@lastshotlabs/bunshot 0.0.27 → 0.1.0

package/dist/packages/bunshot-auth/src/testing.d.ts

@@ -0,0 +1,31 @@
+export { createMemoryAuthAdapter } from './adapters/memoryAuth';
+export type { MemoryAuthStores } from './adapters/memoryAuth';
+export { createAuthRateLimitService, createMemoryAuthRateLimitRepository, } from './lib/authRateLimit';
+export type { AuthRateLimitService, IAuthRateLimitRepository } from './lib/authRateLimit';
+export { createLockoutService } from './lib/accountLockout';
+export { createMemoryLockoutRepository } from './lib/accountLockout';
+export type { LockoutService, ILockoutRepository } from './lib/accountLockout';
+export { createCredentialStuffingService, createMemoryCredentialStuffingRepository, } from './lib/credentialStuffing';
+export type { CredentialStuffingService, ICredentialStuffingRepository, } from './lib/credentialStuffing';
+export { createMemoryMfaChallengeRepository } from './lib/mfaChallenge';
+export type { IMfaChallengeRepository } from './lib/mfaChallenge';
+export { createMemorySamlRequestIdRepository } from './lib/samlRequestId';
+export type { ISamlRequestIdRepository } from './lib/samlRequestId';
+export { createMemoryOAuthCodeRepository } from './lib/oauthCode';
+export type { IOAuthCodeRepository } from './lib/oauthCode';
+export { createMemoryOAuthReauthRepository } from './lib/oauthReauth';
+export type { IOAuthReauthRepository } from './lib/oauthReauth';
+export { createMemoryOAuthStateStore } from './lib/oauth';
+export type { OAuthStateStore } from './lib/oauth';
+export { createMemoryMagicLinkRepository } from './lib/magicLink';
+export type { IMagicLinkRepository } from './lib/magicLink';
+export { createMemoryDeletionCancelTokenRepository } from './lib/deletionCancelToken';
+export type { IDeletionCancelTokenRepository } from './lib/deletionCancelToken';
+export { createMemoryVerificationTokenRepository } from './lib/emailVerification';
+export type { IVerificationTokenRepository } from './lib/emailVerification';
+export { createMemoryResetTokenRepository } from './lib/resetPassword';
+export type { IResetTokenRepository } from './lib/resetPassword';
+export { createMemorySessionRepository } from './lib/session';
+export type { ISessionRepository } from './lib/session';
+export { resolveRepo } from '../../bunshot-core/src/index.js';
+export type { StoreInfra, RepoFactories } from '../../bunshot-core/src/index.js';

package/dist/packages/bunshot-auth/src/testing.js

@@ -0,0 +1,23 @@
+// ---------------------------------------------------------------------------
+// @lastshotlabs/bunshot-auth/testing — Test utilities
+//
+// All state is now per-instance (factory pattern). Create fresh instances
+// in each test — no global clear functions needed.
+// ---------------------------------------------------------------------------
+export { createMemoryAuthAdapter } from './adapters/memoryAuth';
+export { createAuthRateLimitService, createMemoryAuthRateLimitRepository, } from './lib/authRateLimit';
+export { createLockoutService } from './lib/accountLockout';
+export { createMemoryLockoutRepository } from './lib/accountLockout';
+export { createCredentialStuffingService, createMemoryCredentialStuffingRepository, } from './lib/credentialStuffing';
+// Repository factories for test setup
+export { createMemoryMfaChallengeRepository } from './lib/mfaChallenge';
+export { createMemorySamlRequestIdRepository } from './lib/samlRequestId';
+export { createMemoryOAuthCodeRepository } from './lib/oauthCode';
+export { createMemoryOAuthReauthRepository } from './lib/oauthReauth';
+export { createMemoryOAuthStateStore } from './lib/oauth';
+export { createMemoryMagicLinkRepository } from './lib/magicLink';
+export { createMemoryDeletionCancelTokenRepository } from './lib/deletionCancelToken';
+export { createMemoryVerificationTokenRepository } from './lib/emailVerification';
+export { createMemoryResetTokenRepository } from './lib/resetPassword';
+export { createMemorySessionRepository } from './lib/session';
+export { resolveRepo } from '../../bunshot-core/src/index.js';

