@lastshotlabs/bunshot 0.0.10 → 0.0.16

package/dist/lib/createRoute.js

@@ -0,0 +1,147 @@
+import { createRoute as _createRoute } from "@hono/zod-openapi";
+import { getRefId, zodToOpenAPIRegistry } from "@asteasolutions/zod-to-openapi";
+const STATUS_SUFFIX = {
+    "200": "Response",
+    "201": "Response",
+    "204": "Response",
+    "400": "BadRequestError",
+    "401": "UnauthorizedError",
+    "403": "ForbiddenError",
+    "404": "NotFoundError",
+    "409": "ConflictError",
+    "422": "ValidationError",
+    "429": "RateLimitError",
+    "500": "InternalError",
+    "501": "NotImplementedError",
+    "503": "UnavailableError",
+};
+const METHOD_VERB = {
+    get: "Get",
+    post: "Create",
+    put: "Replace",
+    patch: "Update",
+    delete: "Delete",
+};
+/**
+ * Converts a route method + path into a PascalCase base name for auto-generated schema names.
+ * Examples:
+ *   POST /ledger-items       → CreateLedgerItems
+ *   GET  /ledger-items/{id}  → GetLedgerItemsById
+ *   DELETE /auth/sessions/{sessionId} → DeleteAuthSessionsBySessionId
+ */
+function toBaseName(method, path) {
+    const m = METHOD_VERB[method.toLowerCase()] ?? (method.charAt(0).toUpperCase() + method.slice(1).toLowerCase());
+    const segments = path
+        .split("/")
+        .filter(Boolean)
+        .map((seg) => {
+        if (seg.startsWith("{") && seg.endsWith("}")) {
+            const param = seg.slice(1, -1);
+            return "By" + param.charAt(0).toUpperCase() + param.slice(1);
+        }
+        // kebab-case and plain segments → PascalCase
+        return seg.replace(/-([a-z])/g, (_, c) => c.toUpperCase()).replace(/^[a-z]/, (c) => c.toUpperCase());
+    });
+    return m + segments.join("");
+}
+function maybeRegister(schema, name) {
+    if (!schema || typeof schema !== "object" || !("_def" in schema))
+        return;
+    if (getRefId(schema))
+        return; // already named via .openapi()
+    // Write directly to the registry instead of calling schema.openapi(name) — the
+    // .openapi() method requires extendZodWithOpenApi() to have been called on the
+    // same zod instance that created the schema, which isn't guaranteed in tenant apps.
+    zodToOpenAPIRegistry.add(schema, { _internal: { refId: name } });
+}
+/**
+ * Registers a Zod schema as a named entry in `components/schemas`.
+ *
+ * Use this for shared schemas (e.g. shared error types, reusable response shapes)
+ * that aren't directly attached to a specific route. Schemas already registered
+ * under the same name are silently skipped.
+ *
+ * @example
+ * export const MySchema = registerSchema("MySchema", z.object({ id: z.string() }));
+ */
+export const registerSchema = (name, schema) => {
+    if (!getRefId(schema)) {
+        zodToOpenAPIRegistry.add(schema, { _internal: { refId: name } });
+    }
+    return schema;
+};
+/**
+ * Registers multiple Zod schemas at once as named entries in `components/schemas`.
+ * Object keys become the schema names. Returns the same object so you can
+ * destructure or re-export the schemas normally.
+ *
+ * Schemas already registered (e.g. via a prior `registerSchema` call) are skipped.
+ *
+ * @example
+ * export const { LedgerItem, Product } = registerSchemas({
+ *   LedgerItem: z.object({ id: z.string(), amount: z.number() }),
+ *   Product:    z.object({ id: z.string(), price: z.number() }),
+ * });
+ */
+export const registerSchemas = (schemas) => {
+    for (const [name, schema] of Object.entries(schemas)) {
+        if (!getRefId(schema)) {
+            zodToOpenAPIRegistry.add(schema, { _internal: { refId: name } });
+        }
+    }
+    return schemas;
+};
+/**
+ * Auto-registers a module export as a named OpenAPI schema.
+ * Used internally by modelSchemas auto-discovery in createApp.
+ * Strips a trailing "Schema" suffix from the export name.
+ * Skips non-Zod values and already-registered schemas.
+ */
+export function maybeAutoRegister(exportName, value) {
+    if (!value || typeof value !== "object" || !("_def" in value))
+        return;
+    if (getRefId(value))
+        return;
+    const name = exportName.endsWith("Schema")
+        ? exportName.slice(0, -"Schema".length)
+        : exportName;
+    zodToOpenAPIRegistry.add(value, { _internal: { refId: name } });
+}
+/**
+ * Adds an OpenAPI `security` requirement to a route without affecting TypeScript
+ * type inference on the handler. Pass each security scheme as a separate object.
+ *
+ * Use this instead of inlining `security` in `createRoute(...)` — inlining a
+ * field typed as `{ [name: string]: string[] }` breaks `c.req.valid()` inference.
+ *
+ * @example
+ * router.openapi(
+ *   withSecurity(createRoute({ method: "get", path: "/me", ... }), { cookieAuth: [] }, { userToken: [] }),
+ *   async (c) => { ... }
+ * )
+ */
+export const withSecurity = (route, ...schemes) => Object.assign(route, { security: schemes });
+/**
+ * Drop-in replacement for `createRoute` from `@hono/zod-openapi`.
+ *
+ * Automatically registers unnamed request body and response schemas as named
+ * OpenAPI components so they appear in `components/schemas` instead of being
+ * inlined at every use site. Generated names follow the convention:
+ *
+ *   {Method}{PathSegments}Body         — request body
+ *   {Method}{PathSegments}{StatusCode} — response body
+ *
+ * Schemas already named via `.openapi("Name")` are never overwritten.
+ */
+export const createRoute = (config) => {
+    const base = toBaseName(config.method, config.path);
+    // Auto-name the JSON request body schema if present and unnamed
+    const bodySchema = config.request?.body?.content?.["application/json"]?.schema;
+    maybeRegister(bodySchema, `${base}Request`);
+    // Auto-name each JSON response schema if present and unnamed
+    for (const [status, response] of Object.entries(config.responses ?? {})) {
+        const resSchema = response?.content?.["application/json"]?.schema;
+        maybeRegister(resSchema, `${base}${STATUS_SUFFIX[status] ?? status}`);
+    }
+    return _createRoute(config);
+};

