@longzai-intelligence-auth/core 0.0.5 → 0.0.7

package/dist/index.js

@@ -0,0 +1 @@
+import{z as e}from"zod";import{DomainError as t}from"@longzai-intelligence/error";const n=e.object({secret:e.string().min(1,`JWT 密钥不能为空`),accessExpiresIn:e.string().default(`15m`),refreshExpiresIn:e.string().default(`7d`)}),r=e.object({minLength:e.number().int().positive().default(8),requireUppercase:e.boolean().default(!0),requireLowercase:e.boolean().default(!0),requireNumber:e.boolean().default(!0),requireSpecial:e.boolean().default(!1),historyCount:e.number().int().nonnegative().default(5),expireDays:e.number().int().nonnegative().default(0)}),i=e.object({windowSeconds:e.number().int().positive().default(60),maxRequests:e.number().int().positive().default(100)}),a=e.object({jwt:n,passwordPolicy:r,defaultTenantId:e.string().min(1).default(`default`)}),o=e.object({sub:e.string(),type:e.literal(`access`),tenantId:e.string().optional(),iss:e.string().optional(),aud:e.string().optional(),jti:e.string().optional(),roles:e.array(e.string()).optional(),permissions:e.array(e.string()).optional()}),s=e.object({sub:e.string(),sessionId:e.string(),type:e.literal(`refresh`)}),c=e.object({sub:e.string(),type:e.literal(`password_reset`)}),l=e.object({sub:e.string(),type:e.literal(`mfa_pending`)}),u=e.string().regex(/^[a-zA-Z0-9_-]+:[a-zA-Z0-9_-]+$/,`权限格式应为 resource:action`),d=e.object({resource:e.string().min(1),action:e.string().min(1)}),f=e.object({email:e.string().email(`邮箱格式无效`),username:e.string().min(3,`用户名至少 3 个字符`).max(50,`用户名最多 50 个字符`),password:e.string().min(8,`密码至少 8 个字符`).max(128,`密码最多 128 个字符`),displayName:e.string().optional()}),p=e.object({displayName:e.string().optional(),avatarUrl:e.string().url(`头像 URL 格式无效`).optional()}),m=e.object({currentPassword:e.string(`请输入当前密码`),newPassword:e.string().min(8,`新密码至少 8 个字符`).max(128,`新密码最多 128 个字符`)}),h=e.object({email:e.string().email(`邮箱格式无效`),password:e.string(`请输入密码`)}),g=e.object({refreshToken:e.string(`请输入刷新令牌`)}),_=`dev-secret-key`;function v(){let e=process.env.JWT_SECRET??_;return e===_&&console.warn(`[Auth] JWT_SECRET 环境变量未设置，正在使用开发密钥。请勿在生产环境中使用！`),process.env.JWT_ALGORITHM,{secret:e,accessExpiresIn:process.env.JWT_ACCESS_EXPIRES_IN??`15m`,refreshExpiresIn:process.env.JWT_REFRESH_EXPIRES_IN??`7d`}}function y(){return{windowSeconds:60,maxRequests:100}}function b(){return{minLength:8,requireUppercase:!0,requireLowercase:!0,requireNumber:!0,requireSpecial:!1,historyCount:0,expireDays:0}}var x=class extends t{constructor(e=`认证令牌已过期`){super(e,`TOKEN_EXPIRED`)}},S=class extends t{constructor(e=`无效的认证令牌`){super(e,`TOKEN_INVALID`)}},C=class extends t{constructor(e=`未认证，请先登录`){super(e,`TOKEN_MISSING`)}},w=class extends t{constructor(e=`需要多因素认证验证`){super(e,`MFA_REQUIRED`)}},T=class extends t{constructor(e=`用户名或密码错误`){super(e,`INVALID_CREDENTIALS`)}},E=class extends t{constructor(e=`账户已被禁用`){super(e,`ACCOUNT_DISABLED`)}},D=class extends t{constructor(e=`用户不存在`){super(e,`USER_NOT_FOUND`)}},O=class extends t{constructor(e=`用户已存在`){super(e,`USER_ALREADY_EXISTS`)}},k=class extends t{constructor(e=`密码不符合策略要求`){super(e,`PASSWORD_POLICY_VIOLATION`)}},A=class extends t{constructor(e=`会话不存在`){super(e,`SESSION_NOT_FOUND`)}},j=class extends t{constructor(e=`会话已过期`){super(e,`SESSION_EXPIRED`)}},M=class extends t{constructor(e=`请求过于频繁，请稍后再试`){super(e,`RATE_LIMIT_EXCEEDED`)}};export{E