@mesob/auth-hono 0.0.3

package/dist/index.js

@@ -0,0 +1,2397 @@
+var __defProp = Object.defineProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+
+// src/db/index.ts
+import { drizzle } from "drizzle-orm/node-postgres";
+import { Pool } from "pg";
+
+// src/db/relations.ts
+var relations_exports = {};
+__export(relations_exports, {
+  accountChangesInIamRelations: () => accountChangesInIamRelations,
+  accountsInIamRelations: () => accountsInIamRelations,
+  domainsInIamRelations: () => domainsInIamRelations,
+  permissionsInIamRelations: () => permissionsInIamRelations,
+  rolePermissionsInIamRelations: () => rolePermissionsInIamRelations,
+  rolesInIamRelations: () => rolesInIamRelations,
+  sessionsInIamRelations: () => sessionsInIamRelations,
+  tenantsInIamRelations: () => tenantsInIamRelations,
+  userRolesInIamRelations: () => userRolesInIamRelations,
+  usersInIamRelations: () => usersInIamRelations,
+  verificationsInIamRelations: () => verificationsInIamRelations
+});
+import { relations } from "drizzle-orm/relations";
+
+// src/db/schema.ts
+var schema_exports = {};
+__export(schema_exports, {
+  accountChangesInIam: () => accountChangesInIam,
+  accountsInIam: () => accountsInIam,
+  domainsInIam: () => domainsInIam,
+  iam: () => iam,
+  permissionsInIam: () => permissionsInIam,
+  rolePermissionsInIam: () => rolePermissionsInIam,
+  rolesInIam: () => rolesInIam,
+  sessionsInIam: () => sessionsInIam,
+  tenantsInIam: () => tenantsInIam,
+  userRolesInIam: () => userRolesInIam,
+  usersInIam: () => usersInIam,
+  verificationsInIam: () => verificationsInIam
+});
+import { pgSchema, uniqueIndex, foreignKey, unique, pgPolicy, check, uuid, varchar, timestamp, text, boolean, smallint, index, inet, jsonb } from "drizzle-orm/pg-core";
+import { sql } from "drizzle-orm";
+var iam = pgSchema("iam");
+var usersInIam = iam.table("users", {
+  id: uuid().default(sql`uuid_generate_v7()`).primaryKey().notNull(),
+  tenantId: varchar("tenant_id", { length: 30 }).notNull(),
+  createdAt: timestamp("created_at", { withTimezone: true, mode: "string" }).default(sql`CURRENT_TIMESTAMP`).notNull(),
+  updatedAt: timestamp("updated_at", { withTimezone: true, mode: "string" }).default(sql`CURRENT_TIMESTAMP`).notNull(),
+  fullName: text("full_name").notNull(),
+  image: text(),
+  phone: text(),
+  email: text(),
+  handle: text().notNull(),
+  emailVerified: boolean("email_verified").default(false).notNull(),
+  phoneVerified: boolean("phone_verified").default(false).notNull(),
+  bannedUntil: timestamp("banned_until", { withTimezone: true, mode: "string" }),
+  lastSignInAt: timestamp("last_sign_in_at", { withTimezone: true, mode: "string" }),
+  loginAttempt: smallint("login_attempt").default(0).notNull()
+}, (table) => [
+  uniqueIndex("users_tenant_lower_email_idx").using("btree", sql`tenant_id`, sql`lower(email)`),
+  uniqueIndex("users_tenant_lower_handle_idx").using("btree", sql`tenant_id`, sql`lower(handle)`),
+  foreignKey({
+    columns: [table.tenantId],
+    foreignColumns: [tenantsInIam.id],
+    name: "users_tenant_id_fkey"
+  }).onUpdate("cascade").onDelete("cascade"),
+  unique("users_tenant_phone_key").on(table.tenantId, table.phone),
+  pgPolicy("tenant_isolation", { as: "permissive", for: "all", to: ["public"], using: sql`((tenant_id)::text = (iam.current_tenant_id())::text)`, withCheck: sql`((tenant_id)::text = (iam.current_tenant_id())::text)` }),
+  check("users_login_attempt_nonnegative_check", sql`login_attempt >= 0`),
+  check("users_contact_required_check", sql`(email IS NOT NULL) OR (phone IS NOT NULL)`)
+]);
+var sessionsInIam = iam.table("sessions", {
+  id: uuid().default(sql`uuid_generate_v7()`).primaryKey().notNull(),
+  tenantId: varchar("tenant_id", { length: 30 }).notNull(),
+  createdAt: timestamp("created_at", { withTimezone: true, mode: "string" }).default(sql`CURRENT_TIMESTAMP`).notNull(),
+  updatedAt: timestamp("updated_at", { withTimezone: true, mode: "string" }).default(sql`CURRENT_TIMESTAMP`).notNull(),