package/dist/lib/jwt.d.ts

@@ -1,2 +1,2 @@
-export declare const signToken: (userId: string, sessionId: string) => Promise<string>;
+export declare const signToken: (userId: string, sessionId: string, expirySeconds?: number) => Promise<string>;
 export declare const verifyToken: (token: string) => Promise<import("jose").JWTPayload>;

package/dist/lib/jwt.js

@@ -1,9 +1,9 @@
 import { SignJWT, jwtVerify } from "jose";
 const isProd = process.env.NODE_ENV === "production";
 const secret = new TextEncoder().encode(isProd ? process.env.JWT_SECRET_PROD : process.env.JWT_SECRET_DEV);
-export const signToken = async (userId, sessionId) => new SignJWT({ sub: userId, sid: sessionId })
+export const signToken = async (userId, sessionId, expirySeconds) => new SignJWT({ sub: userId, sid: sessionId })
     .setProtectedHeader({ alg: "HS256" })
-    .setExpirationTime("7d")
+    .setExpirationTime(expirySeconds ? `${expirySeconds}s` : "7d")
     .sign(secret);
 export const verifyToken = async (token) => {
     const { payload } = await jwtVerify(token, secret);

package/dist/lib/mfaChallenge.d.ts

@@ -0,0 +1,20 @@
+export interface MfaChallengeData {
+    userId: string;
+    emailOtpHash?: string;
+}
+/** Must be called when store is "sqlite" to inject the db instance. */
+export declare const setMfaChallengeSqliteDb: (db: any) => void;
+type MfaChallengeStore = "redis" | "mongo" | "sqlite" | "memory";
+export declare const setMfaChallengeStore: (store: MfaChallengeStore) => void;
+export declare const createMfaChallenge: (userId: string, emailOtpHash?: string) => Promise<string>;
+export declare const consumeMfaChallenge: (token: string) => Promise<MfaChallengeData | null>;
+/**
+ * Replace the email OTP hash on an existing challenge without consuming it.
+ * Used for the resend flow. Increments resendCount and caps the challenge lifetime.
+ * Returns { userId, resendCount } on success, null if challenge not found/expired/max resends reached.
+ */
+export declare const replaceMfaChallengeOtp: (token: string, newEmailOtpHash: string) => Promise<{
+    userId: string;
+    resendCount: number;
+} | null>;
+export {};

