@gello/auth 0.1.2 → 0.2.0

package/index.js

@@ -1,2266 +0,0 @@
-var He = Object.defineProperty;
-var je = (e, t, r) => t in e ? He(e, t, { enumerable: !0, configurable: !0, writable: !0, value: r }) : e[t] = r;
-var O = (e, t, r) => je(e, typeof t != "symbol" ? t + "" : t, r);
-import { Brand as E, Data as h, Context as y, Layer as p, Effect as o, Option as m, Duration as U, pipe as te } from "effect";
-import { HttpServerRequest as J, HttpServerResponse as x } from "@effect/platform";
-import { jsx as d, jsxs as u, Fragment as ze } from "react/jsx-runtime";
-import * as q from "react";
-import { Html as Be, Head as We, Body as qe, Container as Je, Section as M, Link as P, Img as Ve, Text as $, Hr as ke, Heading as Ge, Button as Ye } from "@react-email/components";
-import { render as we } from "@react-email/render";
-const Te = E.nominal(), Ke = E.nominal(), Q = E.nominal(), Xe = E.nominal(), v = {
-  /**
-   * Generate a new TokenId
-   */
-  generateId: () => Te(crypto.randomUUID()),
-  /**
-   * Generate a random plain text token
-   */
-  generatePlainText: () => {
-    const e = new Uint8Array(32);
-    crypto.getRandomValues(e);
-    const t = Array.from(e).map((r) => r.toString(16).padStart(2, "0")).join("");
-    return Ke(t);
-  },
-  /**
-   * Check if token has a specific scope
-   */
-  hasScope: (e, t) => e.scopes.includes("*") ? !0 : e.scopes.includes(t),
-  /**
-   * Check if token has all specified scopes
-   */
-  hasAllScopes: (e, t) => t.every((r) => v.hasScope(e, r)),
-  /**
-   * Check if token has any of the specified scopes
-   */
-  hasAnyScope: (e, t) => t.some((r) => v.hasScope(e, r)),
-  /**
-   * Check if token is expired
-   */
-  isExpired: (e) => e.expiresAt ? /* @__PURE__ */ new Date() > e.expiresAt : !1
-}, cr = {
-  authenticated: (e) => ({
-    _tag: "Authenticated",
-    user: e
-  }),
-  guest: () => ({
-    _tag: "Guest"
-  }),
-  isAuthenticated: (e) => e._tag === "Authenticated",
-  isGuest: (e) => e._tag === "Guest"
-};
-class lr extends h.TaggedError("AuthError") {
-}
-class A extends h.TaggedError("AuthenticationError") {
-}
-class re extends h.TaggedError("TokenNotFoundError") {
-}
-class Qe extends h.TaggedError("TokenExpiredError") {
-}
-class Ze extends h.TaggedError("InsufficientScopeError") {
-}
-class et extends h.TaggedError("UserNotFoundError") {
-}
-class dr extends h.TaggedError("HashingError") {
-}
-class ur extends h.TaggedError("InvalidPasswordError") {
-}
-class hr extends h.TaggedError("RateLimitError") {
-}
-class ve extends y.Tag("@gello/auth/TokenStore")() {
-}
-class xe extends y.Tag("@gello/auth/PasswordHasher")() {
-}
-class be extends y.Tag("@gello/auth/TokenHasher")() {
-}
-class Se extends y.Tag("@gello/auth/UserProvider")() {
-}
-class C extends y.Tag("@gello/auth/TokenService")() {
-}
-const tt = p.effect(
-  C,
-  o.gen(function* () {
-    const e = yield* ve, t = yield* be;
-    return {
-      createToken: (n, s, i = ["*"], a) => o.gen(function* () {
-        const l = v.generatePlainText(), c = Q(t.hash(l)), g = {
-          id: v.generateId(),
-          userId: n,
-          name: s,
-          token: c,
-          scopes: i,
-          expiresAt: a,
-          createdAt: /* @__PURE__ */ new Date()
-        };
-        return {
-          accessToken: yield* e.create(g),
-          plainTextToken: l
-        };
-      }),
-      verifyToken: (n) => o.gen(function* () {
-        const s = Q(t.hash(n)), i = yield* e.findByToken(s);
-        if (m.isNone(i))
-          return yield* o.fail(
-            new A({
-              message: "Invalid token",
-              reason: "invalid_token"
-            })
-          );
-        const a = i.value;
-        return v.isExpired(a) ? yield* o.fail(
-          new Qe({
-            message: "Token has expired",
-            tokenId: a.id,
-            expiredAt: a.expiresAt
-          })
-        ) : (yield* e.updateLastUsed(a.id, /* @__PURE__ */ new Date()).pipe(o.catchAll(() => o.void)), a);
-      }),
-      getUserTokens: (n) => e.findByUser(n),
-      revokeToken: (n) => e.delete(n),
-      revokeAllTokens: (n) => e.deleteByUser(n),
-      pruneExpiredTokens: () => e.deleteExpired()
-    };
-  })
-);
-class Ae extends y.Tag("@gello/auth/Auth")() {
-}
-const rt = p.effect(
-  Ae,
-  o.gen(function* () {
-    const e = yield* Se, t = yield* xe, r = yield* C;
-    return {
-      attempt: (s, i) => o.gen(function* () {
-        const a = yield* e.findByEmail(s);
-        if (m.isNone(a))
-          return yield* o.fail(
-            new A({
-              message: "Invalid credentials",
-              reason: "invalid_credentials"
-            })
-          );
-        const l = a.value;
-        return (yield* t.verify(i, l.password).pipe(
-          o.mapError(
-            () => new A({
-              message: "Invalid credentials",
-              reason: "invalid_credentials"
-            })
-          )
-        )) ? l : yield* o.fail(
-          new A({
-            message: "Invalid credentials",
-            reason: "invalid_credentials"
-          })
-        );
-      }),
-      authenticateWithToken: (s) => o.gen(function* () {
-        const i = yield* r.verifyToken(s).pipe(
-          o.mapError(
-            (l) => new A({
-              message: l.message,
-              reason: l._tag === "TokenExpiredError" ? "expired_token" : "invalid_token"
-            })
-          )
-        ), a = yield* e.findById(i.userId);
-        return m.isNone(a) ? yield* o.fail(
-          new A({
-            message: "User not found",
-            reason: "invalid_token"
-          })
-        ) : {
-          id: i.userId,
-          token: i
-        };
-      }),
-      getUser: (s) => o.gen(function* () {
-        const i = yield* e.findById(s);
-        return m.isNone(i) ? yield* o.fail(
-          new et({
-            message: "User not found",
-            userId: s
-          })
-        ) : i.value;
-      }),
-      createToken: (s, i, a, l) => r.createToken(s, i, a, l),
-      getTokens: (s) => r.getUserTokens(s),
-      revokeToken: (s) => r.revokeToken(s).pipe(
-        o.catchAll(() => o.void)
-      ),
-      revokeAllTokens: (s) => r.revokeAllTokens(s),
-      hashPassword: (s) => t.hash(s).pipe(
-        o.catchAll(() => o.succeed(""))
-      ),
-      needsRehash: (s) => t.needsRehash(s)
-    };
-  })
-);
-function fr(e) {
-  return {
-    ...e,
-    createToken(t, r, n) {
-      return o.gen(function* () {
-        return yield* (yield* C).createToken(e.id, t, r, n);
-      });
-    },
-    tokens() {
-      return o.gen(function* () {
-        return yield* (yield* C).getUserTokens(e.id);
-      });
-    },
-    revokeToken(t) {
-      return o.gen(function* () {
-        return yield* (yield* C).revokeToken(t).pipe(
-          o.catchAll(() => o.void)
-        );
-      });
-    },
-    revokeAllTokens() {
-      return o.gen(function* () {
-        return yield* (yield* C).revokeAllTokens(e.id);
-      });
-    }
-  };
-}
-function gr(e) {
-  return typeof e == "object" && e !== null && "id" in e && "createToken" in e && "tokens" in e;
-}
-class w extends y.Tag("@gello/auth/AuthenticatedUser")() {
-}
-const nt = (e) => {
-  if (!e) return null;
-  const t = e.match(/^Bearer\s+(.+)$/i);
-  return t ? t[1] : null;
-}, ne = (e = {}) => ({
-  name: "authenticate",
-  apply: (t) => o.gen(function* () {
-    const r = yield* J.HttpServerRequest, n = yield* Ae, s = r.headers.authorization, i = nt(s);
-    if (!i)
-      return e.optional ? yield* t : x.json(
-        { error: "Authentication required" },
-        { status: 401 }
-      );
-    const a = yield* n.authenticateWithToken(i).pipe(
-      o.either
-    );
-    if (a._tag === "Left") {
-      if (e.optional)
-        return yield* t;
-      const c = a.left;
-      return x.json(
-        { error: c.message },
-        { status: 401 }
-      );
-    }
-    const l = a.right;
-    return yield* t.pipe(
-      o.provideService(w, l)
-    );
-  })
-});
-ne.optional = () => ({
-  ...ne({ optional: !0 }),
-  name: "authenticate.optional"
-});
-const mr = () => o.flatMap(
-  o.either(w),
-  (e) => e._tag === "Right" ? o.succeed(e.right) : o.fail(
