npm - @kyro-cms/core - Versions diffs - 0.1.3 → 0.1.5 - Mend

@kyro-cms/core 0.1.3 → 0.1.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (77) hide show

package/dist/bootstrap-BDTTUGY2.js +4 -0
package/dist/{bootstrap-Q2TWUQF3.js.map → bootstrap-BDTTUGY2.js.map} +1 -1
package/dist/bootstrap-X6TP3NKX.cjs +29 -0
package/dist/{bootstrap-2WJK6PG7.cjs.map → bootstrap-X6TP3NKX.cjs.map} +1 -1
package/dist/chunk-5BLDMQED.cjs +18 -0
package/dist/{chunk-Q7SFCCGT.cjs.map → chunk-5BLDMQED.cjs.map} +1 -1
package/dist/{chunk-U4CHJTWX.cjs → chunk-7G6EVYCU.cjs} +5 -5
package/dist/{chunk-U4CHJTWX.cjs.map → chunk-7G6EVYCU.cjs.map} +1 -1
package/dist/chunk-A3RQWHKD.cjs +263 -0
package/dist/chunk-A3RQWHKD.cjs.map +1 -0
package/dist/{chunk-V67YXRBT.js → chunk-C74MQIRL.js} +517 -203
package/dist/chunk-C74MQIRL.js.map +1 -0
package/dist/{chunk-XLMVCGXA.js → chunk-LRTZJJPD.js} +3 -3
package/dist/{chunk-XLMVCGXA.js.map → chunk-LRTZJJPD.js.map} +1 -1
package/dist/{chunk-I4BORBXT.cjs → chunk-MHS6CPO5.cjs} +517 -204
package/dist/chunk-MHS6CPO5.cjs.map +1 -0
package/dist/chunk-NSBPE2FW.js +15 -0
package/dist/{chunk-PZ5AY32C.js.map → chunk-NSBPE2FW.js.map} +1 -1
package/dist/{chunk-M4JFHQ5J.js → chunk-QUJ4OLSC.js} +3 -3
package/dist/{chunk-M4JFHQ5J.js.map → chunk-QUJ4OLSC.js.map} +1 -1
package/dist/{chunk-5AOILNGY.cjs → chunk-TZFJMPCH.cjs} +4 -4
package/dist/{chunk-5AOILNGY.cjs.map → chunk-TZFJMPCH.cjs.map} +1 -1
package/dist/chunk-VMSRTAH7.js +256 -0
package/dist/chunk-VMSRTAH7.js.map +1 -0
package/dist/{chunk-KA3UOIFC.js → chunk-XTZSUDSI.js} +3 -3
package/dist/{chunk-KA3UOIFC.js.map → chunk-XTZSUDSI.js.map} +1 -1
package/dist/{chunk-KWTKEBHM.cjs → chunk-YD7Y25W7.cjs} +19 -19
package/dist/{chunk-KWTKEBHM.cjs.map → chunk-YD7Y25W7.cjs.map} +1 -1
package/dist/cli/index.cjs +5 -5
package/dist/cli/index.js +5 -5
package/dist/database-7CJOXEZR.js +5 -0
package/dist/{database-37KXWUER.js.map → database-7CJOXEZR.js.map} +1 -1
package/dist/database-QOIV44GT.cjs +22 -0
package/dist/{database-LJKD3HE4.cjs.map → database-QOIV44GT.cjs.map} +1 -1
package/dist/drizzle/index.cjs +8 -8
package/dist/drizzle/index.d.cts +1 -1
package/dist/drizzle/index.d.ts +1 -1
package/dist/drizzle/index.js +4 -4
package/dist/graphql/index.cjs +1 -1
package/dist/graphql/index.js +1 -1
package/dist/{index-CzkEHKqu.d.cts → index-BMySjW6o.d.cts} +6 -0
package/dist/{index-BVFlb7uU.d.ts → index-CMUNCIWQ.d.ts} +6 -0
package/dist/index.cjs +727 -346
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +229 -62
package/dist/index.d.ts +229 -62
package/dist/index.js +706 -331
package/dist/index.js.map +1 -1
package/dist/mongodb/index.cjs +1 -1
package/dist/mongodb/index.js +1 -1
package/dist/postgres-auth-adapter-REJFUMP7.js +5 -0
package/dist/{postgres-auth-adapter-LTDUGBMB.js.map → postgres-auth-adapter-REJFUMP7.js.map} +1 -1
package/dist/postgres-auth-adapter-VK6GY7LX.cjs +14 -0
package/dist/{postgres-auth-adapter-CYZAVPPP.cjs.map → postgres-auth-adapter-VK6GY7LX.cjs.map} +1 -1
package/dist/redis-adapter-4YDY4LWE.js +4 -0
package/dist/redis-adapter-4YDY4LWE.js.map +1 -0
package/dist/redis-adapter-LBLNKGNS.cjs +13 -0
package/dist/redis-adapter-LBLNKGNS.cjs.map +1 -0
package/dist/rest/index.cjs +1 -1
package/dist/rest/index.js +1 -1
package/dist/templates/index.cjs +1 -1
package/dist/templates/index.js +1 -1
package/dist/trpc/index.cjs +1 -1
package/dist/trpc/index.js +1 -1
package/dist/ws/index.cjs +1 -1
package/dist/ws/index.js +1 -1
package/package.json +2 -2
package/dist/bootstrap-2WJK6PG7.cjs +0 -29
package/dist/bootstrap-Q2TWUQF3.js +0 -4
package/dist/chunk-I4BORBXT.cjs.map +0 -1
package/dist/chunk-PZ5AY32C.js +0 -9
package/dist/chunk-Q7SFCCGT.cjs +0 -11
package/dist/chunk-V67YXRBT.js.map +0 -1
package/dist/database-37KXWUER.js +0 -5
package/dist/database-LJKD3HE4.cjs +0 -22
package/dist/postgres-auth-adapter-CYZAVPPP.cjs +0 -14
package/dist/postgres-auth-adapter-LTDUGBMB.js +0 -5

package/dist/index.js CHANGED Viewed

@@ -1,6 +1,7 @@
 export { allSettingsGlobals, blogCollections, blogGlobals, coreSettingsGlobals, createTemplateConfig, ecommerceCollections, ecommerceGlobals, ecommerceSettingsGlobals, kitchenSinkCollections, mediaCollections, minimalCollections } from './chunk-3QX6KG2S.js';
-import { RedisAuthAdapter, EmailTransport, PasswordPolicy } from './chunk-V67YXRBT.js';
-export { EmailTransport, PasswordPolicy, RedisAuthAdapter, autoBootstrap, bootstrapAdmin, getBootstrapFromEnv } from './chunk-V67YXRBT.js';
+export { RedisAuthAdapter } from './chunk-VMSRTAH7.js';
+import { EmailTransport, PasswordPolicy, SQLiteAuthAdapter } from './chunk-C74MQIRL.js';
+export { EmailTransport, PasswordPolicy, SQLiteAuthAdapter, autoBootstrap, bootstrapAdmin, getBootstrapFromEnv } from './chunk-C74MQIRL.js';
 import { createKyroServer } from './chunk-UEYC46RL.js';
 export { createContext, createCountProcedure, createCreateProcedure, createDeleteProcedure, createDynamicRouter, createFindByIDProcedure, createFindProcedure, createKyroServer, createUpdateProcedure } from './chunk-UEYC46RL.js';
 import { buildGraphQLSchema } from './chunk-OG3KX56O.js';
@@ -11,18 +12,17 @@ export { evaluateAccess, getWhereClause, mergeWhereClauses } from './chunk-SDMNU
 import { KyroPubSub, createWSServer } from './chunk-3TPQ2BU6.js';
 export { KyroPubSub, KyroWSServer, PubSub, createWSServer } from './chunk-3TPQ2BU6.js';
 export { DrizzleAdapter, collectionToDrizzleSchema, createDrizzleAdapter, fieldToDrizzleType } from './chunk-EINVJPFM.js';
-export { PostgresAuthAdapter } from './chunk-M4JFHQ5J.js';
-export { createDatabase, runMigrations, seedDefaultRoles } from './chunk-XLMVCGXA.js';
-import './chunk-KA3UOIFC.js';
+export { PostgresAuthAdapter } from './chunk-QUJ4OLSC.js';
+export { createDatabase, runMigrations, seedDefaultRoles } from './chunk-LRTZJJPD.js';
+import './chunk-XTZSUDSI.js';
 export { MongoDBAdapter, createMongoDBAdapter } from './chunk-DIC236EW.js';
 import { AbstractBaseAdapter } from './chunk-BXMWDUED.js';
 export { AbstractBaseAdapter } from './chunk-BXMWDUED.js';
-import './chunk-PZ5AY32C.js';
+import { __require } from './chunk-NSBPE2FW.js';
 import { z } from 'zod';
 export { z } from 'zod';
-import bcrypt2 from 'bcrypt';
+import bcrypt from 'bcrypt';
 import jwt2 from 'jsonwebtoken';
-import bcrypt from 'bcryptjs';
 import { randomBytes } from 'crypto';
 // src/registry/validator.ts
@@ -2000,277 +2000,6 @@ var defaultFieldStyling = {
     }
