@habityzer/nuxt-symfony-kinde-layer 2.1.2 → 2.2.0

package/.env.example

@@ -0,0 +1,17 @@
+# Kinde Authentication Configuration
+# These are required for the @habityzer/nuxt-kinde-auth module
+KINDE_AUTH_DOMAIN=https://your-domain.kinde.com
+KINDE_CLIENT_ID=your_client_id
+KINDE_CLIENT_SECRET=your_client_secret
+KINDE_REDIRECT_URL=http://localhost:3000/api/auth/callback
+KINDE_LOGOUT_REDIRECT_URL=http://localhost:3000
+
+# Auth Cookie and Middleware Configuration
+NUXT_PUBLIC_AUTH_COOKIE_PREFIX=auth_
+NUXT_PUBLIC_AUTH_LOGIN_PATH=/login
+NUXT_PUBLIC_AUTH_CLOCK_SKEW_SECONDS=300
+NUXT_PUBLIC_AUTH_APP_TOKEN_PREFIX=Bearer
+NUXT_PUBLIC_AUTH_E2E_TOKEN_COOKIE_NAME=e2e_token
+NUXT_PUBLIC_AUTH_ID_TOKEN_NAME=id_token
+NUXT_PUBLIC_AUTH_ACCESS_TOKEN_NAME=access_token
+NUXT_PUBLIC_AUTH_REFRESH_TOKEN_NAME=refresh_token

package/.github/workflows/publish.yml

@@ -0,0 +1,66 @@
+name: Publish to npm
+
+on:
+  push:
+    branches:
+      - main
+      - master
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      issues: write
+      pull-requests: write
+      id-token: write
+    
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 9
+      
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'pnpm'
+          registry-url: 'https://registry.npmjs.org'
+      
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+      
+      - name: Prepare Nuxt
+        env:
+          KINDE_AUTH_DOMAIN: https://placeholder.kinde.com
+          KINDE_CLIENT_ID: placeholder_client_id
+          KINDE_CLIENT_SECRET: placeholder_client_secret
+          KINDE_REDIRECT_URL: http://localhost:3000/api/auth/callback
+          KINDE_LOGOUT_REDIRECT_URL: http://localhost:3000
+          NUXT_PUBLIC_AUTH_COOKIE_PREFIX: auth_
+          NUXT_PUBLIC_AUTH_LOGIN_PATH: /login
+          NUXT_PUBLIC_AUTH_CLOCK_SKEW_SECONDS: 300
+          NUXT_PUBLIC_AUTH_APP_TOKEN_PREFIX: Bearer
+          NUXT_PUBLIC_AUTH_E2E_TOKEN_COOKIE_NAME: e2e_token
+          NUXT_PUBLIC_AUTH_ID_TOKEN_NAME: id_token
+          NUXT_PUBLIC_AUTH_ACCESS_TOKEN_NAME: access_token
+          NUXT_PUBLIC_AUTH_REFRESH_TOKEN_NAME: refresh_token
+        run: pnpm nuxt prepare
+      
+      - name: Run linter
+        run: pnpm lint
+      
+      - name: Release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: pnpm release
+

package/.husky/commit-msg

@@ -0,0 +1,5 @@
+#!/usr/bin/env sh
+. "$(dirname -- "$0")/_/husky.sh"
+
+# Validate commit message format
+pnpm exec commitlint --edit "$1"

package/.husky/pre-commit

@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+# Pre-commit hook to ensure code quality
+set -e
+
+echo "🔍 Running pre-commit checks..."
+
+# Check if .nuxt directory exists, if not, prepare it
+if [ ! -d ".nuxt" ]; then
+  echo "📦 Preparing Nuxt (first time)..."
+  export KINDE_AUTH_DOMAIN="https://placeholder.kinde.com"
+  export KINDE_CLIENT_ID="placeholder_client_id"
+  export KINDE_CLIENT_SECRET="placeholder_client_secret"
+  export KINDE_REDIRECT_URL="http://localhost:3000/api/auth/callback"
+  export KINDE_LOGOUT_REDIRECT_URL="http://localhost:3000"
+  export NUXT_PUBLIC_AUTH_COOKIE_PREFIX="auth_"
+  export NUXT_PUBLIC_AUTH_LOGIN_PATH="/login"
+  export NUXT_PUBLIC_AUTH_CLOCK_SKEW_SECONDS="300"
+  export NUXT_PUBLIC_AUTH_APP_TOKEN_PREFIX="Bearer"
+  export NUXT_PUBLIC_AUTH_E2E_TOKEN_COOKIE_NAME="e2e_token"
+  export NUXT_PUBLIC_AUTH_ID_TOKEN_NAME="id_token"
+  export NUXT_PUBLIC_AUTH_ACCESS_TOKEN_NAME="access_token"
+  export NUXT_PUBLIC_AUTH_REFRESH_TOKEN_NAME="refresh_token"
+  
+  pnpm nuxt prepare > /dev/null 2>&1
+fi
+
+# Run linter
+echo "✨ Running ESLint..."
+pnpm lint
+
+echo "✅ Pre-commit checks passed!"

