({
-        action: Array.isArray(action) ? action : [action],
-        subject: Array.isArray(subject) ? subject : [subject],
-        conditions,
-        inverted: false
-      });
-    },
-    cannot: (action, subject, conditions, reason) => {
-      rules.push({
-        action: Array.isArray(action) ? action : [action],
-        subject: Array.isArray(subject) ? subject : [subject],
-        conditions,
-        inverted: true,
-        reason
-      });
-    }
-  };
-  define(context);
-  return createAbilities(rules);
-}
-var CommonAbilities = {
-  /**
-   * CRUD abilities for a resource
-   */
-  crud: (subject) => ["create", "read", "update", "delete"],
-  /**
-   * Full management (includes all actions)
-   */
-  manage: "manage",
-  /**
-   * All subjects wildcard
-   */
-  all: "all"
-};
-
-// libs/auth/authorization/src/lib/services/Abilities.ts
-var import_effect19 = require("effect");
-var AbilitiesTag = class extends import_effect19.Context.Tag("@gello/auth/Abilities")() {
-};
-var can = (action, subject) => import_effect19.Effect.gen(function* () {
-  const abilities = yield* AbilitiesTag;
-  return abilities.can(action, subject);
-});
-var cannot = (action, subject) => import_effect19.Effect.gen(function* () {
-  const abilities = yield* AbilitiesTag;
-  return abilities.cannot(action, subject);
-});
-var authorize = (action, subject) => import_effect19.Effect.gen(function* () {
-  const abilities = yield* AbilitiesTag;
-  const allowed = abilities.can(action, subject);
-  if (!allowed) {
-    const rule = abilities.relevantRuleFor(action, subject);
-    return yield* import_effect19.Effect.fail(
-      new ForbiddenError({
-        message: rule?.reason ?? `You are not authorized to ${action} this ${getSubjectType(subject)}`,
-        action,
-        subject: getSubjectType(subject),
-        rule
-      })
-    );
-  }
-});
-var authorizeAll = (actions, subject) => import_effect19.Effect.gen(function* () {
-  for (const action of actions) {
-    yield* authorize(action, subject);
-  }
-});
-var authorizeAny = (actions, subject) => import_effect19.Effect.gen(function* () {
-  const abilities = yield* AbilitiesTag;
-  const hasAny = actions.some((action) => abilities.can(action, subject));
-  if (!hasAny) {
-    return yield* import_effect19.Effect.fail(
-      new ForbiddenError({
-        message: `You are not authorized to perform any of [${actions.join(", ")}] on this ${getSubjectType(subject)}`,
-        action: actions[0],
-        subject: getSubjectType(subject)
-      })
-    );
-  }
-});
-var AbilitiesLive = (abilities) => import_effect19.Layer.succeed(AbilitiesTag, abilities);
-
-// libs/auth/authorization/src/lib/middleware/authorize.ts
-var import_effect20 = require("effect");
-var import_platform5 = require("@effect/platform");
-var authorizeMiddleware = (action, getSubject, options = {}) => ({
-  name: "authorize",
-  apply: (effect) => import_effect20.Effect.gen(function* () {
-    const abilities = yield* AbilitiesTag;
-    const subject = getSubject ? yield* getSubject().pipe(import_effect20.Effect.catchAll(() => import_effect20.Effect.succeed(action))) : action;
-    const allowed = abilities.can(action, subject);
-    if (!allowed) {
-      const subjectType = getSubjectType(subject);
-      const message = options.message ?? `You are not authorized to ${action} ${subjectType}`;
-      const status = options.status ?? 403;
-      return import_platform5.HttpServerResponse.json({ error: message }, { status });
-    }
-    return yield* effect;
-  })
-});
-var requireAdmin = (options = {}) => {
-  const base = authorizeMiddleware("manage", () => import_effect20.Effect.succeed("all"), options);
-  return {
-    ...base,
-    name: "requireAdmin"
-  };
-};
-var requireAny = (actions, getSubject, options = {}) => ({
-  name: "requireAny",
-  apply: (effect) => import_effect20.Effect.gen(function* () {
-    const abilities = yield* AbilitiesTag;
-    const subject = getSubject ? yield* getSubject().pipe(import_effect20.Effect.catchAll(() => import_effect20.Effect.succeed(actions[0]))) : actions[0];
-    const hasAny = actions.some((action) => abilities.can(action, subject));
-    if (!hasAny) {
-      const message = options.message ?? `You are not authorized to perform this action`;
-      const status = options.status ?? 403;
-      return import_platform5.HttpServerResponse.json({ error: message }, { status });
-    }
-    return yield* effect;
-  })
-});
-
-// libs/auth/social/src/lib/domain/SocialUser.ts
-var SocialUser = {
-  make: (provider, data) => ({
-    id: data.id,
-    email: data.email ?? null,
-    name: data.name ?? null,
-    firstName: data.firstName ?? null,
-    lastName: data.lastName ?? null,
-    avatar: data.avatar ?? null,
-    nickname: data.nickname ?? null,
-    provider,
-    raw: data.raw ?? {}
-  })
-};
-
-// libs/auth/social/src/lib/domain/SocialToken.ts
-var SocialToken = {
-  make: (data) => ({
-    accessToken: data.accessToken,
-    refreshToken: data.refreshToken ?? null,
-    expiresAt: data.expiresAt ?? (data.expiresIn ? new Date(Date.now() + data.expiresIn * 1e3) : null),
-    tokenType: data.tokenType ?? "Bearer",
-    scopes: typeof data.scope === "string" ? data.scope.split(" ") : data.scope ?? []
-  }),
-  /**
-   * Check if token is expired
-   */
-  isExpired: (token) => {
-    if (!token.expiresAt) return false;
-    return /* @__PURE__ */ new Date() > token.expiresAt;
-  },
-  /**
-   * Check if token can be refreshed
-   */
-  canRefresh: (token) => {
-    return token.refreshToken !== null;
-  }
-};
-
-// libs/auth/social/src/lib/domain/errors.ts
-var import_effect21 = require("effect");
-var OAuthError = class extends import_effect21.Data.TaggedError("OAuthError") {
-};
-var OAuthConfigError = class extends import_effect21.Data.TaggedError("OAuthConfigError") {
-};
-var OAuthStateMismatchError = class extends import_effect21.Data.TaggedError("OAuthStateMismatchError") {
-};
-var OAuthTokenError = class extends import_effect21.Data.TaggedError("OAuthTokenError") {
-};
-var OAuthUserError = class extends import_effect21.Data.TaggedError("OAuthUserError") {
-};
-var OAuthProviderNotFoundError = class extends import_effect21.Data.TaggedError("OAuthProviderNotFoundError") {
-};
-
-// libs/auth/social/src/lib/providers/AbstractProvider.ts
-var import_effect22 = require("effect");
-var AbstractProvider = class {
-  config;
-  constructor(config) {
-    this.config = config;
-  }
-  /**
-   * Build the authorization URL
-   */
-  getAuthorizationUrl(scopes, state) {
-    const allScopes = [.../* @__PURE__ */ new Set([...this.defaultScopes, ...scopes])];
-    const params = new URLSearchParams({
-      client_id: this.config.clientId,
-      redirect_uri: this.config.redirectUri,
-      response_type: "code",
-      scope: allScopes.join(" "),
-      state
-    });
-    return `${this.authorizationUrl}?${params.toString()}`;
-  }
-  /**
-   * Exchange code for access token
-   */
-  getAccessToken(code) {
-    return import_effect22.Effect.tryPromise({
-      try: async () => {
-        const response = await fetch(this.tokenUrl, {
-          method: "POST",
-          headers: {
-            "Content-Type": "application/x-www-form-urlencoded",
-            Accept: "application/json"
-          },
-          body: new URLSearchParams({
-            client_id: this.config.clientId,
-            client_secret: this.config.clientSecret,
-            code,
-            redirect_uri: this.config.redirectUri,
-            grant_type: "authorization_code"
-          })
-        });
-        if (!response.ok) {
-          const error = await response.json().catch(() => ({}));
-          throw new OAuthTokenError({
-            message: "Failed to exchange code for token",
-            provider: this.name,
-            error: error["error"],
-            errorDescription: error["error_description"]
-          });
-        }
-        const data = await response.json();
-        return SocialToken.make({
-          accessToken: data["access_token"],
-          refreshToken: data["refresh_token"],
-          expiresIn: data["expires_in"],
-          tokenType: data["token_type"],
-          scope: data["scope"]
-        });
-      },
-      catch: (e) => {
-        if (e instanceof OAuthTokenError) return e;
-        return new OAuthTokenError({
-          message: "Failed to exchange code for token",
-          provider: this.name,
-          error: String(e)
-        });
-      }
-    });
-  }
-  /**
-   * Refresh access token
-   */
-  refreshToken(refreshToken) {