   }
 };
-var SQLiteAuthAdapter = class {
-  db = null;
-  path;
-  saltRounds;
-  externalDb;
-  constructor(options = {}) {
-    this.path = options.path || "./data.db";
-    this.saltRounds = options.saltRounds || 12;
-    this.externalDb = !!options.db;
-    if (options.db) {
-      this.db = options.db;
-    }
-  }
-  async connect() {
-    if (this.db) return;
-    const Database = (await import('better-sqlite3')).default;
-    this.db = new Database(this.path);
-    this.db.pragma("journal_mode = WAL");
-    this.db.pragma("foreign_keys = ON");
-    this.ensureTables();
-  }
-  async disconnect() {
-    if (this.db && !this.externalDb) {
-      this.db.close();
-      this.db = null;
-    }
-  }
-  ensureTables() {
-    if (!this.db) return;
-    this.db.exec(`
-      CREATE TABLE IF NOT EXISTS kyro_users (
-        id TEXT PRIMARY KEY,
-        email TEXT UNIQUE NOT NULL,
-        password_hash TEXT NOT NULL,
-        role TEXT NOT NULL DEFAULT 'customer',
-        tenant_id TEXT,
-        email_verified INTEGER DEFAULT 0,
-        locked INTEGER DEFAULT 0,
-        last_login TEXT,
-        failed_login_attempts INTEGER DEFAULT 0,
-        locked_until TEXT,
-        created_at TEXT NOT NULL,
-        updated_at TEXT NOT NULL
-      );
-      CREATE TABLE IF NOT EXISTS kyro_sessions (
-        id TEXT PRIMARY KEY,
-        user_id TEXT NOT NULL,
-        token TEXT NOT NULL,
-        refresh_token TEXT,
-        expires_at TEXT NOT NULL,
-        created_at TEXT NOT NULL,
-        ip_address TEXT,
-        user_agent TEXT,
-        FOREIGN KEY (user_id) REFERENCES kyro_users(id) ON DELETE CASCADE
-      );
-      CREATE TABLE IF NOT EXISTS kyro_password_history (
-        id INTEGER PRIMARY KEY AUTOINCREMENT,
-        user_id TEXT NOT NULL,
-        password_hash TEXT NOT NULL,
-        created_at TEXT NOT NULL,
-        FOREIGN KEY (user_id) REFERENCES kyro_users(id) ON DELETE CASCADE
-      );
-      CREATE INDEX IF NOT EXISTS idx_kyro_users_email ON kyro_users(email);
-      CREATE INDEX IF NOT EXISTS idx_kyro_sessions_user_id ON kyro_sessions(user_id);
-      CREATE INDEX IF NOT EXISTS idx_kyro_sessions_token ON kyro_sessions(token);
-      CREATE INDEX IF NOT EXISTS idx_kyro_sessions_refresh_token ON kyro_sessions(refresh_token);
-      CREATE INDEX IF NOT EXISTS idx_kyro_password_history_user_id ON kyro_password_history(user_id);
-    `);
-  }
-  async createUser(data) {
-    if (!this.db) throw new Error("Not connected");
-    const id = randomBytes(16).toString("hex");
-    const now = (/* @__PURE__ */ new Date()).toISOString();
-    const user = {
-      id,
-      email: data.email.toLowerCase(),
-      passwordHash: data.passwordHash,
-      role: data.role || "customer",
-      tenantId: data.tenantId,
-      createdAt: now,
-      updatedAt: now
-    };
-    this.db.prepare(
-      `INSERT INTO kyro_users (id, email, password_hash, role, tenant_id, created_at, updated_at)
-         VALUES (?, ?, ?, ?, ?, ?, ?)`
-    ).run(
-      id,
-      user.email,
-      user.passwordHash,
-      user.role,
-      user.tenantId,
-      now,
-      now
-    );
-    return user;
-  }
-  async findUserByEmail(email) {
-    if (!this.db) throw new Error("Not connected");
-    const row = this.db.prepare("SELECT * FROM kyro_users WHERE email = ?").get(email.toLowerCase());
-    if (!row) return null;
-    return this.rowToUser(row);
-  }
-  async findUserById(userId) {
-    if (!this.db) throw new Error("Not connected");
-    const row = this.db.prepare("SELECT * FROM kyro_users WHERE id = ?").get(userId);
-    if (!row) return null;
-    return this.rowToUser(row);
-  }
-  async updateUser(userId, data) {
-    if (!this.db) throw new Error("Not connected");
-    const existing = await this.findUserById(userId);
-    if (!existing) return null;
-    const updates = [];
-    const values = [];
-    if (data.email !== void 0) {
-      updates.push("email = ?");
-      values.push(data.email.toLowerCase());
-    }
-    if (data.passwordHash !== void 0) {
-      updates.push("password_hash = ?");
-      values.push(data.passwordHash);
-    }
-    if (data.role !== void 0) {
-      updates.push("role = ?");
-      values.push(data.role);
-    }
-    if (data.tenantId !== void 0) {
-      updates.push("tenant_id = ?");
-      values.push(data.tenantId);
-    }
-    if (data.emailVerified !== void 0) {
-      updates.push("email_verified = ?");
-      values.push(data.emailVerified ? 1 : 0);
-    }
-    if (data.locked !== void 0) {
-      updates.push("locked = ?");
-      values.push(data.locked ? 1 : 0);
-    }
-    if (data.lastLogin !== void 0) {
-      updates.push("last_login = ?");
-      values.push(data.lastLogin);
-    }
-    if (data.failedLoginAttempts !== void 0) {
-      updates.push("failed_login_attempts = ?");
-      values.push(data.failedLoginAttempts);
-    }
-    updates.push("updated_at = ?");
-    values.push((/* @__PURE__ */ new Date()).toISOString());
-    values.push(userId);
-    this.db.prepare(`UPDATE kyro_users SET ${updates.join(", ")} WHERE id = ?`).run(...values);
-    return this.findUserById(userId);
-  }
-  async deleteUser(userId) {
-    if (!this.db) throw new Error("Not connected");
-    const result = this.db.prepare("DELETE FROM kyro_users WHERE id = ?").run(userId);
-    return result.changes > 0;
-  }
-  async hashPassword(password) {
-    return bcrypt.hash(password, this.saltRounds);
-  }
-  async verifyPassword(password, hash) {
-    return bcrypt.compare(password, hash);
-  }
-  async createSession(userId, data = {}) {
-    if (!this.db) throw new Error("Not connected");
-    const id = randomBytes(32).toString("hex");
-    const token = randomBytes(32).toString("base64url");
-    const refreshToken = randomBytes(32).toString("base64url");
-    const now = /* @__PURE__ */ new Date();
-    const expiresAt = new Date(now.getTime() + 864e5).toISOString();
-    const session = {
-      id,
-      userId,
-      token,
-      refreshToken,
-      expiresAt,
-      createdAt: now.toISOString(),
-      ipAddress: data.ipAddress,
-      userAgent: data.userAgent
-    };
-    this.db.prepare(
-      `INSERT INTO kyro_sessions (id, user_id, token, refresh_token, expires_at, created_at, ip_address, user_agent)
-         VALUES (?, ?, ?, ?, ?, ?, ?, ?)`
-    ).run(
-      session.id,
-      session.userId,
-      session.token,
