@mars-stack/core 0.4.0

package/cursor/skills/mars-test-api-route/SKILL.md

@@ -0,0 +1,219 @@
+# Skill: Test an API Route
+
+Write unit tests for a MARS API route using Vitest, mock-auth, and Prisma mocking.
+
+## When to Use
+
+Use this skill when the user asks to test an API endpoint, write backend tests, or add test coverage for a route handler.
+
+## Architecture
+
+MARS API route tests:
+- Import and call the exported handler function directly (no HTTP server needed)
+- Mock Prisma, auth session, and external services
+- Assert response status and body
+- Test all paths: success, validation errors, auth errors, database errors
+
+## Template: Full API Route Test
+
+```typescript
+// src/app/api/protected/projects/route.test.ts
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { GET, POST } from './route';
+import { mockAuth, createTestRequest, createTestRequestWithBody } from '@mars-stack/core/test-utils';
+
+// Mock database
+const mockFindMany = vi.fn();
+const mockCreate = vi.fn();
+
+vi.mock('@/lib/prisma', () => ({
+  prisma: {
+    project: {
+      findMany: (...args: unknown[]) => mockFindMany(...args),
+      create: (...args: unknown[]) => mockCreate(...args),
+    },
+  },
+  isDatabaseError: vi.fn(() => false),
+  formatDatabaseError: vi.fn(),
+}));
+
+// Mock auth -- return a valid session
+vi.mock('@/lib/mars', () => ({
+  verifySessionForAPI: vi.fn(() => Promise.resolve(mockAuth)),
+}));
+
+describe('GET /api/protected/projects', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it('returns projects for the authenticated user', async () => {
+    const projects = [
+      { id: '1', name: 'Project A', userId: mockAuth.userId },
+      { id: '2', name: 'Project B', userId: mockAuth.userId },
+    ];
+    mockFindMany.mockResolvedValue(projects);
+
+    const request = createTestRequest('GET', '/api/protected/projects');
+    const response = await GET(request);
+    const body = await response.json();
+
+    expect(response.status).toBe(200);
+    expect(body).toHaveLength(2);
+    expect(mockFindMany).toHaveBeenCalledWith(
+      expect.objectContaining({
+        where: { userId: mockAuth.userId },
+      }),
+    );
+  });
+
+  it('returns 401 when not authenticated', async () => {
+    const { verifySessionForAPI } = await import('@/lib/mars');
+    vi.mocked(verifySessionForAPI).mockResolvedValueOnce(null);
+
+    const request = createTestRequest('GET', '/api/protected/projects');
+    const response = await GET(request);
+
+    expect(response.status).toBe(401);
+  });
+});
+
+describe('POST /api/protected/projects', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it('creates a project with valid data', async () => {
+    const newProject = { id: '3', name: 'New Project', userId: mockAuth.userId };
+    mockCreate.mockResolvedValue(newProject);
+
+    const request = createTestRequestWithBody('POST', '/api/protected/projects', {
+      name: 'New Project',
+    });
+    const response = await POST(request);
+    const body = await response.json();
+
+    expect(response.status).toBe(201);
+    expect(body.name).toBe('New Project');
+    expect(mockCreate).toHaveBeenCalledWith(
+      expect.objectContaining({
+        data: expect.objectContaining({
+          name: 'New Project',
+          userId: mockAuth.userId,
+        }),
+      }),
+    );
+  });
+
+  it('returns 400 for invalid input', async () => {