-    new A({
-      message: "Not authenticated",
-      reason: "missing_token"
-    })
-  )
-), pr = () => o.map(o.either(w), (e) => e._tag === "Right"), yr = (...e) => ({
-  name: "tokenScopes",
-  apply: (t) => o.gen(function* () {
-    const r = yield* w;
-    return r.token ? v.hasAllScopes(r.token, e) ? yield* t : x.json(
-      {
-        error: "Insufficient scope",
-        required: e,
-        provided: r.token.scopes
-      },
-      { status: 403 }
-    ) : yield* t;
-  })
-}), kr = (...e) => ({
-  name: "tokenScope",
-  apply: (t) => o.gen(function* () {
-    const r = yield* w;
-    return r.token ? v.hasAnyScope(r.token, e) ? yield* t : x.json(
-      {
-        error: "Insufficient scope",
-        required: `One of: ${e.join(", ")}`,
-        provided: r.token.scopes
-      },
-      { status: 403 }
-    ) : yield* t;
-  })
-}), wr = (e) => o.gen(function* () {
-  const t = yield* w;
-  return t.token ? v.hasScope(t.token, e) : !0;
-}), Tr = (e) => o.gen(function* () {
-  const t = yield* w;
-  if (t.token && !v.hasScope(t.token, e))
-    return yield* o.fail(
-      new Ze({
-        message: `Token lacks required scope: ${e}`,
-        required: [e],
-        provided: t.token.scopes
-      })
-    );
-}), Ee = E.nominal(), Ue = E.nominal(), L = {
-  /**
-   * Generate a new SessionId
-   */
-  generateId: () => Ee(crypto.randomUUID()),
-  /**
-   * Generate a CSRF token
-   */
-  generateCsrfToken: () => {
-    const e = new Uint8Array(32);
-    return crypto.getRandomValues(e), Ue(
-      Array.from(e).map((t) => t.toString(16).padStart(2, "0")).join("")
-    );
-  },
-  /**
-   * Create a new session
-   */
-  make: (e, t) => {
-    const r = /* @__PURE__ */ new Date(), n = (t == null ? void 0 : t.lifetime) ?? U.hours(2), s = new Date(r.getTime() + U.toMillis(n));
-    return {
-      id: L.generateId(),
-      userId: e,
-      data: (t == null ? void 0 : t.data) ?? {},
-      ipAddress: t == null ? void 0 : t.ipAddress,
-      userAgent: t == null ? void 0 : t.userAgent,
-      lastActivity: r,
-      createdAt: r,
-      expiresAt: s
-    };
-  },
-  /**
-   * Check if session is expired
-   */
-  isExpired: (e) => /* @__PURE__ */ new Date() > e.expiresAt,
-  /**
-   * Extend session expiration
-   */
-  touch: (e, t) => {
-    const r = /* @__PURE__ */ new Date();
-    return {
-      ...e,
-      lastActivity: r,
-      expiresAt: new Date(r.getTime() + U.toMillis(t))
-    };
-  }
-}, Z = {
-  cookieName: "gello_session",
-  lifetime: U.hours(2),
-  path: "/",
-  secure: !0,
-  httpOnly: !0,
-  sameSite: "lax"
-};
-class vr extends h.TaggedError("SessionError") {
-}
-class se extends h.TaggedError("SessionNotFoundError") {
-}
-class xr extends h.TaggedError("SessionExpiredError") {
-}
-class st extends h.TaggedError("CsrfMismatchError") {
-}
-class T extends h.TaggedError("JwtError") {
-}
-class F extends y.Tag("@gello/auth/SessionStore")() {
-}
-const ot = () => {
-  const e = /* @__PURE__ */ new Map();
-  return {
-    get: (t) => o.sync(() => {
-      const r = e.get(t);
-      return r ? /* @__PURE__ */ new Date() > r.expiresAt ? (e.delete(t), m.none()) : m.some(r) : m.none();
-    }),
-    put: (t) => o.sync(() => {
-      e.set(t.id, t);
-    }),
-    destroy: (t) => o.sync(() => {
-      if (!e.has(t))
-        throw new se({
-          message: "Session not found",
-          sessionId: t
-        });
-      e.delete(t);
-    }),
-    destroyByUser: (t) => o.sync(() => {
-      let r = 0;
-      for (const [n, s] of e)
-        s.userId === t && (e.delete(n), r++);
-      return r;
-    }),
-    touch: (t, r) => o.sync(() => {
-      const n = e.get(t);
-      if (!n)
-        throw new se({
-          message: "Session not found",
-          sessionId: t
-        });
-      const s = /* @__PURE__ */ new Date();
-      e.set(t, {
-        ...n,
-        lastActivity: s,
-        expiresAt: new Date(s.getTime() + U.toMillis(r))
-      });
-    }),
-    gc: (t) => o.sync(() => {
-      const r = /* @__PURE__ */ new Date(), n = new Date(r.getTime() - U.toMillis(t));
-      let s = 0;
-      for (const [i, a] of e)
-        (a.expiresAt < r || a.lastActivity < n) && (e.delete(i), s++);
-      return s;
-    })
-  };
-}, it = p.succeed(
-  F,
-  ot()
-);
-class at extends y.Tag("@gello/auth/JwtService")() {
-}
-const oe = (e) => Buffer.from(e).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, ""), ie = (e) => {
-  const t = e.replace(/-/g, "+").replace(/_/g, "/"), r = t.length % 4, n = r ? t + "=".repeat(4 - r) : t;
-  return Buffer.from(n, "base64").toString("utf-8");
-}, ae = async (e, t) => {
-  const r = new TextEncoder(), n = await crypto.subtle.importKey(
-    "raw",
-    r.encode(t),
-    { name: "HMAC", hash: "SHA-256" },
-    !1,
-    ["sign"]
-  ), s = await crypto.subtle.sign("HMAC", n, r.encode(e));
-  return Buffer.from(s).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
-}, ct = (e) => ({
-  sign: (t, r = 3600) => o.tryPromise({
-    try: async () => {
-      const n = Math.floor(Date.now() / 1e3), s = {
-        ...t,
-        iat: n,
-        exp: n + r
-      }, i = oe(JSON.stringify({ alg: "HS256", typ: "JWT" })), a = oe(JSON.stringify(s)), l = await ae(`${i}.${a}`, e);
-      return `${i}.${a}.${l}`;
-    },
-    catch: (n) => new T({
-      message: "Failed to sign JWT",
-      reason: "malformed",
-      cause: n
-    })
-  }),
-  verify: (t) => o.tryPromise({
-    try: async () => {
-      const r = t.split(".");
-      if (r.length !== 3)
-        throw new T({
-          message: "Invalid JWT format",
-          reason: "malformed"
-        });
-      const [n, s, i] = r, a = await ae(`${n}.${s}`, e);
-      if (i !== a)
-        throw new T({
-          message: "Invalid JWT signature",
-          reason: "invalid"
-        });
-      const l = JSON.parse(ie(s)), c = Math.floor(Date.now() / 1e3);
-      if (l.exp && l.exp < c)
-        throw new T({
-          message: "JWT has expired",
-          reason: "expired"
-        });
-      return l;
-    },
-    catch: (r) => r instanceof T ? r : new T({
-      message: "Failed to verify JWT",
-      reason: "malformed",
-      cause: r
-    })
-  }),
-  decode: (t) => o.try({
-    try: () => {
-      const r = t.split(".");
-      if (r.length !== 3)
-        throw new T({
-          message: "Invalid JWT format",
-          reason: "malformed"
-        });
-      return JSON.parse(ie(r[1]));
-    },
-    catch: (r) => r instanceof T ? r : new T({
-      message: "Failed to decode JWT",
-      reason: "malformed",
-      cause: r
-    })
-  })
-}), br = (e) => p.succeed(at, ct(e));
-class V extends y.Tag("@gello/auth/CurrentSession")() {
-}
-const lt = (e) => {
-  const t = /* @__PURE__ */ new Map();
-  return e && e.split(";").forEach((r) => {
-    const [n, ...s] = r.trim().split("=");
-    n && t.set(n, s.join("="));
-  }), t;
-}, ce = (e = {}) => {
-  const t = { ...Z, ...e };
-  return {
-    name: "session",
-    apply: (r) => o.gen(function* () {
-      const n = yield* J.HttpServerRequest, s = yield* F, a = lt(n.headers.cookie).get(t.cookieName);
-      let l = null;
-      if (a) {
-        const c = yield* s.get(Ee(a));
-        if (m.isSome(c)) {
-          const g = c.value;
-          L.isExpired(g) || (yield* s.touch(g.id, t.lifetime).pipe(
-            o.catchAll(() => o.void)
-          ), l = L.touch(g, t.lifetime));
-        }
-      }
-      return !l && !e.optional ? x.json(
-        { error: "Session required" },
-        { status: 401 }
-      ) : l ? yield* r.pipe(
-        o.provideService(V, l)
-      ) : yield* r;
-    })
-  };
-};
-ce.optional = () => ({
-  ...ce({ optional: !0 }),
-  name: "session.optional"
-});
-const Sr = (e, t = Z, r = {}) => o.gen(function* () {
-  const n = yield* F, s = yield* J.HttpServerRequest, i = L.make(e.id, {
-    data: r,
-    ipAddress: s.headers["x-forwarded-for"] ?? s.headers["x-real-ip"],
-    userAgent: s.headers["user-agent"],
-    lifetime: t.lifetime
-  });
-  yield* n.put(i);
-  const a = [
-    `${t.cookieName}=${i.id}`,
-    `Path=${t.path}`,
-    `Max-Age=${Math.floor(U.toSeconds(t.lifetime))}`,
-    t.httpOnly ? "HttpOnly" : "",
-    t.secure ? "Secure" : "",
