@kyro-cms/core 0.3.2 → 0.3.4

package/dist/chunk-RYDGMBIG.js

@@ -0,0 +1,1737 @@
+import { settings } from './chunk-YT7HXXVN.js';
+import bcrypt from 'bcryptjs';
+import { randomBytes } from 'crypto';
+import { mkdirSync } from 'fs';
+import { dirname } from 'path';
+
+// src/config/ConfigService.ts
+var ConfigService = class _ConfigService {
+  db;
+  cache = {};
+  static SENSITIVE_KEYS = [
+    "storage.s3.secret_access_key",
+    "storage.r2.secret_access_key",
+    "storage.gcs.private_key",
+    "storage.backblaze.application_key",
+    "storage.wasabi.secret_access_key",
+    "storage.ftp.password",
+    "storage.bunny.api_key",
+    "storage.cloudinary.api_secret",
+    "storage.imgix.sign_key",
+    "email.smtp.pass",
+    "auth.jwt_secret",
+    "auth.github_secret",
+    "auth.google_secret",
+    "auth.app_secret",
+    "database.url",
+    "redis.url",
+    "auth.admin_password"
+  ];
+  constructor(db) {
+    this.db = db;
+  }
+  /**
+   * Initialize the service by loading all settings from the database
+   */
+  async load() {
+    try {
+      if (typeof this.db?.select === "function") {
+        const allSettings = await this.db.select().from(settings);
+        this.cache = allSettings.reduce((acc, row) => {
+          acc[row.key] = row.value;
+          return acc;
+        }, {});
+      } else {
+        await this.loadFromGlobals();
+      }
+    } catch (error) {
+      console.warn(
+        "ConfigService: Could not load settings from database, using environment fallbacks.",
+        error
+      );
+    }
+  }
+  /**
+   * Load settings from the _globals_storage-settings table (SQLite fallback)
+   * Maps nested global structure to flat key-value cache
+   */
+  async loadFromGlobals() {
+    try {
+      const row = this.db.prepare(`SELECT * FROM "_globals_storage-settings" LIMIT 1`).get();
+      if (!row) return;
+      const parseJSON = (val) => {
+        if (!val) return null;
+        if (typeof val === "string") {
+          try {
+            return JSON.parse(val);
+          } catch {
+            return null;
+          }
+        }
+        return val;
+      };
+      const provider = row.provider || "local";
+      this.cache["storage.type"] = provider === "aws" ? "s3" : provider;
+      if (provider === "local") {
+        const local = parseJSON(row.local);
+        this.cache["storage.local.dir"] = local?.uploadDir || "./public/uploads";
+        this.cache["storage.local.url"] = local?.baseUrl || "/uploads";
+      }
+      if (provider === "aws") {
+        const aws = parseJSON(row.aws);
+        this.cache["storage.s3.bucket"] = aws?.bucket || "";
+        this.cache["storage.s3.region"] = aws?.region || "us-east-1";
+        this.cache["storage.s3.access_key_id"] = aws?.accessKeyId || "";
+        this.cache["storage.s3.secret_access_key"] = aws?.secretAccessKey || "";
+        this.cache["storage.s3.endpoint"] = aws?.endpoint || "";
+        this.cache["storage.s3.cdn_url"] = aws?.cdnUrl || "";
+        this.cache["storage.s3.prefix"] = aws?.prefix || "";
+      }
+      if (provider === "r2") {
+        const r2 = parseJSON(row.r2);
+        this.cache["storage.r2.account_id"] = r2?.accountId || "";
+        this.cache["storage.r2.access_key_id"] = r2?.accessKeyId || "";
+        this.cache["storage.r2.secret_access_key"] = r2?.secretAccessKey || "";
+        this.cache["storage.r2.bucket"] = r2?.bucket || "";
+        this.cache["storage.r2.cdn_url"] = r2?.cdnUrl || "";
+        this.cache["storage.r2.prefix"] = r2?.prefix || "";
+      }
+      if (provider === "cloudinary") {
+        const cloudinary = parseJSON(row.cloudinary);
+        this.cache["storage.cloudinary.cloud_name"] = cloudinary?.cloudName || "";
+        this.cache["storage.cloudinary.api_key"] = cloudinary?.apiKey || "";
+        this.cache["storage.cloudinary.api_secret"] = cloudinary?.apiSecret || "";
+        this.cache["storage.cloudinary.folder"] = cloudinary?.folder || "";
+      }
+      if (provider === "ftp") {
+        const ftp = parseJSON(row.ftp);
+        this.cache["storage.ftp.host"] = ftp?.host || "";
+        this.cache["storage.ftp.port"] = String(ftp?.port || "21");
+        this.cache["storage.ftp.user"] = ftp?.user || "";
+        this.cache["storage.ftp.password"] = ftp?.password || "";
+        this.cache["storage.ftp.secure"] = ftp?.secure ? "true" : "false";
+        this.cache["storage.ftp.base_url"] = ftp?.baseUrl || "";
+        this.cache["storage.ftp.prefix"] = ftp?.prefix || "";
+      }
+    } catch (error) {
+      console.warn("ConfigService: Could not load from globals table:", error);
+    }
+  }
+  /**
+   * Get a settings value with environment fallback
+   */
+  get(key, envKey, defaultValue) {
+    if (this.cache[key]) return this.cache[key];
+    if (envKey && process.env[envKey]) return process.env[envKey];
+    return defaultValue;
+  }
+  /**
+   * Get storage configuration
+   */
+  getStorageConfig() {
+    return {
+      type: this.get("storage.type", "STORAGE_TYPE", "local"),
+      s3: {
+        bucket: this.get("storage.s3.bucket", "STORAGE_BUCKET"),
+        region: this.get("storage.s3.region", "STORAGE_REGION", "us-east-1"),
+        accessKeyId: this.get(
+          "storage.s3.access_key_id",
+          "STORAGE_ACCESS_KEY_ID"
+        ),
+        secretAccessKey: this.get(
+          "storage.s3.secret_access_key",
+          "STORAGE_SECRET_ACCESS_KEY"
+        ),
+        endpoint: this.get("storage.s3.endpoint", "STORAGE_ENDPOINT"),
+        cdnUrl: this.get("storage.s3.cdn_url", "STORAGE_CDN_URL"),
+        prefix: this.get("storage.s3.prefix", "STORAGE_PREFIX")
+      },
+      r2: {
+        accountId: this.get("storage.r2.account_id", "R2_ACCOUNT_ID"),
+        accessKeyId: this.get("storage.r2.access_key_id", "R2_ACCESS_KEY_ID"),
+        secretAccessKey: this.get(
+          "storage.r2.secret_access_key",
+          "R2_SECRET_ACCESS_KEY"
+        ),
+        bucket: this.get("storage.r2.bucket", "R2_BUCKET"),
+        cdnUrl: this.get("storage.r2.cdn_url", "R2_CDN_URL"),
+        prefix: this.get("storage.r2.prefix", "R2_PREFIX")
+      },
+      gcs: {
+        bucket: this.get("storage.gcs.bucket", "GCS_BUCKET"),
+        projectId: this.get("storage.gcs.project_id", "GCS_PROJECT_ID"),
+        clientEmail: this.get("storage.gcs.client_email", "GCS_CLIENT_EMAIL"),
+        privateKey: this.get("storage.gcs.private_key", "GCS_PRIVATE_KEY"),
+        cdnUrl: this.get("storage.gcs.cdn_url", "GCS_CDN_URL"),
+        prefix: this.get("storage.gcs.prefix", "GCS_PREFIX")
+      },
+      digitalocean: {
+        bucket: this.get("storage.digitalocean.bucket", "DO_BUCKET"),
+        region: this.get("storage.digitalocean.region", "DO_REGION", "nyc3"),
+        accessKeyId: this.get(
+          "storage.digitalocean.access_key_id",
+          "DO_ACCESS_KEY_ID"
+        ),
+        secretAccessKey: this.get(
+          "storage.digitalocean.secret_access_key",
+          "DO_SECRET_ACCESS_KEY"
+        ),
+        cdnUrl: this.get("storage.digitalocean.cdn_url", "DO_CDN_URL"),
+        prefix: this.get("storage.digitalocean.prefix", "DO_PREFIX")
+      },
+      backblaze: {
+        bucket: this.get("storage.backblaze.bucket", "BB_BUCKET"),