package/.releaserc.json

@@ -23,7 +23,7 @@
       "changelogFile": "CHANGELOG.md"
     }],
     ["@semantic-release/npm", {
-      "npmPublish": false
+      "npmPublish": true
     }],
     ["@semantic-release/git", {
       "assets": ["package.json", "CHANGELOG.md"],

package/CHANGELOG.md

@@ -1,3 +1,26 @@
+# [2.2.0](https://github.com/Habityzer/nuxt-symfony-kinde-layer/compare/v2.1.4...v2.2.0) (2026-02-13)
+
+
+### Features
+
+* Enhance Kinde authentication configuration and middleware handling ([d8b722a](https://github.com/Habityzer/nuxt-symfony-kinde-layer/commit/d8b722a8ba5a126f02c31aea0347fa3e21bb29b9))
+* Refactor Kinde authentication configuration and enhance middleware setup ([c577a2a](https://github.com/Habityzer/nuxt-symfony-kinde-layer/commit/c577a2a047299f30cb745a91aac82b50c2bfedb1))
+
+## [2.1.4](https://github.com/Habityzer/nuxt-symfony-kinde-layer/compare/v2.1.3...v2.1.4) (2026-01-01)
+
+
+### Bug Fixes
+
+* Add Nuxt prepare step to CI and correct ESLint config import path ([07471f5](https://github.com/Habityzer/nuxt-symfony-kinde-layer/commit/07471f5234e1322a2ccfe5709cb8109badededda))
+* Remove invalid pnpm-workspace.yaml for single package ([7e7d6a1](https://github.com/Habityzer/nuxt-symfony-kinde-layer/commit/7e7d6a19ffd2edccfee80b944c947c364b6b2863))
+
+## [2.1.3](https://github.com/Habityzer/nuxt-symfony-kinde-layer/compare/v2.1.2...v2.1.3) (2026-01-01)
+
+
+### Bug Fixes
+
+* Update Kinde configuration to use environment variables and enhance Symfony proxy request handling ([3e0d0bd](https://github.com/Habityzer/nuxt-symfony-kinde-layer/commit/3e0d0bd09ea26a21940f0a0d16cc9aaf5a327be8))
+
 ## [2.1.2](https://github.com/Habityzer/nuxt-symfony-kinde-layer/compare/v2.1.1...v2.1.2) (2025-12-26)
 
 

