@gravito/satellite-membership 0.1.1

package/dist/index.js

@@ -0,0 +1,1121 @@
+// src/index.ts
+import { readFileSync } from "fs";
+import { join } from "path";
+import { fileURLToPath } from "url";
+import { ServiceProvider } from "@gravito/core";
+import { auth } from "@gravito/sentinel";
+
+// src/Application/Mail/ForgotPasswordMail.ts
+import { app } from "@gravito/core";
+import { Mailable } from "@gravito/signal";
+var ForgotPasswordMail = class extends Mailable {
+  constructor(email, token) {
+    super();
+    this.email = email;
+    this.token = token;
+  }
+  build() {
+    const branding = {
+      name: "Gravito App",
+      color: "#f43f5e"
+    };
+    let baseUrl = "http://localhost:3000";
+    try {
+      const core = app();
+      if (core) {
+        branding.name = core.config.get("membership.branding.name", branding.name);
+        branding.color = core.config.get("membership.branding.primary_color", branding.color);
+        baseUrl = core.config.get("app.url", baseUrl);
+      }
+    } catch (_e) {
+    }
+    return this.to(this.email).subject(this.t("membership.emails.reset_password_subject")).view("emails/reset_password", {
+      resetUrl: `${baseUrl}/reset-password?token=${this.token}`,
+      branding,
+      currentYear: (/* @__PURE__ */ new Date()).getFullYear(),
+      lang: {
+        reset_password_title: this.t("membership.emails.reset_password_title"),
+        reset_password_body: this.t("membership.emails.reset_password_body"),
+        reset_password_button: this.t("membership.emails.reset_password_button"),
+        reset_password_warning: this.t("membership.emails.reset_password_warning")
+      }
+    });
+  }
+};
+
+// src/Application/Mail/MemberLevelChangedMail.ts
+import { app as app2 } from "@gravito/core";
+import { Mailable as Mailable2 } from "@gravito/signal";
+var MemberLevelChangedMail = class extends Mailable2 {
+  constructor(email, oldLevel, newLevel) {
+    super();
+    this.email = email;
+    this.oldLevel = oldLevel;
+    this.newLevel = newLevel;
+  }
+  build() {
+    const branding = {
+      name: "Gravito App",
+      color: "#f59e0b"
+    };
+    try {
+      const core = app2();
+      if (core) {
+        branding.name = core.config.get("membership.branding.name", branding.name);
+        branding.color = core.config.get("membership.branding.primary_color", branding.color);
+      }
+    } catch (_e) {
+    }
+    return this.to(this.email).subject(this.t("membership.emails.level_changed_subject")).view("emails/level_changed", {
+      oldLevel: this.oldLevel,
+      newLevel: this.newLevel,
+      branding,
+      currentYear: (/* @__PURE__ */ new Date()).getFullYear(),
+      lang: {
+        badge_text: this.t("membership.emails.level_changed_badge"),
+        title: this.t("membership.emails.level_changed_title"),
+        body: this.t("membership.emails.level_changed_body")
+      }
+    });
+  }
+};
+
+// src/Application/Mail/WelcomeMail.ts
+import { app as app3 } from "@gravito/core";
+import { Mailable as Mailable3 } from "@gravito/signal";
+var WelcomeMail = class extends Mailable3 {
+  constructor(email, token) {
+    super();
+    this.email = email;
+    this.token = token;
+  }
+  build() {
+    const branding = {
+      name: "Gravito App",
+      color: "#6366f1"
+    };
+    let baseUrl = "http://localhost:3000";
+    try {
+      const core = app3();
+      if (core) {
+        branding.name = core.config.get("membership.branding.name", branding.name);
+        branding.color = core.config.get("membership.branding.primary_color", branding.color);
+        baseUrl = core.config.get("app.url", baseUrl);
+      }
+    } catch (_e) {
+    }
+    return this.to(this.email).subject(this.t("membership.emails.welcome_subject")).view("emails/welcome", {
+      verificationUrl: `${baseUrl}/verify?token=${this.token}`,
+      branding,
+      currentYear: (/* @__PURE__ */ new Date()).getFullYear(),
+      lang: {
+        welcome_title: this.t("membership.emails.welcome_title"),
+        welcome_body: this.t("membership.emails.welcome_body"),
+        verify_button: this.t("membership.emails.verify_button")
+      }
+    });
+  }
+};
+
+// src/Application/Services/PasskeysService.ts
+import { AuthenticationException } from "@gravito/core";
+import {
+  generateAuthenticationOptions,
+  generateRegistrationOptions,
+  verifyAuthenticationResponse,
+  verifyRegistrationResponse
+} from "@simplewebauthn/server";
+
+// src/Domain/Entities/MemberPasskey.ts
+import { Entity } from "@gravito/enterprise";
+var MemberPasskey = class _MemberPasskey extends Entity {
+  constructor(id, props) {
+    super(id);
+    this.props = props;
+  }
+  static create(params) {
+    const now = /* @__PURE__ */ new Date();
