@kyro-cms/core 0.1.1 → 0.1.3

package/dist/index.js

@@ -1,3 +1,6 @@
+export { allSettingsGlobals, blogCollections, blogGlobals, coreSettingsGlobals, createTemplateConfig, ecommerceCollections, ecommerceGlobals, ecommerceSettingsGlobals, kitchenSinkCollections, mediaCollections, minimalCollections } from './chunk-3QX6KG2S.js';
+import { RedisAuthAdapter, EmailTransport, PasswordPolicy } from './chunk-V67YXRBT.js';
+export { EmailTransport, PasswordPolicy, RedisAuthAdapter, autoBootstrap, bootstrapAdmin, getBootstrapFromEnv } from './chunk-V67YXRBT.js';
 import { createKyroServer } from './chunk-UEYC46RL.js';
 export { createContext, createCountProcedure, createCreateProcedure, createDeleteProcedure, createDynamicRouter, createFindByIDProcedure, createFindProcedure, createKyroServer, createUpdateProcedure } from './chunk-UEYC46RL.js';
 import { buildGraphQLSchema } from './chunk-OG3KX56O.js';
@@ -7,15 +10,20 @@ export { createHonoApp, createRESTAPI } from './chunk-YPAFJ7EV.js';
 export { evaluateAccess, getWhereClause, mergeWhereClauses } from './chunk-SDMNUYVU.js';
 import { KyroPubSub, createWSServer } from './chunk-3TPQ2BU6.js';
 export { KyroPubSub, KyroWSServer, PubSub, createWSServer } from './chunk-3TPQ2BU6.js';
-export { DrizzleAdapter, collectionToDrizzleSchema, createDrizzleAdapter, fieldToDrizzleType } from './chunk-DKSMFC3L.js';
+export { DrizzleAdapter, collectionToDrizzleSchema, createDrizzleAdapter, fieldToDrizzleType } from './chunk-EINVJPFM.js';
+export { PostgresAuthAdapter } from './chunk-M4JFHQ5J.js';
+export { createDatabase, runMigrations, seedDefaultRoles } from './chunk-XLMVCGXA.js';
+import './chunk-KA3UOIFC.js';
 export { MongoDBAdapter, createMongoDBAdapter } from './chunk-DIC236EW.js';
 import { AbstractBaseAdapter } from './chunk-BXMWDUED.js';
 export { AbstractBaseAdapter } from './chunk-BXMWDUED.js';
+import './chunk-PZ5AY32C.js';
 import { z } from 'zod';
 export { z } from 'zod';
-import bcrypt from 'bcrypt';
-import jwt from 'jsonwebtoken';
-import { randomUUID } from 'crypto';
+import bcrypt2 from 'bcrypt';
+import jwt2 from 'jsonwebtoken';
+import bcrypt from 'bcryptjs';
+import { randomBytes } from 'crypto';
 
 // src/registry/validator.ts
 var ConfigValidationError = class extends Error {
@@ -645,10 +653,6 @@ var Registry = class {
     if (this.initialized) {
       throw new Error("Cannot add collections after Registry has been initialized");
     }
-    const errors = validateCollection(config);
-    if (errors.length > 0) {
-      throw new Error(`Invalid collection config: ${errors.join(", ")}`);
-    }
     let finalConfig = { ...config };
     for (const plugin of this.plugins) {
       if (plugin.extendCollection) {
@@ -656,6 +660,10 @@ var Registry = class {
       }
     }
     finalConfig.fields = this.applyFieldDefaults(finalConfig);
+    const errors = validateCollection(finalConfig);
+    if (errors.length > 0) {
+      throw new Error(`Invalid collection config: ${errors.join(", ")}`);
+    }
     this.collections.set(finalConfig.slug, finalConfig);
     this.clearSchemaCache(finalConfig.slug);
   }
@@ -1143,13 +1151,13 @@ async function runFieldHooks(hooks, args) {
 // src/database/local/adapter.ts
 var LocalAdapter = class extends AbstractBaseAdapter {
   db;
+  path;
   migrations = /* @__PURE__ */ new Map();
   constructor(options) {
     super();
+    this.path = options.path;
     if (options.db) {
       this.db = options.db;
-    } else if (options.path) {
-      this.db = null;
     } else {
       this.db = null;
     }
@@ -1157,12 +1165,12 @@ var LocalAdapter = class extends AbstractBaseAdapter {
   async connect() {
     if (!this.db) {
       const Database = (await import('better-sqlite3')).default;
-      this.db = new Database(":memory:");
+      this.db = new Database(this.path || ":memory:");
     }
     this.db.pragma("journal_mode = WAL");
     this.db.pragma("foreign_keys = ON");
     this.connected = true;
-    console.log("[LocalAdapter] Connected to SQLite");
+    console.log(`[LocalAdapter] Connected to SQLite (${this.path || "memory"})`);
   }
   async disconnect() {
     if (this.db) {
@@ -1992,6 +2000,1333 @@ var defaultFieldStyling = {
     }
   }
 };
+var SQLiteAuthAdapter = class {
+  db = null;
+  path;
+  saltRounds;
+  externalDb;
+  constructor(options = {}) {
+    this.path = options.path || "./data.db";
+    this.saltRounds = options.saltRounds || 12;
+    this.externalDb = !!options.db;
+    if (options.db) {
+      this.db = options.db;
+    }
+  }
+  async connect() {
+    if (this.db) return;
+    const Database = (await import('better-sqlite3')).default;
+    this.db = new Database(this.path);
+    this.db.pragma("journal_mode = WAL");
+    this.db.pragma("foreign_keys = ON");
+    this.ensureTables();
+  }
+  async disconnect() {
+    if (this.db && !this.externalDb) {
+      this.db.close();
+      this.db = null;
+    }
+  }
+  ensureTables() {
+    if (!this.db) return;
+    this.db.exec(`
+      CREATE TABLE IF NOT EXISTS kyro_users (
+        id TEXT PRIMARY KEY,
+        email TEXT UNIQUE NOT NULL,
+        password_hash TEXT NOT NULL,
+        role TEXT NOT NULL DEFAULT 'customer',
+        tenant_id TEXT,
+        email_verified INTEGER DEFAULT 0,
+        locked INTEGER DEFAULT 0,
+        last_login TEXT,
+        failed_login_attempts INTEGER DEFAULT 0,
+        locked_until TEXT,
+        created_at TEXT NOT NULL,
+        updated_at TEXT NOT NULL
+      );
+
+      CREATE TABLE IF NOT EXISTS kyro_sessions (
+        id TEXT PRIMARY KEY,
+        user_id TEXT NOT NULL,
+        token TEXT NOT NULL,
+        refresh_token TEXT,
+        expires_at TEXT NOT NULL,
+        created_at TEXT NOT NULL,
+        ip_address TEXT,
+        user_agent TEXT,
+        FOREIGN KEY (user_id) REFERENCES kyro_users(id) ON DELETE CASCADE
+      );
+
+      CREATE TABLE IF NOT EXISTS kyro_password_history (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        user_id TEXT NOT NULL,
+        password_hash TEXT NOT NULL,
+        created_at TEXT NOT NULL,
+        FOREIGN KEY (user_id) REFERENCES kyro_users(id) ON DELETE CASCADE
+      );
+
+      CREATE INDEX IF NOT EXISTS idx_kyro_users_email ON kyro_users(email);
+      CREATE INDEX IF NOT EXISTS idx_kyro_sessions_user_id ON kyro_sessions(user_id);
