@happyvertical/smrt-users 0.30.0

package/dist/chunks/index-DkoYIvIu.js

@@ -0,0 +1,169 @@
+import { Y as getSigKey, Z as checkKeyLength, _ as subtleAlgorithm, $ as JWSInvalid, a0 as isDisjoint, a1 as validateCrit, a2 as checkKeyType, a3 as encode, a4 as encode$1, a5 as concat, a6 as normalizeKey, a7 as JWTClaimsBuilder, a8 as JWTInvalid, a9 as errors, aa as jwtVerify } from "./TerminalAuthService-DoAMQ_yn.js";
+import { ab, ac, ad, ae, af, ag, ah } from "./TerminalAuthService-DoAMQ_yn.js";
+async function sign(alg, key, data) {
+  const cryptoKey = await getSigKey(alg, key, "sign");
+  checkKeyLength(alg, cryptoKey);
+  const signature = await crypto.subtle.sign(subtleAlgorithm(alg, cryptoKey.algorithm), cryptoKey, data);
+  return new Uint8Array(signature);
+}
+class FlattenedSign {
+  #payload;
+  #protectedHeader;
+  #unprotectedHeader;
+  constructor(payload) {
+    if (!(payload instanceof Uint8Array)) {
+      throw new TypeError("payload must be an instance of Uint8Array");
+    }
+    this.#payload = payload;
+  }
+  setProtectedHeader(protectedHeader) {
+    if (this.#protectedHeader) {
+      throw new TypeError("setProtectedHeader can only be called once");
+    }
+    this.#protectedHeader = protectedHeader;
+    return this;
+  }
+  setUnprotectedHeader(unprotectedHeader) {
+    if (this.#unprotectedHeader) {
+      throw new TypeError("setUnprotectedHeader can only be called once");
+    }
+    this.#unprotectedHeader = unprotectedHeader;
+    return this;
+  }
+  async sign(key, options) {
+    if (!this.#protectedHeader && !this.#unprotectedHeader) {
+      throw new JWSInvalid("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");
+    }
+    if (!isDisjoint(this.#protectedHeader, this.#unprotectedHeader)) {
+      throw new JWSInvalid("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
+    }
+    const joseHeader = {
+      ...this.#protectedHeader,
+      ...this.#unprotectedHeader
+    };
+    const extensions = validateCrit(JWSInvalid, /* @__PURE__ */ new Map([["b64", true]]), options?.crit, this.#protectedHeader, joseHeader);
+    let b64 = true;
+    if (extensions.has("b64")) {
+      b64 = this.#protectedHeader.b64;
+      if (typeof b64 !== "boolean") {
+        throw new JWSInvalid('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
+      }
+    }
+    const { alg } = joseHeader;
+    if (typeof alg !== "string" || !alg) {
+      throw new JWSInvalid('JWS "alg" (Algorithm) Header Parameter missing or invalid');
+    }
+    checkKeyType(alg, key, "sign");
+    let payloadS;
+    let payloadB;
+    if (b64) {
+      payloadS = encode(this.#payload);
+      payloadB = encode$1(payloadS);
+    } else {
+      payloadB = this.#payload;
+      payloadS = "";
+    }
+    let protectedHeaderString;
+    let protectedHeaderBytes;
+    if (this.#protectedHeader) {
+      protectedHeaderString = encode(JSON.stringify(this.#protectedHeader));
+      protectedHeaderBytes = encode$1(protectedHeaderString);
+    } else {
+      protectedHeaderString = "";
+      protectedHeaderBytes = new Uint8Array();
+    }
+    const data = concat(protectedHeaderBytes, encode$1("."), payloadB);
+    const k = await normalizeKey(key, alg);
+    const signature = await sign(alg, k, data);
+    const jws = {
+      signature: encode(signature),
+      payload: payloadS
+    };
+    if (this.#unprotectedHeader) {
+      jws.header = this.#unprotectedHeader;
+    }
+    if (this.#protectedHeader) {
+      jws.protected = protectedHeaderString;
+    }
+    return jws;
+  }
+}
+class CompactSign {
+  #flattened;
+  constructor(payload) {
+    this.#flattened = new FlattenedSign(payload);
+  }
+  setProtectedHeader(protectedHeader) {
+    this.#flattened.setProtectedHeader(protectedHeader);
+    return this;
+  }
+  async sign(key, options) {
+    const jws = await this.#flattened.sign(key, options);
+    if (jws.payload === void 0) {
+      throw new TypeError("use the flattened module for creating JWS with b64: false");
+    }
+    return `${jws.protected}.${jws.payload}.${jws.signature}`;
+  }
+}
+class SignJWT {
+  #protectedHeader;
+  #jwt;
+  constructor(payload = {}) {
+    this.#jwt = new JWTClaimsBuilder(payload);
+  }
+  setIssuer(issuer) {
+    this.#jwt.iss = issuer;
+    return this;
+  }
+  setSubject(subject) {
+    this.#jwt.sub = subject;
+    return this;
+  }
+  setAudience(audience) {
+    this.#jwt.aud = audience;
+    return this;
+  }
+  setJti(jwtId) {
+    this.#jwt.jti = jwtId;
+    return this;
+  }
+  setNotBefore(input) {
+    this.#jwt.nbf = input;
+    return this;
+  }
+  setExpirationTime(input) {
+    this.#jwt.exp = input;
+    return this;
+  }
+  setIssuedAt(input) {
+    this.#jwt.iat = input;
+    return this;
+  }
+  setProtectedHeader(protectedHeader) {
+    this.#protectedHeader = protectedHeader;
+    return this;
+  }
+  async sign(key, options) {
+    const sig = new CompactSign(this.#jwt.data());
+    sig.setProtectedHeader(this.#protectedHeader);
+    if (Array.isArray(this.#protectedHeader?.crit) && this.#protectedHeader.crit.includes("b64") && this.#protectedHeader.b64 === false) {
+      throw new JWTInvalid("JWTs MUST NOT use unencoded payload");
+    }
+    return sig.sign(key, options);
+  }
+}
+export {
+  CompactSign,
+  FlattenedSign,
+  SignJWT,
+  ab as compactVerify,
+  ac as createLocalJWKSet,
+  ad as createRemoteJWKSet,
+  ae as customFetch,
+  errors,
+  af as flattenedVerify,
+  ag as importJWK,
+  ah as jwksCache,
+  jwtVerify
+};
+//# sourceMappingURL=index-DkoYIvIu.js.map