as AccountDisabledError,T as InvalidCredentialsError,w as MfaRequiredError,k as PasswordPolicyViolationError,M as RateLimitExceededError,j as SessionExpiredError,A as SessionNotFoundError,x as TokenExpiredError,S as TokenInvalidError,C as TokenMissingError,O as UserAlreadyExistsError,D as UserNotFoundError,o as accessTokenPayloadSchema,a as authConfigSchema,m as changePasswordSchema,v as createDefaultJwtConfig,b as createDefaultPasswordPolicy,y as createDefaultRateLimitConfig,f as createUserSchema,n as jwtConfigSchema,h as loginSchema,l as mfaPendingTokenPayloadSchema,r as passwordPolicyConfigSchema,c as passwordResetTokenPayloadSchema,u as permissionStringSchema,i as rateLimitConfigSchema,s as refreshTokenPayloadSchema,g as refreshTokenSchema,d as resourceActionSchema,p as updateUserSchema};

package/package.json

@@ -1,22 +1,15 @@
 {
   "name": "@longzai-intelligence-auth/core",
-  "version": "0.0.5",
+  "version": "0.0.7",
   "license": "UNLICENSED",
   "type": "module",
   "sideEffects": false,
-  "main": "./dist/index.cjs",
-  "module": "./dist/index.js",
+  "main": "./dist/index.js",
   "types": "./dist/index.d.ts",
   "exports": {
     ".": {
-      "import": {
-        "types": "./dist/index.d.ts",
-        "default": "./dist/index.js"
-      },
-      "require": {
-        "types": "./dist/index.d.cts",
-        "default": "./dist/index.cjs"
-      }
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
     }
   },
   "files": [
@@ -35,8 +28,7 @@
     "zod": "^4.4.3"
   },
   "scripts": {
-    "build": "bun build src/index.ts --outdir dist --target bun",
-    "build:declaration": "tsgo --declaration --emitDeclarationOnly --outDir dist -p tsconfig/app.json",
+    "build": "tsgo --build tsconfig/build.json && resolve-aliases -p tsconfig/build.json",
     "build:prod": "NODE_ENV=production tsdown",
     "prepublishOnly": "bun run build:prod",
     "typecheck": "bun run typecheck:app && bun run typecheck:node && bun run typecheck:test",
@@ -50,9 +42,6 @@
     "test:coverage": "bun test --coverage",
     "test:unit": "bun test src/__tests__/unit/",
     "test:integration": "bun test src/__tests__/integration/",
-    "clean": "rm -rf dist out .cache"
-  },
-  "devDependencies": {
-    "@types/bun": "^1.3.14"
+    "clean": "rimraf dist out .cache"
   }
 }

package/dist/index.cjs

@@ -1 +0,0 @@
-Object.defineProperty(exports,Symbol.toStringTag,{value:`Module`});let e=require("zod"),t=require("@longzai-intelligence/error");const n=e.z.object({secret:e.z.string().min(1,`JWT 密钥不能为空`),accessExpiresIn:e.z.string().default(`15m`),refreshExpiresIn:e.z.string().default(`7d`)}),r=e.z.object({minLength:e.z.number().int().positive().default(8),requireUppercase:e.z.boolean().default(!0),requireLowercase:e.z.boolean().default(!0),requireNumber:e.z.boolean().default(!0),requireSpecial:e.z.boolean().default(!1),historyCount:e.z.number().int().nonnegative().default(5),expireDays:e.z.number().int().nonnegative().default(0)}),i=e.z.object({windowSeconds:e.z.number().int().positive().default(60),maxRequests:e.z.number().int().positive().default(100)}),a=e.z.object({jwt:n,passwordPolicy:r,defaultTenantId:e.z.string().min(1).default(`default`)}),o=e.z.object({sub:e.z.string(),type:e.z.literal(`access`),tenantId:e.z.string().optional(),iss:e.z.string().optional(),aud:e.z.string().optional(),jti:e.z.string().optional(),roles:e.z.array(e.z.string()).optional(),permissions:e.z.array(e.z.string()).optional()}),s=e.z.object({sub:e.z.string(),sessionId:e.z.string(),type:e.z.literal(`refresh`)}),c=e.z.object({sub:e.z.string(),type:e.z.literal(`password_reset`)}),l=e.z.object({sub:e.z.string(),type:e.z.literal(`mfa_pending`)}),u=e.z.string().regex(/^[a-zA-Z0-9_-]+:[a-zA-Z0-9_-]+$/,`权限格式应为 