package/README.md

@@ -257,6 +257,83 @@ Add these scripts to your project's `package.json`:
 }
 ```
 
+## Development
+
+### Local Development Setup
+
+1. **Install dependencies:**
+   ```bash
+   pnpm install
+   ```
+
+2. **The project uses Husky for git hooks:**
+   - Pre-commit: Automatically runs `pnpm lint` before each commit
+   - Commit-msg: Validates commit message format (conventional commits)
+
+3. **Run linter manually:**
+   ```bash
+   pnpm lint        # Check for issues
+   pnpm lint:fix    # Auto-fix issues
+   ```
+
+4. **First time setup:**
+   The pre-commit hook will automatically run `nuxt prepare` if needed (with placeholder environment variables).
+
+### Commit Message Format
+
+This project uses [Conventional Commits](https://www.conventionalcommits.org/). Your commits must follow this format:
+
+```
+type(scope): subject
+
+body (optional)
+```
+
+**Types:**
+- `feat`: New feature
+- `fix`: Bug fix
+- `docs`: Documentation changes
+- `style`: Code style changes (formatting, etc.)
+- `refactor`: Code refactoring
+- `test`: Adding or updating tests
+- `chore`: Maintenance tasks
+
+**Examples:**
+```bash
+git commit -m "feat: add authentication middleware"
+git commit -m "fix: resolve cookie prefix conflict"
+git commit -m "docs: update README with CI setup"
+```
+
+## CI/CD Setup
+
+### Required Environment Variables for GitHub Actions
+
+When building or publishing this layer in CI/CD (e.g., GitHub Actions), you need to provide placeholder environment variables for the `nuxt prepare` step. The layer's `nuxt.config.ts` validates these at build time.
+
+Add these to your workflow:
+
+```yaml
+- name: Prepare Nuxt
+  env:
+    KINDE_AUTH_DOMAIN: https://placeholder.kinde.com
+    KINDE_CLIENT_ID: placeholder_client_id
+    KINDE_CLIENT_SECRET: placeholder_client_secret
+    KINDE_REDIRECT_URL: http://localhost:3000/api/auth/callback
+    KINDE_LOGOUT_REDIRECT_URL: http://localhost:3000
+    NUXT_PUBLIC_AUTH_COOKIE_PREFIX: auth_
+    NUXT_PUBLIC_AUTH_LOGIN_PATH: /login
+    NUXT_PUBLIC_AUTH_CLOCK_SKEW_SECONDS: 300
+    NUXT_PUBLIC_AUTH_APP_TOKEN_PREFIX: Bearer
+    NUXT_PUBLIC_AUTH_E2E_TOKEN_COOKIE_NAME: e2e_token
+    NUXT_PUBLIC_AUTH_ID_TOKEN_NAME: id_token
+    NUXT_PUBLIC_AUTH_ACCESS_TOKEN_NAME: access_token
+    NUXT_PUBLIC_AUTH_REFRESH_TOKEN_NAME: refresh_token
+  run: pnpm nuxt prepare
+```
+
+**Note**: These are placeholder values only used for type generation and validation. Projects consuming this layer will provide their own real credentials at runtime.
+
 ## Troubleshooting
 
 ### Cookie Name Conflicts
@@ -324,3 +401,4 @@ MIT
 ## Contributing
 
 This is a private layer for Habityzer projects. For issues or improvements, contact the team.
+

package/SETUP_NPM_PUBLISH.md

@@ -0,0 +1,134 @@
+# Setting Up Automated NPM Publishing
+
+This project uses GitHub Actions with semantic-release to automatically publish to npm when you push to the `master` branch.
+
+## Setup Instructions
+
+### 1. Create NPM Access Token
+
+> **Important**: As of December 9, 2025, npm classic tokens have been permanently revoked. You must use **granular access tokens** for CI/CD workflows.
+
+**Option A: Using npm CLI (recommended):**
+```bash
+npm token create --type automation --scope @habityzer
+```
+
+**Option B: Using the web interface:**
+1. Go to [npmjs.com/settings/~/tokens](https://www.npmjs.com/settings/~/tokens) and log in
+2. Click **Generate New Token** → **Granular Access Token**
+3. Configure your token:
+   - **Token name**: `github-actions-publish` (or any descriptive name)
+   - **Expiration**: Up to 90 days (maximum for publish tokens)
+   - **Packages and scopes**: Select your package or `@habityzer` scope
+   - **Permissions**: Select **Read and write**
+   - ✅ **Enable "Bypass 2FA"** for automated workflows
+4. Click **Generate Token**
+5. Copy the token (starts with `npm_...`)
+
+> **Note**: Granular tokens for publishing expire after a maximum of 90 days. Set a reminder to regenerate the token before expiration, or consider using [OIDC trusted publishing](https://docs.npmjs.com/generating-provenance-statements) for a more secure, token-free approach.
+