+    return new _MemberPasskey(crypto.randomUUID(), {
+      memberId: params.memberId,
+      credentialId: params.credentialId,
+      publicKey: params.publicKey,
+      counter: params.counter ?? 0,
+      transports: params.transports,
+      displayName: params.displayName,
+      createdAt: now,
+      updatedAt: now
+    });
+  }
+  static reconstitute(id, props) {
+    return new _MemberPasskey(id, props);
+  }
+  get memberId() {
+    return this.props.memberId;
+  }
+  get credentialId() {
+    return this.props.credentialId;
+  }
+  get publicKey() {
+    return this.props.publicKey;
+  }
+  get counter() {
+    return this.props.counter;
+  }
+  get transports() {
+    return this.props.transports;
+  }
+  get displayName() {
+    return this.props.displayName;
+  }
+  get createdAt() {
+    return this.props.createdAt;
+  }
+  get updatedAt() {
+    return this.props.updatedAt;
+  }
+  updateCounter(next) {
+    this.props.counter = next;
+    this.props.updatedAt = /* @__PURE__ */ new Date();
+  }
+  toRecord() {
+    return {
+      id: this.id,
+      member_id: this.memberId,
+      credential_id: this.credentialId,
+      public_key: this.publicKey,
+      counter: this.counter,
+      transports: this.transports ? JSON.stringify(this.transports) : null,
+      display_name: this.displayName,
+      created_at: this.createdAt,
+      updated_at: this.updatedAt
+    };
+  }
+};
+
+// src/Application/Services/PasskeysService.ts
+var SESSION_KEYS = {
+  registration: "membership.passkeys.registration.challenge",
+  authentication: "membership.passkeys.authentication.challenge"
+};
+var PasskeysService = class {
+  constructor(passkeyRepo, config) {
+    this.passkeyRepo = passkeyRepo;
+    this.config = config;
+  }
+  async generateRegistrationOptions(member, session) {
+    const credentials = await this.passkeyRepo.findByMemberId(member.id);
+    const options = await generateRegistrationOptions({
+      rpName: this.config.rpName,
+      rpID: this.config.rpID,
+      userName: member.email,
+      userID: new TextEncoder().encode(member.id),
+      attestationType: this.config.attestationType ?? "none",
+      timeout: this.config.timeout || 6e4,
+      userDisplayName: member.name,
+      authenticatorSelection: {
+        userVerification: this.config.userVerification ?? "preferred"
+      },
+      excludeCredentials: credentials.map((credential) => ({
+        id: credential.credentialId,
+        type: "public-key",
+        transports: normalizeTransports(credential.transports)
+      }))
+    });
+    this.storeChallenge(session, SESSION_KEYS.registration, options.challenge);
+    return options;
+  }
+  async verifyRegistrationResponse(member, response, session, displayName) {
+    const challenge = this.requireChallenge(session, SESSION_KEYS.registration);
+    const verification = await verifyRegistrationResponse({
+      response,
+      expectedChallenge: challenge,
+      expectedOrigin: this.config.origin,
+      expectedRPID: this.config.rpID,
+      requireUserVerification: this.config.userVerification !== "discouraged"
+    });
+    this.clearChallenge(session, SESSION_KEYS.registration);
+    if (!verification.verified || !verification.registrationInfo) {
+      throw new AuthenticationException("Passkey registration could not be verified.");
+    }
+    const { credential } = verification.registrationInfo;
+    const passkey = MemberPasskey.create({
+      memberId: member.id,
+      credentialId: credential.id,
+      publicKey: Buffer.from(credential.publicKey).toString("base64"),
+      counter: credential.counter,
+      transports: credential.transports,
+      displayName
+    });
+    await this.passkeyRepo.save(passkey);
+    return passkey;
+  }
+  async generateAuthenticationOptions(member, session) {
+    const credentials = await this.passkeyRepo.findByMemberId(member.id);
+    const options = await generateAuthenticationOptions({
+      rpID: this.config.rpID,
+      timeout: this.config.timeout || 6e4,
+      userVerification: this.config.userVerification ?? "preferred",
+      allowCredentials: credentials.map((credential) => ({
+        id: credential.credentialId,
+        transports: normalizeTransports(credential.transports)
+      }))
+    });
+    this.storeChallenge(session, SESSION_KEYS.authentication, options.challenge);
+    return options;
+  }
+  async verifyAuthenticationResponse(member, response, session) {
+    const challenge = this.requireChallenge(session, SESSION_KEYS.authentication);
+    const credential = await this.passkeyRepo.findByCredentialId(response.id);
+    if (!credential) {
+      throw new AuthenticationException("Passkey not registered.");
+    }
+    if (credential.memberId !== member.id) {