resource:action`),d=e.z.object({resource:e.z.string().min(1),action:e.z.string().min(1)}),f=e.z.object({email:e.z.string().email(`邮箱格式无效`),username:e.z.string().min(3,`用户名至少 3 个字符`).max(50,`用户名最多 50 个字符`),password:e.z.string().min(8,`密码至少 8 个字符`).max(128,`密码最多 128 个字符`),displayName:e.z.string().optional()}),p=e.z.object({displayName:e.z.string().optional(),avatarUrl:e.z.string().url(`头像 URL 格式无效`).optional()}),m=e.z.object({currentPassword:e.z.string(`请输入当前密码`),newPassword:e.z.string().min(8,`新密码至少 8 个字符`).max(128,`新密码最多 128 个字符`)}),h=e.z.object({email:e.z.string().email(`邮箱格式无效`),password:e.z.string(`请输入密码`)}),g=e.z.object({refreshToken:e.z.string(`请输入刷新令牌`)});var _=class extends t.DomainError{constructor(e=`认证令牌已过期`){super(e,`TOKEN_EXPIRED`)}},v=class extends t.DomainError{constructor(e=`无效的认证令牌`){super(e,`TOKEN_INVALID`)}},y=class extends t.DomainError{constructor(e=`未认证，请先登录`){super(e,`TOKEN_MISSING`)}},b=class extends t.DomainError{constructor(e=`需要多因素认证验证`){super(e,`MFA_REQUIRED`)}},x=class extends t.DomainError{constructor(e=`用户名或密码错误`){super(e,`INVALID_CREDENTIALS`)}},S=class extends t.DomainError{constructor(e=`账户已被禁用`){super(e,`ACCOUNT_DISABLED`)}},C=class extends t.DomainError{constructor(e=`用户不存在`){super(e,`USER_NOT_FOUND`)}},w=class extends t.DomainError{constructor(e=`用户已存在`){super(e,`USER_ALREADY_EXISTS`)}},T=class extends t.DomainError{constructor(e=`密码不符合策略要求`){super(e,`PASSWORD_POLICY_VIOLATION`)}},E=class extends t.DomainError{constructor(e=`会话不存在`){super(e,`SESSION_NOT_FOUND`)}},D=class extends t.DomainError{constructor(e=`会话已过期`){super(e,`SESSION_EXPIRED`)}},O=class extends t.DomainError{constructor(e=`请求过于频繁，请稍后再试`){super(e,`RATE_LIMIT_EXCEEDED`)}};exports.AccountDisabledError=S,exports.InvalidCredentialsError=x,exports.MfaRequiredError=b,exports.PasswordPolicyViolationError=T,exports.RateLimitExceededError=O,exports.SessionExpiredError=D,exports.SessionNotFoundError=E,exports.TokenExpiredError=_,exports.TokenInvalidError=v,exports.TokenMissingError=y,exports.UserAlreadyExistsError=w,exports.UserNotFoundError=C,exports.accessTokenPayloadSchema=o,exports.authConfigSchema=a,exports.changePasswordSchema=m,exports.createUserSchema=f,exports.jwtConfigSchema=n,exports.loginSchema=h,exports.mfaPendingTokenPayloadSchema=l,exports.passwordPolicyConfigSchema=r,exports.passwordResetTokenPayloadSchema=c,exports.permissionStringSchema=u,exports.rateLimitConfigSchema=i,exports.refreshTokenPayloadSchema=s,exports.refreshTokenSchema=g,exports.resourceActionSchema=d,exports.updateUserSchema=p;

package/dist/index.d.cts

@@ -1,532 +0,0 @@
-import { z } from "zod";
-import { DomainError } from "@longzai-intelligence/error";
-
-//#region src/types/token.types.d.ts
-type AccessTokenPayload = {
-  sub: string;
-  type: "access";
-  tenantId?: string;
-  iss?: string;
-  aud?: string;
-  jti?: string;
-  roles?: string[];
-  permissions?: string[];
-};
-type RefreshTokenPayload = {
-  sub: string;
-  sessionId: string;
-  type: "refresh";