+### 2. Add NPM Token to GitHub
+
+1. Go to your GitHub repository
+2. Navigate to **Settings** → **Secrets and variables** → **Actions**
+3. Click **New repository secret**
+4. Name: `NPM_TOKEN`
+5. Value: Paste your npm token from step 1
+6. Click **Add secret**
+
+### 3. Configure GitHub Actions in NPM
+
+When setting up your package on npmjs.com for automated publishing:
+
+1. Go to your package page on npmjs.com
+2. Navigate to **Settings** → **Publishing Access**
+3. Under **GitHub Actions**, you'll be asked for:
+   - **Workflow filename**: Enter `publish.yml`
+   - This tells npm which workflow file in `.github/workflows/` will publish your package
+
+### 4. How It Works
+
+The workflow (`.github/workflows/publish.yml`) will:
+
+1. **Trigger**: Automatically runs when you push to the `master` branch
+2. **Analyze**: Semantic-release reads your commit messages (following conventional commits)
+3. **Version**: Automatically bumps the version based on your commits:
+   - `feat:` → minor version (1.0.0 → 1.1.0)
+   - `fix:` → patch version (1.0.0 → 1.0.1)
+   - `BREAKING CHANGE:` → major version (1.0.0 → 2.0.0)
+4. **Changelog**: Updates `CHANGELOG.md`
+5. **Git Tag**: Creates a git tag for the new version
+6. **Publish**: Publishes to npm
+7. **Commit**: Commits the changelog and version bump back to your repo
+
+### 5. Commit Message Format
+
+Use conventional commits for automatic versioning:
+
+```bash
+# Patch release (1.0.0 → 1.0.1)
+git commit -m "fix: resolve authentication bug"
+
+# Minor release (1.0.0 → 1.1.0)
+git commit -m "feat: add new login method"
+
+# Major release (1.0.0 → 2.0.0)
+git commit -m "feat: redesign API
+
+BREAKING CHANGE: API structure has changed"
+
+# No release (documentation, etc.)
+git commit -m "docs: update README"
+git commit -m "chore: update dependencies"
+```
+
+### 6. Manual Release (Optional)
+
+If you prefer to release manually:
+
+```bash
+pnpm release
+```
+
+This runs semantic-release locally. Make sure you have:
+- `NPM_TOKEN` environment variable set
+- Committed all your changes
+- Pushed to the master branch
+
+## Troubleshooting
+
+### "No NPM_TOKEN found"
+- Make sure you've added `NPM_TOKEN` as a GitHub secret
+- Check that the secret name is exactly `NPM_TOKEN` (case-sensitive)
+
+### "No release published"
+- Check your commit messages follow conventional commits format
+- Semantic-release only publishes if there are releasable commits
+- View the GitHub Actions logs for details
+
+### "Permission denied" or "Invalid npm token"
+- Ensure you're using a **granular access token** (not classic token)
+- Check that the token has **Read and write** permissions
+- Ensure **"Bypass 2FA"** is enabled for CI/CD workflows
+- Check that your npm account has publish access to the `@habityzer` scope
+- Verify the token hasn't expired (granular tokens expire after max 90 days)
+
+### "Package already published"
+- Semantic-release automatically handles versions
+- If you manually published the same version, semantic-release will skip it
+
+## Current Configuration
+
+- **Branch**: `master` (configured in `.releaserc.json`)
+- **Package**: `@habityzer/nuxt-symfony-kinde-layer`
+- **Workflow**: `.github/workflows/publish.yml`
+- **NPM Publish**: Enabled (set in `.releaserc.json`)
+
+## Additional Resources
+
+- [npm Granular Access Tokens Documentation](https://docs.npmjs.com/about-access-tokens#granular-access-tokens)
+- [GitHub Blog: npm Classic Tokens Revoked (Dec 2025)](https://github.blog/changelog/2025-12-09-npm-classic-tokens-revoked-session-based-auth-and-cli-token-management-now-available/)
+- [Semantic Release Documentation](https://semantic-release.gitbook.io/)
+- [Conventional Commits](https://www.conventionalcommits.org/)
+- [OIDC Trusted Publishing for npm](https://docs.npmjs.com/generating-provenance-statements)
+

package/app/composables/useAuth.ts

@@ -1,6 +1,8 @@
 import { computed, ref, readonly } from 'vue'
 import { E2E_TOKEN_COOKIE_NAME } from '../constants/auth'
 
+const LEGACY_E2E_STORAGE_KEY = 'e2e_app_token'
+
 interface SymfonyUser {
   id: number
   email: string
@@ -105,9 +107,30 @@ export const useAuth = () => {
