@holeauth/core 0.0.1-alpha.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Robert Kratz
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,5 @@
+# @holeauth/core
+
+Edge-native auth primitives: JWT, sessions, password hashing, TOTP, OTP, OIDC, adapter interfaces.
+
+> Part of the [holeauth](https://github.com/robert-kratz/holeauth) ecosystem.

package/cjs-error.cjs

@@ -0,0 +1,8 @@
+// Shim loaded when a CommonJS consumer does `require('@holeauth/<pkg>')`.
+// All @holeauth/* packages are ESM-only.
+throw new Error(
+  '[@holeauth] This package is ESM-only. ' +
+    'Use `import` (or a dynamic `import()`) instead of `require()`. ' +
+    'If you are in a CommonJS project, add `"type": "module"` to your package.json ' +
+    'or migrate the consuming file to `.mjs`.',
+);

package/dist/adapters/index.d.ts

@@ -0,0 +1 @@
+export { c as AccountAdapter, d as AdapterAccount, a as AdapterAuditEvent, e as AdapterSession, A as AdapterUser, f as AdapterVerificationToken, b as AuditLogAdapter, S as SessionAdapter, T as TransactionAdapter, U as UserAdapter, V as VerificationTokenAdapter } from '../index-CNtnPdzk.js';

package/dist/adapters/index.js

@@ -0,0 +1,3 @@
+
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map

package/dist/adapters/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"names":[],"mappings":"","file":"index.js"}

package/dist/cookies/index.d.ts

@@ -0,0 +1,3 @@
+export { B as BuildCookieInput, C as CSRF_HEADER, a as CookieName, b as CookieSpec, c as buildCookie, d as cookieName, e as deleteCookie, g as generateCsrfToken, f as isProduction, s as serializeCookie, v as verifyCsrf } from '../index-BIXESLma.js';
+import '../index-BmYQquGs.js';
+import '../index-CNtnPdzk.js';

package/dist/cookies/index.js

@@ -0,0 +1,74 @@
+// src/cookies/spec.ts
+function cookieName(cfg, kind) {
+  const prefix = cfg.tokens?.cookiePrefix ?? "holeauth";
+  switch (kind) {
+    case "access":
+      return `${prefix}.at`;
+    case "refresh":
+      return `${prefix}.rt`;
+    case "csrf":
+      return `${prefix}.csrf`;
+    case "pending":
+      return `${prefix}.pending`;
+    case "oauthState":
+      return `${prefix}.oauth.state`;
+    case "oauthPkce":
+      return `${prefix}.oauth.pkce`;
+  }
+}
+function isProduction() {
+  return globalThis.process?.env?.NODE_ENV === "production";
+}
+function buildCookie(cfg, input) {
+  const httpOnly = input.httpOnly ?? input.kind !== "csrf";
+  const secure = cfg.tokens?.cookieSecure ?? isProduction();
+  return {
+    name: cookieName(cfg, input.kind),
+    value: input.value,
+    maxAge: input.maxAge,
+    httpOnly,
+    secure,
+    sameSite: input.sameSite ?? cfg.tokens?.sameSite ?? "lax",
+    path: input.path ?? "/",
+    domain: cfg.tokens?.cookieDomain
+  };
+}
+function serializeCookie(c) {
+  const parts = [`${c.name}=${encodeURIComponent(c.value)}`];
+  parts.push(`Path=${c.path}`);
+  if (c.domain) parts.push(`Domain=${c.domain}`);
+  if (c.maxAge !== void 0) {
+    parts.push(`Max-Age=${c.maxAge}`);
+    if (c.maxAge === 0) parts.push("Expires=Thu, 01 Jan 1970 00:00:00 GMT");
+  }
+  if (c.httpOnly) parts.push("HttpOnly");
+  if (c.secure) parts.push("Secure");
+  parts.push(`SameSite=${c.sameSite.charAt(0).toUpperCase()}${c.sameSite.slice(1)}`);
+  return parts.join("; ");
+}
+function deleteCookie(cfg, kind) {
+  return buildCookie(cfg, { kind, value: "", maxAge: 0 });
+}
+
+// src/cookies/csrf.ts
+var b64urlChars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
+function generateCsrfToken() {
+  const bytes = crypto.getRandomValues(new Uint8Array(32));
+  let out = "";
+  for (const b of bytes) out += b64urlChars[b % 64];
+  return out;
+}
+function verifyCsrf(cookieValue, headerValue) {
+  if (!cookieValue || !headerValue) return false;
+  if (cookieValue.length !== headerValue.length) return false;
+  let diff = 0;
+  for (let i = 0; i < cookieValue.length; i++) {
+    diff |= cookieValue.charCodeAt(i) ^ headerValue.charCodeAt(i);
+  }
+  return diff === 0;
+}
+var CSRF_HEADER = "x-csrf-token";
+
+export { CSRF_HEADER, buildCookie, cookieName, deleteCookie, generateCsrfToken, isProduction, serializeCookie, verifyCsrf };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map