package/dist/lib/mfaChallenge.js

@@ -0,0 +1,184 @@
+import { getRedis } from "./redis";
+import { appConnection, mongoose } from "./mongo";
+import { getAppName, getMfaChallengeTtl } from "./appConfig";
+const MAX_RESENDS = 3;
+function getMfaChallengeModel() {
+    if (appConnection.models["MfaChallenge"])
+        return appConnection.models["MfaChallenge"];
+    const { Schema } = mongoose;
+    const schema = new Schema({
+        token: { type: String, required: true, unique: true },
+        userId: { type: String, required: true },
+        emailOtpHash: { type: String },
+        createdAt: { type: Date, required: true },
+        resendCount: { type: Number, required: true, default: 0 },
+        expiresAt: { type: Date, required: true, index: { expireAfterSeconds: 0 } },
+    }, { collection: "mfa_challenges" });
+    return appConnection.model("MfaChallenge", schema);
+}
+// ---------------------------------------------------------------------------
+// In-memory store
+// ---------------------------------------------------------------------------
+const _memoryChallenges = new Map();
+// ---------------------------------------------------------------------------
+// SQLite store (reuses the existing SQLite DB instance)
+// ---------------------------------------------------------------------------
+let _sqliteDb = null;
+let _sqliteTableCreated = false;
+/** Must be called when store is "sqlite" to inject the db instance. */
+export const setMfaChallengeSqliteDb = (db) => { _sqliteDb = db; };
+function ensureSqliteMfaTable() {
+    if (_sqliteTableCreated || !_sqliteDb)
+        return;
+    _sqliteDb.run(`CREATE TABLE IF NOT EXISTS mfa_challenges (
+    token        TEXT PRIMARY KEY,
+    userId       TEXT NOT NULL,
+    emailOtpHash TEXT,
+    createdAt    INTEGER NOT NULL,
+    resendCount  INTEGER NOT NULL DEFAULT 0,
+    expiresAt    INTEGER NOT NULL
+  )`);
+    // Migrate pre-existing tables that lack the new columns
+    try {
+        _sqliteDb.run("ALTER TABLE mfa_challenges ADD COLUMN emailOtpHash TEXT");
+    }
+    catch { /* already exists */ }
+    try {
+        _sqliteDb.run("ALTER TABLE mfa_challenges ADD COLUMN createdAt INTEGER NOT NULL DEFAULT 0");
+    }
+    catch { /* already exists */ }
+    try {
+        _sqliteDb.run("ALTER TABLE mfa_challenges ADD COLUMN resendCount INTEGER NOT NULL DEFAULT 0");
+    }
+    catch { /* already exists */ }
+    _sqliteTableCreated = true;
+}
+let _store = "redis";
+export const setMfaChallengeStore = (store) => { _store = store; };
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+export const createMfaChallenge = async (userId, emailOtpHash) => {
+    const token = crypto.randomUUID();
+    const ttl = getMfaChallengeTtl();
+    const now = Date.now();
+    if (_store === "memory") {
+        _memoryChallenges.set(token, { userId, emailOtpHash, createdAt: now, resendCount: 0, expiresAt: now + ttl * 1000 });
+        return token;
+    }
+    if (_store === "sqlite") {
+        ensureSqliteMfaTable();
+        _sqliteDb.run("INSERT INTO mfa_challenges (token, userId, emailOtpHash, createdAt, resendCount, expiresAt) VALUES (?, ?, ?, ?, 0, ?)", [token, userId, emailOtpHash ?? null, now, now + ttl * 1000]);
+        return token;
+    }
+    if (_store === "mongo") {
+        await getMfaChallengeModel().create({
+            token,
+            userId,
+            emailOtpHash,
+            createdAt: new Date(now),
+            resendCount: 0,
+            expiresAt: new Date(now + ttl * 1000),
+        });
+        return token;
+    }
+    // redis
+    await getRedis().set(`mfachallenge:${getAppName()}:${token}`, JSON.stringify({ userId, emailOtpHash, createdAt: now, resendCount: 0 }), "EX", ttl);
+    return token;
+};
+export const consumeMfaChallenge = async (token) => {
+    if (_store === "memory") {
+        const entry = _memoryChallenges.get(token);
+        if (!entry || entry.expiresAt <= Date.now()) {
+            _memoryChallenges.delete(token);
+            return null;
+        }
+        _memoryChallenges.delete(token);
+        return { userId: entry.userId, emailOtpHash: entry.emailOtpHash };
