@kyro-cms/core 0.3.2 → 0.3.4

package/dist/chunk-RRYXQMZG.js

@@ -1,935 +0,0 @@
-import { EmailTransport } from './chunk-HYC4GNHX.js';
-import bcrypt from 'bcryptjs';
-import { randomBytes } from 'crypto';
-import { mkdirSync } from 'fs';
-import { dirname } from 'path';
-
-var DEFAULT_BUSY_TIMEOUT = 5e3;
-var DEFAULT_WAL_CHECKPOINT = 1e3;
-var DEFAULT_CACHE_SIZE = -64e3;
-var DEFAULT_MMAP_SIZE = 268435456;
-var SQLiteAuthAdapter = class {
-  db = null;
-  path;
-  saltRounds;
-  externalDb;
-  busyTimeout;
-  walAutoCheckpoint;
-  cacheSize;
-  mmapSize;
-  preparedStatements = /* @__PURE__ */ new Map();
-  constructor(options = {}) {
-    this.path = options.path || "./data/auth.db";
-    this.saltRounds = options.saltRounds || 12;
-    this.externalDb = !!options.db;
-    this.busyTimeout = options.busyTimeout ?? DEFAULT_BUSY_TIMEOUT;
-    this.walAutoCheckpoint = options.walAutoCheckpoint ?? DEFAULT_WAL_CHECKPOINT;
-    this.cacheSize = options.cacheSize ?? DEFAULT_CACHE_SIZE;
-    this.mmapSize = options.mmapSize ?? DEFAULT_MMAP_SIZE;
-    if (options.db) {
-      this.db = options.db;
-    }
-  }
-  async connect() {
-    if (this.db) return;
-    const dir = dirname(this.path);
-    if (dir && dir !== ".") {
-      mkdirSync(dir, { recursive: true });
-    }
-    const Database = (await import('better-sqlite3')).default;
-    this.db = new Database(this.path, {
-      timeout: this.busyTimeout
-    });
-    this.db.pragma("journal_mode = WAL");
-    this.db.pragma("synchronous = NORMAL");
-    this.db.pragma("cache_size = " + this.cacheSize);
-    this.db.pragma("mmap_size = " + this.mmapSize);
-    this.db.pragma("wal_autocheckpoint = " + this.walAutoCheckpoint);
-    this.db.pragma("foreign_keys = ON");
-    this.db.pragma("temp_store = MEMORY");
-    this.ensureTables();
-    this.prepareStatements();
-  }
-  async disconnect() {
-    if (this.db && !this.externalDb) {
-      this.db.pragma("wal_checkpoint(TRUNCATE)");
-      this.db.close();
-      this.db = null;
-      this.preparedStatements.clear();
-    }
-  }
-  ensureTables() {
-    if (!this.db) return;
-    this.db.exec(`
-      CREATE TABLE IF NOT EXISTS kyro_users (
-        id TEXT PRIMARY KEY,
-        email TEXT UNIQUE NOT NULL,
-        password_hash TEXT NOT NULL,
-        role TEXT NOT NULL DEFAULT 'customer',
-        tenant_id TEXT,
-        email_verified INTEGER DEFAULT 0,
-        locked INTEGER DEFAULT 0,
-        last_login TEXT,
-        failed_login_attempts INTEGER DEFAULT 0,
-        locked_until TEXT,
-        created_at TEXT NOT NULL,
-        updated_at TEXT NOT NULL
-      );
-
-      CREATE TABLE IF NOT EXISTS kyro_sessions (
-        id TEXT PRIMARY KEY,
-        user_id TEXT NOT NULL,
-        token TEXT NOT NULL,
-        refresh_token TEXT,
-        expires_at TEXT NOT NULL,
-        created_at TEXT NOT NULL,
-        ip_address TEXT,
-        user_agent TEXT,
-        FOREIGN KEY (user_id) REFERENCES kyro_users(id) ON DELETE CASCADE
-      );
-
-      CREATE TABLE IF NOT EXISTS kyro_password_history (
-        id INTEGER PRIMARY KEY AUTOINCREMENT,
-        user_id TEXT NOT NULL,
-        password_hash TEXT NOT NULL,
-        created_at TEXT NOT NULL,
-        FOREIGN KEY (user_id) REFERENCES kyro_users(id) ON DELETE CASCADE
-      );
-
-      CREATE TABLE IF NOT EXISTS kyro_rate_limits (
-        id INTEGER PRIMARY KEY AUTOINCREMENT,
