npm - @lastshotlabs/bunshot - Versions diffs - 0.0.27 → 0.1.0 - Mend

@lastshotlabs/bunshot 0.0.27 → 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (742) hide show

package/.oclif.manifest.json +39 -0
package/README.md +8282 -2147
package/dist/cli/commands/init.js +690 -0
package/dist/cli/index.js +6 -0
package/dist/cli.js +4 -4
package/dist/packages/bunshot-admin/src/index.d.ts +15 -0
package/dist/packages/bunshot-admin/src/index.js +11 -0
package/dist/packages/bunshot-admin/src/lib/resourceTypes.d.ts +8 -0
package/dist/packages/bunshot-admin/src/lib/resourceTypes.js +33 -0
package/dist/packages/bunshot-admin/src/lib/typedRoute.d.ts +14 -0
package/dist/packages/bunshot-admin/src/lib/typedRoute.js +17 -0
package/dist/packages/bunshot-admin/src/plugin.d.ts +4 -0
package/dist/packages/bunshot-admin/src/plugin.js +46 -0
package/dist/packages/bunshot-admin/src/providers/auth0Access.d.ts +6 -0
package/dist/packages/bunshot-admin/src/providers/auth0Access.js +32 -0
package/dist/packages/bunshot-admin/src/routes/admin.d.ts +10 -0
package/dist/packages/bunshot-admin/src/routes/admin.js +923 -0
package/dist/packages/bunshot-admin/src/routes/mail.d.ts +6 -0
package/dist/packages/bunshot-admin/src/routes/mail.js +114 -0
package/dist/packages/bunshot-admin/src/routes/permissions.d.ts +8 -0
package/dist/packages/bunshot-admin/src/routes/permissions.js +315 -0
package/dist/packages/bunshot-admin/src/types/config.d.ts +16 -0
package/dist/packages/bunshot-admin/src/types/config.js +37 -0
package/dist/packages/bunshot-admin/src/types/env.d.ts +14 -0
package/dist/packages/bunshot-admin/src/types/provider.d.ts +1 -0
package/dist/packages/bunshot-admin/src/types/provider.js +4 -0
package/dist/packages/bunshot-auth/src/adapters/memoryAuth.d.ts +66 -0
package/dist/packages/bunshot-auth/src/adapters/memoryAuth.js +1063 -0
package/dist/packages/bunshot-auth/src/adapters/mongoAuth.d.ts +2 -0
package/dist/packages/bunshot-auth/src/adapters/mongoAuth.js +536 -0
package/dist/packages/bunshot-auth/src/adapters/sqliteAuth.d.ts +88 -0
package/dist/packages/bunshot-auth/src/adapters/sqliteAuth.js +1366 -0
package/dist/packages/bunshot-auth/src/admin/bunshotAccess.d.ts +2 -0
package/dist/packages/bunshot-auth/src/admin/bunshotAccess.js +23 -0
package/dist/packages/bunshot-auth/src/admin/bunshotUsers.d.ts +5 -0
package/dist/packages/bunshot-auth/src/admin/bunshotUsers.js +131 -0
package/dist/packages/bunshot-auth/src/bootstrap.d.ts +38 -0
package/dist/packages/bunshot-auth/src/bootstrap.js +384 -0
package/dist/packages/bunshot-auth/src/config/appConfig.d.ts +3 -0
package/dist/packages/bunshot-auth/src/config/appConfig.js +4 -0
package/dist/packages/bunshot-auth/src/config/authConfig.d.ts +478 -0
package/dist/packages/bunshot-auth/src/config/authConfig.js +46 -0
package/dist/packages/bunshot-auth/src/config/configLock.d.ts +2 -0
package/dist/packages/bunshot-auth/src/config/configLock.js +10 -0
package/dist/packages/bunshot-auth/src/index.d.ts +25 -0
package/dist/packages/bunshot-auth/src/index.js +23 -0
package/dist/packages/bunshot-auth/src/infra/mongo.d.ts +15 -0
package/dist/packages/bunshot-auth/src/infra/mongo.js +44 -0
package/dist/packages/bunshot-auth/src/infra/queue.d.ts +14 -0
package/dist/packages/bunshot-auth/src/infra/queue.js +27 -0
package/dist/packages/bunshot-auth/src/infra/redis.d.ts +5 -0
package/dist/packages/bunshot-auth/src/infra/redis.js +15 -0
package/dist/packages/bunshot-auth/src/infra/signing.d.ts +7 -0
package/dist/packages/bunshot-auth/src/infra/signing.js +8 -0
package/dist/packages/bunshot-auth/src/lib/accountLockout.d.ts +34 -0
package/dist/packages/bunshot-auth/src/lib/accountLockout.js +244 -0
package/dist/packages/bunshot-auth/src/lib/adapterTiers.d.ts +1 -0
package/dist/packages/bunshot-auth/src/lib/adapterTiers.js +1 -0
package/dist/packages/bunshot-auth/src/lib/authAdapter.d.ts +1 -0
package/dist/packages/bunshot-auth/src/lib/authAdapter.js +1 -0
package/dist/packages/bunshot-auth/src/lib/authContext.d.ts +15 -0
package/dist/packages/bunshot-auth/src/lib/authContext.js +1 -0
package/dist/packages/bunshot-auth/src/lib/authEventBus.d.ts +4 -0
package/dist/packages/bunshot-auth/src/lib/authEventBus.js +15 -0
package/dist/packages/bunshot-auth/src/lib/authRateLimit.d.ts +28 -0
package/dist/packages/bunshot-auth/src/lib/authRateLimit.js +205 -0
package/dist/{lib → packages/bunshot-auth/src/lib}/breachedPassword.d.ts +8 -2
package/dist/{lib → packages/bunshot-auth/src/lib}/breachedPassword.js +22 -9
package/dist/packages/bunshot-auth/src/lib/cache.d.ts +12 -0
package/dist/packages/bunshot-auth/src/lib/cache.js +120 -0
package/dist/packages/bunshot-auth/src/lib/clientIp.d.ts +4 -0
package/dist/{lib → packages/bunshot-auth/src/lib}/clientIp.js +14 -7
package/dist/packages/bunshot-auth/src/lib/cookieOptions.d.ts +27 -0
package/dist/packages/bunshot-auth/src/lib/cookieOptions.js +33 -0
package/dist/packages/bunshot-auth/src/lib/credentialStuffing.d.ts +40 -0
package/dist/packages/bunshot-auth/src/lib/credentialStuffing.js +211 -0
package/dist/packages/bunshot-auth/src/lib/deletionCancelToken.d.ts +19 -0
package/dist/packages/bunshot-auth/src/lib/deletionCancelToken.js +148 -0
package/dist/packages/bunshot-auth/src/lib/emailTemplates.d.ts +23 -0
package/dist/packages/bunshot-auth/src/lib/emailTemplates.js +265 -0
package/dist/packages/bunshot-auth/src/lib/emailVerification.d.ts +30 -0
package/dist/packages/bunshot-auth/src/lib/emailVerification.js +200 -0
package/dist/packages/bunshot-auth/src/lib/env.d.ts +1 -0
package/dist/packages/bunshot-auth/src/lib/env.js +3 -0
package/dist/packages/bunshot-auth/src/lib/fingerprint.js +36 -0
package/dist/{lib → packages/bunshot-auth/src/lib}/groups.d.ts +15 -16
package/dist/{lib → packages/bunshot-auth/src/lib}/groups.js +22 -34
package/dist/packages/bunshot-auth/src/lib/jwks.d.ts +28 -0
package/dist/packages/bunshot-auth/src/lib/jwks.js +79 -0
package/dist/packages/bunshot-auth/src/lib/jwt.d.ts +12 -0
package/dist/packages/bunshot-auth/src/lib/jwt.js +86 -0
package/dist/{lib → packages/bunshot-auth/src/lib}/logger.js +3 -3
package/dist/{lib → packages/bunshot-auth/src/lib}/m2m.d.ts +5 -4
package/dist/{lib → packages/bunshot-auth/src/lib}/m2m.js +6 -10
package/dist/packages/bunshot-auth/src/lib/magicLink.d.ts +13 -0
package/dist/packages/bunshot-auth/src/lib/magicLink.js +145 -0
package/dist/packages/bunshot-auth/src/lib/mfaChallenge.d.ts +60 -0
package/dist/packages/bunshot-auth/src/lib/mfaChallenge.js +419 -0
package/dist/packages/bunshot-auth/src/lib/oauth.d.ts +82 -0
package/dist/packages/bunshot-auth/src/lib/oauth.js +177 -0
package/dist/packages/bunshot-auth/src/lib/oauthCode.d.ts +19 -0
package/dist/packages/bunshot-auth/src/lib/oauthCode.js +182 -0
package/dist/packages/bunshot-auth/src/lib/oauthReauth.d.ts +19 -0
package/dist/packages/bunshot-auth/src/lib/oauthReauth.js +255 -0
package/dist/packages/bunshot-auth/src/lib/organization.d.ts +66 -0
package/dist/packages/bunshot-auth/src/lib/organization.js +225 -0
package/dist/packages/bunshot-auth/src/lib/passwordHistory.d.ts +12 -0
package/dist/packages/bunshot-auth/src/lib/passwordHistory.js +31 -0
package/dist/packages/bunshot-auth/src/lib/resetPassword.d.ts +20 -0
package/dist/packages/bunshot-auth/src/lib/resetPassword.js +148 -0
package/dist/packages/bunshot-auth/src/lib/roles.d.ts +9 -0
package/dist/packages/bunshot-auth/src/lib/roles.js +93 -0
package/dist/packages/bunshot-auth/src/lib/saml.d.ts +29 -0
package/dist/packages/bunshot-auth/src/lib/saml.js +73 -0
package/dist/packages/bunshot-auth/src/lib/samlRequestId.d.ts +13 -0
package/dist/packages/bunshot-auth/src/lib/samlRequestId.js +129 -0
package/dist/{lib → packages/bunshot-auth/src/lib}/scim.d.ts +7 -7
package/dist/{lib → packages/bunshot-auth/src/lib}/scim.js +15 -13
package/dist/packages/bunshot-auth/src/lib/securityEventWiring.d.ts +22 -0
package/dist/packages/bunshot-auth/src/lib/securityEventWiring.js +65 -0
package/dist/packages/bunshot-auth/src/lib/session.d.ts +45 -0
package/dist/packages/bunshot-auth/src/lib/session.js +1211 -0
package/dist/packages/bunshot-auth/src/lib/storeInfra.d.ts +26 -0
package/dist/packages/bunshot-auth/src/lib/storeInfra.js +18 -0
package/dist/{lib → packages/bunshot-auth/src/lib}/suspension.d.ts +3 -2
package/dist/{lib → packages/bunshot-auth/src/lib}/suspension.js +2 -5
package/dist/packages/bunshot-auth/src/lib/validateAdapter.d.ts +16 -0
package/dist/packages/bunshot-auth/src/lib/validateAdapter.js +161 -0
package/dist/packages/bunshot-auth/src/middleware/bearerAuth.d.ts +13 -0
package/dist/packages/bunshot-auth/src/middleware/bearerAuth.js +58 -0
package/dist/{middleware → packages/bunshot-auth/src/middleware}/csrf.d.ts +5 -4
package/dist/packages/bunshot-auth/src/middleware/csrf.js +138 -0
package/dist/packages/bunshot-auth/src/middleware/identify.d.ts +4 -0
package/dist/packages/bunshot-auth/src/middleware/identify.js +124 -0
package/dist/{middleware → packages/bunshot-auth/src/middleware}/requireMfaSetup.d.ts +2 -2
package/dist/{middleware → packages/bunshot-auth/src/middleware}/requireMfaSetup.js +10 -8
package/dist/{middleware → packages/bunshot-auth/src/middleware}/requireRole.d.ts +2 -2
package/dist/{middleware → packages/bunshot-auth/src/middleware}/requireRole.js +20 -16
package/dist/{middleware → packages/bunshot-auth/src/middleware}/requireScope.d.ts +2 -2
package/dist/{middleware → packages/bunshot-auth/src/middleware}/requireScope.js +6 -6
package/dist/{middleware → packages/bunshot-auth/src/middleware}/requireStepUp.d.ts +2 -2
package/dist/{middleware → packages/bunshot-auth/src/middleware}/requireStepUp.js +8 -7
package/dist/{middleware → packages/bunshot-auth/src/middleware}/requireVerifiedEmail.d.ts +2 -2
package/dist/{middleware → packages/bunshot-auth/src/middleware}/requireVerifiedEmail.js +7 -6
package/dist/packages/bunshot-auth/src/middleware/scimAuth.d.ts +8 -0
package/dist/packages/bunshot-auth/src/middleware/scimAuth.js +29 -0
package/dist/packages/bunshot-auth/src/middleware/userAuth.d.ts +3 -0
package/dist/packages/bunshot-auth/src/middleware/userAuth.js +6 -0
package/dist/{models → packages/bunshot-auth/src/models}/AuthUser.d.ts +12 -8
package/dist/packages/bunshot-auth/src/models/AuthUser.js +53 -0
package/dist/packages/bunshot-auth/src/models/Group.d.ts +19 -0
package/dist/packages/bunshot-auth/src/models/Group.js +22 -0
package/dist/{models → packages/bunshot-auth/src/models}/GroupMembership.d.ts +6 -8
package/dist/packages/bunshot-auth/src/models/GroupMembership.js +19 -0
package/dist/{models → packages/bunshot-auth/src/models}/M2MClient.d.ts +1 -1
package/dist/{models → packages/bunshot-auth/src/models}/M2MClient.js +5 -5
package/dist/packages/bunshot-auth/src/models/TenantRole.d.ts +13 -0
package/dist/packages/bunshot-auth/src/models/TenantRole.js +17 -0
package/dist/packages/bunshot-auth/src/plugin.d.ts +4 -0
package/dist/packages/bunshot-auth/src/plugin.js +277 -0
package/dist/packages/bunshot-auth/src/routes/auth.d.ts +15 -0
package/dist/packages/bunshot-auth/src/routes/auth.js +1624 -0
package/dist/packages/bunshot-auth/src/routes/groups.d.ts +4 -0