package/dist/packages/bunshot-auth/src/types/adapter.d.ts

@@ -0,0 +1 @@
+export type { ResolvedStores } from '../../../bunshot-core/src/index.js';

package/dist/packages/bunshot-auth/src/types/adapter.js

@@ -0,0 +1 @@
+export {};

package/dist/packages/bunshot-auth/src/types/config.d.ts

@@ -0,0 +1,152 @@
+import { z } from 'zod';
+import type { CsrfConfig, StoreType } from '../../../bunshot-core/src/index.js';
+import type { AccountDeletionConfig, AuthCookieConfig, AuthHooksConfig, AuthRateLimitConfig, AuthSessionPolicyConfig, BreachedPasswordConfig, ConcealRegistrationConfig, CsrfCookieConfig, EmailVerificationConfig, JwtConfig, M2MConfig, MagicLinkConfig, MfaConfig, OAuthReauthConfig, OidcConfig, PasswordPolicyConfig, PasswordResetConfig, PrimaryField, RefreshTokenConfig, SamlConfig, ScimConfig, StepUpConfig } from '../config/authConfig';
+import type { LockoutConfig } from '../lib/accountLockout';
+import type { AuthAdapter } from '../lib/authAdapter';
+import type { OAuthProviderConfig } from '../lib/oauth';
+import type { GroupsConfig } from './groups';
+export type { StoreType };
+export interface AuthDbConfig {
+    /** Absolute path to the SQLite database file. Required when any store is 'sqlite'. */
+    sqlite?: string;
+    /**
+     * Auto-connect MongoDB before starting.
+     * - 'single': calls connectMongo() — auth and app share one server
+     * - 'separate': calls connectAuthMongo() + connectAppMongo()
+     * - false: skip auto-connect
+     */
+    mongo?: 'single' | 'separate' | false;
+    /** Auto-connect Redis before starting. Defaults to true when redis is available. */
+    redis?: boolean;
+    /** Where to store JWT sessions. Default: 'memory' in standalone mode. */
+    sessions?: StoreType;
+    /** Where to store OAuth state. Default: follows sessions. */
+    oauthState?: StoreType;
+    /** Which built-in auth adapter to use. Default: 'memory' in standalone mode. */
+    auth?: 'mongo' | 'sqlite' | 'memory';
+}
+export interface AuthSecurityConfig {
+    signing?: import('../../../bunshot-core/src/index.js').SigningConfig;
+    trustProxy?: false | number;
+    csrf?: CsrfConfig;
+    bearerAuth?: boolean | {
+        bypass?: string[];
+    };
+    bearerTokens?: import('../config/authConfig').BearerAuthConfig;
+    captcha?: import('../../../bunshot-core/src/index.js').CaptchaConfig;
+    cors?: string | string[];
+}
+export interface OAuthConfig {
+    providers?: OAuthProviderConfig;
+    postRedirect?: string;
+    allowedRedirectUrls?: string[];
+    reauth?: OAuthReauthConfig;
+}
+export interface AuthConfig {
+    enabled?: boolean;
+    adapter?: AuthAdapter;
+    roles?: string[];
+    defaultRole?: string;
+    oauth?: OAuthConfig;
+    primaryField?: PrimaryField;
+    emailVerification?: EmailVerificationConfig;
+    passwordReset?: PasswordResetConfig;
+    passwordPolicy?: PasswordPolicyConfig;
+    rateLimit?: AuthRateLimitConfig;
+    sessionPolicy?: AuthSessionPolicyConfig;
+    accountDeletion?: AccountDeletionConfig;
+    refreshTokens?: RefreshTokenConfig;
+    mfa?: MfaConfig;
+    jwt?: JwtConfig;
+    checkSuspensionOnIdentify?: boolean;
+    breachedPasswordCheck?: BreachedPasswordConfig;
+    stepUp?: StepUpConfig;
+    m2m?: M2MConfig;
+    oidc?: OidcConfig;
+    saml?: SamlConfig;
+    scim?: ScimConfig;
+    lockout?: LockoutConfig;
+    cookieConfig?: AuthCookieConfig;
+    csrfCookieConfig?: CsrfCookieConfig;
+    concealRegistration?: ConcealRegistrationConfig;
+    magicLink?: MagicLinkConfig;
+    hooks?: AuthHooksConfig;
+}
+export declare const authPluginConfigSchema: z.ZodObject<{
+    auth: z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodOptional<z.ZodBoolean>;
+        adapter: z.ZodOptional<z.ZodCustom<AuthAdapter, AuthAdapter>>;
+        roles: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        defaultRole: z.ZodOptional<z.ZodString>;
+        oauth: z.ZodOptional<z.ZodCustom<OAuthConfig, OAuthConfig>>;
+        primaryField: z.ZodOptional<z.ZodEnum<{
+            email: "email";
+            username: "username";
+            phone: "phone";
+        }>>;