-        key TEXT NOT NULL,
-        window_start INTEGER NOT NULL,
-        count INTEGER NOT NULL DEFAULT 1,
-        UNIQUE(key, window_start)
-      );
-
-      CREATE TABLE IF NOT EXISTS kyro_lockouts (
-        user_id TEXT PRIMARY KEY,
-        attempts INTEGER NOT NULL DEFAULT 0,
-        last_attempt INTEGER,
-        locked_at INTEGER,
-        locked_until INTEGER
-      );
-
-      CREATE TABLE IF NOT EXISTS kyro_audit_logs (
-        id TEXT PRIMARY KEY,
-        timestamp TEXT NOT NULL,
-        action TEXT NOT NULL,
-        user_id TEXT,
-        user_email TEXT,
-        role TEXT,
-        resource TEXT NOT NULL,
-        resource_id TEXT,
-        ip_address TEXT,
-        user_agent TEXT,
-        success INTEGER NOT NULL,
-        error TEXT,
-        metadata TEXT,
-        created_at TEXT NOT NULL DEFAULT (datetime('now'))
-      );
-
-      CREATE INDEX IF NOT EXISTS idx_kyro_users_email ON kyro_users(email);
-      CREATE INDEX IF NOT EXISTS idx_kyro_sessions_user_id ON kyro_sessions(user_id);
-      CREATE INDEX IF NOT EXISTS idx_kyro_sessions_token ON kyro_sessions(token);
-      CREATE INDEX IF NOT EXISTS idx_kyro_sessions_refresh_token ON kyro_sessions(refresh_token);
-      CREATE INDEX IF NOT EXISTS idx_kyro_sessions_expires ON kyro_sessions(expires_at);
-      CREATE INDEX IF NOT EXISTS idx_kyro_password_history_user_id ON kyro_password_history(user_id);
-      CREATE INDEX IF NOT EXISTS idx_kyro_rate_limits_key ON kyro_rate_limits(key);
-      CREATE INDEX IF NOT EXISTS idx_kyro_rate_limits_window ON kyro_rate_limits(window_start);
-      CREATE INDEX IF NOT EXISTS idx_kyro_lockouts_locked_until ON kyro_lockouts(locked_until);
-      CREATE INDEX IF NOT EXISTS idx_kyro_audit_logs_timestamp ON kyro_audit_logs(timestamp);
-      CREATE INDEX IF NOT EXISTS idx_kyro_audit_logs_action ON kyro_audit_logs(action);
-      CREATE INDEX IF NOT EXISTS idx_kyro_audit_logs_user_id ON kyro_audit_logs(user_id);
-      CREATE INDEX IF NOT EXISTS idx_kyro_audit_logs_resource ON kyro_audit_logs(resource);
-    `);
-  }
-  prepareStatements() {
-    if (!this.db) return;
-    this.preparedStatements.set(
-      "findUserByEmail",
-      this.db.prepare("SELECT * FROM kyro_users WHERE email = ?")
-    );
-    this.preparedStatements.set(
-      "findUserById",
-      this.db.prepare("SELECT * FROM kyro_users WHERE id = ?")
-    );
-    this.preparedStatements.set(
-      "findSessionByToken",
-      this.db.prepare("SELECT * FROM kyro_sessions WHERE token = ?")
-    );
-    this.preparedStatements.set(
-      "findSessionByRefreshToken",
-      this.db.prepare("SELECT * FROM kyro_sessions WHERE refresh_token = ?")
-    );
-    this.preparedStatements.set(
-      "deleteSession",
-      this.db.prepare("DELETE FROM kyro_sessions WHERE id = ? OR token = ?")
-    );
-    this.preparedStatements.set(
-      "deleteUserSessions",
-      this.db.prepare("DELETE FROM kyro_sessions WHERE user_id = ?")
-    );
-    this.preparedStatements.set(
-      "countUsers",
-      this.db.prepare("SELECT COUNT(*) as count FROM kyro_users")
-    );
-    this.preparedStatements.set(
-      "deleteUser",
-      this.db.prepare("DELETE FROM kyro_users WHERE id = ?")
-    );
-    this.preparedStatements.set(
-      "getPasswordHistory",
-      this.db.prepare(
-        "SELECT password_hash FROM kyro_password_history WHERE user_id = ? ORDER BY created_at DESC LIMIT ?"