+    const request = createTestRequestWithBody('POST', '/api/protected/projects', {
+      name: '', // Empty name should fail validation
+    });
+    const response = await POST(request);
+
+    expect(response.status).toBe(400);
+  });
+
+  it('returns 503 when database is unavailable', async () => {
+    const dbError = new Error("Can't reach database server");
+    Object.defineProperty(dbError, 'name', { value: 'PrismaClientInitializationError' });
+    mockCreate.mockRejectedValue(dbError);
+
+    const { isDatabaseError } = await import('@/lib/prisma');
+    vi.mocked(isDatabaseError).mockReturnValueOnce(true);
+
+    const request = createTestRequestWithBody('POST', '/api/protected/projects', {
+      name: 'Test Project',
+    });
+    const response = await POST(request);
+
+    expect(response.status).toBe(503);
+  });
+});
+```
+
+## Mock Auth Utilities
+
+MARS provides mock auth utilities via `@mars-stack/core/test-utils`:
+
+```typescript
+import { mockAuth, mockAuthAsAdmin, mockAuthAsUser } from '@mars-stack/core/test-utils';
+import { createTestRequest, createTestRequestWithBody } from '@mars-stack/core/test-utils';
+
+// mockAuth — default mock session object
+// mockAuthAsAdmin / mockAuthAsUser — role-specific variants
+// createTestRequest(method, path) — build a NextRequest without a body
+// createTestRequestWithBody(method, path, body) — build a NextRequest with JSON body
+```
+
+## Testing Patterns
+
+### Test Auth Required
+
+```typescript
+it('returns 401 when not authenticated', async () => {
+  const { verifySessionForAPI } = await import('@/lib/mars');
+  vi.mocked(verifySessionForAPI).mockResolvedValueOnce(null);
+  // ...assert 401
+});
+```
+
+### Test Role Requirement
+
+```typescript
+it('returns 403 for non-admin users', async () => {
+  const { verifySessionForAPI } = await import('@/lib/mars');
+  vi.mocked(verifySessionForAPI).mockResolvedValueOnce({ ...mockAuth, role: 'user' });
+
+  // For withRole, also mock the DB role check
+  mockFindUnique.mockResolvedValueOnce({ role: 'user' });
+
+  // ...assert 403
+});
+```
+
+### Test Validation Errors
+
+```typescript
+it('returns 400 with validation errors', async () => {
+  const request = createTestRequestWithBody('POST', '/api/protected/resource', {
+    email: 'not-an-email',
+  });
+  const response = await handler(request);
+  const body = await response.json();
+
+  expect(response.status).toBe(400);
+  expect(body.error).toBeDefined();
+});
+```
+
+### Test Database Errors
+
+```typescript
+it('returns 503 when database is down', async () => {
+  mockFindMany.mockRejectedValueOnce(new Error("Can't reach database"));
+  // ... assert 503
+});
+```
+
+## Running Tests
+
+```bash
+yarn test                     # Run all tests
+yarn test src/app/api/        # Run only API tests
+yarn test:watch               # Watch mode
+yarn test:coverage            # With coverage report
+```
+
+## Checklist
+
+- [ ] Test file created next to route (`route.test.ts`)
+- [ ] Prisma mocked with `vi.mock('@/lib/prisma')`
+- [ ] Auth session mocked with `vi.mock('@/lib/mars')`
+- [ ] `vi.clearAllMocks()` in `beforeEach`
+- [ ] Success path tested
+- [ ] 401 unauthorized tested
+- [ ] 400 validation error tested
+- [ ] 403 forbidden tested (if role-gated)
+- [ ] 503 database error tested
+- [ ] Response status AND body assertions

