@kyro-cms/core 0.6.0 → 0.7.0

package/dist/chunk-H727JIG7.js

@@ -0,0 +1,809 @@
+import bcrypt from 'bcryptjs';
+import { randomBytes } from 'crypto';
+import { mkdirSync } from 'fs';
+import { dirname } from 'path';
+import { createRequire } from 'module';
+
+// src/auth/sqlite-adapter.ts
+var _require = createRequire(import.meta.url);
+var modPath = "node:sqlite";
+var { DatabaseSync } = _require(modPath);
+var DEFAULT_BUSY_TIMEOUT = 5e3;
+var DEFAULT_WAL_CHECKPOINT = 1e3;
+var DEFAULT_CACHE_SIZE = -64e3;
+var DEFAULT_MMAP_SIZE = 268435456;
+var SQLiteAuthAdapter = class {
+  db = null;
+  path;
+  saltRounds;
+  externalDb;
+  busyTimeout;
+  walAutoCheckpoint;
+  cacheSize;
+  mmapSize;
+  preparedStatements = /* @__PURE__ */ new Map();
+  constructor(options = {}) {
+    this.path = options.path || "./data/auth.db";
+    this.saltRounds = options.saltRounds || 12;
+    this.externalDb = !!options.db;
+    this.busyTimeout = options.busyTimeout ?? DEFAULT_BUSY_TIMEOUT;
+    this.walAutoCheckpoint = options.walAutoCheckpoint ?? DEFAULT_WAL_CHECKPOINT;
+    this.cacheSize = options.cacheSize ?? DEFAULT_CACHE_SIZE;
+    this.mmapSize = options.mmapSize ?? DEFAULT_MMAP_SIZE;
+    if (options.db) {
+      this.db = options.db;
+    }
+  }
+  async connect() {
+    if (this.db) return;
+    const dir = dirname(this.path);
+    if (dir && dir !== ".") {
+      mkdirSync(dir, { recursive: true });
+    }
+    this.db = new DatabaseSync(this.path);
+    this.db.exec(`PRAGMA busy_timeout = ${this.busyTimeout}`);
+    this.db.exec("PRAGMA journal_mode = WAL");
+    this.db.exec("PRAGMA synchronous = NORMAL");
+    this.db.exec("PRAGMA cache_size = " + this.cacheSize);
+    this.db.exec("PRAGMA mmap_size = " + this.mmapSize);
+    this.db.exec("PRAGMA wal_autocheckpoint = " + this.walAutoCheckpoint);
+    this.db.exec("PRAGMA foreign_keys = ON");
+    this.db.exec("PRAGMA temp_store = MEMORY");
+    this.ensureTables();
+    this.prepareStatements();
+  }
+  async disconnect() {
+    if (this.db && !this.externalDb) {
+      this.db.exec("PRAGMA wal_checkpoint(TRUNCATE)");
+      this.db.close();
+      this.db = null;
+      this.preparedStatements.clear();
+    }
+  }
+  async ensureConnected() {
+    if (!this.db) {
+      await this.connect();
+    }
+    if (!this.db) {
+      throw new Error("Failed to connect to SQLite database");
+    }
+    return this.db;
+  }
+  ensureTables() {
+    if (!this.db) return;
+    this.db.exec(`
+      CREATE TABLE IF NOT EXISTS kyro_users (
+        id TEXT PRIMARY KEY,
+        name TEXT,
+        email TEXT UNIQUE NOT NULL,
+        password_hash TEXT NOT NULL,
+        role TEXT NOT NULL DEFAULT 'customer',
+        tenant_id TEXT,
+        email_verified INTEGER DEFAULT 0,
+        locked INTEGER DEFAULT 0,
+        last_login TEXT,
+        failed_login_attempts INTEGER DEFAULT 0,
+        locked_until TEXT,
+        created_at TEXT NOT NULL,
+        updated_at TEXT NOT NULL
+      );
+
+      CREATE TABLE IF NOT EXISTS kyro_sessions (
+        id TEXT PRIMARY KEY,
+        user_id TEXT NOT NULL,
+        token TEXT NOT NULL,
+        refresh_token TEXT,
+        expires_at TEXT NOT NULL,
+        created_at TEXT NOT NULL,
+        ip_address TEXT,
+        user_agent TEXT,
+        FOREIGN KEY (user_id) REFERENCES kyro_users(id) ON DELETE CASCADE
+      );
+
+      CREATE TABLE IF NOT EXISTS kyro_password_history (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        user_id TEXT NOT NULL,