package/dist/cookies/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/cookies/spec.ts","../../src/cookies/csrf.ts"],"names":[],"mappings":";AAeO,SAAS,UAAA,CAAW,KAAqB,IAAA,EAA0B;AACxE,EAAA,MAAM,MAAA,GAAS,GAAA,CAAI,MAAA,EAAQ,YAAA,IAAgB,UAAA;AAC3C,EAAA,QAAQ,IAAA;AAAM,IACZ,KAAK,QAAA;AAAc,MAAA,OAAO,GAAG,MAAM,CAAA,GAAA,CAAA;AAAA,IACnC,KAAK,SAAA;AAAc,MAAA,OAAO,GAAG,MAAM,CAAA,GAAA,CAAA;AAAA,IACnC,KAAK,MAAA;AAAc,MAAA,OAAO,GAAG,MAAM,CAAA,KAAA,CAAA;AAAA,IACnC,KAAK,SAAA;AAAc,MAAA,OAAO,GAAG,MAAM,CAAA,QAAA,CAAA;AAAA,IACnC,KAAK,YAAA;AAAc,MAAA,OAAO,GAAG,MAAM,CAAA,YAAA,CAAA;AAAA,IACnC,KAAK,WAAA;AAAc,MAAA,OAAO,GAAG,MAAM,CAAA,WAAA,CAAA;AAAA;AAEvC;AAEO,SAAS,YAAA,GAAwB;AACtC,EAAA,OAAQ,UAAA,CAA6D,OAAA,EAAS,GAAA,EAAK,QAAA,KAAa,YAAA;AAClG;AAaO,SAAS,WAAA,CAAY,KAAqB,KAAA,EAAqC;AACpF,EAAA,MAAM,QAAA,GAAW,KAAA,CAAM,QAAA,IAAY,KAAA,CAAM,IAAA,KAAS,MAAA;AAClD,EAAA,MAAM,MAAA,GAAS,GAAA,CAAI,MAAA,EAAQ,YAAA,IAAgB,YAAA,EAAa;AACxD,EAAA,OAAO;AAAA,IACL,IAAA,EAAM,UAAA,CAAW,GAAA,EAAK,KAAA,CAAM,IAAI,CAAA;AAAA,IAChC,OAAO,KAAA,CAAM,KAAA;AAAA,IACb,QAAQ,KAAA,CAAM,MAAA;AAAA,IACd,QAAA;AAAA,IACA,MAAA;AAAA,IACA,QAAA,EAAU,KAAA,CAAM,QAAA,IAAY,GAAA,CAAI,QAAQ,QAAA,IAAY,KAAA;AAAA,IACpD,IAAA,EAAM,MAAM,IAAA,IAAQ,GAAA;AAAA,IACpB,MAAA,EAAQ,IAAI,MAAA,EAAQ;AAAA,GACtB;AACF;AAGO,SAAS,gBAAgB,CAAA,EAAuB;AACrD,EAAA,MAAM,KAAA,GAAQ,CAAC,CAAA,EAAG,CAAA,CAAE,IAAI,IAAI,kBAAA,CAAmB,CAAA,CAAE,KAAK,CAAC,CAAA,CAAE,CAAA;AACzD,EAAA,KAAA,CAAM,IAAA,CAAK,CAAA,KAAA,EAAQ,CAAA,CAAE,IAAI,CAAA,CAAE,CAAA;AAC3B,EAAA,IAAI,EAAE,MAAA,EAAQ,KAAA,CAAM,KAAK,CAAA,OAAA,EAAU,CAAA,CAAE,MAAM,CAAA,CAAE,CAAA;AAC7C,EAAA,IAAI,CAAA,CAAE,WAAW,MAAA,EAAW;AAC1B,IAAA,KAAA,CAAM,IAAA,CAAK,CAAA,QAAA,EAAW,CAAA,CAAE,MAAM,CAAA,CAAE,CAAA;AAChC,IAAA,IAAI,CAAA,CAAE,MAAA,KAAW,CAAA,EAAG,KAAA,CAAM,KAAK,uCAAuC,CAAA;AAAA,EACxE;AACA,EAAA,IAAI,CAAA,CAAE,QAAA,EAAU,KAAA,CAAM,IAAA,CAAK,UAAU,CAAA;AACrC,EAAA,IAAI,CAAA,CAAE,MAAA,EAAQ,KAAA,CAAM,IAAA,CAAK,QAAQ,CAAA;AACjC,EAAA,KAAA,CAAM,IAAA,CAAK,CAAA,SAAA,EAAY,CAAA,CAAE,QAAA,CAAS,OAAO,CAAC,CAAA,CAAE,WAAA,EAAa,GAAG,CAAA,CAAE,QAAA,CAAS,KAAA,CAAM,CAAC,CAAC,CAAA,CAAE,CAAA;AACjF,EAAA,OAAO,KAAA,CAAM,KAAK,IAAI,CAAA;AACxB;AAEO,SAAS,YAAA,CAAa,KAAqB,IAAA,EAA8B;AAC9E,EAAA,OAAO,WAAA,CAAY,KAAK,EAAE,IAAA,EAAM,OAAO,EAAA,EAAI,MAAA,EAAQ,GAAG,CAAA;AACxD;;;AClEA,IAAM,WAAA,GAAc,kEAAA;AAEb,SAAS,iBAAA,GAA4B;AAC1C,EAAA,MAAM,QAAQ,MAAA,CAAO,eAAA,CAAgB,IAAI,UAAA,CAAW,EAAE,CAAC,CAAA;AACvD,EAAA,IAAI,GAAA,GAAM,EAAA;AACV,EAAA,KAAA,MAAW,CAAA,IAAK,KAAA,EAAO,GAAA,IAAO,WAAA,CAAY,IAAI,EAAE,CAAA;AAChD,EAAA,OAAO,GAAA;AACT;AAGO,SAAS,UAAA,CAAW,aAAiC,WAAA,EAA0C;AACpG,EAAA,IAAI,CAAC,WAAA,IAAe,CAAC,WAAA,EAAa,OAAO,KAAA;AACzC,EAAA,IAAI,WAAA,CAAY,MAAA,KAAW,WAAA,CAAY,MAAA,EAAQ,OAAO,KAAA;AACtD,EAAA,IAAI,IAAA,GAAO,CAAA;AACX,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,WAAA,CAAY,QAAQ,CAAA,EAAA,EAAK;AAC3C,IAAA,IAAA,IAAQ,YAAY,UAAA,CAAW,CAAC,CAAA,GAAI,WAAA,CAAY,WAAW,CAAC,CAAA;AAAA,EAC9D;AACA,EAAA,OAAO,IAAA,KAAS,CAAA;AAClB;AAEO,IAAM,WAAA,GAAc","file":"index.js","sourcesContent":["import type { HoleauthConfig } from '../types/index.js';\n\nexport interface CookieSpec {\n  name: string;\n  value: string;\n  maxAge?: number; // seconds; 0 means delete\n  httpOnly: boolean;\n  secure: boolean;\n  sameSite: 'lax' | 'strict' | 'none';\n  path: string;\n  domain?: string;\n}\n\nexport type CookieName = 'access' | 'refresh' | 'csrf' | 'pending' | 'oauthState' | 'oauthPkce';\n\nexport function cookieName(cfg: HoleauthConfig, kind: CookieName): string {\n  const prefix = cfg.tokens?.cookiePrefix ?? 