-      )
-    );
-    this.preparedStatements.set(
-      "addPasswordHistory",
-      this.db.prepare(
-        "INSERT INTO kyro_password_history (user_id, password_hash, created_at) VALUES (?, ?, ?)"
-      )
-    );
-    this.preparedStatements.set(
-      "trimPasswordHistory",
-      this.db.prepare(
-        `DELETE FROM kyro_password_history WHERE id IN (
-          SELECT id FROM kyro_password_history WHERE user_id = ? ORDER BY created_at DESC LIMIT -1 OFFSET 5
-        )`
-      )
-    );
-    this.preparedStatements.set(
-      "deleteExpiredSessions",
-      this.db.prepare("DELETE FROM kyro_sessions WHERE expires_at < ?")
-    );
-    this.preparedStatements.set(
-      "cleanupOldAuditLogs",
-      this.db.prepare("DELETE FROM kyro_audit_logs WHERE timestamp < ?")
-    );
-    this.preparedStatements.set(
-      "cleanupExpiredLockouts",
-      this.db.prepare(
-        "UPDATE kyro_lockouts SET attempts = 0, locked_at = NULL, locked_until = NULL WHERE locked_until < ?"
-      )
-    );
-    this.preparedStatements.set(
-      "getLockout",
-      this.db.prepare("SELECT * FROM kyro_lockouts WHERE user_id = ?")
-    );
-    this.preparedStatements.set(
-      "upsertLockout",
-      this.db.prepare(`
-        INSERT INTO kyro_lockouts (user_id, attempts, last_attempt, locked_at, locked_until)
-        VALUES (?, ?, ?, ?, ?)
-        ON CONFLICT(user_id) DO UPDATE SET
-          attempts = excluded.attempts,
-          last_attempt = excluded.last_attempt,
-          locked_at = excluded.locked_at,
-          locked_until = excluded.locked_until
-      `)
-    );
-    this.preparedStatements.set(
-      "resetLockout",
-      this.db.prepare(
-        "UPDATE kyro_lockouts SET attempts = 0, locked_at = NULL, locked_until = NULL WHERE user_id = ?"
-      )
-    );
-  }
-  stmt(name) {
-    const stmt = this.preparedStatements.get(name);
-    if (!stmt) throw new Error(`Prepared statement not found: ${name}`);
-    return stmt;
-  }
-  async cleanupExpiredSessions() {
-    if (!this.db) throw new Error("Not connected");
-    const result = this.stmt("deleteExpiredSessions").run(
-      (/* @__PURE__ */ new Date()).toISOString()
-    );
-    return result.changes;
-  }
-  async cleanupOldAuditLogs(retentionDays = 30) {
-    if (!this.db) throw new Error("Not connected");
-    const cutoff = new Date(
-      Date.now() - retentionDays * 24 * 60 * 60 * 1e3
-    ).toISOString();
-    const result = this.stmt("cleanupOldAuditLogs").run(cutoff);
-    return result.changes;
-  }
-  async getStats() {
-    if (!this.db) throw new Error("Not connected");
-    const userCount = this.stmt("countUsers").get().count;
-    const activeSessionCount = this.db.prepare(
-      "SELECT COUNT(*) as count FROM kyro_sessions WHERE expires_at > ?"