package/cursor/skills/mars-update-architecture-docs/SKILL.md

@@ -0,0 +1,189 @@
+# Skill: Update Architecture Docs
+
+Keep the Mars project documentation in sync with code changes. Covers when and how to update ARCHITECTURE.md, AGENTS.md, QUALITY_SCORE.md, and generated docs.
+
+## When to Use
+
+Use this skill when:
+- You have just added a new feature, service, or package
+- You have changed the database schema
+- You have added or removed a skill or rule
+- You have completed an execution plan
+- The user asks to update docs, sync docs, or refresh documentation
+- Another skill's checklist includes "update docs"
+
+## Prerequisites
+
+- Read `ARCHITECTURE.md` to understand the current documented state.
+- Read `AGENTS.md` for the project-level agent guide.
+- Read `docs/QUALITY_SCORE.md` for current quality grades.
+
+## Document Index
+
+| Document | Location | Purpose | Update frequency |
+|----------|----------|---------|------------------|
+| `AGENTS.md` | Repo root | First file any agent reads. Overview + pointers | On structure changes |
+| `ARCHITECTURE.md` | Repo root | Detailed technical architecture | On arch changes |
+| `docs/QUALITY_SCORE.md` | Docs | Quality grades by domain | After every improvement |
+| `docs/generated/package-map.md` | Docs | Auto-generated package structure | Regenerate on package changes |
+| `docs/generated/skill-inventory.md` | Docs | Auto-generated skill list | Regenerate on skill changes |
+| `template/AGENTS.md` | Template | Consumer-facing project guide | On template structure changes |
+| `packages/core/cursor/manifest.json` | Core | Skill index with triggers | On skill add/remove |
+
+## When to Update Each Document
+
+### ARCHITECTURE.md
+
+Update when:
+- A new package is added to the monorepo
+- The build pipeline changes (new build step, tool change)
+- A new export path is added to a package
+- The security model changes (new auth pattern, new middleware)
+- The skill/rule system changes
+
+What to update:
+1. Package layering diagram (if dependency graph changed)
+2. Package export table (if new exports added)
+3. Build pipeline section (if build process changed)
+4. Security architecture section (if auth patterns changed)
+5. Skills and rules section (if skill system changed)
+
+### AGENTS.md (Root)
+
+Update when:
+- A new top-level directory is added
+- A new CLI command is added
+- The "How to Run" commands change
+- A new "How to" section is needed (e.g., "How to Add a Plugin")
+
+Keep it concise — AGENTS.md should fit in a single context window.
+
+### template/AGENTS.md
+
+Update when:
+- The template directory structure changes
+- New route groups are added
+- New feature modules are added to the template
+- The config structure changes
+- New "How to Run" commands are added
+
+### docs/QUALITY_SCORE.md
+
+Update when:
+- A quality grade changes (feature implemented, bug fixed, test added)
+- A new domain is added to the grading table
+- An execution plan is completed
+
+How to update:
+1. Find the relevant row in the appropriate table
+2. Update the grade (A/B/C/D/F)
+3. Update the notes to reflect current state
+4. Add date reference if significant change
+
+```markdown
+| Dashboard | B | Basic layout with stat cards. Missing: chart widgets, date range filter |
+```
+
+### Generated Docs
+
+Regenerate `docs/generated/package-map.md` when:
+- A package's exports change
+- A new package is added
+- A package is removed
+
+Regenerate `docs/generated/skill-inventory.md` when:
+- A skill is added, removed, or renamed
+- Skill triggers or dependencies change
+
+### manifest.json
+
+Update when:
+- A new skill is added (add entry with triggers, dependencies, capabilities)
+- A skill is removed (remove entry)
+- Skill triggers change (update triggers array)
+- Skill dependencies change (update dependencies array)
+
+## Step-by-Step: After Adding a Feature
+
+1. **QUALITY_SCORE.md** — Update the grade for the relevant domain:
+
+```markdown
+| Billing | B | Stripe checkout, portal, webhook. Missing: usage-based billing |
+```
+
+2. **ARCHITECTURE.md** — If the feature introduces a new architectural pattern:
+
+```markdown
+### Billing Architecture
+
+The billing system uses Stripe as the payment provider...
+```
+
+3. **template/AGENTS.md** — If the feature adds new directories or conventions:
+
+```markdown
+├── features/
+│   └── billing/         # Subscription management
+```
+
+4. **Execution plan** — Mark tasks complete, update verification:
+
+```markdown
+- [x] **3.1 Billing page** — Done. `src/app/(protected)/billing/page.tsx`
+```
+
+## Step-by-Step: After Adding a Skill
+
+1. **manifest.json** — Add the skill entry:
+
+```json
+"new-skill-name": {
+  "file": "skills/mars-new-skill-name/SKILL.md",
+  "triggers": ["trigger phrase 1", "trigger phrase 2"],
+  "dependencies": ["dependency-skill"],
+  "capabilities": ["file-edit", "terminal"]
+}
+```
+
+2. **skill-inventory.md** — Regenerate or manually add:
+
+```markdown
+| new-skill-name | Add a new thing | file-edit, terminal |
+```
+
+3. **AGENTS.md** — If the skill represents a new "How to" workflow:
+
+```markdown
+## How to Add a New Thing
+
+1. Create the skill file
+2. Add to manifest
+3. ...
+```
+
+## Step-by-Step: After a Schema Change
+
+1. **ARCHITECTURE.md** — Update if the change affects the data model section
+2. **template/AGENTS.md** — Update the schema file listing if new files added
+3. **QUALITY_SCORE.md** — Update database-related grades
+
+## Validation
+
+After updating docs, verify:
+
+1. **No broken links** — Check that referenced files exist
+2. **Consistent terminology** — Use the same names as the code
+3. **Up-to-date grades** — Quality scores reflect actual state
+4. **AGENTS.md fits in context** — Keep it under ~200 lines
+
+## Checklist
+
+- [ ] Identified which documents need updating
+- [ ] ARCHITECTURE.md updated (if architectural change)
+- [ ] AGENTS.md updated (if structure or workflow change)
+- [ ] template/AGENTS.md updated (if template structure change)
+- [ ] QUALITY_SCORE.md grades updated
+- [ ] manifest.json updated (if skill change)
+- [ ] Generated docs regenerated (if package or skill change)
+- [ ] No broken internal links
+- [ ] Execution plan marked as complete (if applicable)