-    return import_effect22.Effect.tryPromise({
-      try: async () => {
-        const response = await fetch(this.tokenUrl, {
-          method: "POST",
-          headers: {
-            "Content-Type": "application/x-www-form-urlencoded",
-            Accept: "application/json"
-          },
-          body: new URLSearchParams({
-            client_id: this.config.clientId,
-            client_secret: this.config.clientSecret,
-            refresh_token: refreshToken,
-            grant_type: "refresh_token"
-          })
-        });
-        if (!response.ok) {
-          const error = await response.json().catch(() => ({}));
-          throw new OAuthTokenError({
-            message: "Failed to refresh token",
-            provider: this.name,
-            error: error["error"],
-            errorDescription: error["error_description"]
-          });
-        }
-        const data = await response.json();
-        return SocialToken.make({
-          accessToken: data["access_token"],
-          refreshToken: data["refresh_token"] ?? refreshToken,
-          expiresIn: data["expires_in"],
-          tokenType: data["token_type"],
-          scope: data["scope"]
-        });
-      },
-      catch: (e) => {
-        if (e instanceof OAuthTokenError) return e;
-        return new OAuthTokenError({
-          message: "Failed to refresh token",
-          provider: this.name,
-          error: String(e)
-        });
-      }
-    });
-  }
-  /**
-   * Get user information
-   */
-  getUser(token) {
-    return import_effect22.Effect.tryPromise({
-      try: async () => {
-        const response = await fetch(this.userInfoUrl, {
-          headers: {
-            Authorization: `${token.tokenType} ${token.accessToken}`,
-            Accept: "application/json"
-          }
-        });
-        if (!response.ok) {
-          throw new OAuthUserError({
-            message: "Failed to fetch user info",
-            provider: this.name
-          });
-        }
-        const data = await response.json();
-        return this.parseUser(data);
-      },
-      catch: (e) => {
-        if (e instanceof OAuthUserError) return e;
-        return new OAuthUserError({
-          message: "Failed to fetch user info",
-          provider: this.name,
-          cause: e
-        });
-      }
-    });
-  }
-  /**
-   * Create a builder for fluent API
-   */
-  builder() {
-    let additionalScopes = [];
-    let isStateless = false;
-    let storedState = null;
-    const provider = this;
-    const builder = {
-      scopes: (scopes) => {
-        additionalScopes = scopes;
-        return builder;
-      },
-      stateless: () => {
-        isStateless = true;
-        return builder;
-      },
-      redirect: () => import_effect22.Effect.sync(() => {
-        storedState = crypto.randomUUID();
-        return provider.getAuthorizationUrl(additionalScopes, storedState);
-      }),
-      user: (code, state) => import_effect22.Effect.gen(function* () {
-        if (!isStateless && storedState && state !== storedState) {
-          return yield* import_effect22.Effect.fail(
-            new OAuthStateMismatchError({
-              message: "OAuth state mismatch",
-              provider: provider.name
-            })
-          );
-        }
-        const token = yield* provider.getAccessToken(code);
-        const user = yield* provider.getUser(token);
-        return { user, token };
-      })
-    };
-    return builder;
-  }
-};
-
-// libs/auth/social/src/lib/providers/GithubProvider.ts
-var GithubProvider = class extends AbstractProvider {
-  name = "github";
-  get authorizationUrl() {
-    return "https://github.com/login/oauth/authorize";
-  }
-  get tokenUrl() {
-    return "https://github.com/login/oauth/access_token";
-  }
-  get userInfoUrl() {
-    return "https://api.github.com/user";
-  }
-  get defaultScopes() {
-    return ["user:email"];
-  }
-  parseUser(data) {
-    return SocialUser.make("github", {
-      id: String(data["id"]),
-      email: data["email"],
-      name: data["name"],
-      nickname: data["login"],
-      avatar: data["avatar_url"],
-      raw: data
-    });
-  }
-};
-var createGithubProvider = (config) => {
-  return new GithubProvider(config);
-};
-
-// libs/auth/social/src/lib/providers/GoogleProvider.ts
-var GoogleProvider = class extends AbstractProvider {
-  name = "google";
-  get authorizationUrl() {
-    return "https://accounts.google.com/o/oauth2/v2/auth";
-  }
-  get tokenUrl() {
-    return "https://oauth2.googleapis.com/token";
-  }
-  get userInfoUrl() {
-    return "https://www.googleapis.com/oauth2/v2/userinfo";
-  }
-  get defaultScopes() {
-    return ["openid", "email", "profile"];
-  }
-  parseUser(data) {
-    return SocialUser.make("google", {
-      id: data["id"],
-      email: data["email"],
-      name: data["name"],
-      firstName: data["given_name"],
-      lastName: data["family_name"],
-      avatar: data["picture"],
-      raw: data
-    });
-  }
-  /**
-   * Override to add Google-specific parameters
-   */
-  getAuthorizationUrl(scopes, state) {
-    const allScopes = [.../* @__PURE__ */ new Set([...this.defaultScopes, ...scopes])];
-    const params = new URLSearchParams({
-      client_id: this.config.clientId,
-      redirect_uri: this.config.redirectUri,
-      response_type: "code",
-      scope: allScopes.join(" "),
-      state,
-      access_type: "offline",
-      // Get refresh token
-      prompt: "consent"
-      // Force consent screen
-    });
-    return `${this.authorizationUrl}?${params.toString()}`;
-  }
-};
-var createGoogleProvider = (config) => {
-  return new GoogleProvider(config);
-};
-
-// libs/auth/social/src/lib/services/Social.ts
-var import_effect23 = require("effect");
-var SocialTag = class extends import_effect23.Context.Tag("@gello/auth/Social")() {
-};
-var builtInProviders = {
-  github: (config) => new GithubProvider(config),
-  google: (config) => new GoogleProvider(config)
-};
-var makeSocialService = (config, customProviders = {}) => {
-  const allFactories = { ...builtInProviders, ...customProviders };
-  const providerInstances = /* @__PURE__ */ new Map();
-  const getProvider = (name) => {
-    let provider = providerInstances.get(name);
-    if (provider) return provider;
-    const providerConfig = config.providers[name];
-    if (!providerConfig) {
-      throw new OAuthProviderNotFoundError({
-        message: `OAuth provider "${name}" is not configured`,
-        provider: name
-      });
-    }
-    const factory = allFactories[name];
-    if (!factory) {
-      throw new OAuthProviderNotFoundError({
-        message: `OAuth provider "${name}" is not supported`,
-        provider: name
-      });
-    }
-    provider = factory(providerConfig);
-    providerInstances.set(name, provider);
-    return provider;
-  };
-  return {
-    driver: (name) => {
-      const provider = getProvider(name);
-      if ("builder" in provider && typeof provider.builder === "function") {
-        return provider.builder();
-      }
-      throw new Error(`Provider "${name}" does not support the builder pattern`);
-    },
-    hasProvider: (name) => {
-      return name in config.providers && name in allFactories;
-    },
-    providers: () => {
-      return Object.keys(config.providers).filter((name) => name in allFactories);
-    }
-  };
-};
-var SocialLive = (config, customProviders) => import_effect23.Layer.succeed(SocialTag, makeSocialService(config, customProviders));
-var Social = {
-  driver: (name) => import_effect23.Effect.gen(function* () {
-    const social = yield* SocialTag;
-    return social.driver(name);
-  }),
-  hasProvider: (name) => import_effect23.Effect.gen(function* () {
-    const social = yield* SocialTag;
-    return social.hasProvider(name);
-  }),
-  providers: () => import_effect23.Effect.gen(function* () {
-    const social = yield* SocialTag;
-    return social.providers();
-  })
-};
-
-// libs/mail/templates/src/lib/theme/defaultTheme.ts
-var defaultTheme = {
-  brand: {
-    name: "My App",
-    logoWidth: 120
-  },
-  colors: {
-    primary: "#3b82f6",
-    // Blue 500
-    secondary: "#64748b",
-    // Slate 500
-    background: "#ffffff",
-    surface: "#f8fafc",
-    // Slate 50
-    text: "#1e293b",
-    // Slate 800
-    muted: "#94a3b8",
-    // Slate 400
-    border: "#e2e8f0",
-    // Slate 200
-    success: "#22c55e",
-    // Green 500
-    warning: "#f59e0b",
-    // Amber 500
-    error: "#ef4444"
-    // Red 500
-  },
-  fonts: {