package/dist/packages/bunshot-auth/src/routes/groups.js +481 -0
package/dist/packages/bunshot-auth/src/routes/m2m.d.ts +2 -0
package/dist/packages/bunshot-auth/src/routes/m2m.js +145 -0
package/dist/packages/bunshot-auth/src/routes/mfa.d.ts +6 -0
package/dist/packages/bunshot-auth/src/routes/mfa.js +991 -0
package/dist/packages/bunshot-auth/src/routes/oauth.d.ts +3 -0
package/dist/packages/bunshot-auth/src/routes/oauth.js +1727 -0
package/dist/packages/bunshot-auth/src/routes/oidc.d.ts +2 -0
package/dist/packages/bunshot-auth/src/routes/oidc.js +84 -0
package/dist/packages/bunshot-auth/src/routes/organizations.d.ts +3 -0
package/dist/packages/bunshot-auth/src/routes/organizations.js +741 -0
package/dist/packages/bunshot-auth/src/routes/passkey.d.ts +2 -0
package/dist/packages/bunshot-auth/src/routes/passkey.js +199 -0
package/dist/packages/bunshot-auth/src/routes/saml.d.ts +2 -0
package/dist/packages/bunshot-auth/src/routes/saml.js +226 -0
package/dist/packages/bunshot-auth/src/routes/scim.d.ts +3 -0
package/dist/packages/bunshot-auth/src/routes/scim.js +588 -0
package/dist/packages/bunshot-auth/src/runtime.d.ts +52 -0
package/dist/packages/bunshot-auth/src/runtime.js +11 -0
package/dist/{schemas → packages/bunshot-auth/src/schemas}/auth.d.ts +4 -5
package/dist/packages/bunshot-auth/src/schemas/auth.js +24 -0
package/dist/packages/bunshot-auth/src/schemas/error.d.ts +10 -0
package/dist/packages/bunshot-auth/src/schemas/error.js +10 -0
package/dist/packages/bunshot-auth/src/schemas/success.d.ts +10 -0
package/dist/packages/bunshot-auth/src/schemas/success.js +10 -0
package/dist/packages/bunshot-auth/src/services/auth.d.ts +39 -0
package/dist/packages/bunshot-auth/src/services/auth.js +378 -0
package/dist/{services → packages/bunshot-auth/src/services}/mfa.d.ts +41 -17
package/dist/{services → packages/bunshot-auth/src/services}/mfa.js +259 -183
package/dist/packages/bunshot-auth/src/testing.d.ts +31 -0
package/dist/packages/bunshot-auth/src/testing.js +23 -0
package/dist/packages/bunshot-auth/src/types/adapter.d.ts +1 -0
package/dist/packages/bunshot-auth/src/types/adapter.js +1 -0
package/dist/packages/bunshot-auth/src/types/config.d.ts +152 -0
package/dist/packages/bunshot-auth/src/types/config.js +179 -0
package/dist/{routes → packages/bunshot-auth/src/types}/groups.d.ts +2 -3
package/dist/packages/bunshot-auth/src/types/groups.js +1 -0
package/dist/packages/bunshot-auth/src/types/oauthCode.d.ts +6 -0
package/dist/packages/bunshot-auth/src/types/oauthCode.js +1 -0
package/dist/packages/bunshot-auth/src/types/oauthReauth.d.ts +13 -0
package/dist/packages/bunshot-auth/src/types/oauthReauth.js +1 -0
package/dist/packages/bunshot-auth/src/types/redis.d.ts +1 -0
package/dist/packages/bunshot-auth/src/types/redis.js +1 -0
package/dist/packages/bunshot-auth/src/types/saml.d.ts +10 -0
package/dist/packages/bunshot-auth/src/types/saml.js +1 -0
package/dist/packages/bunshot-auth/src/types/session.d.ts +18 -0
package/dist/packages/bunshot-auth/src/types/session.js +1 -0
package/dist/packages/bunshot-auth/src/types/store.d.ts +1 -0
package/dist/packages/bunshot-auth/src/types/store.js +1 -0
package/dist/packages/bunshot-core/src/adminProvider.d.ts +95 -0
package/dist/packages/bunshot-core/src/adminProvider.js +1 -0
package/dist/packages/bunshot-core/src/auditLog.d.ts +34 -0
package/dist/packages/bunshot-core/src/auditLog.js +1 -0
package/dist/packages/bunshot-core/src/auth-adapter.d.ts +227 -0
package/dist/packages/bunshot-core/src/auth-adapter.js +4 -0
package/dist/packages/bunshot-core/src/authVariables.d.ts +14 -0
package/dist/packages/bunshot-core/src/authVariables.js +4 -0
package/dist/packages/bunshot-core/src/cache.d.ts +12 -0
package/dist/packages/bunshot-core/src/cache.js +21 -0
package/dist/{lib → packages/bunshot-core/src}/captcha.d.ts +1 -10
package/dist/packages/bunshot-core/src/captcha.js +1 -0
package/dist/packages/bunshot-core/src/clearRegistry.d.ts +6 -0
package/dist/packages/bunshot-core/src/clearRegistry.js +17 -0
package/dist/packages/bunshot-core/src/clientIp.d.ts +3 -0
package/dist/packages/bunshot-core/src/clientIp.js +45 -0
package/dist/packages/bunshot-core/src/configLock.d.ts +4 -0
package/dist/packages/bunshot-core/src/configLock.js +7 -0
package/dist/packages/bunshot-core/src/configValidation.d.ts +22 -0
package/dist/packages/bunshot-core/src/configValidation.js +39 -0
package/dist/packages/bunshot-core/src/constants.js +10 -0
package/dist/packages/bunshot-core/src/context/bunshotContext.d.ts +232 -0
package/dist/packages/bunshot-core/src/context/bunshotContext.js +1 -0
package/dist/packages/bunshot-core/src/context/contextAccess.d.ts +3 -0
package/dist/packages/bunshot-core/src/context/contextAccess.js +16 -0
package/dist/packages/bunshot-core/src/context/contextStore.d.ts +16 -0
package/dist/packages/bunshot-core/src/context/contextStore.js +31 -0
package/dist/packages/bunshot-core/src/context/frameworkConfig.d.ts +38 -0
package/dist/packages/bunshot-core/src/context/frameworkConfig.js +1 -0
package/dist/packages/bunshot-core/src/context/index.d.ts +4 -0
package/dist/packages/bunshot-core/src/context/index.js +2 -0
package/dist/packages/bunshot-core/src/context.d.ts +40 -0
package/dist/packages/bunshot-core/src/context.js +35 -0
package/dist/packages/bunshot-core/src/coreContracts.d.ts +47 -0
package/dist/packages/bunshot-core/src/coreContracts.js +1 -0
package/dist/packages/bunshot-core/src/coreRegistrar.d.ts +6 -0
package/dist/packages/bunshot-core/src/coreRegistrar.js +42 -0
package/dist/{lib → packages/bunshot-core/src}/createRoute.d.ts +4 -30
package/dist/{lib → packages/bunshot-core/src}/createRoute.js +39 -88
package/dist/packages/bunshot-core/src/cronRegistry.d.ts +11 -0
package/dist/packages/bunshot-core/src/cronRegistry.js +1 -0
package/dist/packages/bunshot-core/src/crypto.d.ts +43 -0
package/dist/packages/bunshot-core/src/crypto.js +74 -0
package/dist/packages/bunshot-core/src/csrf.d.ts +8 -0
package/dist/packages/bunshot-core/src/csrf.js +1 -0
package/dist/packages/bunshot-core/src/defaults/defaultFingerprint.d.ts +7 -0
package/dist/packages/bunshot-core/src/defaults/defaultFingerprint.js +19 -0
package/dist/packages/bunshot-core/src/defaults/memoryCacheAdapter.d.ts +6 -0
package/dist/packages/bunshot-core/src/defaults/memoryCacheAdapter.js +40 -0
package/dist/packages/bunshot-core/src/defaults/memoryRateLimit.d.ts +6 -0
package/dist/packages/bunshot-core/src/defaults/memoryRateLimit.js +24 -0
package/dist/packages/bunshot-core/src/emailTemplates.d.ts +5 -0
package/dist/packages/bunshot-core/src/emailTemplates.js +10 -0
package/dist/{lib/HttpError.d.ts → packages/bunshot-core/src/errors.d.ts} +4 -1
package/dist/{lib/HttpError.js → packages/bunshot-core/src/errors.js} +7 -1
package/dist/packages/bunshot-core/src/eventBus.d.ts +270 -0
package/dist/packages/bunshot-core/src/eventBus.js +143 -0
package/dist/packages/bunshot-core/src/idempotency.d.ts +18 -0
package/dist/packages/bunshot-core/src/idempotency.js +1 -0
package/dist/packages/bunshot-core/src/index.d.ts +60 -0
package/dist/packages/bunshot-core/src/index.js +34 -0
package/dist/packages/bunshot-core/src/mail.d.ts +14 -0
package/dist/packages/bunshot-core/src/mail.js +8 -0
package/dist/packages/bunshot-core/src/memoryEviction.d.ts +24 -0
package/dist/packages/bunshot-core/src/memoryEviction.js +52 -0
package/dist/packages/bunshot-core/src/pagination.d.ts +45 -0
package/dist/packages/bunshot-core/src/pagination.js +61 -0
package/dist/packages/bunshot-core/src/permissions.d.ts +64 -0
package/dist/packages/bunshot-core/src/permissions.js +27 -0
package/dist/packages/bunshot-core/src/plugin.d.ts +44 -0
package/dist/packages/bunshot-core/src/plugin.js +1 -0
package/dist/packages/bunshot-core/src/rateLimit.d.ts +5 -0
package/dist/packages/bunshot-core/src/rateLimit.js +18 -0
package/dist/packages/bunshot-core/src/redis.d.ts +21 -0
package/dist/packages/bunshot-core/src/redis.js +1 -0
package/dist/packages/bunshot-core/src/routeAuth.d.ts +5 -0
package/dist/packages/bunshot-core/src/routeAuth.js +11 -0
package/dist/packages/bunshot-core/src/routeOverrides.d.ts +24 -0
package/dist/packages/bunshot-core/src/routeOverrides.js +25 -0
package/dist/packages/bunshot-core/src/routerAdapter.d.ts +6 -0
package/dist/packages/bunshot-core/src/routerAdapter.js +56 -0
package/dist/packages/bunshot-core/src/secrets.d.ts +48 -0
package/dist/packages/bunshot-core/src/secrets.js +8 -0
package/dist/packages/bunshot-core/src/signing.d.ts +41 -0
package/dist/packages/bunshot-core/src/signing.js +1 -0
package/dist/packages/bunshot-core/src/sse.d.ts +36 -0
package/dist/packages/bunshot-core/src/sse.js +1 -0
package/dist/packages/bunshot-core/src/storageAdapter.js +1 -0
package/dist/packages/bunshot-core/src/storeInfra.d.ts +44 -0
package/dist/packages/bunshot-core/src/storeInfra.js +18 -0
package/dist/packages/bunshot-core/src/storeType.d.ts +7 -0
package/dist/packages/bunshot-core/src/storeType.js +1 -0
package/dist/packages/bunshot-core/src/testing.d.ts +1 -0
package/dist/packages/bunshot-core/src/testing.js +1 -0
package/dist/packages/bunshot-core/src/uploadRegistry.d.ts +23 -0
package/dist/packages/bunshot-core/src/uploadRegistry.js +4 -0
package/dist/packages/bunshot-core/src/userResolver.d.ts +5 -0
package/dist/packages/bunshot-core/src/userResolver.js +14 -0
package/dist/packages/bunshot-core/src/wsMessages.d.ts +42 -0
package/dist/packages/bunshot-core/src/wsMessages.js +4 -0
package/dist/packages/bunshot-permissions/src/adapters/memory.d.ts +7 -0
package/dist/packages/bunshot-permissions/src/adapters/memory.js +73 -0
package/dist/packages/bunshot-permissions/src/index.d.ts +10 -0
package/dist/packages/bunshot-permissions/src/index.js +5 -0
package/dist/packages/bunshot-permissions/src/lib/bootstrap.d.ts +7 -0
package/dist/packages/bunshot-permissions/src/lib/bootstrap.js +12 -0
package/dist/packages/bunshot-permissions/src/lib/evaluator.d.ts +10 -0
package/dist/packages/bunshot-permissions/src/lib/evaluator.js +165 -0
package/dist/packages/bunshot-permissions/src/lib/registry.d.ts +2 -0
package/dist/packages/bunshot-permissions/src/lib/registry.js +31 -0
package/dist/packages/bunshot-permissions/src/lib/validation.d.ts +1 -0
package/dist/packages/bunshot-permissions/src/lib/validation.js +1 -0
package/dist/packages/bunshot-permissions/src/types/adapter.d.ts +1 -0
package/dist/packages/bunshot-permissions/src/types/adapter.js +1 -0
package/dist/packages/bunshot-permissions/src/types/evaluator.d.ts +1 -0
package/dist/packages/bunshot-permissions/src/types/evaluator.js +1 -0
package/dist/packages/bunshot-permissions/src/types/models.d.ts +1 -0
package/dist/packages/bunshot-permissions/src/types/models.js +1 -0
package/dist/packages/bunshot-permissions/src/types/registry.d.ts +1 -0
package/dist/packages/bunshot-permissions/src/types/registry.js +1 -0
package/dist/packages/bunshot-postgres/src/adapter.d.ts +6 -0
package/dist/packages/bunshot-postgres/src/adapter.js +794 -0
package/dist/packages/bunshot-postgres/src/connection.d.ts +15 -0
package/dist/packages/bunshot-postgres/src/connection.js +16 -0
package/dist/packages/bunshot-postgres/src/index.d.ts +4 -0