-    `SameSite=${t.sameSite}`,
-    t.domain ? `Domain=${t.domain}` : ""
-  ].filter(Boolean);
-  return {
-    session: i,
-    cookie: a.join("; ")
-  };
-}), Ar = (e = Z) => o.gen(function* () {
-  const t = yield* V;
-  return yield* (yield* F).destroy(t.id).pipe(o.catchAll(() => o.void)), [
-    `${e.cookieName}=`,
-    `Path=${e.path}`,
-    "Max-Age=0",
-    e.httpOnly ? "HttpOnly" : "",
-    e.secure ? "Secure" : "",
-    `SameSite=${e.sameSite}`
-  ].filter(Boolean).join("; ");
-}), Er = (e) => o.gen(function* () {
-  return (yield* V).data[e];
-}), Ur = (e, t) => o.gen(function* () {
-  const r = yield* V, n = yield* F, s = {
-    ...r,
-    data: { ...r.data, [e]: t }
-  };
-  yield* n.put(s);
-});
-class dt extends y.Tag("@gello/auth/CsrfToken")() {
-}
-const $e = {
-  cookieName: "XSRF-TOKEN",
-  headerName: "X-XSRF-TOKEN",
-  protectedMethods: ["POST", "PUT", "PATCH", "DELETE"],
-  path: "/",
-  secure: !0,
-  sameSite: "lax"
-}, ut = (e) => {
-  const t = /* @__PURE__ */ new Map();
-  return e && e.split(";").forEach((r) => {
-    const [n, ...s] = r.trim().split("=");
-    n && t.set(n, s.join("="));
-  }), t;
-}, $r = (e = {}) => {
-  const t = { ...$e, ...e };
-  return {
-    name: "csrf",
-    apply: (r) => o.gen(function* () {
-      const n = yield* J.HttpServerRequest, s = n.method.toUpperCase();
-      if (!t.protectedMethods.includes(s))
-        return yield* r;
-      const a = ut(n.headers.cookie).get(t.cookieName), l = n.headers[t.headerName.toLowerCase()];
-      return !a || !l ? x.json(
-        { error: "CSRF token missing" },
-        { status: 419 }
-      ) : a !== l ? x.json(
-        { error: "CSRF token mismatch" },
-        { status: 419 }
-      ) : yield* r.pipe(
-        o.provideService(dt, Ue(a))
-      );
-    })
-  };
-}, Mr = (e = {}) => {
-  const t = { ...$e, ...e };
-  return o.sync(() => {
-    const r = L.generateCsrfToken();
-    return [
-      `${t.cookieName}=${r}`,
-      `Path=${t.path}`,
-      // Not HttpOnly so JS can read it
-      t.secure ? "Secure" : "",
-      `SameSite=${t.sameSite}`
-    ].filter(Boolean).join("; ");
-  });
-}, Ir = (e, t) => o.gen(function* () {
-  if (e !== t)
-    return yield* o.fail(
-      new st({
-        message: "CSRF token mismatch"
-      })
-    );
-}), N = (e) => typeof e == "string" ? e : e.constructor.name, le = (e, t) => {
-  const r = Array.isArray(e) ? e : [e];
-  return r.includes(t) || r.includes("manage");
-}, de = (e, t) => {
-  const r = Array.isArray(e) ? e : [e], n = N(t);
-  return r.some((s) => s === "all" ? !0 : typeof s == "string" ? s === n : s === t);
-}, ue = (e, t) => !e || typeof t == "string" ? !0 : Object.entries(e).every(([r, n]) => t[r] === n), ht = (e) => {
-  const t = (s, i) => {
-    const a = e.filter(
-      (g) => le(g.action, s) && de(g.subject, i) && ue(g.conditions, i)
-    );
-    if (a.length === 0) return !1;
-    const l = a.some((g) => g.inverted), c = a.some((g) => !g.inverted);
-    return l ? !1 : c;
-  };
-  return {
-    rules: e,
-    can: t,
-    cannot: (s, i) => !t(s, i),
-    relevantRuleFor: (s, i) => e.find(
-      (a) => le(a.action, s) && de(a.subject, i) && ue(a.conditions, i)
-    )
-  };
-};
-class Pr extends h.TaggedError("AuthorizationError") {
-}
-class Me extends h.TaggedError("ForbiddenError") {
-}
-function Cr(e, t) {
-  const r = [];
-  return t({
-    user: e,
-    can: (s, i, a) => {
-      r.push({
-        action: Array.isArray(s) ? s : [s],
-        subject: Array.isArray(i) ? i : [i],
-        conditions: a,
-        inverted: !1
-      });
-    },
-    cannot: (s, i, a, l) => {
-      r.push({
-        action: Array.isArray(s) ? s : [s],
-        subject: Array.isArray(i) ? i : [i],
-        conditions: a,
-        inverted: !0,
-        reason: l
-      });
-    }
-  }), ht(r);
-}
-const Nr = {
-  /**
-   * CRUD abilities for a resource
-   */
-  crud: (e) => ["create", "read", "update", "delete"],
-  /**
-   * Full management (includes all actions)
-   */
-  manage: "manage",
-  /**
-   * All subjects wildcard
-   */
-  all: "all"
-};
-class b extends y.Tag("@gello/auth/Abilities")() {
-}
-const Dr = (e, t) => o.gen(function* () {
-  return (yield* b).can(e, t);
-}), Rr = (e, t) => o.gen(function* () {
-  return (yield* b).cannot(e, t);
-}), ft = (e, t) => o.gen(function* () {
-  const r = yield* b;
-  if (!r.can(e, t)) {
-    const s = r.relevantRuleFor(e, t);
-    return yield* o.fail(
-      new Me({
-        message: (s == null ? void 0 : s.reason) ?? `You are not authorized to ${e} this ${N(t)}`,
-        action: e,
-        subject: N(t),
-        rule: s
-      })
-    );
-  }
-}), _r = (e, t) => o.gen(function* () {
-  for (const r of e)
-    yield* ft(r, t);
-}), Or = (e, t) => o.gen(function* () {
-  const r = yield* b;
-  if (!e.some((s) => r.can(s, t)))
-    return yield* o.fail(
-      new Me({
-        message: `You are not authorized to perform any of [${e.join(", ")}] on this ${N(t)}`,
-        action: e[0],
-        subject: N(t)
-      })
-    );
-}), Lr = (e) => p.succeed(b, e), gt = (e, t, r = {}) => ({
-  name: "authorize",
-  apply: (n) => o.gen(function* () {
-    const s = yield* b, i = t ? yield* t().pipe(o.catchAll(() => o.succeed(e))) : e;
-    if (!s.can(e, i)) {
-      const l = N(i), c = r.message ?? `You are not authorized to ${e} ${l}`, g = r.status ?? 403;
-      return x.json({ error: c }, { status: g });
-    }
-    return yield* n;
-  })
-}), Fr = (e = {}) => ({
-  ...gt("manage", () => o.succeed("all"), e),
-  name: "requireAdmin"
-}), Hr = (e, t, r = {}) => ({
-  name: "requireAny",
-  apply: (n) => o.gen(function* () {
-    const s = yield* b, i = t ? yield* t().pipe(o.catchAll(() => o.succeed(e[0]))) : e[0];
-    if (!e.some((l) => s.can(l, i))) {
-      const l = r.message ?? "You are not authorized to perform this action", c = r.status ?? 403;
-      return x.json({ error: l }, { status: c });
-    }
-    return yield* n;
-  })
-}), Ie = {
-  make: (e, t) => ({
-    id: t.id,
-    email: t.email ?? null,
-    name: t.name ?? null,
-    firstName: t.firstName ?? null,
-    lastName: t.lastName ?? null,
-    avatar: t.avatar ?? null,
-    nickname: t.nickname ?? null,
-    provider: e,
-    raw: t.raw ?? {}
-  })
-}, he = {
-  make: (e) => ({
-    accessToken: e.accessToken,
-    refreshToken: e.refreshToken ?? null,
-    expiresAt: e.expiresAt ?? (e.expiresIn ? new Date(Date.now() + e.expiresIn * 1e3) : null),
-    tokenType: e.tokenType ?? "Bearer",
-    scopes: typeof e.scope == "string" ? e.scope.split(" ") : e.scope ?? []
-  }),
-  /**
-   * Check if token is expired
-   */
-  isExpired: (e) => e.expiresAt ? /* @__PURE__ */ new Date() > e.expiresAt : !1,
-  /**
-   * Check if token can be refreshed
-   */
-  canRefresh: (e) => e.refreshToken !== null
-};
-class jr extends h.TaggedError("OAuthError") {
-}
-class zr extends h.TaggedError("OAuthConfigError") {
-}
-class mt extends h.TaggedError("OAuthStateMismatchError") {
-}
-class I extends h.TaggedError("OAuthTokenError") {
-}
-class K extends h.TaggedError("OAuthUserError") {
-}
-class fe extends h.TaggedError("OAuthProviderNotFoundError") {
-}
-class Pe {
-  constructor(t) {
-    O(this, "config");
-    this.config = t;
-  }
-  /**
-   * Build the authorization URL
-   */
-  getAuthorizationUrl(t, r) {
-    const n = [.../* @__PURE__ */ new Set([...this.defaultScopes, ...t])], s = new URLSearchParams({
-      client_id: this.config.clientId,
-      redirect_uri: this.config.redirectUri,
-      response_type: "code",
-      scope: n.join(" "),
-      state: r
-    });
-    return `${this.authorizationUrl}?${s.toString()}`;
-  }
-  /**
-   * Exchange code for access token
-   */
-  getAccessToken(t) {
-    return o.tryPromise({
-      try: async () => {
-        const r = await fetch(this.tokenUrl, {
-          method: "POST",
-          headers: {
-            "Content-Type": "application/x-www-form-urlencoded",
-            Accept: "application/json"
-          },
-          body: new URLSearchParams({
-            client_id: this.config.clientId,
-            client_secret: this.config.clientSecret,
-            code: t,
-            redirect_uri: this.config.redirectUri,
