@kyro-cms/core 0.1.4 → 0.1.6

package/dist/{chunk-I4BORBXT.cjs → chunk-3EVLFWH2.cjs}

@@ -1,63 +1,283 @@
 'use strict';
 
-var Redis2 = require('ioredis');
 var bcrypt = require('bcryptjs');
 var crypto = require('crypto');
+var fs = require('fs');
+var path = require('path');
 var nodemailer = require('nodemailer');
 
 function _interopDefault (e) { return e && e.__esModule ? e : { default: e }; }
 
-var Redis2__default = /*#__PURE__*/_interopDefault(Redis2);
 var bcrypt__default = /*#__PURE__*/_interopDefault(bcrypt);
 var nodemailer__default = /*#__PURE__*/_interopDefault(nodemailer);
 
-// src/auth/bootstrap.ts
-var DEFAULT_PREFIX = "kyro:auth:";
-var DEFAULT_TOKEN_EXPIRATION = 86400;
-var DEFAULT_REFRESH_EXPIRATION = 604800;
-var RedisAuthAdapter = class {
-  redis;
-  prefix;
-  tokenExpiration;
-  refreshExpiration;
+// src/auth/sqlite-adapter.ts
+var DEFAULT_BUSY_TIMEOUT = 5e3;
+var DEFAULT_WAL_CHECKPOINT = 1e3;
+var DEFAULT_CACHE_SIZE = -64e3;
+var DEFAULT_MMAP_SIZE = 268435456;
+var SQLiteAuthAdapter = class {
+  db = null;
+  path;
+  saltRounds;
+  externalDb;
+  busyTimeout;
+  walAutoCheckpoint;
+  cacheSize;
+  mmapSize;
+  preparedStatements = /* @__PURE__ */ new Map();
   constructor(options = {}) {
-    const url = options.url || `redis://${options.host || "localhost"}:${options.port || 6379}`;
-    this.redis = new Redis2__default.default(url, {
-      password: options.password,
-      db: options.db,
-      lazyConnect: true,
-      tls: options.tls ? {} : void 0
-    });
-    this.prefix = options.keyPrefix || DEFAULT_PREFIX;
-    this.tokenExpiration = options.tokenExpiration || DEFAULT_TOKEN_EXPIRATION;
-    this.refreshExpiration = options.refreshTokenExpiration || DEFAULT_REFRESH_EXPIRATION;
+    this.path = options.path || "./data/auth.db";
+    this.saltRounds = options.saltRounds || 12;
+    this.externalDb = !!options.db;
+    this.busyTimeout = options.busyTimeout ?? DEFAULT_BUSY_TIMEOUT;
+    this.walAutoCheckpoint = options.walAutoCheckpoint ?? DEFAULT_WAL_CHECKPOINT;
+    this.cacheSize = options.cacheSize ?? DEFAULT_CACHE_SIZE;
+    this.mmapSize = options.mmapSize ?? DEFAULT_MMAP_SIZE;
+    if (options.db) {
+      this.db = options.db;
+    }
   }
   async connect() {
-    await this.redis.connect();
+    if (this.db) return;
+    const dir = path.dirname(this.path);
+    if (dir && dir !== ".") {
+      fs.mkdirSync(dir, { recursive: true });
+    }
+    const Database = (await import('better-sqlite3')).default;
+    this.db = new Database(this.path, {
+      timeout: this.busyTimeout
+    });
+    this.db.pragma("journal_mode = WAL");
+    this.db.pragma("synchronous = NORMAL");
+    this.db.pragma("cache_size = " + this.cacheSize);
+    this.db.pragma("mmap_size = " + this.mmapSize);
+    this.db.pragma("wal_autocheckpoint = " + this.walAutoCheckpoint);
+    this.db.pragma("foreign_keys = ON");
+    this.db.pragma("temp_store = MEMORY");
+    this.ensureTables();
+    this.prepareStatements();
   }
   async disconnect() {
-    await this.redis.quit();
+    if (this.db && !this.externalDb) {
+      this.db.pragma("wal_checkpoint(TRUNCATE)");
+      this.db.close();
+      this.db = null;
+      this.preparedStatements.clear();
+    }
+  }
+  ensureTables() {
+    if (!this.db) return;
+    this.db.exec(`
+      CREATE TABLE IF NOT EXISTS kyro_users (
+        id TEXT PRIMARY KEY,
+        email TEXT UNIQUE NOT NULL,
+        password_hash TEXT NOT NULL,
