@happyvertical/smrt-profiles 0.30.0

package/dist/chunks/index-jFtOWsAV.js

@@ -0,0 +1,1014 @@
+import { ObjectRegistry, foreignKey, smrt, SmrtObject, SmrtCollection, field } from "@happyvertical/smrt-core";
+import { P as ProfileType, a as Profile } from "./ProfileCollection-DU6wUJTO.js";
+import { createHash, randomBytes } from "node:crypto";
+import { N as NostrIdentityCollection, g as generateNostrKeypair, e as encryptPrivkey, a as NostrIdentity, v as verifyAuthEvent } from "./NostrIdentityCollection-DadQBHWy.js";
+import { ApiKey } from "./ApiKey-B2LKEaP8.js";
+import "./ApiKeyCollection-B6Op817e.js";
+import "./AuditLogCollection-BYqCj0uE.js";
+import "./ProfileAssetCollection-D_tk1kKG.js";
+import "./ProfileMetadataCollection-DEhmljMY.js";
+import "./ProfileMetafieldCollection-DMKhSHXX.js";
+import "./ProfileRelationshipCollection-C0IM8UQR.js";
+import "./ProfileRelationshipTermCollection-CXem_qT-.js";
+import "./ProfileRelationshipTypeCollection-CF8YvLTV.js";
+import "./ProfileRelationshipType-BXBLldea.js";
+ObjectRegistry.registerPackageManifest(
+  new URL("./manifest.json", import.meta.url)
+);
+var __defProp$1 = Object.defineProperty;
+var __getOwnPropDesc$2 = Object.getOwnPropertyDescriptor;
+var __decorateClass$2 = (decorators, target, key, kind) => {
+  var result = kind > 1 ? void 0 : kind ? __getOwnPropDesc$2(target, key) : target;
+  for (var i = decorators.length - 1, decorator; i >= 0; i--)
+    if (decorator = decorators[i])
+      result = (kind ? decorator(target, key, result) : decorator(result)) || result;
+  if (kind && result) __defProp$1(target, key, result);
+  return result;
+};
+const DEFAULT_EXPIRATION_MINUTES = 15;
+let MagicLinkToken = class extends SmrtObject {
+  nostrIdentityId;
+  /**
+   * SHA-256 hash of the token (never store plaintext)
+   */
+  tokenHash = "";
+  /**
+   * Email this token was sent to
+   */
+  email = "";
+  /**
+   * When this token expires
+   */
+  expiresAt = new Date(
+    Date.now() + DEFAULT_EXPIRATION_MINUTES * 60 * 1e3
+  );
+  /**
+   * When this token was used (null = unused)
+   */
+  usedAt = null;
+  /**
+   * IP address that requested the token (for rate limiting)
+   */
+  requestedFromIp = "";
+  /**
+   * When this token was created (for rate limiting)
+   */
+  createdAt = /* @__PURE__ */ new Date();
+  constructor(options = {}) {
+    super(options);
+    if (options.nostrIdentityId) this.nostrIdentityId = options.nostrIdentityId;
+    if (options.tokenHash) this.tokenHash = options.tokenHash;
+    if (options.email) this.email = options.email;
+    if (options.expiresAt) this.expiresAt = options.expiresAt;
+    if (options.usedAt !== void 0) this.usedAt = options.usedAt;
+    if (options.requestedFromIp) this.requestedFromIp = options.requestedFromIp;
+    if (options.createdAt) this.createdAt = options.createdAt;
+  }
+  /**
+   * Hash a token using SHA-256
+   */
+  static hashToken(token) {
+    return createHash("sha256").update(token).digest("hex");
+  }
+  /**
+   * Generate a new magic link token
+   * @param nostrIdentity - The identity this token is for
+   * @param email - The email address to send to
+   * @param options - Additional options
+   */
+  static async generate(nostrIdentity, email, options = {}) {
+    const tokenBytes = randomBytes(32);
+    const token = tokenBytes.toString("base64url");
+    const tokenHash = MagicLinkToken.hashToken(token);
+    const expiresInMinutes = options.expiresInMinutes ?? DEFAULT_EXPIRATION_MINUTES;
+    const expiresAt = new Date(Date.now() + expiresInMinutes * 60 * 1e3);
+    const magicLinkToken = new MagicLinkToken({
+      db: options.db ?? nostrIdentity.options?.db,
+      nostrIdentityId: nostrIdentity.id,
+      tokenHash,
+      email: email.toLowerCase(),
+      expiresAt,
+      requestedFromIp: options.requestedFromIp || ""
+    });
+    await magicLinkToken.initialize();
+    await magicLinkToken.save();
+    return { token, magicLinkToken };
+  }
+  /**