+      throw new AuthenticationException("Passkey does not belong to the member.");
+    }
+    const verification = await verifyAuthenticationResponse({
+      response,
+      expectedChallenge: challenge,
+      expectedOrigin: this.config.origin,
+      expectedRPID: this.config.rpID,
+      credential: buildWebAuthnCredential(credential),
+      requireUserVerification: this.config.userVerification !== "discouraged"
+    });
+    this.clearChallenge(session, SESSION_KEYS.authentication);
+    if (!verification.verified) {
+      throw new AuthenticationException("Passkey authentication failed.");
+    }
+    credential.updateCounter(verification.authenticationInfo.newCounter);
+    await this.passkeyRepo.save(credential);
+    return credential;
+  }
+  storeChallenge(session, key, challenge) {
+    this.sessionGuard(session);
+    session.put(key, challenge);
+  }
+  requireChallenge(session, key) {
+    this.sessionGuard(session);
+    const challenge = session.get(key);
+    if (!challenge) {
+      throw new AuthenticationException("Passkey challenge is missing.");
+    }
+    return challenge;
+  }
+  clearChallenge(session, key) {
+    this.sessionGuard(session);
+    if (typeof session.forget === "function") {
+      session.forget(key);
+    }
+  }
+  sessionGuard(session) {
+    if (!session || typeof session.put !== "function" || typeof session.get !== "function") {
+      throw new AuthenticationException("Session store is required for Passkeys.");
+    }
+  }
+};
+function normalizeTransports(transports) {
+  return transports ? transports : void 0;
+}
+function buildWebAuthnCredential(passkey) {
+  const publicKey = Buffer.from(passkey.publicKey, "base64");
+  return {
+    id: passkey.credentialId,
+    publicKey,
+    counter: passkey.counter,
+    transports: normalizeTransports(passkey.transports)
+  };
+}
+
+// src/Application/UseCases/ForgotPassword.ts
+import { UseCase } from "@gravito/enterprise";
+var ForgotPassword = class extends UseCase {
+  constructor(repository, core) {
+    super();
+    this.repository = repository;
+    this.core = core;
+  }
+  async execute(input) {
+    const member = await this.repository.findByEmail(input.email);
+    if (!member) {
+      return;
+    }
+    member.generatePasswordResetToken();
+    await this.repository.save(member);
+    await this.core.hooks.doAction("membership:send-reset-password", {
+      email: member.email,
+      token: member.passwordResetToken
+    });
+  }
+};
+
+// src/Application/UseCases/LoginMember.ts
+import { UseCase as UseCase2 } from "@gravito/enterprise";
+
+// src/Application/DTOs/MemberDTO.ts
+var MemberMapper = class {
+  /**
+   * Convert a member entity to a serializable DTO
+   */
+  static toDTO(member) {
+    return {
+      id: member.id,
+      name: member.name,
+      email: member.email,
+      status: member.status,
+      level: member.level || "standard",
+      roles: member.roles || [],
+      createdAt: member.createdAt.toISOString(),
+      metadata: member.metadata
+    };
+  }
+};
+
+// src/Application/UseCases/LoginMember.ts
+var LoginMember = class extends UseCase2 {
+  constructor(repository, core) {
+    super();
+    this.repository = repository;
+    this.core = core;
+  }
+  async execute(input) {
+    const auth2 = this.core.container.make("auth");
+    const result = await auth2.guard("web").attempt(
+      {
+        email: input.email,
+        password: input.passwordPlain
+      },
+      input.remember || false
+    );
+    if (!result) {
+      throw new Error("Invalid credentials");
+    }
+    const user = await auth2.guard("web").user();
+    const singleDevice = this.core.config.get("membership.auth.single_device", false);
+    if (singleDevice) {
+      const session = this.core.container.make("session");
+      if (session) {
+        const sessionId = session.id();
+        const member = await this.repository.findById(user.id);
+        if (member) {
+          member.bindSession(sessionId);
+          await this.repository.save(member);
+        }
+      }
+    }
+    return MemberMapper.toDTO(user);
+  }
+};
+
+// src/Application/UseCases/RegisterMember.ts
+import { UseCase as UseCase3 } from "@gravito/enterprise";
+
+// src/Domain/Entities/Member.ts
+import { Entity as Entity2 } from "@gravito/enterprise";
+var Member = class _Member extends Entity2 {
+  constructor(id, props) {
+    super(id);
+    this.props = props;
+  }
+  static create(id, name, email, passwordHash) {
+    return new _Member(id, {
+      name,
+      email,
+      passwordHash,
+      status: "pending" /* PENDING */,
+      roles: ["member"],
+      verificationToken: crypto.randomUUID(),
+      createdAt: /* @__PURE__ */ new Date(),
+      updatedAt: /* @__PURE__ */ new Date()
+    });
+  }