package/dist/chunks/index-DkoYIvIu.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index-DkoYIvIu.js","sources":["../../../../node_modules/.pnpm/jose@6.1.3/node_modules/jose/dist/webapi/lib/sign.js","../../../../node_modules/.pnpm/jose@6.1.3/node_modules/jose/dist/webapi/jws/flattened/sign.js","../../../../node_modules/.pnpm/jose@6.1.3/node_modules/jose/dist/webapi/jws/compact/sign.js","../../../../node_modules/.pnpm/jose@6.1.3/node_modules/jose/dist/webapi/jwt/sign.js"],"sourcesContent":["import { subtleAlgorithm } from './subtle_dsa.js';\nimport { checkKeyLength } from './check_key_length.js';\nimport { getSigKey } from './get_sign_verify_key.js';\nexport async function sign(alg, key, data) {\n    const cryptoKey = await getSigKey(alg, key, 'sign');\n    checkKeyLength(alg, cryptoKey);\n    const signature = await crypto.subtle.sign(subtleAlgorithm(alg, cryptoKey.algorithm), cryptoKey, data);\n    return new Uint8Array(signature);\n}\n","import { encode as b64u } from '../../util/base64url.js';\nimport { sign } from '../../lib/sign.js';\nimport { isDisjoint } from '../../lib/is_disjoint.js';\nimport { JWSInvalid } from '../../util/errors.js';\nimport { concat, encode } from '../../lib/buffer_utils.js';\nimport { checkKeyType } from '../../lib/check_key_type.js';\nimport { validateCrit } from '../../lib/validate_crit.js';\nimport { normalizeKey } from '../../lib/normalize_key.js';\nexport class FlattenedSign {\n    #payload;\n    #protectedHeader;\n    #unprotectedHeader;\n    constructor(payload) {\n        if (!(payload instanceof Uint8Array)) {\n            throw new TypeError('payload must be an instance of Uint8Array');\n        }\n        this.#payload = payload;\n    }\n    setProtectedHeader(protectedHeader) {\n        if (this.#protectedHeader) {\n            throw new TypeError('setProtectedHeader can only be called once');\n        }\n        this.#protectedHeader = protectedHeader;\n        return this;\n    }\n    setUnprotectedHeader(unprotectedHeader) {\n        if (this.#unprotectedHeader) {\n            throw new TypeError('setUnprotectedHeader can only be called once');\n        }\n        this.#unprotectedHeader = unprotectedHeader;\n        return this;\n    }\n    async sign(key, options) {\n        if (!this.#protectedHeader && !this.#unprotectedHeader) {\n            throw new JWSInvalid('either setProtectedHeader or setUnprotectedHeader must be called before #sign()');\n        }\n        if (!isDisjoint(this.#protectedHeader, this.#unprotectedHeader)) {\n            throw new JWSInvalid('JWS Protected and JWS Unprotected Header Parameter names must be disjoint');\n        }\n        const joseHeader = {\n            ...this.#protectedHeader,\n            ...this.#unprotectedHeader,\n        };\n        const extensions = validateCrit(JWSInvalid, new Map([['b64', true]]), options?.crit, this.#protectedHeader, joseHeader);\n        let b64 = true;\n        if (extensions.has('b64')) {\n            b64 = this.#protectedHeader.b64;\n            if (typeof b64 !== 'boolean') {\n                throw new JWSInvalid('The \"b64\" (base64url-encode payload) Header Parameter must be a boolean');\n            }\n        }\n        const { alg } = joseHeader;\n        if (typeof alg !== 'string' || !alg) {\n            throw new JWSInvalid('JWS \"alg\" (Algorithm) Header Parameter missing or invalid');\n        }\n        checkKeyType(alg, key, 'sign');\n        let payloadS;\n        let payloadB;\n        if (b64) {\n            payloadS = b64u(this.#payload);\n            payloadB = encode(payloadS);\n        }\n        else {\n            payloadB = this.#payload;\n            payloadS = '';\n        }\n        let protectedHeaderString;\n        let protectedHeaderBytes;\n        if (this.#protectedHeader) {\n            protectedHeaderString = b64u(JSON.stringify(this.#protectedHeader));\n            protectedHeaderBytes = encode(protectedHeaderString);\n        }\n        else {\n            protectedHeaderString = '';\n            protectedHeaderBytes = new Uint8Array();\n        }\n        const data = concat(protectedHeaderBytes, encode('.'), payloadB);\n        const k = await normalizeKey(key, alg);\n        const signature = await sign(alg, k, data);\n        const jws = {\n            signature: b64u(signature),\n            payload: payloadS,\n        };\n        if (this.#unprotectedHeader) {\n            jws.header = this.#unprotectedHeader;\n        }\n        if (this.#protectedHeader) {\n            jws.protected = protectedHeaderString;\n        }\n        return jws;\n    }\n}\n","import { FlattenedSign } from '../flattened/sign.js';\nexport class CompactSign {\n    #flattened;\n    constructor(payload) {\n        this.#flattened = new FlattenedSign(payload);\n    }\n    setProtectedHeader(protectedHeader) {\n        this.#flattened.setProtectedHeader(protectedHeader);\n        return this;\n    }\n    async sign(key, options) {\n        const jws = await this.