-};
-type PasswordResetTokenPayload = {
-  sub: string;
-  type: "password_reset";
-};
-type MfaPendingTokenPayload = {
-  sub: string;
-  type: "mfa_pending";
-};
-type TokenPayload = AccessTokenPayload | RefreshTokenPayload | PasswordResetTokenPayload | MfaPendingTokenPayload;
-//#endregion
-//#region src/types/auth-context.types.d.ts
-type UserInfo = {
-  userId: string;
-  tenantId?: string;
-};
-type AuthContext = {
-  userId: string;
-  tenantId?: string;
-};
-//#endregion
-//#region src/types/permission.types.d.ts
-type ResourceAction = {
-  resource: string;
-  action: string;
-};
-type PermissionCheckFn = (userId: string, resource: string, action: string) => Promise<void>;
-type TenantPermissionCheckFn = (userId: string, tenantId: string, resource: string, action: string) => Promise<void>;
-//#endregion
-//#region src/types/config.types.d.ts
-type JwtConfig = {
-  secret: string;
-  accessExpiresIn: string;
-  refreshExpiresIn: string;
-};
-type PasswordPolicyConfig = {
-  minLength: number;
-  requireUppercase: boolean;
-  requireLowercase: boolean;
-  requireNumber: boolean;
-  requireSpecial: boolean;
-  historyCount: number;
-  expireDays: number;
-};
-type AuthConfig = {
-  jwt: JwtConfig;
-  passwordPolicy: PasswordPolicyConfig;
-  defaultTenantId: string;
-};
-//#endregion
-//#region src/types/password.types.d.ts
-type PasswordValidationResult = {
-  valid: boolean;
-  errors: string[];
-};
-//#endregion
-//#region src/types/rate-limit.types.d.ts
-type RateLimitConfig = {
-  windowSeconds: number;
-  maxRequests: number;
-};
-//#endregion
-//#region src/types/logger.types.d.ts
-type LoggerService = {
-  debug(message: string, context?: Record<string, unknown>): void;
-  info(message: string, context?: Record<string, unknown>): void;
-  warn(message: string, context?: Record<string, unknown>): void;
-  error(message: string, context?: Record<string, unknown>): void;
-};
-//#endregion
-//#region src/types/auth-api.types.d.ts
-type LoginRequest = {
-  email: string;
-  password: string;
-};
-type LoginResponse = {
-  accessToken: string;
-  refreshToken: string;
-};
-type RegisterRequest = {
-  email: string;
-  password: string;
-  name: string;
-};
-type RegisterResponse = {
-  userId: string;
-  message: string;
-};
-type RefreshTokenRequest = {
-  refreshToken: string;
-};
-type RefreshTokenResponse = {
-  accessToken: string;
-  refreshToken: string;
-};
-type PasswordResetRequest = {
-  email: string;
-};
-type PasswordResetConfirmRequest = {
-  token: string;
-  password: string;
-};
-type ChangePasswordRequest = {
-  oldPassword: string;
-  newPassword: string;
-};
-type MessageResponse = {
-  message: string;
-};
-type MeResponse = {
-  userId: string;
-  tenantId?: string;
-};
-//#endregion
-//#region src/types/user.types.d.ts
-type UserStatus = "active" | "disabled" | "locked";
-type User = {
-  id: string;
-  email: string;
-  username: string;
-  passwordHash: string;
-  displayName: string | null;
-  avatarUrl: string | null;
-  status: UserStatus;
-  mfaEnabled: boolean;
-  mfaSecret: string | null;
-  failedLoginAttempts: number;
-  lockedUntil: string | null;
-  passwordChangedAt: string | null;
-  lastLoginAt: string | null;
-  createdAt: string;
-  updatedAt: string;
-};
-type CreateUserInput = {
-  email: string;
-  username: string;
-  passwordHash: string;