+   * Verify a token and return the MagicLinkToken if valid
+   * @param token - The plaintext token to verify
+   * @param options - Database options
+   * @returns The MagicLinkToken if valid, null otherwise
+   */
+  static async verify(token, options = {}) {
+    const tokenHash = MagicLinkToken.hashToken(token);
+    const { MagicLinkTokenCollection: MagicLinkTokenCollection2 } = await Promise.resolve().then(() => MagicLinkTokenCollection$1);
+    const collection = await MagicLinkTokenCollection2.create(options);
+    const magicLinkToken = await collection.findOne({
+      where: { tokenHash }
+    });
+    if (!magicLinkToken) {
+      return null;
+    }
+    if (!magicLinkToken.isValid()) {
+      return null;
+    }
+    return magicLinkToken;
+  }
+  /**
+   * Check if this token is valid (not expired and not used)
+   */
+  isValid() {
+    if (this.usedAt !== null) {
+      return false;
+    }
+    if (/* @__PURE__ */ new Date() > this.expiresAt) {
+      return false;
+    }
+    return true;
+  }
+  /**
+   * Check if this token has expired
+   */
+  isExpired() {
+    return /* @__PURE__ */ new Date() > this.expiresAt;
+  }
+  /**
+   * Check if this token has been used
+   */
+  isUsed() {
+    return this.usedAt !== null;
+  }
+  /**
+   * Mark this token as used
+   */
+  async markUsed() {
+    this.usedAt = /* @__PURE__ */ new Date();
+    await this.save();
+  }
+  /**
+   * Get the NostrIdentity this token is for
+   */
+  async getNostrIdentity() {
+    return await this.getRelated("nostrIdentityId");
+  }
+  /**
+   * Get time remaining until expiration in seconds
+   */
+  getTimeRemainingSeconds() {
+    const now = /* @__PURE__ */ new Date();
+    const diff = this.expiresAt.getTime() - now.getTime();
+    return Math.max(0, Math.floor(diff / 1e3));
+  }
+};
+__decorateClass$2([
+  foreignKey("NostrIdentity", { required: true })
+], MagicLinkToken.prototype, "nostrIdentityId", 2);
+MagicLinkToken = __decorateClass$2([
+  smrt({
+    tableName: "magic_link_tokens",
+    api: { exclude: ["*"] },
+    // No API access - internal only
+    mcp: { exclude: ["*"] },
+    cli: { include: ["list"] }
+    // Admin visibility only
+  })
+], MagicLinkToken);
+class MagicLinkTokenCollection extends SmrtCollection {
+  static _itemClass = MagicLinkToken;
+  /**
+   * Find token by hash
+   */
+  async findByTokenHash(tokenHash) {
+    return await this.findOne({
+      where: { tokenHash }
+    });
+  }
+  /**
+   * Find active (non-expired, non-used) tokens for an email
+   */
+  async findActiveForEmail(email) {
+    const tokens = await this.list({
+      where: { email: email.toLowerCase() }
+    });
+    return tokens.filter((token) => token.isValid());
+  }
+  /**
+   * Find tokens for a NostrIdentity
+   */
+  async findByIdentity(nostrIdentityId) {
+    return await this.list({
+      where: { nostrIdentityId }
+    });
+  }
+  /**
+   * Count tokens created for an email within a time window (for rate limiting)
+   * @param email - Email address
+   * @param withinMinutes - Time window in minutes
+   */
+  async countRecentByEmail(email, withinMinutes) {
+    const cutoff = new Date(Date.now() - withinMinutes * 60 * 1e3);
+    const tokens = await this.list({
+      where: { email: email.toLowerCase() }
+    });
+    return tokens.filter((token) => {
+      const createdAt = token.createdAt;
+      return createdAt && new Date(createdAt) > cutoff;
+    }).length;
+  }
+  /**
+   * Count tokens created from an IP within a time window (for rate limiting)
+   * @param ip - IP address
+   * @param withinMinutes - Time window in minutes
+   */
+  async countRecentByIp(ip, withinMinutes) {
+    const cutoff = new Date(Date.now() - withinMinutes * 60 * 1e3);
+    const tokens = await this.list({
+      where: { requestedFromIp: ip }
+    });
+    return tokens.filter((token) => {
+      const createdAt = token.createdAt;
+      return createdAt && new Date(createdAt) > cutoff;
+    }).length;