+      CREATE INDEX IF NOT EXISTS idx_kyro_sessions_token ON kyro_sessions(token);
+      CREATE INDEX IF NOT EXISTS idx_kyro_sessions_refresh_token ON kyro_sessions(refresh_token);
+      CREATE INDEX IF NOT EXISTS idx_kyro_password_history_user_id ON kyro_password_history(user_id);
+    `);
+  }
+  async createUser(data) {
+    if (!this.db) throw new Error("Not connected");
+    const id = randomBytes(16).toString("hex");
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const user = {
+      id,
+      email: data.email.toLowerCase(),
+      passwordHash: data.passwordHash,
+      role: data.role || "customer",
+      tenantId: data.tenantId,
+      createdAt: now,
+      updatedAt: now
+    };
+    this.db.prepare(
+      `INSERT INTO kyro_users (id, email, password_hash, role, tenant_id, created_at, updated_at)
+         VALUES (?, ?, ?, ?, ?, ?, ?)`
+    ).run(
+      id,
+      user.email,
+      user.passwordHash,
+      user.role,
+      user.tenantId,
+      now,
+      now
+    );
+    return user;
+  }
+  async findUserByEmail(email) {
+    if (!this.db) throw new Error("Not connected");
+    const row = this.db.prepare("SELECT * FROM kyro_users WHERE email = ?").get(email.toLowerCase());
+    if (!row) return null;
+    return this.rowToUser(row);
+  }
+  async findUserById(userId) {
+    if (!this.db) throw new Error("Not connected");
+    const row = this.db.prepare("SELECT * FROM kyro_users WHERE id = ?").get(userId);
+    if (!row) return null;
+    return this.rowToUser(row);
+  }
+  async updateUser(userId, data) {
+    if (!this.db) throw new Error("Not connected");
+    const existing = await this.findUserById(userId);
+    if (!existing) return null;
+    const updates = [];
+    const values = [];
+    if (data.email !== void 0) {
+      updates.push("email = ?");
+      values.push(data.email.toLowerCase());
+    }
+    if (data.passwordHash !== void 0) {
+      updates.push("password_hash = ?");
+      values.push(data.passwordHash);
+    }
+    if (data.role !== void 0) {
+      updates.push("role = ?");
+      values.push(data.role);
+    }
+    if (data.tenantId !== void 0) {
+      updates.push("tenant_id = ?");
+      values.push(data.tenantId);
+    }
+    if (data.emailVerified !== void 0) {
+      updates.push("email_verified = ?");
+      values.push(data.emailVerified ? 1 : 0);
+    }
+    if (data.locked !== void 0) {
+      updates.push("locked = ?");
+      values.push(data.locked ? 1 : 0);
+    }
+    if (data.lastLogin !== void 0) {
+      updates.push("last_login = ?");
+      values.push(data.lastLogin);
+    }
+    if (data.failedLoginAttempts !== void 0) {
+      updates.push("failed_login_attempts = ?");
+      values.push(data.failedLoginAttempts);
+    }
+    updates.push("updated_at = ?");
+    values.push((/* @__PURE__ */ new Date()).toISOString());
+    values.push(userId);
+    this.db.prepare(`UPDATE kyro_users SET ${updates.join(", ")} WHERE id = ?`).run(...values);
+    return this.findUserById(userId);
+  }
+  async deleteUser(userId) {
+    if (!this.db) throw new Error("Not connected");
+    const result = this.db.prepare("DELETE FROM kyro_users WHERE id = ?").run(userId);
+    return result.changes > 0;
+  }
+  async hashPassword(password) {
+    return bcrypt.hash(password, this.saltRounds);
+  }
+  async verifyPassword(password, hash) {
+    return bcrypt.compare(password, hash);
+  }
+  async createSession(userId, data = {}) {
+    if (!this.db) throw new Error("Not connected");
+    const id = randomBytes(32).toString("hex");
+    const token = randomBytes(32).toString("base64url");
+    const refreshToken = randomBytes(32).toString("base64url");
+    const now = /* @__PURE__ */ new Date();
+    const expiresAt = new Date(now.getTime() + 864e5).toISOString();
+    const session = {
+      id,
+      userId,
+      token,
+      refreshToken,
+      expiresAt,
+      createdAt: now.toISOString(),
+      ipAddress: data.ipAddress,
+      userAgent: data.userAgent
+    };
+    this.db.prepare(
+      `INSERT INTO kyro_sessions (id, user_id, token, refresh_token, expires_at, created_at, ip_address, user_agent)
+         VALUES (?, ?, ?, ?, ?, ?, ?, ?)`
+    ).run(
+      session.id,
+      session.userId,
+      session.token,
+      session.refreshToken,
+      session.expiresAt,
+      session.createdAt,
+      session.ipAddress,
+      session.userAgent
+    );
+    return session;
+  }
+  async findSessionByToken(token) {
+    if (!this.db) throw new Error("Not connected");
+    const row = this.db.prepare("SELECT * FROM kyro_sessions WHERE token = ?").get(token);
+    if (!row) return null;
+    return this.rowToSession(row);
+  }
+  async findSessionByRefreshToken(refreshToken) {
+    if (!this.db) throw new Error("Not connected");
+    const row = this.db.prepare("SELECT * FROM kyro_sessions WHERE refresh_token = ?").get(refreshToken);
+    if (!row) return null;
+    return this.rowToSession(row);
+  }
+  async deleteSession(sessionId) {
+    if (!this.db) throw new Error("Not connected");
+    const result = this.db.prepare("DELETE FROM kyro_sessions WHERE id = ? OR token = ?").run(sessionId, sessionId);
+    return result.changes > 0;
+  }
+  async deleteUserSessions(userId) {
+    if (!this.db) throw new Error("Not connected");
+    const result = this.db.prepare("DELETE FROM kyro_sessions WHERE user_id = ?").run(userId);
+    return result.changes;
+  }
+  async hasAnyUsers() {
+    if (!this.db) throw new Error("Not connected");
+    const row = this.db.prepare("SELECT COUNT(*) as count FROM kyro_users").get();
+    return row.count > 0;
+  }
+  async addPasswordToHistory(userId, passwordHash) {
+    if (!this.db) throw new Error("Not connected");
+    this.db.prepare(
+      "INSERT INTO kyro_password_history (user_id, password_hash, created_at) VALUES (?, ?, ?)"
+    ).run(userId, passwordHash, (/* @__PURE__ */ new Date()).toISOString());
+    this.db.prepare(
+      `DELETE FROM kyro_password_history WHERE id IN (
+          SELECT id FROM kyro_password_history WHERE user_id = ? ORDER BY created_at DESC LIMIT -1 OFFSET 5
+        )`
+    ).run(userId);
+  }
+  async getPasswordHistory(userId, count = 5) {
+    if (!this.db) throw new Error("Not connected");
+    const rows = this.db.prepare(
+      "SELECT password_hash FROM kyro_password_history WHERE user_id = ? ORDER BY created_at DESC LIMIT ?"