-    ).get((/* @__PURE__ */ new Date()).toISOString()).count;
-    const auditLogCount = this.db.prepare("SELECT COUNT(*) as count FROM kyro_audit_logs").get().count;
-    return { userCount, activeSessionCount, auditLogCount };
-  }
-  async createUser(data) {
-    if (!this.db) throw new Error("Not connected");
-    const id = randomBytes(16).toString("hex");
-    const now = (/* @__PURE__ */ new Date()).toISOString();
-    const passwordHash = await this.hashPassword(data.password);
-    const user = {
-      id,
-      email: data.email.toLowerCase(),
-      passwordHash,
-      role: data.role || "customer",
-      tenantId: data.tenantId,
-      createdAt: now,
-      updatedAt: now
-    };
-    this.db.prepare(
-      `INSERT INTO kyro_users (id, email, password_hash, role, tenant_id, created_at, updated_at)
-         VALUES (?, ?, ?, ?, ?, ?, ?)`
-    ).run(
-      id,
-      user.email,
-      user.passwordHash,
-      user.role,
-      user.tenantId,
-      now,
-      now
-    );
-    return user;
-  }
-  async findUserByEmail(email) {
-    if (!this.db) throw new Error("Not connected");
-    const row = this.stmt("findUserByEmail").get(email.toLowerCase());
-    if (!row) return null;
-    return this.rowToUser(row);
-  }
-  async findUserById(userId) {
-    if (!this.db) throw new Error("Not connected");
-    const row = this.stmt("findUserById").get(userId);
-    if (!row) return null;
-    return this.rowToUser(row);
-  }
-  async updateUser(userId, data) {
-    if (!this.db) throw new Error("Not connected");
-    const existing = await this.findUserById(userId);
-    if (!existing) return null;
-    const updates = [];
-    const values = [];
-    if (data.email !== void 0) {
-      updates.push("email = ?");
-      values.push(data.email.toLowerCase());
-    }
-    if (data.passwordHash !== void 0) {
-      updates.push("password_hash = ?");
-      values.push(data.passwordHash);
-    }
-    if (data.role !== void 0) {
-      updates.push("role = ?");
-      values.push(data.role);
-    }
-    if (data.tenantId !== void 0) {
-      updates.push("tenant_id = ?");
-      values.push(data.tenantId);
-    }
-    if (data.emailVerified !== void 0) {
-      updates.push("email_verified = ?");
-      values.push(data.emailVerified ? 1 : 0);
-    }
-    if (data.locked !== void 0) {
-      updates.push("locked = ?");
-      values.push(data.locked ? 1 : 0);
-    }
-    if (data.lastLogin !== void 0) {
-      updates.push("last_login = ?");
-      values.push(data.lastLogin);
-    }
-    if (data.failedLoginAttempts !== void 0) {
-      updates.push("failed_login_attempts = ?");
-      values.push(data.failedLoginAttempts);
-    }
-    updates.push("updated_at = ?");
-    values.push((/* @__PURE__ */ new Date()).toISOString());
-    values.push(userId);
-    this.db.prepare(`UPDATE kyro_users SET ${updates.join(", ")} WHERE id = ?`).run(...values);
-    return this.findUserById(userId);
-  }
-  async deleteUser(userId) {
-    if (!this.db) throw new Error("Not connected");
-    const result = this.stmt("deleteUser").run(userId);
-    return result.changes > 0;
-  }
-  async hashPassword(password) {
-    return bcrypt.hash(password, this.saltRounds);
-  }
-  async verifyPassword(email, password) {
-    if (!this.db) throw new Error("Not connected");
-    const user = await this.findUserByEmail(email);
-    if (!user) return null;
-    const stored = this.db.prepare("SELECT password_hash FROM users WHERE id = ?").get(user.id);
-    if (!stored?.password_hash) return null;
-    const valid = await bcrypt.compare(password, stored.password_hash);
-    return valid ? user : null;
-  }
-  async createSession(userId, data = {}) {
-    if (!this.db) throw new Error("Not connected");
-    const id = randomBytes(32).toString("hex");
-    const token = randomBytes(32).toString("base64url");
-    const refreshToken = randomBytes(32).toString("base64url");
-    const now = /* @__PURE__ */ new Date();
-    const expiresAt = new Date(now.getTime() + 864e5).toISOString();
-    const session = {
-      id,
-      userId,
-      token,
-      refreshToken,
-      expiresAt,
-      createdAt: now.toISOString(),
-      ipAddress: data.ipAddress,
-      userAgent: data.userAgent
-    };
-    this.db.prepare(
-      `INSERT INTO kyro_sessions (id, user_id, token, refresh_token, expires_at, created_at, ip_address, user_agent)