package/dist/packages/bunshot-postgres/src/index.js +2 -0
package/dist/packages/bunshot-postgres/src/schema.d.ts +997 -0
package/dist/packages/bunshot-postgres/src/schema.js +105 -0
package/dist/src/app.d.ts +230 -0
package/dist/src/app.js +182 -0
package/dist/src/cli/commands/init.d.ts +10 -0
package/dist/src/cli/commands/init.js +709 -0
package/dist/src/cli/index.d.ts +1 -0
package/dist/src/cli/index.js +3 -0
package/dist/src/entrypoints/mongo.d.ts +6 -0
package/dist/src/entrypoints/mongo.js +4 -0
package/dist/src/entrypoints/queue.d.ts +2 -0
package/dist/src/entrypoints/queue.js +1 -0
package/dist/src/entrypoints/redis.d.ts +1 -0
package/dist/src/entrypoints/redis.js +1 -0
package/dist/{adapters → src/framework/adapters}/localStorage.d.ts +1 -1
package/dist/{adapters → src/framework/adapters}/localStorage.js +10 -10
package/dist/src/framework/adapters/memoryStorage.d.ts +2 -0
package/dist/src/framework/adapters/memoryStorage.js +45 -0
package/dist/{adapters → src/framework/adapters}/s3Storage.d.ts +1 -1
package/dist/{adapters → src/framework/adapters}/s3Storage.js +12 -12
package/dist/src/framework/admin/bunshotAccess.d.ts +2 -0
package/dist/src/framework/admin/bunshotAccess.js +23 -0
package/dist/src/framework/admin/bunshotUsers.d.ts +2 -0
package/dist/src/framework/admin/bunshotUsers.js +103 -0
package/dist/src/framework/admin/index.d.ts +7 -0
package/dist/src/framework/admin/index.js +21 -0
package/dist/src/framework/boundaryAdapters/cacheFactories.d.ts +13 -0
package/dist/src/framework/boundaryAdapters/cacheFactories.js +86 -0
package/dist/src/framework/boundaryAdapters/index.d.ts +2 -0
package/dist/src/framework/boundaryAdapters/index.js +1 -0
package/dist/src/framework/boundaryAdapters.d.ts +17 -0
package/dist/src/framework/boundaryAdapters.js +62 -0
package/dist/src/framework/buildContext.d.ts +33 -0
package/dist/src/framework/buildContext.js +119 -0
package/dist/src/framework/config/schema.d.ts +447 -0
package/dist/src/framework/config/schema.js +528 -0
package/dist/src/framework/createInfrastructure.d.ts +76 -0
package/dist/src/framework/createInfrastructure.js +221 -0
package/dist/src/framework/lib/auditLog.d.ts +23 -0
package/dist/src/framework/lib/auditLog.js +416 -0
package/dist/src/framework/lib/captcha.d.ts +11 -0
package/dist/{lib → src/framework/lib}/captcha.js +13 -10
package/dist/{lib → src/framework/lib}/createDtoMapper.js +4 -4
package/dist/src/framework/lib/createRoute.d.ts +1 -0
package/dist/src/framework/lib/createRoute.js +2 -0
package/dist/{lib → src/framework/lib}/idempotency.d.ts +2 -6
package/dist/src/framework/lib/idempotency.js +74 -0
package/dist/src/framework/lib/logger.d.ts +3 -0
package/dist/src/framework/lib/logger.js +14 -0
package/dist/src/framework/lib/metrics.d.ts +34 -0
package/dist/{lib → src/framework/lib}/metrics.js +49 -57
package/dist/src/framework/lib/pagination.d.ts +42 -0
package/dist/src/framework/lib/pagination.js +51 -0
package/dist/src/framework/lib/redisTransport.d.ts +38 -0
package/dist/src/framework/lib/redisTransport.js +107 -0
package/dist/src/framework/lib/resolveUserId.d.ts +2 -0
package/dist/src/framework/lib/resolveUserId.js +5 -0
package/dist/src/framework/lib/sseCollision.d.ts +6 -0
package/dist/src/framework/lib/sseCollision.js +26 -0
package/dist/src/framework/lib/storageAdapter.d.ts +1 -0
package/dist/src/framework/lib/storageAdapter.js +1 -0
package/dist/{lib → src/framework/lib}/stripUnreferencedSchemas.js +4 -4
package/dist/src/framework/lib/tenant.d.ts +21 -0
package/dist/src/framework/lib/tenant.js +70 -0
package/dist/{lib → src/framework/lib}/upload.d.ts +11 -10
package/dist/src/framework/lib/upload.js +132 -0
package/dist/src/framework/lib/uploadRegistry.d.ts +23 -0
package/dist/src/framework/lib/uploadRegistry.js +34 -0
package/dist/{lib → src/framework/lib}/validate.d.ts +1 -1
package/dist/{lib → src/framework/lib}/validate.js +2 -2
package/dist/src/framework/lib/ws.d.ts +19 -0
package/dist/src/framework/lib/ws.js +130 -0
package/dist/src/framework/lib/wsHeartbeat.d.ts +12 -0
package/dist/src/framework/lib/wsHeartbeat.js +53 -0
package/dist/src/framework/lib/wsMessages.d.ts +25 -0
package/dist/src/framework/lib/wsMessages.js +45 -0
package/dist/src/framework/lib/wsNamespace.d.ts +17 -0
package/dist/src/framework/lib/wsNamespace.js +19 -0
package/dist/src/framework/lib/wsPresence.d.ts +17 -0
package/dist/src/framework/lib/wsPresence.js +84 -0
package/dist/src/framework/lib/wsTransport.d.ts +38 -0
package/dist/src/framework/lib/wsTransport.js +9 -0
package/dist/{lib → src/framework/lib}/zodToMongoose.d.ts +1 -1
package/dist/{lib → src/framework/lib}/zodToMongoose.js +11 -11
package/dist/{middleware → src/framework/middleware}/auditLog.d.ts +4 -3
package/dist/src/framework/middleware/auditLog.js +42 -0
package/dist/{middleware → src/framework/middleware}/botProtection.d.ts +2 -2
package/dist/{middleware → src/framework/middleware}/botProtection.js +8 -9
package/dist/src/framework/middleware/cacheResponse.d.ts +35 -0
package/dist/src/framework/middleware/cacheResponse.js +126 -0
package/dist/{middleware → src/framework/middleware}/captcha.d.ts +2 -3
package/dist/src/framework/middleware/captcha.js +37 -0
package/dist/{middleware → src/framework/middleware}/errorHandler.d.ts +1 -1
package/dist/{middleware → src/framework/middleware}/errorHandler.js +2 -2
package/dist/src/framework/middleware/index.js +1 -0
package/dist/{middleware → src/framework/middleware}/logger.d.ts +1 -1
package/dist/src/framework/middleware/metrics.d.ts +12 -0
package/dist/src/framework/middleware/metrics.js +26 -0
package/dist/{middleware → src/framework/middleware}/rateLimit.d.ts +2 -2
package/dist/src/framework/middleware/rateLimit.js +22 -0
package/dist/src/framework/middleware/requestId.d.ts +3 -0
package/dist/{middleware → src/framework/middleware}/requestId.js +2 -2
package/dist/{middleware → src/framework/middleware}/requestLogger.d.ts +3 -3
package/dist/{middleware → src/framework/middleware}/requestLogger.js +17 -12
package/dist/{middleware → src/framework/middleware}/requestSigning.d.ts +2 -2
package/dist/{middleware → src/framework/middleware}/requestSigning.js +18 -20
package/dist/src/framework/middleware/tenant.d.ts +14 -0
package/dist/{middleware → src/framework/middleware}/tenant.js +31 -27
package/dist/src/framework/middleware/upload.d.ts +5 -0
package/dist/{middleware → src/framework/middleware}/upload.js +4 -4
package/dist/{middleware → src/framework/middleware}/webhookAuth.d.ts +3 -3
package/dist/{middleware → src/framework/middleware}/webhookAuth.js +11 -12
package/dist/src/framework/models/AuditLog.d.ts +21 -0
package/dist/src/framework/models/AuditLog.js +31 -0
package/dist/src/framework/mountMiddleware.d.ts +91 -0
package/dist/src/framework/mountMiddleware.js +128 -0
package/dist/src/framework/mountOptionalEndpoints.d.ts +103 -0
package/dist/src/framework/mountOptionalEndpoints.js +64 -0
package/dist/src/framework/mountRoutes.d.ts +21 -0
package/dist/src/framework/mountRoutes.js +144 -0
package/dist/src/framework/persistence/cronRegistry.d.ts +28 -0
package/dist/src/framework/persistence/cronRegistry.js +139 -0
package/dist/src/framework/persistence/idempotency.d.ts +26 -0
package/dist/src/framework/persistence/idempotency.js +178 -0
package/dist/src/framework/persistence/index.d.ts +6 -0
package/dist/src/framework/persistence/index.js +8 -0
package/dist/src/framework/persistence/storeInfra.d.ts +9 -0
package/dist/src/framework/persistence/storeInfra.js +1 -0
package/dist/src/framework/persistence/uploadRegistry.d.ts +35 -0
package/dist/src/framework/persistence/uploadRegistry.js +235 -0
package/dist/src/framework/persistence/wsMessages.d.ts +22 -0
package/dist/src/framework/persistence/wsMessages.js +296 -0
package/dist/src/framework/preloadSchemas.d.ts +24 -0
package/dist/src/framework/preloadSchemas.js +42 -0
package/dist/src/framework/registerBoundaryAdapters.d.ts +23 -0
package/dist/src/framework/registerBoundaryAdapters.js +46 -0
package/dist/src/framework/routes/admin.d.ts +9 -0
package/dist/src/framework/routes/admin.js +361 -0
package/dist/src/framework/routes/health.d.ts +1 -0
package/dist/src/framework/routes/health.js +21 -0
package/dist/src/framework/routes/home.d.ts +1 -0
package/dist/src/framework/routes/home.js +18 -0
package/dist/src/framework/routes/jobs.d.ts +3 -0
package/dist/{routes → src/framework/routes}/jobs.js +128 -103
package/dist/src/framework/routes/metrics.d.ts +10 -0
package/dist/src/framework/routes/metrics.js +57 -0
package/dist/{routes → src/framework/routes}/uploads.d.ts +3 -3
package/dist/src/framework/routes/uploads.js +262 -0
package/dist/src/framework/runPluginLifecycle.d.ts +27 -0
package/dist/src/framework/runPluginLifecycle.js +121 -0
package/dist/src/framework/secrets/frameworkSecretSchema.d.ts +58 -0
package/dist/src/framework/secrets/frameworkSecretSchema.js +20 -0
package/dist/src/framework/secrets/index.d.ts +9 -0
package/dist/src/framework/secrets/index.js +7 -0
package/dist/src/framework/secrets/providers/envProvider.d.ts +15 -0
package/dist/src/framework/secrets/providers/envProvider.js +18 -0
package/dist/src/framework/secrets/providers/fileProvider.d.ts +8 -0
package/dist/src/framework/secrets/providers/fileProvider.js +82 -0
package/dist/src/framework/secrets/providers/ssmProvider.d.ts +20 -0
package/dist/src/framework/secrets/providers/ssmProvider.js +127 -0
package/dist/src/framework/secrets/resolveSecretBundle.d.ts +53 -0
package/dist/src/framework/secrets/resolveSecretBundle.js +84 -0
package/dist/src/framework/secrets/resolveSecrets.d.ts +18 -0
package/dist/src/framework/secrets/resolveSecrets.js +34 -0
package/dist/src/framework/sse/index.d.ts +21 -0
package/dist/src/framework/sse/index.js +109 -0
package/dist/src/framework/ws/index.d.ts +11 -0
package/dist/src/framework/ws/index.js +8 -0
package/dist/src/index.d.ts +87 -0
package/dist/src/index.js +58 -0
package/dist/src/lib/appConfig.d.ts +7 -0
package/dist/src/lib/appConfig.js +27 -0
package/dist/src/lib/appMeta.d.ts +7 -0
package/dist/src/lib/appMeta.js +3 -0
package/dist/src/lib/authConfig.d.ts +532 -0
package/dist/{lib/appConfig.js → src/lib/authConfig.js} +75 -17
package/dist/{lib → src/lib}/context.d.ts +6 -12
package/dist/{lib → src/lib}/context.js +5 -5
package/dist/src/lib/logger.d.ts +1 -0
package/dist/src/lib/logger.js +1 -0
package/dist/src/lib/mongo.d.ts +58 -0
package/dist/src/lib/mongo.js +96 -0
package/dist/src/lib/queue.d.ts +72 -0
package/dist/src/lib/queue.js +152 -0
package/dist/src/lib/redis.d.ts +28 -0
package/dist/src/lib/redis.js +72 -0
package/dist/{lib → src/lib}/signing.d.ts +2 -2
package/dist/src/lib/signing.js +210 -0
package/dist/src/lib/signingConfig.d.ts +40 -0
package/dist/src/lib/signingConfig.js +28 -0
package/dist/src/server.d.ts +146 -0
package/dist/src/server.js +469 -0
package/dist/src/shared/lib/HttpError.d.ts +1 -0
package/dist/src/shared/lib/HttpError.js +2 -0
package/dist/src/shared/lib/constants.d.ts +10 -0
package/dist/src/shared/lib/crypto.d.ts +43 -0
package/dist/src/shared/lib/crypto.js +74 -0
package/dist/src/shared/lib/signing.d.ts +52 -0