-    heading: "-apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif",
-    body: "-apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif",
-    mono: "ui-monospace, SFMono-Regular, 'SF Mono', Menlo, Consolas, monospace"
-  },
-  layout: {
-    maxWidth: 600,
-    padding: 24,
-    borderRadius: 8
-  }
-};
-
-// libs/mail/templates/src/lib/theme/ThemeProvider.tsx
-var React = __toESM(require("react"), 1);
-var import_jsx_runtime = require("react/jsx-runtime");
-var ThemeContext = React.createContext(defaultTheme);
-function useMailTheme() {
-  return React.useContext(ThemeContext);
-}
-function ThemeProvider({ theme, children }) {
-  return /* @__PURE__ */ (0, import_jsx_runtime.jsx)(ThemeContext.Provider, { value: theme, children });
-}
-
-// libs/mail/templates/src/lib/components/layout/BaseLayout.tsx
-var import_components = require("@react-email/components");
-var import_jsx_runtime2 = require("react/jsx-runtime");
-function BaseLayout({ theme, preview, children }) {
-  return /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(ThemeProvider, { theme, children: /* @__PURE__ */ (0, import_jsx_runtime2.jsxs)(import_components.Html, { children: [
-    /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(import_components.Head, {}),
-    preview && /* @__PURE__ */ (0, import_jsx_runtime2.jsx)("span", { style: { display: "none" }, children: preview }),
-    /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(import_components.Body, { style: bodyStyle(theme), children: /* @__PURE__ */ (0, import_jsx_runtime2.jsxs)(import_components.Container, { style: containerStyle(theme), children: [
-      /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(Header, {}),
-      /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(import_components.Section, { style: contentStyle(theme), children }),
-      /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(Footer, {})
-    ] }) })
-  ] }) });
-}
-function Header() {
-  const theme = useMailTheme();
-  return /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(import_components.Section, { style: headerStyle(theme), children: theme.brand.logo ? /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(import_components.Link, { href: theme.brand.website, children: /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(
-    import_components.Img,
-    {
-      src: theme.brand.logo,
-      width: theme.brand.logoWidth ?? 120,
-      alt: theme.brand.name,
-      style: { margin: "0 auto" }
-    }
-  ) }) : /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(import_components.Text, { style: brandTextStyle(theme), children: theme.brand.name }) });
-}
-function Footer() {
-  const theme = useMailTheme();
-  const footer = theme.footer;
-  if (!footer) return null;
-  return /* @__PURE__ */ (0, import_jsx_runtime2.jsxs)(import_components.Section, { style: footerStyle(theme), children: [
-    /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(import_components.Hr, { style: dividerStyle(theme) }),
-    footer.company && /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(import_components.Text, { style: footerTextStyle(theme), children: footer.company }),
-    footer.address && /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(import_components.Text, { style: footerTextStyle(theme), children: footer.address }),
-    footer.socialLinks && /* @__PURE__ */ (0, import_jsx_runtime2.jsxs)(import_components.Section, { style: { textAlign: "center", marginTop: "16px" }, children: [
-      footer.socialLinks.twitter && /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(import_components.Link, { href: footer.socialLinks.twitter, style: socialLinkStyle(theme), children: "Twitter" }),
-      footer.socialLinks.facebook && /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(import_components.Link, { href: footer.socialLinks.facebook, style: socialLinkStyle(theme), children: "Facebook" }),
-      footer.socialLinks.linkedin && /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(import_components.Link, { href: footer.socialLinks.linkedin, style: socialLinkStyle(theme), children: "LinkedIn" }),
-      footer.socialLinks.github && /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(import_components.Link, { href: footer.socialLinks.github, style: socialLinkStyle(theme), children: "GitHub" })
-    ] }),
-    footer.unsubscribeUrl && /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(import_components.Text, { style: unsubscribeStyle(theme), children: /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(import_components.Link, { href: footer.unsubscribeUrl, style: { color: theme.colors.muted }, children: "Unsubscribe" }) })
-  ] });
-}
-function bodyStyle(theme) {
-  return {
-    backgroundColor: theme.colors.surface,
-    fontFamily: theme.fonts.body,
-    margin: 0,
-    padding: "40px 0"
-  };
-}
-function containerStyle(theme) {
-  return {
-    maxWidth: `${theme.layout.maxWidth}px`,
-    margin: "0 auto",
-    backgroundColor: theme.colors.background,
-    borderRadius: `${theme.layout.borderRadius}px`,
-    overflow: "hidden"
-  };
-}
-function headerStyle(theme) {
-  return {
-    padding: `${theme.layout.padding}px`,
-    textAlign: "center",
-    borderBottom: `1px solid ${theme.colors.border}`
-  };
-}
-function brandTextStyle(theme) {
-  return {
-    fontSize: "24px",
-    fontWeight: "bold",
-    color: theme.colors.text,
-    fontFamily: theme.fonts.heading,
-    margin: 0
-  };
-}
-function contentStyle(theme) {
-  return {
-    padding: `${theme.layout.padding}px`
-  };
-}
-function footerStyle(theme) {
-  return {
-    padding: `${theme.layout.padding}px`,
-    textAlign: "center"
-  };
-}
-function footerTextStyle(theme) {
-  return {
-    fontSize: "12px",
-    color: theme.colors.muted,
-    margin: "4px 0",
-    lineHeight: "1.5"
-  };
-}
-function dividerStyle(theme) {
-  return {
-    borderColor: theme.colors.border,
-    borderTop: "none",
-    marginBottom: "16px"
-  };
-}
-function socialLinkStyle(theme) {
-  return {
-    color: theme.colors.muted,
-    fontSize: "12px",
-    marginRight: "16px",
-    textDecoration: "none"
-  };
-}
-function unsubscribeStyle(theme) {
-  return {
-    fontSize: "11px",
-    color: theme.colors.muted,
-    marginTop: "16px"
-  };
-}
-
-// libs/mail/templates/src/lib/components/layout/Section.tsx
-var import_components2 = require("@react-email/components");
-var import_jsx_runtime3 = require("react/jsx-runtime");
-function Section2({ children, padding = true, style }) {
-  const theme = useMailTheme();
-  return /* @__PURE__ */ (0, import_jsx_runtime3.jsx)(
-    import_components2.Section,
-    {
-      style: {
-        padding: padding ? `${theme.layout.padding / 2}px 0` : void 0,
-        ...style
-      },
-      children
-    }
-  );
-}
-
-// libs/mail/templates/src/lib/components/layout/Card.tsx
-var import_components3 = require("@react-email/components");
-var import_jsx_runtime4 = require("react/jsx-runtime");
-function Card({ children, style }) {
-  const theme = useMailTheme();
-  return /* @__PURE__ */ (0, import_jsx_runtime4.jsx)(
-    import_components3.Section,
-    {
-      style: {
-        backgroundColor: theme.colors.surface,
-        borderRadius: `${theme.layout.borderRadius}px`,
-        padding: `${theme.layout.padding}px`,
-        border: `1px solid ${theme.colors.border}`,
-        margin: "16px 0",
-        ...style
-      },
-      children
-    }
-  );
-}
-
-// libs/mail/templates/src/lib/components/layout/Divider.tsx
-var import_components4 = require("@react-email/components");
-var import_jsx_runtime5 = require("react/jsx-runtime");
-function Divider({ style }) {
-  const theme = useMailTheme();
-  return /* @__PURE__ */ (0, import_jsx_runtime5.jsx)(
-    import_components4.Hr,
-    {
-      style: {
-        borderColor: theme.colors.border,
-        borderTop: "none",
-        margin: "24px 0",
-        ...style
-      }
-    }
-  );
-}
-
-// libs/mail/templates/src/lib/components/layout/Spacer.tsx
-var import_components5 = require("@react-email/components");
-var import_jsx_runtime6 = require("react/jsx-runtime");
-
-// libs/mail/templates/src/lib/components/typography/Heading.tsx
-var import_components6 = require("@react-email/components");
-var import_jsx_runtime7 = require("react/jsx-runtime");
-var fontSizes = {
-  h1: 28,
-  h2: 24,
-  h3: 20,
-  h4: 18,
-  h5: 16,
-  h6: 14
-};
-var margins = {
-  h1: "0 0 16px 0",
-  h2: "24px 0 12px 0",
-  h3: "20px 0 10px 0",
-  h4: "16px 0 8px 0",
-  h5: "12px 0 6px 0",
-  h6: "8px 0 4px 0"
-};
-function Heading({ as = "h1", children, style }) {
