@kyro-cms/core 0.5.5 → 0.7.0

package/dist/chunk-Y3N7UUDO.js

@@ -0,0 +1,349 @@
+import bcrypt from 'bcryptjs';
+import { randomUUID, randomBytes } from 'crypto';
+
+// src/database/mongodb/mongo-auth-adapter.ts
+var MongoDBAuthAdapter = class {
+  db;
+  prefix;
+  sessionTTL;
+  refreshTokenTTL;
+  indexesEnsured = false;
+  constructor(options) {
+    this.db = options.db;
+    this.prefix = options.collectionPrefix || "";
+    this.sessionTTL = options.sessionTTL || 86400;
+    this.refreshTokenTTL = options.refreshTokenTTL || 604800;
+  }
+  col(name) {
+    return this.db.collection(`${this.prefix}${name}`);
+  }
+  async connect() {
+    if (!this.indexesEnsured) {
+      await this.ensureIndexes();
+    }
+  }
+  async disconnect() {
+  }
+  async ensureIndexes() {
+    await this.col("users").createIndex({ email: 1 }, { unique: true });
+    await this.col("users").createIndex({ tenantId: 1 });
+    await this.col("users").createIndex({ role: 1 });
+    await this.col("sessions").createIndex({ token: 1 }, { unique: true });
+    await this.col("sessions").createIndex({ refreshToken: 1 });
+    await this.col("sessions").createIndex({ userId: 1 });
+    await this.col("sessions").createIndex({ expiresAt: 1 }, { expireAfterSeconds: 0 });
+    await this.col("audit_logs").createIndex({ timestamp: -1 });
+    await this.col("audit_logs").createIndex({ userId: 1 });
+    await this.col("audit_logs").createIndex({ action: 1 });
+    await this.col("audit_logs").createIndex({ resource: 1 });
+    await this.col("password_history").createIndex({ userId: 1, createdAt: -1 });
+    await this.col("lockouts").createIndex({ userId: 1 }, { unique: true });
+    await this.col("lockouts").createIndex({ lockedUntil: 1 });
+    this.indexesEnsured = true;
+  }
+  async createUser(data) {
+    const id = randomUUID();
+    const now = /* @__PURE__ */ new Date();
+    const passwordHash = await this.hashPassword(data.password);
+    const user = {
+      _id: id,
+      name: data.name || null,
+      email: data.email.toLowerCase(),
+      passwordHash,
+      role: data.role || "customer",
+      tenantId: data.tenantId || null,
+      emailVerified: false,
+      locked: false,
+      lastLogin: null,
+      failedLoginAttempts: 0,
+      createdAt: now,
+      updatedAt: now
+    };
+    await this.col("users").insertOne(user);
+    return this.docToAuthUser(user);
+  }
+  async findUserByEmail(email) {
+    const doc = await this.col("users").findOne({ email: email.toLowerCase() });
+    return doc ? this.docToAuthUser(doc) : null;
+  }
+  async findUserById(id) {
+    const doc = await this.col("users").findOne({ _id: id });
+    return doc ? this.docToAuthUser(doc) : null;
+  }
+  async updateUser(id, data) {
+    const setData = { updatedAt: /* @__PURE__ */ new Date() };
+    if (data.name !== void 0) setData.name = data.name;
+    if (data.email !== void 0) setData.email = data.email;
+    if (data.passwordHash !== void 0) setData.passwordHash = data.passwordHash;
+    if (data.role !== void 0) setData.role = data.role;
+    if (data.tenantId !== void 0) setData.tenantId = data.tenantId;
+    if (data.emailVerified !== void 0) setData.emailVerified = data.emailVerified;
+    if (data.locked !== void 0) setData.locked = data.locked;
+    if (data.lastLogin !== void 0) setData.lastLogin = data.lastLogin ? new Date(data.lastLogin) : null;
+    if (data.failedLoginAttempts !== void 0) setData.failedLoginAttempts = data.failedLoginAttempts;
+    const result = await this.col("users").findOneAndUpdate(
+      { _id: id },
+      { $set: setData },
+      { returnDocument: "after" }
+    );
+    return result ? this.docToAuthUser(result) : null;
+  }
+  async deleteUser(id) {
+    const result = await this.col("users").deleteOne({ _id: id });
+    return result.deletedCount > 0;
+  }
+  async verifyPassword(email, password) {
+    const user = await this.findUserByEmail(email);
+    if (!user) return null;
+    const doc = await this.col("users").findOne(
+      { email: email.toLowerCase() },
+      { projection: { passwordHash: 1 } }
+    );
+    if (!doc?.passwordHash) return null;
+    const valid = await bcrypt.compare(password, doc.passwordHash);
+    return valid ? user : null;
+  }
+  async hashPassword(password) {
+    return bcrypt.hash(password, 12);
+  }
+  async createSession(userId, data) {
+    const id = randomUUID();
+    const token = randomBytes(32).toString("base64url");
+    const refreshToken = randomBytes(32).toString("base64url");
+    const now = /* @__PURE__ */ new Date();
+    const expiresAt = new Date(now.getTime() + this.sessionTTL * 1e3);
+    const session = {
+      _id: id,
+      userId,
+      token,
+      refreshToken,
+      ipAddress: data?.ipAddress || null,
+      userAgent: data?.userAgent || null,
+      expiresAt,
+      createdAt: now
+    };
+    await this.col("sessions").insertOne(session);
+    return this.docToSession(session);
+  }
+  async findSessionByToken(token) {
+    const doc = await this.col("sessions").findOne({
+      token,
+      expiresAt: { $gt: /* @__PURE__ */ new Date() }
+    });
+    return doc ? this.docToSession(doc) : null;
+  }
+  async findSessionByRefreshToken(refreshToken) {
+    const doc = await this.col("sessions").findOne({
+      refreshToken,
+      expiresAt: { $gt: /* @__PURE__ */ new Date() }
+    });
+    return doc ? this.docToSession(doc) : null;
+  }
+  async deleteSession(sessionId) {
+    const result = await this.col("sessions").deleteOne({ _id: sessionId });
+    return result.deletedCount > 0;
+  }
+  async deleteUserSessions(userId) {
+    const result = await this.col("sessions").deleteMany({ userId });
+    return result.deletedCount;
+  }
+  async hasAnyUsers() {
+    const count = await this.col("users").countDocuments();
+    return count > 0;
+  }
+  async addPasswordToHistory(userId, passwordHash) {
+    await this.col("password_history").insertOne({
+      userId,
+      passwordHash,
+      createdAt: /* @__PURE__ */ new Date()
+    });
+  }
+  async getPasswordHistory(userId, count = 5) {
+    const docs = await this.col("password_history").find({ userId }).sort({ createdAt: -1 }).limit(count).toArray();
+    return docs.map((d) => d.passwordHash);
+  }
+  async isPasswordInHistory(password, userId, historyCount = 5) {
+    const history = await this.getPasswordHistory(userId, historyCount);
+    for (const hash of history) {
+      if (await bcrypt.compare(password, hash)) {
+        return true;
+      }
+    }
+    return false;
+  }
+  async findAuditLogs(filter) {
+    const {
+      limit = 50,
+      offset = 0,
+      userId,
+      action,
+      resource,
+      resourceId,
+      success,
+      startDate,
+      endDate
+    } = filter;
+    const query = {};
+    if (userId) query.userId = userId;
+    if (action) {
+      if (Array.isArray(action)) {
+        query.action = { $in: action };
+      } else {
+        query.action = action;
+      }
+    }
+    if (resource) query.resource = resource;
+    if (resourceId) query.resourceId = resourceId;
+    if (success !== void 0) query.success = success;
+    if (startDate || endDate) {
+      query.timestamp = {};
+      if (startDate) query.timestamp.$gte = startDate;
+      if (endDate) query.timestamp.$lte = endDate;
+    }
+    const total = await this.col("audit_logs").countDocuments(query);
+    const docs = await this.col("audit_logs").find(query).sort({ timestamp: -1 }).skip(offset).limit(limit).toArray();
+    return {
+      logs: docs.map((doc) => ({
+        id: doc._id,
+        timestamp: doc.timestamp,
+        action: doc.action,
+        userId: doc.userId || void 0,
+        userEmail: doc.userEmail || void 0,
+        role: doc.role || void 0,
+        resource: doc.resource,
+        resourceId: doc.resourceId || void 0,
+        changes: doc.changes || void 0,
+        ipAddress: doc.ipAddress || void 0,