+  }
+  /**
+   * Verify a token and return it if valid
+   */
+  async verify(token) {
+    const tokenHash = MagicLinkToken.hashToken(token);
+    const magicLinkToken = await this.findByTokenHash(tokenHash);
+    if (!magicLinkToken) {
+      return null;
+    }
+    if (!magicLinkToken.isValid()) {
+      return null;
+    }
+    return magicLinkToken;
+  }
+  /**
+   * Clean up expired tokens by deleting them
+   * @returns Number of tokens deleted
+   */
+  async cleanupExpired() {
+    const allTokens = await this.list({});
+    let deleted = 0;
+    for (const token of allTokens) {
+      if (token.isExpired() || token.isUsed()) {
+        await token.delete();
+        deleted++;
+      }
+    }
+    return deleted;
+  }
+  /**
+   * Revoke all tokens for a NostrIdentity (e.g., when identity is deleted)
+   */
+  async revokeForIdentity(nostrIdentityId) {
+    const tokens = await this.findByIdentity(nostrIdentityId);
+    let revoked = 0;
+    for (const token of tokens) {
+      if (!token.isUsed()) {
+        await token.markUsed();
+        revoked++;
+      }
+    }
+    return revoked;
+  }
+  /**
+   * Check if rate limit is exceeded for email
+   * @param email - Email address
+   * @param maxPerHour - Maximum tokens allowed per hour (default: 5)
+   */
+  async isRateLimitedByEmail(email, maxPerHour = 5) {
+    const count = await this.countRecentByEmail(email, 60);
+    return count >= maxPerHour;
+  }
+  /**
+   * Check if rate limit is exceeded for IP
+   * @param ip - IP address
+   * @param maxPerHour - Maximum tokens allowed per hour (default: 10)
+   */
+  async isRateLimitedByIp(ip, maxPerHour = 10) {
+    const count = await this.countRecentByIp(ip, 60);
+    return count >= maxPerHour;
+  }
+}
+const MagicLinkTokenCollection$1 = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ Object.defineProperty({
+  __proto__: null,
+  MagicLinkTokenCollection
+}, Symbol.toStringTag, { value: "Module" }));
+function createMagicLinkService(config) {
+  const {
+    baseUrl,
+    verifyPath = "/auth/verify",
+    expiresInMinutes = 15,
+    maxTokensPerEmailPerHour = 5,
+    maxTokensPerIpPerHour = 10,
+    masterSecret,
+    sendEmail,
+    db
+  } = config;
+  return {
+    async initiate(email, options = {}) {
+      const normalizedEmail = email.toLowerCase().trim();
+      const { requestedFromIp, nip05Username } = options;
+      const identityCollection = await NostrIdentityCollection.create({ db });
+      const tokenCollection = await MagicLinkTokenCollection.create({ db });
+      if (await tokenCollection.isRateLimitedByEmail(
+        normalizedEmail,
+        maxTokensPerEmailPerHour
+      )) {
+        return {
+          success: false,
+          created: false,
+          error: "Too many requests for this email. Please try again later.",
+          errorCode: "RATE_LIMITED_EMAIL"
+        };
+      }
+      if (requestedFromIp && await tokenCollection.isRateLimitedByIp(
+        requestedFromIp,
+        maxTokensPerIpPerHour
+      )) {
+        return {
+          success: false,
+          created: false,
+          error: "Too many requests from this IP. Please try again later.",
+          errorCode: "RATE_LIMITED_IP"
+        };
+      }
+      let nostrIdentity = await identityCollection.findByEmail(normalizedEmail);
+      let profile = null;
+      let created = false;
+      if (!nostrIdentity) {
+        const { Person: Person2 } = await Promise.resolve().then(() => ProfileTypes);
+        profile = new Person2({
+          db,
+          email: normalizedEmail,
+          name: normalizedEmail.split("@")[0]
+          // Default name from email
+        });
+        await profile.initialize();
+        await profile.save();
+        const keypair = generateNostrKeypair();
+        const encrypted = encryptPrivkey(keypair.privkey, masterSecret);
+        const { NostrIdentity: NostrIdentityClass } = await import("./NostrIdentityCollection-DadQBHWy.js").then((n) => n.o);