-      session.refreshToken,
-      session.expiresAt,
-      session.createdAt,
-      session.ipAddress,
-      session.userAgent
-    );
-    return session;
-  }
-  async findSessionByToken(token) {
-    if (!this.db) throw new Error("Not connected");
-    const row = this.db.prepare("SELECT * FROM kyro_sessions WHERE token = ?").get(token);
-    if (!row) return null;
-    return this.rowToSession(row);
-  }
-  async findSessionByRefreshToken(refreshToken) {
-    if (!this.db) throw new Error("Not connected");
-    const row = this.db.prepare("SELECT * FROM kyro_sessions WHERE refresh_token = ?").get(refreshToken);
-    if (!row) return null;
-    return this.rowToSession(row);
-  }
-  async deleteSession(sessionId) {
-    if (!this.db) throw new Error("Not connected");
-    const result = this.db.prepare("DELETE FROM kyro_sessions WHERE id = ? OR token = ?").run(sessionId, sessionId);
-    return result.changes > 0;
-  }
-  async deleteUserSessions(userId) {
-    if (!this.db) throw new Error("Not connected");
-    const result = this.db.prepare("DELETE FROM kyro_sessions WHERE user_id = ?").run(userId);
-    return result.changes;
-  }
-  async hasAnyUsers() {
-    if (!this.db) throw new Error("Not connected");
-    const row = this.db.prepare("SELECT COUNT(*) as count FROM kyro_users").get();
-    return row.count > 0;
-  }
-  async addPasswordToHistory(userId, passwordHash) {
-    if (!this.db) throw new Error("Not connected");
-    this.db.prepare(
-      "INSERT INTO kyro_password_history (user_id, password_hash, created_at) VALUES (?, ?, ?)"
-    ).run(userId, passwordHash, (/* @__PURE__ */ new Date()).toISOString());
-    this.db.prepare(
-      `DELETE FROM kyro_password_history WHERE id IN (
-          SELECT id FROM kyro_password_history WHERE user_id = ? ORDER BY created_at DESC LIMIT -1 OFFSET 5
-        )`
-    ).run(userId);
-  }
-  async getPasswordHistory(userId, count = 5) {
-    if (!this.db) throw new Error("Not connected");
-    const rows = this.db.prepare(
-      "SELECT password_hash FROM kyro_password_history WHERE user_id = ? ORDER BY created_at DESC LIMIT ?"
-    ).all(userId, count);
-    return rows.map((r) => r.password_hash);
-  }
-  rowToUser(row) {
-    return {
-      id: row.id,
-      email: row.email,
-      passwordHash: row.password_hash,
-      role: row.role,
-      tenantId: row.tenant_id,
-      emailVerified: row.email_verified === 1,
-      locked: row.locked === 1,
-      lastLogin: row.last_login,
-      failedLoginAttempts: row.failed_login_attempts || 0,
-      createdAt: row.created_at,
-      updatedAt: row.updated_at
-    };
-  }
-  rowToSession(row) {
-    return {
-      id: row.id,
-      userId: row.user_id,
-      token: row.token,
-      refreshToken: row.refresh_token,
-      expiresAt: row.expires_at,
-      createdAt: row.created_at,
-      ipAddress: row.ip_address,
-      userAgent: row.user_agent
-    };
-  }
-};
 // src/auth/security/lockout.ts
 var DEFAULT_LOCKOUT_CONFIG = {
@@ -2537,6 +2266,8 @@ var RateLimiter = class {
     this.userLimits[type] = config;
   }
 };
+var DEFAULT_RETENTION_CONFIG = {
+  retentionDays: 30};
 var AuditLogger = class {
   redis;
   prefix;
@@ -2767,6 +2498,572 @@ function createAuditContext(req) {
     userAgent: req.headers.get("user-agent") || "unknown"
   };
 }
+var InMemoryAuthAdapter = class {
+  users = /* @__PURE__ */ new Map();
+  sessions = /* @__PURE__ */ new Map();
+  refreshTokens = /* @__PURE__ */ new Map();
+  // refreshToken -> sessionId
+  emailToUserId = /* @__PURE__ */ new Map();
+  passwordHistory = /* @__PURE__ */ new Map();
+  // userId -> passwordHash[]
+  externalDb = false;
+  constructor() {
+  }
+  async connect() {
+  }
+  async disconnect() {
+    this.users.clear();
+    this.sessions.clear();
+    this.refreshTokens.clear();
+    this.emailToUserId.clear();
+    this.passwordHistory.clear();
+  }
+  async createUser(data) {
+    const userId = randomBytes(16).toString("hex");
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const user = {
+      id: userId,
+      email: data.email.toLowerCase(),
+      passwordHash: data.passwordHash,
+      role: data.role || "customer",
+      tenantId: data.tenantId,
+      createdAt: now,
+      updatedAt: now
+    };
+    this.users.set(userId, user);
+    this.emailToUserId.set(data.email.toLowerCase(), userId);
+    this.passwordHistory.set(userId, []);
+    return user;
+  }
+  async findUserByEmail(email) {
+    const userId = this.emailToUserId.get(email.toLowerCase());
+    if (!userId) return null;
+    return this.findUserById(userId);
+  }
+  async findUserById(userId) {
+    return this.users.get(userId) || null;
+  }
+  async updateUser(userId, data) {
+    const existing = await this.findUserById(userId);
+    if (!existing) return null;
+    const updated = {
+      ...existing,
+      ...data,
+      id: userId,
+      updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    if (data.email && data.email !== existing.email) {
+      this.emailToUserId.delete(existing.email.toLowerCase());
+      this.emailToUserId.set(data.email.toLowerCase(), userId);
+    }
+    this.users.set(userId, updated);
+    return updated;
+  }
+  async deleteUser(userId) {
+    const user = await this.findUserById(userId);
+    if (!user) return false;
+    this.users.delete(userId);
+    this.emailToUserId.delete(user.email.toLowerCase());
+    this.refreshTokens.forEach((sessionId, refreshToken) => {
+      if (this.sessions.get(sessionId)?.userId === userId) {
+        this.refreshTokens.delete(refreshToken);
+        this.sessions.delete(sessionId);
+      }
+    });
+    this.passwordHistory.delete(userId);
+    this.sessions.forEach((session, sessionId) => {
+      if (session.userId === userId) {
+        this.sessions.delete(sessionId);
+      }
+    });
+    return true;
+  }
+  async hashPassword(password) {
+    const bcrypt2 = (await import('bcryptjs')).default;
+    return bcrypt2.hash(password, 12);
+  }
+  async verifyPassword(password, hash) {
+    const bcrypt2 = (await import('bcryptjs')).default;
+    return bcrypt2.compare(password, hash);
+  }
+  async createSession(userId, data = {}) {
+    const sessionId = randomBytes(32).toString("hex");
+    const token = randomBytes(32).toString("base64url");
+    const refreshToken = randomBytes(32).toString("base64url");
+    const now = /* @__PURE__ */ new Date();