+        password_hash TEXT NOT NULL,
+        created_at TEXT NOT NULL,
+        FOREIGN KEY (user_id) REFERENCES kyro_users(id) ON DELETE CASCADE
+      );
+
+      CREATE TABLE IF NOT EXISTS kyro_rate_limits (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        key TEXT NOT NULL,
+        window_start INTEGER NOT NULL,
+        count INTEGER NOT NULL DEFAULT 1,
+        UNIQUE(key, window_start)
+      );
+
+      CREATE TABLE IF NOT EXISTS kyro_lockouts (
+        user_id TEXT PRIMARY KEY,
+        attempts INTEGER NOT NULL DEFAULT 0,
+        last_attempt INTEGER,
+        locked_at INTEGER,
+        locked_until INTEGER
+      );
+
+      CREATE TABLE IF NOT EXISTS kyro_audit_logs (
+        id TEXT PRIMARY KEY,
+        timestamp TEXT NOT NULL,
+        action TEXT NOT NULL,
+        user_id TEXT,
+        user_email TEXT,
+        role TEXT,
+        resource TEXT NOT NULL,
+        resource_id TEXT,
+        ip_address TEXT,
+        user_agent TEXT,
+        success INTEGER NOT NULL,
+        error TEXT,
+        metadata TEXT,
+        created_at TEXT NOT NULL DEFAULT (datetime('now'))
+      );
+
+      CREATE INDEX IF NOT EXISTS idx_kyro_users_email ON kyro_users(email);
+      CREATE INDEX IF NOT EXISTS idx_kyro_sessions_user_id ON kyro_sessions(user_id);
+      CREATE INDEX IF NOT EXISTS idx_kyro_sessions_token ON kyro_sessions(token);
+      CREATE INDEX IF NOT EXISTS idx_kyro_sessions_refresh_token ON kyro_sessions(refresh_token);
+      CREATE INDEX IF NOT EXISTS idx_kyro_sessions_expires ON kyro_sessions(expires_at);
+      CREATE INDEX IF NOT EXISTS idx_kyro_password_history_user_id ON kyro_password_history(user_id);
+      CREATE INDEX IF NOT EXISTS idx_kyro_rate_limits_key ON kyro_rate_limits(key);
+      CREATE INDEX IF NOT EXISTS idx_kyro_rate_limits_window ON kyro_rate_limits(window_start);
+      CREATE INDEX IF NOT EXISTS idx_kyro_lockouts_locked_until ON kyro_lockouts(locked_until);
+      CREATE INDEX IF NOT EXISTS idx_kyro_audit_logs_timestamp ON kyro_audit_logs(timestamp);
+      CREATE INDEX IF NOT EXISTS idx_kyro_audit_logs_action ON kyro_audit_logs(action);
+      CREATE INDEX IF NOT EXISTS idx_kyro_audit_logs_user_id ON kyro_audit_logs(user_id);
+      CREATE INDEX IF NOT EXISTS idx_kyro_audit_logs_resource ON kyro_audit_logs(resource);
+
+      CREATE TABLE IF NOT EXISTS kyro_email_verifications (
+        id TEXT PRIMARY KEY,
+        user_id TEXT NOT NULL,
+        token TEXT UNIQUE NOT NULL,
+        expires_at TEXT NOT NULL,
+        created_at TEXT NOT NULL DEFAULT (datetime('now')),
+        FOREIGN KEY (user_id) REFERENCES kyro_users(id) ON DELETE CASCADE
+      );
+
+      CREATE TABLE IF NOT EXISTS kyro_password_resets (
+        id TEXT PRIMARY KEY,
+        user_id TEXT NOT NULL,
+        token TEXT UNIQUE NOT NULL,
+        expires_at TEXT NOT NULL,
+        used_at TEXT,
+        created_at TEXT NOT NULL DEFAULT (datetime('now')),
+        FOREIGN KEY (user_id) REFERENCES kyro_users(id) ON DELETE CASCADE
+      );
+
+      CREATE INDEX IF NOT EXISTS idx_kyro_email_verifications_token ON kyro_email_verifications(token);
+      CREATE INDEX IF NOT EXISTS idx_kyro_password_resets_token ON kyro_password_resets(token);
+    `);
+    try {
+      this.db.exec(`ALTER TABLE kyro_users ADD COLUMN name TEXT`);
+    } catch {
+    }
+  }
+  prepareStatements() {
+    if (!this.db) return;
+    this.preparedStatements.set(
+      "findUserByEmail",
+      this.db.prepare("SELECT * FROM kyro_users WHERE email = ?")