+  static reconstitute(id, props) {
+    return new _Member(id, props);
+  }
+  // Getters
+  get name() {
+    return this.props.name;
+  }
+  get email() {
+    return this.props.email;
+  }
+  get status() {
+    return this.props.status;
+  }
+  get roles() {
+    return this.props.roles;
+  }
+  get passwordHash() {
+    return this.props.passwordHash;
+  }
+  get createdAt() {
+    return this.props.createdAt;
+  }
+  get emailVerifiedAt() {
+    return this.props.emailVerifiedAt;
+  }
+  get verificationToken() {
+    return this.props.verificationToken;
+  }
+  get passwordResetToken() {
+    return this.props.passwordResetToken;
+  }
+  get passwordResetExpiresAt() {
+    return this.props.passwordResetExpiresAt;
+  }
+  get currentSessionId() {
+    return this.props.currentSessionId;
+  }
+  get rememberToken() {
+    return this.props.rememberToken;
+  }
+  get metadata() {
+    return this.props.metadata || {};
+  }
+  // Authenticatable implementation
+  getAuthIdentifier() {
+    return this.id;
+  }
+  getAuthPassword() {
+    return this.props.passwordHash;
+  }
+  getRememberToken() {
+    return this.props.rememberToken || null;
+  }
+  setRememberToken(token) {
+    this.props.rememberToken = token;
+    this.props.updatedAt = /* @__PURE__ */ new Date();
+  }
+  /**
+   * Bind a session ID to this member to restrict multi-device login.
+   */
+  bindSession(sessionId) {
+    this.props.currentSessionId = sessionId;
+    this.props.updatedAt = /* @__PURE__ */ new Date();
+  }
+  /**
+   * Get current membership level (from metadata or default)
+   */
+  get level() {
+    return this.metadata.level || "standard";
+  }
+  /**
+   * Check if member has a specific role
+   */
+  hasRole(role) {
+    return this.props.roles.includes(role);
+  }
+  /**
+   * Assign a new role
+   */
+  addRole(role) {
+    if (!this.hasRole(role)) {
+      this.props.roles.push(role);
+      this.props.updatedAt = /* @__PURE__ */ new Date();
+    }
+  }
+  /**
+   * Remove a role
+   */
+  removeRole(role) {
+    this.props.roles = this.props.roles.filter((r) => r !== role);
+    this.props.updatedAt = /* @__PURE__ */ new Date();
+  }
+  /**
+   * Update membership level
+   */
+  changeLevel(newLevel) {
+    this.updateMetadata({ level: newLevel });
+  }
+  /**
+   * Update core profile information
+   */
+  updateProfile(name) {
+    this.props.name = name;
+    this.props.updatedAt = /* @__PURE__ */ new Date();
+  }
+  /**
+   * Update member password
+   */
+  changePassword(newPasswordHash) {
+    this.props.passwordHash = newPasswordHash;
+    this.props.updatedAt = /* @__PURE__ */ new Date();
+  }
+  /**
+   * Merges new metadata into existing metadata
+   */
+  updateMetadata(data) {
+    this.props.metadata = {
+      ...this.props.metadata || {},
+      ...data
+    };
+    this.props.updatedAt = /* @__PURE__ */ new Date();
+  }
+  /**
+   * Mark email as verified
+   */
+  verifyEmail() {
+    this.props.emailVerifiedAt = /* @__PURE__ */ new Date();
+    this.props.status = "active" /* ACTIVE */;
+    this.props.verificationToken = void 0;
+    this.props.updatedAt = /* @__PURE__ */ new Date();
+  }
+  /**
+   * Generate a password reset token
+   */
+  generatePasswordResetToken() {
+    this.props.passwordResetToken = crypto.randomUUID();
+    this.props.passwordResetExpiresAt = new Date(Date.now() + 36e5);
+    this.props.updatedAt = /* @__PURE__ */ new Date();
+  }
+  /**
+   * Complete password reset
+   */
+  resetPassword(newPasswordHash) {
+    this.props.passwordHash = newPasswordHash;
+    this.props.passwordResetToken = void 0;
+    this.props.passwordResetExpiresAt = void 0;
+    this.props.updatedAt = /* @__PURE__ */ new Date();
+  }
+};
+
+// src/Application/UseCases/RegisterMember.ts
+var RegisterMember = class extends UseCase3 {
+  constructor(repository, core) {
+    super();
+    this.repository = repository;
+    this.core = core;
+  }
+  /**
+   * Execute the registration flow
+   */
+  async execute(input) {
+    const existing = await this.repository.findByEmail(input.email);
+    if (existing) {
+      const i18n = this.core.container.make("i18n");
+      throw new Error(i18n?.t("membership.errors.member_exists") || "Member already exists");
+    }
+    const passwordHash = await this.core.hasher.make(input.passwordPlain);
+    const member = Member.create(crypto.randomUUID(), input.name, input.email, passwordHash);
+    await this.repository.save(member);
+    await this.core.hooks.doAction("membership:send-verification", {
+      email: member.email,
+      token: member.verificationToken
+    });
+    await this.core.hooks.doAction("membership:registered", {
+      member: MemberMapper.toDTO(member)
+    });
+    return MemberMapper.toDTO(member);
+  }
+};
+