     // Clear local Symfony state
     userProfile.value = null
 
-    // Clear E2E test token if exists
+    // Clear auth cookies first so route middleware blocks protected pages immediately.
     if (import.meta.client) {
-      localStorage.removeItem('e2e_app_token')
+      const config = useRuntimeConfig()
+      const kindeConfig = config.public.kindeAuth || {}
+      const cookieConfig = kindeConfig.cookie || {}
+      const middlewareConfig = kindeConfig.middleware || {}
+      const cookiePrefix = requireString(cookieConfig.prefix, 'kindeAuth.cookie.prefix')
+      const idTokenName = requireString(cookieConfig.idTokenName, 'kindeAuth.cookie.idTokenName')
+      const accessTokenName = requireString(cookieConfig.accessTokenName, 'kindeAuth.cookie.accessTokenName')
+      const refreshTokenName = requireString(cookieConfig.refreshTokenName, 'kindeAuth.cookie.refreshTokenName')
+      const e2eTokenCookieName = requireString(middlewareConfig.e2eTokenCookieName, 'kindeAuth.middleware.e2eTokenCookieName')
+
+      const authCookies = [idTokenName, accessTokenName, refreshTokenName]
+      const scopedE2eCookieName = `${cookiePrefix}${e2eTokenCookieName}`
+      const scopedE2eStorageKey = `${cookiePrefix}e2e_app_token`
+
+      authCookies.forEach((cookieName) => {
+        document.cookie = `${cookiePrefix}${cookieName}=; path=/; max-age=0`
+      })
+
+      // Remove both scoped and legacy keys for backward compatibility.
+      localStorage.removeItem(scopedE2eStorageKey)
+      localStorage.removeItem(LEGACY_E2E_STORAGE_KEY)
+      document.cookie = `${scopedE2eCookieName}=; path=/; max-age=0`
       document.cookie = `${E2E_TOKEN_COOKIE_NAME}=; path=/; max-age=0`
     }
 
@@ -137,3 +160,11 @@ export const useAuth = () => {
     fetchUserProfile
   }
 }
+
+function requireString(value: unknown, key: string): string {
+  if (typeof value === 'string' && value.trim().length > 0) {
+    return value
+  }
+
+  throw new Error(`[useAuth] Missing required config: ${key}`)
+}

package/app/constants/auth.ts

@@ -1,26 +1,9 @@
-/**
- * Authentication constants shared across the application
- */
-
-/**
- * Cookie name for E2E test authentication token
- * Used by automated tests to bypass Kinde OAuth flow
- */
-export const E2E_TOKEN_COOKIE_NAME = 'kinde_token'
-
-/**
- * Prefix for Symfony app tokens (used in E2E tests)
- * These are long-lived tokens generated by `php bin/console app:token:manage create`
- */
-export const APP_TOKEN_PREFIX = 'app_'
-
-/**
- * Kinde authentication cookie names
- * These cookies are managed by the @habityzer/nuxt-kinde-auth module
- * The prefix is configured per-project in nuxt.config.ts
- *
- * Note: These constants use placeholder names. The actual cookie names
- * will have the project-specific prefix (e.g., 'ew-id_token', 'habityzer_id_token')
- */
-export const KINDE_ID_TOKEN_COOKIE_NAME = 'id_token'
-export const KINDE_ACCESS_TOKEN_COOKIE_NAME = 'access_token'
+export {
+  APP_TOKEN_PREFIX,
+  CLOCK_SKEW_SECONDS,
+  DEFAULT_LOGIN_PATH,
+  E2E_TOKEN_COOKIE_NAME,
+  KINDE_ACCESS_TOKEN_COOKIE_NAME,
+  KINDE_ID_TOKEN_COOKIE_NAME,
+  KINDE_REFRESH_TOKEN_COOKIE_NAME
+} from '../../shared/auth-constants'

package/app/plugins/auth-guard.client.ts

@@ -0,0 +1,134 @@
+export default defineNuxtPlugin(() => {
+  const router = useRouter()
+  const config = useRuntimeConfig()
+  const kindeConfig = config.public.kindeAuth || {}
+  const middlewareConfig = kindeConfig.middleware || {}
+  const cookieConfig = kindeConfig.cookie || {}
+  // @ts-expect-error - cookie property exists in runtime config but not in module types
+  const cookiePrefix = requireString(cookieConfig.prefix, 'kindeAuth.cookie.prefix')
+  const idTokenBaseName = requireString(cookieConfig.idTokenName, 'kindeAuth.cookie.idTokenName')
+  const accessTokenBaseName = requireString(cookieConfig.accessTokenName, 'kindeAuth.cookie.accessTokenName')
+  const e2eTokenCookieName = requireString(middlewareConfig.e2eTokenCookieName, 'kindeAuth.middleware.e2eTokenCookieName')
+  const appTokenPrefix = requireString(middlewareConfig.appTokenPrefix, 'kindeAuth.middleware.appTokenPrefix')