+    );
+    this.preparedStatements.set(
+      "findUserById",
+      this.db.prepare("SELECT * FROM kyro_users WHERE id = ?")
+    );
+    this.preparedStatements.set(
+      "findSessionByToken",
+      this.db.prepare("SELECT * FROM kyro_sessions WHERE token = ?")
+    );
+    this.preparedStatements.set(
+      "findSessionByRefreshToken",
+      this.db.prepare("SELECT * FROM kyro_sessions WHERE refresh_token = ?")
+    );
+    this.preparedStatements.set(
+      "deleteSession",
+      this.db.prepare("DELETE FROM kyro_sessions WHERE id = ? OR token = ?")
+    );
+    this.preparedStatements.set(
+      "deleteUserSessions",
+      this.db.prepare("DELETE FROM kyro_sessions WHERE user_id = ?")
+    );
+    this.preparedStatements.set(
+      "countUsers",
+      this.db.prepare("SELECT COUNT(*) as count FROM kyro_users")
+    );
+    this.preparedStatements.set(
+      "deleteUser",
+      this.db.prepare("DELETE FROM kyro_users WHERE id = ?")
+    );
+    this.preparedStatements.set(
+      "findUsersPaginated",
+      this.db.prepare(
+        "SELECT * FROM kyro_users ORDER BY created_at DESC LIMIT ? OFFSET ?"
+      )
+    );
+    this.preparedStatements.set(
+      "findUsersWithSearch",
+      this.db.prepare(
+        "SELECT * FROM kyro_users WHERE email LIKE ? ORDER BY created_at DESC LIMIT ? OFFSET ?"
+      )
+    );
+    this.preparedStatements.set(
+      "countUsersWithSearch",
+      this.db.prepare(
+        "SELECT COUNT(*) as count FROM kyro_users WHERE email LIKE ?"
+      )
+    );
+    this.preparedStatements.set(
+      "getPasswordHistory",
+      this.db.prepare(
+        "SELECT password_hash FROM kyro_password_history WHERE user_id = ? ORDER BY created_at DESC LIMIT ?"
+      )
+    );
+    this.preparedStatements.set(
+      "addPasswordHistory",
+      this.db.prepare(
+        "INSERT INTO kyro_password_history (user_id, password_hash, created_at) VALUES (?, ?, ?)"
+      )
+    );
+    this.preparedStatements.set(
+      "trimPasswordHistory",
+      this.db.prepare(
+        `DELETE FROM kyro_password_history WHERE id IN (
+          SELECT id FROM kyro_password_history WHERE user_id = ? ORDER BY created_at DESC LIMIT -1 OFFSET 5
+        )`
+      )
+    );
+    this.preparedStatements.set(
+      "deleteExpiredSessions",
+      this.db.prepare("DELETE FROM kyro_sessions WHERE expires_at < ?")