+  userId: uuid("user_id").notNull(),
+  expiresAt: timestamp("expires_at", { withTimezone: true, mode: "string" }).notNull(),
+  userAgent: text("user_agent"),
+  ip: inet(),
+  meta: jsonb(),
+  token: text().notNull(),
+  rotatedAt: timestamp("rotated_at", { withTimezone: true, mode: "string" }).default(sql`CURRENT_TIMESTAMP`)
+}, (table) => [
+  index("sessions_expires_at_idx").using("btree", table.expiresAt.asc().nullsLast().op("timestamptz_ops")),
+  index("sessions_tenant_user_idx").using("btree", table.tenantId.asc().nullsLast().op("uuid_ops"), table.userId.asc().nullsLast().op("text_ops")),
+  foreignKey({
+    columns: [table.tenantId],
+    foreignColumns: [tenantsInIam.id],
+    name: "sessions_tenant_id_fkey"
+  }).onUpdate("cascade").onDelete("cascade"),
+  foreignKey({
+    columns: [table.userId],
+    foreignColumns: [usersInIam.id],
+    name: "sessions_user_id_fkey"
+  }).onUpdate("cascade").onDelete("cascade"),
+  unique("sessions_token_key").on(table.token),
+  pgPolicy("tenant_isolation", { as: "permissive", for: "all", to: ["public"], using: sql`((tenant_id)::text = (iam.current_tenant_id())::text)`, withCheck: sql`((tenant_id)::text = (iam.current_tenant_id())::text)` }),
+  check("sessions_expires_after_created_check", sql`expires_at > created_at`)
+]);
+var verificationsInIam = iam.table("verifications", {
+  id: uuid().default(sql`uuid_generate_v7()`).primaryKey().notNull(),
+  tenantId: varchar("tenant_id", { length: 30 }).notNull(),
+  createdAt: timestamp("created_at", { withTimezone: true, mode: "string" }).default(sql`CURRENT_TIMESTAMP`).notNull(),
+  updatedAt: timestamp("updated_at", { withTimezone: true, mode: "string" }).default(sql`CURRENT_TIMESTAMP`).notNull(),
+  userId: uuid("user_id").notNull(),
+  code: text().notNull(),
+  expiresAt: timestamp("expires_at", { withTimezone: true, mode: "string" }).notNull(),
+  type: text(),
+  attempt: smallint().default(0),
+  to: text()
+}, (table) => [
+  index("verifications_expires_at_idx").using("btree", table.expiresAt.asc().nullsLast().op("timestamptz_ops")),
+  index("verifications_lookup_idx").using("btree", table.tenantId.asc().nullsLast().op("text_ops"), table.userId.asc().nullsLast().op("text_ops"), table.type.asc().nullsLast().op("uuid_ops"), table.to.asc().nullsLast().op("text_ops"), table.code.asc().nullsLast().op("text_ops")),
+  foreignKey({
+    columns: [table.tenantId],
+    foreignColumns: [tenantsInIam.id],
+    name: "verifications_tenant_id_fkey"
+  }).onUpdate("cascade").onDelete("cascade"),
+  foreignKey({
+    columns: [table.userId],
+    foreignColumns: [usersInIam.id],
+    name: "verifications_user_id_fkey"
+  }).onUpdate("cascade").onDelete("cascade"),
+  pgPolicy("tenant_isolation", { as: "permissive", for: "all", to: ["public"], using: sql`((tenant_id)::text = (iam.current_tenant_id())::text)`, withCheck: sql`((tenant_id)::text = (iam.current_tenant_id())::text)` }),
+  check("verifications_attempt_nonnegative_check", sql`attempt >= 0`),
+  check("verifications_expires_after_created_check", sql`expires_at > created_at`)
+]);
+var accountChangesInIam = iam.table("account_changes", {
+  id: uuid().default(sql`uuid_generate_v7()`).primaryKey().notNull(),
+  tenantId: varchar("tenant_id", { length: 30 }).notNull(),
+  userId: uuid("user_id").notNull(),
+  createdAt: timestamp("created_at", { withTimezone: true, mode: "string" }).default(sql`CURRENT_TIMESTAMP`).notNull(),
+  updatedAt: timestamp("updated_at", { withTimezone: true, mode: "string" }).default(sql`CURRENT_TIMESTAMP`).notNull(),
+  changeType: text("change_type").notNull(),
+  oldEmail: varchar("old_email"),
+  newEmail: varchar("new_email"),
+  oldPhone: text("old_phone"),
+  newPhone: text("new_phone"),
+  status: varchar().notNull(),
+  expiresAt: timestamp("expires_at", { withTimezone: true, mode: "string" }).notNull(),
+  confirmedAt: timestamp("confirmed_at", { withTimezone: true, mode: "string" }),
+  cancelledAt: timestamp("cancelled_at", { withTimezone: true, mode: "string" }),
+  reason: text()