+    }
+    if (_store === "sqlite") {
+        ensureSqliteMfaTable();
+        const row = _sqliteDb.query("DELETE FROM mfa_challenges WHERE token = ? AND expiresAt > ? RETURNING userId, emailOtpHash").get(token, Date.now());
+        return row ? { userId: row.userId, emailOtpHash: row.emailOtpHash ?? undefined } : null;
+    }
+    if (_store === "mongo") {
+        const doc = await getMfaChallengeModel().findOneAndDelete({ token, expiresAt: { $gt: new Date() } });
+        return doc ? { userId: doc.userId, emailOtpHash: doc.emailOtpHash } : null;
+    }
+    // redis
+    const key = `mfachallenge:${getAppName()}:${token}`;
+    const raw = await getRedis().get(key);
+    if (!raw)
+        return null;
+    await getRedis().del(key);
+    const data = JSON.parse(raw);
+    return { userId: data.userId, emailOtpHash: data.emailOtpHash };
+};
+/**
+ * Replace the email OTP hash on an existing challenge without consuming it.
+ * Used for the resend flow. Increments resendCount and caps the challenge lifetime.
+ * Returns { userId, resendCount } on success, null if challenge not found/expired/max resends reached.
+ */
+export const replaceMfaChallengeOtp = async (token, newEmailOtpHash) => {
+    const ttl = getMfaChallengeTtl();
+    if (_store === "memory") {
+        const entry = _memoryChallenges.get(token);
+        if (!entry || entry.expiresAt <= Date.now()) {
+            _memoryChallenges.delete(token);
+            return null;
+        }
+        if (entry.resendCount >= MAX_RESENDS)
+            return null;
+        entry.emailOtpHash = newEmailOtpHash;
+        entry.resendCount++;
+        // Cap lifetime: min(now + ttl, createdAt + ttl * 3)
+        const maxExpiry = entry.createdAt + ttl * 3 * 1000;
+        entry.expiresAt = Math.min(Date.now() + ttl * 1000, maxExpiry);
+        return { userId: entry.userId, resendCount: entry.resendCount };
+    }
+    if (_store === "sqlite") {
+        ensureSqliteMfaTable();
+        const now = Date.now();
+        const existing = _sqliteDb.query("SELECT createdAt, resendCount FROM mfa_challenges WHERE token = ? AND expiresAt > ?").get(token, now);
+        if (!existing || existing.resendCount >= MAX_RESENDS)
+            return null;
+        const newExpiry = Math.min(now + ttl * 1000, existing.createdAt + ttl * 3 * 1000);
+        const newCount = existing.resendCount + 1;
+        const row = _sqliteDb.query("UPDATE mfa_challenges SET emailOtpHash = ?, resendCount = ?, expiresAt = ? WHERE token = ? RETURNING userId").get(newEmailOtpHash, newCount, newExpiry, token);
+        return row ? { userId: row.userId, resendCount: newCount } : null;
+    }
+    if (_store === "mongo") {
+        const now = new Date();
+        const doc = await getMfaChallengeModel().findOneAndUpdate({ token, expiresAt: { $gt: now }, resendCount: { $lt: MAX_RESENDS } }, [
+            {
+                $set: {
+                    emailOtpHash: newEmailOtpHash,
+                    resendCount: { $add: ["$resendCount", 1] },
+                    expiresAt: {
+                        $min: [
+                            new Date(Date.now() + ttl * 1000),
+                            { $add: ["$createdAt", ttl * 3 * 1000] },
+                        ],
+                    },
+                },
+            },
+        ], { new: true });
+        return doc ? { userId: doc.userId, resendCount: doc.resendCount } : null;
+    }
+    // redis
+    const key = `mfachallenge:${getAppName()}:${token}`;
+    const raw = await getRedis().get(key);
+    if (!raw)
+        return null;
+    const data = JSON.parse(raw);
+    if (data.resendCount >= MAX_RESENDS)
+        return null;
+    data.emailOtpHash = newEmailOtpHash;
+    data.resendCount++;
+    // Cap lifetime
+    const maxExpiry = data.createdAt + ttl * 3 * 1000;
+    const newExpiry = Math.min(Date.now() + ttl * 1000, maxExpiry);
+    const remainingTtl = Math.max(1, Math.ceil((newExpiry - Date.now()) / 1000));
+    await getRedis().set(key, JSON.stringify(data), "EX", remainingTtl);
+    return { userId: data.userId, resendCount: data.resendCount };
+};