#flattened.sign(key, options);\n        if (jws.payload === undefined) {\n            throw new TypeError('use the flattened module for creating JWS with b64: false');\n        }\n        return `${jws.protected}.${jws.payload}.${jws.signature}`;\n    }\n}\n","import { CompactSign } from '../jws/compact/sign.js';\nimport { JWTInvalid } from '../util/errors.js';\nimport { JWTClaimsBuilder } from '../lib/jwt_claims_set.js';\nexport class SignJWT {\n    #protectedHeader;\n    #jwt;\n    constructor(payload = {}) {\n        this.#jwt = new JWTClaimsBuilder(payload);\n    }\n    setIssuer(issuer) {\n        this.#jwt.iss = issuer;\n        return this;\n    }\n    setSubject(subject) {\n        this.#jwt.sub = subject;\n        return this;\n    }\n    setAudience(audience) {\n        this.#jwt.aud = audience;\n        return this;\n    }\n    setJti(jwtId) {\n        this.#jwt.jti = jwtId;\n        return this;\n    }\n    setNotBefore(input) {\n        this.#jwt.nbf = input;\n        return this;\n    }\n    setExpirationTime(input) {\n        this.#jwt.exp = input;\n        return this;\n    }\n    setIssuedAt(input) {\n        this.#jwt.iat = input;\n        return this;\n    }\n    setProtectedHeader(protectedHeader) {\n        this.#protectedHeader = protectedHeader;\n        return this;\n    }\n    async sign(key, options) {\n        const sig = new CompactSign(this.#jwt.data());\n        sig.setProtectedHeader(this.#protectedHeader);\n        if (Array.isArray(this.#protectedHeader?.crit) &&\n            this.#protectedHeader.crit.includes('b64') &&\n            this.#protectedHeader.b64 === false) {\n            throw new JWTInvalid('JWTs MUST NOT use unencoded payload');\n        }\n        return sig.sign(key, options);\n    }\n}\n"],"names":["b64u","encode"],"mappings":";;AAGO,eAAe,KAAK,KAAK,KAAK,MAAM;AACvC,QAAM,YAAY,MAAM,UAAU,KAAK,KAAK,MAAM;AAClD,iBAAe,KAAK,SAAS;AAC7B,QAAM,YAAY,MAAM,OAAO,OAAO,KAAK,gBAAgB,KAAK,UAAU,SAAS,GAAG,WAAW,IAAI;AACrG,SAAO,IAAI,WAAW,SAAS;AACnC;ACAO,MAAM,cAAc;AAAA,EACvB;AAAA,EACA;AAAA,EACA;AAAA,EACA,YAAY,SAAS;AACjB,QAAI,EAAE,mBAAmB,aAAa;AAClC,YAAM,IAAI,UAAU,2CAA2C;AAAA,IACnE;AACA,SAAK,WAAW;AAAA,EACpB;AAAA,EACA,mBAAmB,iBAAiB;AAChC,QAAI,KAAK,kBAAkB;AACvB,YAAM,IAAI,UAAU,4CAA4C;AAAA,IACpE;AACA,SAAK,mBAAmB;AACxB,WAAO;AAAA,EACX;AAAA,EACA,qBAAqB,mBAAmB;AACpC,QAAI,KAAK,oBAAoB;AACzB,YAAM,IAAI,UAAU,8CAA8C;AAAA,IACtE;AACA,SAAK,qBAAqB;AAC1B,WAAO;AAAA,EACX;AAAA,EACA,MAAM,KAAK,KAAK,SAAS;AACrB,QAAI,CAAC,KAAK,oBAAoB,CAAC,KAAK,oBAAoB;AACpD,YAAM,IAAI,WAAW,iFAAiF;AAAA,IAC1G;AACA,QAAI,CAAC,WAAW,KAAK,kBAAkB,KAAK,kBAAkB,GAAG;AAC7D,YAAM,IAAI,WAAW,2EAA2E;AAAA,IACpG;AACA,UAAM,aAAa;AAAA,MACf,GAAG,KAAK;AAAA,MACR,GAAG,KAAK;AAAA,IACpB;AACQ,UAAM,aAAa,aAAa,YAAY,oBAAI,IAAI,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,GAAG,SAAS,MAAM,KAAK,kBAAkB,UAAU;AACtH,QAAI,MAAM;AACV,QAAI,WAAW,IAAI,KAAK,GAAG;AACvB,YAAM,KAAK,iBAAiB;AAC5B,UAAI,OAAO,QAAQ,WAAW;AAC1B,cAAM,IAAI,WAAW,yEAAyE;AAAA,MAClG;AAAA,IACJ;AACA,UAAM,EAAE,IAAG,IAAK;AAChB,QAAI,OAAO,QAAQ,YAAY,CAAC,KAAK;AACjC,YAAM,IAAI,WAAW,2DAA2D;AAAA,IACpF;AACA,iBAAa,KAAK,KAAK,MAAM;AAC7B,QAAI;AACJ,QAAI;AACJ,QAAI,KAAK;AACL,iBAAWA,OAAK,KAAK,QAAQ;AAC7B,iBAAWC,SAAO,QAAQ;AAAA,IAC9B,OACK;AACD,iBAAW,KAAK;AAChB,iBAAW;AAAA,IACf;AACA,QAAI;AACJ,QAAI;AACJ,QAAI,KAAK,kBAAkB;AACvB,8BAAwBD,OAAK,KAAK,UAAU,KAAK,gBAAgB,CAAC;AAClE,6BAAuBC,SAAO,qBAAqB;AAAA,IACvD,OACK;AACD,8BAAwB;AACxB,6BAAuB,IAAI,WAAU;AAAA,IACzC;AACA,UAAM,OAAO,OAAO,sBAAsBA,SAAO,GAAG,GAAG,QAAQ;AAC/D,UAAM,IAAI,MAAM,aAAa,KAAK,GAAG;AACrC,UAAM,YAAY,MAAM,KAAK,KAAK,GAAG,IAAI;AACzC,UAAM,MAAM;AAAA,MACR,WAAWD,OAAK,SAAS;AAAA,MACzB,SAAS;AAAA,IACrB;AACQ,QAAI,KAAK,oBAAoB;AACzB,UAAI,SAAS,KAAK;AAAA,IACtB;AACA,QAAI,KAAK,kBAAkB;AACvB,UAAI,YAAY;AAAA,IACpB;AACA,WAAO;AAAA,EACX;AACJ;AC1FO,MAAM,YAAY;AAAA,EACrB;AAAA,EACA,YAAY,SAAS;AACjB,SAAK,aAAa,IAAI,cAAc,OAAO;AAAA,EAC/C;AAAA,EACA,mBAAmB,iBAAiB;AAChC,SAAK,WAAW,mBAAmB,eAAe;AAClD,WAAO;AAAA,EACX;AAAA,EACA,MAAM,KAAK,KAAK,SAAS;AACrB,UAAM,MAAM,MAAM,KAAK,WAAW,KAAK,KAAK,OAAO;AACnD,QAAI,IAAI,YAAY,QAAW;AAC3B,YAAM,IAAI,UAAU,2DAA2D;AAAA,IACnF;AACA,WAAO,GAAG,IAAI,SAAS,IAAI,IAAI,OAAO,IAAI,IAAI,SAAS;AAAA,EAC3D;AACJ;ACdO,MAAM,QAAQ;AAAA,EACjB;AAAA,EACA;AAAA,EACA,YAAY,UAAU,IAAI;AACtB,SAAK,OAAO,IAAI,iBAAiB,OAAO;AAAA,EAC5C;AAAA,EACA,UAAU,QAAQ;AACd,SAAK,KAAK,MAAM;AAChB,WAAO;AAAA,EACX;AAAA,EACA,WAAW,SAAS;AAChB,SAAK,KAAK,MAAM;AAChB,WAAO;AAAA,EACX;AAAA,EACA,YAAY,UAAU;AAClB,SAAK,KAAK,MAAM;AAChB,WAAO;AAAA,EACX;AAAA,EACA,OAAO,OAAO;AACV,SAAK,KAAK,MAAM;AAChB,WAAO;AAAA,EACX;AAAA,EACA,aAAa,OAAO;AAChB,SAAK,KAAK,MAAM;AAChB,WAAO;AAAA,EACX;AAAA,EACA,kBAAkB,OAAO;AACrB,SAAK,KAAK,MAAM;AAChB,WAAO;AAAA,EACX;AAAA,EACA,YAAY,OAAO;AACf,SAAK,KAAK,MAAM;AAChB,WAAO;AAAA,EACX;AAAA,EACA,mBAAmB,iBAAiB;AAChC,SAAK,mBAAmB;AACxB,WAAO;AAAA,EACX;AAAA,EACA,MAAM,KAAK,KAAK,SAAS;AACrB,UAAM,MAAM,IAAI,YAAY,KAAK,KAAK,KAAI,CAAE;AAC5C,QAAI,mBAAmB,KAAK,gBAAgB;AAC5C,QAAI,MAAM,QAAQ,KAAK,kBAAkB,IAAI,KACzC,KAAK,iBAAiB,KAAK,SAAS,KAAK,KACzC,KAAK,iBAAiB,QAAQ,OAAO;AACrC,YAAM,IAAI,WAAW,qCAAqC;AAAA,IAC9D;AACA,WAAO,IAAI,KAAK,KAAK,OAAO;AAAA,EAChC;AACJ;","x_google_ignoreList":[0,1,2,3]}