+    const session = {
+      id: sessionId,
+      userId,
+      token,
+      refreshToken,
+      expiresAt: new Date(now.getTime() + 86400 * 1e3).toISOString(),
+      // 24 hours
+      createdAt: now.toISOString(),
+      ipAddress: data.ipAddress,
+      userAgent: data.userAgent
+    };
+    this.sessions.set(sessionId, session);
+    this.refreshTokens.set(refreshToken, sessionId);
+    return session;
+  }
+  async findSessionByToken(token) {
+    return this.sessions.get(token) || null;
+  }
+  async deleteSession(sessionId) {
+    const session = this.sessions.get(sessionId);
+    if (!session) return false;
+    if (session.refreshToken) {
+      this.refreshTokens.delete(session.refreshToken);
+    }
+    this.sessions.delete(sessionId);
+    return true;
+  }
+  async deleteUserSessions(userId) {
+    let deleted = 0;
+    this.sessions.forEach((session, sessionId) => {
+      if (session.userId === userId) {
+        if (session.refreshToken) {
+          this.refreshTokens.delete(session.refreshToken);
+        }
+        this.sessions.delete(sessionId);
+        deleted++;
+      }
+    });
+    return deleted;
+  }
+  async addPasswordToHistory(userId, passwordHash) {
+    const history = this.passwordHistory.get(userId) || [];
+    history.push(passwordHash);
+    if (history.length > 5) {
+      history.splice(0, history.length - 5);
+    }
+    this.passwordHistory.set(userId, history);
+  }
+  async getPasswordHistory(userId, count = 5) {
+    return this.passwordHistory.get(userId) || [];
+  }
+  async isPasswordInHistory(password, userId, historyCount = 5) {
+    const history = await this.getPasswordHistory(userId, historyCount);
+    const bcrypt2 = (await import('bcryptjs')).default;
+    for (const hash of history) {
+      if (await bcrypt2.compare(password, hash)) {
+        return true;
+      }
+    }
+    return false;
+  }
+  async hasAnyUsers() {
+    return this.users.size > 0;
+  }
+};
+// src/auth/security/in-memory-rate-limit.ts
+var InMemoryRateLimiter = class {
+  storage = /* @__PURE__ */ new Map();
+  userStorage = /* @__PURE__ */ new Map();
+  limits;
+  userLimits;
+  constructor(limits, userLimits) {
+    this.limits = { ...DEFAULT_RATE_LIMITS2, ...limits };
+    this.userLimits = userLimits || {
+      "user:api": { window: 6e4, max: 500 },
+      "user:write": { window: 36e5, max: 100 }
+    };
+  }
+  getKey(type, identifier) {
+    return `${type}:${identifier}`;
+  }
+  getUserKey(type, userId, identifier) {
+    return `user:${type}:${userId}:${identifier}`;
+  }
+  cleanupOldEntries(entries, window) {
+    const now = Date.now();
+    const windowStart = now - window;
+    while (entries.length > 0 && entries[0].timestamp < windowStart) {
+      entries.shift();
+    }
+  }
+  async check(type, identifier) {
+    const config = this.limits[type] || this.limits["api:general"];
+    const key = this.getKey(type, identifier);
+    let entries = this.storage.get(key);
+    if (!entries) {
+      entries = [];
+      this.storage.set(key, entries);
+    }
+    this.cleanupOldEntries(entries, config.window);
+    const now = Date.now();
+    const count = entries.reduce((sum, entry) => sum + entry.count, 0);
+    entries.push({ timestamp: now, count: 1 });
+    if (count >= config.max) {
+      const oldestEntry = entries.reduce(
+        (oldest, current) => oldest.timestamp < current.timestamp ? oldest : current,
+        entries[0]
+      );
+      const resetAt = oldestEntry.timestamp + config.window;
+      return {
+        allowed: false,
+        remaining: 0,
+        resetAt,
+        retryAfter: Math.ceil((resetAt - now) / 1e3)
+      };
+    }
+    return {
+      allowed: true,
+      remaining: config.max - count - 1,
+      resetAt: now + config.window
+    };
+  }
+  async checkUser(type, userId, identifier) {
+    const config = this.userLimits[type] || this.userLimits["user:api"];
+    const userMap = this.userStorage.get(userId);
+    let entries = [];
+    if (userMap) {
+      entries = userMap.get(this.getKey(type, identifier)) || [];
+    } else {
+      if (!this.userStorage.has(userId)) {
+        this.userStorage.set(userId, /* @__PURE__ */ new Map());
+      }
+      this.userStorage.get(userId).set(this.getKey(type, identifier), entries);
+    }
+    this.cleanupOldEntries(entries, config.window);
+    const now = Date.now();
+    const count = entries.reduce((sum, entry) => sum + entry.count, 0);
+    entries.push({ timestamp: now, count: 1 });
+    if (count >= config.max) {
+      const oldestEntry = entries.reduce(
+        (oldest, current) => oldest.timestamp < current.timestamp ? oldest : current,
+        entries[0]
+      );
+      const resetAt = oldestEntry.timestamp + config.window;
+      return {
+        allowed: false,
+        remaining: 0,
+        resetAt,
+        retryAfter: Math.ceil((resetAt - now) / 1e3)
+      };
+    }
+    return {
+      allowed: true,
+      remaining: config.max - count - 1,
+      resetAt: now + config.window
+    };
+  }
+  async reset(type, identifier) {
+    const key = this.getKey(type, identifier);
+    this.storage.delete(key);
+  }
+  async resetUser(type, userId, identifier) {
+    const userMap = this.userStorage.get(userId);
+    if (userMap) {
+      const key = this.getKey(type, identifier);
+      userMap.delete(key);
+    }
+  }
+  async getStatus(type, identifier) {
+    const config = this.limits[type] || this.limits["api:general"];
+    const key = this.getKey(type, identifier);
+    let entries = this.storage.get(key);
+    if (!entries) {
+      entries = [];
+      this.storage.set(key, entries);
+    }
+    this.cleanupOldEntries(entries, config.window);
+    const now = Date.now();
+    const count = entries.reduce((sum, entry) => sum + entry.count, 0);
+    return {
+      count,
+      limit: config.max,
+      remaining: Math.max(0, config.max - count),
+      resetAt: now + config.window
+    };
+  }
+  setLimit(type, config) {
+    this.limits[type] = config;
+  }
+  setUserLimit(type, config) {
+    this.userLimits[type] = config;
+  }
+};
+var DEFAULT_RATE_LIMITS2 = {
+  "auth:login": { window: 9e5, max: 5 },
+  "auth:register": { window: 36e5, max: 3 },
+  "auth:forgot": { window: 36e5, max: 3 },
+  "auth:reset": { window: 36e5, max: 5 },
+  "auth:verify": { window: 36e5, max: 5 },
+  "api:general": { window: 6e4, max: 100 },