package/dist/api-error/index.d.ts

@@ -0,0 +1,27 @@
+import { NextResponse } from 'next/server';
+interface ApiErrorHandlerConfig {
+    logger: {
+        error: (...args: unknown[]) => void;
+    };
+}
+export interface ApiErrorOptions {
+    endpoint: string;
+    fallbackMessage?: string;
+}
+/**
+ * Creates an API error handler that maps Zod validation errors, database errors,
+ * and unhandled exceptions to appropriate JSON responses with status codes.
+ *
+ * @param config - Configuration with a structured logger
+ * @returns An object containing the `handleApiError` function
+ * @example
+ * const { handleApiError } = createApiErrorHandler({ logger: console });
+ * try { ... } catch (error) {
+ *   return handleApiError(error, { endpoint: '/api/users' });
+ * }
+ */
+export declare function createApiErrorHandler(config: ApiErrorHandlerConfig): {
+    handleApiError: (error: unknown, options: ApiErrorOptions) => NextResponse;
+};
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/api-error/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/api-error/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAI3C,UAAU,qBAAqB;IAC7B,MAAM,EAAE;QAAE,KAAK,EAAE,CAAC,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,IAAI,CAAA;KAAE,CAAC;CACjD;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AA0BD;;;;;;;;;;;GAWG;AACH,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,qBAAqB;4BAClC,OAAO,WAAW,eAAe,KAAG,YAAY;EAyBhF"}

package/dist/api-error/index.js

@@ -0,0 +1,2 @@
+export { createApiErrorHandler } from '../chunk-U4NZQ366.js';
+import '../chunk-QAH2Y5WK.js';

package/dist/auth/credential-tag.d.ts

@@ -0,0 +1,5 @@
+import 'server-only';
+/** Tag for users without a password (e.g. OAuth-only). Sessions cannot be individually revoked. */
+export declare const NO_PASSWORD_TAG = "no-password";
+export declare function buildCredentialTag(passwordHash: string | null | undefined, _revocationSeed?: string): Promise<string>;
+//# sourceMappingURL=credential-tag.d.ts.map

package/dist/auth/credential-tag.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"credential-tag.d.ts","sourceRoot":"","sources":["../../src/auth/credential-tag.ts"],"names":[],"mappings":"AAAA,OAAO,aAAa,CAAC;AAMrB,mGAAmG;AACnG,eAAO,MAAM,eAAe,gBAAgB,CAAC;AAE7C,wBAAsB,kBAAkB,CACtC,YAAY,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EACvC,eAAe,CAAC,EAAE,MAAM,GACvB,OAAO,CAAC,MAAM,CAAC,CAOjB"}