package/dist/collections/CliAuthRequestCollection.d.ts

@@ -0,0 +1,19 @@
+import { SmrtCollection } from '@happyvertical/smrt-core';
+import { UsersCliAuthRequest } from '../models/CliAuthRequest.js';
+export declare class UsersCliAuthRequestCollection extends SmrtCollection<UsersCliAuthRequest> {
+    static readonly _itemClass: typeof UsersCliAuthRequest;
+    /**
+     * Look up a pending or completed request by the short user code shown in the CLI.
+     */
+    findByUserCode(userCode: string): Promise<UsersCliAuthRequest | null>;
+    /**
+     * Look up a request by the hash of its device code (the CLI's polling key).
+     */
+    findByDeviceCodeHash(deviceCodeHash: string): Promise<UsersCliAuthRequest | null>;
+    /**
+     * Delete expired pending requests (cleanup job).
+     */
+    deleteExpired(): Promise<number>;
+}
+export { UsersCliAuthRequestCollection as CliAuthRequestCollection };
+//# sourceMappingURL=CliAuthRequestCollection.d.ts.map

package/dist/collections/CliAuthRequestCollection.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"CliAuthRequestCollection.d.ts","sourceRoot":"","sources":["../../src/collections/CliAuthRequestCollection.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAC1D,OAAO,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAC;AAElE,qBAAa,6BAA8B,SAAQ,cAAc,CAAC,mBAAmB,CAAC;IACpF,MAAM,CAAC,QAAQ,CAAC,UAAU,6BAAuB;IAEjD;;OAEG;IACG,cAAc,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAAC;IAQ3E;;OAEG;IACG,oBAAoB,CACxB,cAAc,EAAE,MAAM,GACrB,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAAC;IAQtC;;OAEG;IACG,aAAa,IAAI,OAAO,CAAC,MAAM,CAAC;CAevC;AAED,OAAO,EAAE,6BAA6B,IAAI,wBAAwB,EAAE,CAAC"}