+        emailVerification: z.ZodOptional<z.ZodCustom<EmailVerificationConfig, EmailVerificationConfig>>;
+        passwordReset: z.ZodOptional<z.ZodCustom<PasswordResetConfig, PasswordResetConfig>>;
+        passwordPolicy: z.ZodOptional<z.ZodCustom<PasswordPolicyConfig, PasswordPolicyConfig>>;
+        rateLimit: z.ZodOptional<z.ZodCustom<AuthRateLimitConfig, AuthRateLimitConfig>>;
+        sessionPolicy: z.ZodOptional<z.ZodCustom<AuthSessionPolicyConfig, AuthSessionPolicyConfig>>;
+        accountDeletion: z.ZodOptional<z.ZodCustom<AccountDeletionConfig, AccountDeletionConfig>>;
+        refreshTokens: z.ZodOptional<z.ZodCustom<RefreshTokenConfig, RefreshTokenConfig>>;
+        mfa: z.ZodOptional<z.ZodCustom<MfaConfig, MfaConfig>>;
+        jwt: z.ZodOptional<z.ZodCustom<JwtConfig, JwtConfig>>;
+        checkSuspensionOnIdentify: z.ZodOptional<z.ZodBoolean>;
+        breachedPasswordCheck: z.ZodOptional<z.ZodCustom<BreachedPasswordConfig, BreachedPasswordConfig>>;
+        stepUp: z.ZodOptional<z.ZodCustom<StepUpConfig, StepUpConfig>>;
+        m2m: z.ZodOptional<z.ZodCustom<M2MConfig, M2MConfig>>;
+        oidc: z.ZodOptional<z.ZodCustom<OidcConfig, OidcConfig>>;
+        saml: z.ZodOptional<z.ZodCustom<SamlConfig, SamlConfig>>;
+        scim: z.ZodOptional<z.ZodCustom<ScimConfig, ScimConfig>>;
+        lockout: z.ZodOptional<z.ZodCustom<LockoutConfig, LockoutConfig>>;
+        cookieConfig: z.ZodOptional<z.ZodCustom<AuthCookieConfig, AuthCookieConfig>>;
+        csrfCookieConfig: z.ZodOptional<z.ZodCustom<CsrfCookieConfig, CsrfCookieConfig>>;
+        concealRegistration: z.ZodOptional<z.ZodCustom<ConcealRegistrationConfig, ConcealRegistrationConfig>>;
+        magicLink: z.ZodOptional<z.ZodCustom<MagicLinkConfig, MagicLinkConfig>>;
+        hooks: z.ZodOptional<z.ZodCustom<AuthHooksConfig, AuthHooksConfig>>;
+    }, z.core.$strip>>;
+    db: z.ZodOptional<z.ZodObject<{
+        sqlite: z.ZodOptional<z.ZodString>;
+        mongo: z.ZodOptional<z.ZodUnion<readonly [z.ZodEnum<{
+            single: "single";
+            separate: "separate";
+        }>, z.ZodLiteral<false>]>>;
+        redis: z.ZodOptional<z.ZodBoolean>;
+        sessions: z.ZodOptional<z.ZodEnum<{
+            redis: "redis";
+            mongo: "mongo";
+            sqlite: "sqlite";
+            memory: "memory";
+        }>>;
+        oauthState: z.ZodOptional<z.ZodEnum<{
+            redis: "redis";
+            mongo: "mongo";
+            sqlite: "sqlite";
+            memory: "memory";
+        }>>;
+        auth: z.ZodOptional<z.ZodEnum<{
+            mongo: "mongo";
+            sqlite: "sqlite";
+            memory: "memory";
+        }>>;
+    }, z.core.$loose>>;
+    security: z.ZodOptional<z.ZodObject<{
+        signing: z.ZodOptional<z.ZodCustom<import("../../../bunshot-core/src/index.js").SigningConfig, import("../../../bunshot-core/src/index.js").SigningConfig>>;
+        trustProxy: z.ZodOptional<z.ZodUnion<readonly [z.ZodLiteral<false>, z.ZodNumber]>>;
+        csrf: z.ZodOptional<z.ZodCustom<CsrfConfig, CsrfConfig>>;
+        bearerAuth: z.ZodOptional<z.ZodUnion<readonly [z.ZodBoolean, z.ZodObject<{
+            bypass: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        }, z.core.$loose>]>>;
+        bearerTokens: z.ZodOptional<z.ZodAny>;
+        captcha: z.ZodOptional<z.ZodCustom<import("../../../../src/app.js").CaptchaConfig, import("../../../../src/app.js").CaptchaConfig>>;
+        cors: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
+    }, z.core.$loose>>;
+    securityEvents: z.ZodOptional<z.ZodCustom<import("..").SecurityEventsConfig, import("..").SecurityEventsConfig>>;
+    emailTemplates: z.ZodOptional<z.ZodCustom<import("../config/authConfig").EmailTemplatesConfig, import("../config/authConfig").EmailTemplatesConfig>>;
+    groups: z.ZodOptional<z.ZodCustom<GroupsConfig, GroupsConfig>>;
+    organizations: z.ZodOptional<z.ZodCustom<import("../../../../src/app.js").OrganizationConfig, import("../../../../src/app.js").OrganizationConfig>>;
+    appName: z.ZodOptional<z.ZodString>;
+}, z.core.$loose>;
+export type AuthPluginConfig = z.infer<typeof authPluginConfigSchema>;