-            grant_type: "authorization_code"
-          })
-        });
-        if (!r.ok) {
-          const s = await r.json().catch(() => ({}));
-          throw new I({
-            message: "Failed to exchange code for token",
-            provider: this.name,
-            error: s.error,
-            errorDescription: s.error_description
-          });
-        }
-        const n = await r.json();
-        return he.make({
-          accessToken: n.access_token,
-          refreshToken: n.refresh_token,
-          expiresIn: n.expires_in,
-          tokenType: n.token_type,
-          scope: n.scope
-        });
-      },
-      catch: (r) => r instanceof I ? r : new I({
-        message: "Failed to exchange code for token",
-        provider: this.name,
-        error: String(r)
-      })
-    });
-  }
-  /**
-   * Refresh access token
-   */
-  refreshToken(t) {
-    return o.tryPromise({
-      try: async () => {
-        const r = await fetch(this.tokenUrl, {
-          method: "POST",
-          headers: {
-            "Content-Type": "application/x-www-form-urlencoded",
-            Accept: "application/json"
-          },
-          body: new URLSearchParams({
-            client_id: this.config.clientId,
-            client_secret: this.config.clientSecret,
-            refresh_token: t,
-            grant_type: "refresh_token"
-          })
-        });
-        if (!r.ok) {
-          const s = await r.json().catch(() => ({}));
-          throw new I({
-            message: "Failed to refresh token",
-            provider: this.name,
-            error: s.error,
-            errorDescription: s.error_description
-          });
-        }
-        const n = await r.json();
-        return he.make({
-          accessToken: n.access_token,
-          refreshToken: n.refresh_token ?? t,
-          expiresIn: n.expires_in,
-          tokenType: n.token_type,
-          scope: n.scope
-        });
-      },
-      catch: (r) => r instanceof I ? r : new I({
-        message: "Failed to refresh token",
-        provider: this.name,
-        error: String(r)
-      })
-    });
-  }
-  /**
-   * Get user information
-   */
-  getUser(t) {
-    return o.tryPromise({
-      try: async () => {
-        const r = await fetch(this.userInfoUrl, {
-          headers: {
-            Authorization: `${t.tokenType} ${t.accessToken}`,
-            Accept: "application/json"
-          }
-        });
-        if (!r.ok)
-          throw new K({
-            message: "Failed to fetch user info",
-            provider: this.name
-          });
-        const n = await r.json();
-        return this.parseUser(n);
-      },
-      catch: (r) => r instanceof K ? r : new K({
-        message: "Failed to fetch user info",
-        provider: this.name,
-        cause: r
-      })
-    });
-  }
-  /**
-   * Create a builder for fluent API
-   */
-  builder() {
-    let t = [], r = !1, n = null;
-    const s = this, i = {
-      scopes: (a) => (t = a, i),
-      stateless: () => (r = !0, i),
-      redirect: () => o.sync(() => (n = crypto.randomUUID(), s.getAuthorizationUrl(t, n))),
-      user: (a, l) => o.gen(function* () {
-        if (!r && n && l !== n)
-          return yield* o.fail(
-            new mt({
-              message: "OAuth state mismatch",
-              provider: s.name
-            })
-          );
-        const c = yield* s.getAccessToken(a);
-        return { user: yield* s.getUser(c), token: c };
-      })
-    };
-    return i;
-  }
-}
-class Ce extends Pe {
-  constructor() {
-    super(...arguments);
-    O(this, "name", "github");
-  }
-  get authorizationUrl() {
-    return "https://github.com/login/oauth/authorize";
-  }
-  get tokenUrl() {
-    return "https://github.com/login/oauth/access_token";
-  }
-  get userInfoUrl() {
-    return "https://api.github.com/user";
-  }
-  get defaultScopes() {
-    return ["user:email"];
-  }
-  parseUser(r) {
-    return Ie.make("github", {
-      id: String(r.id),
-      email: r.email,
-      name: r.name,
-      nickname: r.login,
-      avatar: r.avatar_url,
-      raw: r
-    });
-  }
-}
-const Br = (e) => new Ce(e);
-class Ne extends Pe {
-  constructor() {
-    super(...arguments);
-    O(this, "name", "google");
-  }
-  get authorizationUrl() {
-    return "https://accounts.google.com/o/oauth2/v2/auth";
-  }
-  get tokenUrl() {
-    return "https://oauth2.googleapis.com/token";
-  }
-  get userInfoUrl() {
-    return "https://www.googleapis.com/oauth2/v2/userinfo";
-  }
-  get defaultScopes() {
-    return ["openid", "email", "profile"];
-  }
-  parseUser(r) {
-    return Ie.make("google", {
-      id: r.id,
-      email: r.email,
-      name: r.name,
-      firstName: r.given_name,
-      lastName: r.family_name,
-      avatar: r.picture,
-      raw: r
-    });
-  }
-  /**
-   * Override to add Google-specific parameters
-   */
-  getAuthorizationUrl(r, n) {
-    const s = [.../* @__PURE__ */ new Set([...this.defaultScopes, ...r])], i = new URLSearchParams({
-      client_id: this.config.clientId,
-      redirect_uri: this.config.redirectUri,
-      response_type: "code",
-      scope: s.join(" "),
-      state: n,
-      access_type: "offline",
-      // Get refresh token
-      prompt: "consent"
-      // Force consent screen
-    });
-    return `${this.authorizationUrl}?${i.toString()}`;
-  }
-}
-const Wr = (e) => new Ne(e);
-class W extends y.Tag("@gello/auth/Social")() {
-}
-const pt = {
-  github: (e) => new Ce(e),
-  google: (e) => new Ne(e)
-}, yt = (e, t = {}) => {
-  const r = { ...pt, ...t }, n = /* @__PURE__ */ new Map(), s = (i) => {
-    let a = n.get(i);
-    if (a) return a;
-    const l = e.providers[i];
-    if (!l)
-      throw new fe({
-        message: `OAuth provider "${i}" is not configured`,
-        provider: i
-      });
-    const c = r[i];
-    if (!c)
-      throw new fe({
-        message: `OAuth provider "${i}" is not supported`,
-        provider: i
-      });
-    return a = c(l), n.set(i, a), a;
-  };
-  return {
-    driver: (i) => {
-      const a = s(i);
-      if ("builder" in a && typeof a.builder == "function")
-        return a.builder();
-      throw new Error(`Provider "${i}" does not support the builder pattern`);
-    },
-    hasProvider: (i) => i in e.providers && i in r,
-    providers: () => Object.keys(e.providers).filter((i) => i in r)
-  };
-}, qr = (e, t) => p.succeed(W, yt(e, t)), Jr = {
-  driver: (e) => o.gen(function* () {
-    return (yield* W).driver(e);
-  }),
-  hasProvider: (e) => o.gen(function* () {
-    return (yield* W).hasProvider(e);
-  }),
-  providers: () => o.gen(function* () {
-    return (yield* W).providers();
-  })
-}, R = {
-  brand: {
-    name: "My App",
-    logoWidth: 120
-  },
-  colors: {
-    primary: "#3b82f6",
-    // Blue 500
-    secondary: "#64748b",
-    // Slate 500
-    background: "#ffffff",
-    surface: "#f8fafc",
-    // Slate 50
-    text: "#1e293b",
-    // Slate 800
-    muted: "#94a3b8",
-    // Slate 400
-    border: "#e2e8f0",
-    // Slate 200
-    success: "#22c55e",
-    // Green 500
-    warning: "#f59e0b",
-    // Amber 500
-    error: "#ef4444"
-    // Red 500
-  },
-  fonts: {
-    heading: "-apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif",
-    body: "-apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif",
-    mono: "ui-monospace, SFMono-Regular, 'SF Mono', Menlo, Consolas, monospace"
-  },
-  layout: {
-    maxWidth: 600,
-    padding: 24,
-    borderRadius: 8
-  }
-}, De = q.createContext(R);
-function S() {
-  return q.useContext(De);
-}
-function kt({ theme: e, children: t }) {
-  return /* @__PURE__ */ d(De.Provider, { value: e, children: t });
-}
-function H({ theme: e, preview: t, children: r }) {
-  return /* @__PURE__ */ d(kt, { theme: e, children: /* @__PURE__ */ u(Be, { children: [
-    /* @__PURE__ */ d(We, {}),
-    t && /* @__PURE__ */ d("span", { style: { display: "none" }, children: t }),
-    /* @__PURE__ */ d(qe, { style: vt(e), children: /* @__PURE__ */ u(Je, { style: xt(e), children: [
-      /* @__PURE__ */ d(wt, {}),
-      /* @__PURE__ */ d(M, { style: At(e), children: r }),
-      /* @__PURE__ */ d(Tt, {})