+    ).all(userId, count);
+    return rows.map((r) => r.password_hash);
+  }
+  rowToUser(row) {
+    return {
+      id: row.id,
+      email: row.email,
+      passwordHash: row.password_hash,
+      role: row.role,
+      tenantId: row.tenant_id,
+      emailVerified: row.email_verified === 1,
+      locked: row.locked === 1,
+      lastLogin: row.last_login,
+      failedLoginAttempts: row.failed_login_attempts || 0,
+      createdAt: row.created_at,
+      updatedAt: row.updated_at
+    };
+  }
+  rowToSession(row) {
+    return {
+      id: row.id,
+      userId: row.user_id,
+      token: row.token,
+      refreshToken: row.refresh_token,
+      expiresAt: row.expires_at,
+      createdAt: row.created_at,
+      ipAddress: row.ip_address,
+      userAgent: row.user_agent
+    };
+  }
+};
+
+// src/auth/security/lockout.ts
+var DEFAULT_LOCKOUT_CONFIG = {
+  maxAttempts: 5,
+  lockDuration: 9e5,
+  notifyUser: true,
+  notifyAdmin: true,
+  adminNotifyAfter: 3
+};
+var AccountLockout = class {
+  redis;
+  prefix;
+  config;
+  constructor(redis, config = {}, prefix = "kyro:lockout:") {
+    this.redis = redis;
+    this.prefix = prefix;
+    this.config = { ...DEFAULT_LOCKOUT_CONFIG, ...config };
+  }
+  lockKey(userId) {
+    return `${this.prefix}${userId}`;
+  }
+  historyKey(userId) {
+    return `${this.prefix}${userId}:history`;
+  }
+  async checkLockout(userId) {
+    const key = this.lockKey(userId);
+    const data = await this.redis.hgetall(key);
+    if (!data || Object.keys(data).length === 0) {
+      return {
+        locked: false,
+        attemptsRemaining: this.config.maxAttempts,
+        totalAttempts: 0
+      };
+    }
+    const attempts = parseInt(data.attempts, 10);
+    const lockedUntil = data.lockedUntil ? new Date(parseInt(data.lockedUntil, 10)) : void 0;
+    if (lockedUntil && lockedUntil > /* @__PURE__ */ new Date()) {
+      return {
+        locked: true,
+        attemptsRemaining: 0,
+        lockedUntil,
+        totalAttempts: attempts
+      };
+    }
+    if (lockedUntil && lockedUntil <= /* @__PURE__ */ new Date()) {
+      await this.unlockAccount(userId);
+      return {
+        locked: false,
+        attemptsRemaining: this.config.maxAttempts,
+        totalAttempts: 0
+      };
+    }
+    return {
+      locked: false,
+      attemptsRemaining: Math.max(0, this.config.maxAttempts - attempts),
+      totalAttempts: attempts
+    };
+  }
+  async recordFailedAttempt(userId) {
+    const key = this.lockKey(userId);
+    const historyKey = this.historyKey(userId);
+    const now = Date.now();
+    const current = await this.redis.hincrby(key, "attempts", 1);
+    await this.redis.hset(key, "lastAttempt", now.toString());
+    await this.redis.lpush(historyKey, now.toString());
+    await this.redis.ltrim(historyKey, 0, 99);
+    if (current >= this.config.maxAttempts) {
+      const lockedUntil = new Date(now + this.config.lockDuration);
+      await this.redis.hset(key, {
+        lockedAt: now.toString(),
+        lockedUntil: lockedUntil.getTime().toString()
+      });
+      await this.redis.expire(
+        key,
+        Math.ceil(this.config.lockDuration / 1e3) + 3600
+      );
+      return {
+        locked: true,
+        attemptsRemaining: 0,
+        lockedUntil,
+        totalAttempts: current
+      };
+    }
+    return {
+      locked: false,
+      attemptsRemaining: Math.max(0, this.config.maxAttempts - current),
+      totalAttempts: current
+    };
+  }
+  async lockAccount(userId, duration) {
+    const key = this.lockKey(userId);
+    const now = Date.now();
+    const lockDuration = duration || this.config.lockDuration;
+    const lockedUntil = new Date(now + lockDuration);
+    const pipeline = this.redis.pipeline();
+    pipeline.hset(key, {
+      attempts: this.config.maxAttempts.toString(),
+      lockedAt: now.toString(),
+      lockedUntil: lockedUntil.getTime().toString()
+    });
+    pipeline.expire(key, Math.ceil(lockDuration / 1e3) + 3600);
+    await pipeline.exec();
+  }
+  async unlockAccount(userId) {
+    const key = this.lockKey(userId);
+    await this.redis.del(key);
+  }
+  async resetAttempts(userId) {
+    const key = this.lockKey(userId);
+    const data = await this.redis.hgetall(key);
+    if (data.lockedAt) {
+      await this.redis.hset(key, {
+        attempts: "0",
+        lockedAt: "",
+        lockedUntil: ""
+      });
+    } else {
+      await this.redis.del(key);
+    }
+  }
+  async getLockoutHistory(userId, limit = 10) {
+    const historyKey = this.historyKey(userId);
+    const timestamps = await this.redis.lrange(historyKey, 0, limit - 1);
+    return timestamps.map((ts) => new Date(parseInt(ts, 10)));
+  }
+  async getLockoutStats(userId) {
+    const historyKey = this.historyKey(userId);
+    const timestamps = await this.redis.lrange(historyKey, 0, -1);
+    const lockouts = timestamps.filter((_, i) => {
+      const attemptNum = i + 1;
+      return attemptNum % this.config.maxAttempts === 0;
+    }).length;
+    const lastLockoutData = await this.redis.hget(
+      this.lockKey(userId),
+      "lockedAt"
+    );
+    return {
+      totalFailedAttempts: timestamps.length,
+      lockoutCount: lockouts,
+      lastLockout: lastLockoutData ? new Date(parseInt(lastLockoutData, 10)) : null,
+      averageAttemptsBeforeLockout: lockouts > 0 ? this.config.maxAttempts : 0
+    };
+  }
+  shouldNotifyAdmin(currentAttempts) {
+    return this.config.notifyAdmin && currentAttempts >= this.config.adminNotifyAfter;
+  }
+  getConfig() {
+    return { ...this.config };
+  }
+  setConfig(config) {
+    this.config = { ...this.config, ...config };
+  }
+};
+
+// src/auth/security/rate-limit.ts
+var DEFAULT_RATE_LIMITS = {
+  "auth:login": { window: 9e5, max: 5 },
+  "auth:register": { window: 36e5, max: 3 },
+  "auth:forgot": { window: 36e5, max: 3 },
+  "auth:reset": { window: 36e5, max: 5 },
+  "auth:verify": { window: 36e5, max: 5 },
+  "api:general": { window: 6e4, max: 100 },
+  "api:authenticated": { window: 6e4, max: 200 }
+};
+var RateLimiter = class {
+  redis;
+  prefix;
+  limits;
+  userLimits;
+  constructor(redis, limits, userLimits, prefix = "kyro:ratelimit:") {
+    this.redis = redis;
+    this.prefix = prefix;
+    this.limits = { ...DEFAULT_RATE_LIMITS, ...limits };
+    this.userLimits = userLimits || {
+      "user:api": { window: 6e4, max: 500 },
+      "user:write": { window: 36e5, max: 100 }
+    };
+  }
+  getKey(type, identifier) {
+    return `${this.prefix}${type}:${identifier}`;
+  }
+  async check(type, identifier) {
+    const config = this.limits[type] || this.limits["api:general"];
+    const key = this.getKey(type, identifier);
+    const now = Date.now();
+    const windowStart = now - config.window;
+    const pipeline = this.redis.pipeline();
+    pipeline.zremrangebyscore(key, 0, windowStart);
+    pipeline.zcard(key);
+    pipeline.zadd(key, now, `${now}:${Math.random()}`);