+        userAgent: doc.userAgent || void 0,
+        success: doc.success,
+        error: doc.error || void 0,
+        metadata: doc.metadata || void 0
+      })),
+      total
+    };
+  }
+  async createAuditLog(data) {
+    const id = randomUUID();
+    const timestamp = /* @__PURE__ */ new Date();
+    await this.col("audit_logs").insertOne({
+      _id: id,
+      action: data.action,
+      userId: data.userId || null,
+      userEmail: data.userEmail || null,
+      role: data.role || null,
+      resource: data.resource,
+      resourceId: data.resourceId || null,
+      changes: data.changes || null,
+      ipAddress: data.ipAddress || null,
+      userAgent: data.userAgent || null,
+      success: data.success,
+      error: data.error || null,
+      metadata: data.metadata || null,
+      timestamp
+    });
+    return {
+      ...data,
+      id,
+      timestamp
+    };
+  }
+  docToAuthUser(doc) {
+    return {
+      id: doc._id,
+      name: doc.name || void 0,
+      email: doc.email,
+      passwordHash: doc.passwordHash || void 0,
+      role: doc.role,
+      tenantId: doc.tenantId || void 0,
+      emailVerified: doc.emailVerified || false,
+      locked: doc.locked || false,
+      lastLogin: doc.lastLogin?.toISOString?.() || doc.lastLogin || void 0,
+      failedLoginAttempts: doc.failedLoginAttempts || 0,
+      createdAt: doc.createdAt?.toISOString?.() || doc.createdAt,
+      updatedAt: doc.updatedAt?.toISOString?.() || doc.updatedAt
+    };
+  }
+  docToSession(doc) {
+    return {
+      id: doc._id,
+      userId: doc.userId,
+      token: doc.token,
+      refreshToken: doc.refreshToken || void 0,
+      expiresAt: doc.expiresAt?.toISOString?.() || doc.expiresAt,
+      createdAt: doc.createdAt?.toISOString?.() || doc.createdAt,
+      ipAddress: doc.ipAddress || void 0,
+      userAgent: doc.userAgent || void 0
+    };
+  }
+  async createEmailVerificationToken(userId) {
+    const token = randomBytes(32).toString("hex");
+    const expiresAt = new Date(Date.now() + 24 * 60 * 60 * 1e3);
+    await this.db.collection("email_verifications").insertOne({
+      userId: new (await import('mongodb')).ObjectId(userId),
+      token,
+      expiresAt,
+      createdAt: /* @__PURE__ */ new Date()
+    });
+    return { token, expiresAt };
+  }
+  async verifyEmailToken(token) {
+    const verification = await this.db.collection("email_verifications").findOne({ token });
+    if (!verification) {
+      return { success: false, error: "Invalid verification token" };
+    }
+    if (verification.expiresAt < /* @__PURE__ */ new Date()) {
+      return { success: false, error: "Verification token has expired" };
+    }
+    await this.db.collection("users").updateOne(
+      { _id: verification.userId },
+      { $set: { emailVerified: true } }
+    );
+    await this.db.collection("email_verifications").deleteOne({ _id: verification._id });
+    return { success: true, userId: verification.userId.toString() };
+  }
+  async createPasswordResetToken(email) {
+    const user = await this.findUserByEmail(email);
+    if (!user) {
+      return { token: "", expiresAt: /* @__PURE__ */ new Date(), error: "User not found" };
+    }
+    const token = randomBytes(32).toString("hex");
+    const expiresAt = new Date(Date.now() + 60 * 60 * 1e3);
+    await this.db.collection("password_resets").insertOne({
+      userId: new (await import('mongodb')).ObjectId(user.id),
+      token,
+      expiresAt,
+      createdAt: /* @__PURE__ */ new Date()
+    });
+    return { token, expiresAt };
+  }
+  async resetPasswordWithToken(token, newPassword) {
+    const reset = await this.db.collection("password_resets").findOne({ token });
+    if (!reset) {
+      return { success: false, error: "Invalid reset token" };
+    }
+    if (reset.expiresAt < /* @__PURE__ */ new Date()) {
+      return { success: false, error: "Reset token has expired" };
+    }
+    if (reset.usedAt) {
+      return { success: false, error: "Reset token has already been used" };
+    }
+    const passwordHash = await this.hashPassword(newPassword);
+    await this.db.collection("users").updateOne(
+      { _id: reset.userId },
+      { $set: { passwordHash, updatedAt: /* @__PURE__ */ new Date() } }
+    );
+    await this.db.collection("password_resets").updateOne(
+      { _id: reset._id },
+      { $set: { usedAt: /* @__PURE__ */ new Date() } }
+    );
+    await this.db.collection("sessions").deleteMany({ userId: reset.userId });
+    return { success: true };
+  }
+};
+function createMongoDBAuthAdapter(options) {
+  return new MongoDBAuthAdapter(options);
+}
+
+export { MongoDBAuthAdapter, createMongoDBAuthAdapter };
+//# sourceMappingURL=chunk-Y3N7UUDO.js.map
+//# sourceMappingURL=chunk-Y3N7UUDO.js.map

package/dist/chunk-Y3N7UUDO.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/database/mongodb/mongo-auth-adapter.ts"],"names":[],"mappings":";;;;AAoBO,IAAM,qBAAN,MAAgD;AAAA,EAC7C,EAAA;AAAA,EACA,MAAA;AAAA,EACA,UAAA;AAAA,EACA,eAAA;AAAA,EACA,cAAA,GAAiB,KAAA;AAAA,EAEzB,YAAY,OAAA,EAAoC;AAC9C,IAAA,IAAA,CAAK,KAAK,OAAA,CAAQ,EAAA;AAClB,IAAA,IAAA,CAAK,MAAA,GAAS,QAAQ,gBAAA,IAAoB,EAAA;AAC1C,IAAA,IAAA,CAAK,UAAA,GAAa,QAAQ,UAAA,IAAc,KAAA;AACxC,IAAA,IAAA,CAAK,eAAA,GAAkB,QAAQ,eAAA,IAAmB,MAAA;AAAA,EACpD;AAAA,EAEQ,IAAI,IAAA,EAAmB;AAC7B,IAAA,OAAO,IAAA,CAAK,GAAG,UAAA,CAAW,CAAA,EAAG,KAAK,MAAM,CAAA,EAAG,IAAI,CAAA,CAAE,CAAA;AAAA,EACnD;AAAA,EAEA,MAAM,OAAA,GAAyB;AAC7B,IAAA,IAAI,CAAC,KAAK,cAAA,EAAgB;AACxB,MAAA,MAAM,KAAK,aAAA,EAAc;AAAA,IAC3B;AAAA,EACF;AAAA,EAEA,MAAM,UAAA,GAA4B;AAAA,EAClC;AAAA,EAEA,MAAc,aAAA,GAA+B;AAC3C,IAAA,MAAM,IAAA,CAAK,GAAA,CAAI,OAAO,CAAA,CAAE,WAAA,CAAY,EAAE,KAAA,EAAO,CAAA,EAAE,EAAG,EAAE,MAAA,EAAQ,IAAA,EAAM,CAAA;AAClE,IAAA,MAAM,IAAA,CAAK,IAAI,OAAO,CAAA,CAAE,YAAY,EAAE,QAAA,EAAU,GAAG,CAAA;AACnD,IAAA,MAAM,IAAA,CAAK,IAAI,OAAO,CAAA,CAAE,YAAY,EAAE,IAAA,EAAM,GAAG,CAAA;AAE/C,IAAA,MAAM,IAAA,CAAK,GAAA,CAAI,UAAU,CAAA,CAAE,WAAA,CAAY,EAAE,KAAA,EAAO,CAAA,EAAE,EAAG,EAAE,MAAA,EAAQ,IAAA,EAAM,CAAA;AACrE,IAAA,MAAM,IAAA,CAAK,IAAI,UAAU,CAAA,CAAE,YAAY,EAAE,YAAA,EAAc,GAAG,CAAA;AAC1D,IAAA,MAAM,IAAA,CAAK,IAAI,UAAU,CAAA,CAAE,YAAY,EAAE,MAAA,EAAQ,GAAG,CAAA;AACpD,IAAA,MAAM,IAAA,CAAK,GAAA,CAAI,UAAU,CAAA,CAAE,WAAA,CAAY,EAAE,SAAA,EAAW,CAAA,EAAE,EAAG,EAAE,kBAAA,EAAoB,CAAA,EAAG,CAAA;AAElF,IAAA,MAAM,IAAA,CAAK,IAAI,YAAY,CAAA,CAAE,YAAY,EAAE,SAAA,EAAW,IAAI,CAAA;AAC1D,IAAA,MAAM,IAAA,CAAK,IAAI,YAAY,CAAA,CAAE,YAAY,EAAE,MAAA,EAAQ,GAAG,CAAA;AACtD,IAAA,MAAM,IAAA,CAAK,IAAI,YAAY,CAAA,CAAE,YAAY,EAAE,MAAA,EAAQ,GAAG,CAAA;AACtD,IAAA,MAAM,IAAA,CAAK,IAAI,YAAY,CAAA,CAAE,YAAY,EAAE,QAAA,EAAU,GAAG,CAAA;AAExD,IAAA,MAAM,IAAA,CAAK,GAAA,CAAI,kBAAkB,CAAA,CAAE,WAAA,CAAY,EAAE,MAAA,EAAQ,CAAA,EAAG,SAAA,EAAW,EAAA,EAAI,CAAA;AAE3E,IAAA,MAAM,IAAA,CAAK,GAAA,CAAI,UAAU,CAAA,CAAE,WAAA,CAAY,EAAE,MAAA,EAAQ,CAAA,EAAE,EAAG,EAAE,MAAA,EAAQ,IAAA,EAAM,CAAA;AACtE,IAAA,MAAM,IAAA,CAAK,IAAI,UAAU,CAAA,CAAE,YAAY,EAAE,WAAA,EAAa,GAAG,CAAA;AAEzD,IAAA,IAAA,CAAK,cAAA,GAAiB,IAAA;AAAA,EACxB;AAAA,EAEA,MAAM,WAAW,IAAA,EAMK;AACpB,IAAA,MAAM,KAAK,UAAA,EAAW;AACtB,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,IAAA,MAAM,YAAA,GAAe,MAAM,IAAA,CAAK,YAAA,CAAa,KAAK,QAAQ,CAAA;AAC1D,IAAA,MAAM,IAAA,GAAO;AAAA,MACX,GAAA,EAAK,EAAA;AAAA,MACL,IAAA,EAAM,KAAK,IAAA,IAAQ,IAAA;AAAA,MACnB,KAAA,EAAO,IAAA,CAAK,KAAA,CAAM,WAAA,EAAY;AAAA,MAC9B,YAAA;AAAA,MACA,IAAA,EAAM,KAAK,IAAA,IAAQ,UAAA;AAAA,MACnB,QAAA,EAAU,KAAK,QAAA,IAAY,IAAA;AAAA,MAC3B,aAAA,EAAe,KAAA;AAAA,MACf,MAAA,EAAQ,KAAA;AAAA,MACR,SAAA,EAAW,IAAA;AAAA,MACX,mBAAA,EAAqB,CAAA;AAAA,MACrB,SAAA,EAAW,GAAA;AAAA,MACX,SAAA,EAAW;AAAA,KACb;AACA,IAAA,MAAM,IAAA,CAAK,GAAA,CAAI,OAAO,CAAA,CAAE,UAAU,IAAI,CAAA;AACtC,IAAA,OAAO,IAAA,CAAK,cAAc,IAAI,CAAA;AAAA,EAChC;AAAA,EAEA,MAAM,gBAAgB,KAAA,EAAyC;AAC7D,IAAA,MAAM,GAAA,GAAM,MAAM,IAAA,CAAK,GAAA,CAAI,OAAO,CAAA,CAAE,OAAA,CAAQ,EAAE,KAAA,EAAO,KAAA,CAAM,WAAA,EAAY,EAAG,CAAA;AAC1E,IAAA,OAAO,GAAA,GAAM,IAAA,CAAK,aAAA,CAAc,GAAG,CAAA,GAAI,IAAA;AAAA,EACzC;AAAA,EAEA,MAAM,aAAa,EAAA,EAAsC;AACvD,IAAA,MAAM,GAAA,GAAM,MAAM,IAAA,CAAK,GAAA,CAAI,