-  const theme = useMailTheme();
-  return /* @__PURE__ */ (0, import_jsx_runtime7.jsx)(
-    import_components6.Heading,
-    {
-      as,
-      style: {
-        fontFamily: theme.fonts.heading,
-        fontSize: `${fontSizes[as]}px`,
-        fontWeight: "600",
-        color: theme.colors.text,
-        margin: margins[as],
-        lineHeight: "1.3",
-        ...style
-      },
-      children
-    }
-  );
-}
-
-// libs/mail/templates/src/lib/components/typography/Text.tsx
-var import_components7 = require("@react-email/components");
-var import_jsx_runtime8 = require("react/jsx-runtime");
-function Text2({
-  children,
-  muted = false,
-  small = false,
-  center = false,
-  style
-}) {
-  const theme = useMailTheme();
-  return /* @__PURE__ */ (0, import_jsx_runtime8.jsx)(
-    import_components7.Text,
-    {
-      style: {
-        fontFamily: theme.fonts.body,
-        fontSize: small ? "14px" : "16px",
-        color: muted ? theme.colors.muted : theme.colors.text,
-        lineHeight: "1.6",
-        margin: "0 0 16px 0",
-        textAlign: center ? "center" : void 0,
-        ...style
-      },
-      children
-    }
-  );
-}
-
-// libs/mail/templates/src/lib/components/typography/Link.tsx
-var import_components8 = require("@react-email/components");
-var import_jsx_runtime9 = require("react/jsx-runtime");
-
-// libs/mail/templates/src/lib/components/typography/Code.tsx
-var import_jsx_runtime10 = require("react/jsx-runtime");
-
-// libs/mail/templates/src/lib/components/actions/Button.tsx
-var import_components9 = require("@react-email/components");
-var import_jsx_runtime11 = require("react/jsx-runtime");
-function Button({
-  href,
-  children,
-  variant = "primary",
-  size = "md",
-  fullWidth = false,
-  style
-}) {
-  const theme = useMailTheme();
-  const sizes = {
-    sm: { padding: "8px 16px", fontSize: "14px" },
-    md: { padding: "12px 24px", fontSize: "16px" },
-    lg: { padding: "16px 32px", fontSize: "18px" }
-  };
-  const variants = {
-    primary: {
-      backgroundColor: theme.colors.primary,
-      color: "#ffffff",
-      border: "none"
-    },
-    secondary: {
-      backgroundColor: theme.colors.secondary,
-      color: "#ffffff",
-      border: "none"
-    },
-    outline: {
-      backgroundColor: "transparent",
-      color: theme.colors.primary,
-      border: `2px solid ${theme.colors.primary}`
-    }
-  };
-  return /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(
-    import_components9.Button,
-    {
-      href,
-      style: {
-        display: fullWidth ? "block" : "inline-block",
-        width: fullWidth ? "100%" : void 0,
-        textAlign: "center",
-        fontFamily: theme.fonts.body,
-        fontWeight: "600",
-        textDecoration: "none",
-        borderRadius: `${theme.layout.borderRadius}px`,
-        ...sizes[size],
-        ...variants[variant],
-        ...style
-      },
-      children
-    }
-  );
-}
-
-// libs/mail/templates/src/lib/components/data/Badge.tsx
-var import_jsx_runtime12 = require("react/jsx-runtime");
-
-// libs/mail/templates/src/lib/components/data/Alert.tsx
-var import_components10 = require("@react-email/components");
-var import_jsx_runtime13 = require("react/jsx-runtime");
-function Alert({
-  type = "info",
-  title,
-  children,
-  style
-}) {
-  const theme = useMailTheme();
-  const types = {
-    info: {
-      bg: "#eff6ff",
-      border: "#3b82f6",
-      title: "#1e40af",
-      text: "#1e3a5f"
-    },
-    success: {
-      bg: "#f0fdf4",
-      border: "#22c55e",
-      title: "#166534",
-      text: "#14532d"
-    },
-    warning: {
-      bg: "#fffbeb",
-      border: "#f59e0b",
-      title: "#92400e",
-      text: "#78350f"
-    },
-    error: {
-      bg: "#fef2f2",
-      border: "#ef4444",
-      title: "#991b1b",
-      text: "#7f1d1d"
-    }
-  };
-  const colors = types[type];
-  return /* @__PURE__ */ (0, import_jsx_runtime13.jsxs)(
-    import_components10.Section,
-    {
-      style: {
-        backgroundColor: colors.bg,
-        borderLeft: `4px solid ${colors.border}`,
-        borderRadius: `${theme.layout.borderRadius}px`,
-        padding: "16px",
-        margin: "16px 0",
-        ...style
-      },
-      children: [
-        title && /* @__PURE__ */ (0, import_jsx_runtime13.jsx)(
-          import_components10.Text,
-          {
-            style: {
-              fontFamily: theme.fonts.heading,
-              fontSize: "14px",
-              fontWeight: "600",
-              color: colors.title,
-              margin: "0 0 8px 0"
-            },
-            children: title
-          }
-        ),
-        /* @__PURE__ */ (0, import_jsx_runtime13.jsx)(
-          import_components10.Text,
-          {
-            style: {
-              fontFamily: theme.fonts.body,
-              fontSize: "14px",
-              color: colors.text,
-              margin: 0,
-              lineHeight: "1.5"
-            },
-            children
-          }
-        )
-      ]
-    }
-  );
-}
-
-// libs/mail/templates/src/lib/engine/ReactEmailEngine.ts
-var React2 = __toESM(require("react"), 1);
-var import_effect30 = require("effect");
-var import_render = require("@react-email/render");
-
-// libs/mail/core/src/lib/domain/types.ts
-var import_effect24 = require("effect");
-var MessageId = import_effect24.Brand.nominal();
-var EmailAddress = import_effect24.Brand.nominal();
-var Address = {
-  make: (email, name) => ({
-    email: EmailAddress(email),
-    name
-  }),
-  /**
-   * Format address as string: "Name <email>" or just "email"
-   */
-  format: (address) => address.name ? `"${address.name}" <${address.email}>` : address.email,
-  /**
-   * Parse string like "Name <email>" into Address
-   */
-  parse: (str) => {
-    const match = str.match(/^(?:"?([^"]*)"?\s)?<?([^>]+@[^>]+)>?$/);
-    if (!match) return null;
-    return Address.make(match[2].trim(), match[1]?.trim());
-  }
-};
-var Message = {
-  /**
-   * Generate a new MessageId
-   */
-  generateId: () => MessageId(crypto.randomUUID()),
-  /**
-   * Create a new message with defaults
-   */
-  make: (envelope, content, options) => ({
-    id: Message.generateId(),
-    envelope,
-    content,
-    attachments: options?.attachments ?? [],
-    headers: options?.headers ?? /* @__PURE__ */ new Map(),
-    priority: options?.priority ?? "normal",
-    tags: options?.tags,
-    metadata: options?.metadata,
-    createdAt: /* @__PURE__ */ new Date()
-  })
-};
-
-// libs/mail/core/src/lib/domain/errors.ts
-var import_effect25 = require("effect");
-var MailError = class extends import_effect25.Data.TaggedError("MailError") {
-};
-var MailConnectionError = class extends import_effect25.Data.TaggedError("MailConnectionError") {
-};
-var MailValidationError = class extends import_effect25.Data.TaggedError("MailValidationError") {
-};
-var MailDeliveryError = class extends import_effect25.Data.TaggedError("MailDeliveryError") {
-};
-var TemplateError = class extends import_effect25.Data.TaggedError("TemplateError") {
-};
-var TemplateNotFoundError = class extends import_effect25.Data.TaggedError("TemplateNotFoundError") {
-};
-var AttachmentError = class extends import_effect25.Data.TaggedError("AttachmentError") {
-};
-var MailConfigError = class extends import_effect25.Data.TaggedError("MailConfigError") {
-};
-
-// libs/mail/core/src/lib/domain/mailable.ts
-var import_effect26 = require("effect");
-var BaseMailable = class {
-  state = {
-    to: [],
-    cc: [],
-    bcc: [],
-    attachments: [],
-    headers: /* @__PURE__ */ new Map(),
-    priority: "normal",
-    tags: [],
-    metadata: {}
-  };
-  /**
-   * Build the final message
-   */
-  build() {
-    return import_effect26.Effect.gen(this, function* () {
-      const content = yield* this.getContent(this.state.data);
-      const envelope = {
-        from: this.state.from ?? Address.make("noreply@example.com"),
-        to: this.state.to,
-        cc: this.state.cc.length > 0 ? this.state.cc : void 0,
-        bcc: this.state.bcc.length > 0 ? this.state.bcc : void 0,
-        replyTo: this.state.replyTo
-      };
-      return Message.make(envelope, content, {
-        attachments: this.state.attachments,
-        headers: this.state.headers,
-        priority: this.state.priority,
-        tags: this.state.tags.length > 0 ? this.state.tags : void 0,
-        metadata: Object.keys(this.state.metadata).length > 0 ? this.state.metadata : void 0
-      });
-    });
-  }
-  to(address) {
-    const addresses = Array.isArray(address) ? address : [address];