-         VALUES (?, ?, ?, ?, ?, ?, ?, ?)`
-    ).run(
-      session.id,
-      session.userId,
-      session.token,
-      session.refreshToken,
-      session.expiresAt,
-      session.createdAt,
-      session.ipAddress,
-      session.userAgent
-    );
-    return session;
-  }
-  async findSessionByToken(token) {
-    if (!this.db) throw new Error("Not connected");
-    const row = this.stmt("findSessionByToken").get(token);
-    if (!row) return null;
-    return this.rowToSession(row);
-  }
-  async findSessionByRefreshToken(refreshToken) {
-    if (!this.db) throw new Error("Not connected");
-    const row = this.stmt("findSessionByRefreshToken").get(refreshToken);
-    if (!row) return null;
-    return this.rowToSession(row);
-  }
-  async deleteSession(sessionId) {
-    if (!this.db) throw new Error("Not connected");
-    const result = this.stmt("deleteSession").run(sessionId, sessionId);
-    return result.changes > 0;
-  }
-  async deleteUserSessions(userId) {
-    if (!this.db) throw new Error("Not connected");
-    const result = this.stmt("deleteUserSessions").run(userId);
-    return result.changes;
-  }
-  async hasAnyUsers() {
-    if (!this.db) throw new Error("Not connected");
-    const row = this.stmt("countUsers").get();
-    return row.count > 0;
-  }
-  async addPasswordToHistory(userId, passwordHash) {
-    if (!this.db) throw new Error("Not connected");
-    this.stmt("addPasswordHistory").run(
-      userId,
-      passwordHash,
-      (/* @__PURE__ */ new Date()).toISOString()
-    );
-    this.stmt("trimPasswordHistory").run(userId);
-  }
-  async getPasswordHistory(userId, count = 5) {
-    if (!this.db) throw new Error("Not connected");
-    const rows = this.stmt("getPasswordHistory").all(userId, count);
-    return rows.map((r) => r.password_hash);
-  }
-  async isPasswordInHistory(password, userId, historyCount = 5) {
-    const history = await this.getPasswordHistory(userId, historyCount);
-    for (const hash of history) {
-      if (await bcrypt.compare(password, hash)) {
-        return true;
-      }
-    }
-    return false;
-  }
-  async recordFailedAttempt(userId) {
-    if (!this.db) throw new Error("Not connected");
-    const now = Date.now();
-    const lockout = this.stmt("getLockout").get(userId);
-    const attempts = (lockout?.attempts || 0) + 1;
-    const lockedUntil = attempts >= 5 ? now + 15 * 60 * 1e3 : lockout?.locked_until || null;
-    this.stmt("upsertLockout").run(
-      userId,
-      attempts,
-      now,
-      lockedUntil !== null ? now : null,
-      lockedUntil
-    );
-  }
-  async resetAttempts(userId) {
-    if (!this.db) throw new Error("Not connected");
-    this.stmt("resetLockout").run(userId);
-  }
-  async checkLockout(userId) {
-    if (!this.db) throw new Error("Not connected");
-    this.stmt("cleanupExpiredLockouts").run(Date.now());
-    const lockout = this.stmt("getLockout").get(userId);
-    if (!lockout) {
-      return {
-        locked: false,
-        attemptsRemaining: 5,
-        totalAttempts: 0
-      };
-    }
-    if (lockout.locked_until !== null && lockout.locked_until > Date.now()) {
-      return {
-        locked: true,
-        attemptsRemaining: 0,
-        lockedUntil: new Date(lockout.locked_until),
-        totalAttempts: lockout.attempts
-      };
-    }
-    return {
-      locked: false,
-      attemptsRemaining: Math.max(0, 5 - lockout.attempts),
-      totalAttempts: lockout.attempts
-    };
-  }
-  async logAudit(data) {
-    if (!this.db) throw new Error("Not connected");
-    const id = randomBytes(16).toString("hex");
-    const timestamp = (/* @__PURE__ */ new Date()).toISOString();
-    this.db.prepare(
-      `INSERT INTO kyro_audit_logs (
-          id, timestamp, action, user_id, user_email, role, resource, resource_id,
-          ip_address, user_agent, success, error, metadata, created_at
-        ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`
-    ).run(
-      id,
-      timestamp,
-      data.action,
-      data.userId || null,
-      data.userEmail || null,
-      data.role || null,
-      data.resource,
-      data.resourceId || null,
-      data.ipAddress || null,
-      data.userAgent || null,
-      data.success ? 1 : 0,
-      data.error || null,
-      data.metadata ? JSON.stringify(data.metadata) : null,
-      (/* @__PURE__ */ new Date()).toISOString()