-    ] }) })
-  ] }) });
-}
-function wt() {
-  const e = S();
-  return /* @__PURE__ */ d(M, { style: bt(e), children: e.brand.logo ? /* @__PURE__ */ d(P, { href: e.brand.website, children: /* @__PURE__ */ d(
-    Ve,
-    {
-      src: e.brand.logo,
-      width: e.brand.logoWidth ?? 120,
-      alt: e.brand.name,
-      style: { margin: "0 auto" }
-    }
-  ) }) : /* @__PURE__ */ d($, { style: St(e), children: e.brand.name }) });
-}
-function Tt() {
-  const e = S(), t = e.footer;
-  return t ? /* @__PURE__ */ u(M, { style: Et(e), children: [
-    /* @__PURE__ */ d(ke, { style: Ut(e) }),
-    t.company && /* @__PURE__ */ d($, { style: ge(e), children: t.company }),
-    t.address && /* @__PURE__ */ d($, { style: ge(e), children: t.address }),
-    t.socialLinks && /* @__PURE__ */ u(M, { style: { textAlign: "center", marginTop: "16px" }, children: [
-      t.socialLinks.twitter && /* @__PURE__ */ d(P, { href: t.socialLinks.twitter, style: B(e), children: "Twitter" }),
-      t.socialLinks.facebook && /* @__PURE__ */ d(P, { href: t.socialLinks.facebook, style: B(e), children: "Facebook" }),
-      t.socialLinks.linkedin && /* @__PURE__ */ d(P, { href: t.socialLinks.linkedin, style: B(e), children: "LinkedIn" }),
-      t.socialLinks.github && /* @__PURE__ */ d(P, { href: t.socialLinks.github, style: B(e), children: "GitHub" })
-    ] }),
-    t.unsubscribeUrl && /* @__PURE__ */ d($, { style: $t(e), children: /* @__PURE__ */ d(P, { href: t.unsubscribeUrl, style: { color: e.colors.muted }, children: "Unsubscribe" }) })
-  ] }) : null;
-}
-function vt(e) {
-  return {
-    backgroundColor: e.colors.surface,
-    fontFamily: e.fonts.body,
-    margin: 0,
-    padding: "40px 0"
-  };
-}
-function xt(e) {
-  return {
-    maxWidth: `${e.layout.maxWidth}px`,
-    margin: "0 auto",
-    backgroundColor: e.colors.background,
-    borderRadius: `${e.layout.borderRadius}px`,
-    overflow: "hidden"
-  };
-}
-function bt(e) {
-  return {
-    padding: `${e.layout.padding}px`,
-    textAlign: "center",
-    borderBottom: `1px solid ${e.colors.border}`
-  };
-}
-function St(e) {
-  return {
-    fontSize: "24px",
-    fontWeight: "bold",
-    color: e.colors.text,
-    fontFamily: e.fonts.heading,
-    margin: 0
-  };
-}
-function At(e) {
-  return {
-    padding: `${e.layout.padding}px`
-  };
-}
-function Et(e) {
-  return {
-    padding: `${e.layout.padding}px`,
-    textAlign: "center"
-  };
-}
-function ge(e) {
-  return {
-    fontSize: "12px",
-    color: e.colors.muted,
-    margin: "4px 0",
-    lineHeight: "1.5"
-  };
-}
-function Ut(e) {
-  return {
-    borderColor: e.colors.border,
-    borderTop: "none",
-    marginBottom: "16px"
-  };
-}
-function B(e) {
-  return {
-    color: e.colors.muted,
-    fontSize: "12px",
-    marginRight: "16px",
-    textDecoration: "none"
-  };
-}
-function $t(e) {
-  return {
-    fontSize: "11px",
-    color: e.colors.muted,
-    marginTop: "16px"
-  };
-}
-function j({ children: e, padding: t = !0, style: r }) {
-  const n = S();
-  return /* @__PURE__ */ d(
-    M,
-    {
-      style: {
-        padding: t ? `${n.layout.padding / 2}px 0` : void 0,
-        ...r
-      },
-      children: e
-    }
-  );
-}
-function Mt({ children: e, style: t }) {
-  const r = S();
-  return /* @__PURE__ */ d(
-    M,
-    {
-      style: {
-        backgroundColor: r.colors.surface,
-        borderRadius: `${r.layout.borderRadius}px`,
-        padding: `${r.layout.padding}px`,
-        border: `1px solid ${r.colors.border}`,
-        margin: "16px 0",
-        ...t
-      },
-      children: e
-    }
-  );
-}
-function me({ style: e }) {
-  const t = S();
-  return /* @__PURE__ */ d(
-    ke,
-    {
-      style: {
-        borderColor: t.colors.border,
-        borderTop: "none",
-        margin: "24px 0",
-        ...e
-      }
-    }
-  );
-}
-const It = {
-  h1: 28,
-  h2: 24,
-  h3: 20,
-  h4: 18,
-  h5: 16,
-  h6: 14
-}, Pt = {
-  h1: "0 0 16px 0",
-  h2: "24px 0 12px 0",
-  h3: "20px 0 10px 0",
-  h4: "16px 0 8px 0",
-  h5: "12px 0 6px 0",
-  h6: "8px 0 4px 0"
-};
-function D({ as: e = "h1", children: t, style: r }) {
-  const n = S();
-  return /* @__PURE__ */ d(
-    Ge,
-    {
-      as: e,
-      style: {
-        fontFamily: n.fonts.heading,
-        fontSize: `${It[e]}px`,
-        fontWeight: "600",
-        color: n.colors.text,
-        margin: Pt[e],
-        lineHeight: "1.3",
-        ...r
-      },
-      children: t
-    }
-  );
-}
-function f({
-  children: e,
-  muted: t = !1,
-  small: r = !1,
-  center: n = !1,
-  style: s
-}) {
-  const i = S();
-  return /* @__PURE__ */ d(
-    $,
-    {
-      style: {
-        fontFamily: i.fonts.body,
-        fontSize: r ? "14px" : "16px",
-        color: t ? i.colors.muted : i.colors.text,
-        lineHeight: "1.6",
-        margin: "0 0 16px 0",
-        textAlign: n ? "center" : void 0,
-        ...s
-      },
-      children: e
-    }
-  );
-}
-function z({
-  href: e,
-  children: t,
-  variant: r = "primary",
-  size: n = "md",
-  fullWidth: s = !1,
-  style: i
-}) {
-  const a = S(), l = {
-    sm: { padding: "8px 16px", fontSize: "14px" },
-    md: { padding: "12px 24px", fontSize: "16px" },
-    lg: { padding: "16px 32px", fontSize: "18px" }
-  }, c = {
-    primary: {
-      backgroundColor: a.colors.primary,
-      color: "#ffffff",
-      border: "none"
-    },
-    secondary: {
-      backgroundColor: a.colors.secondary,
-      color: "#ffffff",
-      border: "none"
-    },
-    outline: {
-      backgroundColor: "transparent",
-      color: a.colors.primary,
-      border: `2px solid ${a.colors.primary}`
-    }
-  };
-  return /* @__PURE__ */ d(
-    Ye,
-    {
-      href: e,
-      style: {
-        display: s ? "block" : "inline-block",
-        width: s ? "100%" : void 0,
-        textAlign: "center",
-        fontFamily: a.fonts.body,
-        fontWeight: "600",
-        textDecoration: "none",
-        borderRadius: `${a.layout.borderRadius}px`,
-        ...l[n],
-        ...c[r],
-        ...i
-      },
-      children: t
-    }
-  );
-}
-function G({
-  type: e = "info",
-  title: t,
-  children: r,
-  style: n
-}) {
-  const s = S(), a = {
-    info: {
-      bg: "#eff6ff",
-      border: "#3b82f6",
-      title: "#1e40af",
-      text: "#1e3a5f"
-    },
-    success: {
-      bg: "#f0fdf4",
-      border: "#22c55e",
-      title: "#166534",
-      text: "#14532d"
-    },
-    warning: {
-      bg: "#fffbeb",
-      border: "#f59e0b",
-      title: "#92400e",
-      text: "#78350f"
-    },
-    error: {
-      bg: "#fef2f2",
-      border: "#ef4444",
-      title: "#991b1b",
-      text: "#7f1d1d"
-    }
-  }[e];
-  return /* @__PURE__ */ u(
-    M,
-    {
-      style: {
-        backgroundColor: a.bg,
-        borderLeft: `4px solid ${a.border}`,
-        borderRadius: `${s.layout.borderRadius}px`,
-        padding: "16px",
-        margin: "16px 0",
-        ...n
-      },
-      children: [
-        t && /* @__PURE__ */ d(
-          $,
-          {
-            style: {
-              fontFamily: s.fonts.heading,
-              fontSize: "14px",
-              fontWeight: "600",
-              color: a.title,
-              margin: "0 0 8px 0"
-            },
-            children: t
-          }
-        ),
-        /* @__PURE__ */ d(
-          $,
-          {
-            style: {
-              fontFamily: s.fonts.body,
-              fontSize: "14px",
-              color: a.text,
-              margin: 0,
-              lineHeight: "1.5"
-            },
-            children: r
-          }
-        )
-      ]
-    }
-  );
-}
-const Ct = E.nominal(), Nt = E.nominal(), k = {
-  make: (e, t) => ({
-    email: Nt(e),
-    name: t
-  }),
-  /**
-   * Format address as string: "Name <email>" or just "email"
-   */
-  format: (e) => e.name ? `"${e.name}" <${e.email}>` : e.email,
-  /**
-   * Parse string like "Name <email>" into Address
-   */
-  parse: (e) => {
-    var r;
-    const t = e.match(/^(?:"?([^"]*)"?\s)?<?([^>]+@[^>]+)>?$/);
-    return t ? k.make(t[2].trim(), (r = t[1]) == null ? void 0 : r.trim()) : null;
-  }
-}, ee = {
-  /**
-   * Generate a new MessageId
-   */
-  generateId: () => Ct(crypto.randomUUID()),