-    this.state.to.push(...addresses.map(this.normalizeAddress));
-    return this;
-  }
-  cc(address) {
-    const addresses = Array.isArray(address) ? address : [address];
-    this.state.cc.push(...addresses.map(this.normalizeAddress));
-    return this;
-  }
-  bcc(address) {
-    const addresses = Array.isArray(address) ? address : [address];
-    this.state.bcc.push(...addresses.map(this.normalizeAddress));
-    return this;
-  }
-  from(address, name) {
-    this.state.from = typeof address === "string" ? Address.make(address, name) : address;
-    return this;
-  }
-  replyTo(address, name) {
-    this.state.replyTo = typeof address === "string" ? Address.make(address, name) : address;
-    return this;
-  }
-  subject(text) {
-    this.state.subject = text;
-    return this;
-  }
-  with(data) {
-    this.state.data = data;
-    return this;
-  }
-  attach(attachment) {
-    this.state.attachments.push(attachment);
-    return this;
-  }
-  header(name, value) {
-    this.state.headers.set(name, value);
-    return this;
-  }
-  priority(level) {
-    this.state.priority = level;
-    return this;
-  }
-  tag(tag) {
-    this.state.tags.push(tag);
-    return this;
-  }
-  metadata(key, value) {
-    this.state.metadata[key] = value;
-    return this;
-  }
-  /**
-   * Get the template data
-   */
-  getData() {
-    return this.state.data;
-  }
-  /**
-   * Get subject from state or abstract method
-   */
-  getSubjectText() {
-    return this.state.subject ?? this.getSubject();
-  }
-  normalizeAddress(addr) {
-    if (typeof addr === "string") {
-      return Address.parse(addr) ?? Address.make(addr);
-    }
-    return addr;
-  }
-};
-
-// libs/mail/core/src/lib/ports/MailDriver.ts
-var import_effect27 = require("effect");
-var MailDriverTag = class extends import_effect27.Context.Tag("@gello/MailDriver")() {
-};
-
-// libs/mail/core/src/lib/ports/TemplateEngine.ts
-var import_effect28 = require("effect");
-var TemplateEngineTag = class extends import_effect28.Context.Tag("@gello/TemplateEngine")() {
-};
-
-// libs/mail/core/src/lib/services/Mail.ts
-var import_effect29 = require("effect");
-var MailTag = class extends import_effect29.Context.Tag("@gello/Mail")() {
-};
-var makeMailService = import_effect29.Effect.gen(function* () {
-  const driver = yield* MailDriverTag;
-  const templateEngine = yield* import_effect29.Effect.serviceOption(TemplateEngineTag);
-  const resolveContent = (content) => {
-    if (!content.template) {
-      return import_effect29.Effect.succeed(content);
-    }
-    return (0, import_effect29.pipe)(
-      templateEngine,
-      import_effect29.Option.match({
-        onNone: () => (
-          // No template engine, return content as-is
-          import_effect29.Effect.succeed(content)
-        ),
-        onSome: (engine) => (0, import_effect29.pipe)(
-          engine.render(content.template.name, content.template.data),
-          import_effect29.Effect.map(({ html, text }) => ({
-            ...content,
-            html: html ?? content.html,
-            text: text ?? content.text
-          }))
-        )
-      })
-    );
-  };
-  const normalizeAddresses = (input) => {
-    const arr = Array.isArray(input) ? input : [input];
-    return arr.map(
-      (a) => typeof a === "string" ? Address.parse(a) ?? Address.make(a) : a
-    );
-  };
-  const service = {
-    send: (mailable) => import_effect29.Effect.gen(function* () {
-      const message = yield* mailable.build();
-      const resolvedContent = yield* resolveContent(message.content);
-      const finalMessage = { ...message, content: resolvedContent };
-      const messageToSend = mailable.beforeSend ? yield* mailable.beforeSend(finalMessage) : finalMessage;
-      const result = yield* driver.send(messageToSend);
-      if (mailable.afterSend) {
-        yield* mailable.afterSend(result);
-      }
-      return result;
-    }),
-    sendRaw: (to, subject, content, options) => import_effect29.Effect.gen(function* () {
-      const toAddresses = normalizeAddresses(to);
-      const contentObj = typeof content === "string" ? { text: content } : content;
-      const envelope = {
-        from: options?.from != null ? typeof options.from === "string" ? Address.parse(options.from) ?? Address.make(options.from) : options.from : Address.make("noreply@example.com"),
-        to: toAddresses,
-        cc: options?.cc ? normalizeAddresses(options.cc) : void 0,
-        bcc: options?.bcc ? normalizeAddresses(options.bcc) : void 0,
-        replyTo: options?.replyTo != null ? typeof options.replyTo === "string" ? Address.parse(options.replyTo) ?? Address.make(options.replyTo) : options.replyTo : void 0
-      };
-      const message = Message.make(
-        envelope,
-        { subject, ...contentObj },
-        {
-          attachments: options?.attachments,
-          headers: options?.headers ? new Map(Object.entries(options.headers)) : void 0,
-          priority: options?.priority,
-          tags: options?.tags
-        }
-      );
-      return yield* driver.send(message);
-    }),
-    driver: () => driver,
-    mailer: (_driverName) => {
-      return service;
-    }
-  };
-  return service;
-});
-var MailServiceLive = import_effect29.Layer.effect(MailTag, makeMailService);
-
-// libs/mail/templates/src/lib/engine/ReactEmailEngine.ts
-var templateRegistry = /* @__PURE__ */ new Map();
-var renderToHtml = (element) => import_effect30.Effect.tryPromise({
-  try: () => (0, import_render.render)(element, { pretty: true }),
-  catch: (error) => new TemplateError({
-    message: `Failed to render HTML: ${error}`,
-    cause: error
-  })
-});
-var renderToText = (element) => import_effect30.Effect.tryPromise({
-  try: () => (0, import_render.render)(element, { plainText: true }),
-  catch: (error) => new TemplateError({
-    message: `Failed to render text: ${error}`,
-    cause: error
-  })
-});
-var renderEmail = (element) => import_effect30.Effect.gen(function* () {
-  const html = yield* renderToHtml(element);
-  const text = yield* renderToText(element);
-  return { html, text };
-});
-var makeReactEmailEngine = () => ({
-  name: "react-email",
-  render: (template, data) => import_effect30.Effect.gen(function* () {
-    const Template = templateRegistry.get(template);
-    if (!Template) {
-      return yield* import_effect30.Effect.fail(
-        new TemplateNotFoundError({
-          message: `Template "${template}" not found`,
-          template
-        })
-      );
-    }
-    const element = React2.createElement(Template, data);
-    return yield* renderEmail(element);
-  }),
-  compile: (template) => import_effect30.Effect.gen(function* () {
-    const Template = templateRegistry.get(template);
-    if (!Template) {
-      return yield* import_effect30.Effect.fail(
-        new TemplateNotFoundError({
-          message: `Template "${template}" not found`,
-          template
-        })
-      );
-    }
-    return {
-      render: (data) => {
-        const element = React2.createElement(Template, data);
-        return renderEmail(element);
-      }
-    };
-  }),
-  exists: (template) => import_effect30.Effect.succeed(templateRegistry.has(template))
-});
-var ReactEmailEngineLive = import_effect30.Layer.succeed(
-  TemplateEngineTag,
-  makeReactEmailEngine()
-);
-
-// libs/auth/templates/src/lib/templates/VerifyEmail.tsx
-var import_jsx_runtime14 = require("react/jsx-runtime");
-var VerifyEmail = ({
-  userName,
-  verificationUrl,
-  expiresIn = "60 minutes",
-  appName = "Our App",
-  theme = defaultTheme
-}) => {
-  return /* @__PURE__ */ (0, import_jsx_runtime14.jsx)(BaseLayout, { theme, preview: `Verify your email address for ${appName}`, children: /* @__PURE__ */ (0, import_jsx_runtime14.jsxs)(Section2, { children: [
-    /* @__PURE__ */ (0, import_jsx_runtime14.jsx)(Heading, { as: "h1", children: "Verify Your Email Address" }),
-    /* @__PURE__ */ (0, import_jsx_runtime14.jsxs)(Text2, { children: [
-      "Hi ",
-      userName,
-      ","
-    ] }),
-    /* @__PURE__ */ (0, import_jsx_runtime14.jsxs)(Text2, { children: [
-      "Thank you for signing up for ",
-      appName,
-      "! Please verify your email address by clicking the button below."
-    ] }),
-    /* @__PURE__ */ (0, import_jsx_runtime14.jsx)(Button, { href: verificationUrl, children: "Verify Email Address" }),
-    /* @__PURE__ */ (0, import_jsx_runtime14.jsxs)(Text2, { muted: true, children: [
-      "This verification link will expire in ",
-      expiresIn,
-      ". If you didn't create an account, you can safely ignore this email."