'holeauth';\n  switch (kind) {\n    case 'access':     return `${prefix}.at`;\n    case 'refresh':    return `${prefix}.rt`;\n    case 'csrf':       return `${prefix}.csrf`;\n    case 'pending':    return `${prefix}.pending`;\n    case 'oauthState': return `${prefix}.oauth.state`;\n    case 'oauthPkce':  return `${prefix}.oauth.pkce`;\n  }\n}\n\nexport function isProduction(): boolean {\n  return (globalThis as { process?: { env?: { NODE_ENV?: string } } }).process?.env?.NODE_ENV === 'production';\n}\n\nexport interface BuildCookieInput {\n  kind: CookieName;\n  value: string;\n  maxAge?: number; // seconds; 0 deletes\n  /** CSRF is readable by JS — everything else is httpOnly. */\n  httpOnly?: boolean;\n  /** Override SameSite for the OAuth hop. */\n  sameSite?: 'lax' | 'strict' | 'none';\n  path?: string;\n}\n\nexport function buildCookie(cfg: HoleauthConfig, input: BuildCookieInput): CookieSpec {\n  const httpOnly = input.httpOnly ?? input.kind !== 'csrf';\n  const secure = cfg.tokens?.cookieSecure ?? isProduction();\n  return {\n    name: cookieName(cfg, input.kind),\n    value: input.value,\n    maxAge: input.maxAge,\n    httpOnly,\n    secure,\n    sameSite: input.sameSite ?? cfg.tokens?.sameSite ?? 'lax',\n    path: input.path ?? '/',\n    domain: cfg.tokens?.cookieDomain,\n  };\n}\n\n/** RFC 6265 serialisation used by Set-Cookie headers. */\nexport function serializeCookie(c: CookieSpec): string {\n  const parts = [`${c.name}=${encodeURIComponent(c.value)}`];\n  parts.push(`Path=${c.path}`);\n  if (c.domain) parts.push(`Domain=${c.domain}`);\n  if (c.maxAge !== undefined) {\n    parts.push(`Max-Age=${c.maxAge}`);\n    if (c.maxAge === 0) parts.push('Expires=Thu, 01 Jan 1970 00:00:00 GMT');\n  }\n  if (c.httpOnly) parts.push('HttpOnly');\n  if (c.secure) parts.push('Secure');\n  parts.push(`SameSite=${c.sameSite.charAt(0).toUpperCase()}${c.sameSite.slice(1)}`);\n  return parts.join('; ');\n}\n\nexport function deleteCookie(cfg: HoleauthConfig, kind: CookieName): CookieSpec {\n  return buildCookie(cfg, { kind, value: '', maxAge: 0 });\n}\n","/**\n * Double-submit CSRF protection.\n * The cookie holeauth.csrf is readable by JS (httpOnly:false). The client\n * echoes its value in header `x-csrf-token`; the server compares the two.\n * Because cross-origin JS cannot read the cookie, an attacker cannot mint\n * a matching header, defeating the cross-site POST scenario.\n */\n\nconst b64urlChars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';\n\nexport function generateCsrfToken(): string {\n  const bytes = crypto.getRandomValues(new Uint8Array(32));\n  let out = '';\n  for (const b of bytes) out += b64urlChars[b % 64];\n  return out;\n}\n\n/** Constant-time compare. */\nexport function verifyCsrf(cookieValue: string | undefined, headerValue: string | undefined): boolean {\n  if (!cookieValue || !headerValue) return false;\n  if (cookieValue.length !== headerValue.length) return false;\n  let diff = 0;\n  for (let i = 0; i < cookieValue.length; i++) {\n    diff |= cookieValue.charCodeAt(i) ^ headerValue.charCodeAt(i);\n  }\n  return diff === 0;\n}\n\nexport const CSRF_HEADER = 'x-csrf-token';\n"]}