package/dist/packages/bunshot-auth/src/types/config.js

@@ -0,0 +1,179 @@
+// packages/bunshot-auth/src/types/config.ts
+import { z } from 'zod';
+// --- Zod sub-schemas for top-level sections ---
+const authDbConfigSchema = z
+    .object({
+    sqlite: z.string().optional(),
+    mongo: z.union([z.enum(['single', 'separate']), z.literal(false)]).optional(),
+    redis: z.boolean().optional(),
+    sessions: z.enum(['redis', 'mongo', 'sqlite', 'memory']).optional(),
+    oauthState: z.enum(['redis', 'mongo', 'sqlite', 'memory']).optional(),
+    auth: z.enum(['mongo', 'sqlite', 'memory']).optional(),
+})
+    .passthrough();
+const authSecurityConfigSchema = z
+    .object({
+    signing: z
+        .custom(v => v == null || typeof v === 'object', { message: 'Expected a SigningConfig object' })
+        .optional(),
+    trustProxy: z.union([z.literal(false), z.number()]).optional(),
+    csrf: z
+        .custom(v => v == null || typeof v === 'object', {
+        message: 'Expected a CsrfConfig object',
+    })
+        .optional(),
+    bearerAuth: z
+        .union([z.boolean(), z.object({ bypass: z.array(z.string()).optional() }).passthrough()])
+        .optional(),
+    bearerTokens: z.any().optional(),
+    captcha: z
+        .custom(v => v == null || typeof v === 'object', { message: 'Expected a CaptchaConfig object' })
+        .optional(),
+    cors: z.union([z.string(), z.array(z.string())]).optional(),
+})
+    .passthrough();
+// AuthConfig has many deeply nested sub-configs — use z.custom for most
+const authConfigSchema = z.object({
+    enabled: z.boolean().optional(),
+    adapter: z
+        .custom(v => v == null || typeof v === 'object', {
+        message: 'Expected an AuthAdapter instance',
+    })
+        .optional(),
+    roles: z.array(z.string()).optional(),
+    defaultRole: z.string().optional(),
+    oauth: z
+        .custom(v => v == null || typeof v === 'object', {
+        message: 'Expected an OAuthConfig object',
+    })
+        .optional(),
+    primaryField: z.enum(['email', 'username', 'phone']).optional(),
+    emailVerification: z
+        .custom(v => v == null || typeof v === 'object', {
+        message: 'Expected an EmailVerificationConfig object',
+    })
+        .optional(),
+    passwordReset: z
+        .custom(v => v == null || typeof v === 'object', {
+        message: 'Expected a PasswordResetConfig object',
+    })
+        .optional(),
+    passwordPolicy: z
+        .custom(v => v == null || typeof v === 'object', {
+        message: 'Expected a PasswordPolicyConfig object',
+    })
+        .optional(),
+    rateLimit: z
+        .custom(v => v == null || typeof v === 'object', {
+        message: 'Expected an AuthRateLimitConfig object',
+    })
+        .optional(),
+    sessionPolicy: z
+        .custom(v => v == null || typeof v === 'object', {
+        message: 'Expected an AuthSessionPolicyConfig object',
+    })
+        .optional(),
+    accountDeletion: z
+        .custom(v => v == null || typeof v === 'object', {
+        message: 'Expected an AccountDeletionConfig object',
+    })
+        .optional(),
+    refreshTokens: z
+        .custom(v => v == null || typeof v === 'object', {
+        message: 'Expected a RefreshTokenConfig object',