-    );
-    return id;
-  }
-  async queryAuditLogs(options = {}) {
-    if (!this.db) throw new Error("Not connected");
-    const conditions = [];
-    const params = [];
-    if (options.action) {
-      conditions.push("action = ?");
-      params.push(options.action);
-    }
-    if (options.userId) {
-      conditions.push("user_id = ?");
-      params.push(options.userId);
-    }
-    if (options.resource) {
-      conditions.push("resource = ?");
-      params.push(options.resource);
-    }
-    if (options.success !== void 0) {
-      conditions.push("success = ?");
-      params.push(options.success ? 1 : 0);
-    }
-    if (options.startDate) {
-      conditions.push("timestamp >= ?");
-      params.push(options.startDate.toISOString());
-    }
-    if (options.endDate) {
-      conditions.push("timestamp <= ?");
-      params.push(options.endDate.toISOString());
-    }
-    const where = conditions.length > 0 ? "WHERE " + conditions.join(" AND ") : "";
-    const limit = options.limit || 50;
-    const offset = options.offset || 0;
-    const totalResult = this.db.prepare(`SELECT COUNT(*) as count FROM kyro_audit_logs ${where}`).get(...params);
-    const rows = this.db.prepare(
-      `SELECT * FROM kyro_audit_logs ${where} ORDER BY timestamp DESC LIMIT ? OFFSET ?`
-    ).all(...params, limit, offset);
-    return {
-      total: totalResult.count,
-      logs: rows.map((row) => ({
-        id: row.id,
-        timestamp: new Date(row.timestamp),
-        action: row.action,
-        userId: row.user_id || void 0,
-        userEmail: row.user_email || void 0,
-        resource: row.resource,
-        resourceId: row.resource_id || void 0,
-        ipAddress: row.ip_address || void 0,
-        userAgent: row.user_agent || void 0,
-        success: row.success === 1,
-        error: row.error || void 0,
-        metadata: row.metadata ? JSON.parse(row.metadata) : void 0
-      }))
-    };
-  }
-  rowToUser(row) {
-    return {
-      id: row.id,
-      email: row.email,
-      passwordHash: row.password_hash,
-      role: row.role,
-      tenantId: row.tenant_id,
-      emailVerified: row.email_verified === 1,
-      locked: row.locked === 1,
-      lastLogin: row.last_login,
-      failedLoginAttempts: row.failed_login_attempts || 0,
-      createdAt: row.created_at,
-      updatedAt: row.updated_at
-    };
-  }
-  rowToSession(row) {
-    return {
-      id: row.id,
-      userId: row.user_id,
-      token: row.token,
-      refreshToken: row.refresh_token,
-      expiresAt: row.expires_at,
-      createdAt: row.created_at,
-      ipAddress: row.ip_address,
-      userAgent: row.user_agent
-    };
-  }
-  async findAuditLogs(filter) {
-    const result = await this.queryAuditLogs({
-      action: filter.action,
-      userId: filter.userId,
-      resource: filter.resource,
-      success: filter.success,
-      startDate: filter.startDate,
-      endDate: filter.endDate,
-      limit: filter.limit,
-      offset: filter.offset
-    });
-    return {
-      logs: result.logs.map((log) => ({
-        ...log,
-        action: log.action
-      })),
-      total: result.total
-    };
-  }
-  async createAuditLog(data) {
-    const id = await this.logAudit({
-      action: data.action,
-      userId: data.userId,
-      userEmail: data.userEmail,
-      role: data.role,
-      resource: data.resource,
-      resourceId: data.resourceId,
-      ipAddress: data.ipAddress,
-      userAgent: data.userAgent,
-      success: data.success,
-      error: data.error,
-      metadata: data.metadata
-    });
-    const row = this.db?.prepare("SELECT * FROM kyro_audit_logs WHERE id = ?").get(id);
-    return {
-      ...data,
-      id,
-      timestamp: row ? new Date(row.timestamp) : /* @__PURE__ */ new Date()
-    };
-  }
-};
-
-// src/auth/security/password-policy.ts
-var DEFAULT_PASSWORD_POLICY = {
-  minLength: 12,
-  requireUppercase: true,
-  requireLowercase: true,
-  requireNumbers: true,
-  requireSpecialChars: true,
-  preventReuse: 5,
-  maxLength: 128
-};
-var PasswordPolicy = class {
-  config;
-  constructor(config = {}) {
-    this.config = { ...DEFAULT_PASSWORD_POLICY, ...config };
-  }
-  validate(password) {
-    const errors = [];
-    if (this.config.maxLength && password.length > this.config.maxLength) {
-      errors.push(
-        `Password must not exceed ${this.config.maxLength} characters`