package/dist/errors/index.d.ts

@@ -0,0 +1,40 @@
+declare class HoleauthError extends Error {
+    readonly code: string;
+    readonly status: number;
+    constructor(code: string, message: string, status?: number);
+}
+declare class InvalidTokenError extends HoleauthError {
+    constructor(message?: string);
+}
+declare class SessionExpiredError extends HoleauthError {
+    constructor(message?: string);
+}
+declare class AdapterError extends HoleauthError {
+    constructor(message?: string);
+}
+declare class ProviderError extends HoleauthError {
+    constructor(message?: string);
+}
+declare class CsrfError extends HoleauthError {
+    constructor(message?: string);
+}
+declare class CredentialsError extends HoleauthError {
+    constructor(message?: string);
+}
+declare class AccountConflictError extends HoleauthError {
+    constructor(message?: string);
+}
+declare class RefreshReuseError extends HoleauthError {
+    constructor(message?: string);
+}
+declare class PendingChallengeError extends HoleauthError {
+    constructor(message?: string);
+}
+declare class RegistrationDisabledError extends HoleauthError {
+    constructor(message?: string);
+}
+declare class NotSupportedError extends HoleauthError {
+    constructor(message?: string);
+}
+
+export { AccountConflictError, AdapterError, CredentialsError, CsrfError, HoleauthError, InvalidTokenError, NotSupportedError, PendingChallengeError, ProviderError, RefreshReuseError, RegistrationDisabledError, SessionExpiredError };