+    );
+    this.preparedStatements.set(
+      "cleanupOldAuditLogs",
+      this.db.prepare("DELETE FROM kyro_audit_logs WHERE timestamp < ?")
+    );
+    this.preparedStatements.set(
+      "cleanupExpiredLockouts",
+      this.db.prepare(
+        "UPDATE kyro_lockouts SET attempts = 0, locked_at = NULL, locked_until = NULL WHERE locked_until < ?"
+      )
+    );
+    this.preparedStatements.set(
+      "getLockout",
+      this.db.prepare("SELECT * FROM kyro_lockouts WHERE user_id = ?")
+    );
+    this.preparedStatements.set(
+      "upsertLockout",
+      this.db.prepare(`
+        INSERT INTO kyro_lockouts (user_id, attempts, last_attempt, locked_at, locked_until)
+        VALUES (?, ?, ?, ?, ?)
+        ON CONFLICT(user_id) DO UPDATE SET
+          attempts = excluded.attempts,
+          last_attempt = excluded.last_attempt,
+          locked_at = excluded.locked_at,
+          locked_until = excluded.locked_until
+      `)
+    );
+    this.preparedStatements.set(
+      "resetLockout",
+      this.db.prepare(
+        "UPDATE kyro_lockouts SET attempts = 0, locked_at = NULL, locked_until = NULL WHERE user_id = ?"
+      )
+    );
+  }
+  stmt(name) {
+    const stmt = this.preparedStatements.get(name);
+    if (!stmt) throw new Error(`Prepared statement not found: ${name}`);
+    return stmt;
+  }
+  async cleanupExpiredSessions() {
+    await this.ensureConnected();
+    const result = this.stmt("deleteExpiredSessions").run(
+      (/* @__PURE__ */ new Date()).toISOString()
+    );
+    return result.changes;
+  }
+  async cleanupOldAuditLogs(retentionDays = 30) {
+    await this.ensureConnected();
+    const cutoff = new Date(
+      Date.now() - retentionDays * 24 * 60 * 60 * 1e3
+    ).toISOString();
+    const result = this.stmt("cleanupOldAuditLogs").run(cutoff);
+    return result.changes;
+  }
+  async getStats() {
+    await this.ensureConnected();
+    const userCount = this.stmt("countUsers").get().count;
+    const activeSessionCount = this.db.prepare(
+      "SELECT COUNT(*) as count FROM kyro_sessions WHERE expires_at > ?"
+    ).get((/* @__PURE__ */ new Date()).toISOString()).count;
+    const auditLogCount = this.db.prepare(
+      "SELECT COUNT(*) as count FROM kyro_audit_logs"
+    ).get().count;
+    return { userCount, activeSessionCount, auditLogCount };
+  }
+  async createUser(data) {
+    await this.ensureConnected();
+    const id = randomBytes(16).toString("hex");
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const passwordHash = await this.hashPassword(data.password);
+    const user = {
+      id,
+      name: data.name,
+      email: data.email.toLowerCase(),
+      passwordHash,
+      role: data.role || "customer",
+      tenantId: data.tenantId,
+      createdAt: now,
+      updatedAt: now
+    };
+    this.db.prepare(
+      `INSERT INTO kyro_users (id, name, email, password_hash, role, tenant_id, created_at, updated_at)
+          VALUES (?, ?, ?, ?, ?, ?, ?, ?)`
+    ).run(
+      id,
+      user.name || null,
+      user.email,
+      user.passwordHash,
+      user.role,
+      user.tenantId,
+      now,
+      now
+    );
+    return user;
+  }
+  async findUserByEmail(email) {
+    await this.ensureConnected();
+    const row = this.stmt("findUserByEmail").get(email.toLowerCase());
+    if (!row) return null;
+    return this.rowToUser(row);
+  }
+  async findUserById(userId) {
+    await this.ensureConnected();
+    const row = this.stmt("findUserById").get(userId);
+    if (!row) return null;
+    return this.rowToUser(row);
+  }
+  async updateUser(userId, data) {
+    await this.ensureConnected();
+    const existing = await this.findUserById(userId);
+    if (!existing) return null;
+    const updates = [];
+    const values = [];
+    if (data.email !== void 0) {
+      updates.push("email = ?");
+      values.push(data.email.toLowerCase());
+    }
+    if (data.name !== void 0) {
