@lastshotlabs/bunshot 0.0.27 → 0.0.28

package/dist/lib/queue.d.ts

@@ -1,37 +0,0 @@
-import type { Queue as QueueType, Worker as WorkerType, Processor, QueueOptions, WorkerOptions, Job } from "bullmq";
-export declare const createQueue: <T = unknown, R = unknown>(name: string, options?: Omit<QueueOptions, "connection">) => QueueType<T, R>;
-export declare const createWorker: <T = unknown, R = unknown>(name: string, processor: Processor<T, R>, options?: Omit<WorkerOptions, "connection">) => WorkerType<T, R>;
-export declare const getRegisteredCronNames: () => ReadonlySet<string>;
-export interface CronSchedule {
-    /** Cron expression. Mutually exclusive with `every`. */
-    cron?: string;
-    /** Interval in milliseconds. Mutually exclusive with `cron`. */
-    every?: number;
-    /** Timezone for cron expressions. */
-    timezone?: string;
-}
-export declare const createCronWorker: <T = void, R = unknown>(name: string, processor: Processor<T, R>, schedule: CronSchedule, options?: Omit<WorkerOptions, "connection">) => {
-    worker: WorkerType<T, R>;
-    queue: QueueType<T, R>;
-};
-/**
- * Remove job schedulers that are no longer registered.
- * Called automatically after worker discovery in createServer.
- * Can also be called manually for workers managed outside workersDir.
- */
-export declare const cleanupStaleSchedulers: (activeNames: string[]) => Promise<void>;
-export interface DLQOptions<T = unknown> {
-    /** Max jobs to keep in the DLQ. Default: 1000. */
-    maxSize?: number;
-    /** Called when a job is moved to the DLQ. */
-    onDeadLetter?: (job: Job<T>, error: Error) => Promise<void>;
-    /** Auto-retry delay in ms. No auto-retry by default. */
-    retryAfter?: number;
-    /** Preserve original job options on retry. Default: true. */
-    preserveJobOptions?: boolean;
-}
-export declare const createDLQHandler: <T = unknown>(sourceWorker: WorkerType<T>, sourceQueueName: string, options?: DLQOptions<T>) => {
-    dlqQueue: QueueType<T>;
-    retryJob: (jobId: string) => Promise<void>;
-};
-export type { Job };