-  displayName?: string;
-  avatarUrl?: string;
-};
-type UpdateUserInput = {
-  displayName?: string;
-  avatarUrl?: string;
-};
-//#endregion
-//#region src/types/session.types.d.ts
-type Session = {
-  id: string;
-  userId: string;
-  tenantId: string;
-  refreshTokenHash: string;
-  deviceInfo: string | null;
-  ipAddress: string | null;
-  userAgent: string | null;
-  expiresAt: string;
-  createdAt: string;
-};
-type CreateSessionInput = {
-  userId: string;
-  tenantId: string;
-  refreshTokenHash: string;
-  deviceInfo?: string;
-  ipAddress?: string;
-  userAgent?: string;
-  expiresAt: string;
-};
-type SessionInfo = Session;
-//#endregion
-//#region src/types/tenant.types.d.ts
-type TenantStatus = "active" | "suspended";
-type Tenant = {
-  id: string;
-  name: string;
-  slug: string;
-  status: TenantStatus;
-  maxUsers: number;
-  settings: string | null;
-  createdAt: string;
-  updatedAt: string;
-};
-type CreateTenantInput = {
-  name: string;
-  slug: string;
-  maxUsers?: number;
-  settings?: string;
-};
-type UpdateTenantInput = {
-  name?: string;
-  maxUsers?: number;
-  settings?: string;
-};
-//#endregion
-//#region src/types/tenant-member.types.d.ts
-type TenantMemberRole = "owner" | "admin" | "member";
-type TenantMember = {
-  id: string;
-  tenantId: string;
-  userId: string;
-  role: TenantMemberRole;
-  joinedAt: string;
-};
-type CreateTenantMemberInput = {
-  tenantId: string;
-  userId: string;
-  role?: TenantMemberRole;
-};
-//#endregion
-//#region src/schemas/auth-config.schema.d.ts
-declare const jwtConfigSchema: z.ZodObject<{
-  secret: z.ZodString;
-  accessExpiresIn: z.ZodDefault<z.ZodString>;
-  refreshExpiresIn: z.ZodDefault<z.ZodString>;
-}, z.core.$strip>;
-declare const passwordPolicyConfigSchema: z.ZodObject<{
-  minLength: z.ZodDefault<z.ZodNumber>;
-  requireUppercase: z.ZodDefault<z.ZodBoolean>;
-  requireLowercase: z.ZodDefault<z.ZodBoolean>;
-  requireNumber: z.ZodDefault<z.ZodBoolean>;
-  requireSpecial: z.ZodDefault<z.ZodBoolean>;
-  historyCount: z.ZodDefault<z.ZodNumber>;
-  expireDays: z.ZodDefault<z.ZodNumber>;
-}, z.core.$strip>;
-declare const rateLimitConfigSchema: z.ZodObject<{
-  windowSeconds: z.ZodDefault<z.ZodNumber>;
-  maxRequests: z.ZodDefault<z.ZodNumber>;
-}, z.core.$strip>;
-declare const authConfigSchema: z.ZodObject<{
-  jwt: z.ZodObject<{
-    secret: z.ZodString;
-    accessExpiresIn: z.ZodDefault<z.ZodString>;
-    refreshExpiresIn: z.ZodDefault<z.ZodString>;
-  }, z.core.$strip>;
-  passwordPolicy: z.ZodObject<{
-    minLength: z.ZodDefault<z.ZodNumber>;
-    requireUppercase: z.ZodDefault<z.ZodBoolean>;
-    requireLowercase: z.ZodDefault<z.ZodBoolean>;
-    requireNumber: z.ZodDefault<z.ZodBoolean>;
-    requireSpecial: z.ZodDefault<z.ZodBoolean>;
-    historyCount: z.ZodDefault<z.ZodNumber>;
-    expireDays: z.ZodDefault<z.ZodNumber>;
-  }, z.core.$strip>;
-  defaultTenantId: z.ZodDefault<z.ZodString>;
-}, z.core.$strip>;
-//#endregion
-//#region src/schemas/token.schema.d.ts
-declare const accessTokenPayloadSchema: z.ZodObject<{
-  sub: z.ZodString;
-  type: z.ZodLiteral<"access">;
-  tenantId: z.ZodOptional<z.ZodString>;
-  iss: z.ZodOptional<z.ZodString>;
-  aud: z.ZodOptional<z.ZodString>;
-  jti: z.ZodOptional<z.ZodString>;
-  roles: z.ZodOptional<z.ZodArray<z.ZodString>>;
-  permissions: z.ZodOptional<z.ZodArray<z.ZodString>>;