+      updates.push("name = ?");
+      values.push(data.name);
+    }
+    if (data.passwordHash !== void 0) {
+      updates.push("password_hash = ?");
+      values.push(data.passwordHash);
+    }
+    if (data.role !== void 0) {
+      updates.push("role = ?");
+      values.push(data.role);
+    }
+    if (data.tenantId !== void 0) {
+      updates.push("tenant_id = ?");
+      values.push(data.tenantId);
+    }
+    if (data.emailVerified !== void 0) {
+      updates.push("email_verified = ?");
+      values.push(data.emailVerified ? 1 : 0);
+    }
+    if (data.locked !== void 0) {
+      updates.push("locked = ?");
+      values.push(data.locked ? 1 : 0);
+    }
+    if (data.lastLogin !== void 0) {
+      updates.push("last_login = ?");
+      values.push(data.lastLogin);
+    }
+    if (data.failedLoginAttempts !== void 0) {
+      updates.push("failed_login_attempts = ?");
+      values.push(data.failedLoginAttempts);
+    }
+    updates.push("updated_at = ?");
+    values.push((/* @__PURE__ */ new Date()).toISOString());
+    values.push(userId);
+    this.db.prepare(
+      `UPDATE kyro_users SET ${updates.join(", ")} WHERE id = ?`
+    ).run(...values);
+    return this.findUserById(userId);
+  }
+  async deleteUser(userId) {
+    await this.ensureConnected();
+    const result = this.stmt("deleteUser").run(userId);
+    return result.changes > 0;
+  }
+  async hashPassword(password) {
+    return bcrypt.hash(password, this.saltRounds);
+  }
+  async verifyPassword(email, password) {
+    await this.ensureConnected();
+    const user = await this.findUserByEmail(email);
+    if (!user) return null;
+    const stored = this.db.prepare(
+      "SELECT password_hash FROM kyro_users WHERE id = ?"
+    ).get(user.id);
+    if (!stored?.password_hash) return null;
+    const valid = await bcrypt.compare(password, stored.password_hash);
+    return valid ? user : null;
+  }
+  async createSession(userId, data = {}) {
+    await this.ensureConnected();
+    const id = randomBytes(32).toString("hex");
+    const token = randomBytes(32).toString("base64url");
+    const refreshToken = randomBytes(32).toString("base64url");
+    const now = /* @__PURE__ */ new Date();
+    const expiresAt = new Date(now.getTime() + 864e5).toISOString();
+    const session = {
+      id,
+      userId,
+      token,
+      refreshToken,
+      expiresAt,
+      createdAt: now.toISOString(),
+      ipAddress: data.ipAddress,
+      userAgent: data.userAgent
+    };
+    this.db.prepare(
+      `INSERT INTO kyro_sessions (id, user_id, token, refresh_token, expires_at, created_at, ip_address, user_agent)
+         VALUES (?, ?, ?, ?, ?, ?, ?, ?)`
+    ).run(
+      session.id,
+      session.userId,
+      session.token,
+      session.refreshToken,
+      session.expiresAt,
+      session.createdAt,
+      session.ipAddress,
+      session.userAgent
+    );
+    return session;
+  }
+  async findSessionByToken(token) {
+    await this.ensureConnected();
+    const row = this.stmt("findSessionByToken").get(token);
+    if (!row) return null;
+    return this.rowToSession(row);
+  }
+  async findSessionByRefreshToken(refreshToken) {
+    await this.ensureConnected();
+    const row = this.stmt("findSessionByRefreshToken").get(refreshToken);
+    if (!row) return null;
+    return this.rowToSession(row);
+  }
+  async deleteSession(sessionId) {
+    await this.ensureConnected();
+    const result = this.stmt("deleteSession").run(sessionId, sessionId);
+    return result.changes > 0;
+  }
+  async deleteUserSessions(userId) {
+    await this.ensureConnected();
+    const result = this.stmt("deleteUserSessions").run(userId);
+    return result.changes;
+  }
+  async hasAnyUsers() {
+    await this.ensureConnected();
+    const row = this.stmt("countUsers").get();
+    return row.count > 0;
+  }
+  async findUsers(options = {}) {
+    await this.ensureConnected();