package/dist/errors/index.js

@@ -0,0 +1,70 @@
+// src/errors/index.ts
+var HoleauthError = class extends Error {
+  code;
+  status;
+  constructor(code, message, status = 400) {
+    super(message);
+    this.name = "HoleauthError";
+    this.code = code;
+    this.status = status;
+  }
+};
+var InvalidTokenError = class extends HoleauthError {
+  constructor(message = "Invalid token") {
+    super("INVALID_TOKEN", message, 401);
+  }
+};
+var SessionExpiredError = class extends HoleauthError {
+  constructor(message = "Session expired") {
+    super("SESSION_EXPIRED", message, 401);
+  }
+};
+var AdapterError = class extends HoleauthError {
+  constructor(message = "Adapter error") {
+    super("ADAPTER_ERROR", message, 500);
+  }
+};
+var ProviderError = class extends HoleauthError {
+  constructor(message = "Provider error") {
+    super("PROVIDER_ERROR", message, 502);
+  }
+};
+var CsrfError = class extends HoleauthError {
+  constructor(message = "CSRF validation failed") {
+    super("CSRF_FAILED", message, 403);
+  }
+};
+var CredentialsError = class extends HoleauthError {
+  constructor(message = "Invalid credentials") {
+    super("INVALID_CREDENTIALS", message, 401);
+  }
+};
+var AccountConflictError = class extends HoleauthError {
+  constructor(message = "Account conflict") {
+    super("ACCOUNT_CONFLICT", message, 409);
+  }
+};
+var RefreshReuseError = class extends HoleauthError {
+  constructor(message = "Refresh token reuse detected") {
+    super("REFRESH_REUSE", message, 401);
+  }
+};
+var PendingChallengeError = class extends HoleauthError {
+  constructor(message = "Pending challenge required") {
+    super("PENDING_CHALLENGE", message, 401);
+  }
+};
+var RegistrationDisabledError = class extends HoleauthError {
+  constructor(message = "Self-registration is disabled") {
+    super("REGISTRATION_DISABLED", message, 403);
+  }
+};
+var NotSupportedError = class extends HoleauthError {
+  constructor(message = "Operation not supported by adapter") {
+    super("NOT_SUPPORTED", message, 501);
+  }
+};
+
+export { AccountConflictError, AdapterError, CredentialsError, CsrfError, HoleauthError, InvalidTokenError, NotSupportedError, PendingChallengeError, ProviderError, RefreshReuseError, RegistrationDisabledError, SessionExpiredError };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map