-      );
-    }
-    if (password.length < this.config.minLength) {
-      errors.push(
-        `Password must be at least ${this.config.minLength} characters`
-      );
-    }
-    if (this.config.requireUppercase && !/[A-Z]/.test(password)) {
-      errors.push("Password must contain at least one uppercase letter");
-    }
-    if (this.config.requireLowercase && !/[a-z]/.test(password)) {
-      errors.push("Password must contain at least one lowercase letter");
-    }
-    if (this.config.requireNumbers && !/[0-9]/.test(password)) {
-      errors.push("Password must contain at least one number");
-    }
-    if (this.config.requireSpecialChars && !/[!@#$%^&*()_+\-=\[\]{};':"\\|,.<>\/?]/.test(password)) {
-      errors.push("Password must contain at least one special character");
-    }
-    const commonPasswords = [
-      "password",
-      "123456",
-      "12345678",
-      "qwerty",
-      "abc123",
-      "monkey",
-      "1234567",
-      "letmein",
-      "trustno1",
-      "dragon",
-      "baseball",
-      "iloveyou",
-      "master",
-      "sunshine",
-      "ashley",
-      "football",
-      "password1",
-      "shadow",
-      "123123",
-      "654321"
-    ];
-    if (commonPasswords.includes(password.toLowerCase())) {
-      errors.push(
-        "This password is too common. Please choose a more secure password"
-      );
-    }
-    if (/^[a-zA-Z]+$/.test(password) || /^[0-9]+$/.test(password)) {
-      errors.push(
-        "Password must contain a mix of letters, numbers, and/or special characters"
-      );
-    }
-    if (/(.)\1{2,}/.test(password)) {
-      errors.push(
-        "Password must not contain more than 2 consecutive identical characters"
-      );
-    }
-    if (/^(012|123|234|345|456|567|678|789|890|098|987|876|765|654|543|432|321|210)+$/i.test(
-      password
-    )) {
-      errors.push("Password must not contain sequential numbers or letters");
-    }
-    return {
-      valid: errors.length === 0,
-      errors
-    };
-  }
-  async checkReuse(passwordHash, history, verifyFn) {
-    return {
-      valid: true,
-      errors: []
-    };
-  }
-  async isInHistory(password, history, verifyFn) {
-    for (const hash of history) {
-      if (await verifyFn(password, hash)) {
-        return true;
-      }
-    }
-    return false;
-  }
-  generatePassword(length = 16) {
-    const uppercase = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
-    const lowercase = "abcdefghijklmnopqrstuvwxyz";
-    const numbers = "0123456789";
-    const special = "!@#$%^&*()_+-=[]{}|;:,.<>?";
-    let password = "";
-    password += uppercase[Math.floor(Math.random() * uppercase.length)];
-    password += lowercase[Math.floor(Math.random() * lowercase.length)];
-    password += numbers[Math.floor(Math.random() * numbers.length)];
-    password += special[Math.floor(Math.random() * special.length)];
-    const allChars = uppercase + lowercase + numbers + special;
-    for (let i = password.length; i < length; i++) {
-      password += allChars[Math.floor(Math.random() * allChars.length)];
-    }
-    return password.split("").sort(() => Math.random() - 0.5).join("");
-  }
-  getStrength(password) {
-    let score = 0;
-    const feedback = [];
-    if (password.length >= 8) score += 1;
-    if (password.length >= 12) score += 1;
-    if (password.length >= 16) score += 1;
-    if (/[a-z]/.test(password)) score += 1;
-    if (/[A-Z]/.test(password)) score += 1;
-    if (/[0-9]/.test(password)) score += 1;
-    if (/[!@#$%^&*()_+\-=\[\]{}|;:,.<>?]/.test(password)) score += 1;
-    if (password.length > 8) score += 1;
-    if (password.length > 12) score += 1;
-    const uniqueChars = new Set(password).size;
-    if (uniqueChars > 6) score += 1;
-    if (uniqueChars > 10) score += 1;
-    let label;
-    if (score <= 3) {
-      label = "Weak";
-      feedback.push("Add more characters");
-      feedback.push("Include uppercase and lowercase letters");
-    } else if (score <= 5) {
-      label = "Fair";
-      feedback.push("Add special characters");
-      feedback.push("Consider making it longer");
-    } else if (score <= 7) {
-      label = "Good";
-      feedback.push("Consider making it longer for extra security");
-    } else {
-      label = "Strong";
-    }
-    return { score, label, feedback };
-  }
-  setConfig(config) {