+// src/Application/UseCases/ResetPassword.ts
+import { UseCase as UseCase4 } from "@gravito/enterprise";
+var ResetPassword = class extends UseCase4 {
+  constructor(repository, core) {
+    super();
+    this.repository = repository;
+    this.core = core;
+  }
+  async execute(input) {
+    const member = await this.repository.findByResetToken(input.token);
+    if (!member || !member.passwordResetExpiresAt || member.passwordResetExpiresAt < /* @__PURE__ */ new Date()) {
+      throw new Error("Invalid or expired reset token");
+    }
+    const newHash = await this.core.hasher.make(input.newPasswordPlain);
+    member.resetPassword(newHash);
+    await this.repository.save(member);
+  }
+};
+
+// src/Application/UseCases/UpdateMemberLevel.ts
+import { UseCase as UseCase5 } from "@gravito/enterprise";
+var UpdateMemberLevel = class extends UseCase5 {
+  constructor(repository, core) {
+    super();
+    this.repository = repository;
+    this.core = core;
+  }
+  async execute(input) {
+    const member = await this.repository.findById(input.memberId);
+    if (!member) {
+      throw new Error("Member not found");
+    }
+    const oldLevel = member.level;
+    member.changeLevel(input.newLevel);
+    await this.repository.save(member);
+    await this.core.hooks.doAction("membership:level-changed", {
+      memberId: member.id,
+      email: member.email,
+      oldLevel,
+      newLevel: input.newLevel
+    });
+    return MemberMapper.toDTO(member);
+  }
+};
+
+// src/Application/UseCases/UpdateSettings.ts
+import { UseCase as UseCase6 } from "@gravito/enterprise";
+var UpdateSettings = class extends UseCase6 {
+  constructor(repository, core) {
+    super();
+    this.repository = repository;
+    this.core = core;
+  }
+  /**
+   * Execute the update flow
+   */
+  async execute(input) {
+    const member = await this.repository.findById(input.memberId);
+    if (!member) {
+      throw new Error("Member not found");
+    }
+    if (input.name) {
+      member.updateProfile(input.name);
+    }
+    if (input.newPassword) {
+      if (!input.currentPassword) {
+        throw new Error("Current password is required to set a new password");
+      }
+      const isCurrentValid = await this.core.hasher.check(
+        input.currentPassword,
+        member.passwordHash
+      );
+      if (!isCurrentValid) {
+        throw new Error("Invalid current password");
+      }
+      const newHash = await this.core.hasher.make(input.newPassword);
+      member.changePassword(newHash);
+    }
+    if (input.metadata) {
+      member.updateMetadata(input.metadata);
+    }
+    await this.repository.save(member);
+    await this.core.hooks.doAction("membership:updated", {
+      member: MemberMapper.toDTO(member),
+      updatedFields: Object.keys(input).filter((k) => k !== "memberId" && k !== "currentPassword")
+    });
+    return MemberMapper.toDTO(member);
+  }
+};
+
+// src/Application/UseCases/VerifyEmail.ts
+import { UseCase as UseCase7 } from "@gravito/enterprise";
+var VerifyEmail = class extends UseCase7 {
+  constructor(repository) {
+    super();
+    this.repository = repository;
+  }
+  async execute(input) {
+    const member = await this.repository.findByVerificationToken(input.token);
+    if (!member) {
+      throw new Error("Invalid verification token");
+    }
+    member.verifyEmail();
+    await this.repository.save(member);
+  }
+};
+
+// src/Infrastructure/Auth/SentinelMemberProvider.ts
+var SentinelMemberProvider = class {
+  constructor(repository) {
+    this.repository = repository;
+  }
+  async retrieveById(id) {
+    const member = await this.repository.findById(id);
+    return member ? this.toAuthenticatable(member) : null;
+  }
+  async retrieveByToken(id, token) {
+    const member = await this.repository.findById(id);
+    if (member && member.getRememberToken() === token) {
+      return member;
+    }
+    return null;
+  }
+  async updateRememberToken(user, token) {
+    const member = await this.repository.findById(user.getAuthIdentifier());
+    if (member) {
+      member.setRememberToken(token);
+      await this.repository.save(member);
+    }
+  }
+  async retrieveByCredentials(credentials) {
+    if (!credentials.email) {
+      return null;
+    }
+    return await this.repository.findByEmail(credentials.email);
+  }
+  async validateCredentials(_user, _credentials) {
+    return true;
+  }
+  toAuthenticatable(member) {
+    return member;
+  }
+};
+
+// src/Infrastructure/Persistence/AtlasMemberPasskeyRepository.ts
+import { DB } from "@gravito/atlas";
+var AtlasMemberPasskeyRepository = class {
+  table = "member_passkeys";
+  async save(entity) {
+    const record = entity.toRecord();
+    const exists = await this.exists(entity.id);
+    if (exists) {