+        role TEXT NOT NULL DEFAULT 'customer',
+        tenant_id TEXT,
+        email_verified INTEGER DEFAULT 0,
+        locked INTEGER DEFAULT 0,
+        last_login TEXT,
+        failed_login_attempts INTEGER DEFAULT 0,
+        locked_until TEXT,
+        created_at TEXT NOT NULL,
+        updated_at TEXT NOT NULL
+      );
+
+      CREATE TABLE IF NOT EXISTS kyro_sessions (
+        id TEXT PRIMARY KEY,
+        user_id TEXT NOT NULL,
+        token TEXT NOT NULL,
+        refresh_token TEXT,
+        expires_at TEXT NOT NULL,
+        created_at TEXT NOT NULL,
+        ip_address TEXT,
+        user_agent TEXT,
+        FOREIGN KEY (user_id) REFERENCES kyro_users(id) ON DELETE CASCADE
+      );
+
+      CREATE TABLE IF NOT EXISTS kyro_password_history (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        user_id TEXT NOT NULL,
+        password_hash TEXT NOT NULL,
+        created_at TEXT NOT NULL,
+        FOREIGN KEY (user_id) REFERENCES kyro_users(id) ON DELETE CASCADE
+      );
+
+      CREATE TABLE IF NOT EXISTS kyro_rate_limits (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        key TEXT NOT NULL,
+        window_start INTEGER NOT NULL,
+        count INTEGER NOT NULL DEFAULT 1,
+        UNIQUE(key, window_start)
+      );
+
+      CREATE TABLE IF NOT EXISTS kyro_lockouts (
+        user_id TEXT PRIMARY KEY,
+        attempts INTEGER NOT NULL DEFAULT 0,
+        last_attempt INTEGER,
+        locked_at INTEGER,
+        locked_until INTEGER
+      );
+
+      CREATE TABLE IF NOT EXISTS kyro_audit_logs (
+        id TEXT PRIMARY KEY,
+        timestamp TEXT NOT NULL,
+        action TEXT NOT NULL,
+        user_id TEXT,
+        user_email TEXT,
+        role TEXT,
+        resource TEXT NOT NULL,
+        resource_id TEXT,
+        ip_address TEXT,
+        user_agent TEXT,
+        success INTEGER NOT NULL,
+        error TEXT,
+        metadata TEXT,
+        created_at TEXT NOT NULL DEFAULT (datetime('now'))
+      );
+
+      CREATE INDEX IF NOT EXISTS idx_kyro_users_email ON kyro_users(email);
+      CREATE INDEX IF NOT EXISTS idx_kyro_sessions_user_id ON kyro_sessions(user_id);
+      CREATE INDEX IF NOT EXISTS idx_kyro_sessions_token ON kyro_sessions(token);
+      CREATE INDEX IF NOT EXISTS idx_kyro_sessions_refresh_token ON kyro_sessions(refresh_token);
+      CREATE INDEX IF NOT EXISTS idx_kyro_sessions_expires ON kyro_sessions(expires_at);
+      CREATE INDEX IF NOT EXISTS idx_kyro_password_history_user_id ON kyro_password_history(user_id);
+      CREATE INDEX IF NOT EXISTS idx_kyro_rate_limits_key ON kyro_rate_limits(key);
+      CREATE INDEX IF NOT EXISTS idx_kyro_rate_limits_window ON kyro_rate_limits(window_start);
+      CREATE INDEX IF NOT EXISTS idx_kyro_lockouts_locked_until ON kyro_lockouts(locked_until);
+      CREATE INDEX IF NOT EXISTS idx_kyro_audit_logs_timestamp ON kyro_audit_logs(timestamp);
+      CREATE INDEX IF NOT EXISTS idx_kyro_audit_logs_action ON kyro_audit_logs(action);
+      CREATE INDEX IF NOT EXISTS idx_kyro_audit_logs_user_id ON kyro_audit_logs(user_id);
+      CREATE INDEX IF NOT EXISTS idx_kyro_audit_logs_resource ON kyro_audit_logs(resource);
+    `);
   }
-  userKey(userId) {
-    return `${this.prefix}users:${userId}`;
+  prepareStatements() {
+    if (!this.db) return;
+    this.preparedStatements.set(
+      "findUserByEmail",
+      this.db.prepare("SELECT * FROM kyro_users WHERE email = ?")