+  const clockSkewSeconds = requireNonNegativeNumber(middlewareConfig.clockSkewSeconds, 'kindeAuth.middleware.clockSkewSeconds')
+  const idToken = useCookie<string | null>(`${cookiePrefix}${idTokenBaseName}`)
+  const accessToken = useCookie<string | null>(`${cookiePrefix}${accessTokenBaseName}`)
+  const e2eToken = useCookie<string | null>(`${cookiePrefix}${e2eTokenCookieName}`)
+  const publicRoutes: string[] = middlewareConfig.publicRoutes || ['/']
+  const loginPath = requireString(middlewareConfig.loginPath, 'kindeAuth.middleware.loginPath')
+
+  router.beforeEach((to) => {
+    if (to.path.startsWith('/api') || to.path.startsWith('/_nuxt')) {
+      return true
+    }
+
+    const isPublicRoute = publicRoutes.some(route => to.path === route || to.path.startsWith(`${route}/`))
+    logClient('route-check', { path: to.path, isPublicRoute })
+    if (isPublicRoute) {
+      return true
+    }
+
+    const hasIdToken = !!idToken.value
+    const hasAccessToken = !!accessToken.value
+    const e2eTokenValue = e2eToken.value
+
+    logClient('cookie-state', {
+      path: to.path,
+      cookiePrefix,
+      hasIdToken,
+      hasAccessToken,
+      hasScopedE2eToken: !!e2eTokenValue
+    })
+
+    if (e2eTokenValue && e2eTokenValue.startsWith(appTokenPrefix)) {
+      logClient('allow-e2e-app-token', { path: to.path })
+      return true
+    }
+
+    if (!hasIdToken && !hasAccessToken) {
+      logClient('redirect-missing-auth-cookies', { path: to.path })
+      window.location.href = loginPath
+      return false
+    }
+
+    const idTokenUsable = hasIdToken ? isUsableToken(idToken.value as string, appTokenPrefix, clockSkewSeconds) : false
+    const accessTokenUsable = hasAccessToken ? isUsableToken(accessToken.value as string, appTokenPrefix, clockSkewSeconds) : false
+    const isUnauthorized = !idTokenUsable && !accessTokenUsable
+
+    logClient('token-evaluation', {
+      path: to.path,
+      idTokenUsable,
+      accessTokenUsable
+    })
+
+    if (isUnauthorized) {
+      idToken.value = null
+      accessToken.value = null
+      logClient('redirect-all-auth-tokens-invalid-or-expired', { path: to.path })
+      window.location.href = loginPath
+      return false
+    }
+
+    logClient('allow-protected-route', { path: to.path })
+    return true
+  })
+})
+
+function isUsableToken(token: string, appTokenPrefix: string, clockSkewSeconds: number): boolean {
+  if (token.startsWith(appTokenPrefix)) {
+    return true
+  }
+
+  const payload = decodeJwtPayload(token)
+  if (!payload || typeof payload.exp !== 'number') {
+    return false
+  }
+
+  const nowSeconds = Math.floor(Date.now() / 1000)
+  return payload.exp > nowSeconds + clockSkewSeconds
+}
+
+function decodeJwtPayload(token: string): Record<string, unknown> | null {
+  const parts = token.split('.')
+  if (parts.length !== 3) {
+    return null
+  }
+
+  const payloadPart = parts[1]
+  if (!payloadPart) {
+    return null
+  }
+
+  try {
+    const padded = payloadPart.replace(/-/g, '+').replace(/_/g, '/').padEnd(Math.ceil(payloadPart.length / 4) * 4, '=')
+    const decoded = atob(padded)
+    const parsed = JSON.parse(decoded)
+    return parsed && typeof parsed === 'object' ? parsed as Record<string, unknown> : null
+  } catch {
+    return null
+  }
+}
+
+function logClient(event: string, details: Record<string, unknown>) {
+  if (!import.meta.dev) {
+    return
+  }
+
+  console.warn(`[AUTH GUARD CLIENT] ${event}`, details)
+}
+
+function requireString(value: unknown, key: string): string {
+  if (typeof value === 'string' && value.trim().length > 0) {
+    return value
+  }
+
+  throw new Error(`[AUTH GUARD CLIENT] Missing required config: ${key}`)
+}
+
+function requireNonNegativeNumber(value: unknown, key: string): number {
+  if (typeof value === 'number' && Number.isFinite(value) && value >= 0) {
+    return value
+  }
+
+  throw new Error(`[AUTH GUARD CLIENT] Invalid required numeric config: ${key}`)
+}

package/eslint.config.mjs

@@ -1,5 +1,5 @@
 // @ts-check
-import withNuxt from './node_modules/.cache/nuxt/.nuxt/eslint.config.mjs'
+import withNuxt from './.nuxt/eslint.config.mjs'
 
 export default withNuxt(
   // Your custom configs here