+    pipeline.expire(key, Math.ceil(config.window / 1e3) + 1);
+    const results = await pipeline.exec();
+    const count = results?.[1]?.[1] || 0;
+    if (count >= config.max) {
+      const oldestTimestamp = await this.redis.zrange(key, 0, 0, "WITHSCORES");
+      const resetAt = oldestTimestamp.length > 1 ? parseInt(oldestTimestamp[1], 10) + config.window : now + config.window;
+      return {
+        allowed: false,
+        remaining: 0,
+        resetAt,
+        retryAfter: Math.ceil((resetAt - now) / 1e3)
+      };
+    }
+    return {
+      allowed: true,
+      remaining: config.max - count - 1,
+      resetAt: now + config.window
+    };
+  }
+  async checkUser(type, userId, identifier) {
+    const config = this.userLimits[type] || this.userLimits["user:api"];
+    const key = this.getKey(`user:${type}:${userId}`, identifier);
+    const now = Date.now();
+    const windowStart = now - config.window;
+    const pipeline = this.redis.pipeline();
+    pipeline.zremrangebyscore(key, 0, windowStart);
+    pipeline.zcard(key);
+    pipeline.zadd(key, now, `${now}:${Math.random()}`);
+    pipeline.expire(key, Math.ceil(config.window / 1e3) + 1);
+    const results = await pipeline.exec();
+    const count = results?.[1]?.[1] || 0;
+    if (count >= config.max) {
+      const oldestTimestamp = await this.redis.zrange(key, 0, 0, "WITHSCORES");
+      const resetAt = oldestTimestamp.length > 1 ? parseInt(oldestTimestamp[1], 10) + config.window : now + config.window;
+      return {
+        allowed: false,
+        remaining: 0,
+        resetAt,
+        retryAfter: Math.ceil((resetAt - now) / 1e3)
+      };
+    }
+    return {
+      allowed: true,
+      remaining: config.max - count - 1,
+      resetAt: now + config.window
+    };
+  }
+  async reset(type, identifier) {
+    const key = this.getKey(type, identifier);
+    await this.redis.del(key);
+  }
+  async resetUser(type, userId, identifier) {
+    const key = this.getKey(`user:${type}:${userId}`, identifier);
+    await this.redis.del(key);
+  }
+  async getStatus(type, identifier) {
+    const config = this.limits[type] || this.limits["api:general"];
+    const key = this.getKey(type, identifier);
+    const now = Date.now();
+    const windowStart = now - config.window;
+    await this.redis.zremrangebyscore(key, 0, windowStart);
+    const count = await this.redis.zcard(key);
+    return {
+      count,
+      limit: config.max,
+      remaining: Math.max(0, config.max - count),
+      resetAt: now + config.window
+    };
+  }
+  setLimit(type, config) {
+    this.limits[type] = config;
+  }
+  setUserLimit(type, config) {
+    this.userLimits[type] = config;
+  }
+};
+var AuditLogger = class {
+  redis;
+  prefix;
+  retentionDays;
+  constructor(redis, retentionDays = 30, prefix = "kyro:audit:") {
+    this.redis = redis;
+    this.prefix = prefix;
+    this.retentionDays = retentionDays;
+  }
+  async log(data) {
+    const id = randomBytes(16).toString("hex");
+    const timestamp = /* @__PURE__ */ new Date();
+    const log = {
+      ...data,
+      id,
+      timestamp
+    };
+    const key = this.getKeyForDate(timestamp);
+    const hashKey = `${this.prefix}log:${id}`;
+    await this.redis.hset(hashKey, this.serializeLog(log));
+    await this.redis.expire(hashKey, this.retentionDays * 24 * 60 * 60 + 3600);
+    await this.redis.zadd(key, timestamp.getTime(), id);
+    await this.redis.expire(key, this.retentionDays * 24 * 60 * 60 + 3600);
+    const userIndex = data.userId ? `${this.prefix}user:${data.userId}` : null;
+    if (userIndex) {
+      await this.redis.zadd(userIndex, timestamp.getTime(), id);
+      await this.redis.expire(
+        userIndex,
+        this.retentionDays * 24 * 60 * 60 + 3600
+      );
+    }
+    return id;
+  }
+  async get(id) {
+    const hashKey = `${this.prefix}log:${id}`;
+    const data = await this.redis.hgetall(hashKey);
+    if (!data || Object.keys(data).length === 0) {
+      return null;
+    }
+    return this.deserializeLog(data);
+  }
+  async query(filter = {}) {
+    const { limit = 50, offset = 0 } = filter;
+    let keys = [];
+    if (filter.userId) {
+      keys.push(`${this.prefix}user:${filter.userId}`);
+    } else if (filter.startDate || filter.endDate) {
+      keys = this.getKeysForDateRange(filter.startDate, filter.endDate);
+    } else {
+      const now = /* @__PURE__ */ new Date();
+      keys = this.getKeysForDateRange(
+        new Date(now.getTime() - this.retentionDays * 24 * 60 * 60 * 1e3),
+        now
+      );
+    }
+    let idScores = [];
+    for (const key of keys) {
+      const items = await this.redis.zrange(key, 0, -1, "WITHSCORES");
+      for (let i = 0; i < items.length; i += 2) {
+        idScores.push([items[i], parseInt(items[i + 1], 10)]);
+      }
+    }
+    idScores.sort((a, b) => b[1] - a[1]);
+    const total = idScores.length;
+    idScores = idScores.slice(offset, offset + limit);
+    const logs = [];
+    for (const [id] of idScores) {
+      const log = await this.get(id);
+      if (log) {
+        if (this.matchesFilter(log, filter)) {
+          logs.push(log);
+        }
+      }
+    }
+    return { logs, total };
+  }
+  async getRecent(limit = 50) {
+    const logs = [];
+    const now = /* @__PURE__ */ new Date();
+    const keys = this.getKeysForDateRange(
+      new Date(now.getTime() - 7 * 24 * 60 * 60 * 1e3),
+      now
+    );
+    let allIds = [];
+    for (const key of keys) {
+      const items = await this.redis.zrange(key, 0, -1, "WITHSCORES");
+      for (let i = 0; i < items.length; i += 2) {
+        allIds.push([items[i], parseInt(items[i + 1], 10)]);
+      }
+    }
+    allIds.sort((a, b) => b[1] - a[1]);
+    for (const [id] of allIds.slice(0, limit)) {
+      const log = await this.get(id);
+      if (log) logs.push(log);
+    }
+    return logs;
+  }
+  async getUserActivity(userId, limit = 50) {
+    const key = `${this.prefix}user:${userId}`;
+    const ids = await this.redis.zrange(key, 0, limit - 1);
+    const logs = [];
+    for (const id of ids) {
+      const log = await this.get(id);
+      if (log) logs.push(log);
+    }
+    return logs;
+  }
+  async getStats(startDate, endDate) {
+    const keys = this.getKeysForDateRange(
+      startDate || new Date(Date.now() - 30 * 24 * 60 * 60 * 1e3),
+      endDate || /* @__PURE__ */ new Date()
+    );
+    const byAction = {};
+    let totalEvents = 0;
+    let failedLogins = 0;
+    let successCount = 0;
+    const uniqueUsers = /* @__PURE__ */ new Set();
+    for (const key of keys) {
+      const ids = await this.redis.zrange(key, 0, -1);
+      for (const id of ids) {
+        const log = await this.get(id);
+        if (log) {
+          totalEvents++;
+          byAction[log.action] = (byAction[log.action] || 0) + 1;
+          if (log.success) {
+            successCount++;
+          }
+          if (log.action === "login_failed") {