package/dist/{lib → src/shared/lib}/signing.js +35 -8
package/dist/src/testing.d.ts +34 -0
package/dist/src/testing.js +93 -0
package/package.json +100 -26
package/dist/adapters/memoryAuth.d.ts +0 -52
package/dist/adapters/memoryAuth.js +0 -749
package/dist/adapters/memoryStorage.d.ts +0 -3
package/dist/adapters/memoryStorage.js +0 -44
package/dist/adapters/mongoAuth.d.ts +0 -2
package/dist/adapters/mongoAuth.js +0 -403
package/dist/adapters/sqliteAuth.d.ts +0 -72
package/dist/adapters/sqliteAuth.js +0 -858
package/dist/app.d.ts +0 -559
package/dist/app.js +0 -651
package/dist/entrypoints/mongo.d.ts +0 -5
package/dist/entrypoints/mongo.js +0 -4
package/dist/entrypoints/queue.d.ts +0 -2
package/dist/entrypoints/queue.js +0 -1
package/dist/entrypoints/redis.d.ts +0 -1
package/dist/entrypoints/redis.js +0 -1
package/dist/index.d.ts +0 -117
package/dist/index.js +0 -88
package/dist/lib/appConfig.d.ts +0 -275
package/dist/lib/auditLog.d.ts +0 -58
package/dist/lib/auditLog.js +0 -218
package/dist/lib/authAdapter.d.ts +0 -246
package/dist/lib/authAdapter.js +0 -7
package/dist/lib/authRateLimit.d.ts +0 -13
package/dist/lib/authRateLimit.js +0 -117
package/dist/lib/clientIp.d.ts +0 -14
package/dist/lib/credentialStuffing.d.ts +0 -31
package/dist/lib/credentialStuffing.js +0 -77
package/dist/lib/crypto.d.ts +0 -11
package/dist/lib/crypto.js +0 -22
package/dist/lib/deletionCancelToken.d.ts +0 -12
package/dist/lib/deletionCancelToken.js +0 -88
package/dist/lib/emailVerification.d.ts +0 -19
package/dist/lib/emailVerification.js +0 -129
package/dist/lib/fingerprint.js +0 -36
package/dist/lib/idempotency.js +0 -182
package/dist/lib/jwks.d.ts +0 -25
package/dist/lib/jwks.js +0 -51
package/dist/lib/jwt.d.ts +0 -15
package/dist/lib/jwt.js +0 -111
package/dist/lib/metrics.d.ts +0 -14
package/dist/lib/mfaChallenge.d.ts +0 -55
package/dist/lib/mfaChallenge.js +0 -398
package/dist/lib/mongo.d.ts +0 -39
package/dist/lib/mongo.js +0 -124
package/dist/lib/oauth.d.ts +0 -40
package/dist/lib/oauth.js +0 -101
package/dist/lib/oauthCode.d.ts +0 -15
package/dist/lib/oauthCode.js +0 -95
package/dist/lib/pagination.d.ts +0 -119
package/dist/lib/pagination.js +0 -166
package/dist/lib/queue.d.ts +0 -37
package/dist/lib/queue.js +0 -117
package/dist/lib/redis.d.ts +0 -9
package/dist/lib/redis.js +0 -61
package/dist/lib/resetPassword.d.ts +0 -12
package/dist/lib/resetPassword.js +0 -93
package/dist/lib/roles.d.ts +0 -7
package/dist/lib/roles.js +0 -49
package/dist/lib/saml.d.ts +0 -25
package/dist/lib/saml.js +0 -64
package/dist/lib/securityEvents.d.ts +0 -28
package/dist/lib/securityEvents.js +0 -26
package/dist/lib/session.d.ts +0 -49
package/dist/lib/session.js +0 -597
package/dist/lib/tenant.d.ts +0 -15
package/dist/lib/tenant.js +0 -65
package/dist/lib/upload.js +0 -112
package/dist/lib/uploadRegistry.d.ts +0 -18
package/dist/lib/uploadRegistry.js +0 -83
package/dist/lib/ws.d.ts +0 -22
package/dist/lib/ws.js +0 -96
package/dist/lib/wsHeartbeat.d.ts +0 -12
package/dist/lib/wsHeartbeat.js +0 -57
package/dist/lib/wsMessages.d.ts +0 -40
package/dist/lib/wsMessages.js +0 -330
package/dist/lib/wsPresence.d.ts +0 -25
package/dist/lib/wsPresence.js +0 -99
package/dist/middleware/auditLog.js +0 -39
package/dist/middleware/bearerAuth.d.ts +0 -2
package/dist/middleware/bearerAuth.js +0 -11
package/dist/middleware/cacheResponse.d.ts +0 -15
package/dist/middleware/cacheResponse.js +0 -178
package/dist/middleware/captcha.js +0 -36
package/dist/middleware/csrf.js +0 -129
package/dist/middleware/identify.d.ts +0 -3
package/dist/middleware/identify.js +0 -122
package/dist/middleware/index.js +0 -1
package/dist/middleware/metrics.d.ts +0 -9
package/dist/middleware/metrics.js +0 -26
package/dist/middleware/rateLimit.js +0 -22
package/dist/middleware/requestId.d.ts +0 -3
package/dist/middleware/scimAuth.d.ts +0 -8
package/dist/middleware/scimAuth.js +0 -29
package/dist/middleware/tenant.d.ts +0 -5
package/dist/middleware/upload.d.ts +0 -5
package/dist/middleware/userAuth.d.ts +0 -3
package/dist/middleware/userAuth.js +0 -6
package/dist/models/AuditLog.d.ts +0 -30
package/dist/models/AuditLog.js +0 -39
package/dist/models/AuthUser.js +0 -55
package/dist/models/Group.d.ts +0 -21
package/dist/models/Group.js +0 -28
package/dist/models/GroupMembership.js +0 -25
package/dist/models/TenantRole.d.ts +0 -15
package/dist/models/TenantRole.js +0 -23
package/dist/routes/auth.d.ts +0 -12
package/dist/routes/auth.js +0 -744
package/dist/routes/groups.js +0 -346
package/dist/routes/health.d.ts +0 -1
package/dist/routes/health.js +0 -22
package/dist/routes/home.d.ts +0 -1
package/dist/routes/home.js +0 -16
package/dist/routes/jobs.d.ts +0 -2
package/dist/routes/m2m.d.ts +0 -2
package/dist/routes/m2m.js +0 -72
package/dist/routes/metrics.d.ts +0 -8
package/dist/routes/metrics.js +0 -55
package/dist/routes/mfa.d.ts +0 -5
package/dist/routes/mfa.js +0 -628
package/dist/routes/oauth.d.ts +0 -2
package/dist/routes/oauth.js +0 -520
package/dist/routes/oidc.d.ts +0 -2
package/dist/routes/oidc.js +0 -29
package/dist/routes/passkey.d.ts +0 -1
package/dist/routes/passkey.js +0 -157
package/dist/routes/saml.d.ts +0 -2
package/dist/routes/saml.js +0 -86
package/dist/routes/scim.d.ts +0 -2
package/dist/routes/scim.js +0 -255
package/dist/routes/uploads.js +0 -227
package/dist/schemas/auth.js +0 -30
package/dist/server.d.ts +0 -57
package/dist/server.js +0 -112
package/dist/services/auth.d.ts +0 -29
package/dist/services/auth.js +0 -238
package/dist/ws/index.d.ts +0 -10
package/dist/ws/index.js +0 -39
package/docs/sections/adding-middleware/full.md +0 -35
package/docs/sections/adding-models/full.md +0 -125
package/docs/sections/adding-models/overview.md +0 -13
package/docs/sections/adding-routes/full.md +0 -182
package/docs/sections/adding-routes/overview.md +0 -23
package/docs/sections/auth-flow/full.md +0 -790
package/docs/sections/auth-flow/overview.md +0 -10
package/docs/sections/auth-security-examples/full.md +0 -388
package/docs/sections/authentication/full.md +0 -130
package/docs/sections/authentication/overview.md +0 -5
package/docs/sections/cli/full.md +0 -42
package/docs/sections/configuration/full.md +0 -172
package/docs/sections/configuration/overview.md +0 -18
package/docs/sections/configuration-example/full.md +0 -117
package/docs/sections/configuration-example/overview.md +0 -30
package/docs/sections/documentation/full.md +0 -171
package/docs/sections/environment-variables/full.md +0 -55
package/docs/sections/exports/full.md +0 -123
package/docs/sections/extending-context/full.md +0 -59
package/docs/sections/header.md +0 -3
package/docs/sections/installation/full.md +0 -6
package/docs/sections/jobs/full.md +0 -140
package/docs/sections/jobs/overview.md +0 -15
package/docs/sections/logging/full.md +0 -83
package/docs/sections/metrics/full.md +0 -131
package/docs/sections/mongodb-connections/full.md +0 -45
package/docs/sections/mongodb-connections/overview.md +0 -7
package/docs/sections/multi-tenancy/full.md +0 -66
package/docs/sections/multi-tenancy/overview.md +0 -15
package/docs/sections/oauth/full.md +0 -189
package/docs/sections/oauth/overview.md +0 -16
package/docs/sections/package-development/full.md +0 -7
package/docs/sections/pagination/full.md +0 -93
package/docs/sections/passkey-login/full.md +0 -90
package/docs/sections/passkey-login/overview.md +0 -1
package/docs/sections/peer-dependencies/full.md +0 -47
package/docs/sections/quick-start/full.md +0 -43
package/docs/sections/response-caching/full.md +0 -117
package/docs/sections/response-caching/overview.md +0 -13
package/docs/sections/roles/full.md +0 -225
package/docs/sections/roles/overview.md +0 -14
package/docs/sections/running-without-redis/full.md +0 -16
package/docs/sections/running-without-redis-or-mongodb/full.md +0 -60
package/docs/sections/signing/full.md +0 -203
package/docs/sections/stack/full.md +0 -10
package/docs/sections/uploads/full.md +0 -208
package/docs/sections/versioning/full.md +0 -85
package/docs/sections/webhook-auth/full.md +0 -100
package/docs/sections/websocket/full.md +0 -196
package/docs/sections/websocket/overview.md +0 -5
package/docs/sections/websocket-rooms/full.md +0 -102
package/docs/sections/websocket-rooms/overview.md +0 -5
/package/dist/{lib/storageAdapter.js → packages/bunshot-admin/src/types/env.js} +0 -0
/package/dist/{lib → packages/bunshot-auth/src/lib}/fingerprint.d.ts +0 -0
/package/dist/{lib → packages/bunshot-auth/src/lib}/logger.d.ts +0 -0
/package/dist/{lib → packages/bunshot-core/src}/constants.d.ts +0 -0
/package/dist/{lib → packages/bunshot-core/src}/storageAdapter.d.ts +0 -0
/package/dist/{lib → src/framework/lib}/createDtoMapper.d.ts +0 -0
/package/dist/{lib → src/framework/lib}/stripUnreferencedSchemas.d.ts +0 -0
/package/dist/{middleware → src/framework/middleware}/cors.d.ts +0 -0
/package/dist/{middleware → src/framework/middleware}/cors.js +0 -0
/package/dist/{middleware → src/framework/middleware}/index.d.ts +0 -0
/package/dist/{middleware → src/framework/middleware}/logger.js +0 -0
/package/dist/{lib → src/shared/lib}/constants.js +0 -0

package/dist/packages/bunshot-auth/src/lib/session.js ADDED Viewed

@@ -0,0 +1,1211 @@
+import { DEFAULT_MAX_ENTRIES, hashToken, timingSafeEqual } from '../../../bunshot-core/src/index.js';
+import { DEFAULT_AUTH_CONFIG } from '../config/authConfig';
+// ---------------------------------------------------------------------------
+// TTL helpers
+// ---------------------------------------------------------------------------
+const DEFAULT_SESSION_TTL_SECONDS = 60 * 60 * 24 * 7; // 7 days
+function getSessionTtlSeconds(cfg) {
+    return (cfg ?? DEFAULT_AUTH_CONFIG).sessionPolicy.absoluteTimeout ?? DEFAULT_SESSION_TTL_SECONDS;
+}
+function getSessionTtlMs(cfg) {
+    return getSessionTtlSeconds(cfg) * 1000;
+}
+function shouldPersistSessionMetadata(cfg) {
+    return (cfg ?? DEFAULT_AUTH_CONFIG).persistSessionMetadata;
+}
+function isIdleExpired(lastActiveAt, cfg) {
+    const idleTimeout = (cfg ?? DEFAULT_AUTH_CONFIG).sessionPolicy.idleTimeout;
+    if (!idleTimeout)
+        return false;
+    const idleSecs = (Date.now() - lastActiveAt) / 1000;
+    return idleSecs > idleTimeout;
+}
+export function createMemorySessionRepository() {
+    const sessions = new Map();
+    const userSessionIds = new Map();
+    const refreshTokenIndex = new Map();
+    function removeUserSessionId(userId, sessionId) {
+        const ids = userSessionIds.get(userId);
+        if (!ids)
+            return;
+        ids.delete(sessionId);
+        if (ids.size === 0) {
+            userSessionIds.delete(userId);
+        }
+    }
+    function purgeSessionImpl(sessionId) {
+        const entry = sessions.get(sessionId);
+        if (!entry)
+            return;
+        if (entry.refreshToken)
+            refreshTokenIndex.delete(entry.refreshToken);
+        if (entry.prevRefreshToken)
+            refreshTokenIndex.delete(entry.prevRefreshToken);
+        sessions.delete(sessionId);
+        removeUserSessionId(entry.userId, sessionId);
+    }
+    // Purge tombstoned sessions (token === null) whose natural TTL has passed.