-}, z.core.$strip>;
-declare const refreshTokenPayloadSchema: z.ZodObject<{
-  sub: z.ZodString;
-  sessionId: z.ZodString;
-  type: z.ZodLiteral<"refresh">;
-}, z.core.$strip>;
-declare const passwordResetTokenPayloadSchema: z.ZodObject<{
-  sub: z.ZodString;
-  type: z.ZodLiteral<"password_reset">;
-}, z.core.$strip>;
-declare const mfaPendingTokenPayloadSchema: z.ZodObject<{
-  sub: z.ZodString;
-  type: z.ZodLiteral<"mfa_pending">;
-}, z.core.$strip>;
-//#endregion
-//#region src/schemas/permission.schema.d.ts
-declare const permissionStringSchema: z.ZodString;
-declare const resourceActionSchema: z.ZodObject<{
-  resource: z.ZodString;
-  action: z.ZodString;
-}, z.core.$strip>;
-//#endregion
-//#region src/schemas/user.schema.d.ts
-declare const createUserSchema: z.ZodObject<{
-  email: z.ZodString;
-  username: z.ZodString;
-  password: z.ZodString;
-  displayName: z.ZodOptional<z.ZodString>;
-}, z.core.$strip>;
-declare const updateUserSchema: z.ZodObject<{
-  displayName: z.ZodOptional<z.ZodString>;
-  avatarUrl: z.ZodOptional<z.ZodString>;
-}, z.core.$strip>;
-declare const changePasswordSchema: z.ZodObject<{
-  currentPassword: z.ZodString;
-  newPassword: z.ZodString;
-}, z.core.$strip>;
-//#endregion
-//#region src/schemas/session.schema.d.ts
-declare const loginSchema: z.ZodObject<{
-  email: z.ZodString;
-  password: z.ZodString;
-}, z.core.$strip>;
-declare const refreshTokenSchema: z.ZodObject<{
-  refreshToken: z.ZodString;
-}, z.core.$strip>;
-//#endregion
-//#region src/ports/auth-backend.port.d.ts
-type UserAuthInfo = {
-  userId: string;
-  email: string;
-  tenantId: string;
-  status: UserStatus;
-  passwordHash: string;
-  mfaEnabled: boolean;
-  mfaSecret: string | null;
-  failedLoginAttempts: number;
-  lockedUntil: string | null;
-};
-type VerifyPasswordResult = {
-  success: boolean;
-  user?: User;
-  error?: string;
-};
-type TenantValidateResult = {
-  valid: boolean;
-  tenant?: Tenant;
-  error?: string;
-};
-type UserPort = {
-  findById(userId: string): Promise<User | null>;
-  findByEmail(email: string): Promise<User | null>;
-  findByUsername(username: string): Promise<User | null>;
-  findAuthInfo(userId: string): Promise<UserAuthInfo | null>;
-  findAuthInfoByEmail(email: string): Promise<UserAuthInfo | null>;
-  findPermissions(userId: string, tenantId: string): Promise<ResourceAction[]>;
-  isSuperAdmin(userId: string, tenantId: string): Promise<boolean>;
-  create(input: CreateUserInput): Promise<User>;
-  update(userId: string, input: UpdateUserInput): Promise<User>;
-  verifyPassword(email: string, password: string): Promise<VerifyPasswordResult>;
-  updatePassword(userId: string, newPasswordHash: string): Promise<void>;
-};
-type SessionPort = {
-  create(input: CreateSessionInput): Promise<Session>;
-  findById(sessionId: string): Promise<Session | null>;
-  findByRefreshTokenHash(hash: string): Promise<Session | null>;
-  revoke(sessionId: string): Promise<void>;
-  revokeAllByUser(userId: string): Promise<void>;
-};
-type TokenPort = {
-  signAccessToken(payload: AccessTokenPayload): Promise<string>;
-  signRefreshToken(payload: RefreshTokenPayload): Promise<string>;
-  verifyAccessToken(token: string): Promise<AccessTokenPayload>;
-  verifyRefreshToken(token: string): Promise<RefreshTokenPayload>;
-};
-type AuthBackendPort = {
-  user: UserPort;