+}, (table) => [
+  index("account_changes_expires_at_idx").using("btree", table.expiresAt.asc().nullsLast().op("timestamptz_ops")),
+  index("account_changes_tenant_user_status_idx").using("btree", table.tenantId.asc().nullsLast().op("uuid_ops"), table.userId.asc().nullsLast().op("text_ops"), table.status.asc().nullsLast().op("text_ops")),
+  foreignKey({
+    columns: [table.tenantId],
+    foreignColumns: [tenantsInIam.id],
+    name: "account_changes_tenant_id_fkey"
+  }).onUpdate("cascade").onDelete("cascade"),
+  foreignKey({
+    columns: [table.userId],
+    foreignColumns: [usersInIam.id],
+    name: "account_changes_user_id_fkey"
+  }).onUpdate("cascade").onDelete("cascade"),
+  pgPolicy("tenant_isolation", { as: "permissive", for: "all", to: ["public"], using: sql`((tenant_id)::text = (iam.current_tenant_id())::text)`, withCheck: sql`((tenant_id)::text = (iam.current_tenant_id())::text)` }),
+  check("account_changes_status_check", sql`(status)::text = ANY ((ARRAY['pending'::character varying, 'applied'::character varying, 'cancelled'::character varying, 'expired'::character varying])::text[])`),
+  check("account_changes_change_type_check", sql`((change_type = 'email'::text) AND (old_email IS NOT NULL) AND (new_email IS NOT NULL) AND (old_phone IS NULL) AND (new_phone IS NULL)) OR ((change_type = 'phone'::text) AND (old_phone IS NOT NULL) AND (new_phone IS NOT NULL) AND (old_email IS NULL) AND (new_email IS NULL))`),
+  check("account_changes_expires_after_created_check", sql`expires_at > created_at`)
+]);
+var tenantsInIam = iam.table("tenants", {
+  id: varchar({ length: 30 }).primaryKey().notNull(),
+  createdAt: timestamp("created_at", { withTimezone: true, mode: "string" }).default(sql`CURRENT_TIMESTAMP`).notNull(),
+  updatedAt: timestamp("updated_at", { withTimezone: true, mode: "string" }).default(sql`CURRENT_TIMESTAMP`).notNull(),
+  name: jsonb().notNull(),
+  description: jsonb(),
+  theme: jsonb(),
+  supportedLanguages: jsonb("supported_languages"),
+  defaultLanguage: text("default_language"),
+  supportedCurrency: jsonb("supported_currency"),
+  defaultCurrency: text("default_currency"),
+  timezone: text(),
+  isActive: boolean("is_active").default(true).notNull(),
+  locale: jsonb(),
+  settings: jsonb(),
+  seo: jsonb()
+}, (table) => [
+  index("tenants_is_active_idx").using("btree", table.isActive.asc().nullsLast().op("bool_ops"))
+]);
+var rolesInIam = iam.table("roles", {
+  id: uuid().default(sql`uuid_generate_v7()`).primaryKey().notNull(),
+  tenantId: varchar("tenant_id", { length: 30 }).notNull(),
+  createdAt: timestamp("created_at", { withTimezone: true, mode: "string" }).default(sql`CURRENT_TIMESTAMP`).notNull(),
+  updatedAt: timestamp("updated_at", { withTimezone: true, mode: "string" }).default(sql`CURRENT_TIMESTAMP`).notNull(),
+  name: jsonb().notNull(),
+  description: jsonb().notNull(),
+  code: text().notNull()
+}, (table) => [
+  foreignKey({
+    columns: [table.tenantId],
+    foreignColumns: [tenantsInIam.id],
+    name: "roles_tenant_id_fkey"
+  }).onUpdate("cascade").onDelete("cascade"),
+  unique("roles_tenant_code_unique").on(table.tenantId, table.code),
+  pgPolicy("tenant_isolation", { as: "permissive", for: "all", to: ["public"], using: sql`((tenant_id)::text = (iam.current_tenant_id())::text)`, withCheck: sql`((tenant_id)::text = (iam.current_tenant_id())::text)` })
+]);
+var permissionsInIam = iam.table("permissions", {
+  id: text().primaryKey().notNull(),
+  description: jsonb().notNull(),
+  activity: text().notNull(),
+  application: text().notNull(),
+  feature: text().notNull()
+}, (table) => [
+  unique("permissions_activity_application_feature_key").on(table.activity, table.application, table.feature)
+]);
+var rolePermissionsInIam = iam.table("role_permissions", {
+  id: uuid().default(sql`uuid_generate_v7()`).primaryKey().notNull(),
+  tenantId: varchar("tenant_id", { length: 30 }).notNull(),
+  roleId: uuid("role_id").notNull(),
+  permissionId: text("permission_id").notNull()
+}, (table) => [