+    );
+    this.preparedStatements.set(
+      "findUserById",
+      this.db.prepare("SELECT * FROM kyro_users WHERE id = ?")
+    );
+    this.preparedStatements.set(
+      "findSessionByToken",
+      this.db.prepare("SELECT * FROM kyro_sessions WHERE token = ?")
+    );
+    this.preparedStatements.set(
+      "findSessionByRefreshToken",
+      this.db.prepare("SELECT * FROM kyro_sessions WHERE refresh_token = ?")
+    );
+    this.preparedStatements.set(
+      "deleteSession",
+      this.db.prepare("DELETE FROM kyro_sessions WHERE id = ? OR token = ?")
+    );
+    this.preparedStatements.set(
+      "deleteUserSessions",
+      this.db.prepare("DELETE FROM kyro_sessions WHERE user_id = ?")
+    );
+    this.preparedStatements.set(
+      "countUsers",
+      this.db.prepare("SELECT COUNT(*) as count FROM kyro_users")
+    );
+    this.preparedStatements.set(
+      "deleteUser",
+      this.db.prepare("DELETE FROM kyro_users WHERE id = ?")
+    );
+    this.preparedStatements.set(
+      "getPasswordHistory",
+      this.db.prepare(
+        "SELECT password_hash FROM kyro_password_history WHERE user_id = ? ORDER BY created_at DESC LIMIT ?"
+      )
+    );
+    this.preparedStatements.set(
+      "addPasswordHistory",
+      this.db.prepare(
+        "INSERT INTO kyro_password_history (user_id, password_hash, created_at) VALUES (?, ?, ?)"
+      )
+    );
+    this.preparedStatements.set(
+      "trimPasswordHistory",
+      this.db.prepare(
+        `DELETE FROM kyro_password_history WHERE id IN (
+          SELECT id FROM kyro_password_history WHERE user_id = ? ORDER BY created_at DESC LIMIT -1 OFFSET 5
+        )`
+      )
+    );
+    this.preparedStatements.set(
+      "deleteExpiredSessions",
+      this.db.prepare("DELETE FROM kyro_sessions WHERE expires_at < ?")
+    );
+    this.preparedStatements.set(
+      "cleanupOldAuditLogs",
+      this.db.prepare("DELETE FROM kyro_audit_logs WHERE timestamp < ?")
+    );
+    this.preparedStatements.set(
+      "cleanupExpiredLockouts",
+      this.db.prepare(
+        "UPDATE kyro_lockouts SET attempts = 0, locked_at = NULL, locked_until = NULL WHERE locked_until < ?"
+      )
+    );
+    this.preparedStatements.set(
+      "getLockout",
+      this.db.prepare("SELECT * FROM kyro_lockouts WHERE user_id = ?")
+    );
+    this.preparedStatements.set(
+      "upsertLockout",
+      this.db.prepare(`
+        INSERT INTO kyro_lockouts (user_id, attempts, last_attempt, locked_at, locked_until)
+        VALUES (?, ?, ?, ?, ?)
+        ON CONFLICT(user_id) DO UPDATE SET
+          attempts = excluded.attempts,
+          last_attempt = excluded.last_attempt,
+          locked_at = excluded.locked_at,
+          locked_until = excluded.locked_until
+      `)
+    );
+    this.preparedStatements.set(
+      "resetLockout",
+      this.db.prepare(
+        "UPDATE kyro_lockouts SET attempts = 0, locked_at = NULL, locked_until = NULL WHERE user_id = ?"
+      )
+    );
   }
-  sessionKey(sessionId) {
-    return `${this.prefix}sessions:${sessionId}`;
+  stmt(name) {
+    const stmt = this.preparedStatements.get(name);
+    if (!stmt) throw new Error(`Prepared statement not found: ${name}`);
+    return stmt;
   }
-  refreshKey(token) {
-    return `${this.prefix}refresh:${token}`;
+  async cleanupExpiredSessions() {
+    if (!this.db) throw new Error("Not connected");
+    const result = this.stmt("deleteExpiredSessions").run(
+      (/* @__PURE__ */ new Date()).toISOString()
+    );
+    return result.changes;
   }
-  userByEmailKey(email) {
-    return `${this.prefix}users:email:${email.toLowerCase()}`;
+  async cleanupOldAuditLogs(retentionDays = 30) {
+    if (!this.db) throw new Error("Not connected");
+    const cutoff = new Date(
+      Date.now() - retentionDays * 24 * 60 * 60 * 1e3
+    ).toISOString();
+    const result = this.stmt("cleanupOldAuditLogs").run(cutoff);
+    return result.changes;
   }
-  passwordHistoryKey(userId) {
-    return `${this.prefix}users:${userId}:password_history`;
+  async getStats() {
+    if (!this.db) throw new Error("Not connected");
+    const userCount = this.stmt("countUsers").get().count;
+    const activeSessionCount = this.db.prepare(
+      "SELECT COUNT(*) as count FROM kyro_sessions WHERE expires_at > ?"