+      await DB.table(this.table).where("id", entity.id).update(record);
+    } else {
+      await DB.table(this.table).insert(record);
+    }
+  }
+  async findById(id) {
+    const row = await DB.table(this.table).where("id", id).first();
+    return row ? this.map(row) : null;
+  }
+  async findAll() {
+    const rows = await DB.table(this.table).get();
+    return rows.map((row) => this.map(row));
+  }
+  async delete(id) {
+    await DB.table(this.table).where("id", id).delete();
+  }
+  async exists(id) {
+    const count = await DB.table(this.table).where("id", id).count();
+    return count > 0;
+  }
+  async findByMemberId(memberId) {
+    const rows = await DB.table(this.table).where("member_id", memberId).get();
+    return rows.map((row) => this.map(row));
+  }
+  async findByCredentialId(credentialId) {
+    const row = await DB.table(this.table).where("credential_id", credentialId).first();
+    return row ? this.map(row) : null;
+  }
+  async deleteByCredentialId(credentialId) {
+    await DB.table(this.table).where("credential_id", credentialId).delete();
+  }
+  map(row) {
+    return MemberPasskey.reconstitute(row.id, {
+      memberId: row.member_id,
+      credentialId: row.credential_id,
+      publicKey: row.public_key,
+      counter: Number(row.counter ?? 0),
+      transports: row.transports ? JSON.parse(row.transports) : void 0,
+      displayName: row.display_name || void 0,
+      createdAt: new Date(row.created_at),
+      updatedAt: row.updated_at ? new Date(row.updated_at) : new Date(row.created_at)
+    });
+  }
+};
+
+// src/Infrastructure/Persistence/AtlasMemberRepository.ts
+import { DB as DB2 } from "@gravito/atlas";
+var AtlasMemberRepository = class {
+  table = "members";
+  async save(member) {
+    const data = {
+      id: member.id,
+      name: member.name,
+      email: member.email,
+      password_hash: member.passwordHash,
+      status: member.status,
+      roles: JSON.stringify(member.roles),
+      verification_token: member.verificationToken || null,
+      email_verified_at: member.emailVerifiedAt || null,
+      password_reset_token: member.passwordResetToken || null,
+      password_reset_expires_at: member.passwordResetExpiresAt || null,
+      current_session_id: member.currentSessionId || null,
+      remember_token: member.rememberToken || null,
+      created_at: member.createdAt,
+      metadata: JSON.stringify(member.metadata)
+    };
+    const exists = await this.exists(member.id);
+    if (exists) {
+      await DB2.table(this.table).where("id", member.id).update(data);
+    } else {
+      await DB2.table(this.table).insert(data);
+    }
+  }
+  async findByEmail(email) {
+    const row = await DB2.table(this.table).where("email", email).first();
+    return row ? this.mapToDomain(row) : null;
+  }
+  async findByVerificationToken(token) {
+    const row = await DB2.table(this.table).where("verification_token", token).first();
+    return row ? this.mapToDomain(row) : null;
+  }
+  async findByResetToken(token) {
+    const row = await DB2.table(this.table).where("password_reset_token", token).first();
+    return row ? this.mapToDomain(row) : null;
+  }
+  async findById(id) {
+    const row = await DB2.table(this.table).where("id", id).first();
+    return row ? this.mapToDomain(row) : null;
+  }
+  async findAll() {
+    const rows = await DB2.table(this.table).get();
+    return rows.map((row) => this.mapToDomain(row));
+  }
+  async delete(id) {
+    await DB2.table(this.table).where("id", id).delete();
+  }
+  async exists(id) {
+    const count = await DB2.table(this.table).where("id", id).count();
+    return count > 0;
+  }
+  mapToDomain(row) {
+    return Member.reconstitute(row.id, {
+      name: row.name,
+      email: row.email,
+      passwordHash: row.password_hash,
+      status: row.status,
+      roles: row.roles ? JSON.parse(row.roles) : ["member"],
+      verificationToken: row.verification_token,
+      emailVerifiedAt: row.email_verified_at ? new Date(row.email_verified_at) : void 0,
+      passwordResetToken: row.password_reset_token,
+      passwordResetExpiresAt: row.password_reset_expires_at ? new Date(row.password_reset_expires_at) : void 0,
+      currentSessionId: row.current_session_id,
+      rememberToken: row.remember_token,
+      createdAt: new Date(row.created_at),
+      updatedAt: new Date(row.updated_at || row.created_at),
+      metadata: row.metadata ? JSON.parse(row.metadata) : {}
+    });
+  }
+};
+
+// src/Interface/Http/Controllers/PasskeyController.ts
+import { AuthenticationException as AuthenticationException2 } from "@gravito/core";
+var PasskeyController = class {
+  constructor(passkeys, members) {
+    this.passkeys = passkeys;
+    this.members = members;
+  }