-    ] }),
-    /* @__PURE__ */ (0, import_jsx_runtime14.jsxs)(Alert, { type: "info", children: [
-      "If the button above doesn't work, copy and paste this URL into your browser: ",
-      verificationUrl
-    ] })
-  ] }) });
-};
-
-// libs/auth/templates/src/lib/templates/ResetPassword.tsx
-var import_jsx_runtime15 = require("react/jsx-runtime");
-var ResetPassword = ({
-  userName,
-  resetUrl,
-  expiresIn = "60 minutes",
-  appName = "Our App",
-  ipAddress,
-  theme = defaultTheme
-}) => {
-  return /* @__PURE__ */ (0, import_jsx_runtime15.jsx)(BaseLayout, { theme, preview: `Reset your password for ${appName}`, children: /* @__PURE__ */ (0, import_jsx_runtime15.jsxs)(Section2, { children: [
-    /* @__PURE__ */ (0, import_jsx_runtime15.jsx)(Heading, { as: "h1", children: "Reset Your Password" }),
-    /* @__PURE__ */ (0, import_jsx_runtime15.jsxs)(Text2, { children: [
-      "Hi ",
-      userName,
-      ","
-    ] }),
-    /* @__PURE__ */ (0, import_jsx_runtime15.jsxs)(Text2, { children: [
-      "We received a request to reset your password for your ",
-      appName,
-      " ",
-      "account. Click the button below to set a new password."
-    ] }),
-    /* @__PURE__ */ (0, import_jsx_runtime15.jsx)(Button, { href: resetUrl, children: "Reset Password" }),
-    /* @__PURE__ */ (0, import_jsx_runtime15.jsxs)(Text2, { muted: true, children: [
-      "This password reset link will expire in ",
-      expiresIn,
-      "."
-    ] }),
-    ipAddress && /* @__PURE__ */ (0, import_jsx_runtime15.jsxs)(Text2, { muted: true, children: [
-      "This request was made from IP address: ",
-      ipAddress
-    ] }),
-    /* @__PURE__ */ (0, import_jsx_runtime15.jsx)(Alert, { type: "warning", children: "If you didn't request a password reset, please ignore this email or contact support if you believe your account has been compromised." }),
-    /* @__PURE__ */ (0, import_jsx_runtime15.jsxs)(Text2, { muted: true, children: [
-      "If the button above doesn't work, copy and paste this URL into your browser: ",
-      resetUrl
-    ] })
-  ] }) });
-};
-
-// libs/auth/templates/src/lib/templates/WelcomeEmail.tsx
-var import_jsx_runtime16 = require("react/jsx-runtime");
-var WelcomeEmail = ({
-  userName,
-  loginUrl,
-  appName = "Our App",
-  features = [],
-  theme = defaultTheme
-}) => {
-  return /* @__PURE__ */ (0, import_jsx_runtime16.jsx)(BaseLayout, { theme, preview: `Welcome to ${appName}!`, children: /* @__PURE__ */ (0, import_jsx_runtime16.jsxs)(Section2, { children: [
-    /* @__PURE__ */ (0, import_jsx_runtime16.jsxs)(Heading, { as: "h1", children: [
-      "Welcome to ",
-      appName,
-      "!"
-    ] }),
-    /* @__PURE__ */ (0, import_jsx_runtime16.jsxs)(Text2, { children: [
-      "Hi ",
-      userName,
-      ","
-    ] }),
-    /* @__PURE__ */ (0, import_jsx_runtime16.jsxs)(Text2, { children: [
-      "Thank you for joining ",
-      appName,
-      "! We're excited to have you on board. Your account is now ready to use."
-    ] }),
-    /* @__PURE__ */ (0, import_jsx_runtime16.jsx)(Button, { href: loginUrl, children: "Get Started" }),
-    features.length > 0 && /* @__PURE__ */ (0, import_jsx_runtime16.jsxs)(import_jsx_runtime16.Fragment, { children: [
-      /* @__PURE__ */ (0, import_jsx_runtime16.jsx)(Divider, {}),
-      /* @__PURE__ */ (0, import_jsx_runtime16.jsx)(Heading, { as: "h2", children: "What you can do:" }),
-      /* @__PURE__ */ (0, import_jsx_runtime16.jsx)("ul", { children: features.map((feature, index) => /* @__PURE__ */ (0, import_jsx_runtime16.jsx)("li", { children: /* @__PURE__ */ (0, import_jsx_runtime16.jsx)(Text2, { children: feature }) }, index)) })
-    ] }),
-    /* @__PURE__ */ (0, import_jsx_runtime16.jsx)(Divider, {}),
-    /* @__PURE__ */ (0, import_jsx_runtime16.jsx)(Text2, { muted: true, children: "If you have any questions, feel free to reply to this email. We're here to help!" })
-  ] }) });
-};
-
-// libs/auth/templates/src/lib/templates/NewLogin.tsx
-var import_jsx_runtime17 = require("react/jsx-runtime");
-var NewLogin = ({
-  userName,
-  loginTime,
-  ipAddress,
-  location,
-  device,
-  browser,
-  securityUrl,
-  appName = "Our App",
-  theme = defaultTheme
-}) => {
-  return /* @__PURE__ */ (0, import_jsx_runtime17.jsx)(BaseLayout, { theme, preview: `New login to your ${appName} account`, children: /* @__PURE__ */ (0, import_jsx_runtime17.jsxs)(Section2, { children: [
-    /* @__PURE__ */ (0, import_jsx_runtime17.jsx)(Heading, { as: "h1", children: "New Login Detected" }),
-    /* @__PURE__ */ (0, import_jsx_runtime17.jsxs)(Text2, { children: [
-      "Hi ",
-      userName,
-      ","
-    ] }),
-    /* @__PURE__ */ (0, import_jsx_runtime17.jsxs)(Text2, { children: [
-      "We detected a new login to your ",
-      appName,
-      " account. If this was you, you can safely ignore this email."
-    ] }),
-    /* @__PURE__ */ (0, import_jsx_runtime17.jsxs)(Card, { children: [
-      /* @__PURE__ */ (0, import_jsx_runtime17.jsxs)(Text2, { children: [
-        /* @__PURE__ */ (0, import_jsx_runtime17.jsx)("strong", { children: "Time:" }),
-        " ",
-        loginTime
-      ] }),
-      /* @__PURE__ */ (0, import_jsx_runtime17.jsxs)(Text2, { children: [
-        /* @__PURE__ */ (0, import_jsx_runtime17.jsx)("strong", { children: "IP Address:" }),
-        " ",
-        ipAddress
-      ] }),
-      location && /* @__PURE__ */ (0, import_jsx_runtime17.jsxs)(Text2, { children: [
-        /* @__PURE__ */ (0, import_jsx_runtime17.jsx)("strong", { children: "Location:" }),
-        " ",
-        location
-      ] }),
-      device && /* @__PURE__ */ (0, import_jsx_runtime17.jsxs)(Text2, { children: [
-        /* @__PURE__ */ (0, import_jsx_runtime17.jsx)("strong", { children: "Device:" }),
-        " ",
-        device
-      ] }),
-      browser && /* @__PURE__ */ (0, import_jsx_runtime17.jsxs)(Text2, { children: [
-        /* @__PURE__ */ (0, import_jsx_runtime17.jsx)("strong", { children: "Browser:" }),
-        " ",
-        browser
-      ] })
-    ] }),
-    /* @__PURE__ */ (0, import_jsx_runtime17.jsx)(Alert, { type: "warning", children: "If you didn't sign in, your account may have been compromised. Please change your password immediately and review your account security." }),
-    /* @__PURE__ */ (0, import_jsx_runtime17.jsx)(Button, { href: securityUrl, children: "Review Account Security" }),
-    /* @__PURE__ */ (0, import_jsx_runtime17.jsx)(Text2, { muted: true, children: "For your security, we send these notifications whenever there's a new login to your account." })
-  ] }) });
-};
-
-// libs/auth/templates/src/lib/templates/PasswordChanged.tsx
-var import_jsx_runtime18 = require("react/jsx-runtime");
-var PasswordChanged = ({
-  userName,
-  changedAt,
-  ipAddress,
-  securityUrl,
-  appName = "Our App",
-  theme = defaultTheme
-}) => {
-  return /* @__PURE__ */ (0, import_jsx_runtime18.jsx)(BaseLayout, { theme, preview: `Your ${appName} password was changed`, children: /* @__PURE__ */ (0, import_jsx_runtime18.jsxs)(Section2, { children: [
-    /* @__PURE__ */ (0, import_jsx_runtime18.jsx)(Heading, { as: "h1", children: "Password Changed" }),
-    /* @__PURE__ */ (0, import_jsx_runtime18.jsxs)(Text2, { children: [
-      "Hi ",
-      userName,
-      ","
-    ] }),
-    /* @__PURE__ */ (0, import_jsx_runtime18.jsxs)(Text2, { children: [
-      "Your password for your ",
-      appName,
-      " account was successfully changed on",
-      " ",
-      changedAt,
-      "."