+  "api:authenticated": { window: 6e4, max: 200 }
+};
+// src/auth/security/in-memory-lockout.ts
+var InMemoryAccountLockout = class {
+  storage = /* @__PURE__ */ new Map();
+  history = /* @__PURE__ */ new Map();
+  // userId -> attempt timestamps
+  config;
+  constructor(config = {}) {
+    this.config = {
+      maxAttempts: 5,
+      lockDuration: 9e5,
+      // 15 minutes
+      notifyUser: true,
+      notifyAdmin: true,
+      adminNotifyAfter: 3,
+      ...config
+    };
+  }
+  async checkLockout(userId) {
+    const now = Date.now();
+    const record = this.storage.get(userId);
+    if (record && record.lockedUntil !== null && record.lockedUntil <= now) {
+      await this.resetAttempts(userId);
+      return {
+        locked: false,
+        attemptsRemaining: this.config.maxAttempts,
+        totalAttempts: 0
+      };
+    }
+    if (!record) {
+      return {
+        locked: false,
+        attemptsRemaining: this.config.maxAttempts,
+        totalAttempts: 0
+      };
+    }
+    const { attempts, lockedUntil } = record;
+    if (lockedUntil !== null && lockedUntil > now) {
+      return {
+        locked: true,
+        attemptsRemaining: 0,
+        lockedUntil: new Date(lockedUntil),
+        totalAttempts: attempts
+      };
+    }
+    return {
+      locked: false,
+      attemptsRemaining: Math.max(0, this.config.maxAttempts - attempts),
+      totalAttempts: attempts
+    };
+  }
+  async recordFailedAttempt(userId) {
+    const now = Date.now();
+    const record = this.storage.get(userId) || {
+      attempts: 0,
+      lastAttempt: null,
+      lockedAt: null,
+      lockedUntil: null
+    };
+    record.attempts += 1;
+    record.lastAttempt = now;
+    let history = this.history.get(userId) || [];
+    history.push(now);
+    if (history.length > 100) {
+      history.splice(0, history.length - 100);
+    }
+    this.history.set(userId, history);
+    this.storage.set(userId, record);
+    if (record.attempts >= this.config.maxAttempts) {
+      const lockedUntil = new Date(now + this.config.lockDuration);
+      record.lockedAt = now;
+      record.lockedUntil = lockedUntil.getTime();
+      this.storage.set(userId, record);
+      return {
+        locked: true,
+        attemptsRemaining: 0,
+        lockedUntil,
+        totalAttempts: record.attempts
+      };
+    }
+    return {
+      locked: false,
+      attemptsRemaining: Math.max(0, this.config.maxAttempts - record.attempts),
+      totalAttempts: record.attempts
+    };
+  }
+  async lockAccount(userId, duration) {
+    const now = Date.now();
+    const lockDuration = duration || this.config.lockDuration;
+    const lockedUntil = new Date(now + lockDuration);
+    const record = this.storage.get(userId) || {
+      attempts: 0,
+      lastAttempt: null,
+      lockedAt: null,
+      lockedUntil: null
+    };
+    record.attempts = this.config.maxAttempts;
+    record.lockedAt = now;
+    record.lockedUntil = lockedUntil.getTime();
+    this.storage.set(userId, record);
+  }
+  async unlockAccount(userId) {
+    await this.resetAttempts(userId);
+  }
+  async resetAttempts(userId) {
+    const record = this.storage.get(userId);
+    if (record) {
+      record.attempts = 0;
+      record.lockedAt = null;
+      record.lockedUntil = null;
+      this.storage.set(userId, record);
+    }
+    this.history.delete(userId);
+  }
+  async getLockoutHistory(userId, limit = 10) {
+    const history = this.history.get(userId) || [];
+    return history.slice(-limit).reverse().map((timestamp) => new Date(timestamp));
+  }
+  async getLockoutStats(userId) {
+    const history = this.history.get(userId) || [];
+    const totalFailedAttempts = history.length;
+    const lockoutCount = Math.floor(
+      totalFailedAttempts / this.config.maxAttempts
+    );
+    let lastLockout = null;
+    const record = this.storage.get(userId);
+    if (record && record.lockedAt !== null) {
+      lastLockout = new Date(record.lockedAt);
+    }
+    const averageAttemptsBeforeLockout = lockoutCount > 0 ? this.config.maxAttempts : 0;
+    return {
+      totalFailedAttempts,
+      lockoutCount,
+      lastLockout,
+      averageAttemptsBeforeLockout
+    };
+  }
+  shouldNotifyAdmin(currentAttempts) {
+    return this.config.notifyAdmin && currentAttempts >= this.config.adminNotifyAfter;
+  }
+  getConfig() {
+    return { ...this.config };
+  }
+  setConfig(config) {
+    this.config = { ...this.config, ...config };
+  }
+};
+var InMemoryAuditLogger = class {
+  logs = [];
+  retentionDays;
+  constructor(retentionDays = DEFAULT_RETENTION_CONFIG.retentionDays) {
+    this.retentionDays = retentionDays;
+  }
+  async log(data) {
+    const id = randomBytes(16).toString("hex");
+    const timestamp = /* @__PURE__ */ new Date();
+    const log = {
+      ...data,
+      id,
+      timestamp
+    };
+    this.logs.push(log);
+    this.cleanupOldLogs();
+    return id;
+  }
+  async get(id) {
+    return this.logs.find((log) => log.id === id) || null;
+  }
+  async query(filter = {}) {
+    const { limit = 50, offset = 0 } = filter;
+    let filteredLogs = [...this.logs];
+    if (filter.userId) {
+      filteredLogs = filteredLogs.filter((log) => log.userId === filter.userId);
+    }
+    if (filter.action) {
+      const actions = Array.isArray(filter.action) ? filter.action : [filter.action];
+      filteredLogs = filteredLogs.filter((log) => actions.includes(log.action));
+    }
+    if (filter.resource) {
+      filteredLogs = filteredLogs.filter(
+        (log) => log.resource === filter.resource
+      );
+    }
+    if (filter.resourceId) {
+      filteredLogs = filteredLogs.filter(
+        (log) => log.resourceId === filter.resourceId
+      );
+    }
+    if (filter.success !== void 0) {
+      filteredLogs = filteredLogs.filter(
+        (log) => log.success === filter.success
+      );
+    }
+    const startDate = filter.startDate;
+    const endDate = filter.endDate;
+    if (startDate !== void 0) {
+      filteredLogs = filteredLogs.filter((log) => log.timestamp >= startDate);
+    }
+    if (endDate !== void 0) {
+      filteredLogs = filteredLogs.filter((log) => log.timestamp <= endDate);
+    }
+    filteredLogs.sort((a, b) => b.timestamp.getTime() - a.timestamp.getTime());
+    const total = filteredLogs.length;
+    const paginatedLogs = filteredLogs.slice(offset, offset + limit);