+    const page = options.page ?? 1;
+    const limit = options.limit ?? 10;
+    const offset = (page - 1) * limit;
+    const search = options.search;
+    let total;
+    let rows;
+    if (search) {
+      const searchPattern = `%${search}%`;
+      total = this.stmt("countUsersWithSearch").get(searchPattern).count;
+      rows = this.stmt("findUsersWithSearch").all(
+        searchPattern,
+        limit,
+        offset
+      );
+    } else {
+      total = this.stmt("countUsers").get().count;
+      rows = this.stmt("findUsersPaginated").all(limit, offset);
+    }
+    return {
+      users: rows.map((row) => this.rowToUser(row)),
+      total
+    };
+  }
+  async addPasswordToHistory(userId, passwordHash) {
+    await this.ensureConnected();
+    this.stmt("addPasswordHistory").run(
+      userId,
+      passwordHash,
+      (/* @__PURE__ */ new Date()).toISOString()
+    );
+    this.stmt("trimPasswordHistory").run(userId);
+  }
+  async getPasswordHistory(userId, count = 5) {
+    await this.ensureConnected();
+    const rows = this.stmt("getPasswordHistory").all(userId, count);
+    return rows.map((r) => r.password_hash);
+  }
+  async isPasswordInHistory(password, userId, historyCount = 5) {
+    const history = await this.getPasswordHistory(userId, historyCount);
+    for (const hash of history) {
+      if (await bcrypt.compare(password, hash)) {
+        return true;
+      }
+    }
+    return false;
+  }
+  async recordFailedAttempt(userId) {
+    await this.ensureConnected();
+    const now = Date.now();
+    const lockout = this.stmt("getLockout").get(userId);
+    const attempts = (lockout?.attempts || 0) + 1;
+    const lockedUntil = attempts >= 5 ? now + 15 * 60 * 1e3 : lockout?.locked_until || null;
+    this.stmt("upsertLockout").run(
+      userId,
+      attempts,
+      now,
+      lockedUntil !== null ? now : null,
+      lockedUntil
+    );
+  }
+  async resetAttempts(userId) {
+    await this.ensureConnected();
+    this.stmt("resetLockout").run(userId);
+  }
+  async checkLockout(userId) {
+    await this.ensureConnected();
+    this.stmt("cleanupExpiredLockouts").run(Date.now());
+    const lockout = this.stmt("getLockout").get(userId);
+    if (!lockout) {
+      return {
+        locked: false,
+        attemptsRemaining: 5,
+        totalAttempts: 0
+      };
+    }
+    if (lockout.locked_until !== null && lockout.locked_until > Date.now()) {
+      return {
+        locked: true,
+        attemptsRemaining: 0,
+        lockedUntil: new Date(lockout.locked_until),
+        totalAttempts: lockout.attempts
+      };
+    }
+    return {
+      locked: false,
+      attemptsRemaining: Math.max(0, 5 - lockout.attempts),
+      totalAttempts: lockout.attempts
+    };
+  }
+  async logAudit(data) {
+    await this.ensureConnected();
+    const id = randomBytes(16).toString("hex");
+    const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+    this.db.prepare(
+      `INSERT INTO kyro_audit_logs (
+          id, timestamp, action, user_id, user_email, role, resource, resource_id,
+          ip_address, user_agent, success, error, metadata, created_at
+        ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`
+    ).run(
+      id,
+      timestamp,
+      data.action,
+      data.userId || null,
+      data.userEmail || null,
+      data.role || null,
+      data.resource,
+      data.resourceId || null,
+      data.ipAddress || null,
+      data.userAgent || null,
+      data.success ? 1 : 0,
+      data.error || null,
+      data.metadata ? JSON.stringify(data.metadata) : null,
+      (/* @__PURE__ */ new Date()).toISOString()
+    );
+    return id;
+  }
+  async queryAuditLogs(options = {}) {
+    await this.ensureConnected();
+    const conditions = [];
+    const params = [];
+    if (options.action) {
+      conditions.push("action = ?");
+      params.push(options.action);
+    }
+    if (options.userId) {