+    // Called opportunistically on delete and on new-session creation so expired
+    // tombstones do not accumulate indefinitely in the in-memory dev store.
+    function sweepExpiredTombstones() {
+        const now = Date.now();
+        for (const [sessionId, s] of sessions) {
+            if (!s.token && s.expiresAt <= now) {
+                purgeSessionImpl(sessionId);
+            }
+        }
+    }
+    function deleteSessionImpl(sessionId, cfg) {
+        const entry = sessions.get(sessionId);
+        if (!entry)
+            return;
+        if (shouldPersistSessionMetadata(cfg)) {
+            if (entry.refreshToken)
+                refreshTokenIndex.delete(entry.refreshToken);
+            if (entry.prevRefreshToken)
+                refreshTokenIndex.delete(entry.prevRefreshToken);
+            entry.token = null;
+            entry.refreshToken = null;
+            entry.prevRefreshToken = null;
+            entry.prevTokenExpiresAt = null;
+            entry.refreshTokenPlain = null;
+            sweepExpiredTombstones();
+        }
+        else {
+            purgeSessionImpl(sessionId);
+        }
+    }
+    function trimSessionsToCapacity() {
+        sweepExpiredTombstones();
+        while (sessions.size >= DEFAULT_MAX_ENTRIES) {
+            const oldestSessionId = sessions.keys().next().value;
+            if (oldestSessionId === undefined)
+                break;
+            purgeSessionImpl(oldestSessionId);
+        }
+    }
+    function createSessionImpl(userId, token, sessionId, metadata, cfg) {
+        const now = Date.now();
+        const session = {
+            sessionId,
+            userId,
+            token,
+            createdAt: now,
+            lastActiveAt: now,
+            expiresAt: now + getSessionTtlMs(cfg),
+            ipAddress: metadata?.ipAddress,
+            userAgent: metadata?.userAgent,
+        };
+        trimSessionsToCapacity();
+        sessions.set(sessionId, session);
+        if (!userSessionIds.has(userId))
+            userSessionIds.set(userId, new Set());
+        userSessionIds.get(userId).add(sessionId);
+    }
+    return {
+        async createSession(userId, token, sessionId, metadata, cfg) {
+            createSessionImpl(userId, token, sessionId, metadata, cfg);
+        },
+        async atomicCreateSession(userId, token, sessionId, maxSessions, metadata, cfg) {
+            const now = Date.now();
+            const ids = userSessionIds.get(userId);
+            if (ids) {
+                let activeCount = 0;
+                let oldest = null;
+                for (const sid of ids) {
+                    const s = sessions.get(sid);
+                    if (s && s.token && s.expiresAt > now) {
+                        activeCount++;
+                        if (!oldest || s.createdAt < oldest.createdAt)
+                            oldest = s;
+                    }
+                }
+                while (activeCount >= maxSessions && oldest) {
+                    deleteSessionImpl(oldest.sessionId, cfg);
+                    activeCount--;
+                    oldest = null;
+                    for (const sid of ids) {
+                        const s = sessions.get(sid);
+                        if (s && s.token && s.expiresAt > now) {
+                            if (!oldest || s.createdAt < oldest.createdAt)
+                                oldest = s;
+                        }
+                    }
+                }
+            }
+            createSessionImpl(userId, token, sessionId, metadata, cfg);
+        },
+        async getSession(sessionId, cfg) {
+            const entry = sessions.get(sessionId);
+            if (!entry || !entry.token || entry.expiresAt <= Date.now())
+                return null;
+            if (isIdleExpired(entry.lastActiveAt, cfg)) {
+                deleteSessionImpl(sessionId, cfg);
+                return null;
+            }
+            return entry.token;
+        },
+        async deleteSession(sessionId, cfg) {
+            deleteSessionImpl(sessionId, cfg);
+        },
+        async getUserSessions(userId, cfg) {
+            const ids = userSessionIds.get(userId);
+            if (!ids)
+                return [];
+            const now = Date.now();
+            const config = cfg ?? DEFAULT_AUTH_CONFIG;
+            const includeInactive = config.includeInactiveSessions;
+            const persist = config.persistSessionMetadata;
+            const results = [];
+            for (const sessionId of ids) {
+                const s = sessions.get(sessionId);
+                if (!s)
+                    continue;
+                const isActive = !!s.token && s.expiresAt > now;
+                if (!isActive && !persist)
+                    continue;
+                if (!isActive && !includeInactive)
+                    continue;
+                results.push({
+                    sessionId: s.sessionId,
+                    createdAt: s.createdAt,
+                    lastActiveAt: s.lastActiveAt,
+                    expiresAt: s.expiresAt,
+                    ipAddress: s.ipAddress,
+                    userAgent: s.userAgent,
+                    isActive,
+                });
+            }
+            return results;
+        },
+        async getActiveSessionCount(userId) {
+            const ids = userSessionIds.get(userId);
+            if (!ids)
+                return 0;
+            const now = Date.now();
+            let count = 0;
+            for (const sessionId of ids) {
+                const s = sessions.get(sessionId);
+                if (s && s.token && s.expiresAt > now)
+                    count++;
+            }
+            return count;
+        },
+        async evictOldestSession(userId, cfg) {
+            const ids = userSessionIds.get(userId);
+            if (!ids)
+                return;
+            const now = Date.now();
+            let oldest = null;
+            for (const sessionId of ids) {
+                const s = sessions.get(sessionId);
+                if (!s || !s.token || s.expiresAt <= now)
+                    continue;
+                if (!oldest || s.createdAt < oldest.createdAt)
+                    oldest = s;
+            }
+            if (oldest)
+                deleteSessionImpl(oldest.sessionId, cfg);
+        },
+        async updateSessionLastActive(sessionId) {
+            const entry = sessions.get(sessionId);
+            if (entry)
+                entry.lastActiveAt = Date.now();
+        },
+        async setRefreshToken(sessionId, refreshToken) {
+            const entry = sessions.get(sessionId);
+            if (!entry)
+                return;
+            const tokenHash = hashToken(refreshToken);
+            if (entry.refreshToken && entry.refreshToken !== tokenHash) {
+                refreshTokenIndex.delete(entry.refreshToken);
+            }
+            entry.refreshToken = tokenHash;
+            refreshTokenIndex.set(tokenHash, sessionId);
+        },
+        async getSessionByRefreshToken(refreshToken, cfg) {
+            const tokenHash = hashToken(refreshToken);
+            const sessionId = refreshTokenIndex.get(tokenHash);
+            if (!sessionId)
+                return null;
+            const entry = sessions.get(sessionId);
+            if (!entry)
+                return null;
+            if (isIdleExpired(entry.lastActiveAt, cfg)) {
+                deleteSessionImpl(sessionId, cfg);
+                return null;
+            }
+            if (entry.refreshToken && timingSafeEqual(entry.refreshToken, tokenHash)) {
+                return { sessionId: entry.sessionId, userId: entry.userId, newRefreshToken: refreshToken };
+            }
+            if (entry.prevRefreshToken &&
+                timingSafeEqual(entry.prevRefreshToken, tokenHash) &&
+                entry.prevTokenExpiresAt &&
+                entry.prevTokenExpiresAt > Date.now()) {
+                return {
+                    sessionId: entry.sessionId,
+                    userId: entry.userId,
+                    newRefreshToken: entry.refreshTokenPlain ?? entry.refreshToken,
+                };
+            }
+            if (entry.prevRefreshToken && timingSafeEqual(entry.prevRefreshToken, tokenHash)) {
+                deleteSessionImpl(sessionId, cfg);
+                return null;
+            }
+            return null;
+        },
+        async rotateRefreshToken(sessionId, newRefreshToken, newAccessToken, cfg) {
+            const entry = sessions.get(sessionId);
+            if (!entry)
+                return;
+            const graceSeconds = (cfg ?? DEFAULT_AUTH_CONFIG).refreshToken?.rotationGraceSeconds ?? 30;
+            const newHash = hashToken(newRefreshToken);
+            const oldHash = entry.refreshToken;
+            if (entry.prevRefreshToken && entry.prevRefreshToken !== oldHash) {
+                refreshTokenIndex.delete(entry.prevRefreshToken);
+            }
+            entry.prevRefreshToken = oldHash;
+            entry.prevTokenExpiresAt = Date.now() + graceSeconds * 1000;
+            entry.refreshToken = newHash;
+            entry.refreshTokenPlain = newRefreshToken;
+            entry.token = newAccessToken;
+            refreshTokenIndex.set(newHash, sessionId);
+        },
+        async getSessionFingerprint(sessionId) {
+            return sessions.get(sessionId)?.fingerprint ?? null;
+        },
+        async setSessionFingerprint(sessionId, fingerprint) {
+            const entry = sessions.get(sessionId);
+            if (entry)
+                entry.fingerprint = fingerprint;
+        },
+        async setMfaVerifiedAt(sessionId) {
+            const entry = sessions.get(sessionId);
+            if (entry)
+                entry.mfaVerifiedAt = Math.floor(Date.now() / 1000);
+        },
+        async getMfaVerifiedAt(sessionId) {
+            return sessions.get(sessionId)?.mfaVerifiedAt ?? null;
+        },
+    };
+}
+// ---------------------------------------------------------------------------
+// SQLite repository factory
+// ---------------------------------------------------------------------------
+export function createSqliteSessionRepository(db) {
+    let initialized = false;
+    function init() {
+        if (initialized)
+            return;
+        // Sessions table is created by sqliteAuth adapter's initSchema.