+        accountId: this.get("storage.backblaze.account_id", "BB_ACCOUNT_ID"),
+        applicationKeyId: this.get(
+          "storage.backblaze.application_key_id",
+          "BB_APPLICATION_KEY_ID"
+        ),
+        applicationKey: this.get(
+          "storage.backblaze.application_key",
+          "BB_APPLICATION_KEY"
+        ),
+        cdnUrl: this.get("storage.backblaze.cdn_url", "BB_CDN_URL"),
+        prefix: this.get("storage.backblaze.prefix", "BB_PREFIX")
+      },
+      wasabi: {
+        bucket: this.get("storage.wasabi.bucket", "WASABI_BUCKET"),
+        region: this.get("storage.wasabi.region", "WASABI_REGION", "us-east-1"),
+        accessKeyId: this.get(
+          "storage.wasabi.access_key_id",
+          "WASABI_ACCESS_KEY_ID"
+        ),
+        secretAccessKey: this.get(
+          "storage.wasabi.secret_access_key",
+          "WASABI_SECRET_ACCESS_KEY"
+        ),
+        cdnUrl: this.get("storage.wasabi.cdn_url", "WASABI_CDN_URL"),
+        prefix: this.get("storage.wasabi.prefix", "WASABI_PREFIX")
+      },
+      bunny: {
+        storageZone: this.get(
+          "storage.bunny.storage_zone",
+          "BUNNY_STORAGE_ZONE"
+        ),
+        apiKey: this.get("storage.bunny.api_key", "BUNNY_API_KEY"),
+        cdnUrl: this.get("storage.bunny.cdn_url", "BUNNY_CDN_URL"),
+        prefix: this.get("storage.bunny.prefix", "BUNNY_PREFIX")
+      },
+      ftp: {
+        host: this.get("storage.ftp.host", "FTP_HOST"),
+        port: parseInt(this.get("storage.ftp.port", "FTP_PORT", "21"), 10),
+        user: this.get("storage.ftp.user", "FTP_USER"),
+        password: this.get("storage.ftp.password", "FTP_PASSWORD"),
+        secure: this.get("storage.ftp.secure", "FTP_SECURE") === "true",
+        baseUrl: this.get("storage.ftp.base_url", "FTP_BASE_URL"),
+        prefix: this.get("storage.ftp.prefix", "FTP_PREFIX")
+      },
+      cloudinary: {
+        cloudName: this.get(
+          "storage.cloudinary.cloud_name",
+          "CLOUDINARY_CLOUD_NAME"
+        ),
+        apiKey: this.get("storage.cloudinary.api_key", "CLOUDINARY_API_KEY"),
+        apiSecret: this.get(
+          "storage.cloudinary.api_secret",
+          "CLOUDINARY_API_SECRET"
+        ),
+        folder: this.get("storage.cloudinary.folder", "CLOUDINARY_FOLDER")
+      },
+      imgix: {
+        domain: this.get("storage.imgix.domain", "IMGIX_DOMAIN"),
+        signKey: this.get("storage.imgix.sign_key", "IMGIX_SIGN_KEY")
+      },
+      local: {
+        uploadDir: this.get("storage.local.dir", "STORAGE_LOCAL_DIR"),
+        baseUrl: this.get("storage.local.url", "STORAGE_LOCAL_URL", "/uploads")
+      }
+    };
+  }
+  /**
+   * Get email configuration
+   */
+  getEmailConfig() {
+    return {
+      provider: this.get("email.provider", "EMAIL_PROVIDER", "smtp"),
+      host: this.get("email.smtp.host", "SMTP_HOST"),
+      port: parseInt(this.get("email.smtp.port", "SMTP_PORT", "587"), 10),
+      secure: this.get("email.smtp.secure", "SMTP_SECURE") === "true",
+      user: this.get("email.smtp.user", "SMTP_USER"),
+      pass: this.get("email.smtp.pass", "SMTP_PASS"),
+      from: this.get("email.smtp.from", "SMTP_FROM", "noreply@example.com"),
+      fromName: this.get("email.smtp.from_name", "SMTP_FROM_NAME", "Kyro CMS"),
+      replyTo: this.get("email.smtp.reply_to", "SMTP_REPLY_TO")
+    };
+  }
+  /**
+   * Mask sensitive values for display
+   */
+  maskSensitive(key, value) {
+    if (!value) return value;
+    if (_ConfigService.SENSITIVE_KEYS.includes(key)) {
+      return "********";
+    }
+    return value;
+  }
+  /**
+   * Update a setting in the database
+   */
+  async set(key, value, description) {
+    await this.db.insert(settings).values({
+      key,
+      value,
+      description,
+      updatedAt: /* @__PURE__ */ new Date()
+    }).onConflictDoUpdate({
+      target: [settings.key],
+      set: { value, description, updatedAt: /* @__PURE__ */ new Date() }
+    });
+    this.cache[key] = value;
+  }
+};
+
+// src/auth/nodemailer-transport.ts
+var defaultTemplates = {
+  verifyEmail: (link, userName = "User") => ({
+    subject: "Verify your email address",
+    html: `
+      <!DOCTYPE html>
+      <html>
+      <head>
+        <meta charset="utf-8">
+        <meta name="viewport" content="width=device-width, initial-scale=1">
+        <title>Verify Email</title>
+        <style>
+          body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; }
+          .container { max-width: 600px; margin: 0 auto; padding: 20px; }
+          .button { display: inline-block; padding: 12px 24px; background: #0b1222; color: white; text-decoration: none; border-radius: 6px; font-weight: 600; }
+          .footer { margin-top: 30px; font-size: 12px; color: #666; }
+        </style>
+      </head>
+      <body>
+        <div class="container">
+          <h1>Welcome, ${userName}!</h1>
+          <p>Please verify your email address by clicking the button below:</p>
+          <p style="text-align: center; margin: 30px 0;">
+            <a href="${link}" class="button">Verify Email</a>
+          </p>
+          <p>Or copy and paste this link into your browser:</p>
+          <p style="word-break: break-all; color: #666;">${link}</p>
+          <p>This link will expire in 24 hours.</p>
+          <div class="footer">
+            <p>If you didn't create an account, you can safely ignore this email.</p>
+          </div>
+        </div>
+      </body>
+      </html>
+    `,
+    text: `Welcome ${userName}!
+
+Please verify your email by clicking this link: ${link}
+
+This link will expire in 24 hours.
+
+If you didn't create an account, you can safely ignore this email.`
+  }),
+  resetPassword: (link, userName = "User") => ({
+    subject: "Reset your password",
+    html: `
+      <!DOCTYPE html>
+      <html>
+      <head>
+        <meta charset="utf-8">
+        <meta name="viewport" content="width=device-width, initial-scale=1">
+        <title>Reset Password</title>
+        <style>
+          body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; }
+          .container { max-width: 600px; margin: 0 auto; padding: 20px; }
+          .button { display: inline-block; padding: 12px 24px; background: #dc2626; color: white; text-decoration: none; border-radius: 6px; font-weight: 600; }
+          .warning { background: #fef3c7; border: 1px solid #f59e0b; padding: 12px; border-radius: 6px; margin: 20px 0; }
+          .footer { margin-top: 30px; font-size: 12px; color: #666; }
+        </style>
+      </head>
+      <body>
+        <div class="container">
+          <h1>Password Reset Request</h1>
+          <p>Hello ${userName},</p>
+          <p>We received a request to reset your password. Click the button below to create a new password:</p>
+          <p style="text-align: center; margin: 30px 0;">
+            <a href="${link}" class="button">Reset Password</a>
+          </p>
+          <p>Or copy and paste this link into your browser:</p>
+          <p style="word-break: break-all; color: #666;">${link}</p>
+          <div class="warning">
+            <strong>\u26A0\uFE0F Important:</strong> This link will expire in 1 hour. If you didn't request a password reset, please ignore this email or contact support if you have concerns.