-    ] }),
-    ipAddress && /* @__PURE__ */ (0, import_jsx_runtime18.jsxs)(Text2, { muted: true, children: [
-      "This change was made from IP address: ",
-      ipAddress
-    ] }),
-    /* @__PURE__ */ (0, import_jsx_runtime18.jsx)(Alert, { type: "warning", children: "If you didn't make this change, your account may have been compromised. Please reset your password immediately and review your account security." }),
-    /* @__PURE__ */ (0, import_jsx_runtime18.jsx)(Button, { href: securityUrl, children: "Review Account Security" }),
-    /* @__PURE__ */ (0, import_jsx_runtime18.jsx)(Text2, { muted: true, children: "For your security, we send these notifications whenever your password is changed." })
-  ] }) });
-};
-
-// libs/auth/templates/src/lib/mailables/VerifyEmailMailable.ts
-var import_effect31 = require("effect");
-var VerifyEmailMailable = class extends BaseMailable {
-  getSubject() {
-    const data = this.getData();
-    return `Verify your email address for ${data.appName ?? "Our App"}`;
-  }
-  getContent() {
-    const data = this.getData();
-    return import_effect31.Effect.succeed({
-      subject: this.getSubject(),
-      template: {
-        name: "auth/verify-email",
-        data: {
-          userName: data.userName,
-          verificationUrl: data.verificationUrl,
-          expiresIn: data.expiresIn ?? "60 minutes",
-          appName: data.appName ?? "Our App"
-        }
-      }
-    });
-  }
-};
-var verifyEmail = (data) => {
-  return new VerifyEmailMailable().to(data.email).with(data);
-};
-
-// libs/auth/templates/src/lib/mailables/ResetPasswordMailable.ts
-var import_effect32 = require("effect");
-var ResetPasswordMailable = class extends BaseMailable {
-  getSubject() {
-    const data = this.getData();
-    return `Reset your password for ${data.appName ?? "Our App"}`;
-  }
-  getContent() {
-    const data = this.getData();
-    return import_effect32.Effect.succeed({
-      subject: this.getSubject(),
-      template: {
-        name: "auth/reset-password",
-        data: {
-          userName: data.userName,
-          resetUrl: data.resetUrl,
-          expiresIn: data.expiresIn ?? "60 minutes",
-          appName: data.appName ?? "Our App",
-          ipAddress: data.ipAddress
-        }
-      }
-    });
-  }
-};
-var resetPassword = (data) => {
-  return new ResetPasswordMailable().to(data.email).with(data);
-};
-
-// libs/auth/templates/src/lib/mailables/WelcomeEmailMailable.ts
-var import_effect33 = require("effect");
-var WelcomeEmailMailable = class extends BaseMailable {
-  getSubject() {
-    const data = this.getData();
-    return `Welcome to ${data.appName ?? "Our App"}!`;
-  }
-  getContent() {
-    const data = this.getData();
-    return import_effect33.Effect.succeed({
-      subject: this.getSubject(),
-      template: {
-        name: "auth/welcome",
-        data: {
-          userName: data.userName,
-          loginUrl: data.loginUrl,
-          appName: data.appName ?? "Our App",
-          features: data.features ?? []
-        }
-      }
-    });
-  }
-};
-var welcomeEmail = (data) => {
-  return new WelcomeEmailMailable().to(data.email).with(data);
-};
-
-// libs/auth/templates/src/lib/mailables/NewLoginMailable.ts
-var import_effect34 = require("effect");
-var NewLoginMailable = class extends BaseMailable {
-  getSubject() {
-    const data = this.getData();
-    return `New login to your ${data.appName ?? "Our App"} account`;
-  }
-  getContent() {
-    const data = this.getData();
-    return import_effect34.Effect.succeed({
-      subject: this.getSubject(),
-      template: {
-        name: "auth/new-login",
-        data: {
-          userName: data.userName,
-          loginTime: data.loginTime,
-          ipAddress: data.ipAddress,
-          location: data.location,
-          device: data.device,
-          browser: data.browser,
-          securityUrl: data.securityUrl,
-          appName: data.appName ?? "Our App"
-        }
-      }
-    });
-  }
-};
-var newLogin = (data) => {
-  return new NewLoginMailable().to(data.email).with(data);
-};
-
-// libs/auth/testing/src/lib/mocks/MockTokenStore.ts
-var import_effect35 = require("effect");
-var makeMockTokenStore = () => {
-  const tokens = /* @__PURE__ */ new Map();
-  return {
-    create: (token) => import_effect35.Effect.sync(() => {
-      tokens.set(token.id, token);
-      return token;
-    }),
-    findByToken: (hashedToken) => import_effect35.Effect.sync(() => {
-      for (const token of tokens.values()) {
-        if (token.token === hashedToken) {
-          return import_effect35.Option.some(token);
-        }
-      }
-      return import_effect35.Option.none();
-    }),
-    findById: (id) => import_effect35.Effect.sync(() => {
-      const token = tokens.get(id);
-      return token ? import_effect35.Option.some(token) : import_effect35.Option.none();
-    }),
-    findByUser: (userId) => import_effect35.Effect.sync(() => {
-      return Array.from(tokens.values()).filter((t) => t.userId === userId);
-    }),
-    updateLastUsed: (id, lastUsedAt) => import_effect35.Effect.sync(() => {
-      const token = tokens.get(id);
-      if (!token) {
-        throw new TokenNotFoundError({
-          message: "Token not found",
-          tokenId: id
-        });
-      }
-      tokens.set(id, { ...token, lastUsedAt });
-    }),
-    delete: (id) => import_effect35.Effect.sync(() => {
-      if (!tokens.has(id)) {
-        throw new TokenNotFoundError({
-          message: "Token not found",
-          tokenId: id
-        });
-      }
-      tokens.delete(id);
-    }),
-    deleteByUser: (userId) => import_effect35.Effect.sync(() => {
-      let count = 0;
-      for (const [id, token] of tokens) {
-        if (token.userId === userId) {
-          tokens.delete(id);
-          count++;
-        }
-      }
-      return count;
-    }),
-    deleteExpired: () => import_effect35.Effect.sync(() => {
-      const now = /* @__PURE__ */ new Date();
-      let count = 0;
-      for (const [id, token] of tokens) {
-        if (token.expiresAt && token.expiresAt < now) {
-          tokens.delete(id);
-          count++;
-        }
-      }
-      return count;
-    })
-  };
-};
-var MockTokenStoreLive = import_effect35.Layer.succeed(
-  TokenStoreTag,
-  makeMockTokenStore()
-);
-
-// libs/auth/testing/src/lib/mocks/MockPasswordHasher.ts
-var import_effect36 = require("effect");
-var makeMockPasswordHasher = () => ({
-  hash: (password) => import_effect36.Effect.sync(() => {
-    return `mock:${Buffer.from(password).toString("base64")}`;
-  }),
-  verify: (password, hash) => import_effect36.Effect.sync(() => {
-    if (!hash.startsWith("mock:")) {
-      return false;
-    }
-    const decoded = Buffer.from(hash.slice(5), "base64").toString("utf-8");
-    return password === decoded;
-  }),
-  needsRehash: (hash) => !hash.startsWith("mock:")
-});
-var MockPasswordHasherLive = import_effect36.Layer.succeed(
-  PasswordHasherTag,
-  makeMockPasswordHasher()
-);
-var makeMockTokenHasher = () => ({
-  hash: (token) => {
-    return `hash:${Buffer.from(token).toString("base64")}`;
-  },
-  verify: (token, hash) => {
-    if (!hash.startsWith("hash:")) {
-      return false;
-    }
-    const decoded = Buffer.from(hash.slice(5), "base64").toString("utf-8");
-    return token === decoded;
-  }
-});
-var MockTokenHasherLive = import_effect36.Layer.succeed(
-  TokenHasherTag,
-  makeMockTokenHasher()
-);
-
-// libs/auth/testing/src/lib/mocks/MockUserProvider.ts
-var import_effect37 = require("effect");
-var makeMockUserProvider = (users = []) => {
-  const userMap = /* @__PURE__ */ new Map();
-  const emailMap = /* @__PURE__ */ new Map();
-  for (const user of users) {
-    userMap.set(user.id, user);
-    emailMap.set(user.email.toLowerCase(), user);