package/dist/auth/credential-tag.js

@@ -0,0 +1,2 @@
+export { NO_PASSWORD_TAG, buildCredentialTag } from '../chunk-GVLH2GQP.js';
+import '../chunk-MXQ66RUN.js';

package/dist/auth/crypto-utils.d.ts

@@ -0,0 +1,43 @@
+import 'server-only';
+/**
+ * Constant-time string comparison to prevent timing attacks.
+ * Pads comparison to max length so length mismatch does not leak information.
+ *
+ * @param a - First string to compare
+ * @param b - Second string to compare
+ * @returns True if the strings are identical
+ * @example
+ * if (constantTimeEqual(suppliedToken, expectedToken)) { /* valid *\/ }
+ */
+export declare function constantTimeEqual(a: string, b: string): boolean;
+/**
+ * Converts a byte array to a lowercase hex-encoded string.
+ *
+ * @param bytes - The byte array to convert
+ * @returns The hex-encoded string
+ * @example
+ * const hex = bytesToHex(new Uint8Array([0xde, 0xad])); // 'dead'
+ */
+export declare function bytesToHex(bytes: Uint8Array): string;
+/**
+ * Escapes HTML special characters to prevent XSS in email templates.
+ *
+ * @param str - The raw string to escape
+ * @returns The HTML-safe string with &, <, >, ", ' escaped
+ * @example
+ * const safe = escapeHtml('<script>alert("xss")</script>');
+ * // '&lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;'
+ */
+export declare function escapeHtml(str: string): string;
+/**
+ * Hashes a token with a domain separator for secure storage.
+ * Uses SHA-256(domain + ":" + token) to prevent cross-protocol hash collisions.
+ *
+ * @param token - The raw token to hash
+ * @param domain - A domain separator string (e.g. 'email-verification')
+ * @returns The hex-encoded SHA-256 hash
+ * @example
+ * const hashed = await hashToken(rawToken, 'password-reset');
+ */
+export declare function hashToken(token: string, domain: string): Promise<string>;
+//# sourceMappingURL=crypto-utils.d.ts.map

package/dist/auth/crypto-utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto-utils.d.ts","sourceRoot":"","sources":["../../src/auth/crypto-utils.ts"],"names":[],"mappings":"AAAA,OAAO,aAAa,CAAC;AAErB;;;;;;;;;GASG;AACH,wBAAgB,iBAAiB,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO,CAU/D;AAED;;;;;;;GAOG;AACH,wBAAgB,UAAU,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CAIpD;AAED;;;;;;;;GAQG;AACH,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAO9C;AAED;;;;;;;;;GASG;AACH,wBAAsB,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAK9E"}

package/dist/auth/crypto-utils.js

@@ -0,0 +1 @@
+export { bytesToHex, constantTimeEqual, escapeHtml, hashToken } from '../chunk-MXQ66RUN.js';

package/dist/auth/csrf.d.ts

@@ -0,0 +1,32 @@
+import 'server-only';
+import { NextRequest } from 'next/server';
+interface CSRFProtectionConfig {
+    getJWTSecret: () => string;
+    logViolation: (event: {
+        ipAddress?: string;
+        userAgent?: string;
+        endpoint?: string;
+    }) => void;
+}
+/**
+ * Creates a CSRF protection module with token generation, verification, and
+ * request validation. Derives a separate HMAC key from the JWT secret to
+ * prevent key reuse across protocols.
+ *
+ * @param config - Configuration with JWT secret accessor and violation logger
+ * @returns An object with CSRF token lifecycle and request validation methods
+ * @example
+ * const csrf = createCSRFProtection({
+ *   getJWTSecret: () => env.JWT_SECRET,
+ *   logViolation: (event) => logger.warn('CSRF violation', event),
+ * });
+ * const token = await csrf.generateCSRFToken(session.fingerprint);
+ */
+export declare function createCSRFProtection(config: CSRFProtectionConfig): {
+    generateCSRFToken: (sessionFingerprint?: string) => Promise<string>;
+    verifyCSRFToken: (token: string, expectedFingerprint?: string) => Promise<boolean>;
+    requireCSRFToken: (sessionFingerprint?: string) => Promise<string>;
+    validateCSRFRequest: (request: NextRequest, sessionFingerprint?: string) => Promise<boolean>;
+};
+export {};
+//# sourceMappingURL=csrf.d.ts.map