+            failedLogins++;
+          }
+          if (log.userId) {
+            uniqueUsers.add(log.userId);
+          }
+        }
+      }
+    }
+    return {
+      totalEvents,
+      byAction,
+      successRate: totalEvents > 0 ? successCount / totalEvents : 1,
+      failedLogins,
+      uniqueUsers
+    };
+  }
+  async cleanup() {
+    const cutoff = Date.now() - this.retentionDays * 24 * 60 * 60 * 1e3;
+    const keys = await this.redis.keys(`${this.prefix}date:*`);
+    let deleted = 0;
+    for (const key of keys) {
+      const timestamp = await this.redis.zrangebyscore(key, 0, cutoff);
+      for (const id of timestamp) {
+        await this.redis.del(`${this.prefix}log:${id}`);
+        deleted++;
+      }
+      await this.redis.zremrangebyscore(key, 0, cutoff);
+    }
+    return deleted;
+  }
+  getKeyForDate(date) {
+    const year = date.getFullYear();
+    const month = String(date.getMonth() + 1).padStart(2, "0");
+    const day = String(date.getDate()).padStart(2, "0");
+    return `${this.prefix}date:${year}-${month}-${day}`;
+  }
+  getKeysForDateRange(start, end) {
+    const keys = [];
+    const startDate = start || new Date(Date.now() - this.retentionDays * 24 * 60 * 60 * 1e3);
+    const endDate = end || /* @__PURE__ */ new Date();
+    const current = new Date(startDate);
+    while (current <= endDate) {
+      keys.push(this.getKeyForDate(current));
+      current.setDate(current.getDate() + 1);
+    }
+    return keys;
+  }
+  matchesFilter(log, filter) {
+    if (filter.action) {
+      const actions = Array.isArray(filter.action) ? filter.action : [filter.action];
+      if (!actions.includes(log.action)) return false;
+    }
+    if (filter.resource && log.resource !== filter.resource) return false;
+    if (filter.resourceId && log.resourceId !== filter.resourceId) return false;
+    if (filter.success !== void 0 && log.success !== filter.success)
+      return false;
+    return true;
+  }
+  serializeLog(log) {
+    const result = {
+      id: log.id,
+      timestamp: log.timestamp.toISOString(),
+      action: log.action,
+      resource: log.resource,
+      success: log.success ? "1" : "0"
+    };
+    if (log.userId) result.userId = log.userId;
+    if (log.userEmail) result.userEmail = log.userEmail;
+    if (log.role) result.role = log.role;
+    if (log.resourceId) result.resourceId = log.resourceId;
+    if (log.ipAddress) result.ipAddress = log.ipAddress;
+    if (log.userAgent) result.userAgent = log.userAgent;
+    if (log.error) result.error = log.error;
+    if (log.changes) result.changes = JSON.stringify(log.changes);
+    if (log.metadata) result.metadata = JSON.stringify(log.metadata);
+    return result;
+  }
+  deserializeLog(data) {
+    return {
+      id: data.id,
+      timestamp: new Date(data.timestamp),
+      action: data.action,
+      userId: data.userId,
+      userEmail: data.userEmail,
+      role: data.role,
+      resource: data.resource,
+      resourceId: data.resourceId,
+      ipAddress: data.ipAddress,
+      userAgent: data.userAgent,
+      success: data.success === "1",
+      error: data.error,
+      changes: data.changes ? JSON.parse(data.changes) : void 0,
+      metadata: data.metadata ? JSON.parse(data.metadata) : void 0
+    };
+  }
+};
+function createAuditContext(req) {
+  return {
+    ipAddress: req.headers.get("x-forwarded-for")?.split(",")[0]?.trim() || req.headers.get("x-real-ip") || "unknown",
+    userAgent: req.headers.get("user-agent") || "unknown"
+  };
+}
+function defaultExtractToken(req) {
+  const authHeader = req.headers.get("Authorization");
+  if (authHeader?.startsWith("Bearer ")) {
+    return authHeader.slice(7);
+  }
+  const cookieHeader = req.headers.get("Cookie");
+  if (cookieHeader) {
+    const cookies = Object.fromEntries(
+      cookieHeader.split("; ").map((c) => {
+        const [key, ...val] = c.split("=");
+        return [key.trim(), val.join("=")];
+      })
+    );
+    return cookies["auth_token"] || null;
+  }
+  return null;
+}
+function generateToken(payload, secret, options = {}) {
+  return jwt2.sign(payload, secret, {
+    expiresIn: options.expiresIn || "24h",
+    issuer: options.issuer,
+    audience: options.audience
+  });
+}
+
+// src/api/rest/auth-routes.ts
+var AuthRoutes = class {
+  redis;
+  email;
+  jwtSecret;
+  jwtExpiresIn;
+  jwtIssuer;
+  jwtAudience;
+  passwordPolicy;
+  lockout;
+  rateLimiter;
+  auditLogger;
+  baseUrl;
+  emailVerificationRequired;
+  constructor(config) {
+    this.redis = config.redis;
+    this.email = config.email;
+    this.jwtSecret = config.jwtSecret;
+    this.jwtExpiresIn = config.jwtExpiresIn || "24h";
+    this.jwtIssuer = config.jwtIssuer;
+    this.jwtAudience = config.jwtAudience;
+    this.passwordPolicy = config.passwordPolicy || new PasswordPolicy();
+    this.lockout = config.lockout;
+    this.rateLimiter = config.rateLimiter;
+    this.auditLogger = config.auditLogger;
+    this.baseUrl = config.baseUrl || "http://localhost:3000";
+    this.emailVerificationRequired = config.emailVerificationRequired ?? true;
+  }
+  async register(req) {
+    const { ipAddress, userAgent } = createAuditContext(req);
+    if (this.rateLimiter) {
+      const limit = await this.rateLimiter.check("auth:register", ipAddress);
+      if (!limit.allowed) {
+        return this.rateLimitResponse(limit);
+      }
+    }
+    try {
+      const body = await req.json();
+      if (!body.email || !body.password) {
+        return this.errorResponse("Email and password are required", 400);
+      }
+      if (body.password !== body.confirmPassword) {
+        return this.errorResponse("Passwords do not match", 400);
+      }
+      const passwordValidation = this.passwordPolicy.validate(body.password);
+      if (!passwordValidation.valid) {
+        return this.errorResponse(passwordValidation.errors.join(". "), 400);
+      }
+      const existingUser = await this.redis.findUserByEmail(body.email);
+      if (existingUser) {
+        return this.errorResponse("Email already registered", 400);
+      }
+      const passwordHash = await this.redis.hashPassword(body.password);
+      const user = await this.redis.createUser({
+        email: body.email,
+        passwordHash,
+        role: body.role || "customer",
+        tenantId: body.tenantId
+      });
+      if (this.emailVerificationRequired && this.email) {
+        const verificationToken = randomBytes(32).toString("hex");
+        const verificationUrl = `${this.baseUrl}/api/auth/verify?token=${verificationToken}`;
+        await this.redis.createSession(user.id, { ipAddress, userAgent });
+        const template = this.email.getTemplates().verifyEmail(verificationUrl, body.email);
+        await this.email.send({ to: body.email, ...template });
+      }
+      if (this.auditLogger) {
+        await this.auditLogger.log({
+          action: "register",