package/dist/errors/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/errors/index.ts"],"names":[],"mappings":";AAAO,IAAM,aAAA,GAAN,cAA4B,KAAA,CAAM;AAAA,EAC9B,IAAA;AAAA,EACA,MAAA;AAAA,EACT,WAAA,CAAY,IAAA,EAAc,OAAA,EAAiB,MAAA,GAAS,GAAA,EAAK;AACvD,IAAA,KAAA,CAAM,OAAO,CAAA;AACb,IAAA,IAAA,CAAK,IAAA,GAAO,eAAA;AACZ,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AACZ,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AAAA,EAChB;AACF;AACO,IAAM,iBAAA,GAAN,cAAgC,aAAA,CAAc;AAAA,EACnD,WAAA,CAAY,UAAU,eAAA,EAAiB;AAAE,IAAA,KAAA,CAAM,eAAA,EAAiB,SAAS,GAAG,CAAA;AAAA,EAAG;AACjF;AACO,IAAM,mBAAA,GAAN,cAAkC,aAAA,CAAc;AAAA,EACrD,WAAA,CAAY,UAAU,iBAAA,EAAmB;AAAE,IAAA,KAAA,CAAM,iBAAA,EAAmB,SAAS,GAAG,CAAA;AAAA,EAAG;AACrF;AACO,IAAM,YAAA,GAAN,cAA2B,aAAA,CAAc;AAAA,EAC9C,WAAA,CAAY,UAAU,eAAA,EAAiB;AAAE,IAAA,KAAA,CAAM,eAAA,EAAiB,SAAS,GAAG,CAAA;AAAA,EAAG;AACjF;AACO,IAAM,aAAA,GAAN,cAA4B,aAAA,CAAc;AAAA,EAC/C,WAAA,CAAY,UAAU,gBAAA,EAAkB;AAAE,IAAA,KAAA,CAAM,gBAAA,EAAkB,SAAS,GAAG,CAAA;AAAA,EAAG;AACnF;AACO,IAAM,SAAA,GAAN,cAAwB,aAAA,CAAc;AAAA,EAC3C,WAAA,CAAY,UAAU,wBAAA,EAA0B;AAAE,IAAA,KAAA,CAAM,aAAA,EAAe,SAAS,GAAG,CAAA;AAAA,EAAG;AACxF;AACO,IAAM,gBAAA,GAAN,cAA+B,aAAA,CAAc;AAAA,EAClD,WAAA,CAAY,UAAU,qBAAA,EAAuB;AAAE,IAAA,KAAA,CAAM,qBAAA,EAAuB,SAAS,GAAG,CAAA;AAAA,EAAG;AAC7F;AACO,IAAM,oBAAA,GAAN,cAAmC,aAAA,CAAc;AAAA,EACtD,WAAA,CAAY,UAAU,kBAAA,EAAoB;AAAE,IAAA,KAAA,CAAM,kBAAA,EAAoB,SAAS,GAAG,CAAA;AAAA,EAAG;AACvF;AACO,IAAM,iBAAA,GAAN,cAAgC,aAAA,CAAc;AAAA,EACnD,WAAA,CAAY,UAAU,8BAAA,EAAgC;AAAE,IAAA,KAAA,CAAM,eAAA,EAAiB,SAAS,GAAG,CAAA;AAAA,EAAG;AAChG;AACO,IAAM,qBAAA,GAAN,cAAoC,aAAA,CAAc;AAAA,EACvD,WAAA,CAAY,UAAU,4BAAA,EAA8B;AAAE,IAAA,KAAA,CAAM,mBAAA,EAAqB,SAAS,GAAG,CAAA;AAAA,EAAG;AAClG;AACO,IAAM,yBAAA,GAAN,cAAwC,aAAA,CAAc;AAAA,EAC3D,WAAA,CAAY,UAAU,+BAAA,EAAiC;AAAE,IAAA,KAAA,CAAM,uBAAA,EAAyB,SAAS,GAAG,CAAA;AAAA,EAAG;AACzG;AACO,IAAM,iBAAA,GAAN,cAAgC,aAAA,CAAc;AAAA,EACnD,WAAA,CAAY,UAAU,oCAAA,EAAsC;AAAE,IAAA,KAAA,CAAM,eAAA,EAAiB,SAAS,GAAG,CAAA;AAAA,EAAG;AACtG","file":"index.js","sourcesContent":["export class HoleauthError extends Error {\n  readonly code: string;\n  readonly status: number;\n  constructor(code: string, message: string, status = 400) {\n    super(message);\n    this.name = 'HoleauthError';\n    this.code = code;\n    this.status = status;\n  }\n}\nexport class InvalidTokenError extends HoleauthError {\n  constructor(message = 'Invalid token') { super('INVALID_TOKEN', message, 401); }\n}\nexport class SessionExpiredError extends HoleauthError {\n  constructor(message = 'Session expired') { super('SESSION_EXPIRED', message, 401); }\n}\nexport class AdapterError extends HoleauthError {\n  constructor(message = 'Adapter error') { super('ADAPTER_ERROR', message, 500); }\n}\nexport class ProviderError extends HoleauthError {\n  constructor(message = 'Provider error') { super('PROVIDER_ERROR', message, 502); }\n}\nexport class CsrfError extends HoleauthError {\n  constructor(message = 'CSRF validation failed') { super('CSRF_FAILED', message, 403); }\n}\nexport class CredentialsError extends HoleauthError {\n  constructor(message = 'Invalid credentials') { super('INVALID_CREDENTIALS', message, 401); }\n}\nexport class AccountConflictError extends HoleauthError {\n  constructor(message = 'Account conflict') { super('ACCOUNT_CONFLICT', message, 409); }\n}\nexport class RefreshReuseError extends HoleauthError {\n  constructor(message = 'Refresh token reuse detected') { super('REFRESH_REUSE', message, 401); }\n}\nexport class PendingChallengeError extends HoleauthError {\n  constructor(message = 'Pending challenge required') { super('PENDING_CHALLENGE', message, 401); }\n}\nexport class RegistrationDisabledError extends HoleauthError {\n  constructor(message = 'Self-registration is disabled') { super('REGISTRATION_DISABLED', message, 403); }\n}\nexport class NotSupportedError extends HoleauthError {\n  constructor(message = 'Operation not supported by adapter') { super('NOT_SUPPORTED', message, 501); }\n}\n"]}

package/dist/events/index.d.ts

@@ -0,0 +1,3 @@
+export { u as HoleauthEvent, v as HoleauthEventType } from '../index-BmYQquGs.js';
+export { e as emit, s as subscribe, u as unsubscribe } from '../index-DRN-5E_H.js';
+import '../index-CNtnPdzk.js';