package/dist/auth/csrf.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"csrf.d.ts","sourceRoot":"","sources":["../../src/auth/csrf.ts"],"names":[],"mappings":"AAAA,OAAO,aAAa,CAAC;AAGrB,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAiC1C,UAAU,oBAAoB;IAC5B,YAAY,EAAE,MAAM,MAAM,CAAC;IAC3B,YAAY,EAAE,CAAC,KAAK,EAAE;QAAE,SAAS,CAAC,EAAE,MAAM,CAAC;QAAC,SAAS,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE,KAAK,IAAI,CAAC;CAC9F;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,oBAAoB;6CAUT,MAAM,KAAG,OAAO,CAAC,MAAM,CAAC;6BAYrE,MAAM,wBACS,MAAM,KAC3B,OAAO,CAAC,OAAO,CAAC;4CAkCkC,MAAM,KAAG,OAAO,CAAC,MAAM,CAAC;mCA2ClE,WAAW,uBACC,MAAM,KAC1B,OAAO,CAAC,OAAO,CAAC;EA4CpB"}

package/dist/auth/csrf.js

@@ -0,0 +1,2 @@
+export { createCSRFProtection } from '../chunk-PZE3JGXO.js';
+import '../chunk-MXQ66RUN.js';

package/dist/auth/hooks/index.d.ts

@@ -0,0 +1,4 @@
+export { useCSRF } from './useCSRF';
+export { usePasswordStrength } from './usePasswordStrength';
+export type { PasswordRequirements, PasswordStrength, UsePasswordStrengthResult } from './usePasswordStrength';
+//# sourceMappingURL=index.d.ts.map

package/dist/auth/hooks/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/auth/hooks/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAC5D,YAAY,EAAE,oBAAoB,EAAE,gBAAgB,EAAE,yBAAyB,EAAE,MAAM,uBAAuB,CAAC"}

package/dist/auth/hooks/index.js

@@ -0,0 +1,68 @@
+import { useState, useEffect, useMemo } from 'react';
+
+// src/auth/hooks/useCSRF.ts
+function useCSRF() {
+  const [csrfToken, setCSRFToken] = useState(null);
+  const [isLoading, setIsLoading] = useState(true);
+  useEffect(() => {
+    const fetchCSRFToken = async () => {
+      try {
+        const response = await fetch("/api/csrf", {
+          method: "GET",
+          credentials: "include"
+        });
+        if (response.ok) {
+          const data = await response.json();
+          setCSRFToken(data.token);
+        }
+      } catch (error) {
+        console.error("Failed to fetch CSRF token:", error);
+      } finally {
+        setIsLoading(false);
+      }
+    };
+    fetchCSRFToken();
+  }, []);
+  function getCSRFHeaders() {
+    if (!csrfToken) return {};
+    return { "X-CSRF-Token": csrfToken };
+  }
+  function getCSRFFormData() {
+    if (!csrfToken) return {};
+    return { csrfToken };
+  }
+  return { csrfToken, isLoading, getCSRFHeaders, getCSRFFormData };
+}
+function usePasswordStrength(password) {
+  return useMemo(() => {
+    if (!password) {
+      return {
+        strength: "Weak",
+        requirements: {
+          length: false,
+          lowercase: false,
+          uppercase: false,
+          number: false,
+          special: false,
+          noPassword: false,
+          noSequential: false
+        },
+        score: 0
+      };
+    }
+    const requirements = {
+      length: password.length >= 8 && password.length <= 100,
+      lowercase: /[a-z]/.test(password),
+      uppercase: /[A-Z]/.test(password),
+      number: /[0-9]/.test(password),
+      special: /[^A-Za-z0-9]/.test(password),
+      noPassword: !password.toLowerCase().includes("password"),
+      noSequential: !password.includes("123")
+    };
+    const score = Object.values(requirements).filter(Boolean).length;
+    const strength = score >= 6 ? "Strong" : score >= 4 ? "Medium" : "Weak";
+    return { strength, requirements, score };
+  }, [password]);
+}
+
+export { useCSRF, usePasswordStrength };