+    ).get((/* @__PURE__ */ new Date()).toISOString()).count;
+    const auditLogCount = this.db.prepare("SELECT COUNT(*) as count FROM kyro_audit_logs").get().count;
+    return { userCount, activeSessionCount, auditLogCount };
   }
   async createUser(data) {
-    const userId = crypto.randomBytes(16).toString("hex");
+    if (!this.db) throw new Error("Not connected");
+    const id = crypto.randomBytes(16).toString("hex");
     const now = (/* @__PURE__ */ new Date()).toISOString();
     const user = {
-      id: userId,
+      id,
       email: data.email.toLowerCase(),
       passwordHash: data.passwordHash,
       role: data.role || "customer",
@@ -65,197 +285,317 @@ var RedisAuthAdapter = class {
       createdAt: now,
       updatedAt: now
     };
-    const pipeline = this.redis.pipeline();
-    pipeline.hset(this.userKey(userId), this.userToHash(user));
-    pipeline.set(this.userByEmailKey(data.email), userId);
-    await pipeline.exec();
+    this.db.prepare(
+      `INSERT INTO kyro_users (id, email, password_hash, role, tenant_id, created_at, updated_at)
+         VALUES (?, ?, ?, ?, ?, ?, ?)`
+    ).run(
+      id,
+      user.email,
+      user.passwordHash,
+      user.role,
+      user.tenantId,
+      now,
+      now
+    );
     return user;
   }
   async findUserByEmail(email) {
-    const userId = await this.redis.get(
-      this.userByEmailKey(email.toLowerCase())
-    );
-    if (!userId) return null;
-    return this.findUserById(userId);
+    if (!this.db) throw new Error("Not connected");
+    const row = this.stmt("findUserByEmail").get(email.toLowerCase());
+    if (!row) return null;
+    return this.rowToUser(row);
   }
   async findUserById(userId) {
-    const data = await this.redis.hgetall(this.userKey(userId));
-    if (!data || Object.keys(data).length === 0) return null;
-    return this.hashToUser(data);
+    if (!this.db) throw new Error("Not connected");
+    const row = this.stmt("findUserById").get(userId);
+    if (!row) return null;
+    return this.rowToUser(row);
   }
   async updateUser(userId, data) {
+    if (!this.db) throw new Error("Not connected");
     const existing = await this.findUserById(userId);
     if (!existing) return null;
-    const updated = {
-      ...existing,
-      ...data,
-      id: userId,
-      updatedAt: (/* @__PURE__ */ new Date()).toISOString()
-    };
-    if (data.email && data.email !== existing.email) {
-      const pipeline = this.redis.pipeline();
-      pipeline.del(this.userByEmailKey(existing.email));
-      pipeline.set(this.userByEmailKey(data.email), userId);
-      await pipeline.exec();
+    const updates = [];
+    const values = [];
+    if (data.email !== void 0) {
+      updates.push("email = ?");
+      values.push(data.email.toLowerCase());
+    }
+    if (data.passwordHash !== void 0) {
+      updates.push("password_hash = ?");
+      values.push(data.passwordHash);
+    }
+    if (data.role !== void 0) {
+      updates.push("role = ?");
+      values.push(data.role);
+    }
+    if (data.tenantId !== void 0) {
+      updates.push("tenant_id = ?");
+      values.push(data.tenantId);
+    }
+    if (data.emailVerified !== void 0) {
+      updates.push("email_verified = ?");
+      values.push(data.emailVerified ? 1 : 0);
     }
-    await this.redis.hset(this.userKey(userId), this.userToHash(updated));
-    return updated;
+    if (data.locked !== void 0) {
+      updates.push("locked = ?");
+      values.push(data.locked ? 1 : 0);
+    }
+    if (data.lastLogin !== void 0) {
+      updates.push("last_login = ?");
+      values.push(data.lastLogin);
+    }
+    if (data.failedLoginAttempts !== void 0) {
+      updates.push("failed_login_attempts = ?");
+      values.push(data.failedLoginAttempts);
+    }
+    updates.push("updated_at = ?");
+    values.push((/* @__PURE__ */ new Date()).toISOString());
+    values.push(userId);
+    this.db.prepare(`UPDATE kyro_users SET ${updates.join(", ")} WHERE id = ?`).run(...values);
+    return this.findUserById(userId);