package/dist/collections/GroupCollection.d.ts

@@ -0,0 +1,17 @@
+import { SmrtCollection } from '@happyvertical/smrt-core';
+import { Group } from '../models/Group.js';
+/**
+ * Collection for managing Group objects
+ */
+export declare class GroupCollection extends SmrtCollection<Group> {
+    static readonly _itemClass: typeof Group;
+    /**
+     * Find all groups in a tenant
+     */
+    findByTenant(tenantId: string): Promise<Group[]>;
+    /**
+     * Find group by slug within a tenant
+     */
+    findBySlug(slug: string, tenantId: string): Promise<Group | null>;
+}
+//# sourceMappingURL=GroupCollection.d.ts.map

package/dist/collections/GroupCollection.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"GroupCollection.d.ts","sourceRoot":"","sources":["../../src/collections/GroupCollection.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAC1D,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAE3C;;GAEG;AACH,qBAAa,eAAgB,SAAQ,cAAc,CAAC,KAAK,CAAC;IACxD,MAAM,CAAC,QAAQ,CAAC,UAAU,eAAS;IAEnC;;OAEG;IACG,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,KAAK,EAAE,CAAC;IAOtD;;OAEG;IACG,UAAU,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,KAAK,GAAG,IAAI,CAAC;CAOxE"}

package/dist/collections/GroupMemberCollection.d.ts

@@ -0,0 +1,43 @@
+import { SmrtCollection } from '@happyvertical/smrt-core';
+import { GroupMember } from '../models/GroupMember.js';
+/**
+ * Collection for managing GroupMember objects
+ */
+export declare class GroupMemberCollection extends SmrtCollection<GroupMember> {
+    static readonly _itemClass: typeof GroupMember;
+    /**
+     * Find all members of a group
+     */
+    findByGroup(groupId: string): Promise<GroupMember[]>;
+    /**
+     * Find all groups a user belongs to
+     */
+    findByUser(userId: string): Promise<GroupMember[]>;
+    /**
+     * Check if a user is in a group
+     */
+    isMember(groupId: string, userId: string): Promise<boolean>;
+    /**
+     * Add user to a group
+     */
+    addMember(groupId: string, userId: string): Promise<GroupMember>;
+    /**
+     * Remove user from a group
+     */
+    removeMember(groupId: string, userId: string): Promise<boolean>;
+    /**
+     * Get group IDs for a user
+     * @deprecated Use getGroupIdsForTenant to prevent cross-tenant leakage
+     */
+    getGroupIds(userId: string): Promise<string[]>;
+    /**
+     * Get group IDs for a user within a specific tenant
+     * This prevents cross-tenant permission leakage by filtering groups by tenant
+     */
+    getGroupIdsForTenant(userId: string, tenantId: string): Promise<string[]>;
+    /**
+     * Get user IDs in a group
+     */
+    getUserIds(groupId: string): Promise<string[]>;
+}
+//# sourceMappingURL=GroupMemberCollection.d.ts.map

package/dist/collections/GroupMemberCollection.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"GroupMemberCollection.d.ts","sourceRoot":"","sources":["../../src/collections/GroupMemberCollection.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAC1D,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AAEvD;;GAEG;AACH,qBAAa,qBAAsB,SAAQ,cAAc,CAAC,WAAW,CAAC;IACpE,MAAM,CAAC,QAAQ,CAAC,UAAU,qBAAe;IAEzC;;OAEG;IACG,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;IAM1D;;OAEG;IACG,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;IAMxD;;OAEG;IACG,QAAQ,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAQjE;;OAEG;IACG,SAAS,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;IAetE;;OAEG;IACG,YAAY,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAarE;;;OAGG;IACG,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAKpD;;;OAGG;IACG,oBAAoB,CACxB,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,MAAM,EAAE,CAAC;IAapB;;OAEG;IACG,UAAU,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;CAIrD"}

package/dist/collections/GroupRoleCollection.d.ts

@@ -0,0 +1,33 @@
+import { SmrtCollection } from '@happyvertical/smrt-core';
+import { GroupRole } from '../models/GroupRole.js';
+/**
+ * Collection for managing GroupRole objects
+ */
+export declare class GroupRoleCollection extends SmrtCollection<GroupRole> {
+    static readonly _itemClass: typeof GroupRole;
+    /**
+     * Find all roles for a group
+     */
+    findByGroup(groupId: string): Promise<GroupRole[]>;
+    /**
+     * Find all groups that have a role
+     */
+    findByRole(roleId: string): Promise<GroupRole[]>;
+    /**
+     * Check if a group has a role
+     */
+    hasRole(groupId: string, roleId: string): Promise<boolean>;
+    /**
+     * Add role to a group
+     */
+    addRole(groupId: string, roleId: string): Promise<GroupRole>;
+    /**
+     * Remove role from a group
+     */
+    removeRole(groupId: string, roleId: string): Promise<boolean>;
+    /**
+     * Get role IDs for a group
+     */
+    getRoleIds(groupId: string): Promise<string[]>;
+}
+//# sourceMappingURL=GroupRoleCollection.d.ts.map

package/dist/collections/GroupRoleCollection.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"GroupRoleCollection.d.ts","sourceRoot":"","sources":["../../src/collections/GroupRoleCollection.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAC1D,OAAO,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AAEnD;;GAEG;AACH,qBAAa,mBAAoB,SAAQ,cAAc,CAAC,SAAS,CAAC;IAChE,MAAM,CAAC,QAAQ,CAAC,UAAU,mBAAa;IAEvC;;OAEG;IACG,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;IAMxD;;OAEG;IACG,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;IAMtD;;OAEG;IACG,OAAO,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAQhE;;OAEG;IACG,OAAO,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;IAelE;;OAEG;IACG,UAAU,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAanE;;OAEG;IACG,UAAU,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;CAIrD"}