+        // Only create if it doesn't exist (standalone usage).
+        db.run(`CREATE TABLE IF NOT EXISTS sessions (
+      sessionId         TEXT PRIMARY KEY,
+      userId            TEXT NOT NULL,
+      token             TEXT,
+      createdAt         INTEGER NOT NULL,
+      lastActiveAt      INTEGER NOT NULL,
+      expiresAt         INTEGER NOT NULL,
+      ipAddress         TEXT,
+      userAgent         TEXT,
+      refreshToken      TEXT,
+      prevRefreshToken   TEXT,
+      prevTokenExpiresAt INTEGER,
+      fingerprint       TEXT,
+      mfaVerifiedAt     INTEGER,
+      refreshTokenPlain  TEXT
+    )`);
+        db.run('CREATE INDEX IF NOT EXISTS idx_sessions_userId ON sessions(userId)');
+        db.run('CREATE UNIQUE INDEX IF NOT EXISTS idx_sessions_refreshToken ON sessions(refreshToken) WHERE refreshToken IS NOT NULL');
+        initialized = true;
+    }
+    function deleteSessionImpl(sessionId, cfg) {
+        init();
+        if ((cfg ?? DEFAULT_AUTH_CONFIG).persistSessionMetadata) {
+            db.run('UPDATE sessions SET token = NULL, refreshToken = NULL, prevRefreshToken = NULL, prevTokenExpiresAt = NULL WHERE sessionId = ?', [sessionId]);
+        }
+        else {
+            db.run('DELETE FROM sessions WHERE sessionId = ?', [sessionId]);
+        }
+    }
+    return {
+        async createSession(userId, token, sessionId, metadata, cfg) {
+            init();
+            const now = Date.now();
+            const expiresAt = now + getSessionTtlMs(cfg);
+            db.run('INSERT INTO sessions (sessionId, userId, token, createdAt, lastActiveAt, expiresAt, ipAddress, userAgent) VALUES (?, ?, ?, ?, ?, ?, ?, ?)', [
+                sessionId,
+                userId,
+                token,
+                now,
+                now,
+                expiresAt,
+                metadata?.ipAddress ?? null,
+                metadata?.userAgent ?? null,
+            ]);
+        },
+        async atomicCreateSession(userId, token, sessionId, maxSessions, metadata, cfg) {
+            init();
+            const now = Date.now();
+            const ttlMs = getSessionTtlMs(cfg);
+            const expiresAt = now + ttlMs;
+            db.transaction(() => {
+                const countRow = db
+                    .query('SELECT COUNT(*) AS count FROM sessions WHERE userId = ? AND token IS NOT NULL AND expiresAt > ?')
+                    .get(userId, now);
+                let activeCount = countRow?.count ?? 0;
+                while (activeCount >= maxSessions) {
+                    const oldest = db
+                        .query('SELECT sessionId FROM sessions WHERE userId = ? AND token IS NOT NULL AND expiresAt > ? ORDER BY createdAt ASC LIMIT 1')
+                        .get(userId, now);
+                    if (!oldest)
+                        break;
+                    deleteSessionImpl(oldest.sessionId, cfg);
+                    activeCount--;
+                }
+                db.run('INSERT INTO sessions (sessionId, userId, token, createdAt, lastActiveAt, expiresAt, ipAddress, userAgent) VALUES (?, ?, ?, ?, ?, ?, ?, ?)', [
+                    sessionId,
+                    userId,
+                    token,
+                    now,
+                    now,
+                    expiresAt,
+                    metadata?.ipAddress ?? null,
+                    metadata?.userAgent ?? null,
+                ]);
+            })();
+        },
+        async getSession(sessionId, cfg) {
+            init();
+            const row = db
+                .query('SELECT token, lastActiveAt FROM sessions WHERE sessionId = ? AND expiresAt > ?')
+                .get(sessionId, Date.now());
+            if (!row || !row.token)
+                return null;
+            if (isIdleExpired(row.lastActiveAt, cfg)) {
+                deleteSessionImpl(sessionId, cfg);
+                return null;
+            }
+            return row.token;
+        },
+        async deleteSession(sessionId, cfg) {
+            deleteSessionImpl(sessionId, cfg);
+        },
+        async getUserSessions(userId, cfg) {
+            init();
+            const now = Date.now();
+            const rows = db
+                .query('SELECT sessionId, token, createdAt, lastActiveAt, expiresAt, ipAddress, userAgent FROM sessions WHERE userId = ? ORDER BY createdAt ASC')
+                .all(userId);
+            const config = cfg ?? DEFAULT_AUTH_CONFIG;
+            const includeInactive = config.includeInactiveSessions;
+            const persist = config.persistSessionMetadata;
+            const results = [];
+            for (const row of rows) {
+                const isActive = !!row.token && row.expiresAt > now;
+                if (!isActive && !persist)
+                    continue;
+                if (!isActive && !includeInactive)
+                    continue;
+                results.push({
+                    sessionId: row.sessionId,
+                    createdAt: row.createdAt,
+                    lastActiveAt: row.lastActiveAt,
+                    expiresAt: row.expiresAt,
+                    ipAddress: row.ipAddress ?? undefined,
+                    userAgent: row.userAgent ?? undefined,
+                    isActive,
+                });
+            }
+            return results;
+        },
+        async getActiveSessionCount(userId) {
+            init();
+            const row = db
+                .query('SELECT COUNT(*) AS count FROM sessions WHERE userId = ? AND token IS NOT NULL AND expiresAt > ?')
+                .get(userId, Date.now());
+            return row?.count ?? 0;
+        },
+        async evictOldestSession(userId, cfg) {
+            init();
+            const now = Date.now();
+            const oldest = db
+                .query('SELECT sessionId FROM sessions WHERE userId = ? AND token IS NOT NULL AND expiresAt > ? ORDER BY createdAt ASC LIMIT 1')
+                .get(userId, now);
+            if (oldest)
+                deleteSessionImpl(oldest.sessionId, cfg);
+        },
+        async updateSessionLastActive(sessionId) {
+            init();
+            db.run('UPDATE sessions SET lastActiveAt = ? WHERE sessionId = ?', [Date.now(), sessionId]);
+        },
+        async setRefreshToken(sessionId, refreshToken) {
+            init();
+            const tokenHash = hashToken(refreshToken);
+            db.run('UPDATE sessions SET refreshToken = ? WHERE sessionId = ?', [tokenHash, sessionId]);
+        },
+        async getSessionByRefreshToken(refreshToken, cfg) {
+            init();
+            const tokenHash = hashToken(refreshToken);
+            let row = db
+                .query('SELECT sessionId, userId, refreshToken, lastActiveAt FROM sessions WHERE refreshToken = ?')
+                .get(tokenHash);
+            if (row) {
+                if (isIdleExpired(row.lastActiveAt, cfg)) {
+                    deleteSessionImpl(row.sessionId, cfg);
+                    return null;
+                }
+                return { sessionId: row.sessionId, userId: row.userId, newRefreshToken: refreshToken };
+            }
+            const graceRow = db
+                .query('SELECT sessionId, userId, refreshToken, refreshTokenPlain, prevTokenExpiresAt, lastActiveAt FROM sessions WHERE prevRefreshToken = ?')
+                .get(tokenHash);
+            if (!graceRow)
+                return null;
+            if (isIdleExpired(graceRow.lastActiveAt, cfg)) {
+                deleteSessionImpl(graceRow.sessionId, cfg);
+                return null;
+            }
+            if (graceRow.prevTokenExpiresAt && graceRow.prevTokenExpiresAt > Date.now()) {
+                return {
+                    sessionId: graceRow.sessionId,
+                    userId: graceRow.userId,
+                    newRefreshToken: graceRow.refreshTokenPlain ?? graceRow.refreshToken,
+                };
+            }
+            deleteSessionImpl(graceRow.sessionId, cfg);
+            return null;
+        },
+        async rotateRefreshToken(sessionId, newRefreshToken, newAccessToken, cfg) {
+            init();
+            const graceSeconds = (cfg ?? DEFAULT_AUTH_CONFIG).refreshToken?.rotationGraceSeconds ?? 30;
+            const prevTokenExpiresAt = Date.now() + graceSeconds * 1000;
+            const newHash = hashToken(newRefreshToken);
+            db.run('UPDATE sessions SET prevRefreshToken = refreshToken, prevTokenExpiresAt = ?, refreshToken = ?, refreshTokenPlain = ?, token = ? WHERE sessionId = ?', [prevTokenExpiresAt, newHash, newRefreshToken, newAccessToken, sessionId]);
+        },
+        async getSessionFingerprint(sessionId) {
+            init();
+            const row = db
+                .query('SELECT fingerprint FROM sessions WHERE sessionId = ?')
+                .get(sessionId);
+            return row?.fingerprint ?? null;
+        },
+        async setSessionFingerprint(sessionId, fingerprint) {
+            init();
+            db.run('UPDATE sessions SET fingerprint = ? WHERE sessionId = ?', [fingerprint, sessionId]);
+        },
+        async setMfaVerifiedAt(sessionId) {
+            init();
+            const now = Math.floor(Date.now() / 1000);
+            db.run('UPDATE sessions SET mfaVerifiedAt = ? WHERE sessionId = ?', [now, sessionId]);
+        },
+        async getMfaVerifiedAt(sessionId) {
+            init();
+            const row = db
+                .query('SELECT mfaVerifiedAt FROM sessions WHERE sessionId = ?')