+  foreignKey({
+    columns: [table.tenantId],
+    foreignColumns: [tenantsInIam.id],
+    name: "role_permissions_tenant_id_fkey"
+  }).onUpdate("cascade").onDelete("cascade"),
+  foreignKey({
+    columns: [table.roleId],
+    foreignColumns: [rolesInIam.id],
+    name: "role_permissions_role_id_fkey"
+  }).onUpdate("cascade").onDelete("cascade"),
+  foreignKey({
+    columns: [table.permissionId],
+    foreignColumns: [permissionsInIam.id],
+    name: "role_permissions_permission_id_fkey"
+  }).onUpdate("cascade").onDelete("cascade"),
+  unique("role_permissions_unique").on(table.roleId, table.permissionId),
+  pgPolicy("tenant_isolation", { as: "permissive", for: "all", to: ["public"], using: sql`((tenant_id)::text = (iam.current_tenant_id())::text)`, withCheck: sql`((tenant_id)::text = (iam.current_tenant_id())::text)` })
+]);
+var userRolesInIam = iam.table("user_roles", {
+  id: uuid().default(sql`uuid_generate_v7()`).primaryKey().notNull(),
+  tenantId: varchar("tenant_id", { length: 30 }).notNull(),
+  userId: uuid("user_id").notNull(),
+  roleId: uuid("role_id").notNull()
+}, (table) => [
+  foreignKey({
+    columns: [table.tenantId],
+    foreignColumns: [tenantsInIam.id],
+    name: "user_roles_tenant_id_fkey"
+  }).onUpdate("cascade").onDelete("cascade"),
+  foreignKey({
+    columns: [table.userId],
+    foreignColumns: [usersInIam.id],
+    name: "user_roles_user_id_fkey"
+  }).onUpdate("cascade").onDelete("cascade"),
+  foreignKey({
+    columns: [table.roleId],
+    foreignColumns: [rolesInIam.id],
+    name: "user_roles_role_id_fkey"
+  }).onUpdate("cascade").onDelete("cascade"),
+  unique("user_roles_unique").on(table.userId, table.roleId),
+  pgPolicy("tenant_isolation", { as: "permissive", for: "all", to: ["public"], using: sql`((tenant_id)::text = (iam.current_tenant_id())::text)`, withCheck: sql`((tenant_id)::text = (iam.current_tenant_id())::text)` })
+]);
+var accountsInIam = iam.table("accounts", {
+  id: uuid().default(sql`uuid_generate_v7()`).primaryKey().notNull(),
+  tenantId: varchar("tenant_id", { length: 30 }).notNull(),
+  userId: uuid("user_id").notNull(),
+  provider: text().notNull(),
+  providerAccountId: text("provider_account_id").notNull(),
+  password: text(),
+  passwordLastChangedAt: timestamp("password_last_changed_at", { withTimezone: true, mode: "string" }),
+  idToken: text("id_token"),
+  accessToken: text("access_token"),
+  accessTokenExpiresAt: timestamp("access_token_expires_at", { withTimezone: true, mode: "string" }),
+  refreshToken: text("refresh_token"),
+  refreshTokenExpiresAt: timestamp("refresh_token_expires_at", { withTimezone: true, mode: "string" }),
+  scope: text(),
+  expiresAt: timestamp("expires_at", { withTimezone: true, mode: "string" }),
+  meta: jsonb()
+}, (table) => [
+  foreignKey({
+    columns: [table.tenantId],
+    foreignColumns: [tenantsInIam.id],
+    name: "accounts_tenant_id_fkey"
+  }).onUpdate("cascade").onDelete("cascade"),
+  foreignKey({
+    columns: [table.userId],
+    foreignColumns: [usersInIam.id],
+    name: "accounts_user_id_fkey"
+  }).onUpdate("cascade").onDelete("cascade"),
+  unique("accounts_provider_account_unique").on(table.provider, table.providerAccountId),
+  pgPolicy("tenant_isolation", { as: "permissive", for: "all", to: ["public"], using: sql`((tenant_id)::text = (iam.current_tenant_id())::text)`, withCheck: sql`((tenant_id)::text = (iam.current_tenant_id())::text)` })
+]);
+var domainsInIam = iam.table("domains", {
+  id: uuid().default(sql`uuid_generate_v7()`).primaryKey().notNull(),
+  tenantId: varchar("tenant_id", { length: 30 }).notNull(),
+  domain: text().notNull(),
+  status: text().default("pending").notNull(),
+  meta: jsonb(),
+  isPrimary: boolean("is_primary").default(false).notNull(),
+  createdAt: timestamp("created_at", { withTimezone: true, mode: "string" }).default(sql`CURRENT_TIMESTAMP`).notNull(),
+  updatedAt: timestamp("updated_at", { withTimezone: true, mode: "string" }).default(sql`CURRENT_TIMESTAMP`).notNull(),