+          userId: user.id,
+          userEmail: user.email,
+          resource: "auth",
+          ipAddress,
+          userAgent,
+          success: true
+        });
+      }
+      return this.jsonResponse(
+        {
+          success: true,
+          message: "Registration successful",
+          user: this.sanitizeUser(user),
+          requiresVerification: this.emailVerificationRequired && !!this.email
+        },
+        201
+      );
+    } catch (error) {
+      return this.errorResponse("Registration failed", 500);
+    }
+  }
+  async login(req) {
+    const { ipAddress, userAgent } = createAuditContext(req);
+    if (this.rateLimiter) {
+      const limit = await this.rateLimiter.check("auth:login", ipAddress);
+      if (!limit.allowed) {
+        return this.rateLimitResponse(limit);
+      }
+    }
+    try {
+      const body = await req.json();
+      if (!body.email || !body.password) {
+        return this.errorResponse("Email and password are required", 400);
+      }
+      const user = await this.redis.findUserByEmail(body.email);
+      if (!user) {
+        await this.recordFailedLogin(ipAddress, userAgent);
+        return this.errorResponse("Invalid credentials", 401);
+      }
+      if (this.lockout) {
+        const lockoutStatus = await this.lockout.checkLockout(user.id);
+        if (lockoutStatus.locked) {
+          if (this.auditLogger) {
+            await this.auditLogger.log({
+              action: "login_failed",
+              userId: user.id,
+              userEmail: user.email,
+              resource: "auth",
+              ipAddress,
+              userAgent,
+              success: false,
+              error: "Account locked"
+            });
+          }
+          return this.errorResponse(
+            `Account locked. Try again in ${Math.ceil((lockoutStatus.lockedUntil.getTime() - Date.now()) / 6e4)} minutes`,
+            423
+          );
+        }
+      }
+      const validPassword = user.passwordHash ? await this.redis.verifyPassword(body.password, user.passwordHash) : false;
+      if (!validPassword) {
+        await this.recordFailedLogin(ipAddress, userAgent, user.id, user.email);
+        return this.errorResponse("Invalid credentials", 401);
+      }
+      if (this.lockout) {
+        await this.lockout.resetAttempts(user.id);
+      }
+      const session = await this.redis.createSession(user.id, {
+        ipAddress,
+        userAgent
+      });
+      const payload = {
+        sub: user.id,
+        email: user.email,
+        role: user.role,
+        tenantId: user.tenantId,
+        iat: Math.floor(Date.now() / 1e3),
+        exp: Math.floor(Date.now() / 1e3) + 86400
+      };
+      const accessToken = generateToken(payload, this.jwtSecret, {
+        expiresIn: this.jwtExpiresIn,
+        issuer: this.jwtIssuer,
+        audience: this.jwtAudience
+      });
+      if (this.auditLogger) {
+        await this.auditLogger.log({
+          action: "login",
+          userId: user.id,
+          userEmail: user.email,
+          role: user.role,
+          resource: "auth",
+          ipAddress,
+          userAgent,
+          success: true
+        });
+      }
+      await this.redis.updateUser(user.id, {
+        lastLogin: (/* @__PURE__ */ new Date()).toISOString()
+      });
+      return this.jsonResponse({
+        success: true,
+        user: this.sanitizeUser(user),
+        accessToken,
+        refreshToken: session.refreshToken,
+        expiresIn: this.jwtExpiresIn
+      });
+    } catch (error) {
+      return this.errorResponse("Login failed", 500);
+    }
+  }
+  async logout(req) {
+    const token = defaultExtractToken(req);
+    if (!token) {
+      return this.errorResponse("No session to logout", 401);
+    }
+    const { ipAddress, userAgent } = createAuditContext(req);
+    try {
+      const payload = jwt2.decode(token);
+      if (payload && payload.sub) {
+        await this.redis.deleteUserSessions(payload.sub);
+        if (this.auditLogger) {
+          await this.auditLogger.log({
+            action: "logout",
+            userId: payload.sub,
+            userEmail: payload.email,
+            resource: "auth",
+            ipAddress,
+            userAgent,
+            success: true
+          });
+        }
+      }
+      return this.jsonResponse({
+        success: true,
+        message: "Logged out successfully"
+      });
+    } catch (error) {
+      return this.errorResponse("Logout failed", 500);
+    }
+  }
+  async refresh(req) {
+    try {
+      const body = await req.json();
+      const { refreshToken } = body;
+      if (!refreshToken) {
+        return this.errorResponse("Refresh token required", 400);
+      }
+      return this.jsonResponse({ success: true, accessToken: "" });
+    } catch (error) {
+      return this.errorResponse("Token refresh failed", 500);
+    }
+  }
+  async me(req) {
+    const token = defaultExtractToken(req);
+    if (!token) {
+      return this.errorResponse("Not authenticated", 401);
+    }
+    try {
+      const payload = jwt2.verify(token, this.jwtSecret, {
+        issuer: this.jwtIssuer,
+        audience: this.jwtAudience
+      });
+      const user = await this.redis.findUserById(payload.sub);
+      if (!user) {
+        return this.errorResponse("User not found", 404);
+      }
+      return this.jsonResponse({
+        success: true,
+        user: this.sanitizeUser(user)
+      });
+    } catch (error) {
+      return this.errorResponse("Authentication failed", 401);
+    }
+  }
+  async changePassword(req) {
+    const token = defaultExtractToken(req);
+    if (!token) {
+      return this.errorResponse("Not authenticated", 401);
+    }
+    const { ipAddress, userAgent } = createAuditContext(req);
+    try {
+      const payload = jwt2.verify(token, this.jwtSecret);
+      const body = await req.json();
+      const { currentPassword, newPassword, confirmPassword } = body;
+      if (!currentPassword || !newPassword) {
+        return this.errorResponse("Current and new password required", 400);
+      }
+      if (newPassword !== confirmPassword) {
+        return this.errorResponse("Passwords do not match", 400);
+      }
+      const passwordValidation = this.passwordPolicy.validate(newPassword);
+      if (!passwordValidation.valid) {
+        return this.errorResponse(passwordValidation.errors.join(". "), 400);
+      }
+      const user = await this.redis.findUserById(payload.sub);
+      if (!user) {
+        return this.errorResponse("User not found", 404);
+      }
+      const validPassword = user.passwordHash ? await this.redis.verifyPassword(currentPassword, user.passwordHash) : false;
+      if (!validPassword) {
+        return this.errorResponse("Current password is incorrect", 401);
+      }
+      const passwordHistory = await this.redis.getPasswordHistory(user.id, 5);