   }
   async deleteUser(userId) {
-    const user = await this.findUserById(userId);
-    if (!user) return false;
-    const pipeline = this.redis.pipeline();
-    pipeline.del(this.userKey(userId));
-    pipeline.del(this.userByEmailKey(user.email));
-    pipeline.del(this.passwordHistoryKey(userId));
-    await pipeline.exec();
-    return true;
+    if (!this.db) throw new Error("Not connected");
+    const result = this.stmt("deleteUser").run(userId);
+    return result.changes > 0;
   }
   async hashPassword(password) {
-    return bcrypt__default.default.hash(password, 12);
+    return bcrypt__default.default.hash(password, this.saltRounds);
   }
   async verifyPassword(password, hash) {
     return bcrypt__default.default.compare(password, hash);
   }
   async createSession(userId, data = {}) {
-    const sessionId = crypto.randomBytes(32).toString("hex");
+    if (!this.db) throw new Error("Not connected");
+    const id = crypto.randomBytes(32).toString("hex");
     const token = crypto.randomBytes(32).toString("base64url");
     const refreshToken = crypto.randomBytes(32).toString("base64url");
     const now = /* @__PURE__ */ new Date();
+    const expiresAt = new Date(now.getTime() + 864e5).toISOString();
     const session = {
-      id: sessionId,
+      id,
       userId,
       token,
       refreshToken,
-      expiresAt: new Date(
-        now.getTime() + this.tokenExpiration * 1e3
-      ).toISOString(),
+      expiresAt,
       createdAt: now.toISOString(),
       ipAddress: data.ipAddress,
       userAgent: data.userAgent
     };
-    const pipeline = this.redis.pipeline();
-    pipeline.hset(this.sessionKey(sessionId), this.sessionToHash(session));
-    pipeline.setex(
-      this.refreshKey(refreshToken),
-      this.refreshExpiration,
-      sessionId
+    this.db.prepare(
+      `INSERT INTO kyro_sessions (id, user_id, token, refresh_token, expires_at, created_at, ip_address, user_agent)
+         VALUES (?, ?, ?, ?, ?, ?, ?, ?)`
+    ).run(
+      session.id,
+      session.userId,
+      session.token,
+      session.refreshToken,
+      session.expiresAt,
+      session.createdAt,
+      session.ipAddress,
+      session.userAgent
     );
-    await pipeline.exec();
     return session;
   }
   async findSessionByToken(token) {
-    const data = await this.redis.hgetall(this.sessionKey(token));
-    if (!data || Object.keys(data).length === 0) return null;
-    return this.hashToSession(data);
+    if (!this.db) throw new Error("Not connected");
+    const row = this.stmt("findSessionByToken").get(token);
+    if (!row) return null;
+    return this.rowToSession(row);
+  }
+  async findSessionByRefreshToken(refreshToken) {
+    if (!this.db) throw new Error("Not connected");
+    const row = this.stmt("findSessionByRefreshToken").get(refreshToken);
+    if (!row) return null;
+    return this.rowToSession(row);
   }
   async deleteSession(sessionId) {
-    const session = await this.redis.hgetall(this.sessionKey(sessionId));
-    if (!session || Object.keys(session).length === 0) return false;
-    const pipeline = this.redis.pipeline();
-    pipeline.del(this.sessionKey(sessionId));
-    if (session.refreshToken) {
-      pipeline.del(this.refreshKey(session.refreshToken));
-    }
-    await pipeline.exec();
-    return true;
+    if (!this.db) throw new Error("Not connected");
+    const result = this.stmt("deleteSession").run(sessionId, sessionId);
+    return result.changes > 0;
   }
   async deleteUserSessions(userId) {
-    const pattern = `${this.prefix}sessions:*`;
-    let cursor = "0";
-    let deleted = 0;
-    do {
-      const [nextCursor, keys] = await this.redis.scan(
-        cursor,
-        "MATCH",
-        pattern,
-        "COUNT",
-        100
-      );
-      cursor = nextCursor;
-      for (const key of keys) {
-        const sessionData = await this.redis.hgetall(key);
-        if (sessionData.userId === userId) {
-          const sessionId = key.replace(`${this.prefix}sessions:`, "");