package/dist/lib/queue.d.ts

@@ -1,4 +1,37 @@
 import type { Queue as QueueType, Worker as WorkerType, Processor, QueueOptions, WorkerOptions, Job } from "bullmq";
 export declare const createQueue: <T = unknown, R = unknown>(name: string, options?: Omit<QueueOptions, "connection">) => QueueType<T, R>;
 export declare const createWorker: <T = unknown, R = unknown>(name: string, processor: Processor<T, R>, options?: Omit<WorkerOptions, "connection">) => WorkerType<T, R>;
+export declare const getRegisteredCronNames: () => ReadonlySet<string>;
+export interface CronSchedule {
+    /** Cron expression. Mutually exclusive with `every`. */
+    cron?: string;
+    /** Interval in milliseconds. Mutually exclusive with `cron`. */
+    every?: number;
+    /** Timezone for cron expressions. */
+    timezone?: string;
+}
+export declare const createCronWorker: <T = void, R = unknown>(name: string, processor: Processor<T, R>, schedule: CronSchedule, options?: Omit<WorkerOptions, "connection">) => {
+    worker: WorkerType<T, R>;
+    queue: QueueType<T, R>;
+};
+/**
+ * Remove job schedulers that are no longer registered.
+ * Called automatically after worker discovery in createServer.
+ * Can also be called manually for workers managed outside workersDir.
+ */
+export declare const cleanupStaleSchedulers: (activeNames: string[]) => Promise<void>;
+export interface DLQOptions<T = unknown> {
+    /** Max jobs to keep in the DLQ. Default: 1000. */
+    maxSize?: number;
+    /** Called when a job is moved to the DLQ. */
+    onDeadLetter?: (job: Job<T>, error: Error) => Promise<void>;
+    /** Auto-retry delay in ms. No auto-retry by default. */
+    retryAfter?: number;
+    /** Preserve original job options on retry. Default: true. */
+    preserveJobOptions?: boolean;
+}
+export declare const createDLQHandler: <T = unknown>(sourceWorker: WorkerType<T>, sourceQueueName: string, options?: DLQOptions<T>) => {
+    dlqQueue: QueueType<T>;
+    retryJob: (jobId: string) => Promise<void>;
+};
 export type { Job };