+          </div>
+          <div class="footer">
+            <p>For security reasons, please don't share this email with anyone.</p>
+          </div>
+        </div>
+      </body>
+      </html>
+    `,
+    text: `Password Reset Request
+
+Hello ${userName},
+
+We received a request to reset your password. Click this link to create a new password: ${link}
+
+This link will expire in 1 hour.
+
+If you didn't request a password reset, please ignore this email.`
+  }),
+  welcome: (userName = "User") => ({
+    subject: "Welcome to Kyro CMS",
+    html: `
+      <!DOCTYPE html>
+      <html>
+      <head>
+        <meta charset="utf-8">
+        <meta name="viewport" content="width=device-width, initial-scale=1">
+        <title>Welcome</title>
+        <style>
+          body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; }
+          .container { max-width: 600px; margin: 0 auto; padding: 20px; }
+          .button { display: inline-block; padding: 12px 24px; background: #0b1222; color: white; text-decoration: none; border-radius: 6px; font-weight: 600; }
+        </style>
+      </head>
+      <body>
+        <div class="container">
+          <h1>Welcome to Kyro CMS, ${userName}!</h1>
+          <p>Your account has been created successfully.</p>
+          <p>You can now:</p>
+          <ul>
+            <li>Manage your content collections</li>
+            <li>Upload and organize media</li>
+            <li>Configure settings</li>
+            <li>And much more...</li>
+          </ul>
+          <p style="text-align: center; margin: 30px 0;">
+            <a href="#" class="button">Get Started</a>
+          </p>
+          <p>If you have any questions, feel free to reach out to our support team.</p>
+        </div>
+      </body>
+      </html>
+    `,
+    text: `Welcome to Kyro CMS, ${userName}!
+
+Your account has been created successfully.
+
+You can now:
+- Manage your content collections
+- Upload and organize media
+- Configure settings
+- And much more...
+
+Get started by logging into your dashboard.`
+  }),
+  accountLocked: (attempts, duration, userName = "User") => ({
+    subject: "Account Security Alert - Account Locked",
+    html: `
+      <!DOCTYPE html>
+      <html>
+      <head>
+        <meta charset="utf-8">
+        <meta name="viewport" content="width=device-width, initial-scale=1">
+        <title>Account Locked</title>
+        <style>
+          body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; }
+          .container { max-width: 600px; margin: 0 auto; padding: 20px; }
+          .alert { background: #fef2f2; border: 1px solid #ef4444; padding: 16px; border-radius: 8px; margin: 20px 0; }
+          .footer { margin-top: 30px; font-size: 12px; color: #666; }
+        </style>
+      </head>
+      <body>
+        <div class="container">
+          <h1>Account Security Alert</h1>
+          <p>Hello ${userName},</p>
+          <div class="alert">
+            <p><strong>\u26A0\uFE0F Your account has been temporarily locked due to multiple failed login attempts.</strong></p>
+            <p>Failed attempts: ${attempts}</p>
+            <p>Lockout duration: ${Math.round(duration / 6e4)} minutes</p>
+          </div>
+          <p>Your account will automatically unlock after the lockout period expires.</p>
+          <p>If this wasn't you, we recommend:</p>
+          <ul>
+            <li>Using a strong, unique password</li>
+            <li>Enabling two-factor authentication (coming soon)</li>
+            <li>Reviewing your recent account activity</li>
+          </ul>
+          <div class="footer">
+            <p>If you need immediate assistance, please contact support.</p>
+          </div>
+        </div>
+      </body>
+      </html>
+    `,
+    text: `Account Security Alert
+
+Hello ${userName},
+
+Your account has been temporarily locked due to multiple failed login attempts (${attempts}).
+
+Lockout duration: ${Math.round(duration / 6e4)} minutes
+
+Your account will automatically unlock after this period.
+
+If this wasn't you, we recommend using a strong, unique password.`
+  }),
+  passwordChanged: (userName = "User") => ({
+    subject: "Your password has been changed",
+    html: `
+      <!DOCTYPE html>
+      <html>
+      <head>
+        <meta charset="utf-8">
+        <meta name="viewport" content="width=device-width, initial-scale=1">
+        <title>Password Changed</title>
+        <style>
+          body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; }
+          .container { max-width: 600px; margin: 0 auto; padding: 20px; }
+          .info { background: #f0fdf4; border: 1px solid #22c55e; padding: 12px; border-radius: 6px; margin: 20px 0; }
+        </style>
+      </head>
+      <body>
+        <div class="container">
+          <h1>Password Changed</h1>
+          <p>Hello ${userName},</p>
+          <div class="info">
+            <p>Your password was recently changed.</p>
+          </div>
+          <p>If you did this, you can safely ignore this email.</p>
+          <p><strong>If you didn't change your password</strong>, please contact our support team immediately as your account may have been compromised.</p>
+        </div>
+      </body>
+      </html>
+    `,
+    text: `Password Changed
+
+Hello ${userName},
+
+Your password was recently changed.
+
+If you did this, you can safely ignore this email.
+
+If you didn't change your password, please contact support immediately.`
+  }),
+  newLogin: (location, time, userName = "User") => ({
+    subject: "New login to your account",
+    html: `
+      <!DOCTYPE html>
+      <html>
+      <head>
+        <meta charset="utf-8">
+        <meta name="viewport" content="width=device-width, initial-scale=1">
+        <title>New Login</title>
+        <style>
+          body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; }
+          .container { max-width: 600px; margin: 0 auto; padding: 20px; }
+          .info-box { background: #f8fafc; border: 1px solid #e2e8f0; padding: 16px; border-radius: 8px; margin: 20px 0; }
+          .footer { margin-top: 30px; font-size: 12px; color: #666; }
+        </style>
+      </head>
+      <body>
+        <div class="container">
+          <h1>New Login Detected</h1>
+          <p>Hello ${userName},</p>
+          <p>We detected a new login to your account:</p>
+          <div class="info-box">
+            <p><strong>Location:</strong> ${location}</p>
+            <p><strong>Time:</strong> ${time}</p>
+          </div>
+          <p><strong>If this was you</strong>, no action is needed.</p>
+          <p><strong>If this wasn't you</strong>, your account may be compromised. Please:</p>
+          <ol>
+            <li>Change your password immediately</li>
+            <li>Review your recent account activity</li>
+            <li>Contact support if needed</li>
+          </ol>
+          <div class="footer">
+            <p>This is an automated security notification.</p>
+          </div>
+        </div>
+      </body>
+      </html>
+    `,
+    text: `New Login Detected
+
+Hello ${userName},
+
+We detected a new login to your account:
+
+Location: ${location}
+Time: ${time}
+
+If this wasn't you, please change your password immediately and contact support.`
+  })
+};
+var EmailTransport = class _EmailTransport {
+  transporter;
+  config;
+  templates;
+  transporterInitialized = false;
+  constructor(config, templates) {
+    this.config = config;
+    this.templates = { ...defaultTemplates, ...templates };
+  }
+  async ensureTransporter() {
+    if (this.transporterInitialized) {
+      return this.transporter;
+    }
+    const { default: nodemailer } = await import('nodemailer');
+    if (this.config.provider === "smtp" && this.config.smtp) {