package/dist/lib/queue.js

@@ -1,117 +0,0 @@
-import { getRedisConnectionOptions } from "./redis";
-function requireBullMQ() {
-    try {
-        // Bun supports require() in ESM; this defers the import to call time
-        // eslint-disable-next-line @typescript-eslint/no-require-imports
-        return require("bullmq");
-    }
-    catch {
-        throw new Error("bullmq is not installed. Run: bun add bullmq");
-    }
-}
-export const createQueue = (name, options) => {
-    const { Queue } = requireBullMQ();
-    return new Queue(name, { connection: getRedisConnectionOptions(), ...options });
-};
-export const createWorker = (name, processor, options) => {
-    const { Worker } = requireBullMQ();
-    return new Worker(name, processor, { connection: getRedisConnectionOptions(), ...options });
-};
-// ---------------------------------------------------------------------------
-// Cron worker
-// ---------------------------------------------------------------------------
-/** Tracks all registered cron scheduler names for ghost job cleanup. */
-const _registeredCronNames = new Set();
-export const getRegisteredCronNames = () => _registeredCronNames;
-export const createCronWorker = (name, processor, schedule, options) => {
-    const { Queue, Worker } = requireBullMQ();
-    const connection = getRedisConnectionOptions();
-    const queue = new Queue(name, { connection });
-    const worker = new Worker(name, processor, { connection, ...options });
-    _registeredCronNames.add(name);
-    // Use upsertJobScheduler — idempotent across restarts
-    if (schedule.cron) {
-        queue.upsertJobScheduler(name, { pattern: schedule.cron, tz: schedule.timezone }, { name });
-    }
-    else if (schedule.every) {
-        queue.upsertJobScheduler(name, { every: schedule.every }, { name });
-    }
-    return { worker, queue };
-};
-/**
- * Remove job schedulers that are no longer registered.
- * Called automatically after worker discovery in createServer.
- * Can also be called manually for workers managed outside workersDir.
- */
-export const cleanupStaleSchedulers = async (activeNames) => {
-    const { Queue } = requireBullMQ();
-    const connection = getRedisConnectionOptions();
-    const activeSet = new Set(activeNames);
-    // Check all known queue names for stale schedulers
-    for (const name of _registeredCronNames) {
-        if (activeSet.has(name))
-            continue;
-        const queue = new Queue(name, { connection });
-        try {
-            await queue.removeJobScheduler(name);
-        }
-        catch { /* scheduler may not exist */ }
-        await queue.close();
-    }
-};
-export const createDLQHandler = (sourceWorker, sourceQueueName, options) => {
-    const { Queue } = requireBullMQ();
-    const connection = getRedisConnectionOptions();
-    const dlqName = `${sourceQueueName}-dlq`;
-    const dlqQueue = new Queue(dlqName, { connection });
-    const maxSize = options?.maxSize ?? 1000;
-    const preserveJobOptions = options?.preserveJobOptions ?? true;
-    sourceWorker.on("failed", async (job, error) => {
-        if (!job)
-            return;
-        // Only move to DLQ when all attempts are exhausted
-        if (job.attemptsMade < (job.opts?.attempts ?? 1))
-            return;
-        await dlqQueue.add(`dlq:${job.name}`, job.data, {
-            ...(preserveJobOptions ? {
-                delay: job.opts?.delay,
-                priority: job.opts?.priority,
-                attempts: job.opts?.attempts,
-                backoff: job.opts?.backoff,
-            } : {}),
-            jobId: `dlq:${job.id}`,
-        });
-        if (options?.onDeadLetter) {
-            try {
-                await options.onDeadLetter(job, error);
-            }
-            catch (e) {
-                console.error(`[dlq:${sourceQueueName}] onDeadLetter callback error:`, e);
-            }
-        }
-        // Trim DLQ to maxSize
-        const waitingCount = await dlqQueue.getWaitingCount();
-        if (waitingCount > maxSize) {
-            const excess = waitingCount - maxSize;
-            const jobs = await dlqQueue.getWaiting(0, excess - 1);
-            for (const j of jobs) {
-                await j.remove();
-            }
-        }
-    });
-    const sourceQueue = new Queue(sourceQueueName, { connection });
-    const retryJob = async (jobId) => {
-        const job = await dlqQueue.getJob(jobId);
-        if (!job)
-            throw new Error(`Job ${jobId} not found in DLQ`);
-        const opts = preserveJobOptions ? {
-            delay: job.opts?.delay,
-            priority: job.opts?.priority,
-            attempts: job.opts?.attempts,
-            backoff: job.opts?.backoff,
-        } : {};
-        await sourceQueue.add(job.name, job.data, opts);
-        await job.remove();
-    };
-    return { dlqQueue, retryJob };
-};

package/dist/lib/redis.d.ts

@@ -1,9 +0,0 @@
-import type { default as RedisClass, RedisOptions } from "ioredis";
-export declare const getRedisConnectionOptions: () => RedisOptions;
-export declare const connectRedis: () => Promise<void>;
-/**
- * Gracefully close the Redis connection.
- * Useful for one-off scripts that need a clean exit.
- */
-export declare const disconnectRedis: () => Promise<void>;
-export declare const getRedis: () => RedisClass;

package/dist/lib/redis.js

@@ -1,61 +0,0 @@
-import { log } from "./logger";
-const isProd = process.env.NODE_ENV === "production";
-function requireIoredis() {
-    try {
-        // Bun supports require() in ESM; this defers the import to call time
-        // eslint-disable-next-line @typescript-eslint/no-require-imports
-        const mod = require("ioredis");
-        return mod.default ?? mod;
-    }
-    catch {
-        throw new Error("ioredis is not installed. Run: bun add ioredis");
-    }
-}
-export const getRedisConnectionOptions = () => {
-    const host_port = isProd ? process.env.REDIS_HOST_PROD : process.env.REDIS_HOST_DEV;
-    if (!host_port)
-        throw new Error(`Missing env var: ${isProd ? "REDIS_HOST_PROD" : "REDIS_HOST_DEV"}`);
-    const [host, port] = host_port.split(":");
-    if (!host || !port)
-        throw new Error(`Invalid Redis host format — expected "host:port", got "${host_port}"`);
-    const username = isProd ? process.env.REDIS_USER_PROD : process.env.REDIS_USER_DEV;
-    const password = isProd ? process.env.REDIS_PW_PROD : process.env.REDIS_PW_DEV;
-    return {
-        host,
-        port: Number(port),
-        ...(username && { username }),
-        ...(password && { password }),
-    };
-};
-let client = null;
-export const connectRedis = () => {
-    if (client)
-        return Promise.resolve();
-    const Redis = requireIoredis();
-    client = new Redis(getRedisConnectionOptions());
-    client.on("error", (err) => log(`[redis] error: ${err.message}`));
-    return new Promise((resolve, reject) => {
-        client.once("ready", () => {
-            const opts = getRedisConnectionOptions();
-            log(`[redis] connected to ${opts.host}:${opts.port} as ${opts.username || "default user"}`);
-            resolve();
-        });
-        client.once("error", reject);
-    });
-};
-/**
- * Gracefully close the Redis connection.
- * Useful for one-off scripts that need a clean exit.
- */
-export const disconnectRedis = async () => {
-    if (!client)
-        return;
-    await client.quit();
-    client = null;
-    log("[redis] disconnected");
-};
-export const getRedis = () => {
-    if (!client)
-        throw new Error("Redis not connected — call connectRedis() first");
-    return client;
-};