+        nostrIdentity = new NostrIdentityClass({
+          db,
+          profileId: profile.id,
+          pubkey: keypair.pubkey,
+          encryptedPrivkey: encrypted.ciphertext,
+          encryptionIv: encrypted.iv,
+          encryptionTag: encrypted.tag,
+          email: normalizedEmail,
+          nip05Username: nip05Username?.toLowerCase() || normalizedEmail.split("@")[0]
+        });
+        await nostrIdentity.initialize();
+        await nostrIdentity.save();
+        created = true;
+      } else {
+        profile = await nostrIdentity.getProfile();
+      }
+      const { token } = await MagicLinkToken.generate(
+        nostrIdentity,
+        normalizedEmail,
+        {
+          expiresInMinutes,
+          requestedFromIp,
+          db
+        }
+      );
+      const magicLink = `${baseUrl}${verifyPath}?token=${encodeURIComponent(token)}`;
+      try {
+        await sendEmail(normalizedEmail, magicLink);
+      } catch (emailError) {
+        return {
+          success: false,
+          created,
+          nostrIdentity,
+          profile: profile || void 0,
+          error: "Failed to send email. Please try again.",
+          errorCode: "EMAIL_SEND_FAILED"
+        };
+      }
+      return {
+        success: true,
+        created,
+        nostrIdentity,
+        profile: profile || void 0
+      };
+    },
+    async verify(token) {
+      const magicLinkToken = await MagicLinkToken.verify(token, { db });
+      if (!magicLinkToken) {
+        const tokenHash = MagicLinkToken.hashToken(token);
+        const tokenCollection = await MagicLinkTokenCollection.create({ db });
+        const existingToken = await tokenCollection.findByTokenHash(tokenHash);
+        if (!existingToken) {
+          return {
+            success: false,
+            error: "Invalid or expired token.",
+            errorCode: "NOT_FOUND"
+          };
+        }
+        if (existingToken.isUsed()) {
+          return {
+            success: false,
+            error: "This link has already been used.",
+            errorCode: "USED_TOKEN"
+          };
+        }
+        if (existingToken.isExpired()) {
+          return {
+            success: false,
+            error: "This link has expired. Please request a new one.",
+            errorCode: "EXPIRED_TOKEN"
+          };
+        }
+        return {
+          success: false,
+          error: "Invalid token.",
+          errorCode: "INVALID_TOKEN"
+        };
+      }
+      await magicLinkToken.markUsed();
+      const nostrIdentity = await magicLinkToken.getNostrIdentity();
+      if (!nostrIdentity) {
+        return {
+          success: false,
+          error: "Identity not found.",
+          errorCode: "NOT_FOUND"
+        };
+      }
+      await nostrIdentity.markVerified();
+      const profile = await nostrIdentity.getProfile();
+      const keypair = nostrIdentity.getKeypair(masterSecret);
+      return {
+        success: true,
+        profile: profile || void 0,
+        nostrIdentity,
+        keypair
+      };
+    }
+  };
+}
+function createNip05Handler(config) {
+  const { db, defaultRelays = [], cacheTtlSeconds = 300 } = config;
+  return async function handleNip05Request(request) {
+    const { name } = request;
+    const collection = await NostrIdentityCollection.create({ db });
+    const response = await collection.getNip05Response(name || void 0);
+    if (defaultRelays.length > 0 && Object.keys(response.names).length > 0) {
+      response.relays = {};
+      for (const pubkey of Object.values(response.names)) {
+        response.relays[pubkey] = defaultRelays;
+      }
+    }
+    if (name && Object.keys(response.names).length === 0) {
+      return {
+        body: { names: {} },
+        headers: {
+          "Content-Type": "application/json",
+          "Access-Control-Allow-Origin": "*",
+          "Cache-Control": `public, max-age=${cacheTtlSeconds}`
+        },
+        status: 200