+      this.transporter = nodemailer.createTransport({
+        host: this.config.smtp.host,
+        port: this.config.smtp.port,
+        secure: this.config.smtp.secure,
+        auth: this.config.smtp.auth
+      });
+    } else if (this.config.provider === "ses" && this.config.ses) {
+      this.transporter = nodemailer.createTransport({
+        host: `email-smtp.${this.config.ses.region}.amazonaws.com`,
+        port: 587,
+        secure: false,
+        auth: {
+          user: this.config.ses.accessKeyId,
+          pass: this.config.ses.secretAccessKey
+        }
+      });
+    }
+    this.transporterInitialized = true;
+    return this.transporter;
+  }
+  async send(options) {
+    const { provider, from, fromName, replyTo: configReplyTo } = this.config;
+    const fromFull = `"${fromName || "Kyro CMS"}" <${from}>`;
+    const replyTo = options.replyTo || configReplyTo;
+    console.log(`[EmailTransport] Sending email via ${provider}...`);
+    console.log(
+      `[EmailTransport] To: ${Array.isArray(options.to) ? options.to.join(", ") : options.to}`
+    );
+    console.log(`[EmailTransport] Subject: ${options.subject}`);
+    try {
+      let result;
+      switch (provider) {
+        case "smtp":
+        case "ses":
+          {
+            const transporter = await this.ensureTransporter();
+            if (!transporter)
+              throw new Error(`${provider} transporter not initialized`);
+            result = await transporter.sendMail({
+              from: fromFull,
+              to: Array.isArray(options.to) ? options.to.join(", ") : options.to,
+              subject: options.subject,
+              html: options.html,
+              text: options.text,
+              replyTo
+            });
+          }
+          break;
+        case "resend":
+          result = await this.sendViaResend(fromFull, options, replyTo);
+          break;
+        case "sendgrid":
+          result = await this.sendViaSendGrid(fromFull, options, replyTo);
+          break;
+        case "mailgun":
+          result = await this.sendViaMailgun(fromFull, options, replyTo);
+          break;
+        default:
+          throw new Error(`Unsupported email provider: ${provider}`);
+      }
+      console.log(`[EmailTransport] Success! Provider response received.`);
+      return result;
+    } catch (error) {
+      console.error(`[EmailTransport] FAILED to send email:`, error.message);
+      if (error.response) {
+        console.error(
+          `[EmailTransport] Provider Error Detail:`,
+          JSON.stringify(error.response, null, 2)
+        );
+      }
+      throw error;
+    }
+  }
+  async sendViaResend(from, options, replyTo) {
+    const apiKey = this.config.resend?.apiKey;
+    if (!apiKey) throw new Error("Resend API Key missing");
+    const body = {
+      from,
+      to: options.to,
+      subject: options.subject,
+      html: options.html,
+      text: options.text,
+      reply_to: replyTo
+    };
+    console.log(`[EmailTransport] Calling Resend API...`);
+    const resp = await fetch("https://api.resend.com/emails", {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${apiKey}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify(body)
+    });
+    if (!resp.ok) {
+      const error = await resp.json();
+      throw new Error(`Resend Error: ${JSON.stringify(error)}`);
+    }
+    return resp.json();
+  }
+  async sendViaSendGrid(from, options, replyTo) {
+    const apiKey = this.config.sendgrid?.apiKey;
+    if (!apiKey) throw new Error("SendGrid API Key missing");
+    const body = {
+      personalizations: [
+        {
+          to: Array.isArray(options.to) ? options.to.map((email) => ({ email })) : [{ email: options.to }]
+        }
+      ],
+      from: {
+        email: from.match(/<(.+)>/)?.[1] || from,
+        name: from.match(/"(.+)"/)?.[1]
+      },
+      subject: options.subject,
+      content: [
+        { type: "text/plain", value: options.text || "" },
+        { type: "text/html", value: options.html }
+      ],
+      reply_to: replyTo ? { email: replyTo } : void 0
+    };
+    console.log(`[EmailTransport] Calling SendGrid API...`);
+    const resp = await fetch("https://api.sendgrid.com/v3/mail/send", {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${apiKey}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify(body)
+    });
+    if (!resp.ok) {
+      const error = await resp.json();
+      throw new Error(`SendGrid Error: ${JSON.stringify(error)}`);
+    }
+    return { success: true };
+  }
+  async sendViaMailgun(from, options, replyTo) {
+    const { apiKey, domain, region } = this.config.mailgun || {};
+    if (!apiKey || !domain) throw new Error("Mailgun config missing");
+    const base = region === "eu" ? "api.eu.mailgun.net" : "api.mailgun.net";
+    const auth = btoa(`api:${apiKey}`);
+    const formData = new URLSearchParams();
+    formData.append("from", from);
+    const to = Array.isArray(options.to) ? options.to.join(", ") : options.to;
+    formData.append("to", to);
+    formData.append("subject", options.subject);
+    formData.append("html", options.html);
+    if (options.text) formData.append("text", options.text);
+    if (replyTo) formData.append("h:Reply-To", replyTo);
+    console.log(`[EmailTransport] Calling Mailgun API (${region || "us"})...`);
+    const resp = await fetch(`https://${base}/v3/${domain}/messages`, {
+      method: "POST",
+      headers: {
+        Authorization: `Basic ${auth}`,
+        "Content-Type": "application/x-www-form-urlencoded"
+      },
+      body: formData
+    });
+    if (!resp.ok) {
+      const error = await resp.json();
+      throw new Error(`Mailgun Error: ${JSON.stringify(error)}`);
+    }
+    return resp.json();
+  }
+  getTemplates() {
+    return this.templates;
+  }
+  async verifyConnection() {
+    if (this.config.provider === "smtp" || this.config.provider === "ses") {
+      try {
+        const transporter = await this.ensureTransporter();
+        if (transporter) {
+          await transporter.verify();
+          return true;
+        }
+      } catch {
+        return false;
+      }
+    }
+    return !!(this.config.resend?.apiKey || this.config.sendgrid?.apiKey || this.config.mailgun?.apiKey);
+  }
+  static async fromConfig(db) {
+    const configService = new ConfigService(db);
+    await configService.load();
+    const config = configService.getEmailConfig();
+    if (!config.provider) {
+      return this.fromEnv();
+    }
+    const transformed = {
+      provider: config.provider || "smtp",
+      from: config.from || "noreply@example.com",
+      fromName: config.fromName,
+      replyTo: config.replyTo,
+      smtp: config.provider === "smtp" ? {
+        host: config.host || "",
+        port: config.port || 587,
+        secure: config.secure || false,
+        auth: { user: config.user || "", pass: config.pass || "" }
+      } : void 0,
+      resend: config.provider === "resend" ? { apiKey: config.pass || "" } : void 0,
+      sendgrid: config.provider === "sendgrid" ? { apiKey: config.pass || "" } : void 0,
+      mailgun: config.provider === "mailgun" ? {
+        apiKey: config.pass || "",
+        domain: config.host || "",
+        region: config.secure ? "eu" : "us"
+      } : void 0,
+      ses: config.provider === "ses" ? {
+        accessKeyId: config.user || "",
+        secretAccessKey: config.pass || "",
+        region: config.host || "us-east-1"
+      } : void 0
+    };
+    return new _EmailTransport(transformed);
+  }
+  static fromEnv() {
+    const provider = process.env.EMAIL_PROVIDER || "smtp";
+    const from = process.env.SMTP_FROM || process.env.DEFAULT_FROM || "noreply@example.com";