-          await this.deleteSession(sessionId);
-          deleted++;
-        }
-      }
-    } while (cursor !== "0");
-    return deleted;
+    if (!this.db) throw new Error("Not connected");
+    const result = this.stmt("deleteUserSessions").run(userId);
+    return result.changes;
+  }
+  async hasAnyUsers() {
+    if (!this.db) throw new Error("Not connected");
+    const row = this.stmt("countUsers").get();
+    return row.count > 0;
   }
   async addPasswordToHistory(userId, passwordHash) {
-    await this.redis.lpush(this.passwordHistoryKey(userId), passwordHash);
-    await this.redis.ltrim(this.passwordHistoryKey(userId), 0, 4);
+    if (!this.db) throw new Error("Not connected");
+    this.stmt("addPasswordHistory").run(
+      userId,
+      passwordHash,
+      (/* @__PURE__ */ new Date()).toISOString()
+    );
+    this.stmt("trimPasswordHistory").run(userId);
   }
   async getPasswordHistory(userId, count = 5) {
-    return this.redis.lrange(this.passwordHistoryKey(userId), 0, count - 1);
+    if (!this.db) throw new Error("Not connected");
+    const rows = this.stmt("getPasswordHistory").all(userId, count);
+    return rows.map((r) => r.password_hash);
   }
   async isPasswordInHistory(password, userId, historyCount = 5) {
     const history = await this.getPasswordHistory(userId, historyCount);
     for (const hash of history) {
-      if (await this.verifyPassword(password, hash)) {
+      if (await bcrypt__default.default.compare(password, hash)) {
         return true;
       }
     }
     return false;
   }
-  userToHash(user) {
-    const hash = {
-      id: user.id,
-      email: user.email,
-      passwordHash: user.passwordHash || "",
-      role: user.role,
-      createdAt: user.createdAt,
-      updatedAt: user.updatedAt
+  async recordFailedAttempt(userId) {
+    if (!this.db) throw new Error("Not connected");
+    const now = Date.now();
+    const lockout = this.stmt("getLockout").get(userId);
+    const attempts = (lockout?.attempts || 0) + 1;
+    const lockedUntil = attempts >= 5 ? now + 15 * 60 * 1e3 : lockout?.locked_until || null;
+    this.stmt("upsertLockout").run(
+      userId,
+      attempts,
+      now,
+      lockedUntil !== null ? now : null,
+      lockedUntil
+    );
+  }
+  async resetAttempts(userId) {
+    if (!this.db) throw new Error("Not connected");
+    this.stmt("resetLockout").run(userId);
+  }
+  async checkLockout(userId) {
+    if (!this.db) throw new Error("Not connected");
+    this.stmt("cleanupExpiredLockouts").run(Date.now());
+    const lockout = this.stmt("getLockout").get(userId);
+    if (!lockout) {
+      return {
+        locked: false,
+        attemptsRemaining: 5,
+        totalAttempts: 0
+      };
+    }
+    if (lockout.locked_until !== null && lockout.locked_until > Date.now()) {
+      return {
+        locked: true,
+        attemptsRemaining: 0,
+        lockedUntil: new Date(lockout.locked_until),
+        totalAttempts: lockout.attempts
+      };
+    }
+    return {
+      locked: false,
+      attemptsRemaining: Math.max(0, 5 - lockout.attempts),
+      totalAttempts: lockout.attempts
     };
-    if (user.tenantId) hash.tenantId = user.tenantId;
-    if (user.emailVerified !== void 0)
-      hash.emailVerified = String(user.emailVerified);
-    if (user.locked !== void 0) hash.locked = String(user.locked);
-    if (user.lastLogin) hash.lastLogin = user.lastLogin;
-    if (user.failedLoginAttempts !== void 0)
-      hash.failedLoginAttempts = String(user.failedLoginAttempts);
-    return hash;
-  }
-  hashToUser(hash) {
+  }
+  async logAudit(data) {
+    if (!this.db) throw new Error("Not connected");
+    const id = crypto.randomBytes(16).toString("hex");
+    const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+    this.db.prepare(
+      `INSERT INTO kyro_audit_logs (
+          id, timestamp, action, user_id, user_email, role, resource, resource_id,
+          ip_address, user_agent, success, error, metadata, created_at