package/dist/collections/MagicLinkTokenCollection.d.ts

@@ -0,0 +1,26 @@
+import { SmrtCollection } from '@happyvertical/smrt-core';
+import { UsersMagicLinkToken } from '../models/MagicLinkToken.js';
+/**
+ * Collection for managing smrt-users magic link token records
+ */
+export declare class UsersMagicLinkTokenCollection extends SmrtCollection<UsersMagicLinkToken> {
+    static readonly _itemClass: typeof UsersMagicLinkToken;
+    /**
+     * Find a token by its nonce
+     */
+    findByNonce(nonce: string): Promise<UsersMagicLinkToken | null>;
+    /**
+     * Atomically mark a token as used (single-use enforcement).
+     *
+     * Returns true if the nonce was successfully claimed (transitioned from
+     * unused to used). Returns false if the nonce was already used, expired,
+     * or doesn't exist — preventing race conditions in concurrent verify() calls.
+     */
+    markUsed(nonce: string): Promise<boolean>;
+    /**
+     * Delete expired tokens (cleanup job)
+     */
+    deleteExpired(): Promise<number>;
+}
+export { UsersMagicLinkTokenCollection as MagicLinkTokenCollection };
+//# sourceMappingURL=MagicLinkTokenCollection.d.ts.map

package/dist/collections/MagicLinkTokenCollection.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"MagicLinkTokenCollection.d.ts","sourceRoot":"","sources":["../../src/collections/MagicLinkTokenCollection.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAC1D,OAAO,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAC;AAElE;;GAEG;AACH,qBAAa,6BAA8B,SAAQ,cAAc,CAAC,mBAAmB,CAAC;IACpF,MAAM,CAAC,QAAQ,CAAC,UAAU,6BAAuB;IAEjD;;OAEG;IACG,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAAC;IAMrE;;;;;;OAMG;IACG,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAgB/C;;OAEG;IACG,aAAa,IAAI,OAAO,CAAC,MAAM,CAAC;CAgBvC;AAED,OAAO,EAAE,6BAA6B,IAAI,wBAAwB,EAAE,CAAC"}

package/dist/collections/MembershipCollection.d.ts

@@ -0,0 +1,38 @@
+import { SmrtCollection } from '@happyvertical/smrt-core';
+import { Membership } from '../models/Membership.js';
+import { MembershipStatus } from '../types/index.js';
+/**
+ * Collection for managing Membership objects
+ */
+export declare class MembershipCollection extends SmrtCollection<Membership> {
+    static readonly _itemClass: typeof Membership;
+    /**
+     * Find all memberships for a user
+     */
+    findByUser(userId: string): Promise<Membership[]>;
+    /**
+     * Find all active memberships for a user
+     */
+    findActiveByUser(userId: string): Promise<Membership[]>;
+    /**
+     * Find all memberships in a tenant
+     */
+    findByTenant(tenantId: string): Promise<Membership[]>;
+    /**
+     * Find active memberships in a tenant
+     */
+    findActiveByTenant(tenantId: string): Promise<Membership[]>;
+    /**
+     * Find a specific user's membership in a tenant
+     */
+    findByUserAndTenant(userId: string, tenantId: string): Promise<Membership | null>;
+    /**
+     * Find memberships by role
+     */
+    findByRole(roleId: string): Promise<Membership[]>;
+    /**
+     * Find memberships by status
+     */
+    findByStatus(status: MembershipStatus): Promise<Membership[]>;
+}
+//# sourceMappingURL=MembershipCollection.d.ts.map

package/dist/collections/MembershipCollection.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"MembershipCollection.d.ts","sourceRoot":"","sources":["../../src/collections/MembershipCollection.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAC1D,OAAO,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAC;AACrD,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AAErD;;GAEG;AACH,qBAAa,oBAAqB,SAAQ,cAAc,CAAC,UAAU,CAAC;IAClE,MAAM,CAAC,QAAQ,CAAC,UAAU,oBAAc;IAExC;;OAEG;IACG,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;IAOvD;;OAEG;IACG,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;IAO7D;;OAEG;IACG,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;IAO3D;;OAEG;IACG,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;IAOjE;;OAEG;IACG,mBAAmB,CACvB,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IAQ7B;;OAEG;IACG,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;IAOvD;;OAEG;IACG,YAAY,CAAC,MAAM,EAAE,gBAAgB,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;CAMpE"}

package/dist/collections/MembershipOverrideCollection.d.ts

@@ -0,0 +1,55 @@
+import { SmrtCollection } from '@happyvertical/smrt-core';
+import { MembershipOverride } from '../models/MembershipOverride.js';
+import { OverrideEffect } from '../types/index.js';
+/**
+ * Collection for managing MembershipOverride objects
+ */
+export declare class MembershipOverrideCollection extends SmrtCollection<MembershipOverride> {
+    static readonly _itemClass: typeof MembershipOverride;
+    /**
+     * Find all overrides for a membership
+     */
+    findByMembership(membershipId: string): Promise<MembershipOverride[]>;
+    /**
+     * Find grant overrides for a membership.
+     *
+     * Filters in memory because the `effect` column is JSON-typed and
+     * Postgres rejects bare `json = text` comparisons.  A single
+     * `findByMembership` call is reused for both grant and deny lookups
+     * within the same request (see `_overridesByMembership` cache).
+     */
+    findGrants(membershipId: string): Promise<MembershipOverride[]>;
+    /**
+     * Find deny overrides for a membership.
+     *
+     * See `findGrants` for rationale on in-memory filtering.
+     */
+    findDenies(membershipId: string): Promise<MembershipOverride[]>;
+    /**
+     * Get grant permission IDs for a membership
+     */
+    getGrantedPermissionIds(membershipId: string): Promise<string[]>;
+    /**
+     * Get denied permission IDs for a membership
+     */
+    getDeniedPermissionIds(membershipId: string): Promise<string[]>;
+    /**
+     * Set an override for a membership
+     */
+    setOverride(membershipId: string, permissionId: string, effect: OverrideEffect): Promise<MembershipOverride>;
+    /**
+     * Remove an override
+     */
+    removeOverride(membershipId: string, permissionId: string): Promise<boolean>;
+    /**
+     * Grant a permission to a membership
+     * Convenience method for setOverride with GRANT effect
+     */
+    grantPermission(membershipId: string, permissionId: string): Promise<MembershipOverride>;
+    /**
+     * Deny a permission for a membership
+     * Convenience method for setOverride with DENY effect
+     */
+    denyPermission(membershipId: string, permissionId: string): Promise<MembershipOverride>;
+}
+//# sourceMappingURL=MembershipOverrideCollection.d.ts.map