+        // NIP-05 spec says return 200 with empty names, not 404
+      };
+    }
+    return {
+      body: response,
+      headers: {
+        "Content-Type": "application/json",
+        "Access-Control-Allow-Origin": "*",
+        "Cache-Control": `public, max-age=${cacheTtlSeconds}`
+      },
+      status: 200
+    };
+  };
+}
+function isValidNip05Identifier(identifier) {
+  const parts = identifier.split("@");
+  if (parts.length !== 2) {
+    return false;
+  }
+  const [localPart, domain] = parts;
+  if (!/^[a-z0-9_-]+$/i.test(localPart)) {
+    return false;
+  }
+  if (!/^[a-z0-9.-]+\.[a-z]{2,}$/i.test(domain)) {
+    return false;
+  }
+  return true;
+}
+function parseNip05Identifier(identifier) {
+  if (!isValidNip05Identifier(identifier)) {
+    return null;
+  }
+  const [localPart, domain] = identifier.split("@");
+  return { localPart, domain };
+}
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc$1 = Object.getOwnPropertyDescriptor;
+var __decorateClass$1 = (decorators, target, key, kind) => {
+  var result = kind > 1 ? void 0 : kind ? __getOwnPropDesc$1(target, key) : target;
+  for (var i = decorators.length - 1, decorator; i >= 0; i--)
+    if (decorator = decorators[i])
+      result = (kind ? decorator(target, key, result) : decorator(result)) || result;
+  if (kind && result) __defProp(target, key, result);
+  return result;
+};
+let OidcIdentity = class extends SmrtObject {
+  profileId;
+  provider = "";
+  issuer = "";
+  subject = "";
+  email = "";
+  lastUsedAt = null;
+  constructor(options = {}) {
+    super(options);
+    if (options.profileId) this.profileId = options.profileId;
+    if (options.provider) this.provider = options.provider;
+    if (options.issuer) this.issuer = options.issuer;
+    if (options.subject) this.subject = options.subject;
+    if (options.email) this.email = options.email;
+    if (options.lastUsedAt !== void 0) this.lastUsedAt = options.lastUsedAt;
+  }
+  /**
+   * Get the linked Profile
+   */
+  async getProfile() {
+    return await this.getRelated("profileId");
+  }
+  /**
+   * Find identity by issuer and subject
+   */
+  static async findBySubject(issuer, subject, options = {}) {
+    const { OidcIdentityCollection: OidcIdentityCollection2 } = await Promise.resolve().then(() => OidcIdentityCollection$1);
+    const collection = await OidcIdentityCollection2.create(options);
+    return await collection.findOne({
+      where: { issuer, subject }
+    });
+  }
+  /**
+   * Find or create identity for a profile
+   */
+  static async findOrCreate(profile, oidcData, options = {}) {
+    const existing = await OidcIdentity.findBySubject(
+      oidcData.issuer,
+      oidcData.subject,
+      options
+    );
+    if (existing) {
+      existing.lastUsedAt = /* @__PURE__ */ new Date();
+      if (oidcData.email) existing.email = oidcData.email;
+      await existing.save();
+      return existing;
+    }
+    const identity = new OidcIdentity({
+      ...options,
+      profileId: profile.id,
+      provider: oidcData.provider,
+      issuer: oidcData.issuer,
+      subject: oidcData.subject,
+      email: oidcData.email || ""
+    });
+    await identity.initialize();
+    await identity.save();
+    return identity;
+  }
+  /**
+   * Record usage of this identity
+   */
+  async recordUsage() {
+    this.lastUsedAt = /* @__PURE__ */ new Date();
+    await this.save();
+  }
+};
+__decorateClass$1([
+  foreignKey("Profile", { required: true })
+], OidcIdentity.prototype, "profileId", 2);
+__decorateClass$1([
+  field({ type: "text" })
+], OidcIdentity.prototype, "provider", 2);
+__decorateClass$1([
+  field({ type: "text" })
+], OidcIdentity.prototype, "issuer", 2);
+__decorateClass$1([
+  field({ type: "text" })
+], OidcIdentity.prototype, "subject", 2);
+__decorateClass$1([
+  field({ type: "text" })
+], OidcIdentity.prototype, "email", 2);
+__decorateClass$1([
+  field({ type: "datetime", nullable: true })
+], OidcIdentity.prototype, "lastUsedAt", 2);