+  createdBy: uuid("created_by"),
+  updatedBy: uuid("updated_by")
+}, (table) => [
+  uniqueIndex("domains_domain_unique_idx").using("btree", sql`lower(domain)`),
+  uniqueIndex("domains_primary_per_tenant_idx").using("btree", table.tenantId.asc().nullsLast().op("text_ops")).where(sql`(is_primary = true)`),
+  index("domains_tenant_id_idx").using("btree", table.tenantId.asc().nullsLast().op("text_ops")),
+  index("domains_tenant_status_idx").using("btree", table.tenantId.asc().nullsLast().op("text_ops"), table.status.asc().nullsLast().op("text_ops")),
+  foreignKey({
+    columns: [table.tenantId],
+    foreignColumns: [tenantsInIam.id],
+    name: "domains_tenant_id_fkey"
+  }).onUpdate("cascade").onDelete("cascade"),
+  pgPolicy("tenant_isolation", { as: "permissive", for: "all", to: ["public"], using: sql`((tenant_id)::text = (iam.current_tenant_id())::text)`, withCheck: sql`((tenant_id)::text = (iam.current_tenant_id())::text)` }),
+  check("domains_status_check", sql`status = ANY (ARRAY['pending'::text, 'active'::text, 'disabled'::text, 'deleted'::text])`),
+  check("domains_domain_format_check", sql`domain ~ '^[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?)+$'::text`)
+]);
+
+// src/db/relations.ts
+var usersInIamRelations = relations(usersInIam, ({ one, many }) => ({
+  tenantsInIam: one(tenantsInIam, {
+    fields: [usersInIam.tenantId],
+    references: [tenantsInIam.id]
+  }),
+  sessionsInIam: many(sessionsInIam),
+  verificationsInIam: many(verificationsInIam),
+  accountChangesInIam: many(accountChangesInIam),
+  userRolesInIam: many(userRolesInIam),
+  accountsInIam: many(accountsInIam)
+}));
+var tenantsInIamRelations = relations(tenantsInIam, ({ many }) => ({
+  usersInIam: many(usersInIam),
+  sessionsInIam: many(sessionsInIam),
+  verificationsInIam: many(verificationsInIam),
+  accountChangesInIam: many(accountChangesInIam),
+  rolesInIam: many(rolesInIam),
+  rolePermissionsInIam: many(rolePermissionsInIam),
+  userRolesInIam: many(userRolesInIam),
+  accountsInIam: many(accountsInIam),
+  domainsInIam: many(domainsInIam)
+}));
+var sessionsInIamRelations = relations(sessionsInIam, ({ one }) => ({
+  tenantsInIam: one(tenantsInIam, {
+    fields: [sessionsInIam.tenantId],
+    references: [tenantsInIam.id]
+  }),
+  usersInIam: one(usersInIam, {
+    fields: [sessionsInIam.userId],
+    references: [usersInIam.id]
+  })
+}));
+var verificationsInIamRelations = relations(verificationsInIam, ({ one }) => ({
+  tenantsInIam: one(tenantsInIam, {
+    fields: [verificationsInIam.tenantId],
+    references: [tenantsInIam.id]
+  }),
+  usersInIam: one(usersInIam, {
+    fields: [verificationsInIam.userId],
+    references: [usersInIam.id]
+  })
+}));
+var accountChangesInIamRelations = relations(accountChangesInIam, ({ one }) => ({
+  tenantsInIam: one(tenantsInIam, {
+    fields: [accountChangesInIam.tenantId],
+    references: [tenantsInIam.id]
+  }),
+  usersInIam: one(usersInIam, {
+    fields: [accountChangesInIam.userId],
+    references: [usersInIam.id]
+  })
+}));
+var rolesInIamRelations = relations(rolesInIam, ({ one, many }) => ({
+  tenantsInIam: one(tenantsInIam, {
+    fields: [rolesInIam.tenantId],
+    references: [tenantsInIam.id]
+  }),
+  rolePermissionsInIam: many(rolePermissionsInIam),
+  userRolesInIam: many(userRolesInIam)
+}));
+var rolePermissionsInIamRelations = relations(rolePermissionsInIam, ({ one }) => ({
+  tenantsInIam: one(tenantsInIam, {
+    fields: [rolePermissionsInIam.tenantId],
+    references: [tenantsInIam.id]
+  }),
+  rolesInIam: one(rolesInIam, {
+    fields: [rolePermissionsInIam.roleId],
+    references: [rolesInIam.id]
+  }),
+  permissionsInIam: one(permissionsInIam, {
+    fields: [rolePermissionsInIam.permissionId],
+    references: [permissionsInIam.id]
+  })
+}));
+var permissionsInIamRelations = relations(permissionsInIam, ({ many }) => ({
+  rolePermissionsInIam: many(rolePermissionsInIam)
+}));
+var userRolesInIamRelations = relations(userRolesInIam, ({ one }) => ({
+  tenantsInIam: one(tenantsInIam, {