-  session: SessionPort;
-  token: TokenPort;
-};
-//#endregion
-//#region src/ports/identity.port.d.ts
-type TenantPort = {
-  findById(tenantId: string): Promise<Tenant | null>;
-  findBySlug(slug: string): Promise<Tenant | null>;
-  create(input: CreateTenantInput): Promise<Tenant>;
-  validateStatus(tenantId: string): Promise<TenantValidateResult>;
-};
-type TenantMemberPort = {
-  getMember(tenantId: string, userId: string): Promise<TenantMember | null>;
-  addMember(tenantId: string, userId: string, role: string): Promise<TenantMember>;
-  removeMember(tenantId: string, userId: string): Promise<void>;
-  isMember(tenantId: string, userId: string): Promise<boolean>;
-};
-type AuditLogEntry = {
-  id: string;
-  action: string;
-  resource: string;
-  resourceId?: string;
-  userId?: string;
-  tenantId?: string;
-  success: boolean;
-  metadata?: Record<string, unknown>;
-  ipAddress?: string;
-  userAgent?: string;
-  createdAt: string;
-  hashChain?: string;
-  previousHash?: string;
-};
-type AuditLogQueryParams = {
-  page?: number;
-  pageSize?: number;
-  action?: string;
-  resource?: string;
-  userId?: string;
-  tenantId?: string;
-  startDate?: string;
-  endDate?: string;
-};
-type PaginatedResult<T> = {
-  items: T[];
-  pagination: {
-    page: number;
-    pageSize: number;
-    total: number;
-    totalPages: number;
-    hasPrev: boolean;
-    hasNext: boolean;
-  };
-};
-type AuditStatistics = {
-  totalEntries: number;
-  successCount: number;
-  failureCount: number;
-  topActions: {
-    action: string;
-    count: number;
-  }[];
-  topResources: {
-    resource: string;
-    count: number;
-  }[];
-};
-type IntegrityVerificationResult = {
-  valid: boolean;
-  brokenAt: string | null;
-  totalChecked: number;
-};
-type AuditLogPort = {
-  save(entry: AuditLogEntry): Promise<AuditLogEntry>;
-  findById(id: string): Promise<AuditLogEntry | null>;
-  query(params: AuditLogQueryParams): Promise<PaginatedResult<AuditLogEntry>>;
-  getStatistics(filter: AuditStatsFilter): Promise<AuditStatistics>;
-  deleteOlderThan(date: Date): Promise<number>;
-  verifyIntegrity(startId?: string): Promise<IntegrityVerificationResult>;
-};
-type AuditStatsFilter = {
-  startDate?: string;
-  endDate?: string;
-  tenantId?: string;
-};
-type IdentityAuthBackend = AuthBackendPort & {
-  tenant: TenantPort;
-  tenantMember: TenantMemberPort;
-  audit: AuditLogPort;
-};
-type TenantValidateFn = (tenantId: string) => Promise<TenantValidateResult>;
-//#endregion
-//#region src/ports/password-hash.port.d.ts
-type PasswordHasher = {
-  hash(password: string): Promise<string>;
-  verify(password: string, hash: string): Promise<boolean>;
-};
-//#endregion
-//#region src/ports/strategy.port.d.ts
-type TokenVerifyResult<T> = {
-  success: boolean;
-  payload?: T;
-  error?: string;
-};
-type TokenSigner = {
-  signAccessToken(payload: AccessTokenPayload): Promise<string>;
-  signRefreshToken(payload: RefreshTokenPayload): Promise<string>;
-};
-type TokenVerifier = {
-  verifyAccessToken(token: string): Promise<TokenVerifyResult<AccessTokenPayload>>;
-  verifyRefreshToken(token: string): Promise<TokenVerifyResult<RefreshTokenPayload>>;
-};
-type AuthStrategy = {
-  name: string;
-  verify(credentials: unknown): Promise<AccessTokenPayload>;
-};
-type RateLimiter = {
-  check(key: string): Promise<{