-  /**
-   * Create a new message with defaults
-   */
-  make: (e, t, r) => ({
-    id: ee.generateId(),
-    envelope: e,
-    content: t,
-    attachments: (r == null ? void 0 : r.attachments) ?? [],
-    headers: (r == null ? void 0 : r.headers) ?? /* @__PURE__ */ new Map(),
-    priority: (r == null ? void 0 : r.priority) ?? "normal",
-    tags: r == null ? void 0 : r.tags,
-    metadata: r == null ? void 0 : r.metadata,
-    createdAt: /* @__PURE__ */ new Date()
-  })
-};
-class Vr extends h.TaggedError("MailError") {
-}
-class Gr extends h.TaggedError("MailConnectionError") {
-}
-class Yr extends h.TaggedError("MailValidationError") {
-}
-class Kr extends h.TaggedError("MailDeliveryError") {
-}
-class Re extends h.TaggedError("TemplateError") {
-}
-class pe extends h.TaggedError("TemplateNotFoundError") {
-}
-class Xr extends h.TaggedError("AttachmentError") {
-}
-class Qr extends h.TaggedError("MailConfigError") {
-}
-class Y {
-  constructor() {
-    O(this, "state", {
-      to: [],
-      cc: [],
-      bcc: [],
-      attachments: [],
-      headers: /* @__PURE__ */ new Map(),
-      priority: "normal",
-      tags: [],
-      metadata: {}
-    });
-  }
-  /**
-   * Build the final message
-   */
-  build() {
-    return o.gen(this, function* () {
-      const t = yield* this.getContent(this.state.data), r = {
-        from: this.state.from ?? k.make("noreply@example.com"),
-        to: this.state.to,
-        cc: this.state.cc.length > 0 ? this.state.cc : void 0,
-        bcc: this.state.bcc.length > 0 ? this.state.bcc : void 0,
-        replyTo: this.state.replyTo
-      };
-      return ee.make(r, t, {
-        attachments: this.state.attachments,
-        headers: this.state.headers,
-        priority: this.state.priority,
-        tags: this.state.tags.length > 0 ? this.state.tags : void 0,
-        metadata: Object.keys(this.state.metadata).length > 0 ? this.state.metadata : void 0
-      });
-    });
-  }
-  to(t) {
-    const r = Array.isArray(t) ? t : [t];
-    return this.state.to.push(...r.map(this.normalizeAddress)), this;
-  }
-  cc(t) {
-    const r = Array.isArray(t) ? t : [t];
-    return this.state.cc.push(...r.map(this.normalizeAddress)), this;
-  }
-  bcc(t) {
-    const r = Array.isArray(t) ? t : [t];
-    return this.state.bcc.push(...r.map(this.normalizeAddress)), this;
-  }
-  from(t, r) {
-    return this.state.from = typeof t == "string" ? k.make(t, r) : t, this;
-  }
-  replyTo(t, r) {
-    return this.state.replyTo = typeof t == "string" ? k.make(t, r) : t, this;
-  }
-  subject(t) {
-    return this.state.subject = t, this;
-  }
-  with(t) {
-    return this.state.data = t, this;
-  }
-  attach(t) {
-    return this.state.attachments.push(t), this;
-  }
-  header(t, r) {
-    return this.state.headers.set(t, r), this;
-  }
-  priority(t) {
-    return this.state.priority = t, this;
-  }
-  tag(t) {
-    return this.state.tags.push(t), this;
-  }
-  metadata(t, r) {
-    return this.state.metadata[t] = r, this;
-  }
-  /**
-   * Get the template data
-   */
-  getData() {
-    return this.state.data;
-  }
-  /**
-   * Get subject from state or abstract method
-   */
-  getSubjectText() {
-    return this.state.subject ?? this.getSubject();
-  }
-  normalizeAddress(t) {
-    return typeof t == "string" ? k.parse(t) ?? k.make(t) : t;
-  }
-}
-class Dt extends y.Tag("@gello/MailDriver")() {
-}
-class _e extends y.Tag("@gello/TemplateEngine")() {
-}
-class Rt extends y.Tag("@gello/Mail")() {
-}
-const _t = o.gen(function* () {
-  const e = yield* Dt, t = yield* o.serviceOption(_e), r = (i) => i.template ? te(
-    t,
-    m.match({
-      onNone: () => (
-        // No template engine, return content as-is
-        o.succeed(i)
-      ),
-      onSome: (a) => te(
-        a.render(i.template.name, i.template.data),
-        o.map(({ html: l, text: c }) => ({
-          ...i,
-          html: l ?? i.html,
-          text: c ?? i.text
-        }))
-      )
-    })
-  ) : o.succeed(i), n = (i) => (Array.isArray(i) ? i : [i]).map(
-    (l) => typeof l == "string" ? k.parse(l) ?? k.make(l) : l
-  ), s = {
-    send: (i) => o.gen(function* () {
-      const a = yield* i.build(), l = yield* r(a.content), c = { ...a, content: l }, g = i.beforeSend ? yield* i.beforeSend(c) : c, _ = yield* e.send(g);
-      return i.afterSend && (yield* i.afterSend(_)), _;
-    }),
-    sendRaw: (i, a, l, c) => o.gen(function* () {
-      const g = n(i), _ = typeof l == "string" ? { text: l } : l, Le = {
-        from: (c == null ? void 0 : c.from) != null ? typeof c.from == "string" ? k.parse(c.from) ?? k.make(c.from) : c.from : k.make("noreply@example.com"),
-        to: g,
-        cc: c != null && c.cc ? n(c.cc) : void 0,
-        bcc: c != null && c.bcc ? n(c.bcc) : void 0,
-        replyTo: (c == null ? void 0 : c.replyTo) != null ? typeof c.replyTo == "string" ? k.parse(c.replyTo) ?? k.make(c.replyTo) : c.replyTo : void 0
-      }, Fe = ee.make(
-        Le,
-        { subject: a, ..._ },
-        {
-          attachments: c == null ? void 0 : c.attachments,
-          headers: c != null && c.headers ? new Map(Object.entries(c.headers)) : void 0,
-          priority: c == null ? void 0 : c.priority,
-          tags: c == null ? void 0 : c.tags
-        }
-      );
-      return yield* e.send(Fe);
-    }),
-    driver: () => e,
-    mailer: (i) => s
-  };
-  return s;
-});
-p.effect(Rt, _t);
-const X = /* @__PURE__ */ new Map(), Ot = (e) => o.tryPromise({
-  try: () => we(e, { pretty: !0 }),
-  catch: (t) => new Re({
-    message: `Failed to render HTML: ${t}`,
-    cause: t
-  })
-}), Lt = (e) => o.tryPromise({
-  try: () => we(e, { plainText: !0 }),
-  catch: (t) => new Re({
-    message: `Failed to render text: ${t}`,
-    cause: t
-  })
-}), ye = (e) => o.gen(function* () {
-  const t = yield* Ot(e), r = yield* Lt(e);
-  return { html: t, text: r };
-}), Ft = () => ({
-  name: "react-email",
-  render: (e, t) => o.gen(function* () {
-    const r = X.get(e);
-    if (!r)
-      return yield* o.fail(
-        new pe({
-          message: `Template "${e}" not found`,
-          template: e
-        })
-      );
-    const n = q.createElement(r, t);
-    return yield* ye(n);
-  }),
-  compile: (e) => o.gen(function* () {
-    const t = X.get(e);
-    return t ? {
-      render: (r) => {
-        const n = q.createElement(t, r);
-        return ye(n);
-      }
-    } : yield* o.fail(
-      new pe({
-        message: `Template "${e}" not found`,
-        template: e
-      })
-    );
-  }),
-  exists: (e) => o.succeed(X.has(e))
-});
-p.succeed(
-  _e,
-  Ft()
-);
-const Zr = ({
-  userName: e,
-  verificationUrl: t,
-  expiresIn: r = "60 minutes",
-  appName: n = "Our App",
-  theme: s = R
-}) => /* @__PURE__ */ d(H, { theme: s, preview: `Verify your email address for ${n}`, children: /* @__PURE__ */ u(j, { children: [
-  /* @__PURE__ */ d(D, { as: "h1", children: "Verify Your Email Address" }),
-  /* @__PURE__ */ u(f, { children: [
-    "Hi ",
-    e,
-    ","
-  ] }),
-  /* @__PURE__ */ u(f, { children: [
-    "Thank you for signing up for ",
-    n,
-    "! Please verify your email address by clicking the button below."
-  ] }),
-  /* @__PURE__ */ d(z, { href: t, children: "Verify Email Address" }),
-  /* @__PURE__ */ u(f, { muted: !0, children: [
-    "This verification link will expire in ",
-    r,
-    ". If you didn't create an account, you can safely ignore this email."
-  ] }),
-  /* @__PURE__ */ u(G, { type: "info", children: [
-    "If the button above doesn't work, copy and paste this URL into your browser: ",
-    t
-  ] })
-] }) }), en = ({
-  userName: e,
-  resetUrl: t,
-  expiresIn: r = "60 minutes",
-  appName: n = "Our App",
-  ipAddress: s,
-  theme: i = R
-}) => /* @__PURE__ */ d(H, { theme: i, preview: `Reset your password for ${n}`, children: /* @__PURE__ */ u(j, { children: [
-  /* @__PURE__ */ d(D, { as: "h1", children: "Reset Your Password" }),
-  /* @__PURE__ */ u(f, { children: [
-    "Hi ",
-    e,
-    ","
-  ] }),
-  /* @__PURE__ */ u(f, { children: [
-    "We received a request to reset your password for your ",
-    n,
-    " ",
-    "account. Click the button below to set a new password."