package/dist/lib/resetPassword.d.ts

@@ -1,12 +0,0 @@
-type ResetStore = "redis" | "mongo" | "sqlite" | "memory";
-export declare const setPasswordResetStore: (store: ResetStore) => void;
-/** Create a reset token. Returns the raw token (to embed in the email link).
- *  Only the SHA-256 hash is persisted in the store. */
-export declare const createResetToken: (userId: string, email: string) => Promise<string>;
-/** Atomically consume a reset token — returns its payload and deletes it in one operation.
- *  Returns null if the token is invalid, expired, or already used. */
-export declare const consumeResetToken: (token: string) => Promise<{
-    userId: string;
-    email: string;
-} | null>;
-export {};

package/dist/lib/resetPassword.js

@@ -1,93 +0,0 @@
-import { getRedis } from "./redis";
-import { appConnection, mongoose } from "./mongo";
-import { getAppName, getResetTokenExpiry } from "./appConfig";
-import { sqliteCreateResetToken, sqliteConsumeResetToken, } from "../adapters/sqliteAuth";
-import { memoryCreateResetToken, memoryConsumeResetToken, } from "../adapters/memoryAuth";
-import { sha256 as hashToken } from "./crypto";
-function getResetModel() {
-    if (appConnection.models["PasswordReset"])
-        return appConnection.models["PasswordReset"];
-    const { Schema } = mongoose;
-    const resetSchema = new Schema({
-        token: { type: String, required: true, unique: true },
-        userId: { type: String, required: true },
-        email: { type: String, required: true },
-        expiresAt: { type: Date, required: true, index: { expireAfterSeconds: 0 } },
-    }, { collection: "password_resets" });
-    return appConnection.model("PasswordReset", resetSchema);
-}
-// ---------------------------------------------------------------------------
-// Redis helpers
-// ---------------------------------------------------------------------------
-/** Atomically GET+DEL a key. Uses native GETDEL (Redis >= 6.2) with a Lua fallback. */
-async function redisGetDel(key) {
-    const redis = getRedis();
-    if (typeof redis.getdel === "function") {
-        try {
-            return await redis.getdel(key);
-        }
-        catch (err) {
-            const msg = err?.message ?? "";
-            if (!/unknown command|ERR unknown command/i.test(msg))
-                throw err;
-            // Fall through to Lua on "unknown command"
-        }
-    }
-    const result = await redis.eval("local v = redis.call('GET', KEYS[1])\nif v then redis.call('DEL', KEYS[1]) end\nreturn v", 1, key);
-    return result ?? null;
-}
-let _store = "redis";
-export const setPasswordResetStore = (store) => { _store = store; };
-// ---------------------------------------------------------------------------
-// Public API
-// ---------------------------------------------------------------------------
-/** Create a reset token. Returns the raw token (to embed in the email link).
- *  Only the SHA-256 hash is persisted in the store. */
-export const createResetToken = async (userId, email) => {
-    const bytes = new Uint8Array(32);
-    crypto.getRandomValues(bytes);
-    const token = Buffer.from(bytes).toString("base64url");
-    const hash = hashToken(token);
-    const ttl = getResetTokenExpiry();
-    if (_store === "memory") {
-        memoryCreateResetToken(hash, userId, email, ttl);
-        return token;
-    }
-    if (_store === "sqlite") {
-        sqliteCreateResetToken(hash, userId, email, ttl);
-        return token;
-    }
-    if (_store === "mongo") {
-        await getResetModel().create({
-            token: hash,
-            userId,
-            email,
-            expiresAt: new Date(Date.now() + ttl * 1000),
-        });
-        return token;
-    }
-    await getRedis().set(`reset:${getAppName()}:${hash}`, JSON.stringify({ userId, email }), "EX", ttl);
-    return token;
-};
-/** Atomically consume a reset token — returns its payload and deletes it in one operation.
- *  Returns null if the token is invalid, expired, or already used. */
-export const consumeResetToken = async (token) => {
-    const hash = hashToken(token);
-    if (_store === "memory")
-        return memoryConsumeResetToken(hash);
-    if (_store === "sqlite")
-        return sqliteConsumeResetToken(hash);
-    if (_store === "mongo") {
-        const doc = await getResetModel()
-            .findOneAndDelete({ token: hash, expiresAt: { $gt: new Date() } })
-            .lean();
-        if (!doc)
-            return null;
-        return { userId: doc.userId, email: doc.email };
-    }
-    // Redis: atomically return and remove the key (GETDEL or Lua fallback)
-    const raw = await redisGetDel(`reset:${getAppName()}:${hash}`);
-    if (!raw)
-        return null;
-    return JSON.parse(raw);
-};