+        ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`
+    ).run(
+      id,
+      timestamp,
+      data.action,
+      data.userId || null,
+      data.userEmail || null,
+      data.role || null,
+      data.resource,
+      data.resourceId || null,
+      data.ipAddress || null,
+      data.userAgent || null,
+      data.success ? 1 : 0,
+      data.error || null,
+      data.metadata ? JSON.stringify(data.metadata) : null,
+      (/* @__PURE__ */ new Date()).toISOString()
+    );
+    return id;
+  }
+  async queryAuditLogs(options = {}) {
+    if (!this.db) throw new Error("Not connected");
+    const conditions = [];
+    const params = [];
+    if (options.action) {
+      conditions.push("action = ?");
+      params.push(options.action);
+    }
+    if (options.userId) {
+      conditions.push("user_id = ?");
+      params.push(options.userId);
+    }
+    if (options.resource) {
+      conditions.push("resource = ?");
+      params.push(options.resource);
+    }
+    if (options.success !== void 0) {
+      conditions.push("success = ?");
+      params.push(options.success ? 1 : 0);
+    }
+    if (options.startDate) {
+      conditions.push("timestamp >= ?");
+      params.push(options.startDate.toISOString());
+    }
+    if (options.endDate) {
+      conditions.push("timestamp <= ?");
+      params.push(options.endDate.toISOString());
+    }
+    const where = conditions.length > 0 ? "WHERE " + conditions.join(" AND ") : "";
+    const limit = options.limit || 50;
+    const offset = options.offset || 0;
+    const totalResult = this.db.prepare(`SELECT COUNT(*) as count FROM kyro_audit_logs ${where}`).get(...params);
+    const rows = this.db.prepare(
+      `SELECT * FROM kyro_audit_logs ${where} ORDER BY timestamp DESC LIMIT ? OFFSET ?`
+    ).all(...params, limit, offset);
     return {
-      id: hash.id,
-      email: hash.email,
-      passwordHash: hash.passwordHash,
-      role: hash.role,
-      tenantId: hash.tenantId,
-      createdAt: hash.createdAt,
-      updatedAt: hash.updatedAt,
-      emailVerified: hash.emailVerified === "true",
-      locked: hash.locked === "true",
-      lastLogin: hash.lastLogin,
-      failedLoginAttempts: hash.failedLoginAttempts ? parseInt(hash.failedLoginAttempts, 10) : 0
+      total: totalResult.count,
+      logs: rows.map((row) => ({
+        id: row.id,
+        timestamp: new Date(row.timestamp),
+        action: row.action,
+        userId: row.user_id || void 0,
+        userEmail: row.user_email || void 0,
+        resource: row.resource,
+        resourceId: row.resource_id || void 0,
+        ipAddress: row.ip_address || void 0,
+        userAgent: row.user_agent || void 0,
+        success: row.success === 1,
+        error: row.error || void 0,
+        metadata: row.metadata ? JSON.parse(row.metadata) : void 0
+      }))
     };
   }
-  sessionToHash(session) {
-    const hash = {
-      id: session.id,
-      userId: session.userId,
-      token: session.token,
-      expiresAt: session.expiresAt,
-      createdAt: session.createdAt
+  rowToUser(row) {
+    return {
+      id: row.id,
+      email: row.email,
+      passwordHash: row.password_hash,
+      role: row.role,
+      tenantId: row.tenant_id,
+      emailVerified: row.email_verified === 1,
+      locked: row.locked === 1,
+      lastLogin: row.last_login,
+      failedLoginAttempts: row.failed_login_attempts || 0,
+      createdAt: row.created_at,
+      updatedAt: row.updated_at
     };
-    if (session.refreshToken) hash.refreshToken = session.refreshToken;
-    if (session.ipAddress) hash.ipAddress = session.ipAddress;
-    if (session.userAgent) hash.userAgent = session.userAgent;
-    return hash;
   }
-  hashToSession(hash) {
+  rowToSession(row) {
     return {
-      id: hash.id,
-      userId: hash.userId,
-      token: hash.token,
-      refreshToken: hash.refreshToken,
-      expiresAt: hash.expiresAt,
-      createdAt: hash.createdAt,
-      ipAddress: hash.ipAddress,
-      userAgent: hash.userAgent