+  async registrationOptions(c) {
+    const auth2 = c.get("auth");
+    if (!auth2) {
+      throw new AuthenticationException2("Auth manager is unavailable.");
+    }
+    const member = await auth2.authenticate();
+    const session = this.resolveSession(c);
+    const options = await this.passkeys.generateRegistrationOptions(member, session);
+    return c.json(options);
+  }
+  async verifyRegistration(c) {
+    const auth2 = c.get("auth");
+    if (!auth2) {
+      throw new AuthenticationException2("Auth manager is unavailable.");
+    }
+    const member = await auth2.authenticate();
+    const session = this.resolveSession(c);
+    const body = await c.req.json();
+    await this.passkeys.verifyRegistrationResponse(
+      member,
+      body.credential,
+      session,
+      body.displayName
+    );
+    return c.json({ success: true });
+  }
+  async loginOptions(c) {
+    const session = this.resolveSession(c);
+    const body = await c.req.json();
+    if (!body?.email) {
+      return c.json({ error: "Email is required" }, 400);
+    }
+    const member = await this.members.findByEmail(body.email);
+    if (!member) {
+      return c.json({ error: "Member not found" }, 404);
+    }
+    const options = await this.passkeys.generateAuthenticationOptions(member, session);
+    return c.json(options);
+  }
+  async verifyAuthentication(c) {
+    const session = this.resolveSession(c);
+    const body = await c.req.json();
+    if (!body?.email || !body.assertion) {
+      return c.json({ error: "Email and assertion are required" }, 400);
+    }
+    const member = await this.members.findByEmail(body.email);
+    if (!member) {
+      return c.json({ error: "Member not found" }, 404);
+    }
+    await this.passkeys.verifyAuthenticationResponse(member, body.assertion, session);
+    const auth2 = c.get("auth");
+    if (!auth2) {
+      throw new AuthenticationException2("Auth manager is unavailable.");
+    }
+    await auth2.login(member);
+    return c.json({ success: true });
+  }
+  resolveSession(c) {
+    const session = c.get("session");
+    if (session) {
+      return session;
+    }
+    const fallback = c.req.session;
+    if (fallback) {
+      return fallback;
+    }
+    throw new AuthenticationException2("Session storage is required for Passkeys.");
+  }
+};
+
+// src/index.ts
+var __dirname = fileURLToPath(new URL(".", import.meta.url));
+var MembershipServiceProvider = class extends ServiceProvider {
+  /**
+   * Register bindings in the container
+   */
+  register(container) {
+    if (!container.has("cache")) {
+      const cacheFromServices = this.core?.services.get("cache");
+      if (cacheFromServices) {
+        container.instance("cache", cacheFromServices);
+      }
+    }
+    container.singleton("membership.repo", () => new AtlasMemberRepository());
+    container.singleton(
+      "auth.member_provider",
+      () => new SentinelMemberProvider(container.make("membership.repo"))
+    );
+    container.singleton("membership.register", () => {
+      return new RegisterMember(container.make("membership.repo"), this.core);
+    });
+    container.singleton("membership.login", () => {
+      return new LoginMember(container.make("membership.repo"), this.core);
+    });
+    container.singleton("membership.forgot-password", () => {
+      return new ForgotPassword(container.make("membership.repo"), this.core);
+    });
+    container.singleton("membership.reset-password", () => {
+      return new ResetPassword(container.make("membership.repo"), this.core);
+    });
+    container.singleton("membership.verify-email", () => {
+      return new VerifyEmail(container.make("membership.repo"));
+    });
+    container.singleton("membership.update-settings", () => {
+      return new UpdateSettings(container.make("membership.repo"), this.core);
+    });
+    container.singleton("membership.update-level", () => {
+      return new UpdateMemberLevel(container.make("membership.repo"), this.core);
+    });
+    container.singleton("membership.passkeys.repo", () => new AtlasMemberPasskeyRepository());
+    container.singleton("membership.passkeys.service", () => {
+      return new PasskeysService(
+        container.make("membership.passkeys.repo"),
+        this.buildPasskeysConfig()
+      );
+    });
+    container.singleton("membership.passkeys.controller", () => {
+      return new PasskeyController(
+        container.make("membership.passkeys.service"),
+        container.make("membership.repo")
+      );
+    });
+  }
+  /**
+   * Expose migration path using Bun-native __dirname
+   */
+  getMigrationsPath() {
+    return `${__dirname}/Infrastructure/Persistence/Migrations`;
+  }
+  /**
+   * Boot the satellite
+   * Loads local translations into the global i18n system.