package/dist/lib/queue.js

@@ -17,3 +17,101 @@ export const createWorker = (name, processor, options) => {
     const { Worker } = requireBullMQ();
     return new Worker(name, processor, { connection: getRedisConnectionOptions(), ...options });
 };
+// ---------------------------------------------------------------------------
+// Cron worker
+// ---------------------------------------------------------------------------
+/** Tracks all registered cron scheduler names for ghost job cleanup. */
+const _registeredCronNames = new Set();
+export const getRegisteredCronNames = () => _registeredCronNames;
+export const createCronWorker = (name, processor, schedule, options) => {
+    const { Queue, Worker } = requireBullMQ();
+    const connection = getRedisConnectionOptions();
+    const queue = new Queue(name, { connection });
+    const worker = new Worker(name, processor, { connection, ...options });
+    _registeredCronNames.add(name);
+    // Use upsertJobScheduler — idempotent across restarts
+    if (schedule.cron) {
+        queue.upsertJobScheduler(name, { pattern: schedule.cron, tz: schedule.timezone }, { name });
+    }
+    else if (schedule.every) {
+        queue.upsertJobScheduler(name, { every: schedule.every }, { name });
+    }
+    return { worker, queue };
+};
+/**
+ * Remove job schedulers that are no longer registered.
+ * Called automatically after worker discovery in createServer.
+ * Can also be called manually for workers managed outside workersDir.
+ */
+export const cleanupStaleSchedulers = async (activeNames) => {
+    const { Queue } = requireBullMQ();
+    const connection = getRedisConnectionOptions();
+    const activeSet = new Set(activeNames);
+    // Check all known queue names for stale schedulers
+    for (const name of _registeredCronNames) {
+        if (activeSet.has(name))
+            continue;
+        const queue = new Queue(name, { connection });
+        try {
+            await queue.removeJobScheduler(name);
+        }
+        catch { /* scheduler may not exist */ }
+        await queue.close();
+    }
+};
+export const createDLQHandler = (sourceWorker, sourceQueueName, options) => {
+    const { Queue } = requireBullMQ();
+    const connection = getRedisConnectionOptions();
+    const dlqName = `${sourceQueueName}-dlq`;
+    const dlqQueue = new Queue(dlqName, { connection });
+    const maxSize = options?.maxSize ?? 1000;
+    const preserveJobOptions = options?.preserveJobOptions ?? true;
+    sourceWorker.on("failed", async (job, error) => {
+        if (!job)
+            return;
+        // Only move to DLQ when all attempts are exhausted
+        if (job.attemptsMade < (job.opts?.attempts ?? 1))
+            return;
+        await dlqQueue.add(`dlq:${job.name}`, job.data, {
+            ...(preserveJobOptions ? {
+                delay: job.opts?.delay,
+                priority: job.opts?.priority,
+                attempts: job.opts?.attempts,
+                backoff: job.opts?.backoff,
+            } : {}),
+            jobId: `dlq:${job.id}`,
+        });
+        if (options?.onDeadLetter) {
+            try {
+                await options.onDeadLetter(job, error);
+            }
+            catch (e) {
+                console.error(`[dlq:${sourceQueueName}] onDeadLetter callback error:`, e);
+            }
+        }
+        // Trim DLQ to maxSize
+        const waitingCount = await dlqQueue.getWaitingCount();
+        if (waitingCount > maxSize) {
+            const excess = waitingCount - maxSize;
+            const jobs = await dlqQueue.getWaiting(0, excess - 1);
+            for (const j of jobs) {
+                await j.remove();
+            }
+        }
+    });
+    const sourceQueue = new Queue(sourceQueueName, { connection });
+    const retryJob = async (jobId) => {
+        const job = await dlqQueue.getJob(jobId);
+        if (!job)
+            throw new Error(`Job ${jobId} not found in DLQ`);
+        const opts = preserveJobOptions ? {
+            delay: job.opts?.delay,
+            priority: job.opts?.priority,
+            attempts: job.opts?.attempts,
+            backoff: job.opts?.backoff,
+        } : {};
+        await sourceQueue.add(job.name, job.data, opts);
+        await job.remove();
+    };
+    return { dlqQueue, retryJob };
+};