package/dist/events/index.js

@@ -0,0 +1,52 @@
+// src/events/emitter.ts
+var busByConfig = /* @__PURE__ */ new WeakMap();
+function getBus(cfg) {
+  let bus = busByConfig.get(cfg);
+  if (!bus) {
+    bus = { byType: /* @__PURE__ */ new Map(), wildcard: /* @__PURE__ */ new Set() };
+    busByConfig.set(cfg, bus);
+  }
+  return bus;
+}
+function subscribe(cfg, type, handler) {
+  const bus = getBus(cfg);
+  if (type === "*") {
+    bus.wildcard.add(handler);
+    return () => bus.wildcard.delete(handler);
+  }
+  let set = bus.byType.get(type);
+  if (!set) {
+    set = /* @__PURE__ */ new Set();
+    bus.byType.set(type, set);
+  }
+  set.add(handler);
+  return () => set.delete(handler);
+}
+function unsubscribe(cfg, type, handler) {
+  const bus = getBus(cfg);
+  if (type === "*") {
+    bus.wildcard.delete(handler);
+    return;
+  }
+  bus.byType.get(type)?.delete(handler);
+}
+async function emit(cfg, event) {
+  const withTimestamp = { at: /* @__PURE__ */ new Date(), ...event };
+  await cfg.adapters.auditLog.record(withTimestamp);
+  const bus = getBus(cfg);
+  const typed = bus.byType.get(withTimestamp.type);
+  const fire = (h) => {
+    Promise.resolve().then(() => h(withTimestamp)).catch(() => {
+    });
+  };
+  if (typed) for (const h of typed) fire(h);
+  for (const h of bus.wildcard) fire(h);
+  if (cfg.onEvent) {
+    Promise.resolve().then(() => cfg.onEvent?.(withTimestamp)).catch(() => {
+    });
+  }
+}
+
+export { emit, subscribe, unsubscribe };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map