-    allowed: boolean;
-    remaining: number;
-    resetAt: Date;
-  }>;
-  reset(key: string): Promise<void>;
-};
-//#endregion
-//#region src/errors/auth.errors.d.ts
-declare class TokenExpiredError extends DomainError {
-  constructor(message?: string);
-}
-declare class TokenInvalidError extends DomainError {
-  constructor(message?: string);
-}
-declare class TokenMissingError extends DomainError {
-  constructor(message?: string);
-}
-declare class MfaRequiredError extends DomainError {
-  constructor(message?: string);
-}
-declare class InvalidCredentialsError extends DomainError {
-  constructor(message?: string);
-}
-declare class AccountDisabledError extends DomainError {
-  constructor(message?: string);
-}
-declare class UserNotFoundError extends DomainError {
-  constructor(message?: string);
-}
-declare class UserAlreadyExistsError extends DomainError {
-  constructor(message?: string);
-}
-declare class PasswordPolicyViolationError extends DomainError {
-  constructor(message?: string);
-}
-declare class SessionNotFoundError extends DomainError {
-  constructor(message?: string);
-}
-declare class SessionExpiredError extends DomainError {
-  constructor(message?: string);
-}
-declare class RateLimitExceededError extends DomainError {
-  constructor(message?: string);
-}
-//#endregion
-export { type AccessTokenPayload, AccountDisabledError, type AuditLogEntry, type AuditLogPort, type AuditLogQueryParams, type AuditStatistics, type AuditStatsFilter, type AuthBackendPort, type AuthConfig, type AuthContext, type AuthStrategy, type ChangePasswordRequest, type CreateSessionInput, type CreateTenantInput, type CreateTenantMemberInput, type CreateUserInput, type IdentityAuthBackend, type IntegrityVerificationResult, InvalidCredentialsError, type JwtConfig, type LoggerService, type LoginRequest, type LoginResponse, type MeResponse, type MessageResponse, type MfaPendingTokenPayload, MfaRequiredError, type PaginatedResult, type PasswordHasher, type PasswordPolicyConfig, PasswordPolicyViolationError, type PasswordResetConfirmRequest, type PasswordResetRequest, type PasswordResetTokenPayload, type PasswordValidationResult, type PermissionCheckFn, type RateLimitConfig, RateLimitExceededError, type RateLimiter, type RefreshTokenPayload, type RefreshTokenRequest, type RefreshTokenResponse, type RegisterRequest, type RegisterResponse, type ResourceAction, type Session, SessionExpiredError, type SessionInfo, SessionNotFoundError, type SessionPort, type Tenant, type TenantMember, type TenantMemberPort, type TenantMemberRole, type TenantPermissionCheckFn, type TenantPort, type TenantStatus, type TenantValidateFn, type TenantValidateResult, TokenExpiredError, TokenInvalidError, TokenMissingError, type TokenPayload, type TokenPort, type TokenSigner, type TokenVerifier, type TokenVerifyResult, type UpdateTenantInput, type UpdateUserInput, type User, UserAlreadyExistsError, type UserAuthInfo, type UserInfo, UserNotFoundError, type UserPort, type UserStatus, type VerifyPasswordResult, accessTokenPayloadSchema, authConfigSchema, changePasswordSchema, createUserSchema, jwtConfigSchema, loginSchema, mfaPendingTokenPayloadSchema, passwordPolicyConfigSchema, passwordResetTokenPayloadSchema, permissionStringSchema, rateLimitConfigSchema, refreshTokenPayloadSchema, refreshTokenSchema, resourceActionSchema, updateUserSchema };