+      id: row.id,
+      userId: row.user_id,
+      token: row.token,
+      refreshToken: row.refresh_token,
+      expiresAt: row.expires_at,
+      createdAt: row.created_at,
+      ipAddress: row.ip_address,
+      userAgent: row.user_agent
     };
   }
 };
@@ -751,10 +1091,6 @@ var PasswordPolicy = class {
 // src/auth/bootstrap.ts
 async function bootstrapAdmin(config) {
   const {
-    redisUrl,
-    redisHost,
-    redisPort,
-    redisPassword,
     adminEmail,
     adminPassword,
     adminRole = "super_admin",
@@ -762,34 +1098,21 @@ async function bootstrapAdmin(config) {
     emailConfig,
     sendWelcomeEmail = false
   } = config;
-  let redis;
-  if (redisUrl) {
-    redis = new Redis2__default.default(redisUrl);
-  } else {
-    redis = new Redis2__default.default({
-      host: redisHost || "localhost",
-      port: redisPort || 6379,
-      password: redisPassword,
-      lazyConnect: true
-    });
-  }
+  const authAdapter = config.authAdapter || new SQLiteAuthAdapter({
+    path: config.authDbPath || "./data/auth.db"
+  });
   try {
-    await redis.connect();
+    await authAdapter.connect?.();
   } catch (error) {
     return {
       success: false,
-      error: "Failed to connect to Redis"
+      error: "Failed to connect to auth storage"
     };
   }
-  const authAdapter = new RedisAuthAdapter({
-    url: redisUrl,
-    host: redisHost,
-    port: redisPort,
-    password: redisPassword
-  });
   const passwordPolicy = new PasswordPolicy();
   const passwordValidation = passwordPolicy.validate(adminPassword);
   if (!passwordValidation.valid) {
+    await authAdapter.disconnect?.();
     return {
       success: false,
       error: `Invalid password: ${passwordValidation.errors.join(", ")}`
@@ -797,6 +1120,7 @@ async function bootstrapAdmin(config) {
   }
   const existingUser = await authAdapter.findUserByEmail(adminEmail);
   if (existingUser) {
+    await authAdapter.disconnect?.();
     return {
       success: false,
       error: "Admin user already exists"
@@ -819,23 +1143,21 @@ async function bootstrapAdmin(config) {
         ...welcomeTemplate
       });
     }
+    await authAdapter.disconnect?.();
     return {
       success: true,
       user
     };
   } catch (error) {
+    await authAdapter.disconnect?.();
     return {
       success: false,
       error: error instanceof Error ? error.message : "Failed to create admin user"
     };
-  } finally {
-    await redis.quit();
   }
 }
-async function checkBootstrapRequired(redis, adminEmail) {
-  const existingUser = await redis.get(
-    `kyro:auth:users:email:${adminEmail.toLowerCase()}`
-  );
+async function checkBootstrapRequired(authAdapter, adminEmail) {
+  const existingUser = await authAdapter.findUserByEmail(adminEmail);
   return !existingUser;
 }
 function getBootstrapFromEnv() {
@@ -845,10 +1167,7 @@ function getBootstrapFromEnv() {
     return null;
   }
   return {
-    redisUrl: process.env.REDIS_URL,
-    redisHost: process.env.REDIS_HOST,
-    redisPort: process.env.REDIS_PORT ? parseInt(process.env.REDIS_PORT, 10) : void 0,
-    redisPassword: process.env.REDIS_PASSWORD,
+    authDbPath: process.env.KYRO_AUTH_DB_PATH || "./data/auth.db",
     adminEmail: email,
     adminPassword: password,
     adminRole: process.env.KYRO_ADMIN_ROLE || "super_admin",
@@ -904,11 +1223,11 @@ async function bootstrapWithRetry(config, maxRetries = 3, retryDelayMs = 2e3) {
 
 exports.EmailTransport = EmailTransport;
 exports.PasswordPolicy = PasswordPolicy;
-exports.RedisAuthAdapter = RedisAuthAdapter;
+exports.SQLiteAuthAdapter = SQLiteAuthAdapter;
 exports.autoBootstrap = autoBootstrap;
 exports.bootstrapAdmin = bootstrapAdmin;
 exports.bootstrapWithRetry = bootstrapWithRetry;
 exports.checkBootstrapRequired = checkBootstrapRequired;
 exports.getBootstrapFromEnv = getBootstrapFromEnv;
-//# sourceMappingURL=chunk-I4BORBXT.cjs.map
-//# sourceMappingURL=chunk-I4BORBXT.cjs.map
+//# sourceMappingURL=chunk-3EVLFWH2.cjs.map
+//# sourceMappingURL=chunk-3EVLFWH2.cjs.map