package/dist/lib/roles.d.ts

@@ -1,7 +0,0 @@
-export declare const setUserRoles: (userId: string, roles: string[]) => Promise<void>;
-export declare const addUserRole: (userId: string, role: string) => Promise<void>;
-export declare const removeUserRole: (userId: string, role: string) => Promise<void>;
-export declare const getTenantRoles: (userId: string, tenantId: string) => Promise<string[]>;
-export declare const setTenantRoles: (userId: string, tenantId: string, roles: string[]) => Promise<void>;
-export declare const addTenantRole: (userId: string, tenantId: string, role: string) => Promise<void>;
-export declare const removeTenantRole: (userId: string, tenantId: string, role: string) => Promise<void>;

package/dist/lib/roles.js

@@ -1,49 +0,0 @@
-import { getAuthAdapter } from "./authAdapter";
-const requireMethod = (method) => {
-    throw new Error(`Auth adapter does not implement ${method} — add it to your adapter to manage roles`);
-};
-export const setUserRoles = async (userId, roles) => {
-    const adapter = getAuthAdapter();
-    if (!adapter.setRoles)
-        requireMethod("setRoles");
-    await adapter.setRoles(userId, roles);
-};
-export const addUserRole = async (userId, role) => {
-    const adapter = getAuthAdapter();
-    if (!adapter.addRole)
-        requireMethod("addRole");
-    await adapter.addRole(userId, role);
-};
-export const removeUserRole = async (userId, role) => {
-    const adapter = getAuthAdapter();
-    if (!adapter.removeRole)
-        requireMethod("removeRole");
-    await adapter.removeRole(userId, role);
-};
-// ---------------------------------------------------------------------------
-// Tenant-scoped role helpers
-// ---------------------------------------------------------------------------
-export const getTenantRoles = async (userId, tenantId) => {
-    const adapter = getAuthAdapter();
-    if (!adapter.getTenantRoles)
-        requireMethod("getTenantRoles");
-    return adapter.getTenantRoles(userId, tenantId);
-};
-export const setTenantRoles = async (userId, tenantId, roles) => {
-    const adapter = getAuthAdapter();
-    if (!adapter.setTenantRoles)
-        requireMethod("setTenantRoles");
-    await adapter.setTenantRoles(userId, tenantId, roles);
-};
-export const addTenantRole = async (userId, tenantId, role) => {
-    const adapter = getAuthAdapter();
-    if (!adapter.addTenantRole)
-        requireMethod("addTenantRole");
-    await adapter.addTenantRole(userId, tenantId, role);
-};
-export const removeTenantRole = async (userId, tenantId, role) => {
-    const adapter = getAuthAdapter();
-    if (!adapter.removeTenantRole)
-        requireMethod("removeTenantRole");
-    await adapter.removeTenantRole(userId, tenantId, role);
-};