+    })
+        .optional(),
+    mfa: z
+        .custom(v => v == null || typeof v === 'object', {
+        message: 'Expected an MfaConfig object',
+    })
+        .optional(),
+    jwt: z
+        .custom(v => v == null || typeof v === 'object', {
+        message: 'Expected a JwtConfig object',
+    })
+        .optional(),
+    checkSuspensionOnIdentify: z.boolean().optional(),
+    breachedPasswordCheck: z
+        .custom(v => v == null || typeof v === 'object', {
+        message: 'Expected a BreachedPasswordConfig object',
+    })
+        .optional(),
+    stepUp: z
+        .custom(v => v == null || typeof v === 'object', {
+        message: 'Expected a StepUpConfig object',
+    })
+        .optional(),
+    m2m: z
+        .custom(v => v == null || typeof v === 'object', {
+        message: 'Expected an M2MConfig object',
+    })
+        .optional(),
+    oidc: z
+        .custom(v => v == null || typeof v === 'object', {
+        message: 'Expected an OidcConfig object',
+    })
+        .optional(),
+    saml: z
+        .custom(v => v == null || typeof v === 'object', {
+        message: 'Expected a SamlConfig object',
+    })
+        .optional(),
+    scim: z
+        .custom(v => v == null || typeof v === 'object', {
+        message: 'Expected a ScimConfig object',
+    })
+        .optional(),
+    lockout: z
+        .custom(v => v == null || typeof v === 'object', {
+        message: 'Expected a LockoutConfig object',
+    })
+        .optional(),
+    cookieConfig: z
+        .custom(v => v == null || typeof v === 'object', {
+        message: 'Expected an AuthCookieConfig object',
+    })
+        .optional(),
+    csrfCookieConfig: z
+        .custom(v => v == null || typeof v === 'object', {
+        message: 'Expected a CsrfCookieConfig object',
+    })
+        .optional(),
+    concealRegistration: z
+        .custom(v => v == null || typeof v === 'object', {
+        message: 'Expected a ConcealRegistrationConfig object',
+    })
+        .optional(),
+    magicLink: z
+        .custom(v => v == null || typeof v === 'object', {
+        message: 'Expected a MagicLinkConfig object',
+    })
+        .optional(),
+    hooks: z
+        .custom(v => v == null || typeof v === 'object', {
+        message: 'Expected an AuthHooksConfig object',
+    })
+        .optional(),
+});
+export const authPluginConfigSchema = z
+    .object({
+    auth: authConfigSchema.optional(),
+    db: authDbConfigSchema.optional(),
+    security: authSecurityConfigSchema.optional(),
+    securityEvents: z
+        .custom(v => v == null || typeof v === 'object', { message: 'Expected a SecurityEventsConfig object' })
+        .optional(),
+    emailTemplates: z
+        .custom(v => v == null || typeof v === 'object', { message: 'Expected an EmailTemplatesConfig object' })
+        .optional(),
+    groups: z
+        .custom(v => v == null || typeof v === 'object', {
+        message: 'Expected a GroupsConfig object',
+    })
+        .optional(),
+    organizations: z
+        .custom(v => v == null || typeof v === 'object', { message: 'Expected an OrganizationConfig object' })
+        .optional(),
+    appName: z.string().optional(),
+})
+    .passthrough();