OAAO,EAAE,OAAA,CAAQ,EAAE,GAAA,EAAK,EAAA,EAAI,CAAA;AACvD,IAAA,OAAO,GAAA,GAAM,IAAA,CAAK,aAAA,CAAc,GAAG,CAAA,GAAI,IAAA;AAAA,EACzC;AAAA,EAEA,MAAM,UAAA,CACJ,EAAA,EACA,IAAA,EAC0B;AAC1B,IAAA,MAAM,OAAA,GAAmC,EAAE,SAAA,kBAAW,IAAI,MAAK,EAAE;AACjE,IAAA,IAAI,IAAA,CAAK,IAAA,KAAS,MAAA,EAAW,OAAA,CAAQ,OAAO,IAAA,CAAK,IAAA;AACjD,IAAA,IAAI,IAAA,CAAK,KAAA,KAAU,MAAA,EAAW,OAAA,CAAQ,QAAQ,IAAA,CAAK,KAAA;AACnD,IAAA,IAAI,IAAA,CAAK,YAAA,KAAiB,MAAA,EAAW,OAAA,CAAQ,eAAe,IAAA,CAAK,YAAA;AACjE,IAAA,IAAI,IAAA,CAAK,IAAA,KAAS,MAAA,EAAW,OAAA,CAAQ,OAAO,IAAA,CAAK,IAAA;AACjD,IAAA,IAAI,IAAA,CAAK,QAAA,KAAa,MAAA,EAAW,OAAA,CAAQ,WAAW,IAAA,CAAK,QAAA;AACzD,IAAA,IAAI,IAAA,CAAK,aAAA,KAAkB,MAAA,EAAW,OAAA,CAAQ,gBAAgB,IAAA,CAAK,aAAA;AACnE,IAAA,IAAI,IAAA,CAAK,MAAA,KAAW,MAAA,EAAW,OAAA,CAAQ,SAAS,IAAA,CAAK,MAAA;AACrD,IAAA,IAAI,IAAA,CAAK,SAAA,KAAc,MAAA,EAAW,OAAA,CAAQ,SAAA,GAAY,IAAA,CAAK,SAAA,GAAY,IAAI,IAAA,CAAK,IAAA,CAAK,SAAS,CAAA,GAAI,IAAA;AAClG,IAAA,IAAI,IAAA,CAAK,mBAAA,KAAwB,MAAA,EAAW,OAAA,CAAQ,sBAAsB,IAAA,CAAK,mBAAA;AAE/E,IAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,GAAA,CAAI,OAAO,CAAA,CAAE,gBAAA;AAAA,MACrC,EAAE,KAAK,EAAA,EAAG;AAAA,MACV,EAAE,MAAM,OAAA,EAAQ;AAAA,MAChB,EAAE,gBAAgB,OAAA;AAAQ,KAC5B;AACA,IAAA,OAAO,MAAA,GAAS,IAAA,CAAK,aAAA,CAAc,MAAM,CAAA,GAAI,IAAA;AAAA,EAC/C;AAAA,EAEA,MAAM,WAAW,EAAA,EAA8B;AAC7C,IAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,GAAA,CAAI,OAAO,EAAE,SAAA,CAAU,EAAE,GAAA,EAAK,EAAA,EAAI,CAAA;AAC5D,IAAA,OAAO,OAAO,YAAA,GAAe,CAAA;AAAA,EAC/B;AAAA,EAEA,MAAM,cAAA,CACJ,KAAA,EACA,QAAA,EAC0B;AAC1B,IAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,eAAA,CAAgB,KAAK,CAAA;AAC7C,IAAA,IAAI,CAAC,MAAM,OAAO,IAAA;AAClB,IAAA,MAAM,GAAA,GAAM,MAAM,IAAA,CAAK,GAAA,CAAI,OAAO,CAAA,CAAE,OAAA;AAAA,MAClC,EAAE,KAAA,EAAO,KAAA,CAAM,WAAA,EAAY,EAAE;AAAA,MAC7B,EAAE,UAAA,EAAY,EAAE,YAAA,EAAc,GAAE;AAAE,KACpC;AACA,IAAA,IAAI,CAAC,GAAA,EAAK,YAAA,EAAc,OAAO,IAAA;AAC/B,IAAA,MAAM,QAAQ,MAAM,MAAA,CAAO,OAAA,CAAQ,QAAA,EAAU,IAAI,YAAY,CAAA;AAC7D,IAAA,OAAO,QAAQ,IAAA,GAAO,IAAA;AAAA,EACxB;AAAA,EAEA,MAAM,aAAa,QAAA,EAAmC;AACpD,IAAA,OAAO,MAAA,CAAO,IAAA,CAAK,QAAA,EAAU,EAAE,CAAA;AAAA,EACjC;AAAA,EAEA,MAAM,aAAA,CACJ,MAAA,EACA,IAAA,EACkB;AAClB,IAAA,MAAM,KAAK,UAAA,EAAW;AACtB,IAAA,MAAM,KAAA,GAAQ,WAAA,CAAY,EAAE,CAAA,CAAE,SAAS,WAAW,CAAA;AAClD,IAAA,MAAM,YAAA,GAAe,WAAA,CAAY,EAAE,CAAA,CAAE,SAAS,WAAW,CAAA;AACzD,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,IAAA,MAAM,SAAA,GAAY,IAAI,IAAA,CAAK,GAAA,CAAI,SAAQ,GAAI,IAAA,CAAK,aAAa,GAAI,CAAA;AAEjE,IAAA,MAAM,OAAA,GAAU;AAAA,MACd,GAAA,EAAK,EAAA;AAAA,MACL,MAAA;AAAA,MACA,KAAA;AAAA,MACA,YAAA;AAAA,MACA,SAAA,EAAW,MAAM,SAAA,IAAa,IAAA;AAAA,MAC9B,SAAA,EAAW,MAAM,SAAA,IAAa,IAAA;AAAA,MAC9B,SAAA;AAAA,MACA,SAAA,EAAW;AAAA,KACb;AAEA,IAAA,MAAM,IAAA,CAAK,GAAA,CAAI,UAAU,CAAA,CAAE,UAAU,OAAO,CAAA;AAC5C,IAAA,OAAO,IAAA,CAAK,aAAa,OAAO,CAAA;AAAA,EAClC;AAAA,EAEA,MAAM,mBAAmB,KAAA,EAAwC;AAC/D,IAAA,MAAM,MAAM,MAAM,IAAA,CAAK,GAAA,CAAI,UAAU,EAAE,OAAA,CAAQ;AAAA,MAC7C,KAAA;AAAA,MACA,SAAA,EAAW,EAAE,GAAA,kBAAK,IAAI,MAAK;AAAE,KAC9B,CAAA;AACD,IAAA,OAAO,GAAA,GAAM,IAAA,CAAK,YAAA,CAAa,GAAG,CAAA,GAAI,IAAA;AAAA,EACxC;AAAA,EAEA,MAAM,0BACJ,YAAA,EACyB;AACzB,IAAA,MAAM,MAAM,MAAM,IAAA,CAAK,GAAA,CAAI,UAAU,EAAE,OAAA,CAAQ;AAAA,MAC7C,YAAA;AAAA,MACA,SAAA,EAAW,EAAE,GAAA,kBAAK,IAAI,MAAK;AAAE,KAC9B,CAAA;AACD,IAAA,OAAO,GAAA,GAAM,IAAA,CAAK,YAAA,CAAa,GAAG,CAAA,GAAI,IAAA;AAAA,EACxC;AAAA,EAEA,MAAM,cAAc,SAAA,EAAqC;AACvD,IAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,GAAA,CAAI,UAAU,EAAE,SAAA,CAAU,EAAE,GAAA,EAAK,SAAA,EAAW,CAAA;AACtE,IAAA,OAAO,OAAO,YAAA,GAAe,CAAA;AAAA,EAC/B;AAAA,EAEA,MAAM,mBAAmB,MAAA,EAAiC;AACxD,IAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,GAAA,CAAI,UAAU,CAAA,CAAE,UAAA,CAAW,EAAE,MAAA,EAAQ,CAAA;AAC/D,IAAA,OAAO,MAAA,CAAO,YAAA;AAAA,EAChB;AAAA,EAEA,MAAM,WAAA,GAAgC;AACpC,IAAA,MAAM,QAAQ,MAAM,IAAA,CAAK,GAAA,CAAI,OAAO,EAAE,cAAA,EAAe;AACrD,IAAA,OAAO,KAAA,GAAQ,CAAA;AAAA,EACjB;AAAA,EAEA,MAAM,oBAAA,CACJ,MAAA,EACA,YAAA,EACe;AACf,IAAA,MAAM,IAAA,CAAK,GAAA,CAAI,kBAAkB,CAAA,CAAE,SAAA,CAAU;AAAA,MAC3C,MAAA;AAAA,MACA,YAAA;AAAA,MACA,SAAA,sBAAe,IAAA;AAAK,KACrB,CAAA;AAAA,EACH;AAAA,EAEA,MAAM,kBAAA,CACJ,MAAA,EACA,KAAA,GAAgB,CAAA,EACG;AACnB,IAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,GAAA,CAAI,kBAAkB,CAAA,CAC3C,IAAA,CAAK,EAAE,MAAA,EAAQ,EACf,IAAA,CAAK,EAAE,WAAW,EAAA,EAAI,EACtB,KAAA,CAAM,KAAK,EACX,OAAA,EAAQ;AACX,IAAA,OAAO,IAAA,CAAK,GAAA,CAAI,CAAC,CAAA,KAAW,EAAE,YAAY,CAAA;AAAA,EAC5C;AAAA,EAEA,MAAM,mBAAA,CACJ,QAAA,EACA,MAAA,EACA,eAAuB,CAAA,EACL;AAClB,IAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,kBAAA,CAAmB,QAAQ,YAAY,CAAA;AAClE,IAAA,KAAA,MAAW,QAAQ,OAAA,EAAS;AAC1B,MAAA,IAAI,MAAM,MAAA,CAAO,OAAA,CAAQ,QAAA,EAAU,IAAI,CAAA,EAAG;AACxC,QAAA,OAAO,IAAA;AAAA,MACT;AAAA,IACF;AACA,IAAA,OAAO,KAAA;AAAA,EACT;AAAA,EAEA,MAAM,cACJ,MAAA,EAC8C;AAC9C,IAAA,MAAM;AAAA,MACJ,KAAA,GAAQ,EAAA;AAAA,MACR,MAAA,GAAS,CAAA;AAAA,MACT,MAAA;AAAA,MACA,MAAA;AAAA,MACA,QAAA;AAAA,MACA,UAAA;AAAA,MACA,OAAA;AAAA,MACA,SAAA;AAAA,MACA;AAAA,KACF,GAAI,MAAA;AAEJ,IAAA,MAAM,QAA6B,EAAC;AACpC,IAAA,IAAI,MAAA,QAAc,MAAA,GAAS,MAAA;AAC3B,IAAA,IAAI,MAAA,EAAQ;AACV,MAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,MAAM,CAAA,EAAG;AACzB,QAAA,KAAA,CAAM,MAAA,GAAS,EAAE,GAAA,EAAK,MAAA,EAAO;AAAA,MAC/B,CAAA,MAAO;AACL,QAAA,KAAA,CAAM,MAAA,GAAS,MAAA;AAAA,MACjB;AAAA,IACF;AACA,IAAA,IAAI,QAAA,QAAgB,QAAA,GAAW,QAAA;AAC/B,IAAA,IAAI,UAAA,QAAkB,UAAA,GAAa,UAAA;AACnC,IAAA,IAAI,OAAA,KAAY,MAAA,EAAW,KAAA,CAAM,OAAA,GAAU,OAAA;AAC3C,IAAA,IAAI,aAAa,OAAA,EAAS;AACxB,MAAA,KAAA,CAAM,YAAY,EAAC;AACnB,MAAA,IAAI,SAAA,EAAW,KAAA,CAAM,SAAA,CAAU,IAAA,GAAO,SAAA;AACtC,MAAA,IAAI,OAAA,EAAS,KAAA,CAAM,SAAA,CAAU,IAAA,GAAO,OAAA;AAAA,IACtC;AAEA,IAAA,MAAM,QAAQ,MAAM,IAAA,CAAK,IAAI,YAAY,CAAA,CAAE,eAAe,KAAK,CAAA;AAC/D,IAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,GAAA,CAAI,YAAY,CAAA,CACrC,IAAA,CAAK,KAAK,CAAA,CACV,IAAA,CAAK,EAAE,SAAA,EAAW,EAAA,EAAI,CAAA,CACtB,IAAA,CAAK,MAAM,CAAA,CACX,KAAA,CAAM,KAAK,CAAA,CACX,OAAA,EAAQ;AAEX,IAAA,OAAO;AAAA,MACL,IAAA,EAAM,IAAA,CAAK,GAAA,CAAI,CAAC,GAAA,MAAc;AAAA,QAC5B,IAAI,GAAA,CAAI,GAAA;AAAA,QACR,WAAW,GAAA,CAAI,SAAA;AAAA,QACf,QAAQ,GAAA,CAAI,MAAA;AAAA,QACZ,MAAA,EAAQ,IAAI,MAAA,IAAU,MAAA;AAAA,QACtB,SAAA,EAAW,IAAI,SAAA,IAAa,MAAA;AAAA,QAC5B,IAAA,EAAM,IAAI,IAAA,IAAQ,MAAA;AAAA,QAClB,UAAU,GAAA,CAAI,QAAA;AAAA,QACd,UAAA,EAAY,IAAI,UAAA,IAAc,MAAA;AAAA,QAC9B,OAAA,EAAS,IAAI,OAAA,IAAW,MAAA;AAAA,QACxB,SAAA,EAAW,IAAI,SAAA,IAAa,MAAA;AAAA,QAC5B,SAAA,EAAW,IAAI,SAAA,IAAa,MAAA;AAAA,QAC5B,SAAS,GAAA,CAAI,OAAA;AAAA,QACb,KAAA,EAAO,IAAI,KAAA,IAAS,MAAA;AAAA,QACpB,QAAA,EAAU,IAAI,QAAA,IAAY;AAAA,OAC5B,CAAE,CAAA;AAAA,MACF;AAAA,KACF;AAAA,EACF;AAAA,EAEA,MAAM,eACJ,IAAA,EACmB;AACnB,IAAA,MAAM,KAAK,UAAA,EAAW;AACtB,IAAA,MAAM,SAAA,uBAAgB,IAAA,EAAK;AAE3B,IAAA,MAAM,IAAA,CAAK,GAAA,CAAI,YAAY,CAAA,CAAE,SAAA,CAAU;AAAA,MACrC,GAAA,EAAK,EAAA;AAAA,MACL,QAAQ,IAAA,CAAK,MAAA;AAAA,MACb,MAAA,EAAQ,KAAK,MAAA,IAAU,IAAA;AAAA,MACvB,SAAA,EAAW,KAAK,SAAA,IAAa,IAAA;AAAA,MAC7B,IAAA,EAAM,KAAK,IAAA,IAAQ,IAAA;AAAA,MACnB,UAAU,IAAA,CAAK,QAAA;AAAA,MACf,UAAA,EAAY,KAAK,UAAA,IAAc,IAAA;AAAA,MAC/B,OAAA,EAAS,KAAK,OAAA,IAAW,IAAA;AAAA,MACzB,SAAA,EAAW,KAAK,SAAA,IAAa,IAAA;AAAA,MAC7B,SAAA,EAAW,KAAK,SAAA,IAAa,IAAA;AAAA,MAC7B,SAAS,IAAA,CAAK,OAAA;AAAA,MACd,KAAA,EAAO,KAAK,KAAA,IAAS,IAAA;AAAA,MACrB,QAAA,EAAU,KAAK,QAAA,IAAY,IAAA;AAAA,MAC3B;AAAA,KACD,CAAA;AAED,IAAA,OAAO;AAAA,MACL,GAAG,IAAA;AAAA,MACH,EAAA;AAAA,MACA;AAAA,KACF;AAAA,EACF;AAAA,EAEQ,cAAc,GAAA,EAAoB;AACxC,IAAA,OAAO;AAAA,MACL,IAAI,GAAA,CAAI,GAAA;AAAA,MACR,IAAA,EAAM,IAAI,IAAA,IAAQ,MAAA;AAAA,MAClB,OAAO,GAAA,CAAI,KAAA;AAAA,MACX,YAAA,EAAc,IAAI,YAAA,IAAgB,MAAA;AAAA,MAClC,MAAM,GAAA,CAAI,IAAA;AAAA,MACV,QAAA,EAAU,IAAI,QAAA,IAAY,MAAA;AAAA,MAC1B,aAAA,EAAe,IAAI,aAAA,IAAiB,KAAA;AAAA,MACpC,MAAA,EAAQ,IAAI,MAAA,IAAU,KAAA;AAAA,MACtB,WAAW,GAAA,CAAI,SAAA,EAAW,WAAA,IAAc,IAAK,IAAI,SAAA,IAAa,MAAA;AAAA,MAC9D,mBAAA,EAAqB,IAAI,mBAAA,IAAuB,CAAA;AAAA,MAChD,SAAA,EAAW,GAAA,CAAI,SAAA,EAAW,WAAA,QAAmB,GAAA,CAAI,SAAA;AAAA,MACjD,SAAA,EAAW,GAAA,CAAI,SAAA,EAAW,WAAA,QAAmB,GAAA,CAAI;AAAA,KACnD;AAAA,EACF;AAAA,EAEQ,aAAa,GAAA,EAAmB;AACtC,IAAA,OAAO;AAAA,MACL,IAAI,GAAA,CAAI,GAAA;AAAA,MACR,QAAQ,GAAA,CAAI,MAAA;AAAA,MACZ,OAAO,GAAA,CAAI,KAAA;AAAA,MACX,YAAA,EAAc,IAAI,YAAA,IAAgB,MAAA;AAAA,MAClC,SAAA,EAAW,GAAA,CAAI,SAAA,EAAW,WAAA,QAAmB,GAAA,CAAI,SAAA;AAAA,MACjD,SAAA,EAAW,GAAA,CAAI,SAAA,EAAW,WAAA,QAAmB,GAAA,CAAI,SAAA;AAAA,MACjD,SAAA,EAAW,IAAI,SAAA,IAAa,MAAA;AAAA,MAC5B,SAAA,EAAW,IAAI,SAAA,IAAa;AAAA,KAC9B;AAAA,EACF;AAAA,EAEA,MAAM,6BAA6B,MAAA,EAA6D;AAC9F,IAAA,MAAM,KAAA,GAAQ,WAAA,CAAY,EAAE,CAAA,CAAE,SAAS,KAAK,CAAA;AAC5C,IAAA,MAAM,SAAA,GAAY,IAAI,IAAA,CAAK,IAAA,CAAK,KAAI,GAAI,EAAA,GAAK,EAAA,GAAK,EAAA,GAAK,GAAI,CAAA;AAE3D,IAAA,MAAM,IAAA,CAAK,EAAA,CAAG,UAAA,CAAW,qBAAqB,EAAE,SAAA,CAAU;AAAA,MACxD,QAAQ,IAAA,CAAK,MAAM,OAAO,SAAS,CAAA,EAAG,SAAS,MAAM,CAAA;AAAA,MACrD,KAAA;AAAA,MACA,SAAA;AAAA,MACA,SAAA,sBAAe,IAAA;AAAK,KACrB,CAAA;AAED,IAAA,OAAO,EAAE,OAAO,SAAA,EAAU;AAAA,EAC5B;AAAA,EAEA,MAAM,iBAAiB,KAAA,EAA+E;AACpG,IAAA,MAAM,YAAA,GAAe,MAAM,IAAA,CAAK,EAAA,CAAG,UAAA,CAAW,qBAAqB,CAAA,CAAE,OAAA,CAAQ,EAAE,KAAA,EAAO,CAAA;AAEtF,IAAA,IAAI,CAAC,YAAA,EAAc;AACjB,MAAA,OAAO,EAAE,OAAA,EAAS,KAAA,EAAO,KAAA,EAAO,4BAAA,EAA6B;AAAA,IAC/D;AAEA,IAAA,IAAI,YAAA,CAAa,SAAA,mBAAY,IAAI,IAAA,EAAK,EAAG;AACvC,MAAA,OAAO,EAAE,OAAA,EAAS,KAAA,EAAO,KAAA,EAAO,gCAAA,EAAiC;AAAA,IACnE;AAEA,IAAA,MAAM,IAAA,CAAK,EAAA,CAAG,UAAA,CAAW,OAAO,CAAA,CAAE,SAAA;AAAA,MAChC,EAAE,GAAA,EAAK,YAAA,CAAa,MAAA,EAAO;AAAA,MAC3B,EAAE,IAAA,EAAM,EAAE,aAAA,EAAe,MAAK;AAAE,KAClC;AAEA,IAAA,MAAM,IAAA,CAAK,EAAA,CAAG,UAAA,CAAW,qBAAqB,CAAA,CAAE,UAAU,EAAE,GAAA,EAAK,YAAA,CAAa,GAAA,EAAK,CAAA;AAEnF,IAAA,OAAO,EAAE,OAAA,EAAS,IAAA,EAAM,QAAQ,YAAA,CAAa,MAAA,CAAO,UAAS,EAAE;AAAA,EACjE;AAAA,EAEA,MAAM,yBAAyB,KAAA,EAA4E;AACzG,IAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,eAAA,CAAgB,KAAK,CAAA;AAC7C,IAAA,IAAI,CAAC,IAAA,EAAM;AACT,MAAA,OAAO,EAAE,OAAO,EAAA,EAAI,SAAA,sBAAe,IAAA,EAAK,EAAG,OAAO,gBAAA,EAAiB;AAAA,IACrE;AAEA,IAAA,MAAM,KAAA,GAAQ,WAAA,CAAY,EAAE,CAAA,CAAE,SAAS,KAAK,CAAA;AAC5C,IAAA,MAAM,SAAA,GAAY,IAAI,IAAA,CAAK,IAAA,CAAK,KAAI,GAAI,EAAA,GAAK,KAAK,GAAI,CAAA;AAEtD,IAAA,MAAM,IAAA,CAAK,EAAA,CAAG,UAAA,CAAW,iBAAiB,EAAE,SAAA,CAAU;AAAA,MACpD,MAAA,EAAQ,KAAK,MAAM,OAAO,SAAS,CAAA,EAAG,QAAA,CAAS,KAAK,EAAE,CAAA;AAAA,MACtD,KAAA;AAAA,MACA,SAAA;AAAA,MACA,SAAA,sBAAe,IAAA;AAAK,KACrB,CAAA;AAED,IAAA,OAAO,EAAE,OAAO,SAAA,EAAU;AAAA,EAC5B;AAAA,EAEA,MAAM,sBAAA,CAAuB,KAAA,EAAe,WAAA,EAAoE;AAC9G,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,EAAA,CAAG,UAAA,CAAW,iBAAiB,CAAA,CAAE,OAAA,CAAQ,EAAE,KAAA,EAAO,CAAA;AAE3E,IAAA,IAAI,CAAC,KAAA,EAAO;AACV,MAAA,OAAO,EAAE,OAAA,EAAS,KAAA,EAAO,KAAA,EAAO,qBAAA,EAAsB;AAAA,IACxD;AAEA,IAAA,IAAI,KAAA,CAAM,SAAA,mBAAY,IAAI,IAAA,EAAK,EAAG;AAChC,MAAA,OAAO,EAAE,OAAA,EAAS,KAAA,EAAO,KAAA,EAAO,yBAAA,EAA0B;AAAA,IAC5D;AAEA,IAAA,IAAI,MAAM,MAAA,EAAQ;AAChB,MAAA,OAAO,EAAE,OAAA,EAAS,KAAA,EAAO,KAAA,EAAO,mCAAA,EAAoC;AAAA,IACtE;AAEA,IAAA,MAAM,YAAA,GAAe,MAAM,IAAA,CAAK,YAAA,CAAa,WAAW,CAAA;AAExD,IAAA,MAAM,IAAA,CAAK,EAAA,CAAG,UAAA,CAAW,OAAO,CAAA,CAAE,SAAA;AAAA,MAChC,EAAE,GAAA,EAAK,KAAA,CAAM,MAAA,EAAO;AAAA,MACpB,EAAE,MAAM,EAAE,YAAA,EAAc,2BAAW,IAAI,IAAA,IAAO;AAAE,KAClD;AAEA,IAAA,MAAM,IAAA,CAAK,EAAA,CAAG,UAAA,CAAW,iBAAiB,CAAA,CAAE,SAAA;AAAA,MAC1C,EAAE,GAAA,EAAK,KAAA,CAAM,GAAA,EAAI;AAAA,MACjB,EAAE,IAAA,EAAM,EAAE,wBAAQ,IAAI,IAAA,IAAO;AAAE,KACjC;AAEA,IAAA,MAAM,IAAA,CAAK,EAAA,CAAG,UAAA,CAAW,UAAU,CAAA,CAAE,WAAW,EAAE,MAAA,EAAQ,KAAA,CAAM,MAAA,EAAQ,CAAA;AAExE,IAAA,OAAO,EAAE,SAAS,IAAA,EAAK;AAAA,EACzB;AACF;AAEO,SAAS,yBACd,OAAA,EACoB;AACpB,EAAA,OAAO,IAAI,mBAAmB,OAAO,CAAA;AACvC","file":"chunk-Y3N7UUDO.js","sourcesContent":["import bcrypt from \"bcryptjs\";\nimport { randomBytes, randomUUID } from \"crypto\";\nimport type {\n  AuthAdapter,\n  AuthUser,\n  Session,\n  UserRole,\n} from \"../../auth/types.js\";\nimport type {\n  AuditLog,\n  AuditLogFilter,\n} from \"../../auth/security/audit-log.js\";\n\nexport interface MongoDBAuthAdapterOptions {\n  db: any;\n  collectionPrefix?: string;\n  sessionTTL?: number;\n  refreshTokenTTL?: number;\n}\n\nexport class MongoDBAuthAdapter implements AuthAdapter {\n  private db: any;\n  private prefix: string;\n  private sessionTTL: number;\n  private refreshTokenTTL: number;\n  private indexesEnsured = false;\n\n  constructor(options: MongoDBAuthAdapterOptions) {\n    this.db = options.db;\n    this.prefix = options.collectionPrefix || \"\";\n    this.sessionTTL = options.sessionTTL || 86400;\n    this.refreshTokenTTL = options.refreshTokenTTL || 604800;\n  }\n\n  private col(name: string): any {\n    return this.db.collection(`${this.prefix}${name}`);\n  }\n\n  async connect(): Promise<void> {\n    if (!this.indexesEnsured) {\n      await this.ensureIndexes();\n    }\n  }\n\n  async disconnect(): Promise<void> {\n  }\n\n  private async ensureIndexes(): Promise<void> {\n    await this.col(\"users\").createIndex({ email: 1 }, { unique: true });\n    await this.col(\"users\").createIndex({ tenantId: 1 });\n    await this.col(\"users\").createIndex({ role: 1 });\n\n    await this.col(\"sessions\").createIndex({ token: 1 }, { unique: true });\n    await this.col(\"sessions\").createIndex({ refreshToken: 1 });\n    await this.col(\"sessions\").createIndex({ userId: 1 });\n    await this.col(\"sessions\").createIndex({ expiresAt: 1 }, { expireAfterSeconds: 0 });\n\n    await this.col(\"audit_logs\").createIndex({ timestamp: -1 });\n    await this.col(\"audit_logs\").createIndex({ userId: 1 });\n    await this.col(\"audit_logs\").createIndex({ action: 1 });\n    await this.col(\"audit_logs\").createIndex({ resource: 1 });\n\n    await this.col(\"password_history\").createIndex({ userId: 1, createdAt: -1 });\n\n    await this.col(\"lockouts\").createIndex({ userId: 1 }, { unique: true });\n    await this.col(\"lockouts\").createIndex({ lockedUntil: 1 });\n\n    this.indexesEnsured = true;\n  }\n\n  async createUser(data: {\n    email: string;\n    password: string;\n    name?: string;\n    role?: UserRole;\n    tenantId?: string;\n  }): Promise<AuthUser> {\n    const id = randomUUID();\n    const now = new Date();\n    const passwordHash = await this.hashPassword(data.password);\n    const user = {\n      _id: id,\n      name: data.name || null,\n      email: data.email.toLowerCase(),\n      passwordHash,\n      role: data.role || \"customer\",\n      tenantId: data.tenantId || null,\n      emailVerified: false,\n      locked: false,\n      lastLogin: null,\n      failedLoginAttempts: 0,\n      createdAt: now,\n      updatedAt: now,\n    };\n    await this.col(\"users\").insertOne(user);\n    return this.docToAuthUser(user);\n  }\n\n  async findUserByEmail(email: string): Promise<AuthUser | null> {\n    const doc = await this.col(\"users\").findOne({ email: email.toLowerCase() });\n    return doc ? this.docToAuthUser(doc) : null;\n  }\n\n  async findUserById(id: string): Promise<AuthUser | null> {\n    const doc = await this.col(\"users\").findOne({ _id: id });\n    return doc ? this.docToAuthUser(doc) : null;\n  }\n\n  async updateUser(\n    id: string,\n    data: Partial<AuthUser>,\n  ): Promise<AuthUser | null> {\n    const setData: Record<string, unknown> = { updatedAt: new Date() };\n    if (data.name !== undefined) setData.name = data.name;\n    if (data.email !== undefined) setData.email = data.email;\n    if (data.passwordHash !== undefined) setData.passwordHash = data.passwordHash;\n    if (data.role !== undefined) setData.role = data.role;\n    if (data.tenantId !== undefined) setData.tenantId = data.tenantId;\n    if (data.emailVerified !== undefined) setData.emailVerified = data.emailVerified;\n    if (data.locked !== undefined) setData.locked = data.locked;\n    if (data.lastLogin !== undefined) setData.lastLogin = data.lastLogin ? new Date(data.lastLogin) : null;\n    if (data.failedLoginAttempts !