+    fields: [userRolesInIam.tenantId],
+    references: [tenantsInIam.id]
+  }),
+  usersInIam: one(usersInIam, {
+    fields: [userRolesInIam.userId],
+    references: [usersInIam.id]
+  }),
+  rolesInIam: one(rolesInIam, {
+    fields: [userRolesInIam.roleId],
+    references: [rolesInIam.id]
+  })
+}));
+var accountsInIamRelations = relations(accountsInIam, ({ one }) => ({
+  tenantsInIam: one(tenantsInIam, {
+    fields: [accountsInIam.tenantId],
+    references: [tenantsInIam.id]
+  }),
+  usersInIam: one(usersInIam, {
+    fields: [accountsInIam.userId],
+    references: [usersInIam.id]
+  })
+}));
+var domainsInIamRelations = relations(domainsInIam, ({ one }) => ({
+  tenantsInIam: one(tenantsInIam, {
+    fields: [domainsInIam.tenantId],
+    references: [tenantsInIam.id]
+  })
+}));
+
+// src/db/index.ts
+var schemaConfig = { schema: { ...schema_exports, ...relations_exports } };
+var createDatabase = (connectionString) => {
+  const pool = new Pool({ connectionString });
+  return drizzle({ client: pool, ...schemaConfig });
+};
+
+// src/db/orm/iam/sessions/find-session-by-token.ts
+import { and, eq, gt } from "drizzle-orm";
+var findSessionByToken = (db, hashedToken) => {
+  return db.select({
+    id: sessionsInIam.id,
+    tenantId: sessionsInIam.tenantId,
+    userId: sessionsInIam.userId,
+    expiresAt: sessionsInIam.expiresAt,
+    createdAt: sessionsInIam.createdAt,
+    updatedAt: sessionsInIam.updatedAt,
+    userAgent: sessionsInIam.userAgent,
+    ip: sessionsInIam.ip
+  }).from(sessionsInIam).where(
+    and(
+      eq(sessionsInIam.token, hashedToken),
+      gt(sessionsInIam.expiresAt, (/* @__PURE__ */ new Date()).toISOString())
+    )
+  ).limit(1).then(([session]) => session || null);
+};
+
+// src/db/orm/iam/users/find-user-by-id.ts
+import { and as and2, eq as eq2 } from "drizzle-orm";
+var findUserById = (db, tenantId, userId) => {
+  return db.select({
+    id: usersInIam.id,
+    tenantId: usersInIam.tenantId,
+    fullName: usersInIam.fullName,
+    email: usersInIam.email,
+    phone: usersInIam.phone,
+    handle: usersInIam.handle,
+    image: usersInIam.image,
+    emailVerified: usersInIam.emailVerified,
+    phoneVerified: usersInIam.phoneVerified,
+    lastSignInAt: usersInIam.lastSignInAt
+  }).from(usersInIam).where(and2(eq2(usersInIam.id, userId), eq2(usersInIam.tenantId, tenantId))).limit(1).then(([user]) => user || null);
+};
+
+// src/handler.ts
+import { OpenAPIHono as OpenAPIHono2 } from "@hono/zod-openapi";
+import { getCookie as getCookie2 } from "hono/cookie";
+import { HTTPException as HTTPException11 } from "hono/http-exception";
+
+// src/lib/crypto.ts
+import { scrypt } from "@noble/hashes/scrypt.js";
+import { randomBytes } from "@noble/hashes/utils.js";
+var encoder = new TextEncoder();
+var toHex = (buffer) => {
+  return Array.from(
+    buffer,
+    (b) => b.toString(16).padStart(2, "0")
+  ).join("");
+};
+var hexToBytes = (hex) => {
+  const bytes = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < hex.length; i += 2) {
+    bytes[i / 2] = Number.parseInt(hex.slice(i, i + 2), 16);
+  }
+  return bytes;
+};
+var SCRYPT_KEYLEN = 64;
+var SCRYPT_COST = 16384;
+var SCRYPT_BLOCK_SIZE = 8;
+var SCRYPT_PARALLELISM = 1;
+var hashPassword = async (password) => {
+  const salt = randomBytes(16);
+  const saltHex = toHex(salt);
+  const passwordBytes = encoder.encode(password);
+  const derivedKey = await Promise.resolve(
+    scrypt(passwordBytes, salt, {
+      N: SCRYPT_COST,
+      r: SCRYPT_BLOCK_SIZE,
+      p: SCRYPT_PARALLELISM,
+      dkLen: SCRYPT_KEYLEN
+    })
+  );
+  return `${saltHex}:${toHex(derivedKey)}`;
+};
+var verifyPassword = async (password, hashed) => {
+  if (!hashed) {
+    return false;
+  }
+  const [saltHex, keyHex] = hashed.split(":");
+  if (!(saltHex && keyHex)) {
+    return false;
+  }
+  const salt = hexToBytes(saltHex);
+  const passwordBytes = encoder.encode(password);
+  const derivedKey = await Promise.resolve(
+    scrypt(passwordBytes, salt, {