package/dist/auth/hooks/useCSRF.d.ts

@@ -0,0 +1,7 @@
+export declare function useCSRF(): {
+    csrfToken: string | null;
+    isLoading: boolean;
+    getCSRFHeaders: () => Record<string, string>;
+    getCSRFFormData: () => Record<string, string>;
+};
+//# sourceMappingURL=useCSRF.d.ts.map

package/dist/auth/hooks/useCSRF.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"useCSRF.d.ts","sourceRoot":"","sources":["../../../src/auth/hooks/useCSRF.ts"],"names":[],"mappings":"AAIA,wBAAgB,OAAO;;;0BA0BM,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;2BAKrB,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;EAMnD"}

package/dist/auth/hooks/usePasswordStrength.d.ts

@@ -0,0 +1,17 @@
+export interface PasswordRequirements {
+    length: boolean;
+    lowercase: boolean;
+    uppercase: boolean;
+    number: boolean;
+    special: boolean;
+    noPassword: boolean;
+    noSequential: boolean;
+}
+export type PasswordStrength = 'Weak' | 'Medium' | 'Strong';
+export interface UsePasswordStrengthResult {
+    strength: PasswordStrength;
+    requirements: PasswordRequirements;
+    score: number;
+}
+export declare function usePasswordStrength(password: string): UsePasswordStrengthResult;
+//# sourceMappingURL=usePasswordStrength.d.ts.map

package/dist/auth/hooks/usePasswordStrength.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"usePasswordStrength.d.ts","sourceRoot":"","sources":["../../../src/auth/hooks/usePasswordStrength.ts"],"names":[],"mappings":"AAIA,MAAM,WAAW,oBAAoB;IACnC,MAAM,EAAE,OAAO,CAAC;IAChB,SAAS,EAAE,OAAO,CAAC;IACnB,SAAS,EAAE,OAAO,CAAC;IACnB,MAAM,EAAE,OAAO,CAAC;IAChB,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,EAAE,OAAO,CAAC;IACpB,YAAY,EAAE,OAAO,CAAC;CACvB;AAED,MAAM,MAAM,gBAAgB,GAAG,MAAM,GAAG,QAAQ,GAAG,QAAQ,CAAC;AAE5D,MAAM,WAAW,yBAAyB;IACxC,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,YAAY,EAAE,oBAAoB,CAAC;IACnC,KAAK,EAAE,MAAM,CAAC;CACf;AAED,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,yBAAyB,CAiC/E"}

package/dist/auth/internal-api-key.d.ts

@@ -0,0 +1,5 @@
+import 'server-only';
+export declare function getRequiredInternalApiKey(): string;
+export declare function getInternalApiKeys(): string[];
+export declare function isInternalApiRequestAuthorized(authHeader: string | null, expectedApiKeys: string | string[]): boolean;
+//# sourceMappingURL=internal-api-key.d.ts.map

package/dist/auth/internal-api-key.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"internal-api-key.d.ts","sourceRoot":"","sources":["../../src/auth/internal-api-key.ts"],"names":[],"mappings":"AAAA,OAAO,aAAa,CAAC;AAerB,wBAAgB,yBAAyB,IAAI,MAAM,CAMlD;AAED,wBAAgB,kBAAkB,IAAI,MAAM,EAAE,CAE7C;AAED,wBAAgB,8BAA8B,CAC5C,UAAU,EAAE,MAAM,GAAG,IAAI,EACzB,eAAe,EAAE,MAAM,GAAG,MAAM,EAAE,GACjC,OAAO,CAST"}