+      const isReused = await this.redis.isPasswordInHistory(
+        newPassword,
+        user.id,
+        5
+      );
+      if (isReused) {
+        return this.errorResponse(
+          "Password was recently used. Please choose a different password",
+          400
+        );
+      }
+      const newPasswordHash = await this.redis.hashPassword(newPassword);
+      if (user.passwordHash) {
+        await this.redis.addPasswordToHistory(user.id, user.passwordHash);
+      }
+      await this.redis.updateUser(user.id, { passwordHash: newPasswordHash });
+      await this.redis.deleteUserSessions(user.id);
+      if (this.email && this.email.getTemplates) {
+        const template = this.email.getTemplates().passwordChanged(user.email);
+        await this.email.send({ to: user.email, ...template });
+      }
+      if (this.auditLogger) {
+        await this.auditLogger.log({
+          action: "password_change",
+          userId: user.id,
+          userEmail: user.email,
+          resource: "auth",
+          ipAddress,
+          userAgent,
+          success: true
+        });
+      }
+      return this.jsonResponse({
+        success: true,
+        message: "Password changed successfully"
+      });
+    } catch (error) {
+      return this.errorResponse("Password change failed", 500);
+    }
+  }
+  async forgotPassword(req) {
+    const { ipAddress, userAgent } = createAuditContext(req);
+    if (this.rateLimiter) {
+      const limit = await this.rateLimiter.check("auth:forgot", ipAddress);
+      if (!limit.allowed) {
+        return this.rateLimitResponse(limit);
+      }
+    }
+    try {
+      const body = await req.json();
+      const { email } = body;
+      if (!email) {
+        return this.errorResponse("Email required", 400);
+      }
+      const user = await this.redis.findUserByEmail(email);
+      if (!user) {
+        return this.jsonResponse({
+          success: true,
+          message: "If the email exists, a reset link has been sent"
+        });
+      }
+      if (this.email) {
+        const resetToken = randomBytes(32).toString("hex");
+        const resetUrl = `${this.baseUrl}/api/auth/reset-password?token=${resetToken}`;
+        const template = this.email.getTemplates().resetPassword(resetUrl, user.email);
+        await this.email.send({ to: user.email, ...template });
+      }
+      if (this.auditLogger) {
+        await this.auditLogger.log({
+          action: "password_reset_request",
+          userId: user.id,
+          userEmail: user.email,
+          resource: "auth",
+          ipAddress,
+          userAgent,
+          success: true
+        });
+      }
+      return this.jsonResponse({
+        success: true,
+        message: "If the email exists, a reset link has been sent"
+      });
+    } catch (error) {
+      return this.errorResponse("Password reset request failed", 500);
+    }
+  }
+  async verifyEmail(req) {
+    const url = new URL(req.url);
+    const token = url.searchParams.get("token");
+    if (!token) {
+      return this.errorResponse("Verification token required", 400);
+    }
+    try {
+      return this.jsonResponse({ success: true, message: "Email verified" });
+    } catch (error) {
+      return this.errorResponse("Email verification failed", 500);
+    }
+  }
+  async recordFailedLogin(ipAddress, userAgent, userId, userEmail) {
+    if (this.lockout) {
+      await this.lockout.recordFailedAttempt(userId || ipAddress);
+    }
+    if (this.auditLogger) {
+      await this.auditLogger.log({
+        action: "login_failed",
+        userId,
+        userEmail,
+        resource: "auth",
+        ipAddress,
+        userAgent,
+        success: false,
+        error: "Invalid credentials"
+      });
+    }
+  }
+  sanitizeUser(user) {
+    const { passwordHash, ...sanitized } = user;
+    return sanitized;
+  }
+  jsonResponse(data, status = 200) {
+    return new Response(JSON.stringify(data), {
+      status,
+      headers: {
+        "Content-Type": "application/json"
+      }
+    });
+  }
+  errorResponse(message, status) {
+    return new Response(JSON.stringify({ success: false, error: message }), {
+      status,
+      headers: {
+        "Content-Type": "application/json"
+      }
+    });
+  }
+  rateLimitResponse(limit) {
+    return new Response(
+      JSON.stringify({
+        success: false,
+        error: "Too many requests",
+        retryAfter: limit.retryAfter
+      }),
+      {
+        status: 429,
+        headers: {
+          "Content-Type": "application/json",
+          "Retry-After": String(limit.retryAfter || 60)
+        }
+      }
+    );
+  }
+};
+
+// src/auth/config.ts
+function getEnv(key, fallback = "") {
+  return process.env[key] || fallback;
+}
+function getEnvBool(key, fallback = false) {
+  const val = process.env[key];
+  if (!val) return fallback;
+  return val.toLowerCase() === "true";
+}
+function getEnvNum(key, fallback = 0) {
+  const val = process.env[key];
+  if (!val) return fallback;
+  return parseInt(val, 10);
+}
+async function createAuthConfig() {
+  const redisUrl = getEnv("REDIS_URL", "redis://localhost:6379");
+  const redisKeyPrefix = getEnv("REDIS_KEY_PREFIX", "kyro:auth:");
+  const redisSessionTTL = getEnvNum("REDIS_SESSION_TTL", 86400);
+  const redisRefreshTTL = getEnvNum("REDIS_REFRESH_TOKEN_TTL", 604800);
+  const redisAdapter = new RedisAuthAdapter({
+    url: redisUrl,
+    keyPrefix: redisKeyPrefix,
+    tokenExpiration: redisSessionTTL,
+    refreshTokenExpiration: redisRefreshTTL,
+    tls: getEnvBool("REDIS_TLS", false)
+  });
+  await redisAdapter.connect();
+  const redisClient = redisAdapter.redis;
+  const emailConfig = getEmailConfig();
+  const email = emailConfig ? new EmailTransport(emailConfig) : void 0;
+  const passwordPolicy = new PasswordPolicy({
+    minLength: getEnvNum("PASSWORD_MIN_LENGTH", 12),
+    requireUppercase: getEnvBool("PASSWORD_REQUIRE_UPPERCASE", true),
+    requireLowercase: getEnvBool("PASSWORD_REQUIRE_LOWERCASE", true),
+    requireNumbers: getEnvBool("PASSWORD_REQUIRE_NUMBERS", true),
+    requireSpecialChars: getEnvBool("PASSWORD_REQUIRE_SPECIAL", true),
+    preventReuse: getEnvNum("PASSWORD_PREVENT_REUSE", 5),
+    maxLength: getEnvNum("PASSWORD_MAX_LENGTH", 128)
+  });
+  let lockout;
+  if (getEnvBool("LOCKOUT_ENABLED", true)) {
+    lockout = new AccountLockout(redisClient, {
+      maxAttempts: getEnvNum("LOCKOUT_MAX_ATTEMPTS", 5),
+      lockDuration: getEnvNum("LOCKOUT_DURATION_MINUTES", 15) * 60 * 1e3
+    });
+  }
+  let rateLimiter;
+  if (getEnvBool("RATE_LIMIT_ENABLED", true)) {
+    rateLimiter = new RateLimiter(redisClient, {
+      "auth:login": {
+        window: getEnvNum("RATE_LIMIT_AUTH_WINDOW_MS", 9e5),
+        max: getEnvNum("RATE_LIMIT_AUTH_MAX_REQUESTS", 10)
+      },
+      "api:general": {
+        window: getEnvNum("RATE_LIMIT_WINDOW_MS", 6e4),
+        max: getEnvNum("RATE_LIMIT_MAX_REQUESTS", 100)