+    const fromName = process.env.SMTP_FROM_NAME || "Kyro CMS";
+    const replyTo = process.env.SMTP_REPLY_TO;
+    if (provider === "smtp") {
+      const host = process.env.SMTP_HOST;
+      const user = process.env.SMTP_USER;
+      const pass = process.env.SMTP_PASS;
+      if (!host || !user || !pass) return null;
+      return new _EmailTransport({
+        provider: "smtp",
+        from,
+        fromName,
+        replyTo,
+        smtp: {
+          host,
+          port: parseInt(process.env.SMTP_PORT || "587", 10),
+          secure: process.env.SMTP_SECURE === "true",
+          auth: { user, pass }
+        }
+      });
+    }
+    if (provider === "resend") {
+      const apiKey = process.env.RESEND_API_KEY || process.env.SMTP_PASS;
+      if (!apiKey) return null;
+      return new _EmailTransport({
+        provider: "resend",
+        from,
+        fromName,
+        replyTo,
+        resend: { apiKey }
+      });
+    }
+    if (provider === "sendgrid") {
+      const apiKey = process.env.SENDGRID_API_KEY || process.env.SMTP_PASS;
+      if (!apiKey) return null;
+      return new _EmailTransport({
+        provider: "sendgrid",
+        from,
+        fromName,
+        replyTo,
+        sendgrid: { apiKey }
+      });
+    }
+    if (provider === "mailgun") {
+      const apiKey = process.env.MAILGUN_API_KEY || process.env.SMTP_PASS;
+      const domain = process.env.MAILGUN_DOMAIN || process.env.SMTP_HOST;
+      if (!apiKey || !domain) return null;
+      return new _EmailTransport({
+        provider: "mailgun",
+        from,
+        fromName,
+        replyTo,
+        mailgun: {
+          apiKey,
+          domain,
+          region: process.env.MAILGUN_REGION || (process.env.SMTP_SECURE === "true" ? "eu" : "us")
+        }
+      });
+    }
+    if (provider === "ses") {
+      const accessKeyId = process.env.AWS_ACCESS_KEY_ID || process.env.SMTP_USER;
+      const secretAccessKey = process.env.AWS_SECRET_ACCESS_KEY || process.env.SMTP_PASS;
+      const region = process.env.AWS_REGION || process.env.SMTP_HOST || "us-east-1";
+      if (!accessKeyId || !secretAccessKey) return null;
+      return new _EmailTransport({
+        provider: "ses",
+        from,
+        fromName,
+        replyTo,
+        ses: { accessKeyId, secretAccessKey, region }
+      });
+    }
+    return null;
+  }
+};
+
+// src/auth/security/password-policy.ts
+var DEFAULT_PASSWORD_POLICY = {
+  minLength: 12,
+  requireUppercase: true,
+  requireLowercase: true,
+  requireNumbers: true,
+  requireSpecialChars: true,
+  preventReuse: 5,
+  maxLength: 128
+};
+var PasswordPolicy = class {
+  config;
+  constructor(config = {}) {
+    this.config = { ...DEFAULT_PASSWORD_POLICY, ...config };
+  }
+  validate(password) {
+    const errors = [];
+    if (this.config.maxLength && password.length > this.config.maxLength) {
+      errors.push(
+        `Password must not exceed ${this.config.maxLength} characters`
+      );
+    }
+    if (password.length < this.config.minLength) {
+      errors.push(
+        `Password must be at least ${this.config.minLength} characters`
+      );
+    }
+    if (this.config.requireUppercase && !/[A-Z]/.test(password)) {
+      errors.push("Password must contain at least one uppercase letter");
+    }
+    if (this.config.requireLowercase && !/[a-z]/.test(password)) {
+      errors.push("Password must contain at least one lowercase letter");
+    }
+    if (this.config.requireNumbers && !/[0-9]/.test(password)) {
+      errors.push("Password must contain at least one number");
+    }
+    if (this.config.requireSpecialChars && !/[!@#$%^&*()_+\-=\[\]{};':"\\|,.<>\/?]/.test(password)) {
+      errors.push("Password must contain at least one special character");
+    }
+    const commonPasswords = [
+      "password",
+      "123456",
+      "12345678",
+      "qwerty",
+      "abc123",
+      "monkey",
+      "1234567",
+      "letmein",
+      "trustno1",
+      "dragon",
+      "baseball",
+      "iloveyou",
+      "master",
+      "sunshine",
+      "ashley",
+      "football",
+      "password1",
+      "shadow",
+      "123123",
+      "654321"
+    ];
+    if (commonPasswords.includes(password.toLowerCase())) {
+      errors.push(
+        "This password is too common. Please choose a more secure password"
+      );
+    }
+    if (/^[a-zA-Z]+$/.test(password) || /^[0-9]+$/.test(password)) {
+      errors.push(
+        "Password must contain a mix of letters, numbers, and/or special characters"
+      );
+    }
+    if (/(.)\1{2,}/.test(password)) {
+      errors.push(
+        "Password must not contain more than 2 consecutive identical characters"
+      );
+    }
+    if (/^(012|123|234|345|456|567|678|789|890|098|987|876|765|654|543|432|321|210)+$/i.test(
+      password
+    )) {
+      errors.push("Password must not contain sequential numbers or letters");
+    }
+    return {
+      valid: errors.length === 0,
+      errors
+    };
+  }
+  async checkReuse(passwordHash, history, verifyFn) {
+    return {
+      valid: true,
+      errors: []
+    };
+  }
+  async isInHistory(password, history, verifyFn) {
+    for (const hash of history) {
+      if (await verifyFn(password, hash)) {
+        return true;
+      }
+    }
+    return false;
+  }
+  generatePassword(length = 16) {
+    const uppercase = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+    const lowercase = "abcdefghijklmnopqrstuvwxyz";
+    const numbers = "0123456789";
+    const special = "!@#$%^&*()_+-=[]{}|;:,.<>?";
+    let password = "";
+    password += uppercase[Math.floor(Math.random() * uppercase.length)];
+    password += lowercase[Math.floor(Math.random() * lowercase.length)];
+    password += numbers[Math.floor(Math.random() * numbers.length)];
+    password += special[Math.floor(Math.random() * special.length)];
+    const allChars = uppercase + lowercase + numbers + special;
+    for (let i = password.length; i < length; i++) {
+      password += allChars[Math.floor(Math.random() * allChars.length)];
+    }
+    return password.split("").sort(() => Math.random() - 0.5).join("");
+  }
+  getStrength(password) {
+    let score = 0;
+    const feedback = [];
+    if (password.length >= 8) score += 1;
+    if (password.length >= 12) score += 1;
+    if (password.length >= 16) score += 1;
+    if (/[a-z]/.test(password)) score += 1;
+    if (/[A-Z]/.test(password)) score += 1;
+    if (/[0-9]/.test(password)) score += 1;
+    if (/[!@#$%^&*()_+\-=\[\]{}|;:,.<>?]/.test(password)) score += 1;
+    if (password.length > 8) score += 1;
+    if (password.length > 12) score += 1;
+    const uniqueChars = new Set(password).size;
+    if (uniqueChars > 6) score += 1;
+    if (uniqueChars > 10) score += 1;
+    let label;
+    if (score <= 3) {
+      label = "Weak";
+      feedback.push("Add more characters");
+      feedback.push("Include uppercase and lowercase letters");
+    } else if (score <= 5) {
+      label = "Fair";
+      feedback.push("Add special characters");
+      feedback.push("Consider making it longer");
+    } else if (score <= 7) {
+      label = "Good";
+      feedback.push("Consider making it longer for extra security");
+    } else {
+      label = "Strong";
+    }
+    return { score, label, feedback };
+  }
+  setConfig(config) {
+    this.config = { ...this.config, ...config };
+  }
+  getConfig() {
+    return { ...this.config };
+  }
+};
+var DEFAULT_BUSY_TIMEOUT = 5e3;
+var DEFAULT_WAL_CHECKPOINT = 1e3;
+var DEFAULT_CACHE_SIZE = -64e3;
+var DEFAULT_MMAP_SIZE = 268435456;
+var SQLiteAuthAdapter = class {
+  db = null;
+  path;
+  saltRounds;
+  externalDb;
+  busyTimeout;
+  walAutoCheckpoint;
+  cacheSize;
+  mmapSize;
+  preparedStatements = /* @__PURE__ */ new Map();
+  constructor(options = {}) {