package/dist/lib/saml.d.ts

@@ -1,25 +0,0 @@
-import type { IdentityProfile } from "./authAdapter";
-export interface SamlProfile {
-    nameId: string;
-    nameIdFormat?: string;
-    email?: string;
-    firstName?: string;
-    lastName?: string;
-    displayName?: string;
-    groups?: string[];
-    attributes: Record<string, string | string[]>;
-}
-export interface SamlAttributeMapping {
-    email?: string;
-    firstName?: string;
-    lastName?: string;
-    groups?: string;
-}
-export declare function initSaml(config: import("./appConfig").SamlConfig): Promise<void>;
-export declare function createAuthnRequest(): {
-    redirectUrl: string;
-    id: string;
-};
-export declare function validateSamlResponse(body: string, config: import("./appConfig").SamlConfig): Promise<SamlProfile>;
-export declare function samlProfileToIdentityProfile(profile: SamlProfile): IdentityProfile;
-export declare function getSamlSpMetadata(): string;

package/dist/lib/saml.js

@@ -1,64 +0,0 @@
-let _sp = null;
-let _idp = null;
-export async function initSaml(config) {
-    const samlify = await import("samlify");
-    _sp = samlify.ServiceProvider({
-        entityID: config.entityId,
-        assertionConsumerService: [{
-                Binding: samlify.Constants.BindingNamespace.Post,
-                Location: config.acsUrl,
-            }],
-        signingCert: config.signingCert,
-        privateKey: config.signingKey,
-        allowCreate: true,
-    });
-    // Load IdP metadata
-    if (config.idpMetadata.startsWith("http")) {
-        // URL — fetch it
-        const res = await fetch(config.idpMetadata);
-        const xml = await res.text();
-        _idp = samlify.IdentityProvider({ metadata: xml });
-    }
-    else {
-        // XML string
-        _idp = samlify.IdentityProvider({ metadata: config.idpMetadata });
-    }
-}
-export function createAuthnRequest() {
-    if (!_sp || !_idp)
-        throw new Error("SAML not initialized");
-    const { context, entityEndpoint } = _sp.createLoginRequest(_idp, "redirect");
-    return { redirectUrl: entityEndpoint + "?" + context, id: context };
-}
-export async function validateSamlResponse(body, config) {
-    if (!_sp || !_idp)
-        throw new Error("SAML not initialized");
-    const { extract } = await _sp.parseLoginResponse(_idp, "post", { body: { SAMLResponse: body } });
-    const mapping = config.attributeMapping ?? {};
-    const attrs = extract.attributes ?? {};
-    const emailKey = mapping.email ?? "email";
-    const firstNameKey = mapping.firstName ?? "firstName";
-    const lastNameKey = mapping.lastName ?? "lastName";
-    const groupsKey = mapping.groups ?? "groups";
-    const nameId = extract.nameID;
-    const email = attrs[emailKey] ?? nameId;
-    const firstName = attrs[firstNameKey];
-    const lastName = attrs[lastNameKey];
-    const displayName = firstName && lastName ? `${firstName} ${lastName}` : undefined;
-    const rawGroups = attrs[groupsKey];
-    const groups = rawGroups ? (Array.isArray(rawGroups) ? rawGroups : [rawGroups]) : undefined;
-    return { nameId, email, firstName, lastName, displayName, groups, attributes: attrs };
-}
-export function samlProfileToIdentityProfile(profile) {
-    return {
-        email: profile.email,
-        displayName: profile.displayName,
-        firstName: profile.firstName,
-        lastName: profile.lastName,
-    };
-}
-export function getSamlSpMetadata() {
-    if (!_sp)
-        throw new Error("SAML not initialized");
-    return _sp.getMetadata();
-}

package/dist/lib/securityEvents.d.ts

@@ -1,28 +0,0 @@
-export type SecurityEventType = "auth.login.success" | "auth.login.failure" | "auth.login.blocked" | "auth.register.success" | "auth.register.failure" | "auth.logout" | "auth.password.reset" | "auth.password.change" | "auth.mfa.setup" | "auth.mfa.verify.success" | "auth.mfa.verify.failure" | "auth.step_up.success" | "auth.step_up.failure" | "auth.session.created" | "auth.session.revoked" | "auth.account.suspended" | "auth.account.deleted" | "auth.oauth.link" | "auth.oauth.unlink" | "security.rate_limit.exceeded" | "security.credential_stuffing.detected" | "security.captcha.failed" | "security.csrf.failed" | "security.breached_password.detected" | "admin.role.changed" | "admin.user.modified";
-export interface SecurityEvent {
-    eventType: SecurityEventType;
-    severity: "info" | "warn" | "critical";
-    timestamp: string;
-    requestId?: string;
-    userId?: string;
-    sessionId?: string;
-    tenantId?: string;
-    ip?: string;
-    userAgent?: string;
-    meta?: Record<string, unknown>;
-}
-export interface SecurityEventConfig {
-    /** Called for each security event. Non-blocking — errors are swallowed. */
-    onEvent: (event: SecurityEvent) => void | Promise<void>;
-    /** Only emit events of these types. If omitted, all events are emitted. */
-    include?: SecurityEventType[];
-    /** Skip events of these types. Applied after include. */
-    exclude?: SecurityEventType[];
-}
-export declare function setSecurityEventConfig(config: SecurityEventConfig | null): void;
-export declare function getSecurityEventConfig(): SecurityEventConfig | null;
-/**
- * Emit a security event. Non-blocking — the call returns immediately.
- * If onEvent throws, the error is silently swallowed (never propagates to the caller).
- */
-export declare function emitSecurityEvent(event: SecurityEvent): void;