== undefined) setData.failedLoginAttempts = data.failedLoginAttempts;\n\n    const result = await this.col(\"users\").findOneAndUpdate(\n      { _id: id },\n      { $set: setData },\n      { returnDocument: \"after\" },\n    );\n    return result ? this.docToAuthUser(result) : null;\n  }\n\n  async deleteUser(id: string): Promise<boolean> {\n    const result = await this.col(\"users\").deleteOne({ _id: id });\n    return result.deletedCount > 0;\n  }\n\n  async verifyPassword(\n    email: string,\n    password: string,\n  ): Promise<AuthUser | null> {\n    const user = await this.findUserByEmail(email);\n    if (!user) return null;\n    const doc = await this.col(\"users\").findOne(\n      { email: email.toLowerCase() },\n      { projection: { passwordHash: 1 } },\n    );\n    if (!doc?.passwordHash) return null;\n    const valid = await bcrypt.compare(password, doc.passwordHash);\n    return valid ? user : null;\n  }\n\n  async hashPassword(password: string): Promise<string> {\n    return bcrypt.hash(password, 12);\n  }\n\n  async createSession(\n    userId: string,\n    data?: { ipAddress?: string; userAgent?: string },\n  ): Promise<Session> {\n    const id = randomUUID();\n    const token = randomBytes(32).toString(\"base64url\");\n    const refreshToken = randomBytes(32).toString(\"base64url\");\n    const now = new Date();\n    const expiresAt = new Date(now.getTime() + this.sessionTTL * 1000);\n\n    const session = {\n      _id: id,\n      userId,\n      token,\n      refreshToken,\n      ipAddress: data?.ipAddress || null,\n      userAgent: data?.userAgent || null,\n      expiresAt,\n      createdAt: now,\n    };\n\n    await this.col(\"sessions\").insertOne(session);\n    return this.docToSession(session);\n  }\n\n  async findSessionByToken(token: string): Promise<Session | null> {\n    const doc = await this.col(\"sessions\").findOne({\n      token,\n      expiresAt: { $gt: new Date() },\n    });\n    return doc ? this.docToSession(doc) : null;\n  }\n\n  async findSessionByRefreshToken(\n    refreshToken: string,\n  ): Promise<Session | null> {\n    const doc = await this.col(\"sessions\").findOne({\n      refreshToken,\n      expiresAt: { $gt: new Date() },\n    });\n    return doc ? this.docToSession(doc) : null;\n  }\n\n  async deleteSession(sessionId: string): Promise<boolean> {\n    const result = await this.col(\"sessions\").deleteOne({ _id: sessionId });\n    return result.deletedCount > 0;\n  }\n\n  async deleteUserSessions(userId: string): Promise<number> {\n    const result = await this.col(\"sessions\").deleteMany({ userId });\n    return result.deletedCount;\n  }\n\n  async hasAnyUsers(): Promise<boolean> {\n    const count = await this.col(\"users\").countDocuments();\n    return count > 0;\n  }\n\n  async addPasswordToHistory(\n    userId: string,\n    passwordHash: string,\n  ): Promise<void> {\n    await this.col(\"password_history\").insertOne({\n      userId,\n      passwordHash,\n      createdAt: new Date(),\n    });\n  }\n\n  async getPasswordHistory(\n    userId: string,\n    count: number = 5,\n  ): Promise<string[]> {\n    const docs = await this.col(\"password_history\")\n      .find({ userId })\n      .sort({ createdAt: -1 })\n      .limit(count)\n      .toArray();\n    return docs.map((d: any) => d.passwordHash);\n  }\n\n  async isPasswordInHistory(\n    password: string,\n    userId: string,\n    historyCount: number = 5,\n  ): Promise<boolean> {\n    const history = await this.getPasswordHistory(userId, historyCount);\n    for (const hash of history) {\n      if (await bcrypt.compare(password, hash)) {\n        return true;\n      }\n    }\n    return false;\n  }\n\n  async findAuditLogs(\n    filter: AuditLogFilter,\n  ): Promise<{ logs: AuditLog[]; total: number }> {\n    const {\n      limit = 50,\n      offset = 0,\n      userId,\n      action,\n      resource,\n      resourceId,\n      success,\n      startDate,\n      endDate,\n    } = filter;\n\n    const query: Record<string, any> = {};\n    if (userId) query.userId = userId;\n    if (action) {\n      if (Array.isArray(action)) {\n        query.action = { $in: action };\n      } else {\n        query.action = action;\n      }\n    }\n    if (resource) query.resource = resource;\n    if (resourceId) query.resourceId = resourceId;\n    if (success !== undefined) query.success = success;\n    if (startDate || endDate) {\n      query.timestamp = {};\n      if (startDate) query.timestamp.$gte = startDate;\n      if (endDate) query.timestamp.$lte = endDate;\n    }\n\n    const total = await this.col(\"audit_logs\").countDocuments(query);\n    const docs = await this.col(\"audit_logs\")\n      .find(query)\n      .sort({ timestamp: -1 })\n      .skip(offset)\n      .limit(limit)\n      .toArray();\n\n    return {\n      logs: docs.map((doc: any) => ({\n        id: doc._id,\n        timestamp: doc.timestamp,\n        action: doc.action as AuditLog[\"action\"],\n        userId: doc.userId || undefined,\n        userEmail: doc.userEmail || undefined,\n        role: doc.role || undefined,\n        resource: doc.resource,\n        resourceId: doc.resourceId || undefined,\n        changes: doc.changes || undefined,\n        ipAddress: doc.ipAddress || undefined,\n        userAgent: doc.userAgent || undefined,\n        success: doc.success,\n        error: doc.error || undefined,\n        metadata: doc.metadata || undefined,\n      })),\n      total,\n    };\n  }\n\n  async createAuditLog(\n    data: Omit<AuditLog, \"id\" | \"timestamp\">,\n  ): Promise<AuditLog> {\n    const id = randomUUID();\n    const timestamp = new Date();\n\n    await this.col(\"audit_logs\").insertOne({\n      _id: id,\n      action: data.action,\n      userId: data.userId || null,\n      userEmail: data.userEmail || null,\n      role: data.role || null,\n      resource: data.resource,\n      resourceId: data.resourceId || null,\n      changes: data.changes || null,\n      ipAddress: data.ipAddress || null,\n      userAgent: data.userAgent || null,\n      success: data.success,\n      error: data.error || null,\n      metadata: data.metadata || null,\n      timestamp,\n    });\n\n    return {\n      ...data,\n      id,\n      timestamp,\n    };\n  }\n\n  private docToAuthUser(doc: any): AuthUser {\n    return {\n      id: doc._id,\n      name: doc.name || undefined,\n      email: doc.email,\n      passwordHash: doc.passwordHash || undefined,\n      role: doc.role as UserRole,\n      tenantId: doc.tenantId || undefined,\n      emailVerified: doc.emailVerified || false,\n      locked: doc.locked || false,\n      lastLogin: doc.lastLogin?.toISOString?.() || doc.lastLogin || undefined,\n      failedLoginAttempts: doc.failedLoginAttempts || 0,\n      createdAt: doc.createdAt?.toISOString?.() || doc.createdAt,\n      updatedAt: doc.updatedAt?.toISOString?.() || doc.updatedAt,\n    };\n  }\n\n  private docToSession(doc: any): Session {\n    return {\n      id: doc._id,\n      userId: doc.userId,\n      token: doc.token,\n      refreshToken: doc.refreshToken || undefined,\n      expiresAt: doc.expiresAt?.toISOString?.() || doc.expiresAt,\n      createdAt: doc.createdAt?.toISOString?.() || doc.createdAt,\n      ipAddress: doc.ipAddress || undefined,\n      userAgent: doc.userAgent || undefined,\n    };\n  }\n\n  async createEmailVerificationToken(userId: string): Promise<{ token: string; expiresAt: Date }> {\n    const token = randomBytes(32).toString(\"hex\");\n    const expiresAt = new Date(Date.now() + 24 * 60 * 60 * 1000);\n\n    await this.db.collection(\"email_verifications\").insertOne({\n      userId: new (await import(\"mongodb\")).ObjectId(userId),\n      token,\n      expiresAt,\n      createdAt: new Date(),\n    });\n\n    return { token, expiresAt };\n  }\n\n  async verifyEmailToken(token: string): Promise<{ success: boolean; userId?: string; error?: string }> {\n    const verification = await this.db.collection(\"email_verifications\").findOne({ token });\n\n    if (!verification) {\n      return { success: false, error: \"Invalid verification token\" };\n    }\n\n    if (verification.expiresAt < new Date()) {\n      return { success: false, error: \"Verification token has expired\" };\n    }\n\n    await this.db.collection(\"users\").updateOne(\n      { _id: verification.userId },\n      { $set: { emailVerified: true } }\n    );\n\n    await