-  ] }),
-  /* @__PURE__ */ d(z, { href: t, children: "Reset Password" }),
-  /* @__PURE__ */ u(f, { muted: !0, children: [
-    "This password reset link will expire in ",
-    r,
-    "."
-  ] }),
-  s && /* @__PURE__ */ u(f, { muted: !0, children: [
-    "This request was made from IP address: ",
-    s
-  ] }),
-  /* @__PURE__ */ d(G, { type: "warning", children: "If you didn't request a password reset, please ignore this email or contact support if you believe your account has been compromised." }),
-  /* @__PURE__ */ u(f, { muted: !0, children: [
-    "If the button above doesn't work, copy and paste this URL into your browser: ",
-    t
-  ] })
-] }) }), tn = ({
-  userName: e,
-  loginUrl: t,
-  appName: r = "Our App",
-  features: n = [],
-  theme: s = R
-}) => /* @__PURE__ */ d(H, { theme: s, preview: `Welcome to ${r}!`, children: /* @__PURE__ */ u(j, { children: [
-  /* @__PURE__ */ u(D, { as: "h1", children: [
-    "Welcome to ",
-    r,
-    "!"
-  ] }),
-  /* @__PURE__ */ u(f, { children: [
-    "Hi ",
-    e,
-    ","
-  ] }),
-  /* @__PURE__ */ u(f, { children: [
-    "Thank you for joining ",
-    r,
-    "! We're excited to have you on board. Your account is now ready to use."
-  ] }),
-  /* @__PURE__ */ d(z, { href: t, children: "Get Started" }),
-  n.length > 0 && /* @__PURE__ */ u(ze, { children: [
-    /* @__PURE__ */ d(me, {}),
-    /* @__PURE__ */ d(D, { as: "h2", children: "What you can do:" }),
-    /* @__PURE__ */ d("ul", { children: n.map((i, a) => /* @__PURE__ */ d("li", { children: /* @__PURE__ */ d(f, { children: i }) }, a)) })
-  ] }),
-  /* @__PURE__ */ d(me, {}),
-  /* @__PURE__ */ d(f, { muted: !0, children: "If you have any questions, feel free to reply to this email. We're here to help!" })
-] }) }), rn = ({
-  userName: e,
-  loginTime: t,
-  ipAddress: r,
-  location: n,
-  device: s,
-  browser: i,
-  securityUrl: a,
-  appName: l = "Our App",
-  theme: c = R
-}) => /* @__PURE__ */ d(H, { theme: c, preview: `New login to your ${l} account`, children: /* @__PURE__ */ u(j, { children: [
-  /* @__PURE__ */ d(D, { as: "h1", children: "New Login Detected" }),
-  /* @__PURE__ */ u(f, { children: [
-    "Hi ",
-    e,
-    ","
-  ] }),
-  /* @__PURE__ */ u(f, { children: [
-    "We detected a new login to your ",
-    l,
-    " account. If this was you, you can safely ignore this email."
-  ] }),
-  /* @__PURE__ */ u(Mt, { children: [
-    /* @__PURE__ */ u(f, { children: [
-      /* @__PURE__ */ d("strong", { children: "Time:" }),
-      " ",
-      t
-    ] }),
-    /* @__PURE__ */ u(f, { children: [
-      /* @__PURE__ */ d("strong", { children: "IP Address:" }),
-      " ",
-      r
-    ] }),
-    n && /* @__PURE__ */ u(f, { children: [
-      /* @__PURE__ */ d("strong", { children: "Location:" }),
-      " ",
-      n
-    ] }),
-    s && /* @__PURE__ */ u(f, { children: [
-      /* @__PURE__ */ d("strong", { children: "Device:" }),
-      " ",
-      s
-    ] }),
-    i && /* @__PURE__ */ u(f, { children: [
-      /* @__PURE__ */ d("strong", { children: "Browser:" }),
-      " ",
-      i
-    ] })
-  ] }),
-  /* @__PURE__ */ d(G, { type: "warning", children: "If you didn't sign in, your account may have been compromised. Please change your password immediately and review your account security." }),
-  /* @__PURE__ */ d(z, { href: a, children: "Review Account Security" }),
-  /* @__PURE__ */ d(f, { muted: !0, children: "For your security, we send these notifications whenever there's a new login to your account." })
-] }) }), nn = ({
-  userName: e,
-  changedAt: t,
-  ipAddress: r,
-  securityUrl: n,
-  appName: s = "Our App",
-  theme: i = R
-}) => /* @__PURE__ */ d(H, { theme: i, preview: `Your ${s} password was changed`, children: /* @__PURE__ */ u(j, { children: [
-  /* @__PURE__ */ d(D, { as: "h1", children: "Password Changed" }),
-  /* @__PURE__ */ u(f, { children: [
-    "Hi ",
-    e,
-    ","
-  ] }),
-  /* @__PURE__ */ u(f, { children: [
-    "Your password for your ",
-    s,
-    " account was successfully changed on",
-    " ",
-    t,
-    "."
-  ] }),
-  r && /* @__PURE__ */ u(f, { muted: !0, children: [
-    "This change was made from IP address: ",
-    r
-  ] }),
-  /* @__PURE__ */ d(G, { type: "warning", children: "If you didn't make this change, your account may have been compromised. Please reset your password immediately and review your account security." }),
-  /* @__PURE__ */ d(z, { href: n, children: "Review Account Security" }),
-  /* @__PURE__ */ d(f, { muted: !0, children: "For your security, we send these notifications whenever your password is changed." })
-] }) });
-class Ht extends Y {
-  getSubject() {
-    return `Verify your email address for ${this.getData().appName ?? "Our App"}`;
-  }
-  getContent() {
-    const t = this.getData();
-    return o.succeed({
-      subject: this.getSubject(),
-      template: {
-        name: "auth/verify-email",
-        data: {
-          userName: t.userName,
-          verificationUrl: t.verificationUrl,
-          expiresIn: t.expiresIn ?? "60 minutes",
-          appName: t.appName ?? "Our App"
-        }
-      }
-    });
-  }
-}
-const sn = (e) => new Ht().to(e.email).with(e);
-class jt extends Y {
-  getSubject() {
-    return `Reset your password for ${this.getData().appName ?? "Our App"}`;
-  }
-  getContent() {
-    const t = this.getData();
-    return o.succeed({
-      subject: this.getSubject(),
-      template: {
-        name: "auth/reset-password",
-        data: {
-          userName: t.userName,
-          resetUrl: t.resetUrl,
-          expiresIn: t.expiresIn ?? "60 minutes",
-          appName: t.appName ?? "Our App",
-          ipAddress: t.ipAddress
-        }
-      }
-    });
-  }
-}
-const on = (e) => new jt().to(e.email).with(e);
-class zt extends Y {
-  getSubject() {
-    return `Welcome to ${this.getData().appName ?? "Our App"}!`;
-  }
-  getContent() {
-    const t = this.getData();
-    return o.succeed({
-      subject: this.getSubject(),
-      template: {
-        name: "auth/welcome",
-        data: {
-          userName: t.userName,
-          loginUrl: t.loginUrl,
-          appName: t.appName ?? "Our App",
-          features: t.features ?? []
-        }
-      }
-    });
-  }
-}
-const an = (e) => new zt().to(e.email).with(e);
-class Bt extends Y {
-  getSubject() {
-    return `New login to your ${this.getData().appName ?? "Our App"} account`;
-  }
-  getContent() {
-    const t = this.getData();
-    return o.succeed({
-      subject: this.getSubject(),
-      template: {
-        name: "auth/new-login",
-        data: {
-          userName: t.userName,
-          loginTime: t.loginTime,
-          ipAddress: t.ipAddress,
-          location: t.location,
-          device: t.device,
-          browser: t.browser,
-          securityUrl: t.securityUrl,
-          appName: t.appName ?? "Our App"
-        }
-      }
-    });
-  }
-}
-const cn = (e) => new Bt().to(e.email).with(e), Wt = () => {
-  const e = /* @__PURE__ */ new Map();
-  return {
-    create: (t) => o.sync(() => (e.set(t.id, t), t)),
-    findByToken: (t) => o.sync(() => {
-      for (const r of e.values())
-        if (r.token === t)
-          return m.some(r);
-      return m.none();
-    }),
-    findById: (t) => o.sync(() => {
-      const r = e.get(t);
-      return r ? m.some(r) : m.none();
-    }),
-    findByUser: (t) => o.sync(() => Array.from(e.values()).filter((r) => r.userId === t)),
-    updateLastUsed: (t, r) => o.sync(() => {
-      const n = e.get(t);
-      if (!n)
-        throw new re({
-          message: "Token not found",
-          tokenId: t