package/dist/lib/securityEvents.js

@@ -1,26 +0,0 @@
-let _config = null;
-export function setSecurityEventConfig(config) {
-    _config = config;
-}
-export function getSecurityEventConfig() {
-    return _config;
-}
-/**
- * Emit a security event. Non-blocking — the call returns immediately.
- * If onEvent throws, the error is silently swallowed (never propagates to the caller).
- */
-export function emitSecurityEvent(event) {
-    if (!_config)
-        return;
-    const { onEvent, include, exclude } = _config;
-    if (include && include.length > 0 && !include.includes(event.eventType))
-        return;
-    if (exclude && exclude.includes(event.eventType))
-        return;
-    // Fire and forget — never block the request
-    Promise.resolve()
-        .then(() => onEvent({ ...event, timestamp: event.timestamp ?? new Date().toISOString() }))
-        .catch(() => {
-        // Swallow errors — security event emission must never crash the app
-    });
-}

package/dist/lib/session.d.ts

@@ -1,49 +0,0 @@
-export interface SessionMetadata {
-    ipAddress?: string;
-    userAgent?: string;
-}
-export interface SessionInfo {
-    sessionId: string;
-    createdAt: number;
-    lastActiveAt: number;
-    expiresAt: number;
-    ipAddress?: string;
-    userAgent?: string;
-    isActive: boolean;
-}
-export interface RefreshResult {
-    sessionId: string;
-    userId: string;
-    newRefreshToken: string;
-}
-type SessionStore = "redis" | "mongo" | "sqlite" | "memory";
-export declare const setSessionStore: (store: SessionStore) => void;
-export declare const createSession: (userId: string, token: string, sessionId: string, metadata?: SessionMetadata) => Promise<void>;
-export declare const getSession: (sessionId: string) => Promise<string | null>;
-export declare const deleteSession: (sessionId: string) => Promise<void>;
-export declare const getUserSessions: (userId: string) => Promise<SessionInfo[]>;
-export declare const getActiveSessionCount: (userId: string) => Promise<number>;
-export declare const evictOldestSession: (userId: string) => Promise<void>;
-export declare const deleteUserSessions: (userId: string) => Promise<void>;
-export declare const updateSessionLastActive: (sessionId: string) => Promise<void>;
-/** Store a refresh token on an existing session (called after session creation). */
-export declare const setRefreshToken: (sessionId: string, refreshToken: string) => Promise<void>;
-/** Look up a session by refresh token. Handles grace window and theft detection. */
-export declare const getSessionByRefreshToken: (refreshToken: string) => Promise<RefreshResult | null>;
-/** Rotate the refresh token: move current to prev with grace window, set new token + access token. */
-export declare const rotateRefreshToken: (sessionId: string, newRefreshToken: string, newAccessToken: string) => Promise<void>;
-/** Read the stored fingerprint for a session. Returns null if not yet set. */
-export declare const getSessionFingerprint: (sessionId: string) => Promise<string | null>;
-/** Store a fingerprint on an existing session. No-op if the session does not exist. */
-export declare const setSessionFingerprint: (sessionId: string, fingerprint: string) => Promise<void>;
-/**
- * Store the timestamp when MFA was last verified in the session metadata.
- * Used by requireStepUp middleware.
- */
-export declare const setMfaVerifiedAt: (sessionId: string) => Promise<void>;
-/**
- * Get the Unix timestamp (seconds) when MFA was last verified for this session.
- * Returns null if MFA has never been verified or session not found.
- */
-export declare const getMfaVerifiedAt: (sessionId: string) => Promise<number | null>;
-export {};