+OidcIdentity = __decorateClass$1([
+  smrt({
+    tableName: "oidc_identities",
+    api: { exclude: ["delete"] },
+    mcp: { include: ["list", "get"] },
+    cli: { include: ["list", "get"] }
+  })
+], OidcIdentity);
+async function resolveIdentity(context) {
+  const options = { db: context.db };
+  if (context.apiKey) {
+    const apiKey = await ApiKey.verify(context.apiKey, options);
+    if (apiKey) {
+      const profile = await apiKey.getProfile();
+      if (profile) {
+        return {
+          profile,
+          source: "api_key",
+          apiKey
+        };
+      }
+    }
+  }
+  if (context.oidcSession?.sub && context.oidcSession?.iss) {
+    const oidcIdentity = await OidcIdentity.findBySubject(
+      context.oidcSession.iss,
+      context.oidcSession.sub,
+      options
+    );
+    if (oidcIdentity) {
+      await oidcIdentity.recordUsage();
+      const profile = await oidcIdentity.getProfile();
+      if (profile) {
+        return {
+          profile,
+          source: "oidc",
+          oidcIdentity
+        };
+      }
+    }
+  }
+  if (context.nostrAuth?.event && context.nostrAuth?.challenge) {
+    const { event, challenge } = context.nostrAuth;
+    const verifyResult = verifyAuthEvent(event, challenge);
+    if (verifyResult.valid) {
+      const nostrIdentity = await NostrIdentity.findByPubkey(
+        event.pubkey,
+        options
+      );
+      if (nostrIdentity) {
+        await nostrIdentity.recordUsage();
+        const profile = await nostrIdentity.getProfile();
+        if (profile) {
+          return {
+            profile,
+            source: "nostr",
+            nostrIdentity
+          };
+        }
+      }
+    }
+  }
+  if (context.actor) {
+    const profile = await findProfileByExternalId(
+      "github",
+      context.actor,
+      options
+    );
+    if (profile) {
+      return {
+        profile,
+        source: "actor"
+      };
+    }
+  }
+  return {
+    profile: null,
+    source: "none"
+  };
+}
+async function findProfileByExternalId(provider, externalId, options) {
+  const { OidcIdentityCollection: OidcIdentityCollection2 } = await Promise.resolve().then(() => OidcIdentityCollection$1);
+  const oidcCollection = await OidcIdentityCollection2.create(options);
+  const identities = await oidcCollection.findByProvider(provider);
+  for (const identity of identities) {
+    if (identity.subject === externalId || identity.email?.includes(externalId)) {
+      const profile = await identity.getProfile();
+      if (profile) return profile;
+    }
+  }
+  const { ProfileCollection } = await import("./ProfileCollection-DU6wUJTO.js").then((n) => n.d);
+  const profileCollection = await ProfileCollection.create(options);
+  const profiles = await profileCollection.list({
+    where: {
+      email: `${externalId}@users.noreply.github.com`
+    },
+    limit: 1
+  });
+  if (profiles.length > 0) {
+    return profiles[0];
+  }
+  return null;
+}
+async function createProfileFromOidc(claims, provider, options) {
+  const existingIdentity = await OidcIdentity.findBySubject(
+    claims.iss,
+    claims.sub,
+    options
+  );
+  if (existingIdentity) {
+    const profile2 = await existingIdentity.getProfile();
+    if (profile2) {
+      if (claims.email) existingIdentity.email = claims.email;
+      existingIdentity.lastUsedAt = /* @__PURE__ */ new Date();
+      await existingIdentity.save();
+      return {
+        profile: profile2,
+        oidcIdentity: existingIdentity,
+        created: false
+      };
+    }
+  }
+  if (claims.email && claims.email_verified) {
+    const { ProfileCollection } = await import("./ProfileCollection-DU6wUJTO.js").then((n) => n.d);
+    const profileCollection = await ProfileCollection.create(options);
+    const existingProfile = await profileCollection.findByEmail(claims.email);
+    if (existingProfile) {
+      const oidcIdentity2 = await OidcIdentity.findOrCreate(
+        existingProfile,