+      conditions.push("user_id = ?");
+      params.push(options.userId);
+    }
+    if (options.resource) {
+      conditions.push("resource = ?");
+      params.push(options.resource);
+    }
+    if (options.success !== void 0) {
+      conditions.push("success = ?");
+      params.push(options.success ? 1 : 0);
+    }
+    if (options.startDate) {
+      conditions.push("timestamp >= ?");
+      params.push(options.startDate.toISOString());
+    }
+    if (options.endDate) {
+      conditions.push("timestamp <= ?");
+      params.push(options.endDate.toISOString());
+    }
+    const where = conditions.length > 0 ? "WHERE " + conditions.join(" AND ") : "";
+    const limit = options.limit || 50;
+    const offset = options.offset || 0;
+    const totalResult = this.db.prepare(
+      `SELECT COUNT(*) as count FROM kyro_audit_logs ${where}`
+    ).get(...params);
+    const rows = this.db.prepare(
+      `SELECT * FROM kyro_audit_logs ${where} ORDER BY timestamp DESC LIMIT ? OFFSET ?`
+    ).all(...params, limit, offset);
+    return {
+      total: totalResult.count,
+      logs: rows.map((row) => ({
+        id: row.id,
+        timestamp: new Date(row.timestamp),
+        action: row.action,
+        userId: row.user_id || void 0,
+        userEmail: row.user_email || void 0,
+        resource: row.resource,
+        resourceId: row.resource_id || void 0,
+        ipAddress: row.ip_address || void 0,
+        userAgent: row.user_agent || void 0,
+        success: row.success === 1,
+        error: row.error || void 0,
+        metadata: row.metadata ? JSON.parse(row.metadata) : void 0
+      }))
+    };
+  }
+  rowToUser(row) {
+    return {
+      id: row.id,
+      name: row.name || void 0,
+      email: row.email,
+      passwordHash: row.password_hash,
+      role: row.role,
+      tenantId: row.tenant_id,
+      emailVerified: row.email_verified === 1,
+      locked: row.locked === 1,
+      lastLogin: row.last_login,
+      failedLoginAttempts: row.failed_login_attempts || 0,
+      createdAt: row.created_at,
+      updatedAt: row.updated_at
+    };
+  }
+  rowToSession(row) {
+    return {
+      id: row.id,
+      userId: row.user_id,
+      token: row.token,
+      refreshToken: row.refresh_token,
+      expiresAt: row.expires_at,
+      createdAt: row.created_at,
+      ipAddress: row.ip_address,
+      userAgent: row.user_agent
+    };
+  }
+  async findAuditLogs(filter) {
+    const result = await this.queryAuditLogs({
+      action: filter.action,
+      userId: filter.userId,
+      resource: filter.resource,
+      success: filter.success,
+      startDate: filter.startDate,
+      endDate: filter.endDate,
+      limit: filter.limit,
+      offset: filter.offset
+    });
+    return {
+      logs: result.logs.map((log) => ({
+        ...log,
+        action: log.action
+      })),
+      total: result.total
+    };
+  }
+  async createAuditLog(data) {
+    const id = await this.logAudit({
+      action: data.action,
+      userId: data.userId,
+      userEmail: data.userEmail,
+      role: data.role,
+      resource: data.resource,
+      resourceId: data.resourceId,
+      ipAddress: data.ipAddress,
+      userAgent: data.userAgent,
+      success: data.success,
+      error: data.error,
+      metadata: data.metadata
+    });
+    const row = this.db?.prepare("SELECT * FROM kyro_audit_logs WHERE id = ?").get(id);
+    return {
+      ...data,
+      id,
+      timestamp: row ? new Date(row.timestamp) : /* @__PURE__ */ new Date()
+    };
+  }
+  async createEmailVerificationToken(userId) {
+    await this.ensureConnected();
+    const id = randomBytes(16).toString("hex");
+    const token = randomBytes(32).toString("hex");
+    const expiresAt = new Date(Date.now() + 24 * 60 * 60 * 1e3);
+    this.db.prepare(
+      "INSERT INTO kyro_email_verifications (id, user_id, token, expires_at, created_at) VALUES (?, ?, ?, ?, ?)"