+    this.path = options.path || "./data/auth.db";
+    this.saltRounds = options.saltRounds || 12;
+    this.externalDb = !!options.db;
+    this.busyTimeout = options.busyTimeout ?? DEFAULT_BUSY_TIMEOUT;
+    this.walAutoCheckpoint = options.walAutoCheckpoint ?? DEFAULT_WAL_CHECKPOINT;
+    this.cacheSize = options.cacheSize ?? DEFAULT_CACHE_SIZE;
+    this.mmapSize = options.mmapSize ?? DEFAULT_MMAP_SIZE;
+    if (options.db) {
+      this.db = options.db;
+    }
+  }
+  async connect() {
+    if (this.db) return;
+    const dir = dirname(this.path);
+    if (dir && dir !== ".") {
+      mkdirSync(dir, { recursive: true });
+    }
+    const { DatabaseSync } = await import('sqlite');
+    this.db = new DatabaseSync(this.path);
+    this.db.exec(`PRAGMA busy_timeout = ${this.busyTimeout}`);
+    this.db.exec("PRAGMA journal_mode = WAL");
+    this.db.exec("PRAGMA synchronous = NORMAL");
+    this.db.exec("PRAGMA cache_size = " + this.cacheSize);
+    this.db.exec("PRAGMA mmap_size = " + this.mmapSize);
+    this.db.exec("PRAGMA wal_autocheckpoint = " + this.walAutoCheckpoint);
+    this.db.exec("PRAGMA foreign_keys = ON");
+    this.db.exec("PRAGMA temp_store = MEMORY");
+    this.ensureTables();
+    this.prepareStatements();
+  }
+  async disconnect() {
+    if (this.db && !this.externalDb) {
+      this.db.exec("PRAGMA wal_checkpoint(TRUNCATE)");
+      this.db.close();
+      this.db = null;
+      this.preparedStatements.clear();
+    }
+  }
+  async ensureConnected() {
+    if (!this.db) {
+      await this.connect();
+    }
+    if (!this.db) {
+      throw new Error("Failed to connect to SQLite database");
+    }
+    return this.db;
+  }
+  ensureTables() {
+    if (!this.db) return;
+    this.db.exec(`
+      CREATE TABLE IF NOT EXISTS kyro_users (
+        id TEXT PRIMARY KEY,
+        name TEXT,
+        email TEXT UNIQUE NOT NULL,
+        password_hash TEXT NOT NULL,
+        role TEXT NOT NULL DEFAULT 'customer',
+        tenant_id TEXT,
+        email_verified INTEGER DEFAULT 0,
+        locked INTEGER DEFAULT 0,
+        last_login TEXT,
+        failed_login_attempts INTEGER DEFAULT 0,
+        locked_until TEXT,
+        created_at TEXT NOT NULL,
+        updated_at TEXT NOT NULL
+      );
+
+      CREATE TABLE IF NOT EXISTS kyro_sessions (
+        id TEXT PRIMARY KEY,
+        user_id TEXT NOT NULL,
+        token TEXT NOT NULL,
+        refresh_token TEXT,
+        expires_at TEXT NOT NULL,
+        created_at TEXT NOT NULL,
+        ip_address TEXT,
+        user_agent TEXT,
+        FOREIGN KEY (user_id) REFERENCES kyro_users(id) ON DELETE CASCADE
+      );
+
+      CREATE TABLE IF NOT EXISTS kyro_password_history (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        user_id TEXT NOT NULL,
+        password_hash TEXT NOT NULL,
+        created_at TEXT NOT NULL,
+        FOREIGN KEY (user_id) REFERENCES kyro_users(id) ON DELETE CASCADE
+      );
+
+      CREATE TABLE IF NOT EXISTS kyro_rate_limits (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        key TEXT NOT NULL,
+        window_start INTEGER NOT NULL,
+        count INTEGER NOT NULL DEFAULT 1,
+        UNIQUE(key, window_start)
+      );
+
+      CREATE TABLE IF NOT EXISTS kyro_lockouts (
+        user_id TEXT PRIMARY KEY,
+        attempts INTEGER NOT NULL DEFAULT 0,
+        last_attempt INTEGER,
+        locked_at INTEGER,
+        locked_until INTEGER
+      );
+
+      CREATE TABLE IF NOT EXISTS kyro_audit_logs (
+        id TEXT PRIMARY KEY,
+        timestamp TEXT NOT NULL,
+        action TEXT NOT NULL,
+        user_id TEXT,
+        user_email TEXT,
+        role TEXT,
+        resource TEXT NOT NULL,
+        resource_id TEXT,
+        ip_address TEXT,
+        user_agent TEXT,
+        success INTEGER NOT NULL,
+        error TEXT,
+        metadata TEXT,
+        created_at TEXT NOT NULL DEFAULT (datetime('now'))
+      );
+
+      CREATE INDEX IF NOT EXISTS idx_kyro_users_email ON kyro_users(email);
+      CREATE INDEX IF NOT EXISTS idx_kyro_sessions_user_id ON kyro_sessions(user_id);
+      CREATE INDEX IF NOT EXISTS idx_kyro_sessions_token ON kyro_sessions(token);
+      CREATE INDEX IF NOT EXISTS idx_kyro_sessions_refresh_token ON kyro_sessions(refresh_token);
+      CREATE INDEX IF NOT EXISTS idx_kyro_sessions_expires ON kyro_sessions(expires_at);
+      CREATE INDEX IF NOT EXISTS idx_kyro_password_history_user_id ON kyro_password_history(user_id);
+      CREATE INDEX IF NOT EXISTS idx_kyro_rate_limits_key ON kyro_rate_limits(key);
+      CREATE INDEX IF NOT EXISTS idx_kyro_rate_limits_window ON kyro_rate_limits(window_start);
+      CREATE INDEX IF NOT EXISTS idx_kyro_lockouts_locked_until ON kyro_lockouts(locked_until);
+      CREATE INDEX IF NOT EXISTS idx_kyro_audit_logs_timestamp ON kyro_audit_logs(timestamp);
+      CREATE INDEX IF NOT EXISTS idx_kyro_audit_logs_action ON kyro_audit_logs(action);
+      CREATE INDEX IF NOT EXISTS idx_kyro_audit_logs_user_id ON kyro_audit_logs(user_id);
+      CREATE INDEX IF NOT EXISTS idx_kyro_audit_logs_resource ON kyro_audit_logs(resource);
+    `);
+    try {
+      this.db.exec(`ALTER TABLE kyro_users ADD COLUMN name TEXT`);
+    } catch {
+    }
+  }
+  prepareStatements() {
+    if (!this.db) return;
+    this.preparedStatements.set(
+      "findUserByEmail",
+      this.db.prepare("SELECT * FROM kyro_users WHERE email = ?")
+    );
+    this.preparedStatements.set(
+      "findUserById",
+      this.db.prepare("SELECT * FROM kyro_users WHERE id = ?")
+    );
+    this.preparedStatements.set(
+      "findSessionByToken",
+      this.db.prepare("SELECT * FROM kyro_sessions WHERE token = ?")
+    );
+    this.preparedStatements.set(
+      "findSessionByRefreshToken",
+      this.db.prepare("SELECT * FROM kyro_sessions WHERE refresh_token = ?")
+    );
+    this.preparedStatements.set(
+      "deleteSession",
+      this.db.prepare("DELETE FROM kyro_sessions WHERE id = ? OR token = ?")
+    );
+    this.preparedStatements.set(
+      "deleteUserSessions",
+      this.db.prepare("DELETE FROM kyro_sessions WHERE user_id = ?")
+    );
+    this.preparedStatements.set(
+      "countUsers",
+      this.db.prepare("SELECT COUNT(*) as count FROM kyro_users")
+    );
+    this.preparedStatements.set(
+      "deleteUser",
+      this.db.prepare("DELETE FROM kyro_users WHERE id = ?")
+    );
+    this.preparedStatements.set(
+      "findUsersPaginated",
+      this.db.prepare(
+        "SELECT * FROM kyro_users ORDER BY created_at DESC LIMIT ? OFFSET ?"
+      )
+    );
+    this.preparedStatements.set(
+      "findUsersWithSearch",
+      this.db.prepare(
+        "SELECT * FROM kyro_users WHERE email LIKE ? ORDER BY created_at DESC LIMIT ? OFFSET ?"
+      )
+    );
+    this.preparedStatements.set(
+      "countUsersWithSearch",
+      this.db.prepare(
+        "SELECT COUNT(*) as count FROM kyro_users WHERE email LIKE ?"
+      )
+    );
+    this.preparedStatements.set(
+      "getPasswordHistory",
+      this.db.prepare(
+        "SELECT password_hash FROM kyro_password_history WHERE user_id = ? ORDER BY created_at DESC LIMIT ?"
+      )
+    );
+    this.preparedStatements.set(
+      "addPasswordHistory",
+      this.db.prepare(
+        "INSERT INTO kyro_password_history (user_id, password_hash, created_at) VALUES (?, ?, ?)"
+      )
+    );
+    this.preparedStatements.set(
+      "trimPasswordHistory",
+      this.db.prepare(
+        `DELETE FROM kyro_password_history WHERE id IN (
+          SELECT id FROM kyro_password_history WHERE user_id = ? ORDER BY created_at DESC LIMIT -1 OFFSET 5
+        )`
+      )
+    );
+    this.preparedStatements.set(
+      "deleteExpiredSessions",
+      this.db.prepare("DELETE FROM kyro_sessions WHERE expires_at < ?")