+   */
+  async boot() {
+    const logger = this.core?.logger;
+    const i18n = this.core?.container.make("i18n");
+    if (i18n) {
+      try {
+        const en = JSON.parse(readFileSync(join(__dirname, "../locales/en.json"), "utf-8"));
+        const zhTW = JSON.parse(readFileSync(join(__dirname, "../locales/zh-TW.json"), "utf-8"));
+        i18n.addResource("en", "membership", en);
+        i18n.addResource("zh-TW", "membership", zhTW);
+      } catch (_err) {
+        logger?.warn("[Membership] Failed to load localizations");
+      }
+    }
+    if (this.core) {
+      this.core.hooks.addAction(
+        "membership:send-verification",
+        async (data) => {
+          try {
+            const mail = this.core?.container.make("mail");
+            if (mail) {
+              await mail.queue(new WelcomeMail(data.email, data.token));
+            }
+          } catch (err) {
+            this.core?.logger.error("[Membership] Failed to send verification email", err);
+          }
+        }
+      );
+      this.core.hooks.addAction(
+        "membership:send-reset-password",
+        async (data) => {
+          try {
+            const mail = this.core?.container.make("mail");
+            if (mail) {
+              await mail.queue(new ForgotPasswordMail(data.email, data.token));
+            }
+          } catch (err) {
+            this.core?.logger.error("[Membership] Failed to send reset password email", err);
+          }
+        }
+      );
+      this.core.hooks.addAction(
+        "membership:level-changed",
+        async (data) => {
+          try {
+            const mail = this.core?.container.make("mail");
+            if (mail) {
+              await mail.queue(new MemberLevelChangedMail(data.email, data.oldLevel, data.newLevel));
+            }
+          } catch (err) {
+            this.core?.logger.error("[Membership] Failed to send level change email", err);
+          }
+        }
+      );
+    }
+    if (this.core) {
+      const passkeyController = this.core.container.make(
+        "membership.passkeys.controller"
+      );
+      const passkeyRoutes = this.core.router.prefix("/api/membership/passkeys");
+      passkeyRoutes.post("/login/options", (c) => passkeyController.loginOptions(c));
+      passkeyRoutes.post("/login/verify", (c) => passkeyController.verifyAuthentication(c));
+      const protectedRoutes = passkeyRoutes.middleware(auth());
+      protectedRoutes.post("/register/options", (c) => passkeyController.registrationOptions(c));
+      protectedRoutes.post("/register/verify", (c) => passkeyController.verifyRegistration(c));
+    }
+    const startMsg = i18n?.t("membership.notifications.operational") || "\u{1F6F0}\uFE0F Satellite Membership is operational";
+    logger?.info(startMsg);
+  }
+  buildPasskeysConfig() {
+    const config = this.core?.config;
+    const readString = (key) => {
+      const value = config?.get(key);
+      return typeof value === "string" ? value : void 0;
+    };
+    const origin = readString("membership.passkeys.origin") ?? readString("APP_URL") ?? process.env.APP_URL ?? "http://localhost:3000";
+    const rpID = readString("membership.passkeys.rp_id") ?? (() => {
+      try {
+        return new URL(origin).hostname;
+      } catch {
+        return origin;
+      }
+    })();
+    const rpName = readString("membership.passkeys.name") ?? "Gravito Membership";
+    const timeoutValue = config?.get("membership.passkeys.timeout");
+    const timeout = typeof timeoutValue === "number" ? timeoutValue : typeof timeoutValue === "string" ? Number(timeoutValue) : 6e4;
+    const userVerification = readString("membership.passkeys.user_verification") ?? "preferred";
+    const attestation = readString("membership.passkeys.attestation") ?? "none";
+    return {
+      rpName,
+      rpID,
+      origin,
+      timeout,
+      userVerification,
+      attestationType: attestation
+    };
+  }
+};
+export {
+  MembershipServiceProvider
+};