-  }
-  return {
-    findById: (id) => import_effect37.Effect.sync(() => {
-      const user = userMap.get(id);
-      return user ? import_effect37.Option.some(user) : import_effect37.Option.none();
-    }),
-    findByEmail: (email) => import_effect37.Effect.sync(() => {
-      const user = emailMap.get(email.toLowerCase());
-      return user ? import_effect37.Option.some(user) : import_effect37.Option.none();
-    }),
-    findByCredentials: (credentials) => import_effect37.Effect.sync(() => {
-      for (const user of userMap.values()) {
-        const userObj = user;
-        const matches = Object.entries(credentials).every(
-          ([key, value]) => userObj[key] === value
-        );
-        if (matches) {
-          return import_effect37.Option.some(user);
-        }
-      }
-      return import_effect37.Option.none();
-    })
-  };
-};
-var MockUserProviderLive = (users = []) => import_effect37.Layer.succeed(UserProviderTag, makeMockUserProvider(users));
-var createMockUser = (overrides) => ({
-  id: UserId(crypto.randomUUID()),
-  password: "mock:dGVzdA==",
-  // "test" encoded
-  ...overrides
-});
-
-// libs/auth/testing/src/lib/utilities/actingAs.ts
-var import_effect38 = require("effect");
-var createAuthenticatedUser = (userId, options = {}) => {
-  const scopes = options.scopes ?? ["*"];
-  const tokenName = options.tokenName ?? "test-token";
-  const token = {
-    id: TokenId(crypto.randomUUID()),
-    userId,
-    name: tokenName,
-    token: HashedToken("test-hashed-token"),
-    scopes,
-    createdAt: /* @__PURE__ */ new Date()
-  };
-  return {
-    id: userId,
-    token
-  };
-};
-var actingAsLayer = (userId, options = {}) => {
-  const user = createAuthenticatedUser(userId, options);
-  return import_effect38.Layer.succeed(AuthenticatedUserTag, user);
-};
-var actingAs = (userId, options, effect) => {
-  return effect.pipe(import_effect38.Effect.provide(actingAsLayer(userId, options)));
-};
-var Auth = {
-  /**
-   * Run an effect as an authenticated user
-   */
-  actingAs: (userId, effect, options = {}) => {
-    return actingAs(userId, options, effect);
-  },
-  /**
-   * Create a layer for authenticated user
-   */
-  actingAsLayer
-};
-
-// libs/auth/testing/src/lib/utilities/assertions.ts
-var import_effect39 = require("effect");
-var assertAuthenticated = () => import_effect39.Effect.gen(function* () {
-  const result = yield* import_effect39.Effect.either(AuthenticatedUserTag);
-  if (result._tag === "Left") {
-    return yield* import_effect39.Effect.fail(
-      new AuthenticationError({
-        message: "Expected to be authenticated, but was not",
-        reason: "missing_token"
-      })
-    );
-  }
-  return result.right;
-});
-var assertGuest = () => import_effect39.Effect.gen(function* () {
-  const result = yield* import_effect39.Effect.either(AuthenticatedUserTag);
-  if (result._tag === "Right") {
-    return yield* import_effect39.Effect.fail(
-      new Error("Expected to be guest, but was authenticated")
-    );
-  }
-});
-var assertCan = (action, subject) => import_effect39.Effect.gen(function* () {
-  const abilities = yield* AbilitiesTag;
-  const canDo = abilities.can(action, subject);
-  if (!canDo) {
-    return yield* import_effect39.Effect.fail(
-      new Error(`Expected to be able to ${action} ${String(subject)}, but cannot`)
-    );
-  }
-});
-var assertCannot = (action, subject) => import_effect39.Effect.gen(function* () {
-  const abilities = yield* AbilitiesTag;
-  const canDo = abilities.can(action, subject);
-  if (canDo) {
-    return yield* import_effect39.Effect.fail(
-      new Error(`Expected NOT to be able to ${action} ${String(subject)}, but can`)
-    );
-  }
-});
-var assertHasScope = (scope) => import_effect39.Effect.gen(function* () {
-  const user = yield* AuthenticatedUserTag;
-  if (!user.token) {
-    return yield* import_effect39.Effect.fail(
-      new Error("No token present to check scope")
-    );
-  }
-  const hasScope2 = user.token.scopes.includes("*") || user.token.scopes.includes(scope);
-  if (!hasScope2) {
-    return yield* import_effect39.Effect.fail(
-      new Error(`Expected token to have scope "${scope}", but it doesn't`)
-    );
-  }
-});
-var assertLacksScope = (scope) => import_effect39.Effect.gen(function* () {
-  const user = yield* AuthenticatedUserTag;
-  if (!user.token) {
-    return;
-  }
-  const hasScope2 = user.token.scopes.includes("*") || user.token.scopes.includes(scope);
-  if (hasScope2) {
-    return yield* import_effect39.Effect.fail(
-      new Error(`Expected token NOT to have scope "${scope}", but it does`)
-    );
-  }
-});
-
-// libs/auth/testing/src/lib/utilities/layers.ts
-var import_effect40 = require("effect");
-var TestAuthLayer = (users = []) => import_effect40.Layer.mergeAll(
-  MockTokenStoreLive,
-  MockPasswordHasherLive,
-  MockTokenHasherLive,
-  MockUserProviderLive(users)
-).pipe(
-  import_effect40.Layer.provideMerge(TokenServiceLive),
-  import_effect40.Layer.provideMerge(AuthServiceLive)
-);
-var TestSessionLayer = MemorySessionStoreLive;
-var FullTestAuthLayer = (users = []) => import_effect40.Layer.mergeAll(TestAuthLayer(users), TestSessionLayer);
-// Annotate the CommonJS export names for ESM import in node:
-0 && (module.exports = {
-  AbilitiesLive,
-  AbilitiesTag,
-  AbstractProvider,
-  Auth,
-  AuthError,
-  AuthGuard,
-  AuthServiceLive,
-  AuthTag,
-  AuthenticatedUserTag,
-  AuthenticationError,
-  AuthorizationError,
-  CommonAbilities,
-  CsrfMismatchError,
-  CsrfToken,
-  CsrfTokenTag,
-  CurrentSessionTag,
-  ForbiddenError,
-  FullTestAuthLayer,
-  GithubProvider,
-  GoogleProvider,
-  HashedToken,
-  HashingError,
-  InsufficientScopeError,
-  InvalidPasswordError,
-  JwtError,
-  JwtServiceLive,
-  JwtServiceTag,
-  MemorySessionStoreLive,
-  MockPasswordHasherLive,
-  MockTokenHasherLive,
-  MockTokenStoreLive,
-  MockUserProviderLive,
-  NewLogin,
-  NewLoginMailable,
-  OAuthConfigError,
-  OAuthError,
-  OAuthProviderNotFoundError,
-  OAuthStateMismatchError,
-  OAuthTokenError,
-  OAuthUserError,
-  PasswordChanged,
-  PasswordHasherTag,
-  PersonalAccessToken,
-  PlainTextToken,
-  RateLimitError,
-  ResetPassword,
-  ResetPasswordMailable,
-  Session,
-  SessionError,
-  SessionExpiredError,
-  SessionId,
-  SessionNotFoundError,
-  SessionStoreTag,
-  Social,
-  SocialLive,
-  SocialTag,
-  SocialToken,
-  SocialUser,
-  TestAuthLayer,
-  TestSessionLayer,
-  TokenExpiredError,
-  TokenHasherTag,
-  TokenId,
-  TokenNotFoundError,
-  TokenServiceLive,
-  TokenServiceTag,
-  TokenStoreTag,
-  UserId,
-  UserNotFoundError,
-  UserProviderTag,
-  VerifyEmail,
-  VerifyEmailMailable,
-  WelcomeEmail,
-  WelcomeEmailMailable,
-  actingAs,
-  actingAsLayer,
-  assertAuthenticated,
-  assertCan,
-  assertCannot,
-  assertGuest,
-  assertHasScope,
-  assertLacksScope,
-  authenticate,
-  authorize,
-  authorizeAction,
-  authorizeAll,
-  authorizeAny,
-  authorizeMiddleware,
-  can,
-  cannot,
-  createAbilities,
-  createAuthenticatedUser,
-  createGithubProvider,
-  createGoogleProvider,
-  createMockUser,
-  csrf,
-  currentUser,
-  defaultCsrfConfig,
-  defaultSessionConfig,
-  defineAbilitiesFor,
-  endSession,
-  generateCsrfCookie,
-  getSessionData,
-  getSubjectType,
-  hasApiTokens,
-  hasScope,
-  isAuthenticated,
-  makeJwtService,
-  makeMemorySessionStore,
-  makeMockPasswordHasher,
-  makeMockTokenHasher,
-  makeMockTokenStore,
-  makeMockUserProvider,
-  makeSocialService,
-  matchAction,
-  matchConditions,
-  matchSubject,
-  newLogin,
-  requireAdmin,
-  requireAny,
-  requireScope,
-  resetPassword,
-  session,
-  setSessionData,
-  startSession,
-  tokenScope,
-  tokenScopes,
-  verifyCsrfToken,
-  verifyEmail,
-  welcomeEmail,
-  withApiTokens
-});