+    return { logs: paginatedLogs, total };
+  }
+  async getRecent(limit = 50) {
+    const cutoffDate = new Date(Date.now() - 7 * 24 * 60 * 60 * 1e3);
+    const recentLogs = this.logs.filter((log) => log.timestamp >= cutoffDate).sort((a, b) => b.timestamp.getTime() - a.timestamp.getTime()).slice(0, limit);
+    return recentLogs;
+  }
+  async getUserActivity(userId, limit = 50) {
+    const userLogs = this.logs.filter((log) => log.userId === userId).sort((a, b) => b.timestamp.getTime() - a.timestamp.getTime()).slice(0, limit);
+    return userLogs;
+  }
+  async getStats(startDate, endDate) {
+    const start = startDate || new Date(Date.now() - 30 * 24 * 60 * 60 * 1e3);
+    const end = endDate || /* @__PURE__ */ new Date();
+    const filteredLogs = this.logs.filter(
+      (log) => log.timestamp >= start && log.timestamp <= end
+    );
+    const byAction = {};
+    let totalEvents = 0;
+    let failedLogins = 0;
+    let successCount = 0;
+    const uniqueUsers = /* @__PURE__ */ new Set();
+    for (const log of filteredLogs) {
+      totalEvents++;
+      const action = log.action;
+      byAction[action] = (byAction[action] || 0) + 1;
+      if (log.success) {
+        successCount++;
+      }
+      if (log.action === "login_failed") {
+        failedLogins++;
+      }
+      if (log.userId) {
+        uniqueUsers.add(log.userId);
+      }
+    }
+    return {
+      totalEvents,
+      byAction,
+      successRate: totalEvents > 0 ? successCount / totalEvents : 1,
+      failedLogins,
+      uniqueUsers
+    };
+  }
+  async cleanup() {
+    const cutoffDate = new Date(
+      Date.now() - this.retentionDays * 24 * 60 * 60 * 1e3
+    );
+    const initialCount = this.logs.length;
+    this.logs = this.logs.filter((log) => log.timestamp >= cutoffDate);
+    return initialCount - this.logs.length;
+  }
+  cleanupOldLogs() {
+    const cutoffDate = new Date(
+      Date.now() - this.retentionDays * 24 * 60 * 60 * 1e3
+    );
+    this.logs.length;
+    this.logs = this.logs.filter((log) => log.timestamp >= cutoffDate);
+  }
+};
+function createAuditContext2(req) {
+  return {
+    ipAddress: req.headers.get("x-forwarded-for")?.split(",")[0]?.trim() || req.headers.get("x-real-ip") || "unknown",
+    userAgent: req.headers.get("user-agent") || "unknown"
+  };
+}
 function defaultExtractToken(req) {
   const authHeader = req.headers.get("Authorization");
   if (authHeader?.startsWith("Bearer ")) {
@@ -2794,7 +3091,7 @@ function generateToken(payload, secret, options = {}) {
 // src/api/rest/auth-routes.ts
 var AuthRoutes = class {
-  redis;
+  authAdapter;
   email;
   jwtSecret;
   jwtExpiresIn;
@@ -2807,7 +3104,7 @@ var AuthRoutes = class {
   baseUrl;
   emailVerificationRequired;
   constructor(config) {
-    this.redis = config.redis;
+    this.authAdapter = config.redis;
     this.email = config.email;
     this.jwtSecret = config.jwtSecret;
     this.jwtExpiresIn = config.jwtExpiresIn || "24h";
@@ -2821,7 +3118,7 @@ var AuthRoutes = class {
     this.emailVerificationRequired = config.emailVerificationRequired ?? true;
   }
   async register(req) {
-    const { ipAddress, userAgent } = createAuditContext(req);
+    const { ipAddress, userAgent } = createAuditContext2(req);
     if (this.rateLimiter) {
       const limit = await this.rateLimiter.check("auth:register", ipAddress);
       if (!limit.allowed) {
@@ -2840,12 +3137,12 @@ var AuthRoutes = class {
       if (!passwordValidation.valid) {
         return this.errorResponse(passwordValidation.errors.join(". "), 400);
       }
-      const existingUser = await this.redis.findUserByEmail(body.email);
+      const existingUser = await this.authAdapter.findUserByEmail(body.email);
       if (existingUser) {
         return this.errorResponse("Email already registered", 400);
       }
-      const passwordHash = await this.redis.hashPassword(body.password);
-      const user = await this.redis.createUser({
+      const passwordHash = await this.authAdapter.hashPassword(body.password);
+      const user = await this.authAdapter.createUser({
         email: body.email,
         passwordHash,
         role: body.role || "customer",
@@ -2854,7 +3151,7 @@ var AuthRoutes = class {
       if (this.emailVerificationRequired && this.email) {
         const verificationToken = randomBytes(32).toString("hex");
         const verificationUrl = `${this.baseUrl}/api/auth/verify?token=${verificationToken}`;
-        await this.redis.createSession(user.id, { ipAddress, userAgent });
+        await this.authAdapter.createSession(user.id, { ipAddress, userAgent });
         const template = this.email.getTemplates().verifyEmail(verificationUrl, body.email);
         await this.email.send({ to: body.email, ...template });
       }
@@ -2883,7 +3180,7 @@ var AuthRoutes = class {
     }
   }
   async login(req) {
-    const { ipAddress, userAgent } = createAuditContext(req);
+    const { ipAddress, userAgent } = createAuditContext2(req);
     if (this.rateLimiter) {
       const limit = await this.rateLimiter.check("auth:login", ipAddress);
       if (!limit.allowed) {
@@ -2895,7 +3192,7 @@ var AuthRoutes = class {
       if (!body.email || !body.password) {
         return this.errorResponse("Email and password are required", 400);
       }
-      const user = await this.redis.findUserByEmail(body.email);
+      const user = await this.authAdapter.findUserByEmail(body.email);
       if (!user) {
         await this.recordFailedLogin(ipAddress, userAgent);
         return this.errorResponse("Invalid credentials", 401);
@@ -2921,7 +3218,10 @@ var AuthRoutes = class {
           );
         }
       }
-      const validPassword = user.passwordHash ? await this.redis.verifyPassword(body.password, user.passwordHash) : false;
+      const validPassword = user.passwordHash ? await this.authAdapter.verifyPassword(
+        body.password,
+        user.passwordHash
+      ) : false;
       if (!validPassword) {
         await this.recordFailedLogin(ipAddress, userAgent, user.id, user.email);
         return this.errorResponse("Invalid credentials", 401);
@@ -2929,7 +3229,7 @@ var AuthRoutes = class {
       if (this.lockout) {
         await this.lockout.resetAttempts(user.id);
       }
-      const session = await this.redis.createSession(user.id, {
+      const session = await this.authAdapter.createSession(user.id, {
         ipAddress,