+    ).run(id, userId, token, expiresAt.toISOString(), (/* @__PURE__ */ new Date()).toISOString());
+    return { token, expiresAt };
+  }
+  async verifyEmailToken(token) {
+    await this.ensureConnected();
+    const row = this.db.prepare(
+      "SELECT * FROM kyro_email_verifications WHERE token = ?"
+    ).get(token);
+    if (!row) {
+      return { success: false, error: "Invalid verification token" };
+    }
+    if (new Date(row.expires_at) < /* @__PURE__ */ new Date()) {
+      return { success: false, error: "Verification token has expired" };
+    }
+    this.db.prepare(
+      "UPDATE kyro_users SET email_verified = 1 WHERE id = ?"
+    ).run(row.user_id);
+    this.db.prepare(
+      "DELETE FROM kyro_email_verifications WHERE id = ?"
+    ).run(row.id);
+    return { success: true, userId: row.user_id };
+  }
+  async createPasswordResetToken(email) {
+    await this.ensureConnected();
+    const user = await this.findUserByEmail(email);
+    if (!user) {
+      return { token: "", expiresAt: /* @__PURE__ */ new Date(), error: "User not found" };
+    }
+    const id = randomBytes(16).toString("hex");
+    const token = randomBytes(32).toString("hex");
+    const expiresAt = new Date(Date.now() + 60 * 60 * 1e3);
+    this.db.prepare(
+      "INSERT INTO kyro_password_resets (id, user_id, token, expires_at, created_at) VALUES (?, ?, ?, ?, ?)"
+    ).run(id, user.id, token, expiresAt.toISOString(), (/* @__PURE__ */ new Date()).toISOString());
+    return { token, expiresAt };
+  }
+  async resetPasswordWithToken(token, newPassword) {
+    await this.ensureConnected();
+    const row = this.db.prepare(
+      "SELECT * FROM kyro_password_resets WHERE token = ?"
+    ).get(token);
+    if (!row) {
+      return { success: false, error: "Invalid reset token" };
+    }
+    if (new Date(row.expires_at) < /* @__PURE__ */ new Date()) {
+      return { success: false, error: "Reset token has expired" };
+    }
+    if (row.used_at) {
+      return { success: false, error: "Reset token has already been used" };
+    }
+    const passwordHash = await this.hashPassword(newPassword);
+    this.db.prepare(
+      "UPDATE kyro_users SET password_hash = ?, updated_at = ? WHERE id = ?"
+    ).run(passwordHash, (/* @__PURE__ */ new Date()).toISOString(), row.user_id);
+    this.db.prepare(
+      "UPDATE kyro_password_resets SET used_at = ? WHERE id = ?"
+    ).run((/* @__PURE__ */ new Date()).toISOString(), row.id);
+    this.db.prepare(
+      "DELETE FROM kyro_sessions WHERE user_id = ?"
+    ).run(row.user_id);
+    return { success: true };
+  }
+};
+
+export { SQLiteAuthAdapter };
+//# sourceMappingURL=chunk-H727JIG7.js.map
+//# sourceMappingURL=chunk-H727JIG7.js.map