+      N: SCRYPT_COST,
+      r: SCRYPT_BLOCK_SIZE,
+      p: SCRYPT_PARALLELISM,
+      dkLen: SCRYPT_KEYLEN
+    })
+  );
+  const derived = toHex(derivedKey);
+  if (derived.length !== keyHex.length) {
+    return false;
+  }
+  let result = 0;
+  for (let i = 0; i < derived.length; i++) {
+    result |= derived.charCodeAt(i) ^ keyHex.charCodeAt(i);
+  }
+  return result === 0;
+};
+var hashToken = async (token, secret) => {
+  const key = await crypto.subtle.importKey(
+    "raw",
+    encoder.encode(secret),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+  const signature = await crypto.subtle.sign(
+    "HMAC",
+    key,
+    encoder.encode(token)
+  );
+  return toHex(new Uint8Array(signature));
+};
+
+// src/routes/auth.route.ts
+import { createRoute, OpenAPIHono } from "@hono/zod-openapi";
+import { z as z2 } from "zod";
+
+// src/routes/auth.schema.ts
+import { z } from "zod";
+var emailField = z.string().trim().email("Invalid email address").max(255, "Email too long");
+var phoneField = z.string().trim().min(6, "Phone too short").max(30, "Phone too long").regex(/^[+()\d\s-]+$/, "Invalid phone number format");
+var passwordField = z.string().min(8, "Password must be at least 8 characters").max(128, "Password too long");
+var userSchema = z.object({
+  id: z.string().uuid(),
+  tenantId: z.string(),
+  fullName: z.string(),
+  email: z.string().email().nullable(),
+  phone: z.string().nullable(),
+  handle: z.string(),
+  image: z.string().nullable(),
+  emailVerified: z.boolean(),
+  phoneVerified: z.boolean(),
+  lastSignInAt: z.string().datetime().nullable()
+});
+var sessionSchema = z.object({
+  id: z.string().uuid(),
+  expiresAt: z.string().datetime(),
+  createdAt: z.string().datetime().optional(),
+  userAgent: z.string().nullable().optional(),
+  ip: z.string().nullable().optional()
+});
+var authSuccessSchema = z.object({
+  user: userSchema,
+  session: sessionSchema,
+  sessionToken: z.string(),
+  sessionExpiresAt: z.string().datetime()
+});
+var messageSchema = z.object({
+  message: z.string()
+});
+var errorResponseSchema = z.object({
+  error: z.string().describe("Error message"),
+  code: z.string().optional().describe("Error code"),
+  details: z.record(z.string(), z.any()).optional()
+});
+var signUpSchema = z.object({
+  email: emailField.optional(),
+  phone: phoneField.optional(),
+  password: passwordField,
+  fullName: z.string().min(2),
+  handle: z.string().optional(),
+  image: z.string().url().optional()
+}).refine((data) => data.email || data.phone, {
+  message: "Either email or phone is required",
+  path: ["email"]
+});
+var signInSchema = z.object({
+  identifier: z.string(),
+  password: passwordField
+});
+var signUpResponseSchema = authSuccessSchema.extend({
+  verificationId: z.string().uuid().optional(),
+  requiresVerification: z.boolean().optional(),
+  debugCode: z.string().optional()
+});
+var signInResponseSchema = authSuccessSchema.extend({
+  verificationId: z.string().uuid().optional(),
+  requiresVerification: z.boolean().optional()
+});
+var emailVerificationRequestSchema = z.object({
+  email: emailField.optional()
+});
+var emailVerificationConfirmSchema = z.object({
+  verificationId: z.string().uuid(),
+  code: z.string().length(6)
+});
+var phoneVerificationRequestSchema = z.object({
+  phone: phoneField,
+  context: z.enum(["sign-up", "sign-in", "change-phone"])
+});
+var phoneVerificationConfirmSchema = z.object({
+  verificationId: z.string().uuid(),
+  code: z.string(),
+  context: z.enum(["sign-up", "sign-in", "change-phone"])
+});
+var forgotPasswordSchema = z.object({
+  identifier: z.string()
+});
+var resetPasswordSchema = z.object({
+  verificationId: z.string().uuid(),
+  code: z.string(),
+  password: passwordField
+});
+var changePasswordSchema = z.object({
+  currentPassword: passwordField,
+  newPassword: passwordField
+});
+var messageWithVerificationIdSchema = messageSchema.extend({
+  verificationId: z.string().uuid().optional()
+});
+var checkUserSchema = z.object({