+      }
+    });
+  }
+  let auditLogger;
+  if (getEnvBool("AUDIT_LOG_ENABLED", true)) {
+    auditLogger = new AuditLogger(
+      redisClient,
+      getEnvNum("AUDIT_LOG_RETENTION_DAYS", 30)
+    );
+  }
+  const routes = new AuthRoutes({
+    redis: redisAdapter,
+    email,
+    jwtSecret: getEnv("JWT_SECRET", "change-me"),
+    jwtExpiresIn: getEnv("JWT_EXPIRES_IN", "24h"),
+    jwtIssuer: getEnv("JWT_ISSUER", "kyro-cms"),
+    jwtAudience: getEnv("JWT_AUDIENCE", "kyro-cms-client"),
+    passwordPolicy,
+    lockout,
+    rateLimiter,
+    auditLogger,
+    baseUrl: getEnv("EMAIL_BASE_URL", "http://localhost:4321"),
+    emailVerificationRequired: getEnvBool("EMAIL_VERIFICATION_REQUIRED", true)
+  });
+  return {
+    redis: redisAdapter,
+    redisClient,
+    email,
+    passwordPolicy,
+    lockout,
+    rateLimiter,
+    auditLogger,
+    routes
+  };
+}
+function getEmailConfig() {
+  const host = getEnv("SMTP_HOST");
+  if (!host) return void 0;
+  return {
+    host,
+    port: getEnvNum("SMTP_PORT", 587),
+    secure: getEnvBool("SMTP_SECURE", false),
+    auth: {
+      user: getEnv("SMTP_USER"),
+      pass: getEnv("SMTP_PASS")
+    },
+    from: getEnv("SMTP_FROM", "noreply@example.com"),
+    fromName: getEnv("SMTP_FROM_NAME", "Kyro CMS")
+  };
+}
+var authConfig = createAuthConfig();
+
+// src/auth/index.ts
 var DEFAULT_SALT_ROUNDS = 12;
 var DEFAULT_EXPIRES_IN = "24h";
 var DEFAULT_REFRESH_EXPIRES_IN = "7d";
@@ -2020,7 +3355,7 @@ var Auth = class {
         email: data.email,
         passwordHash,
         role: data.role ?? "customer",
-        tenant: data.tenant
+        tenantId: data.tenantId
       });
       return this.createSessionForUser(user);
     } catch (error) {
@@ -2051,7 +3386,7 @@ var Auth = class {
   async refreshToken(refreshToken) {
     try {
       const session = await this.adapter.findSessionByToken(refreshToken);
-      if (!session || session.expiresAt < /* @__PURE__ */ new Date()) {
+      if (!session || new Date(session.expiresAt) < /* @__PURE__ */ new Date()) {
         return { success: false, error: "Invalid or expired refresh token" };
       }
       const user = await this.adapter.findUserById(session.userId);
@@ -2066,7 +3401,7 @@ var Auth = class {
   }
   async verifyToken(token) {
     try {
-      const decoded = jwt.verify(token, this.config.secret, {
+      const decoded = jwt2.verify(token, this.config.secret, {
         issuer: this.config.issuer,
         audience: this.config.audience.length > 0 ? this.config.audience[0] : void 0
       });
@@ -2130,9 +3465,7 @@ var Auth = class {
   }
   async createSessionForUser(user) {
     const token = this.generateToken(user);
-    const refreshToken = randomUUID();
-    const expiresAt = new Date(Date.now() + this.parseExpiresIn(this.config.refreshExpiresIn));
-    const session = await this.adapter.createSession(user.id, refreshToken, expiresAt);
+    const session = await this.adapter.createSession(user.id);
     return {
       success: true,
       user,
@@ -2145,7 +3478,7 @@ var Auth = class {
       sub: user.id,
       email: user.email,
       role: user.role,
-      tenant: user.tenant
+      tenantId: user.tenantId
     };
     const signOptions = {
       expiresIn: this.parseExpiresIn(this.config.expiresIn) / 1e3,
@@ -2154,10 +3487,10 @@ var Auth = class {
     if (this.config.audience.length > 0) {
       signOptions.audience = this.config.audience[0];
     }
-    return jwt.sign(payload, this.config.secret, signOptions);
+    return jwt2.sign(payload, this.config.secret, signOptions);
   }
   async hashPassword(password) {
-    return bcrypt.hash(password, this.config.saltRounds);
+    return bcrypt2.hash(password, this.config.saltRounds);
   }
   parseExpiresIn(value) {
     if (typeof value === "number") return value;
@@ -2329,6 +3662,35 @@ function isArchived(status) {
   return status === "archived";
 }
 
-export { ALL_FIELD_TYPES, AnalyticsPlugin, Auth, COMPLEX_FIELD_TYPES, CSSGenerator, CommentsPlugin, ConfigValidationError, Kyro, KyroPlugin, LAYOUT_FIELD_TYPES, LocalAdapter, PRIMITIVE_FIELD_TYPES, PluginManager, RELATIONAL_FIELD_TYPES, Registry, ReviewsPlugin, SEOPLugin, VersionManager, WishlistPlugin, collectionToCreateZod, collectionToUpdateZod, collectionToWhereZod, collectionToZod, createAdminStyling, createAuth, createKyro, createLocalAdapter, createRegistry, createVersionManager, defaultDarkTheme, defaultFieldStyling, defaultLightTheme, ecommerce2026Theme, fieldToZod, generateCSSVariables, generateTailwindConfig, getDefaultDraftPublishConfig, getRegistry, globalToZod, isArchived, isArrayField, isBlocksField, isDraft, isGroupField, isLayoutField, isNumberField, isPublished, isRelationshipField, isRichTextField, isSelectField, isTextField, isUploadField, presetPlugins, resetRegistry, runFieldHooks, runHooks, validateCollection, validateConfig, validateFields, validateGlobal };
+// src/registry/config.ts
+function normalizeCollections(collections) {
+  if (!collections) return [];
+  if (Array.isArray(collections)) return collections;
+  return Object.values(collections);
+}
+function normalizeGlobals(globals) {
+  if (!globals) return [];
+  if (Array.isArray(globals)) return globals;
+  return Object.values(globals);
+}
+function defineConfig(config) {
+  return {
+    collections: normalizeCollections(config.collections),
+    globals: normalizeGlobals(config.globals),
+    adapter: config.adapter,
+    plugins: config.plugins,
+    auth: config.auth,
+    cors: config.cors,
+    admin: config.admin,
+    upload: config.upload,
+    graphQL: config.graphQL,
+    typescript: config.typescript,
+    localization: config.localization,
+    rateLimit: config.rateLimit,
+    debug: config.debug
+  };
+}
+
+export { ALL_FIELD_TYPES, AccountLockout, AnalyticsPlugin, AuditLogger, Auth, COMPLEX_FIELD_TYPES, CSSGenerator, CommentsPlugin, ConfigValidationError, Kyro, KyroPlugin, LAYOUT_FIELD_TYPES, LocalAdapter, PRIMITIVE_FIELD_TYPES, PluginManager, RELATIONAL_FIELD_TYPES, RateLimiter, Registry, ReviewsPlugin, SEOPLugin, SQLiteAuthAdapter, VersionManager, WishlistPlugin, authConfig, collectionToCreateZod, collectionToUpdateZod, collectionToWhereZod, collectionToZod, createAdminStyling, createAuditContext, createAuth, createAuthConfig, createKyro, createLocalAdapter, createRegistry, createVersionManager, defaultDarkTheme, defaultFieldStyling, defaultLightTheme, defineConfig, ecommerce2026Theme, fieldToZod, generateCSSVariables, generateTailwindConfig, getDefaultDraftPublishConfig, getRegistry, globalToZod, isArchived, isArrayField, isBlocksField, isDraft, isGroupField, isLayoutField, isNumberField, isPublished, isRelationshipField, isRichTextField, isSelectField, isTextField, isUploadField, presetPlugins, resetRegistry, runFieldHooks, runHooks, validateCollection, validateConfig, validateFields, validateGlobal };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map