package/dist/{routes → packages/bunshot-auth/src/types}/groups.d.ts

@@ -1,5 +1,5 @@
-import type { MiddlewareHandler } from "hono";
-import type { AppEnv } from "../lib/context";
+import type { MiddlewareHandler } from 'hono';
+import type { AppEnv } from '../../../bunshot-core/src/index.js';
 export interface GroupsManagementConfig {
     /**
      * Role required to access all management routes.
@@ -18,4 +18,3 @@ export interface GroupsConfig {
     /** Mount group management routes. Pass `true` to use all defaults. */
     managementRoutes?: GroupsManagementConfig | true;
 }
-export declare const createGroupsRouter: (config: GroupsConfig) => import("@hono/zod-openapi").OpenAPIHono<AppEnv, {}, "/">;

package/dist/packages/bunshot-auth/src/types/groups.js

@@ -0,0 +1 @@
+export {};

package/dist/packages/bunshot-auth/src/types/oauthCode.d.ts

@@ -0,0 +1,6 @@
+export interface OAuthCodePayload {
+    token: string;
+    userId: string;
+    email?: string;
+    refreshToken?: string;
+}

package/dist/packages/bunshot-auth/src/types/oauthCode.js

@@ -0,0 +1 @@
+export {};

package/dist/packages/bunshot-auth/src/types/oauthReauth.d.ts

@@ -0,0 +1,13 @@
+export interface OAuthReauthState {
+    userId: string;
+    sessionId: string;
+    provider: string;
+    /** e.g. "delete_account", "change_password" */
+    purpose: string;
+    expiresAt: number;
+    returnUrl?: string;
+}
+export interface OAuthReauthConfirmation {
+    userId: string;
+    purpose: string;
+}

package/dist/packages/bunshot-auth/src/types/oauthReauth.js

@@ -0,0 +1 @@
+export {};

package/dist/packages/bunshot-auth/src/types/redis.d.ts

@@ -0,0 +1 @@
+export type { RedisLike } from '../../../bunshot-core/src/index.js';

package/dist/packages/bunshot-auth/src/types/redis.js

@@ -0,0 +1 @@
+export {};

package/dist/packages/bunshot-auth/src/types/saml.d.ts

@@ -0,0 +1,10 @@
+export interface SamlProfile {
+    nameId: string;
+    nameIdFormat?: string;
+    email?: string;
+    firstName?: string;
+    lastName?: string;
+    displayName?: string;
+    groups?: string[];
+    attributes: Record<string, string | string[]>;
+}

package/dist/packages/bunshot-auth/src/types/saml.js

@@ -0,0 +1 @@
+export {};

package/dist/packages/bunshot-auth/src/types/session.d.ts

@@ -0,0 +1,18 @@
+export interface SessionMetadata {
+    ipAddress?: string;
+    userAgent?: string;
+}
+export interface SessionInfo {
+    sessionId: string;
+    createdAt: number;
+    lastActiveAt: number;
+    expiresAt: number;
+    ipAddress?: string;
+    userAgent?: string;
+    isActive: boolean;
+}
+export interface RefreshResult {
+    sessionId: string;
+    userId: string;
+    newRefreshToken: string;
+}

package/dist/packages/bunshot-auth/src/types/session.js

@@ -0,0 +1 @@
+export {};

package/dist/packages/bunshot-auth/src/types/store.d.ts

@@ -0,0 +1 @@
+export type { ResolvedStores } from './adapter';

package/dist/packages/bunshot-auth/src/types/store.js

@@ -0,0 +1 @@
+export {};