+                .get(sessionId);
+            return row?.mfaVerifiedAt ?? null;
+        },
+    };
+}
+// ---------------------------------------------------------------------------
+// Redis repository factory
+// ---------------------------------------------------------------------------
+export function createRedisSessionRepository(getRedis, appName) {
+    function sessionKey(sessionId) {
+        return `session:${appName}:${sessionId}`;
+    }
+    function userSessionsKey(userId) {
+        return `usersessions:${appName}:${userId}`;
+    }
+    function refreshTokenKey(refreshToken) {
+        return `refreshtoken:${appName}:${refreshToken}`;
+    }
+    // Lua script: atomic session field update
+    const UPDATE_FIELD_LUA = `
+local key = KEYS[1]
+local field = ARGV[1]
+local value = ARGV[2]
+local valueType = ARGV[3]
+local persist = ARGV[4] == "1"
+local raw = redis.call('GET', key)
+if not raw then return 0 end
+local rec = cjson.decode(raw)
+if valueType == "number" then
+  rec[field] = tonumber(value)
+else
+  rec[field] = value
+end
+if persist then
+  redis.call('SET', key, cjson.encode(rec))
+else
+  local ttl = redis.call('PTTL', key)
+  if ttl > 0 then
+    redis.call('SET', key, cjson.encode(rec), 'PX', ttl)
+  else
+    redis.call('SET', key, cjson.encode(rec))
+  end
+end
+return 1
+`;
+    const WRITE_SESSION_LUA = `
+local key = KEYS[1]
+local rawJson = ARGV[1]
+local persist = ARGV[2] == "1"
+if persist then
+  redis.call('SET', key, rawJson)
+else
+  local ttl = redis.call('PTTL', key)
+  if ttl > 0 then
+    redis.call('SET', key, rawJson, 'PX', ttl)
+  else
+    redis.call('SET', key, rawJson)
+  end
+end
+return 1
+`;
+    // Lua script: atomic session creation
+    const ATOMIC_CREATE_SESSION_LUA = `
+local userSessionsKey = KEYS[1]
+local newSessionKey = KEYS[2]
+local maxSessions = tonumber(ARGV[1])
+local sessionId = ARGV[2]
+local sessionJson = ARGV[3]
+local createdAt = tonumber(ARGV[4])
+local ttlSeconds = tonumber(ARGV[5])
+local persist = ARGV[6] == "1"
+local members = redis.call('ZRANGE', userSessionsKey, 0, -1)
+local activeCount = 0
+local activeSessions = {}
+for i, sid in ipairs(members) do
+  local keyPrefix = ARGV[7]
+  local sKey = keyPrefix .. sid
+  local raw = redis.call('GET', sKey)
+  if raw then
+    local rec = cjson.decode(raw)
+    if rec.token and rec.expiresAt > createdAt then
+      activeCount = activeCount + 1
+      table.insert(activeSessions, { sid = sid, key = sKey, createdAt = rec.createdAt })
+    end
+  else
+    redis.call('ZREM', userSessionsKey, sid)
+  end
+end
+table.sort(activeSessions, function(a, b) return a.createdAt < b.createdAt end)
+local evicted = 0
+while activeCount >= maxSessions and evicted < #activeSessions do
+  evicted = evicted + 1
+  local victim = activeSessions[evicted]
+  redis.call('DEL', victim.key)
+  redis.call('ZREM', userSessionsKey, victim.sid)
+  activeCount = activeCount - 1
+end
+if persist then
+  redis.call('SET', newSessionKey, sessionJson)
+else
+  redis.call('SET', newSessionKey, sessionJson, 'EX', ttlSeconds)
+end
+redis.call('ZADD', userSessionsKey, createdAt, sessionId)
+return evicted
+`;
+    async function updateSessionField(sessionId, field, value, persist, cfg) {
+        const redis = getRedis();
+        const key = sessionKey(sessionId);
+        const valueType = typeof value === 'number' ? 'number' : 'string';
+        const persistFlag = (persist ?? (cfg ?? DEFAULT_AUTH_CONFIG).persistSessionMetadata) ? '1' : '0';
+        const result = await redis.eval(UPDATE_FIELD_LUA, 1, key, field, String(value), valueType, persistFlag);
+        return result === 1;
+    }
+    async function writeSessionRecord(sessionId, record, cfg) {
+        const redis = getRedis();
+        const persistFlag = shouldPersistSessionMetadata(cfg) ? '1' : '0';
+        await redis.eval(WRITE_SESSION_LUA, 1, sessionKey(sessionId), JSON.stringify(record), persistFlag);
+    }
+    async function deleteSessionImpl(sessionId, cfg) {
+        const c = cfg ?? DEFAULT_AUTH_CONFIG;
+        const redis = getRedis();
+        const raw = await redis.get(sessionKey(sessionId));
+        if (!raw)
+            return;
+        const rec = JSON.parse(raw);
+        const persist = c.persistSessionMetadata;
+        if (rec.refreshToken)
+            await redis.del(refreshTokenKey(rec.refreshToken));
+        if (rec.prevRefreshToken)
+            await redis.del(refreshTokenKey(rec.prevRefreshToken));
+        if (persist) {
+            const updated = {
+                ...rec,
+                token: null,
+                refreshToken: null,
+                prevRefreshToken: null,
+                prevTokenExpiresAt: null,
+            };
+            await redis.set(sessionKey(sessionId), JSON.stringify(updated));
+        }
+        else {
+            await redis.del(sessionKey(sessionId));
+        }
+        if (!persist) {
+            await redis.zrem(userSessionsKey(rec.userId), sessionId);
+        }
+    }
+    async function getUserSessionsImpl(userId, cfg) {
+        const c = cfg ?? DEFAULT_AUTH_CONFIG;
+        const redis = getRedis();
+        const sessionIds = await redis.zrange(userSessionsKey(userId), 0, -1);
+        if (!sessionIds.length)
+            return [];
+        const now = Date.now();
+        const raws = await redis.mget(...sessionIds.map(sessionKey));
+        const results = [];
+        const toRemove = [];
+        for (let i = 0; i < sessionIds.length; i++) {
+            const raw = raws[i];
+            if (!raw) {
+                toRemove.push(sessionIds[i]);
+                continue;
+            }
+            const rec = JSON.parse(raw);
+            const isActive = !!rec.token && rec.expiresAt > now;
+            if (!isActive && !c.persistSessionMetadata) {
+                toRemove.push(sessionIds[i]);
+                continue;
+            }
+            if (!isActive && !c.includeInactiveSessions)
+                continue;
+            results.push({
+                sessionId: rec.sessionId,
+                createdAt: Number(rec.createdAt),
+                lastActiveAt: Number(rec.lastActiveAt),
+                expiresAt: Number(rec.expiresAt),
+                ipAddress: rec.ipAddress,
+                userAgent: rec.userAgent,
+                isActive,
+            });
+        }
+        if (toRemove.length) {
+            await redis.zrem(userSessionsKey(userId), ...toRemove);
+        }
+        return results;
+    }
+    return {
+        async createSession(userId, token, sessionId, metadata, cfg) {
+            const c = cfg ?? DEFAULT_AUTH_CONFIG;
+            const now = Date.now();
+            const ttlSeconds = getSessionTtlSeconds(c);
+            const expiresAt = now + getSessionTtlMs(c);
+            const record = JSON.stringify({
+                sessionId,
+                userId,
+                token,
+                createdAt: now,
+                lastActiveAt: now,
+                expiresAt,
+                ipAddress: metadata?.ipAddress,
+                userAgent: metadata?.userAgent,
+            });
+            const redis = getRedis();
+            const persist = c.persistSessionMetadata;
+            if (persist) {
+                await redis.set(sessionKey(sessionId), record);
+            }
+            else {
+                await redis.set(sessionKey(sessionId), record, 'EX', ttlSeconds);
+            }
+            await redis.zadd(userSessionsKey(userId), now, sessionId);
+        },
+        async atomicCreateSession(userId, token, sessionId, maxSessions, metadata, cfg) {
+            const c = cfg ?? DEFAULT_AUTH_CONFIG;
+            const now = Date.now();
+            const ttlSeconds = getSessionTtlSeconds(c);
+            const expiresAt = now + getSessionTtlMs(c);
+            const record = JSON.stringify({
+                sessionId,
+                userId,
+                token,
+                createdAt: now,
+                lastActiveAt: now,
+                expiresAt,
+                ipAddress: metadata?.ipAddress,
+                userAgent: metadata?.userAgent,
+            });
+            const redis = getRedis();
+            const persist = c.persistSessionMetadata;
+            const sessionKeyPrefix = `session:${appName}:`;
+            await redis.eval(ATOMIC_CREATE_SESSION_LUA, 2, userSessionsKey(userId), sessionKey(sessionId), maxSessions, sessionId, record, now, ttlSeconds, persist ? '1' : '0', sessionKeyPrefix);
+        },
+        async getSession(sessionId, cfg) {
+            const raw = await getRedis().get(sessionKey(sessionId));
+            if (!raw)
+                return null;
+            const rec = JSON.parse(raw);
+            if (!rec.token)
+                return null;
+            if (rec.expiresAt <= Date.now())
+                return null;
+            if (typeof rec.lastActiveAt === 'number' && isIdleExpired(rec.lastActiveAt, cfg)) {
+                await deleteSessionImpl(sessionId, cfg);
+                return null;
+            }
+            return rec.token;
+        },
+        async deleteSession(sessionId, cfg) {
+            await deleteSessionImpl(sessionId, cfg);
+        },
+        async getUserSessions(userId, cfg) {
+            return getUserSessionsImpl(userId, cfg);
+        },
+        async getActiveSessionCount(userId, cfg) {
+            const sessions = await getUserSessionsImpl(userId, cfg);
+            return sessions.filter(s => s.isActive).length;
+        },
+        async evictOldestSession(userId, cfg) {
+            const redis = getRedis();
+            const sessionIds = await redis.zrange(userSessionsKey(userId), 0, -1);
+            const now = Date.now();
+            for (const sid of sessionIds) {
+                const raw = await redis.get(sessionKey(sid));
+                if (!raw) {
+                    await redis.zrem(userSessionsKey(userId), sid);
+                    continue;
+                }
+                const rec = JSON.parse(raw);
+                if (rec.token && rec.expiresAt > now) {
+                    await deleteSessionImpl(sid, cfg);
+                    return;
+                }
+            }
+        },
+        async updateSessionLastActive(sessionId, cfg) {
+            const c = cfg ?? DEFAULT_AUTH_CONFIG;
+            const now = Date.now();
+            const updated = await updateSessionField(sessionId, 'lastActiveAt', now, undefined, c);
+            if (!updated)
+                return;
+            if (!c.persistSessionMetadata) {
+                const redis = getRedis();
+                const raw = await redis.get(sessionKey(sessionId));
+                if (raw) {
+                    const rec = JSON.parse(raw);
+                    if (rec.expiresAt <= now) {
+                        await deleteSessionImpl(sessionId, c);
+                    }
+                }
+            }
+        },
+        async setRefreshToken(sessionId, refreshToken, cfg) {
+            const redis = getRedis();
+            const raw = await redis.get(sessionKey(sessionId));
+            if (!raw)
+                return;
+            const rec = JSON.parse(raw);
+            const tokenHash = hashToken(refreshToken);
+            const oldHash = typeof rec.refreshToken === 'string' ? rec.refreshToken : null;
+            rec.refreshToken = tokenHash;
+            const refreshExpiry = (cfg ?? DEFAULT_AUTH_CONFIG).refreshToken?.refreshTokenExpiry ?? 2_592_000;
+            await writeSessionRecord(sessionId, rec, cfg);
+            if (oldHash && oldHash !== tokenHash) {
+                await redis.del(refreshTokenKey(oldHash));
+            }
+            await redis.set(refreshTokenKey(tokenHash), sessionId, 'EX', refreshExpiry);
+        },
+        async getSessionByRefreshToken(refreshToken, cfg) {
+            const redis = getRedis();
+            const tokenHash = hashToken(refreshToken);
+            const sessionId = await redis.get(refreshTokenKey(tokenHash));
+            if (!sessionId)
+                return null;
+            const raw = await redis.get(sessionKey(sessionId));
+            if (!raw)
+                return null;
+            const rec = JSON.parse(raw);
+            if (typeof rec.lastActiveAt === 'number' && isIdleExpired(rec.lastActiveAt, cfg)) {
+                await deleteSessionImpl(sessionId, cfg);
+                return null;
+            }
+            if (timingSafeEqual(rec.refreshToken ?? '', tokenHash)) {
+                return { sessionId: rec.sessionId, userId: rec.userId, newRefreshToken: refreshToken };
+            }
+            if (timingSafeEqual(rec.prevRefreshToken ?? '', tokenHash) &&
+                rec.prevTokenExpiresAt &&
+                rec.prevTokenExpiresAt > Date.now()) {
+                return {
+                    sessionId: rec.sessionId,
+                    userId: rec.userId,
+                    newRefreshToken: rec.refreshTokenPlain ?? rec.refreshToken,
+                };
+            }
+            if (timingSafeEqual(rec.prevRefreshToken ?? '', tokenHash)) {
+                await deleteSessionImpl(sessionId, cfg);
+                return null;
+            }
+            return null;
+        },
+        async rotateRefreshToken(sessionId, newRefreshToken, newAccessToken, cfg) {
+            const c = cfg ?? DEFAULT_AUTH_CONFIG;
+            const redis = getRedis();
+            const raw = await redis.get(sessionKey(sessionId));
+            if (!raw)
+                return;
+            const rec = JSON.parse(raw);
+            const graceSeconds = c.refreshToken?.rotationGraceSeconds ?? 30;
+            const refreshExpiry = c.refreshToken?.refreshTokenExpiry ?? 2_592_000;
+            const newHash = hashToken(newRefreshToken);
+            const oldHash = rec.refreshToken;
+            const oldPrevHash = rec.prevRefreshToken;
+            rec.prevRefreshToken = oldHash;
+            rec.prevTokenExpiresAt = Date.now() + graceSeconds * 1000;
+            rec.refreshToken = newHash;
+            rec.refreshTokenPlain = newRefreshToken;
+            rec.token = newAccessToken;
+            await writeSessionRecord(sessionId, rec, c);
+            await redis.set(refreshTokenKey(newHash), sessionId, 'EX', refreshExpiry);
+            if (oldPrevHash && oldPrevHash !== oldHash) {
+                await redis.del(refreshTokenKey(oldPrevHash));
+            }
+            if (oldHash) {
+                const oldKeyTtl = Math.max(graceSeconds, 60);
+                await redis.expire(refreshTokenKey(oldHash), oldKeyTtl);
+            }
+        },
+        async getSessionFingerprint(sessionId) {
+            const redis = getRedis();
+            const raw = await redis.get(sessionKey(sessionId));
+            if (!raw)
+                return null;
+            const rec = JSON.parse(raw);
+            return rec.fingerprint ?? null;
+        },
+        async setSessionFingerprint(sessionId, fingerprint) {