this.db.collection(\"email_verifications\").deleteOne({ _id: verification._id });\n\n    return { success: true, userId: verification.userId.toString() };\n  }\n\n  async createPasswordResetToken(email: string): Promise<{ token: string; expiresAt: Date; error?: string }> {\n    const user = await this.findUserByEmail(email);\n    if (!user) {\n      return { token: \"\", expiresAt: new Date(), error: \"User not found\" };\n    }\n\n    const token = randomBytes(32).toString(\"hex\");\n    const expiresAt = new Date(Date.now() + 60 * 60 * 1000);\n\n    await this.db.collection(\"password_resets\").insertOne({\n      userId: new (await import(\"mongodb\")).ObjectId(user.id),\n      token,\n      expiresAt,\n      createdAt: new Date(),\n    });\n\n    return { token, expiresAt };\n  }\n\n  async resetPasswordWithToken(token: string, newPassword: string): Promise<{ success: boolean; error?: string }> {\n    const reset = await this.db.collection(\"password_resets\").findOne({ token });\n\n    if (!reset) {\n      return { success: false, error: \"Invalid reset token\" };\n    }\n\n    if (reset.expiresAt < new Date()) {\n      return { success: false, error: \"Reset token has expired\" };\n    }\n\n    if (reset.usedAt) {\n      return { success: false, error: \"Reset token has already been used\" };\n    }\n\n    const passwordHash = await this.hashPassword(newPassword);\n\n    await this.db.collection(\"users\").updateOne(\n      { _id: reset.userId },\n      { $set: { passwordHash, updatedAt: new Date() } }\n    );\n\n    await this.db.collection(\"password_resets\").updateOne(\n      { _id: reset._id },\n      { $set: { usedAt: new Date() } }\n    );\n\n    await this.db.collection(\"sessions\").deleteMany({ userId: reset.userId });\n\n    return { success: true };\n  }\n}\n\nexport function createMongoDBAuthAdapter(\n  options: MongoDBAuthAdapterOptions,\n): MongoDBAuthAdapter {\n  return new MongoDBAuthAdapter(options);\n}\n"]}

package/dist/{chunk-S3FG2NY7.js → chunk-Y3QQN7PN.js}

@@ -1,4 +1,5 @@
-import { SQLiteAuthAdapter, PasswordPolicy, EmailTransport } from './chunk-TP5YQFIX.js';
+import { PasswordPolicy, EmailTransport } from './chunk-57P6MJKC.js';
+import { SQLiteAuthAdapter } from './chunk-H727JIG7.js';
 
 // src/auth/bootstrap.ts
 async function bootstrapAdmin(config) {
@@ -139,5 +140,5 @@ async function bootstrapWithRetry(config, maxRetries = 3, retryDelayMs = 2e3) {
 }
 
 export { autoBootstrap, bootstrapAdmin, bootstrapWithRetry, checkBootstrapRequired, getBootstrapFromEnv };
-//# sourceMappingURL=chunk-S3FG2NY7.js.map
-//# sourceMappingURL=chunk-S3FG2NY7.js.map
+//# sourceMappingURL=chunk-Y3QQN7PN.js.map
+//# sourceMappingURL=chunk-Y3QQN7PN.js.map

package/dist/chunk-Y3QQN7PN.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/auth/bootstrap.ts"],"names":[],"mappings":";;;;AAsBA,eAAsB,eACpB,MAAA,EAC0B;AAC1B,EAAA,MAAM;AAAA,IACJ,UAAA;AAAA,IACA,aAAA;AAAA,IACA,SAAA,GAAY,aAAA;AAAA,IACZ,QAAA;AAAA,IACA,WAAA;AAAA,IACA,gBAAA,GAAmB;AAAA,GACrB,GAAI,MAAA;AAEJ,EAAA,MAAM,WAAA,GACJ,MAAA,CAAO,WAAA,IACP,IAAI,iBAAA,CAAkB;AAAA,IACpB,IAAA,EAAM,OAAO,UAAA,IAAc;AAAA,GAC5B,CAAA;AAEH,EAAA,IAAI;AACF,IAAA,MAAM,YAAY,OAAA,IAAU;AAAA,EAC9B,SAAS,KAAA,EAAO;AACd,IAAA,OAAO;AAAA,MACL,OAAA,EAAS,KAAA;AAAA,MACT,KAAA,EAAO;AAAA,KACT;AAAA,EACF;AAEA,EAAA,MAAM,cAAA,GAAiB,IAAI,cAAA,EAAe;AAC1C,EAAA,MAAM,kBAAA,GAAqB,cAAA,CAAe,QAAA,CAAS,aAAa,CAAA;AAChE,EAAA,IAAI,CAAC,mBAAmB,KAAA,EAAO;AAC7B,IAAA,MAAM,YAAY,UAAA,IAAa;AAC/B,IAAA,OAAO;AAAA,MACL,OAAA,EAAS,KAAA;AAAA,MACT,OAAO,CAAA,kBAAA,EAAqB,kBAAA,CAAmB,MAAA,CAAO,IAAA,CAAK,IAAI,CAAC,CAAA;AAAA,KAClE;AAAA,EACF;AAEA,EAAA,MAAM,YAAA,GAAe,MAAM,WAAA,CAAY,eAAA,CAAgB,UAAU,CAAA;AACjE,EAAA,IAAI,YAAA,EAAc;AAChB,IAAA,MAAM,YAAY,UAAA,IAAa;AAC/B,IAAA,OAAO;AAAA,MACL,OAAA,EAAS,KAAA;AAAA,MACT,KAAA,EAAO;AAAA,KACT;AAAA,EACF;AAEA,EAAA,IAAI;AACF,IAAA,MAAM,IAAA,GAAO,MAAM,WAAA,CAAY,UAAA,CAAW;AAAA,MACxC,KAAA,EAAO,UAAA;AAAA,MACP,QAAA,EAAU,aAAA;AAAA,MACV,MAAO,SAAA,IAA0B,OAAA;AAAA,MACjC;AAAA,KACD,CAAA;AAED,IAAA,IAAI,oBAAoB,WAAA,EAAa;AACnC,MAAA,MAAM,cAAA,GAAiB,IAAI,cAAA,CAAe,WAAW,CAAA;AACrD,MAAA,MAAM,SAAA,GAAY,eAAe,YAAA,EAAa;AAC9C,MAAA,MAAM,eAAA,GAAkB,UAAU,OAAA,CAAQ,UAAA,CAAW,MAAM,GAAG,CAAA,CAAE,CAAC,CAAC,CAAA;AAClE,MAAA,MAAM,eAAe,IAAA,CAAK;AAAA,QACxB,EAAA,EAAI,UAAA;AAAA,QACJ,GAAG;AAAA,OACJ,CAAA;AAAA,IACH;AAEA,IAAA,MAAM,YAAY,UAAA,IAAa;AAC/B,IAAA,OAAO;AAAA,MACL,OAAA,EAAS,IAAA;AAAA,MACT;AAAA,KACF;AAAA,EACF,SAAS,KAAA,EAAO;AACd,IAAA,MAAM,YAAY,UAAA,IAAa;AAC/B,IAAA,OAAO;AAAA,MACL,OAAA,EAAS,KAAA;AAAA,MACT,KAAA,EACE,KAAA,YAAiB,KAAA,GAAQ,KAAA,CAAM,OAAA,GAAU;AAAA,KAC7C;AAAA,EACF;AACF;AAEA,eAAsB,sBAAA,CACpB,aACA,UAAA,EACkB;AAClB,EAAA,MAAM,YAAA,GAAe,MAAM,WAAA,CAAY,eAAA,CAAgB,UAAU,CAAA;AACjE,EAAA,OAAO,CAAC,YAAA;AACV;AAEO,SAAS,mBAAA,GAA8C;AAC5D,EAAA,MAAM,KAAA,GAAQ,QAAQ,GAAA,CAAI,gBAAA;AAC1B,EAAA,MAAM,QAAA,GAAW,QAAQ,GAAA,CAAI,mBAAA;AAE7B,EAAA,IAAI,CAAC,KAAA,IAAS,CAAC,QAAA,EAAU;AACvB,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,OAAO;AAAA,IACL,UAAA,EAAY,OAAA,CAAQ,GAAA,CAAI,iBAAA,IAAqB,gBAAA;AAAA,IAC7C,UAAA,EAAY,KAAA;AAAA,IACZ,aAAA,EAAe,QAAA;AAAA,IACf,SAAA,EAAW,OAAA,CAAQ,GAAA,CAAI,eAAA,IAAmB,aAAA;AAAA,IAC1C,QAAA,EAAU,QAAQ,GAAA,CAAI,oBAAA;AAAA,IACtB,WAAA,EAAa,OAAA,CAAQ,GAAA,CAAI,SAAA,GACrB;AAAA,MACE,QAAA,EAAU,MAAA;AAAA,MACV,IAAA,EAAM;AAAA,QACJ,IAAA,EAAM,QAAQ,GAAA,CAAI,SAAA;AAAA,QAClB,MAAM,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,SAAA,IAAa,OAAO,EAAE,CAAA;AAAA,QACjD,MAAA,EAAQ,OAAA,CAAQ,GAAA,CAAI,WAAA,KAAgB,MAAA;AAAA,QACpC,IAAA,EAAM;AAAA,UACJ,IAAA,EAAM,OAAA,CAAQ,GAAA,CAAI,SAAA,IAAa,EAAA;AAAA,UAC/B,IAAA,EAAM,OAAA,CAAQ,GAAA,CAAI,SAAA,IAAa;AAAA;AACjC,OACF;AAAA,MACA,IAAA,EAAM,OAAA,CAAQ,GAAA,CAAI,SAAA,IAAa,qBAAA;AAAA,MAC/B,QAAA,EAAU,QAAQ,GAAA,CAAI;AAAA,KACxB,GACA,MAAA;AAAA,IACJ,gBAAA,EAAkB,OAAA,CAAQ,GAAA,CAAI,uBAAA,KAA4B;AAAA,GAC5D;AACF;AAEA,eAAsB,cACpB,WAAA,EACiC;AACjC,EAAA,MAAM,SAAS,mBAAA,EAAoB;AACnC,EAAA,IAAI,CAAC,MAAA,EAAQ;AACX,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,IAAI,WAAA,EAAa;AACf,IAAA,MAAA,CAAO,WAAA,GAAc,WAAA;AAAA,EACvB;AAEA,EAAA,OAAA,CAAQ,IAAI,kCAAkC,CAAA;AAC9C,EAAA,MAAM,MAAA,GAAS,MAAM,cAAA,CAAe,MAAM,CAAA;AAE1C,EAAA,IAAI,OAAO,OAAA,EAAS;AAClB,IAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,oBAAA,EAAuB,MAAA,CAAO,UAAU,CAAA,CAAE,CAAA;AAAA,EACxD,CAAA,MAAO;AACL,IAAA,OAAA,CAAQ,KAAA,CAAM,CAAA,kBAAA,EAAqB,MAAA,CAAO,KAAK,CAAA,CAAE,CAAA;AAAA,EACnD;AAEA,EAAA,OAAO,MAAA;AACT;AAEA,eAAsB,kBAAA,CACpB,MAAA,EACA,UAAA,GAAqB,CAAA,EACrB,eAAuB,GAAA,EACG;AAC1B,EAAA,IAAI,SAAA,GAAoB,EAAA;AAExB,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,UAAA,EAAY,CAAA,EAAA,EAAK;AACnC,IAAA,MAAM,MAAA,GAAS,MAAM,cAAA,CAAe,MAAM,CAAA;AAE1C,IAAA,IAAI,OAAO,OAAA,EAAS;AAClB,MAAA,OAAO,MAAA;AAAA,IACT;AAEA,IAAA,SAAA,GAAY,OAAO,KAAA,IAAS,eAAA;AAE5B,IAAA,IAAI,SAAA,CAAU,QAAA,CAAS,gBAAgB,CAAA,EAAG;AACxC,MAAA,OAAO,MAAA;AAAA,IACT;AAEA,IAAA,IAAI,CAAA,GAAI,aAAa,CAAA,EAAG;AACtB,MAAA,MAAM,IAAI,OAAA,CAAQ,CAAC,YAAY,UAAA,CAAW,OAAA,EAAS,YAAY,CAAC,CAAA;AAAA,IAClE;AAAA,EACF;AAEA,EAAA,OAAO;AAAA,IACL,OAAA,EAAS,KAAA;AAAA,IACT,KAAA,EAAO,CAAA,aAAA,EAAgB,UAAU,CAAA,UAAA,EAAa,SAAS,CAAA;AAAA,GACzD;AACF","file":"chunk-Y3QQN7PN.js","sourcesContent":["import { SQLiteAuthAdapter } from \"./sqlite-adapter.js\";\nimport { EmailTransport, type EmailConfig } from \"./nodemailer-transport.js\";\nimport { PasswordPolicy } from \"./security/password-policy.js\";\nimport type { AuthUser, UserRole, AuthAdapter } from \"./types.js\";\n\nexport interface BootstrapConfig {\n  authAdapter?: AuthAdapter;\n  authDbPath?: string;\n  adminEmail: string;\n  adminPassword: string;\n  adminRole?: string;\n  tenantId?: string;\n  emailConfig?: EmailConfig;\n  sendWelcomeEmail?: boolean;\n}\n\nexport interface BootstrapResult {\n  success: boolean;\n  user?: AuthUser;\n  error?: string;\n}\n\nexport async function bootstrapAdmin(\n  config: BootstrapConfig,\n): Promise<BootstrapResult> {\n  const {\n    adminEmail,\n    adminPassword,\n    adminRole = \"super_admin\",\n    tenantId,\n    emailConfig,\n    sendWelcomeEmail = false,\n  } = config;\n\n  const authAdapter =\n    config.authAdapter ||\n    new SQLiteAuthAdapter({\n      path: config.authDbPath || \"./data/auth.db\",\n    });\n\n  try {\n    await authAdapter.connect?.