+    );
+    this.preparedStatements.set(
+      "cleanupOldAuditLogs",
+      this.db.prepare("DELETE FROM kyro_audit_logs WHERE timestamp < ?")
+    );
+    this.preparedStatements.set(
+      "cleanupExpiredLockouts",
+      this.db.prepare(
+        "UPDATE kyro_lockouts SET attempts = 0, locked_at = NULL, locked_until = NULL WHERE locked_until < ?"
+      )
+    );
+    this.preparedStatements.set(
+      "getLockout",
+      this.db.prepare("SELECT * FROM kyro_lockouts WHERE user_id = ?")
+    );
+    this.preparedStatements.set(
+      "upsertLockout",
+      this.db.prepare(`
+        INSERT INTO kyro_lockouts (user_id, attempts, last_attempt, locked_at, locked_until)
+        VALUES (?, ?, ?, ?, ?)
+        ON CONFLICT(user_id) DO UPDATE SET
+          attempts = excluded.attempts,
+          last_attempt = excluded.last_attempt,
+          locked_at = excluded.locked_at,
+          locked_until = excluded.locked_until
+      `)
+    );
+    this.preparedStatements.set(
+      "resetLockout",
+      this.db.prepare(
+        "UPDATE kyro_lockouts SET attempts = 0, locked_at = NULL, locked_until = NULL WHERE user_id = ?"
+      )
+    );
+  }
+  stmt(name) {
+    const stmt = this.preparedStatements.get(name);
+    if (!stmt) throw new Error(`Prepared statement not found: ${name}`);
+    return stmt;
+  }
+  async cleanupExpiredSessions() {
+    await this.ensureConnected();
+    const result = this.stmt("deleteExpiredSessions").run(
+      (/* @__PURE__ */ new Date()).toISOString()
+    );
+    return result.changes;
+  }
+  async cleanupOldAuditLogs(retentionDays = 30) {
+    await this.ensureConnected();
+    const cutoff = new Date(
+      Date.now() - retentionDays * 24 * 60 * 60 * 1e3
+    ).toISOString();
+    const result = this.stmt("cleanupOldAuditLogs").run(cutoff);
+    return result.changes;
+  }
+  async getStats() {
+    await this.ensureConnected();
+    const userCount = this.stmt("countUsers").get().count;
+    const activeSessionCount = this.db.prepare(
+      "SELECT COUNT(*) as count FROM kyro_sessions WHERE expires_at > ?"
+    ).get((/* @__PURE__ */ new Date()).toISOString()).count;
+    const auditLogCount = this.db.prepare(
+      "SELECT COUNT(*) as count FROM kyro_audit_logs"
+    ).get().count;
+    return { userCount, activeSessionCount, auditLogCount };
+  }
+  async createUser(data) {
+    await this.ensureConnected();
+    const id = randomBytes(16).toString("hex");
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const passwordHash = await this.hashPassword(data.password);
+    const user = {
+      id,
+      name: data.name,
+      email: data.email.toLowerCase(),
+      passwordHash,
+      role: data.role || "customer",
+      tenantId: data.tenantId,
+      createdAt: now,
+      updatedAt: now
+    };
+    this.db.prepare(
+      `INSERT INTO kyro_users (id, name, email, password_hash, role, tenant_id, created_at, updated_at)
+          VALUES (?, ?, ?, ?, ?, ?, ?, ?)`
+    ).run(
+      id,
+      user.name || null,
+      user.email,
+      user.passwordHash,
+      user.role,
+      user.tenantId,
+      now,
+      now
+    );
+    return user;
+  }
+  async findUserByEmail(email) {
+    await this.ensureConnected();
+    const row = this.stmt("findUserByEmail").get(email.toLowerCase());
+    if (!row) return null;
+    return this.rowToUser(row);
+  }
+  async findUserById(userId) {
+    await this.ensureConnected();
+    const row = this.stmt("findUserById").get(userId);
+    if (!row) return null;
+    return this.rowToUser(row);
+  }
+  async updateUser(userId, data) {
+    await this.ensureConnected();
+    const existing = await this.findUserById(userId);
+    if (!existing) return null;
+    const updates = [];
+    const values = [];
+    if (data.email !== void 0) {
+      updates.push("email = ?");
+      values.push(data.email.toLowerCase());
+    }
+    if (data.name !== void 0) {
+      updates.push("name = ?");
+      values.push(data.name);
+    }
+    if (data.passwordHash !== void 0) {
+      updates.push("password_hash = ?");
+      values.push(data.passwordHash);
+    }
+    if (data.role !== void 0) {
+      updates.push("role = ?");
+      values.push(data.role);
+    }
+    if (data.tenantId !== void 0) {
+      updates.push("tenant_id = ?");
+      values.push(data.tenantId);
+    }
+    if (data.emailVerified !== void 0) {
+      updates.push("email_verified = ?");
+      values.push(data.emailVerified ? 1 : 0);
+    }
+    if (data.locked !== void 0) {
+      updates.push("locked = ?");
+      values.push(data.locked ? 1 : 0);
+    }
+    if (data.lastLogin !== void 0) {
+      updates.push("last_login = ?");
+      values.push(data.lastLogin);
+    }
+    if (data.failedLoginAttempts !== void 0) {
+      updates.push("failed_login_attempts = ?");
+      values.push(data.failedLoginAttempts);
+    }
+    updates.push("updated_at = ?");
+    values.push((/* @__PURE__ */ new Date()).toISOString());
+    values.push(userId);
+    this.db.prepare(
+      `UPDATE kyro_users SET ${updates.join(", ")} WHERE id = ?`
+    ).run(...values);
+    return this.findUserById(userId);
+  }
+  async deleteUser(userId) {
+    await this.ensureConnected();
+    const result = this.stmt("deleteUser").run(userId);
+    return result.changes > 0;
+  }
+  async hashPassword(password) {
+    return bcrypt.hash(password, this.saltRounds);
+  }
+  async verifyPassword(email, password) {
+    await this.ensureConnected();
+    const user = await this.findUserByEmail(email);
+    if (!user) return null;
+    const stored = this.db.prepare(
+      "SELECT password_hash FROM kyro_users WHERE id = ?"