+        {
+          provider,
+          issuer: claims.iss,
+          subject: claims.sub,
+          email: claims.email
+        },
+        options
+      );
+      return {
+        profile: existingProfile,
+        oidcIdentity: oidcIdentity2,
+        created: false
+      };
+    }
+  }
+  const { Person: Person2 } = await Promise.resolve().then(() => ProfileTypes);
+  const { ProfileTypeCollection: ProfileTypeCollection2 } = await Promise.resolve().then(() => ProfileTypeCollection$1);
+  const typeCollection = await ProfileTypeCollection2.create(options);
+  let personType = await typeCollection.getBySlug("person");
+  if (!personType) {
+    const { ProfileType: ProfileType2 } = await import("./ProfileCollection-DU6wUJTO.js").then((n) => n.c);
+    personType = new ProfileType2({
+      ...options,
+      slug: "person",
+      name: "Person",
+      description: "Individual person profile"
+    });
+    await personType.initialize();
+    await personType.save();
+  }
+  const profile = new Person2({
+    ...options,
+    typeId: personType.id,
+    email: claims.email || "",
+    name: claims.name || claims.preferred_username || claims.sub
+  });
+  await profile.initialize();
+  await profile.save();
+  const oidcIdentity = await OidcIdentity.findOrCreate(
+    profile,
+    {
+      provider,
+      issuer: claims.iss,
+      subject: claims.sub,
+      email: claims.email
+    },
+    options
+  );
+  return {
+    profile,
+    oidcIdentity,
+    created: true
+  };
+}
+async function createProfileFromNostr(email, nostrData, options) {
+  const normalizedEmail = email.toLowerCase();
+  const existingIdentity = await NostrIdentity.findByEmail(
+    normalizedEmail,
+    options
+  );
+  if (existingIdentity) {
+    const profile2 = await existingIdentity.getProfile();
+    if (profile2) {
+      return {
+        profile: profile2,
+        nostrIdentity: existingIdentity,
+        created: false
+      };
+    }
+  }
+  const { Person: Person2 } = await Promise.resolve().then(() => ProfileTypes);
+  const { ProfileTypeCollection: ProfileTypeCollection2 } = await Promise.resolve().then(() => ProfileTypeCollection$1);
+  const typeCollection = await ProfileTypeCollection2.create(options);
+  let personType = await typeCollection.getBySlug("person");
+  if (!personType) {
+    const { ProfileType: ProfileType2 } = await import("./ProfileCollection-DU6wUJTO.js").then((n) => n.c);
+    personType = new ProfileType2({
+      ...options,
+      slug: "person",
+      name: "Person",
+      description: "Individual person profile"
+    });
+    await personType.initialize();
+    await personType.save();
+  }
+  const profile = new Person2({
+    ...options,
+    typeId: personType.id,
+    email: normalizedEmail,
+    name: normalizedEmail.split("@")[0]
+    // Default name from email
+  });
+  await profile.initialize();
+  await profile.save();
+  const nostrIdentity = new NostrIdentity({
+    ...options,
+    profileId: profile.id,
+    pubkey: nostrData.pubkey,
+    encryptedPrivkey: nostrData.encryptedPrivkey,
+    encryptionIv: nostrData.encryptionIv,
+    encryptionTag: nostrData.encryptionTag,
+    email: normalizedEmail,
+    nip05Username: nostrData.nip05Username?.toLowerCase() || normalizedEmail.split("@")[0]
+  });
+  await nostrIdentity.initialize();
+  await nostrIdentity.save();
+  return {
+    profile,
+    nostrIdentity,
+    created: true
+  };
+}
+class OidcIdentityCollection extends SmrtCollection {
+  static _itemClass = OidcIdentity;
+  /**
+   * Find identities for a profile
+   */
+  async findByProfile(profileId) {
+    return await this.list({
+      where: { profileId }
+    });
+  }
+  /**
+   * Find identity by issuer and subject
+   */
+  async findBySubject(issuer, subject) {
+    return await this.findOne({
+      where: { issuer, subject }
+    });
+  }
+  /**
+   * Find identities by provider
+   */
+  async findByProvider(provider) {
+    return await this.list({