package/dist/lib/roles.d.ts

@@ -1,3 +1,7 @@
 export declare const setUserRoles: (userId: string, roles: string[]) => Promise<void>;
 export declare const addUserRole: (userId: string, role: string) => Promise<void>;
 export declare const removeUserRole: (userId: string, role: string) => Promise<void>;
+export declare const getTenantRoles: (userId: string, tenantId: string) => Promise<string[]>;
+export declare const setTenantRoles: (userId: string, tenantId: string, roles: string[]) => Promise<void>;
+export declare const addTenantRole: (userId: string, tenantId: string, role: string) => Promise<void>;
+export declare const removeTenantRole: (userId: string, tenantId: string, role: string) => Promise<void>;

package/dist/lib/roles.js

@@ -20,3 +20,30 @@ export const removeUserRole = async (userId, role) => {
         requireMethod("removeRole");
     await adapter.removeRole(userId, role);
 };
+// ---------------------------------------------------------------------------
+// Tenant-scoped role helpers
+// ---------------------------------------------------------------------------
+export const getTenantRoles = async (userId, tenantId) => {
+    const adapter = getAuthAdapter();
+    if (!adapter.getTenantRoles)
+        requireMethod("getTenantRoles");
+    return adapter.getTenantRoles(userId, tenantId);
+};
+export const setTenantRoles = async (userId, tenantId, roles) => {
+    const adapter = getAuthAdapter();
+    if (!adapter.setTenantRoles)
+        requireMethod("setTenantRoles");
+    await adapter.setTenantRoles(userId, tenantId, roles);
+};
+export const addTenantRole = async (userId, tenantId, role) => {
+    const adapter = getAuthAdapter();
+    if (!adapter.addTenantRole)
+        requireMethod("addTenantRole");
+    await adapter.addTenantRole(userId, tenantId, role);
+};
+export const removeTenantRole = async (userId, tenantId, role) => {
+    const adapter = getAuthAdapter();
+    if (!adapter.removeTenantRole)
+        requireMethod("removeTenantRole");
+    await adapter.removeTenantRole(userId, tenantId, role);
+};

package/dist/lib/session.d.ts

@@ -11,6 +11,11 @@ export interface SessionInfo {
     userAgent?: string;
     isActive: boolean;
 }
+export interface RefreshResult {
+    sessionId: string;
+    userId: string;
+    newRefreshToken: string;
+}
 type SessionStore = "redis" | "mongo" | "sqlite" | "memory";
 export declare const setSessionStore: (store: SessionStore) => void;
 export declare const createSession: (userId: string, token: string, sessionId: string, metadata?: SessionMetadata) => Promise<void>;
@@ -19,5 +24,12 @@ export declare const deleteSession: (sessionId: string) => Promise<void>;
 export declare const getUserSessions: (userId: string) => Promise<SessionInfo[]>;
 export declare const getActiveSessionCount: (userId: string) => Promise<number>;
 export declare const evictOldestSession: (userId: string) => Promise<void>;
+export declare const deleteUserSessions: (userId: string) => Promise<void>;
 export declare const updateSessionLastActive: (sessionId: string) => Promise<void>;
+/** Store a refresh token on an existing session (called after session creation). */
+export declare const setRefreshToken: (sessionId: string, refreshToken: string) => Promise<void>;
+/** Look up a session by refresh token. Handles grace window and theft detection. */
+export declare const getSessionByRefreshToken: (refreshToken: string) => Promise<RefreshResult | null>;
+/** Rotate the refresh token: move current to prev with grace window, set new token + access token. */
+export declare const rotateRefreshToken: (sessionId: string, newRefreshToken: string, newAccessToken: string) => Promise<void>;
 export {};