+    ).get(user.id);
+    if (!stored?.password_hash) return null;
+    const valid = await bcrypt.compare(password, stored.password_hash);
+    return valid ? user : null;
+  }
+  async createSession(userId, data = {}) {
+    await this.ensureConnected();
+    const id = randomBytes(32).toString("hex");
+    const token = randomBytes(32).toString("base64url");
+    const refreshToken = randomBytes(32).toString("base64url");
+    const now = /* @__PURE__ */ new Date();
+    const expiresAt = new Date(now.getTime() + 864e5).toISOString();
+    const session = {
+      id,
+      userId,
+      token,
+      refreshToken,
+      expiresAt,
+      createdAt: now.toISOString(),
+      ipAddress: data.ipAddress,
+      userAgent: data.userAgent
+    };
+    this.db.prepare(
+      `INSERT INTO kyro_sessions (id, user_id, token, refresh_token, expires_at, created_at, ip_address, user_agent)
+         VALUES (?, ?, ?, ?, ?, ?, ?, ?)`
+    ).run(
+      session.id,
+      session.userId,
+      session.token,
+      session.refreshToken,
+      session.expiresAt,
+      session.createdAt,
+      session.ipAddress,
+      session.userAgent
+    );
+    return session;
+  }
+  async findSessionByToken(token) {
+    await this.ensureConnected();
+    const row = this.stmt("findSessionByToken").get(token);
+    if (!row) return null;
+    return this.rowToSession(row);
+  }
+  async findSessionByRefreshToken(refreshToken) {
+    await this.ensureConnected();
+    const row = this.stmt("findSessionByRefreshToken").get(refreshToken);
+    if (!row) return null;
+    return this.rowToSession(row);
+  }
+  async deleteSession(sessionId) {
+    await this.ensureConnected();
+    const result = this.stmt("deleteSession").run(sessionId, sessionId);
+    return result.changes > 0;
+  }
+  async deleteUserSessions(userId) {
+    await this.ensureConnected();
+    const result = this.stmt("deleteUserSessions").run(userId);
+    return result.changes;
+  }
+  async hasAnyUsers() {
+    await this.ensureConnected();
+    const row = this.stmt("countUsers").get();
+    return row.count > 0;
+  }
+  async findUsers(options = {}) {
+    await this.ensureConnected();
+    const page = options.page ?? 1;
+    const limit = options.limit ?? 10;
+    const offset = (page - 1) * limit;
+    const search = options.search;
+    let total;
+    let rows;
+    if (search) {
+      const searchPattern = `%${search}%`;
+      total = this.stmt("countUsersWithSearch").get(searchPattern).count;
+      rows = this.stmt("findUsersWithSearch").all(
+        searchPattern,
+        limit,
+        offset
+      );
+    } else {
+      total = this.stmt("countUsers").get().count;
+      rows = this.stmt("findUsersPaginated").all(limit, offset);
+    }
+    return {
+      users: rows.map((row) => this.rowToUser(row)),
+      total
+    };
+  }
+  async addPasswordToHistory(userId, passwordHash) {
+    await this.ensureConnected();
+    this.stmt("addPasswordHistory").run(
+      userId,
+      passwordHash,
+      (/* @__PURE__ */ new Date()).toISOString()
+    );
+    this.stmt("trimPasswordHistory").run(userId);
+  }
+  async getPasswordHistory(userId, count = 5) {
+    await this.ensureConnected();
+    const rows = this.stmt("getPasswordHistory").all(userId, count);
+    return rows.map((r) => r.password_hash);
+  }
+  async isPasswordInHistory(password, userId, historyCount = 5) {
+    const history = await this.getPasswordHistory(userId, historyCount);
+    for (const hash of history) {
+      if (await bcrypt.compare(password, hash)) {
+        return true;
+      }
+    }
+    return false;
+  }
+  async recordFailedAttempt(userId) {
+    await this.ensureConnected();
+    const now = Date.now();
+    const lockout = this.stmt("getLockout").get(userId);
+    const attempts = (lockout?.attempts || 0) + 1;
+    const lockedUntil = attempts >= 5 ? now + 15 * 60 * 1e3 : lockout?.locked_until || null;
+    this.stmt("upsertLockout").run(
+      userId,
+      attempts,
+      now,
+      lockedUntil !== null ? now : null,
+      lockedUntil
+    );
+  }
+  async resetAttempts(userId) {
+    await this.ensureConnected();
+    this.stmt("resetLockout").run(userId);
+  }
+  async checkLockout(userId) {
+    await this.ensureConnected();
+    this.stmt("cleanupExpiredLockouts").run(Date.now());
+    const lockout = this.stmt("getLockout").get(userId);
+    if (!lockout) {
+      return {
+        locked: false,
+        attemptsRemaining: 5,
+        totalAttempts: 0
+      };
+    }
+    if (lockout.locked_until !== null && lockout.locked_until > Date.now()) {
+      return {
+        locked: true,
+        attemptsRemaining: 0,
+        lockedUntil: new Date(lockout.locked_until),
+        totalAttempts: lockout.attempts
+      };
+    }
+    return {
+      locked: false,
+      attemptsRemaining: Math.max(0, 5 - lockout.attempts),
+      totalAttempts: lockout.attempts
+    };
+  }
+  async logAudit(data) {
+    await this.ensureConnected();
+    const id = randomBytes(16).toString("hex");
+    const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+    this.db.prepare(
+      `INSERT INTO kyro_audit_logs (
+          id, timestamp, action, user_id, user_email, role, resource, resource_id,
+          ip_address, user_agent, success, error, metadata, created_at
+        ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`
+    ).run(
+      id,
+      timestamp,
+      data.action,
+      data.userId || null,
+      data.userEmail || null,
+      data.role || null,
+      data.resource,
+      data.resourceId || null,
+      data.ipAddress || null,
+      data.userAgent || null,
+      data.success ? 1 : 0,
+      data.error || null,
+      data.metadata ? JSON.stringify(data.metadata) : null,
+      (/* @__PURE__ */ new Date()).toISOString()
+    );
+    return id;
+  }
+  async queryAuditLogs(options = {}) {
+    await this.ensureConnected();
+    const conditions = [];
+    const params = [];
+    if (options.action) {
+      conditions.push("action = ?");
+      params.push(options.action);
+    }
+    if (options.userId) {
+      conditions.push("user_id = ?");
+      params.push(options.userId);
+    }
+    if (options.resource) {
+      conditions.push("resource = ?");
+      params.push(options.resource);
+    }
+    if (options.success !== void 0) {
+      conditions.push("success = ?");
+      params.push(options.success ? 1 : 0);
+    }
+    if (options.startDate) {
+      conditions.push("timestamp >= ?");
+      params.push(options.startDate.toISOString());
+    }
+    if (options.endDate) {
+      conditions.push("timestamp <= ?");
+      params.push(options.endDate.toISOString());
+    }
+    const where = conditions.length > 0 ? "WHERE " + conditions.join(" AND ") : "";
+    const limit = options.limit || 50;
+    const offset = options.offset || 0;
+    const totalResult = this.db.prepare(
+      `SELECT COUNT(*) as count FROM kyro_audit_logs ${where}`
+    ).get(...params);
+    const rows = this.db.prepare(
+      `SELECT * FROM kyro_audit_logs ${where} ORDER BY timestamp DESC LIMIT ? OFFSET ?`
+    ).all(...params, limit, offset);
+    return {
+      total: totalResult.count,
+      logs: rows.map((row) => ({
+        id: row.id,
+        timestamp: new Date(row.timestamp),
+        action: row.action,
+        userId: row.user_id || void 0,
+        userEmail: row.user_email || void 0,
+        resource: row.resource,
+        resourceId: row.resource_id || void 0,
+        ipAddress: row.ip_address || void 0,
+        userAgent: row.user_agent || void 0,
+        success: row.success === 1,
+        error: row.error || void 0,
+        metadata: row.metadata ? JSON.parse(row.metadata) : void 0
+      }))
+    };
+  }
+  rowToUser(row) {
+    return {
+      id: row.id,
+      name: row.name || void 0,
+      email: row.email,
+      passwordHash: row.password_hash,
+      role: row.role,
+      tenantId: row.tenant_id,
+      emailVerified: row.email_verified === 1,
+      locked: row.locked === 1,
+      lastLogin: row.last_login,
+      failedLoginAttempts: row.failed_login_attempts || 0,
+      createdAt: row.created_at,
+      updatedAt: row.updated_at
+    };
+  }
+  rowToSession(row) {
+    return {
+      id: row.id,
+      userId: row.user_id,
+      token: row.token,
+      refreshToken: row.refresh_token,
+      expiresAt: row.expires_at,
+      createdAt: row.created_at,
+      ipAddress: row.ip_address,
+      userAgent: row.user_agent
+    };
+  }
+  async findAuditLogs(filter) {
+    const result = await this.queryAuditLogs({
+      action: filter.action,
+      userId: filter.userId,
+      resource: filter.resource,
+      success: filter.success,
+      startDate: filter.startDate,
+      endDate: filter.endDate,
+      limit: filter.limit,
+      offset: filter.offset
+    });
+    return {
+      logs: result.logs.map((log) => ({
+        ...log,
+        action: log.action
+      })),
+      total: result.total
+    };
+  }
+  async createAuditLog(data) {
+    const id = await this.logAudit({
+      action: data.action,
+      userId: data.userId,
+      userEmail: data.userEmail,
+      role: data.role,
+      resource: data.resource,
+      resourceId: data.resourceId,
+      ipAddress: data.ipAddress,
+      userAgent: data.userAgent,
+      success: data.success,
+      error: data.error,
+      metadata: data.metadata
+    });
+    const row = this.db?.prepare("SELECT * FROM kyro_audit_logs WHERE id = ?").get(id);
+    return {
+      ...data,
+      id,
+      timestamp: row ? new Date(row.timestamp) : /* @__PURE__ */ new Date()
+    };
+  }
+};
+
+export { ConfigService, EmailTransport, PasswordPolicy, SQLiteAuthAdapter };
+//# sourceMappingURL=chunk-RYDGMBIG.js.map
+//# sourceMappingURL=chunk-RYDGMBIG.js.map