         userAgent
       });
@@ -2958,7 +3258,7 @@ var AuthRoutes = class {
           success: true
         });
       }
-      await this.redis.updateUser(user.id, {
+      await this.authAdapter.updateUser(user.id, {
         lastLogin: (/* @__PURE__ */ new Date()).toISOString()
       });
       return this.jsonResponse({
@@ -2977,11 +3277,11 @@ var AuthRoutes = class {
     if (!token) {
       return this.errorResponse("No session to logout", 401);
     }
-    const { ipAddress, userAgent } = createAuditContext(req);
+    const { ipAddress, userAgent } = createAuditContext2(req);
     try {
       const payload = jwt2.decode(token);
       if (payload && payload.sub) {
-        await this.redis.deleteUserSessions(payload.sub);
+        await this.authAdapter.deleteUserSessions(payload.sub);
         if (this.auditLogger) {
           await this.auditLogger.log({
             action: "logout",
@@ -3024,7 +3324,7 @@ var AuthRoutes = class {
         issuer: this.jwtIssuer,
         audience: this.jwtAudience
       });
-      const user = await this.redis.findUserById(payload.sub);
+      const user = await this.authAdapter.findUserById(payload.sub);
       if (!user) {
         return this.errorResponse("User not found", 404);
       }
@@ -3041,7 +3341,7 @@ var AuthRoutes = class {
     if (!token) {
       return this.errorResponse("Not authenticated", 401);
     }
-    const { ipAddress, userAgent } = createAuditContext(req);
+    const { ipAddress, userAgent } = createAuditContext2(req);
     try {
       const payload = jwt2.verify(token, this.jwtSecret);
       const body = await req.json();
@@ -3056,16 +3356,22 @@ var AuthRoutes = class {
       if (!passwordValidation.valid) {
         return this.errorResponse(passwordValidation.errors.join(". "), 400);
       }
-      const user = await this.redis.findUserById(payload.sub);
+      const user = await this.authAdapter.findUserById(payload.sub);
       if (!user) {
         return this.errorResponse("User not found", 404);
       }
-      const validPassword = user.passwordHash ? await this.redis.verifyPassword(currentPassword, user.passwordHash) : false;
+      const validPassword = user.passwordHash ? await this.authAdapter.verifyPassword(
+        currentPassword,
+        user.passwordHash
+      ) : false;
       if (!validPassword) {
         return this.errorResponse("Current password is incorrect", 401);
       }
-      const passwordHistory = await this.redis.getPasswordHistory(user.id, 5);
-      const isReused = await this.redis.isPasswordInHistory(
+      const passwordHistory = await this.authAdapter.getPasswordHistory?.(
+        user.id,
+        5
+      );
+      const isReused = await this.authAdapter.isPasswordInHistory?.(
         newPassword,
         user.id,
         5
@@ -3076,12 +3382,17 @@ var AuthRoutes = class {
           400
         );
       }
-      const newPasswordHash = await this.redis.hashPassword(newPassword);
+      const newPasswordHash = await this.authAdapter.hashPassword(newPassword);
       if (user.passwordHash) {
-        await this.redis.addPasswordToHistory(user.id, user.passwordHash);
+        await this.authAdapter.addPasswordToHistory?.(
+          user.id,
+          user.passwordHash
+        );
       }
-      await this.redis.updateUser(user.id, { passwordHash: newPasswordHash });
-      await this.redis.deleteUserSessions(user.id);
+      await this.authAdapter.updateUser(user.id, {
+        passwordHash: newPasswordHash
+      });
+      await this.authAdapter.deleteUserSessions(user.id);
       if (this.email && this.email.getTemplates) {
         const template = this.email.getTemplates().passwordChanged(user.email);
         await this.email.send({ to: user.email, ...template });
@@ -3106,7 +3417,7 @@ var AuthRoutes = class {
     }
   }
   async forgotPassword(req) {
-    const { ipAddress, userAgent } = createAuditContext(req);
+    const { ipAddress, userAgent } = createAuditContext2(req);
     if (this.rateLimiter) {
       const limit = await this.rateLimiter.check("auth:forgot", ipAddress);
       if (!limit.allowed) {
@@ -3119,7 +3430,7 @@ var AuthRoutes = class {
       if (!email) {
         return this.errorResponse("Email required", 400);
       }
-      const user = await this.redis.findUserByEmail(email);
+      const user = await this.authAdapter.findUserByEmail(email);
       if (!user) {
         return this.jsonResponse({
           success: true,
@@ -3232,20 +3543,69 @@ function getEnvNum(key, fallback = 0) {
   if (!val) return fallback;
   return parseInt(val, 10);
 }
-async function createAuthConfig() {
-  const redisUrl = getEnv("REDIS_URL", "redis://localhost:6379");
-  const redisKeyPrefix = getEnv("REDIS_KEY_PREFIX", "kyro:auth:");
-  const redisSessionTTL = getEnvNum("REDIS_SESSION_TTL", 86400);
-  const redisRefreshTTL = getEnvNum("REDIS_REFRESH_TOKEN_TTL", 604800);
-  const redisAdapter = new RedisAuthAdapter({
-    url: redisUrl,
-    keyPrefix: redisKeyPrefix,
-    tokenExpiration: redisSessionTTL,
-    refreshTokenExpiration: redisRefreshTTL,
-    tls: getEnvBool("REDIS_TLS", false)
-  });
-  await redisAdapter.connect();
-  const redisClient = redisAdapter.redis;
+function detectDatabaseType() {
+  const envDb = process.env.KYRO_AUTH_DATABASE?.toLowerCase();
+  if (envDb && ["sqlite", "postgres", "mysql", "mongodb", "memory"].includes(envDb)) {
+    return envDb;
+  }
+  try {
+    const { readFileSync } = __require("fs");
+    const { join } = __require("path");
+    const configPath = join(process.cwd(), "kyro.config.ts");
+    const configContent = readFileSync(configPath, "utf8");
+    if (configContent.includes("createLocalAdapter")) {
+      return "sqlite";
+    } else if (configContent.includes("createDrizzleAdapter")) {
+      if (configContent.includes("postgres") || configContent.includes("postgresql")) {
+        return "postgres";
+      } else if (configContent.includes("mysql")) {
+        return "mysql";
+      }
+      return "postgres";
+    } else if (configContent.includes("createMongoDBAdapter")) {
+      return "mongodb";
+    }
+  } catch {
+  }
+  return "memory";
+}
+async function createAuthAdapter(databaseType) {
+  switch (databaseType) {
+    case "sqlite":
+      return new SQLiteAuthAdapter({
+        path: getEnv("KYRO_AUTH_DB_PATH", "./data/auth.db")
+      });
+    case "postgres":
+    case "mysql":