package/dist/collections/MembershipOverrideCollection.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"MembershipOverrideCollection.d.ts","sourceRoot":"","sources":["../../src/collections/MembershipOverrideCollection.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAC1D,OAAO,EAAE,kBAAkB,EAAE,MAAM,iCAAiC,CAAC;AACrE,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAEnD;;GAEG;AACH,qBAAa,4BAA6B,SAAQ,cAAc,CAAC,kBAAkB,CAAC;IAClF,MAAM,CAAC,QAAQ,CAAC,UAAU,4BAAsB;IAEhD;;OAEG;IACG,gBAAgB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,EAAE,CAAC;IAM3E;;;;;;;OAOG;IACG,UAAU,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,EAAE,CAAC;IAKrE;;;;OAIG;IACG,UAAU,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,EAAE,CAAC;IAKrE;;OAEG;IACG,uBAAuB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAKtE;;OAEG;IACG,sBAAsB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAKrE;;OAEG;IACG,WAAW,CACf,YAAY,EAAE,MAAM,EACpB,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,cAAc,GACrB,OAAO,CAAC,kBAAkB,CAAC;IAoB9B;;OAEG;IACG,cAAc,CAClB,YAAY,EAAE,MAAM,EACpB,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,OAAO,CAAC;IAcnB;;;OAGG;IACG,eAAe,CACnB,YAAY,EAAE,MAAM,EACpB,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,kBAAkB,CAAC;IAQ9B;;;OAGG;IACG,cAAc,CAClB,YAAY,EAAE,MAAM,EACpB,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,kBAAkB,CAAC;CAO/B"}

package/dist/collections/PermissionCollection.d.ts

@@ -0,0 +1,34 @@
+import { SmrtCollection } from '@happyvertical/smrt-core';
+import { Permission } from '../models/Permission.js';
+/**
+ * Collection for managing Permission objects
+ */
+export declare class PermissionCollection extends SmrtCollection<Permission> {
+    static readonly _itemClass: typeof Permission;
+    /**
+     * Find permissions by category
+     */
+    findByCategory(category: string): Promise<Permission[]>;
+    /**
+     * Find permission by slug
+     */
+    findBySlug(slug: string): Promise<Permission | null>;
+    /**
+     * Batch fetch permissions by IDs
+     * Returns a Map of id -> Permission for efficient lookup
+     */
+    findByIds(ids: string[]): Promise<Map<string, Permission>>;
+    /**
+     * Get all unique categories
+     */
+    getCategories(): Promise<string[]>;
+    /**
+     * Find or create a permission by slug
+     */
+    findOrCreate(slug: string, defaults?: Partial<{
+        name: string;
+        description: string;
+        category: string;
+    }>): Promise<Permission>;
+}
+//# sourceMappingURL=PermissionCollection.d.ts.map

package/dist/collections/PermissionCollection.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"PermissionCollection.d.ts","sourceRoot":"","sources":["../../src/collections/PermissionCollection.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAC1D,OAAO,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAC;AAErD;;GAEG;AACH,qBAAa,oBAAqB,SAAQ,cAAc,CAAC,UAAU,CAAC;IAClE,MAAM,CAAC,QAAQ,CAAC,UAAU,oBAAc;IAExC;;OAEG;IACG,cAAc,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;IAO7D;;OAEG;IACG,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IAQ1D;;;OAGG;IACG,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;IAwBhE;;OAEG;IACG,aAAa,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;IAOxC;;OAEG;IACG,YAAY,CAChB,IAAI,EAAE,MAAM,EACZ,QAAQ,GAAE,OAAO,CAAC;QAChB,IAAI,EAAE,MAAM,CAAC;QACb,WAAW,EAAE,MAAM,CAAC;QACpB,QAAQ,EAAE,MAAM,CAAC;KAClB,CAAM,GACN,OAAO,CAAC,UAAU,CAAC;CAevB"}

package/dist/collections/RoleCollection.d.ts

@@ -0,0 +1,29 @@
+import { SmrtCollection } from '@happyvertical/smrt-core';
+import { Role } from '../models/Role.js';
+/**
+ * Collection for managing Role objects
+ */
+export declare class RoleCollection extends SmrtCollection<Role> {
+    static readonly _itemClass: typeof Role;
+    /**
+     * Find all system roles (tenantId is null)
+     */
+    findSystemRoles(): Promise<Role[]>;
+    /**
+     * Find roles available for a tenant (system + tenant-specific)
+     */
+    findByTenant(tenantId: string): Promise<Role[]>;
+    /**
+     * Find tenant-specific roles only
+     */
+    findTenantRoles(tenantId: string): Promise<Role[]>;
+    /**
+     * Find role by slug within a tenant context
+     */
+    findBySlug(slug: string, tenantId?: string): Promise<Role | null>;
+    /**
+     * Seed default system roles
+     */
+    seedSystemRoles(): Promise<Role[]>;
+}
+//# sourceMappingURL=RoleCollection.d.ts.map