();\n  } catch (error) {\n    return {\n      success: false,\n      error: \"Failed to connect to auth storage\",\n    };\n  }\n\n  const passwordPolicy = new PasswordPolicy();\n  const passwordValidation = passwordPolicy.validate(adminPassword);\n  if (!passwordValidation.valid) {\n    await authAdapter.disconnect?.();\n    return {\n      success: false,\n      error: `Invalid password: ${passwordValidation.errors.join(\", \")}`,\n    };\n  }\n\n  const existingUser = await authAdapter.findUserByEmail(adminEmail);\n  if (existingUser) {\n    await authAdapter.disconnect?.();\n    return {\n      success: false,\n      error: \"Admin user already exists\",\n    };\n  }\n\n  try {\n    const user = await authAdapter.createUser({\n      email: adminEmail,\n      password: adminPassword,\n      role: (adminRole as UserRole) || \"admin\",\n      tenantId,\n    });\n\n    if (sendWelcomeEmail && emailConfig) {\n      const emailTransport = new EmailTransport(emailConfig);\n      const templates = emailTransport.getTemplates();\n      const welcomeTemplate = templates.welcome(adminEmail.split(\"@\")[0]);\n      await emailTransport.send({\n        to: adminEmail,\n        ...welcomeTemplate,\n      });\n    }\n\n    await authAdapter.disconnect?.();\n    return {\n      success: true,\n      user,\n    };\n  } catch (error) {\n    await authAdapter.disconnect?.();\n    return {\n      success: false,\n      error:\n        error instanceof Error ? error.message : \"Failed to create admin user\",\n    };\n  }\n}\n\nexport async function checkBootstrapRequired(\n  authAdapter: AuthAdapter,\n  adminEmail: string,\n): Promise<boolean> {\n  const existingUser = await authAdapter.findUserByEmail(adminEmail);\n  return !existingUser;\n}\n\nexport function getBootstrapFromEnv(): BootstrapConfig | null {\n  const email = process.env.KYRO_ADMIN_EMAIL;\n  const password = process.env.KYRO_ADMIN_PASSWORD;\n\n  if (!email || !password) {\n    return null;\n  }\n\n  return {\n    authDbPath: process.env.KYRO_AUTH_DB_PATH || \"./data/auth.db\",\n    adminEmail: email,\n    adminPassword: password,\n    adminRole: process.env.KYRO_ADMIN_ROLE || \"super_admin\",\n    tenantId: process.env.KYRO_ADMIN_TENANT_ID,\n    emailConfig: process.env.SMTP_HOST\n      ? {\n          provider: \"smtp\",\n          smtp: {\n            host: process.env.SMTP_HOST,\n            port: parseInt(process.env.SMTP_PORT || \"587\", 10),\n            secure: process.env.SMTP_SECURE === \"true\",\n            auth: {\n              user: process.env.SMTP_USER || \"\",\n              pass: process.env.SMTP_PASS || \"\",\n            },\n          },\n          from: process.env.SMTP_FROM || \"noreply@example.com\",\n          fromName: process.env.SMTP_FROM_NAME,\n        }\n      : undefined,\n    sendWelcomeEmail: process.env.KYRO_ADMIN_SEND_WELCOME === \"true\",\n  };\n}\n\nexport async function autoBootstrap(\n  authAdapter?: AuthAdapter,\n): Promise<BootstrapResult | null> {\n  const config = getBootstrapFromEnv();\n  if (!config) {\n    return null;\n  }\n\n  if (authAdapter) {\n    config.authAdapter = authAdapter;\n  }\n\n  console.log(\"Auto-bootstrapping admin user...\");\n  const result = await bootstrapAdmin(config);\n\n  if (result.success) {\n    console.log(`Admin user created: ${config.adminEmail}`);\n  } else {\n    console.error(`Bootstrap failed: ${result.error}`);\n  }\n\n  return result;\n}\n\nexport async function bootstrapWithRetry(\n  config: BootstrapConfig,\n  maxRetries: number = 3,\n  retryDelayMs: number = 2000,\n): Promise<BootstrapResult> {\n  let lastError: string = \"\";\n\n  for (let i = 0; i < maxRetries; i++) {\n    const result = await bootstrapAdmin(config);\n\n    if (result.success) {\n      return result;\n    }\n\n    lastError = result.error || \"Unknown error\";\n\n    if (lastError.includes(\"already exists\")) {\n      return result;\n    }\n\n    if (i < maxRetries - 1) {\n      await new Promise((resolve) => setTimeout(resolve, retryDelayMs));\n    }\n  }\n\n  return {\n    success: false,\n    error: `Failed after ${maxRetries} retries: ${lastError}`,\n  };\n}\n"]}

package/dist/{chunk-5HA5OMFH.cjs → chunk-YVUJBEXE.cjs}

@@ -1,6 +1,7 @@
 'use strict';
 
-var chunkRDRJVCL5_cjs = require('./chunk-RDRJVCL5.cjs');
+var chunkIA6AU5PI_cjs = require('./chunk-IA6AU5PI.cjs');
+var chunkI7HHI6QV_cjs = require('./chunk-I7HHI6QV.cjs');
 
 // src/auth/bootstrap.ts
 async function bootstrapAdmin(config) {
@@ -12,7 +13,7 @@ async function bootstrapAdmin(config) {
     emailConfig,
     sendWelcomeEmail = false
   } = config;
-  const authAdapter = config.authAdapter || new chunkRDRJVCL5_cjs.SQLiteAuthAdapter({
+  const authAdapter = config.authAdapter || new chunkI7HHI6QV_cjs.SQLiteAuthAdapter({
     path: config.authDbPath || "./data/auth.db"
   });
   try {
@@ -23,7 +24,7 @@ async function bootstrapAdmin(config) {
       error: "Failed to connect to auth storage"
     };
   }
-  const passwordPolicy = new chunkRDRJVCL5_cjs.PasswordPolicy();
+  const passwordPolicy = new chunkIA6AU5PI_cjs.PasswordPolicy();
   const passwordValidation = passwordPolicy.validate(adminPassword);
   if (!passwordValidation.valid) {
     await authAdapter.disconnect?.();
@@ -48,7 +49,7 @@ async function bootstrapAdmin(config) {
       tenantId
     });
     if (sendWelcomeEmail && emailConfig) {
-      const emailTransport = new chunkRDRJVCL5_cjs.EmailTransport(emailConfig);
+      const emailTransport = new chunkIA6AU5PI_cjs.EmailTransport(emailConfig);
       const templates = emailTransport.getTemplates();
       const welcomeTemplate = templates.welcome(adminEmail.split("@")[0]);
       await emailTransport.send({
@@ -145,5 +146,5 @@ exports.bootstrapAdmin = bootstrapAdmin;
 exports.bootstrapWithRetry = bootstrapWithRetry;
 exports.checkBootstrapRequired = checkBootstrapRequired;
 exports.getBootstrapFromEnv = getBootstrapFromEnv;
-//# sourceMappingURL=chunk-5HA5OMFH.cjs.map
-//# sourceMappingURL=chunk-5HA5OMFH.cjs.map
+//# sourceMappingURL=chunk-YVUJBEXE.cjs.map
+//# sourceMappingURL=chunk-YVUJBEXE.cjs.map

package/dist/chunk-YVUJBEXE.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/auth/bootstrap.ts"],"names":["SQLiteAuthAdapter","PasswordPolicy","EmailTransport"],"mappings":";;;;;;AAsBA,eAAsB,eACpB,MAAA,EAC0B;AAC1B,EAAA,MAAM;AAAA,IACJ,UAAA;AAAA,IACA,aAAA;AAAA,IACA,SAAA,GAAY,aAAA;AAAA,IACZ,QAAA;AAAA,IACA,WAAA;AAAA,IACA,gBAAA,GAAmB;AAAA,GACrB,GAAI,MAAA;AAEJ,EAAA,MAAM,WAAA,GACJ,MAAA,CAAO,WAAA,IACP,IAAIA,mCAAA,CAAkB;AAAA,IACpB,IAAA,EAAM,OAAO,UAAA,IAAc;AAAA,GAC5B,CAAA;AAEH,EAAA,IAAI;AACF,IAAA,MAAM,YAAY,OAAA,IAAU;AAAA,EAC9B,SAAS,KAAA,EAAO;AACd,IAAA,OAAO;AAAA,MACL,OAAA,EAAS,KAAA;AAAA,MACT,KAAA,EAAO;AAAA,KACT;AAAA,EACF;AAEA,EAAA,MAAM,cAAA,GAAiB,IAAIC,gCAAA,EAAe;AAC1C,EAAA,MAAM,kBAAA,GAAqB,cAAA,CAAe,QAAA,CAAS,aAAa,CAAA;AAChE,EAAA,IAAI,CAAC,mBAAmB,KAAA,EAAO;AAC7B,IAAA,MAAM,YAAY,UAAA,IAAa;AAC/B,IAAA,OAAO;AAAA,MACL,OAAA,EAAS,KAAA;AAAA,MACT,OAAO,CAAA,kBAAA,EAAqB,kBAAA,CAAmB,MAAA,CAAO,IAAA,CAAK,IAAI,CAAC,CAAA;AAAA,KAClE;AAAA,EACF;AAEA,EAAA,MAAM,YAAA,GAAe,MAAM,WAAA,CAAY,eAAA,CAAgB,UAAU,CAAA;AACjE,EAAA,IAAI,YAAA,EAAc;AAChB,IAAA,MAAM,YAAY,UAAA,IAAa;AAC/B,IAAA,OAAO;AAAA,MACL,OAAA,EAAS,KAAA;AAAA,MACT,KAAA,EAAO;AAAA,KACT;AAAA,EACF;AAEA,EAAA,IAAI;AACF,IAAA,MAAM,IAAA,GAAO,MAAM,WAAA,CAAY,UAAA,CAAW;AAAA,MACxC,KAAA,EAAO,UAAA;AAAA,MACP,QAAA,EAAU,aAAA;AAAA,MACV,MAAO,SAAA,IAA0B,OAAA;AAAA,MACjC;AAAA,KACD,CAAA;AAED,IAAA,IAAI,oBAAoB,WAAA,EAAa;AACnC,MAAA,MAAM,cAAA,GAAiB,IAAIC,gCAAA,CAAe,WAAW,CAAA;AACrD,MAAA,MAAM,SAAA,GAAY,eAAe,YAAA,EAAa;AAC9C,MAAA,MAAM,eAAA,GAAkB,UAAU,OAAA,CAAQ,UAAA,CAAW,MAAM,GAAG,CAAA,CAAE,CAAC,CAAC,CAAA;AAClE,MAAA,MAAM,eAAe,IAAA,CAAK;AAAA,QACxB,EAAA,EAAI,UAAA;AAAA,QACJ,GAAG;AAAA,OACJ,CAAA;AAAA,IACH;AAEA,IAAA,MAAM,YAAY,UAAA,IAAa;AAC/B,IAAA,OAAO;AAAA,