-    this.config = { ...this.config, ...config };
-  }
-  getConfig() {
-    return { ...this.config };
-  }
-};
-
-// src/auth/bootstrap.ts
-async function bootstrapAdmin(config) {
-  const {
-    adminEmail,
-    adminPassword,
-    adminRole = "super_admin",
-    tenantId,
-    emailConfig,
-    sendWelcomeEmail = false
-  } = config;
-  const authAdapter = config.authAdapter || new SQLiteAuthAdapter({
-    path: config.authDbPath || "./data/auth.db"
-  });
-  try {
-    await authAdapter.connect?.();
-  } catch (error) {
-    return {
-      success: false,
-      error: "Failed to connect to auth storage"
-    };
-  }
-  const passwordPolicy = new PasswordPolicy();
-  const passwordValidation = passwordPolicy.validate(adminPassword);
-  if (!passwordValidation.valid) {
-    await authAdapter.disconnect?.();
-    return {
-      success: false,
-      error: `Invalid password: ${passwordValidation.errors.join(", ")}`
-    };
-  }
-  const existingUser = await authAdapter.findUserByEmail(adminEmail);
-  if (existingUser) {
-    await authAdapter.disconnect?.();
-    return {
-      success: false,
-      error: "Admin user already exists"
-    };
-  }
-  try {
-    const user = await authAdapter.createUser({
-      email: adminEmail,
-      password: adminPassword,
-      role: adminRole || "admin",
-      tenantId
-    });
-    if (sendWelcomeEmail && emailConfig) {
-      const emailTransport = new EmailTransport(emailConfig);
-      const templates = emailTransport.getTemplates();
-      const welcomeTemplate = templates.welcome(adminEmail.split("@")[0]);
-      await emailTransport.send({
-        to: adminEmail,
-        ...welcomeTemplate
-      });
-    }
-    await authAdapter.disconnect?.();
-    return {
-      success: true,
-      user
-    };
-  } catch (error) {
-    await authAdapter.disconnect?.();
-    return {
-      success: false,
-      error: error instanceof Error ? error.message : "Failed to create admin user"
-    };
-  }
-}
-async function checkBootstrapRequired(authAdapter, adminEmail) {
-  const existingUser = await authAdapter.findUserByEmail(adminEmail);
-  return !existingUser;
-}
-function getBootstrapFromEnv() {
-  const email = process.env.KYRO_ADMIN_EMAIL;
-  const password = process.env.KYRO_ADMIN_PASSWORD;
-  if (!email || !password) {
-    return null;
-  }
-  return {
-    authDbPath: process.env.KYRO_AUTH_DB_PATH || "./data/auth.db",
-    adminEmail: email,
-    adminPassword: password,
-    adminRole: process.env.KYRO_ADMIN_ROLE || "super_admin",
-    tenantId: process.env.KYRO_ADMIN_TENANT_ID,
-    emailConfig: process.env.SMTP_HOST ? {
-      provider: "smtp",
-      smtp: {
-        host: process.env.SMTP_HOST,
-        port: parseInt(process.env.SMTP_PORT || "587", 10),
-        secure: process.env.SMTP_SECURE === "true",
-        auth: {
-          user: process.env.SMTP_USER || "",
-          pass: process.env.SMTP_PASS || ""
-        }
-      },
-      from: process.env.SMTP_FROM || "noreply@example.com",
-      fromName: process.env.SMTP_FROM_NAME
-    } : void 0,
-    sendWelcomeEmail: process.env.KYRO_ADMIN_SEND_WELCOME === "true"
-  };
-}
-async function autoBootstrap() {
-  const config = getBootstrapFromEnv();
-  if (!config) {
-    return null;
-  }
-  console.log("Auto-bootstrapping admin user...");
-  const result = await bootstrapAdmin(config);
-  if (result.success) {
-    console.log(`Admin user created: ${config.adminEmail}`);
-  } else {
-    console.error(`Bootstrap failed: ${result.error}`);
-  }
-  return result;
-}
-async function bootstrapWithRetry(config, maxRetries = 3, retryDelayMs = 2e3) {
-  let lastError = "";
-  for (let i = 0; i < maxRetries; i++) {
-    const result = await bootstrapAdmin(config);
-    if (result.success) {
-      return result;
-    }
-    lastError = result.error || "Unknown error";
-    if (lastError.includes("already exists")) {
-      return result;
-    }
-    if (i < maxRetries - 1) {
-      await new Promise((resolve) => setTimeout(resolve, retryDelayMs));
-    }
-  }
-  return {
-    success: false,
-    error: `Failed after ${maxRetries} retries: ${lastError}`
-  };
-}
-
-export { PasswordPolicy, SQLiteAuthAdapter, autoBootstrap, bootstrapAdmin, bootstrapWithRetry, checkBootstrapRequired, getBootstrapFromEnv };
-//# sourceMappingURL=chunk-RRYXQMZG.js.map
-//# sourceMappingURL=chunk-RRYXQMZG.js.map