+            await updateSessionField(sessionId, 'fingerprint', fingerprint);
+        },
+        async setMfaVerifiedAt(sessionId) {
+            const now = Math.floor(Date.now() / 1000);
+            await updateSessionField(sessionId, 'mfaVerifiedAt', now);
+        },
+        async getMfaVerifiedAt(sessionId) {
+            const redis = getRedis();
+            const raw = await redis.get(sessionKey(sessionId));
+            if (!raw)
+                return null;
+            const rec = JSON.parse(raw);
+            return rec.mfaVerifiedAt ?? null;
+        },
+    };
+}
+export function createMongoSessionRepository(conn, mg) {
+    function getSessionModel() {
+        if (conn.models['Session'])
+            return conn.models['Session'];
+        const { Schema } = mg;
+        const sessionSchema = new Schema({
+            sessionId: { type: String, required: true, unique: true },
+            userId: { type: String, required: true, index: true },
+            token: { type: String, default: null },
+            createdAt: { type: Date, required: true },
+            lastActiveAt: { type: Date, required: true },
+            expiresAt: { type: Date, required: true },
+            ipAddress: { type: String },
+            userAgent: { type: String },
+            refreshToken: { type: String, default: null },
+            prevRefreshToken: { type: String, default: null },
+            prevTokenExpiresAt: { type: Date, default: null },
+            refreshTokenPlain: { type: String, default: null },
+            fingerprint: { type: String, default: null },
+            mfaVerifiedAt: { type: Number, default: null },
+        }, { collection: 'sessions', timestamps: false });
+        sessionSchema.index({ refreshToken: 1 }, { unique: true, partialFilterExpression: { refreshToken: { $type: 'string' } } });
+        if (!DEFAULT_AUTH_CONFIG.persistSessionMetadata) {
+            sessionSchema.index({ expiresAt: 1 }, { expireAfterSeconds: 0 });
+        }
+        return conn.model('Session', sessionSchema);
+    }
+    function deleteSessionImpl(sessionId, cfg) {
+        const c = cfg ?? DEFAULT_AUTH_CONFIG;
+        const Session = getSessionModel();
+        if (c.persistSessionMetadata) {
+            return Session.updateOne({ sessionId }, {
+                $set: {
+                    token: null,
+                    refreshToken: null,
+                    prevRefreshToken: null,
+                    prevTokenExpiresAt: null,
+                },
+            }).then(() => { });
+        }
+        return Session.deleteOne({ sessionId }).then(() => { });
+    }
+    return {
+        async createSession(userId, token, sessionId, metadata, cfg) {
+            const now = new Date();
+            const expiresAt = new Date(Date.now() + getSessionTtlMs(cfg));
+            await getSessionModel().create({
+                sessionId,
+                userId,
+                token,
+                createdAt: now,
+                lastActiveAt: now,
+                expiresAt,
+                ipAddress: metadata?.ipAddress,
+                userAgent: metadata?.userAgent,
+            });
+        },
+        async atomicCreateSession(userId, token, sessionId, maxSessions, metadata, cfg) {
+            const c = cfg ?? DEFAULT_AUTH_CONFIG;
+            const session = await conn.startSession();
+            try {
+                await session.withTransaction(async () => {
+                    const Session = getSessionModel();
+                    const now = new Date();
+                    let activeCount = await Session.countDocuments({ userId, token: { $ne: null }, expiresAt: { $gt: now } }, { session });
+                    while (activeCount >= maxSessions) {
+                        const oldest = await Session.findOne({ userId, token: { $ne: null }, expiresAt: { $gt: now } }, 'sessionId', { session, sort: { createdAt: 1 } }).lean();
+                        if (!oldest)
+                            break;
+                        if (c.persistSessionMetadata) {
+                            await Session.updateOne({ sessionId: oldest.sessionId }, {
+                                $set: {
+                                    token: null,
+                                    refreshToken: null,
+                                    prevRefreshToken: null,
+                                    prevTokenExpiresAt: null,
+                                },
+                            }, { session });
+                        }
+                        else {
+                            await Session.deleteOne({ sessionId: oldest.sessionId }, { session });
+                        }
+                        activeCount--;
+                    }
+                    const expiresAt = new Date(Date.now() + getSessionTtlMs(c));
+                    await Session.create([
+                        {
+                            sessionId,
+                            userId,
+                            token,
+                            createdAt: now,
+                            lastActiveAt: now,
+                            expiresAt,
+                            ipAddress: metadata?.ipAddress,
+                            userAgent: metadata?.userAgent,
+                        },
+                    ], { session });
+                });
+            }
+            finally {
+                await session.endSession();
+            }
+        },
+        async getSession(sessionId, cfg) {
+            const doc = (await getSessionModel()
+                .findOne({ sessionId, expiresAt: { $gt: new Date() } }, 'token lastActiveAt')
+                .lean());
+            if (!doc?.token)
+                return null;
+            if (isIdleExpired(doc.lastActiveAt.getTime(), cfg)) {
+                await deleteSessionImpl(sessionId, cfg);
+                return null;
+            }
+            return doc.token;
+        },
+        async deleteSession(sessionId, cfg) {
+            await deleteSessionImpl(sessionId, cfg);
+        },
+        async getUserSessions(userId, cfg) {
+            const c = cfg ?? DEFAULT_AUTH_CONFIG;
+            const now = new Date();
+            const includeInactive = c.includeInactiveSessions;
+            const persist = c.persistSessionMetadata;
+            const query = { userId };
+            if (!includeInactive) {
+                query.token = { $ne: null };
+                query.expiresAt = { $gt: now };
+            }
+            const docs = await getSessionModel().find(query).lean();
+            const results = [];
+            for (const doc of docs) {
+                const isActive = !!doc.token && doc.expiresAt > now;
+                if (!isActive && !persist)
+                    continue;
+                if (!isActive && !includeInactive)
+                    continue;
+                results.push({
+                    sessionId: doc.sessionId,
+                    createdAt: doc.createdAt.getTime(),
+                    lastActiveAt: doc.lastActiveAt.getTime(),
+                    expiresAt: doc.expiresAt.getTime(),
+                    ipAddress: doc.ipAddress,
+                    userAgent: doc.userAgent,
+                    isActive,
+                });
+            }
+            return results;
+        },
+        async getActiveSessionCount(userId) {
+            const now = new Date();
+            return getSessionModel().countDocuments({
+                userId,
+                token: { $ne: null },
+                expiresAt: { $gt: now },
+            });
+        },
+        async evictOldestSession(userId, cfg) {
+            const now = new Date();
+            const oldest = await getSessionModel()
+                .findOne({ userId, token: { $ne: null }, expiresAt: { $gt: now } }, 'sessionId')
+                .sort({ createdAt: 1 })
+                .lean();
+            if (oldest)
+                await deleteSessionImpl(oldest.sessionId, cfg);
+        },
+        async updateSessionLastActive(sessionId) {
+            await getSessionModel().updateOne({ sessionId }, { $set: { lastActiveAt: new Date() } });
+        },
+        async setRefreshToken(sessionId, refreshToken) {
+            const tokenHash = hashToken(refreshToken);
+            await getSessionModel().updateOne({ sessionId }, { $set: { refreshToken: tokenHash } });
+        },
+        async getSessionByRefreshToken(refreshToken, cfg) {
+            const Session = getSessionModel();
+            const tokenHash = hashToken(refreshToken);
+            let doc = (await Session.findOne({ refreshToken: tokenHash }).lean());
+            if (doc) {
+                if (isIdleExpired(doc.lastActiveAt.getTime(), cfg)) {
+                    await deleteSessionImpl(doc.sessionId, cfg);
+                    return null;
+                }
+                return { sessionId: doc.sessionId, userId: doc.userId, newRefreshToken: refreshToken };
+            }
+            doc = (await Session.findOne({ prevRefreshToken: tokenHash }).lean());
+            if (!doc)
+                return null;
+            if (isIdleExpired(doc.lastActiveAt.getTime(), cfg)) {
+                await deleteSessionImpl(doc.sessionId, cfg);
+                return null;
+            }
+            if (doc.prevTokenExpiresAt && doc.prevTokenExpiresAt > new Date()) {
+                return {
+                    sessionId: doc.sessionId,
+                    userId: doc.userId,
+                    newRefreshToken: doc.refreshTokenPlain ?? doc.refreshToken,
+                };
+            }
+            await deleteSessionImpl(doc.sessionId, cfg);
+            return null;
+        },
+        async rotateRefreshToken(sessionId, newRefreshToken, newAccessToken, cfg) {
+            const graceSeconds = (cfg ?? DEFAULT_AUTH_CONFIG).refreshToken?.rotationGraceSeconds ?? 30;
+            const Session = getSessionModel();
+            const doc = await Session.findOne({ sessionId });
+            if (!doc)
+                return;
+            const newHash = hashToken(newRefreshToken);
+            doc.prevRefreshToken = doc.refreshToken;
+            doc.prevTokenExpiresAt = new Date(Date.now() + graceSeconds * 1000);
+            doc.refreshToken = newHash;
+            doc.refreshTokenPlain = newRefreshToken;
+            doc.token = newAccessToken;
+            await doc.save();
+        },
+        async getSessionFingerprint(sessionId) {
+            const doc = await getSessionModel().findOne({ sessionId }, 'fingerprint').lean();
+            return doc?.fingerprint ?? null;
+        },
+        async setSessionFingerprint(sessionId, fingerprint) {
+            await getSessionModel().updateOne({ sessionId }, { $set: { fingerprint } });
+        },
+        async setMfaVerifiedAt(sessionId) {
+            const now = Math.floor(Date.now() / 1000);
+            await getSessionModel().updateOne({ sessionId }, { $set: { mfaVerifiedAt: now } });
+        },
+        async getMfaVerifiedAt(sessionId) {
+            const doc = await getSessionModel().findOne({ sessionId }, 'mfaVerifiedAt').lean();
+            return doc?.mfaVerifiedAt ?? null;
+        },
+    };
+}
+// ---------------------------------------------------------------------------
+// Factory map
+// ---------------------------------------------------------------------------
+export const sessionFactories = {
+    memory: () => createMemorySessionRepository(),
+    sqlite: infra => createSqliteSessionRepository(infra.getSqliteDb()),
+    redis: infra => createRedisSessionRepository(infra.getRedis, infra.appName),
+    mongo: infra => {
+        const { conn, mg } = infra.getMongo();
+        return createMongoSessionRepository(conn, mg);
+    },
+    postgres: () => {
+        throw new Error('[bunshot-auth] postgres store is not yet supported for session repository');
+    },
+};
+// ---------------------------------------------------------------------------
+// Public API — thin wrappers delegating to ISessionRepository
+//
+// Callers pass the repo directly (resolved in bootstrap via sessionFactories).
+// ---------------------------------------------------------------------------
+export const createSession = async (repo, userId, token, sessionId, metadata, config) => {
+    await repo.createSession(userId, token, sessionId, metadata, config);
+};
+export const atomicCreateSession = async (repo, userId, token, sessionId, maxSessions, metadata, config) => {
+    await repo.atomicCreateSession(userId, token, sessionId, maxSessions, metadata, config);
+};
+export const getSession = async (repo, sessionId, config) => {
+    const cfg = config ?? DEFAULT_AUTH_CONFIG;
+    return repo.getSession(sessionId, cfg);
+};
+export const deleteSession = async (repo, sessionId, config) => {
+    await repo.deleteSession(sessionId, config);
+};
+export const getUserSessions = async (repo, userId, config) => {
+    return repo.getUserSessions(userId, config);
+};
+export const getActiveSessionCount = async (repo, userId, config) => {
+    return repo.getActiveSessionCount(userId, config);
+};
+export const evictOldestSession = async (repo, userId, config) => {
+    await repo.evictOldestSession(userId, config);
+};
+export const deleteUserSessions = async (repo, userId, config) => {
+    const sessions = await repo.getUserSessions(userId, config);
+    await Promise.all(sessions.map(s => repo.deleteSession(s.sessionId, config)));
+};
+export const deleteOtherSessions = async (repo, userId, currentSessionId, config) => {
+    const sessions = await repo.getUserSessions(userId, config);
+    const others = sessions.filter(s => s.sessionId !== currentSessionId);
+    await Promise.all(others.map(s => repo.deleteSession(s.sessionId, config)));
+};
+export const updateSessionLastActive = async (repo, sessionId, config) => {
+    await repo.updateSessionLastActive(sessionId, config);
+};
+export const setRefreshToken = async (repo, sessionId, refreshToken, config) => {
+    await repo.setRefreshToken(sessionId, refreshToken, config);
+};
+export const getSessionByRefreshToken = async (repo, refreshToken, config) => {
+    return repo.getSessionByRefreshToken(refreshToken, config);
+};
+export const rotateRefreshToken = async (repo, sessionId, newRefreshToken, newAccessToken, config) => {
+    await repo.rotateRefreshToken(sessionId, newRefreshToken, newAccessToken, config);
+    await repo.updateSessionLastActive(sessionId, config);
+};
+export const getSessionFingerprint = async (repo, sessionId) => {
+    return repo.getSessionFingerprint(sessionId);
+};
+export const setSessionFingerprint = async (repo, sessionId, fingerprint) => {
+    await repo.setSessionFingerprint(sessionId, fingerprint);
+};
+export const setMfaVerifiedAt = async (repo, sessionId) => {
+    await repo.setMfaVerifiedAt(sessionId);
+};
+export const getMfaVerifiedAt = async (repo, sessionId) => {
+    return repo.getMfaVerifiedAt(sessionId);
+};