+      where: { provider }
+    });
+  }
+  /**
+   * Link a new OIDC identity to a profile
+   */
+  async linkToProfile(profile, oidcData) {
+    const existing = await this.findBySubject(
+      oidcData.issuer,
+      oidcData.subject
+    );
+    if (existing) {
+      existing.lastUsedAt = /* @__PURE__ */ new Date();
+      if (oidcData.email) existing.email = oidcData.email;
+      await existing.save();
+      return existing;
+    }
+    const identity = new OidcIdentity({
+      ...this.options,
+      profileId: profile.id,
+      provider: oidcData.provider,
+      issuer: oidcData.issuer,
+      subject: oidcData.subject,
+      email: oidcData.email || ""
+    });
+    await identity.initialize();
+    await identity.save();
+    return identity;
+  }
+  /**
+   * Unlink an OIDC identity from a profile
+   */
+  async unlinkFromProfile(profileId, issuer, subject) {
+    const identity = await this.findOne({
+      where: { profileId, issuer, subject }
+    });
+    if (identity) {
+      await identity.delete();
+      return true;
+    }
+    return false;
+  }
+}
+const OidcIdentityCollection$1 = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ Object.defineProperty({
+  __proto__: null,
+  OidcIdentityCollection
+}, Symbol.toStringTag, { value: "Module" }));
+class ProfileTypeCollection extends SmrtCollection {
+  static _itemClass = ProfileType;
+  /**
+   * Get profile type by slug
+   *
+   * @param slug - The slug to search for
+   * @returns ProfileType instance or null
+   */
+  async getBySlug(slug) {
+    return await this.get({ slug });
+  }
+  /**
+   * Get or create a profile type by slug
+   *
+   * @param slug - The slug to search for
+   * @param defaults - Default values if creating
+   * @returns ProfileType instance
+   */
+  async getOrCreateBySlug(slug, defaults) {
+    const existing = await this.getBySlug(slug);
+    if (existing) return existing;
+    const profileType = await this.create({ slug, ...defaults });
+    await profileType.save();
+    return profileType;
+  }
+}
+const ProfileTypeCollection$1 = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ Object.defineProperty({
+  __proto__: null,
+  ProfileTypeCollection
+}, Symbol.toStringTag, { value: "Module" }));
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __decorateClass = (decorators, target, key, kind) => {
+  var result = kind > 1 ? void 0 : kind ? __getOwnPropDesc(target, key) : target;
+  for (var i = decorators.length - 1, decorator; i >= 0; i--)
+    if (decorator = decorators[i])
+      result = decorator(result) || result;
+  return result;
+};
+let Person = class extends Profile {
+  constructor(options = {}) {
+    super(options);
+  }
+};
+Person = __decorateClass([
+  smrt({
+    tableStrategy: "sti"
+  })
+], Person);
+let Organization = class extends Profile {
+  constructor(options = {}) {
+    super(options);
+  }
+};
+Organization = __decorateClass([
+  smrt({
+    tableStrategy: "sti"
+  })
+], Organization);
+let Bot = class extends Profile {
+  constructor(options = {}) {
+    super(options);
+  }
+};
+Bot = __decorateClass([
+  smrt({
+    tableStrategy: "sti"
+  })
+], Bot);
+const ProfileTypes = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ Object.defineProperty({
+  __proto__: null,
+  get Bot() {
+    return Bot;
+  },
+  get Organization() {
+    return Organization;
+  },
+  get Person() {
+    return Person;
+  }
+}, Symbol.toStringTag, { value: "Module" }));
+export {
+  Bot as B,
+  MagicLinkToken as M,
+  OidcIdentity as O,
+  Person as P,
+  MagicLinkTokenCollection as a,
+  OidcIdentityCollection as b,
+  Organization as c,
+  ProfileTypeCollection as d,
+  createMagicLinkService as e,
+  createNip05Handler as f,
+  createProfileFromNostr as g,
+  createProfileFromOidc as h,
+  isValidNip05Identifier as i,
+  OidcIdentityCollection$1 as j,
+  parseNip05Identifier as p,
+  resolveIdentity as r
+};
+//# sourceMappingURL=index-jFtOWsAV.js.map