package/dist/collections/RoleCollection.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"RoleCollection.d.ts","sourceRoot":"","sources":["../../src/collections/RoleCollection.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAC1D,OAAO,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAC;AAGzC;;GAEG;AACH,qBAAa,cAAe,SAAQ,cAAc,CAAC,IAAI,CAAC;IACtD,MAAM,CAAC,QAAQ,CAAC,UAAU,cAAQ;IAElC;;OAEG;IACG,eAAe,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;IAOxC;;OAEG;IACG,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;IASrD;;OAEG;IACG,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;IAOxD;;OAEG;IACG,UAAU,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC;IAoBvE;;OAEG;IACG,eAAe,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;CAyBzC"}

package/dist/collections/RolePermissionCollection.d.ts

@@ -0,0 +1,33 @@
+import { SmrtCollection } from '@happyvertical/smrt-core';
+import { RolePermission } from '../models/RolePermission.js';
+/**
+ * Collection for managing RolePermission objects
+ */
+export declare class RolePermissionCollection extends SmrtCollection<RolePermission> {
+    static readonly _itemClass: typeof RolePermission;
+    /**
+     * Find all permissions for a role
+     */
+    findByRole(roleId: string): Promise<RolePermission[]>;
+    /**
+     * Find all roles that have a permission
+     */
+    findByPermission(permissionId: string): Promise<RolePermission[]>;
+    /**
+     * Check if a role has a specific permission
+     */
+    hasPermission(roleId: string, permissionId: string): Promise<boolean>;
+    /**
+     * Add a permission to a role
+     */
+    addPermission(roleId: string, permissionId: string): Promise<RolePermission>;
+    /**
+     * Remove a permission from a role
+     */
+    removePermission(roleId: string, permissionId: string): Promise<boolean>;
+    /**
+     * Get permission IDs for a role
+     */
+    getPermissionIds(roleId: string): Promise<string[]>;
+}
+//# sourceMappingURL=RolePermissionCollection.d.ts.map

package/dist/collections/RolePermissionCollection.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"RolePermissionCollection.d.ts","sourceRoot":"","sources":["../../src/collections/RolePermissionCollection.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAC1D,OAAO,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAE7D;;GAEG;AACH,qBAAa,wBAAyB,SAAQ,cAAc,CAAC,cAAc,CAAC;IAC1E,MAAM,CAAC,QAAQ,CAAC,UAAU,wBAAkB;IAE5C;;OAEG;IACG,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,EAAE,CAAC;IAM3D;;OAEG;IACG,gBAAgB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,EAAE,CAAC;IAMvE;;OAEG;IACG,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAQ3E;;OAEG;IACG,aAAa,CACjB,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,cAAc,CAAC;IAe1B;;OAEG;IACG,gBAAgB,CACpB,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,OAAO,CAAC;IAanB;;OAEG;IACG,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;CAI1D"}

package/dist/collections/SessionCollection.d.ts

@@ -0,0 +1,82 @@
+import { SmrtCollection } from '@happyvertical/smrt-core';
+import { Session } from '../models/Session.js';
+/**
+ * Options for creating a new session
+ */
+export interface CreateSessionOptions {
+    /** User ID for the session */
+    userId: string;
+    /** Optional tenant ID for multi-tenant context */
+    tenantId?: string;
+    /** Session TTL in seconds (default: 7 days) */
+    ttl?: number;
+    /** User agent string */
+    userAgent?: string;
+    /** Client IP address */
+    ipAddress?: string;
+    /** Custom session data */
+    data?: Record<string, unknown>;
+}
+/**
+ * Collection for managing Session objects
+ */
+export declare class SessionCollection extends SmrtCollection<Session> {
+    static readonly _itemClass: typeof Session;
+    /**
+     * Create a new session with a secure ID
+     */
+    createSession(options: CreateSessionOptions): Promise<Session>;
+    /**
+     * Find a valid session by ID
+     * Returns null if session doesn't exist, is expired, or is revoked
+     */
+    findValidSession(sessionId: string): Promise<Session | null>;
+    /**
+     * Update last accessed time and optionally extend session
+     */
+    touch(sessionId: string, extendTtl?: boolean, ttl?: number): Promise<boolean>;
+    /**
+     * Find all active sessions for a user
+     */
+    findByUser(userId: string): Promise<Session[]>;
+    /**
+     * Delete all sessions for a user (logout from all devices)
+     */
+    deleteUserSessions(userId: string): Promise<number>;
+    /**
+     * Revoke all sessions for a user (soft delete)
+     */
+    revokeUserSessions(userId: string): Promise<number>;
+    /**
+     * Revoke a specific session
+     */
+    revokeSession(sessionId: string): Promise<boolean>;
+    /**
+     * Delete expired sessions (cleanup job)
+     * Returns the number of deleted sessions
+     */
+    deleteExpired(): Promise<number>;
+    /**
+     * Count active sessions for a user
+     */
+    countUserSessions(userId: string): Promise<number>;
+    /**
+     * Update tenant context for a session (low-level primitive).
+     *
+     * SECURITY (#1400): this does NOT verify that the session's user is a member
+     * of `tenantId` — it is the unguarded storage primitive. Application/route
+     * code must go through {@link SessionService.switchTenant}, which fail-closes
+     * on a missing/inactive membership before calling this. Calling it directly
+     * with an untrusted `tenantId` reintroduces the cross-tenant access bug.
+     */
+    setSessionTenant(sessionId: string, tenantId: string | null): Promise<boolean>;
+    /**
+     * Set custom session data
+     */
+    setSessionData(sessionId: string, key: string, value: unknown): Promise<boolean>;
+    /**
+     * Get custom session data
+     */
+    getSessionData<T>(sessionId: string, key: string): Promise<T | undefined>;
+}
+//# sourceMappingURL=SessionCollection.d.ts.map