MACL,OAAA,EAAS,IAAA;AAAA,MACT;AAAA,KACF;AAAA,EACF,SAAS,KAAA,EAAO;AACd,IAAA,MAAM,YAAY,UAAA,IAAa;AAC/B,IAAA,OAAO;AAAA,MACL,OAAA,EAAS,KAAA;AAAA,MACT,KAAA,EACE,KAAA,YAAiB,KAAA,GAAQ,KAAA,CAAM,OAAA,GAAU;AAAA,KAC7C;AAAA,EACF;AACF;AAEA,eAAsB,sBAAA,CACpB,aACA,UAAA,EACkB;AAClB,EAAA,MAAM,YAAA,GAAe,MAAM,WAAA,CAAY,eAAA,CAAgB,UAAU,CAAA;AACjE,EAAA,OAAO,CAAC,YAAA;AACV;AAEO,SAAS,mBAAA,GAA8C;AAC5D,EAAA,MAAM,KAAA,GAAQ,QAAQ,GAAA,CAAI,gBAAA;AAC1B,EAAA,MAAM,QAAA,GAAW,QAAQ,GAAA,CAAI,mBAAA;AAE7B,EAAA,IAAI,CAAC,KAAA,IAAS,CAAC,QAAA,EAAU;AACvB,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,OAAO;AAAA,IACL,UAAA,EAAY,OAAA,CAAQ,GAAA,CAAI,iBAAA,IAAqB,gBAAA;AAAA,IAC7C,UAAA,EAAY,KAAA;AAAA,IACZ,aAAA,EAAe,QAAA;AAAA,IACf,SAAA,EAAW,OAAA,CAAQ,GAAA,CAAI,eAAA,IAAmB,aAAA;AAAA,IAC1C,QAAA,EAAU,QAAQ,GAAA,CAAI,oBAAA;AAAA,IACtB,WAAA,EAAa,OAAA,CAAQ,GAAA,CAAI,SAAA,GACrB;AAAA,MACE,QAAA,EAAU,MAAA;AAAA,MACV,IAAA,EAAM;AAAA,QACJ,IAAA,EAAM,QAAQ,GAAA,CAAI,SAAA;AAAA,QAClB,MAAM,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,SAAA,IAAa,OAAO,EAAE,CAAA;AAAA,QACjD,MAAA,EAAQ,OAAA,CAAQ,GAAA,CAAI,WAAA,KAAgB,MAAA;AAAA,QACpC,IAAA,EAAM;AAAA,UACJ,IAAA,EAAM,OAAA,CAAQ,GAAA,CAAI,SAAA,IAAa,EAAA;AAAA,UAC/B,IAAA,EAAM,OAAA,CAAQ,GAAA,CAAI,SAAA,IAAa;AAAA;AACjC,OACF;AAAA,MACA,IAAA,EAAM,OAAA,CAAQ,GAAA,CAAI,SAAA,IAAa,qBAAA;AAAA,MAC/B,QAAA,EAAU,QAAQ,GAAA,CAAI;AAAA,KACxB,GACA,MAAA;AAAA,IACJ,gBAAA,EAAkB,OAAA,CAAQ,GAAA,CAAI,uBAAA,KAA4B;AAAA,GAC5D;AACF;AAEA,eAAsB,cACpB,WAAA,EACiC;AACjC,EAAA,MAAM,SAAS,mBAAA,EAAoB;AACnC,EAAA,IAAI,CAAC,MAAA,EAAQ;AACX,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,IAAI,WAAA,EAAa;AACf,IAAA,MAAA,CAAO,WAAA,GAAc,WAAA;AAAA,EACvB;AAEA,EAAA,OAAA,CAAQ,IAAI,kCAAkC,CAAA;AAC9C,EAAA,MAAM,MAAA,GAAS,MAAM,cAAA,CAAe,MAAM,CAAA;AAE1C,EAAA,IAAI,OAAO,OAAA,EAAS;AAClB,IAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,oBAAA,EAAuB,MAAA,CAAO,UAAU,CAAA,CAAE,CAAA;AAAA,EACxD,CAAA,MAAO;AACL,IAAA,OAAA,CAAQ,KAAA,CAAM,CAAA,kBAAA,EAAqB,MAAA,CAAO,KAAK,CAAA,CAAE,CAAA;AAAA,EACnD;AAEA,EAAA,OAAO,MAAA;AACT;AAEA,eAAsB,kBAAA,CACpB,MAAA,EACA,UAAA,GAAqB,CAAA,EACrB,eAAuB,GAAA,EACG;AAC1B,EAAA,IAAI,SAAA,GAAoB,EAAA;AAExB,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,UAAA,EAAY,CAAA,EAAA,EAAK;AACnC,IAAA,MAAM,MAAA,GAAS,MAAM,cAAA,CAAe,MAAM,CAAA;AAE1C,IAAA,IAAI,OAAO,OAAA,EAAS;AAClB,MAAA,OAAO,MAAA;AAAA,IACT;AAEA,IAAA,SAAA,GAAY,OAAO,KAAA,IAAS,eAAA;AAE5B,IAAA,IAAI,SAAA,CAAU,QAAA,CAAS,gBAAgB,CAAA,EAAG;AACxC,MAAA,OAAO,MAAA;AAAA,IACT;AAEA,IAAA,IAAI,CAAA,GAAI,aAAa,CAAA,EAAG;AACtB,MAAA,MAAM,IAAI,OAAA,CAAQ,CAAC,YAAY,UAAA,CAAW,OAAA,EAAS,YAAY,CAAC,CAAA;AAAA,IAClE;AAAA,EACF;AAEA,EAAA,OAAO;AAAA,IACL,OAAA,EAAS,KAAA;AAAA,IACT,KAAA,EAAO,CAAA,aAAA,EAAgB,UAAU,CAAA,UAAA,EAAa,SAAS,CAAA;AAAA,GACzD;AACF","file":"chunk-YVUJBEXE.cjs","sourcesContent":["import { SQLiteAuthAdapter } from \"./sqlite-adapter.js\";\nimport { EmailTransport, type EmailConfig } from \"./nodemailer-transport.js\";\nimport { PasswordPolicy } from \"./security/password-policy.js\";\nimport type { AuthUser, UserRole, AuthAdapter } from \"./types.js\";\n\nexport interface BootstrapConfig {\n  authAdapter?: AuthAdapter;\n  authDbPath?: string;\n  adminEmail: string;\n  adminPassword: string;\n  adminRole?: string;\n  tenantId?: string;\n  emailConfig?: EmailConfig;\n  sendWelcomeEmail?: boolean;\n}\n\nexport interface BootstrapResult {\n  success: boolean;\n  user?: AuthUser;\n  error?: string;\n}\n\nexport async function bootstrapAdmin(\n  config: BootstrapConfig,\n): Promise<BootstrapResult> {\n  const {\n    adminEmail,\n    adminPassword,\n    adminRole = \"super_admin\",\n    tenantId,\n    emailConfig,\n    sendWelcomeEmail = false,\n  } = config;\n\n  const authAdapter =\n    config.authAdapter ||\n    new SQLiteAuthAdapter({\n      path: config.authDbPath || \"./data/auth.db\",\n    });\n\n  try {\n    await authAdapter.connect?.();\n  } catch (error) {\n    return {\n      success: false,\n      error: \"Failed to connect to auth storage\",\n    };\n  }\n\n  const passwordPolicy = new PasswordPolicy();\n  const passwordValidation = passwordPolicy.validate(adminPassword);\n  if (!passwordValidation.valid) {\n    await authAdapter.disconnect?.();\n    return {\n      success: false,\n      error: `Invalid password: ${passwordValidation.errors.join(\", \")}`,\n    };\n  }\n\n  const existingUser = await authAdapter.findUserByEmail(adminEmail);\n  if (existingUser) {\n    await authAdapter.disconnect?.();\n    return {\n      success: false,\n      error: \"Admin user already exists\",\n    };\n  }\n\n  try {\n    const user = await authAdapter.createUser({\n      email: adminEmail,\n      password: adminPassword,\n      role: (adminRole as UserRole) || \"admin\",\n      tenantId,\n    });\n\n    if (sendWelcomeEmail && emailConfig) {\n      const emailTransport = new EmailTransport(emailConfig);\n      const templates = emailTransport.getTemplates();\n      const welcomeTemplate = templates.welcome(adminEmail.split(\"@\")[0]);\n      await emailTransport.send({\n        to: adminEmail,\n        ...welcomeTemplate,\n      });\n    }\n\n    await authAdapter.disconnect?.();\n    return {\n      success: true,\n      user,\n    };\n  } catch (error) {\n    await authAdapter.disconnect?.();\n    return {\n      success: false,\n      error:\n        error instanceof Error ? error.message : \"Failed to create admin user\",\n    };\n  }\n}\n\nexport async function checkBootstrapRequired(\n  authAdapter: AuthAdapter,\n  adminEmail: string,\n): Promise<boolean> {\n  const existingUser = await authAdapter.findUserByEmail(adminEmail);\n  return !existingUser;\n}\n\nexport function getBootstrapFromEnv(): BootstrapConfig | null {\n  const email = process.env.KYRO_ADMIN_EMAIL;\n  const password = process.env.KYRO_ADMIN_PASSWORD;\n\n  if (!email || !password) {\n    return null;\n  }\n\n  return {\n    authDbPath: process.env.KYRO_AUTH_DB_PATH || \"./data/auth.db\",\n    adminEmail: email,\n    adminPassword: password,\n    adminRole: process.env.KYRO_ADMIN_ROLE || \"super_admin\",\n    tenantId: process.env.KYRO_ADMIN_TENANT_ID,\n    emailConfig: process.env.SMTP_HOST\n      ? {\n          provider: \"smtp\",\n          smtp: {\n            host: process.env.SMTP_HOST,\n            port: parseInt(process.env.SMTP_PORT || \"587\", 10),\n            secure: process.env.SMTP_SECURE === \"true\",\n            auth: {\n              user: process.env.SMTP_USER || \"\",\n              pass: process.env.SMTP_PASS || \"\",\n            },\n          },\n          from: process.env.SMTP_FROM || \"noreply@example.com\",\n          fromName: process.env.SMTP_FROM_NAME,\n        }\n      : undefined,\n    sendWelcomeEmail: process.env.KYRO_ADMIN_SEND_WELCOME === \"true\",\n  };\n}\n\nexport async function autoBootstrap(\n  authAdapter?: AuthAdapter,\n): Promise<BootstrapResult | null> {\n  const config = getBootstrapFromEnv();\n  if (!config) {\n    return null;\n  }\n\n  if (authAdapter) {\n    config.authAdapter = authAdapter;\n  }\n\n  console.log(\"Auto-bootstrapping admin user...\");\n  const result = await bootstrapAdmin(config);\n\n  if (result.success) {\n    console.log(`Admin user created: ${config.adminEmail}`);\n  } else {\n    console.error(`Bootstrap failed: ${result.error}`);\n  }\n\n  return result;\n}\n\nexport async function bootstrapWithRetry(\n  config: BootstrapConfig,\n  maxRetries: number = 3,\n  retryDelayMs: number = 2000,\n): Promise<BootstrapResult> {\n  let lastError: string = \"\";\n\n  for (let i = 0; i < maxRetries; i++) {\n    const result = await bootstrapAdmin(config);\n\n    if (result.success) {\n      return result;\n    }\n\n    lastError = result.error || \"Unknown error\";\n\n    if (lastError.includes(\"already exists\")) {\n      return result;\n    }\n\n    if (i < maxRetries - 1) {\n      await new Promise((resolve) => setTimeout(resolve, retryDelayMs));\n    }\n  }\n\n  return {\n    success: false,\n    error: `Failed after ${maxRetries} retries: ${lastError}`,\n  };\n}\n"]}