+      return new SQLiteAuthAdapter({
+        path: getEnv("KYRO_AUTH_DB_PATH", "./data/auth.db")
+      });
+    case "mongodb":
+      return new SQLiteAuthAdapter({
+        path: getEnv("KYRO_AUTH_DB_PATH", "./data/auth.db")
+      });
+    case "memory":
+    default:
+      return new InMemoryAuthAdapter();
+  }
+}
+async function createAuthConfig(databaseType) {
+  const distributed = getEnvBool("KYRO_DISTRIBUTED", false);
+  let authAdapter;
+  if (distributed) {
+    const { RedisAuthAdapter: RedisAuthAdapter2 } = await import('./redis-adapter-4YDY4LWE.js');
+    const redisUrl = getEnv("REDIS_URL", "redis://localhost:6379");
+    const redisTls = getEnvBool("REDIS_TLS", false);
+    const redisAdapter = new RedisAuthAdapter2({ url: redisUrl, tls: redisTls });
+    await redisAdapter.connect?.();
+    authAdapter = redisAdapter;
+  } else {
+    const initialDbType = databaseType || detectDatabaseType();
+    authAdapter = await createAuthAdapter(initialDbType);
+    if (authAdapter.connect) {
+      await authAdapter.connect();
+    }
+  }
   const emailConfig = getEmailConfig();
   const email = emailConfig ? new EmailTransport(emailConfig) : void 0;
   const passwordPolicy = new PasswordPolicy({
@@ -3258,14 +3618,15 @@ async function createAuthConfig() {
     maxLength: getEnvNum("PASSWORD_MAX_LENGTH", 128)
   });
   let lockout;
-  if (getEnvBool("LOCKOUT_ENABLED", true)) {
+  let rateLimiter;
+  let auditLogger;
+  if (distributed) {
+    const redis = authAdapter;
+    const redisClient = redis.redis;
     lockout = new AccountLockout(redisClient, {
       maxAttempts: getEnvNum("LOCKOUT_MAX_ATTEMPTS", 5),
       lockDuration: getEnvNum("LOCKOUT_DURATION_MINUTES", 15) * 60 * 1e3
     });
-  }
-  let rateLimiter;
-  if (getEnvBool("RATE_LIMIT_ENABLED", true)) {
     rateLimiter = new RateLimiter(redisClient, {
       "auth:login": {
         window: getEnvNum("RATE_LIMIT_AUTH_WINDOW_MS", 9e5),
@@ -3276,16 +3637,29 @@ async function createAuthConfig() {
         max: getEnvNum("RATE_LIMIT_MAX_REQUESTS", 100)
       }
     });
-  }
-  let auditLogger;
-  if (getEnvBool("AUDIT_LOG_ENABLED", true)) {
     auditLogger = new AuditLogger(
       redisClient,
       getEnvNum("AUDIT_LOG_RETENTION_DAYS", 30)
     );
+  } else {
+    lockout = new InMemoryAccountLockout({
+      maxAttempts: getEnvNum("LOCKOUT_MAX_ATTEMPTS", 5),
+      lockDuration: getEnvNum("LOCKOUT_DURATION_MINUTES", 15) * 60 * 1e3
+    });
+    rateLimiter = new InMemoryRateLimiter({
+      "auth:login": {
+        window: getEnvNum("RATE_LIMIT_AUTH_WINDOW_MS", 9e5),
+        max: getEnvNum("RATE_LIMIT_AUTH_MAX_REQUESTS", 10)
+      },
+      "api:general": {
+        window: getEnvNum("RATE_LIMIT_WINDOW_MS", 6e4),
+        max: getEnvNum("RATE_LIMIT_MAX_REQUESTS", 100)
+      }
+    });
+    auditLogger = getEnvBool("AUDIT_LOG_ENABLED", true) ? new InMemoryAuditLogger(getEnvNum("AUDIT_LOG_RETENTION_DAYS", 30)) : void 0;
   }
   const routes = new AuthRoutes({
-    redis: redisAdapter,
+    redis: authAdapter,
     email,
     jwtSecret: getEnv("JWT_SECRET", "change-me"),
     jwtExpiresIn: getEnv("JWT_EXPIRES_IN", "24h"),
@@ -3298,9 +3672,10 @@ async function createAuthConfig() {
     baseUrl: getEnv("EMAIL_BASE_URL", "http://localhost:4321"),
     emailVerificationRequired: getEnvBool("EMAIL_VERIFICATION_REQUIRED", true)
   });
+  const actualDbType = distributed ? "distributed" : databaseType || detectDatabaseType();
   return {
-    redis: redisAdapter,
-    redisClient,
+    authAdapter,
+    databaseType: actualDbType,
     email,
     passwordPolicy,
     lockout,
@@ -3490,7 +3865,7 @@ var Auth = class {
     return jwt2.sign(payload, this.config.secret, signOptions);
   }
   async hashPassword(password) {
-    return bcrypt2.hash(password, this.config.saltRounds);
+    return bcrypt.hash(password, this.config.saltRounds);
   }
   parseExpiresIn(value) {
     if (typeof value === "number") return value;
@@ -3691,6 +4066,6 @@ function defineConfig(config) {
   };
 }
-export { ALL_FIELD_TYPES, AccountLockout, AnalyticsPlugin, AuditLogger, Auth, COMPLEX_FIELD_TYPES, CSSGenerator, CommentsPlugin, ConfigValidationError, Kyro, KyroPlugin, LAYOUT_FIELD_TYPES, LocalAdapter, PRIMITIVE_FIELD_TYPES, PluginManager, RELATIONAL_FIELD_TYPES, RateLimiter, Registry, ReviewsPlugin, SEOPLugin, SQLiteAuthAdapter, VersionManager, WishlistPlugin, authConfig, collectionToCreateZod, collectionToUpdateZod, collectionToWhereZod, collectionToZod, createAdminStyling, createAuditContext, createAuth, createAuthConfig, createKyro, createLocalAdapter, createRegistry, createVersionManager, defaultDarkTheme, defaultFieldStyling, defaultLightTheme, defineConfig, ecommerce2026Theme, fieldToZod, generateCSSVariables, generateTailwindConfig, getDefaultDraftPublishConfig, getRegistry, globalToZod, isArchived, isArrayField, isBlocksField, isDraft, isGroupField, isLayoutField, isNumberField, isPublished, isRelationshipField, isRichTextField, isSelectField, isTextField, isUploadField, presetPlugins, resetRegistry, runFieldHooks, runHooks, validateCollection, validateConfig, validateFields, validateGlobal };
+export { ALL_FIELD_TYPES, AccountLockout, AnalyticsPlugin, AuditLogger, Auth, COMPLEX_FIELD_TYPES, CSSGenerator, CommentsPlugin, ConfigValidationError, InMemoryAccountLockout, InMemoryAuditLogger, InMemoryAuthAdapter, InMemoryRateLimiter, Kyro, KyroPlugin, LAYOUT_FIELD_TYPES, LocalAdapter, PRIMITIVE_FIELD_TYPES, PluginManager, RELATIONAL_FIELD_TYPES, RateLimiter, Registry, ReviewsPlugin, SEOPLugin, VersionManager, WishlistPlugin, authConfig, collectionToCreateZod, collectionToUpdateZod, collectionToWhereZod, collectionToZod, createAdminStyling, createAuditContext, createAuth, createAuthConfig, createKyro, createLocalAdapter, createRegistry, createVersionManager, defaultDarkTheme, defaultFieldStyling, defaultLightTheme, defineConfig, ecommerce2026Theme, fieldToZod, generateCSSVariables, generateTailwindConfig, getDefaultDraftPublishConfig, getRegistry, globalToZod, isArchived, isArrayField, isBlocksField, isDraft, isGroupField, isLayoutField, isNumberField, isPublished, isRelationshipField, isRichTextField, isSelectField, isTextField, isUploadField, presetPlugins, resetRegistry, runFieldHooks, runHooks, validateCollection, validateConfig, validateFields, validateGlobal };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map