-        });
-      e.set(t, { ...n, lastUsedAt: r });
-    }),
-    delete: (t) => o.sync(() => {
-      if (!e.has(t))
-        throw new re({
-          message: "Token not found",
-          tokenId: t
-        });
-      e.delete(t);
-    }),
-    deleteByUser: (t) => o.sync(() => {
-      let r = 0;
-      for (const [n, s] of e)
-        s.userId === t && (e.delete(n), r++);
-      return r;
-    }),
-    deleteExpired: () => o.sync(() => {
-      const t = /* @__PURE__ */ new Date();
-      let r = 0;
-      for (const [n, s] of e)
-        s.expiresAt && s.expiresAt < t && (e.delete(n), r++);
-      return r;
-    })
-  };
-}, qt = p.succeed(
-  ve,
-  Wt()
-), Jt = () => ({
-  hash: (e) => o.sync(() => `mock:${Buffer.from(e).toString("base64")}`),
-  verify: (e, t) => o.sync(() => {
-    if (!t.startsWith("mock:"))
-      return !1;
-    const r = Buffer.from(t.slice(5), "base64").toString("utf-8");
-    return e === r;
-  }),
-  needsRehash: (e) => !e.startsWith("mock:")
-}), Vt = p.succeed(
-  xe,
-  Jt()
-), Gt = () => ({
-  hash: (e) => `hash:${Buffer.from(e).toString("base64")}`,
-  verify: (e, t) => {
-    if (!t.startsWith("hash:"))
-      return !1;
-    const r = Buffer.from(t.slice(5), "base64").toString("utf-8");
-    return e === r;
-  }
-}), Yt = p.succeed(
-  be,
-  Gt()
-), Kt = (e = []) => {
-  const t = /* @__PURE__ */ new Map(), r = /* @__PURE__ */ new Map();
-  for (const n of e)
-    t.set(n.id, n), r.set(n.email.toLowerCase(), n);
-  return {
-    findById: (n) => o.sync(() => {
-      const s = t.get(n);
-      return s ? m.some(s) : m.none();
-    }),
-    findByEmail: (n) => o.sync(() => {
-      const s = r.get(n.toLowerCase());
-      return s ? m.some(s) : m.none();
-    }),
-    findByCredentials: (n) => o.sync(() => {
-      for (const s of t.values()) {
-        const i = s;
-        if (Object.entries(n).every(
-          ([l, c]) => i[l] === c
-        ))
-          return m.some(s);
-      }
-      return m.none();
-    })
-  };
-}, Xt = (e = []) => p.succeed(Se, Kt(e)), ln = (e) => ({
-  id: Xe(crypto.randomUUID()),
-  password: "mock:dGVzdA==",
-  // "test" encoded
-  ...e
-}), Qt = (e, t = {}) => {
-  const r = t.scopes ?? ["*"], n = t.tokenName ?? "test-token", s = {
-    id: Te(crypto.randomUUID()),
-    userId: e,
-    name: n,
-    token: Q("test-hashed-token"),
-    scopes: r,
-    createdAt: /* @__PURE__ */ new Date()
-  };
-  return {
-    id: e,
-    token: s
-  };
-}, Oe = (e, t = {}) => {
-  const r = Qt(e, t);
-  return p.succeed(w, r);
-}, Zt = (e, t, r) => r.pipe(o.provide(Oe(e, t))), dn = {
-  /**
-   * Run an effect as an authenticated user
-   */
-  actingAs: (e, t, r = {}) => Zt(e, r, t),
-  /**
-   * Create a layer for authenticated user
-   */
-  actingAsLayer: Oe
-}, un = () => o.gen(function* () {
-  const e = yield* o.either(w);
-  return e._tag === "Left" ? yield* o.fail(
-    new A({
-      message: "Expected to be authenticated, but was not",
-      reason: "missing_token"
-    })
-  ) : e.right;
-}), hn = () => o.gen(function* () {
-  if ((yield* o.either(w))._tag === "Right")
-    return yield* o.fail(
-      new Error("Expected to be guest, but was authenticated")
-    );
-}), fn = (e, t) => o.gen(function* () {
-  if (!(yield* b).can(e, t))
-    return yield* o.fail(
-      new Error(`Expected to be able to ${e} ${String(t)}, but cannot`)
-    );
-}), gn = (e, t) => o.gen(function* () {
-  if ((yield* b).can(e, t))
-    return yield* o.fail(
-      new Error(`Expected NOT to be able to ${e} ${String(t)}, but can`)
-    );
-}), mn = (e) => o.gen(function* () {
-  const t = yield* w;
-  if (!t.token)
-    return yield* o.fail(
-      new Error("No token present to check scope")
-    );
-  if (!(t.token.scopes.includes("*") || t.token.scopes.includes(e)))
-    return yield* o.fail(
-      new Error(`Expected token to have scope "${e}", but it doesn't`)
-    );
-}), pn = (e) => o.gen(function* () {
-  const t = yield* w;
-  if (!t.token)
-    return;
-  if (t.token.scopes.includes("*") || t.token.scopes.includes(e))
-    return yield* o.fail(
-      new Error(`Expected token NOT to have scope "${e}", but it does`)
-    );
-}), er = (e = []) => p.mergeAll(
-  qt,
-  Vt,
-  Yt,
-  Xt(e)
-).pipe(
-  p.provideMerge(tt),
-  p.provideMerge(rt)
-), tr = it, yn = (e = []) => p.mergeAll(er(e), tr);
-export {
-  Lr as AbilitiesLive,
-  b as AbilitiesTag,
-  Pe as AbstractProvider,
-  dn as Auth,
-  lr as AuthError,
-  cr as AuthGuard,
-  rt as AuthServiceLive,
-  Ae as AuthTag,
-  w as AuthenticatedUserTag,
-  A as AuthenticationError,
-  Pr as AuthorizationError,
-  Nr as CommonAbilities,
-  st as CsrfMismatchError,
-  Ue as CsrfToken,
-  dt as CsrfTokenTag,
-  V as CurrentSessionTag,
-  Me as ForbiddenError,
-  yn as FullTestAuthLayer,
-  Ce as GithubProvider,
-  Ne as GoogleProvider,
-  Q as HashedToken,
-  dr as HashingError,
-  Ze as InsufficientScopeError,
-  ur as InvalidPasswordError,
-  T as JwtError,
-  br as JwtServiceLive,
-  at as JwtServiceTag,
-  it as MemorySessionStoreLive,
-  Vt as MockPasswordHasherLive,
-  Yt as MockTokenHasherLive,
-  qt as MockTokenStoreLive,
-  Xt as MockUserProviderLive,
-  rn as NewLogin,
-  Bt as NewLoginMailable,
-  zr as OAuthConfigError,
-  jr as OAuthError,
-  fe as OAuthProviderNotFoundError,
-  mt as OAuthStateMismatchError,
-  I as OAuthTokenError,
-  K as OAuthUserError,
-  nn as PasswordChanged,
-  xe as PasswordHasherTag,
-  v as PersonalAccessToken,
-  Ke as PlainTextToken,
-  hr as RateLimitError,
-  en as ResetPassword,
-  jt as ResetPasswordMailable,
-  L as Session,
-  vr as SessionError,
-  xr as SessionExpiredError,
-  Ee as SessionId,
-  se as SessionNotFoundError,
-  F as SessionStoreTag,
-  Jr as Social,
-  qr as SocialLive,
-  W as SocialTag,
-  he as SocialToken,
-  Ie as SocialUser,
-  er as TestAuthLayer,
-  tr as TestSessionLayer,
-  Qe as TokenExpiredError,
-  be as TokenHasherTag,
-  Te as TokenId,
-  re as TokenNotFoundError,
-  tt as TokenServiceLive,
-  C as TokenServiceTag,
-  ve as TokenStoreTag,
-  Xe as UserId,
-  et as UserNotFoundError,
-  Se as UserProviderTag,
-  Zr as VerifyEmail,
-  Ht as VerifyEmailMailable,
-  tn as WelcomeEmail,
-  zt as WelcomeEmailMailable,
-  Zt as actingAs,
-  Oe as actingAsLayer,
-  un as assertAuthenticated,
-  fn as assertCan,
-  gn as assertCannot,
-  hn as assertGuest,
-  mn as assertHasScope,
-  pn as assertLacksScope,
-  ne as authenticate,
-  ft as authorize,
-  gt as authorizeAction,
-  _r as authorizeAll,
-  Or as authorizeAny,
-  gt as authorizeMiddleware,
-  Dr as can,
-  Rr as cannot,
-  ht as createAbilities,
-  Qt as createAuthenticatedUser,
-  Br as createGithubProvider,
-  Wr as createGoogleProvider,
-  ln as createMockUser,
-  $r as csrf,
-  mr as currentUser,
-  $e as defaultCsrfConfig,
-  Z as defaultSessionConfig,
-  Cr as defineAbilitiesFor,
-  Ar as endSession,
-  Mr as generateCsrfCookie,
-  Er as getSessionData,
-  N as getSubjectType,
-  gr as hasApiTokens,
-  wr as hasScope,
-  pr as isAuthenticated,
-  ct as makeJwtService,
-  ot as makeMemorySessionStore,
-  Jt as makeMockPasswordHasher,
-  Gt as makeMockTokenHasher,
-  Wt as makeMockTokenStore,
-  Kt as makeMockUserProvider,
-  yt as makeSocialService,
-  le as matchAction,
-  ue as matchConditions,
-  de as matchSubject,
-  cn as newLogin,
-  Fr as requireAdmin,
-  Hr as requireAny,
-  Tr as requireScope,
-  on as resetPassword,
-  ce as session,
-  Ur as setSessionData,
-  Sr as startSession,
-  kr as tokenScope,
-  yr as tokenScopes,
-  Ir as verifyCsrfToken,
-  sn as verifyEmail,
-  an as welcomeEmail,
-  fr as withApiTokens
-};