package/dist/events/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/events/emitter.ts"],"names":[],"mappings":";AAUA,IAAM,WAAA,uBAAkB,OAAA,EAAkC;AAE1D,SAAS,OAAO,GAAA,EAA+B;AAC7C,EAAA,IAAI,GAAA,GAAM,WAAA,CAAY,GAAA,CAAI,GAAG,CAAA;AAC7B,EAAA,IAAI,CAAC,GAAA,EAAK;AACR,IAAA,GAAA,GAAM,EAAE,wBAAQ,IAAI,GAAA,IAAO,QAAA,kBAAU,IAAI,KAAI,EAAE;AAC/C,IAAA,WAAA,CAAY,GAAA,CAAI,KAAK,GAAG,CAAA;AAAA,EAC1B;AACA,EAAA,OAAO,GAAA;AACT;AAGO,SAAS,SAAA,CAAU,GAAA,EAAqB,IAAA,EAAc,OAAA,EAA8B;AACzF,EAAA,MAAM,GAAA,GAAM,OAAO,GAAG,CAAA;AACtB,EAAA,IAAI,SAAS,GAAA,EAAK;AAChB,IAAA,GAAA,CAAI,QAAA,CAAS,IAAI,OAAO,CAAA;AACxB,IAAA,OAAO,MAAM,GAAA,CAAI,QAAA,CAAS,MAAA,CAAO,OAAO,CAAA;AAAA,EAC1C;AACA,EAAA,IAAI,GAAA,GAAM,GAAA,CAAI,MAAA,CAAO,GAAA,CAAI,IAAI,CAAA;AAC7B,EAAA,IAAI,CAAC,GAAA,EAAK;AACR,IAAA,GAAA,uBAAU,GAAA,EAAI;AACd,IAAA,GAAA,CAAI,MAAA,CAAO,GAAA,CAAI,IAAA,EAAM,GAAG,CAAA;AAAA,EAC1B;AACA,EAAA,GAAA,CAAI,IAAI,OAAO,CAAA;AACf,EAAA,OAAO,MAAM,GAAA,CAAK,MAAA,CAAO,OAAO,CAAA;AAClC;AAEO,SAAS,WAAA,CAAY,GAAA,EAAqB,IAAA,EAAc,OAAA,EAAwB;AACrF,EAAA,MAAM,GAAA,GAAM,OAAO,GAAG,CAAA;AACtB,EAAA,IAAI,SAAS,GAAA,EAAK;AAChB,IAAA,GAAA,CAAI,QAAA,CAAS,OAAO,OAAO,CAAA;AAC3B,IAAA;AAAA,EACF;AACA,EAAA,GAAA,CAAI,MAAA,CAAO,GAAA,CAAI,IAAI,CAAA,EAAG,OAAO,OAAO,CAAA;AACtC;AAUA,eAAsB,IAAA,CAAK,KAAqB,KAAA,EAAqC;AACnF,EAAA,MAAM,gBAA+B,EAAE,EAAA,sBAAQ,IAAA,EAAK,EAAG,GAAG,KAAA,EAAM;AAChE,EAAA,MAAM,GAAA,CAAI,QAAA,CAAS,QAAA,CAAS,MAAA,CAAO,aAAa,CAAA;AAEhD,EAAA,MAAM,GAAA,GAAM,OAAO,GAAG,CAAA;AACtB,EAAA,MAAM,KAAA,GAAQ,GAAA,CAAI,MAAA,CAAO,GAAA,CAAI,cAAc,IAAI,CAAA;AAC/C,EAAA,MAAM,IAAA,GAAO,CAAC,CAAA,KAAe;AAC3B,IAAA,OAAA,CAAQ,OAAA,GACL,IAAA,CAAK,MAAM,EAAE,aAAa,CAAC,CAAA,CAC3B,KAAA,CAAM,MAAM;AAAA,IAAyC,CAAC,CAAA;AAAA,EAC3D,CAAA;AACA,EAAA,IAAI,KAAA,EAAO,KAAA,MAAW,CAAA,IAAK,KAAA,OAAY,CAAC,CAAA;AACxC,EAAA,KAAA,MAAW,CAAA,IAAK,GAAA,CAAI,QAAA,EAAU,IAAA,CAAK,CAAC,CAAA;AAEpC,EAAA,IAAI,IAAI,OAAA,EAAS;AACf,IAAA,OAAA,CAAQ,OAAA,EAAQ,CACb,IAAA,CAAK,MAAM,GAAA,CAAI,UAAU,aAAa,CAAC,CAAA,CACvC,KAAA,CAAM,MAAM;AAAA,IAAyC,CAAC,CAAA;AAAA,EAC3D;AACF","file":"index.js","sourcesContent":["import type { HoleauthConfig } from '../types/index.js';\nimport type { HoleauthEvent } from './types.js';\n\ntype Handler = (e: HoleauthEvent) => void | Promise<void>;\n\ninterface EventBus {\n  byType: Map<string, Set<Handler>>;\n  wildcard: Set<Handler>;\n}\n\nconst busByConfig = new WeakMap<HoleauthConfig, EventBus>();\n\nfunction getBus(cfg: HoleauthConfig): EventBus {\n  let bus = busByConfig.get(cfg);\n  if (!bus) {\n    bus = { byType: new Map(), wildcard: new Set() };\n    busByConfig.set(cfg, bus);\n  }\n  return bus;\n}\n\n/** Subscribe to an event type. Use '*' to match all events. Returns an unsubscribe fn. */\nexport function subscribe(cfg: HoleauthConfig, type: string, handler: Handler): () => void {\n  const bus = getBus(cfg);\n  if (type === '*') {\n    bus.wildcard.add(handler);\n    return () => bus.wildcard.delete(handler);\n  }\n  let set = bus.byType.get(type);\n  if (!set) {\n    set = new Set();\n    bus.byType.set(type, set);\n  }\n  set.add(handler);\n  return () => set!.delete(handler);\n}\n\nexport function unsubscribe(cfg: HoleauthConfig, type: string, handler: Handler): void {\n  const bus = getBus(cfg);\n  if (type === '*') {\n    bus.wildcard.delete(handler);\n    return;\n  }\n  bus.byType.get(type)?.delete(handler);\n}\n\n/**\n * emit() persists the event via the mandatory AuditLogAdapter and\n * additionally fans out to all subscribers (typed + wildcard) plus the\n * legacy `cfg.onEvent` hook — all fire-and-forget so business flows are\n * never blocked by observer failures.\n *\n * Callers MUST await emit(): audit persistence is a hard requirement.\n */\nexport async function emit(cfg: HoleauthConfig, event: HoleauthEvent): Promise<void> {\n  const withTimestamp: HoleauthEvent = { at: new Date(), ...event };\n  await cfg.adapters.auditLog.record(withTimestamp);\n\n  const bus = getBus(cfg);\n  const typed = bus.byType.get(withTimestamp.type);\n  const fire = (h: Handler) => {\n    Promise.resolve()\n      .then(() => h(withTimestamp))\n      .catch(() => { /* observer errors do not propagate */ });\n  };\n  if (typed) for (const h of typed) fire(h);\n  for (const h of bus.wildcard) fire(h);\n\n  if (cfg.onEvent) {\n    Promise.resolve()\n      .then(() => cfg.onEvent?.(withTimestamp))\n      .catch(() => { /* observer errors do not propagate */ });\n  }\n}\n"]}

package/dist/flows/index.d.ts

@@ -0,0 +1,4 @@
+export { c as changePassword, a as consumeInvite, b as consumePasswordReset, d as createInvite, e as deleteUser, g as getInviteInfo, f as issuePendingToken, l as listInvites, r as refresh, h as register, j as requestPasswordReset, k as revokeInvite, s as signIn, m as signOut, u as updateUser, v as verifyPendingToken } from '../index-BbEXbI_k.js';
+import '../index-BmYQquGs.js';
+import '../index-CNtnPdzk.js';
+import '../registry-CZhM1tEB.js';