package/dist/packages/bunshot-core/src/adminProvider.d.ts

@@ -0,0 +1,95 @@
+import type { Context } from 'hono';
+export interface AdminPrincipal {
+    subject: string;
+    email?: string;
+    displayName?: string;
+    roles?: string[];
+    permissions?: string[];
+    tenantId?: string;
+    provider: string;
+    rawClaims?: Record<string, unknown>;
+}
+export interface AdminAccessProvider {
+    name: string;
+    /** Verify the request and extract an admin principal. Context is untyped because providers only read HTTP headers/cookies. */
+    verifyRequest(c: Context<any>): Promise<AdminPrincipal | null>;
+}
+export interface ManagedUserRecord {
+    id: string;
+    email?: string;
+    displayName?: string;
+    firstName?: string;
+    lastName?: string;
+    externalId?: string;
+    status?: 'active' | 'suspended';
+    roles?: string[];
+    provider: string;
+    metadata?: Record<string, unknown>;
+}
+export interface ListUsersInput {
+    limit?: number;
+    cursor?: string;
+    search?: string;
+    status?: 'active' | 'suspended';
+    role?: string;
+    createdAfter?: string;
+    createdBefore?: string;
+    sortBy?: 'createdAt' | 'email';
+    sortDir?: 'asc' | 'desc';
+}
+export interface ListUsersResult {
+    items: ManagedUserRecord[];
+    nextCursor?: string;
+}
+export interface SuspendUserInput {
+    userId: string;
+    reason?: string;
+    actorId: string;
+}
+export interface UnsuspendUserInput {
+    userId: string;
+    actorId: string;
+}
+export interface UpdateUserInput {
+    userId: string;
+    displayName?: string;
+    firstName?: string;
+    lastName?: string;
+    externalId?: string;
+}
+export interface SessionRecord {
+    sessionId: string;
+    userId: string;
+    createdAt?: number;
+    lastActiveAt?: number;
+    ip?: string;
+    userAgent?: string;
+    active?: boolean;
+}
+export interface ManagedUserCapabilities {
+    canListUsers: boolean;
+    canSearchUsers: boolean;
+    canViewUser: boolean;
+    canEditUser?: boolean;
+    canSuspendUsers?: boolean;
+    canDeleteUsers?: boolean;
+    canViewSessions?: boolean;
+    canRevokeSessions?: boolean;
+    canManageRoles?: boolean;
+}
+export interface ManagedUserProvider {
+    name: string;
+    listUsers(input: ListUsersInput): Promise<ListUsersResult>;
+    getUser(userId: string): Promise<ManagedUserRecord | null>;
+    searchUsers?(query: string, input?: Omit<ListUsersInput, 'search'>): Promise<ListUsersResult>;
+    getCapabilities(): Promise<ManagedUserCapabilities>;
+    suspendUser?(input: SuspendUserInput): Promise<void>;
+    unsuspendUser?(input: UnsuspendUserInput): Promise<void>;
+    updateUser?(input: UpdateUserInput): Promise<ManagedUserRecord | null>;
+    deleteUser?(userId: string): Promise<void>;
+    listSessions?(userId: string): Promise<SessionRecord[]>;
+    revokeSession?(sessionId: string): Promise<void>;
+    revokeAllSessions?(userId: string): Promise<void>;
+    getRoles?(userId: string): Promise<string[]>;
+    setRoles?(userId: string, roles: string[]): Promise<void>;
+}

package/dist/packages/bunshot-core/src/adminProvider.js

@@ -0,0 +1 @@
+export {};

package/dist/packages/bunshot-core/src/auditLog.d.ts

@@ -0,0 +1,34 @@
+export interface AuditLogEntry {
+    id: string;
+    userId: string | null;
+    sessionId: string | null;
+    tenantId: string | null;
+    method: string;
+    path: string;
+    status: number;
+    ip: string | null;
+    userAgent: string | null;
+    action?: string;
+    resource?: string;
+    resourceId?: string;
+    meta?: Record<string, unknown>;
+    requestId?: string;
+    createdAt: string;
+    /** MongoDB TTL expiry — set when auditLogTtlDays is configured. */
+    expiresAt?: Date;
+}
+export interface AuditLogQuery {
+    userId?: string;
+    tenantId?: string;
+    after?: Date | string;
+    before?: Date | string;
+    limit?: number;
+    cursor?: string;
+}
+export interface AuditLogProvider {
+    logEntry(entry: AuditLogEntry): Promise<void>;
+    getLogs(query: AuditLogQuery): Promise<{
+        items: AuditLogEntry[];
+        nextCursor?: string;
+    }>;
+}

package/dist/packages/bunshot-core/src/auditLog.js

@@ -0,0 +1 @@
+export {};