+  identifier: z.string()
+});
+var checkUserResponseSchema = z.object({
+  exists: z.boolean()
+});
+
+// src/db/orm/iam/users/find-user-by-email.ts
+import { and as and3, eq as eq3, sql as sql2 } from "drizzle-orm";
+var findUserByEmail = (db, tenantId, email) => {
+  return db.select({
+    id: usersInIam.id,
+    tenantId: usersInIam.tenantId,
+    fullName: usersInIam.fullName,
+    email: usersInIam.email,
+    phone: usersInIam.phone,
+    handle: usersInIam.handle,
+    image: usersInIam.image,
+    emailVerified: usersInIam.emailVerified,
+    phoneVerified: usersInIam.phoneVerified,
+    lastSignInAt: usersInIam.lastSignInAt
+  }).from(usersInIam).where(
+    and3(
+      eq3(usersInIam.tenantId, tenantId),
+      sql2`lower(${usersInIam.email}) = lower(${email})`
+    )
+  ).limit(1).then(([user]) => user || null);
+};
+
+// src/db/orm/iam/users/find-user-by-phone.ts
+import { and as and4, eq as eq4 } from "drizzle-orm";
+var findUserByPhone = (db, tenantId, phone) => {
+  return db.select({
+    id: usersInIam.id,
+    tenantId: usersInIam.tenantId,
+    fullName: usersInIam.fullName,
+    email: usersInIam.email,
+    phone: usersInIam.phone,
+    handle: usersInIam.handle,
+    image: usersInIam.image,
+    emailVerified: usersInIam.emailVerified,
+    phoneVerified: usersInIam.phoneVerified,
+    lastSignInAt: usersInIam.lastSignInAt
+  }).from(usersInIam).where(and4(eq4(usersInIam.tenantId, tenantId), eq4(usersInIam.phone, phone))).limit(1).then(([user]) => user || null);
+};
+
+// src/db/orm/iam/users/find-user-by-identifier.ts
+var findUserByIdentifier = async (db, tenantId, identifier) => {
+  const isEmail = identifier.includes("@");
+  if (isEmail) {
+    const user2 = await findUserByEmail(db, tenantId, identifier);
+    return { user: user2, type: "email" };
+  }
+  const user = await findUserByPhone(db, tenantId, identifier);
+  return { user, type: "phone" };
+};
+
+// src/lib/tenant.ts
+import { HTTPException } from "hono/http-exception";
+var ensureTenantId = (config, tenantId) => {
+  if (config.enableTenant) {
+    if (!tenantId) {
+      throw new HTTPException(400, {
+        message: "Missing tenantId. Tenant isolation is enabled."
+      });
+    }
+    return tenantId;
+  }
+  if (!config.tenantId) {
+    throw new HTTPException(500, {
+      message: "tenantId must be provided in config when enableTenant is false."
+    });
+  }
+  return config.tenantId;
+};
+
+// src/routes/handler/check-user.ts
+var checkUserHandler = async (c) => {
+  const body = c.req.valid("json");
+  const { config, database, tenantId } = c.var;
+  const resolvedTenantId = ensureTenantId(config, tenantId);
+  const { identifier } = body;
+  const lookup = await findUserByIdentifier(
+    database,
+    resolvedTenantId,
+    identifier
+  );
+  return c.json({ exists: !!lookup.user });
+};
+
+// src/routes/handler/email-verification-confirm.ts
+import { setCookie } from "hono/cookie";
+import { HTTPException as HTTPException2 } from "hono/http-exception";
+
+// src/db/orm/iam/sessions/insert-session.ts
+var insertSession = (db, data) => {
+  return db.insert(sessionsInIam).values({
+    tenantId: data.tenantId,
+    userId: data.userId,
+    token: data.token,
+    expiresAt: data.expiresAt,
+    userAgent: data.userAgent || null,
+    ip: data.ip || null,
+    meta: data.meta || null
+  }).returning({
+    id: sessionsInIam.id,
+    tenantId: sessionsInIam.tenantId,
+    userId: sessionsInIam.userId,
+    expiresAt: sessionsInIam.expiresAt,
+    createdAt: sessionsInIam.createdAt,
+    updatedAt: sessionsInIam.updatedAt,
+    userAgent: sessionsInIam.userAgent,
+    ip: sessionsInIam.ip
+  }).then(([session]) => session);
+};
+
+// src/db/orm/iam/users/update-user-verified.ts
+import { and as and5, eq as eq5 } from "drizzle-orm";
+var updateUserVerified = (db, tenantId, userId, type) => {
+  return db.update(usersInIam).set({
+    [type === "email" ? "emailVerified" : "phoneVerified"]: true,
+    lastSignInAt: (/* @__PURE__ */ new Date()).toISOString()
+  }).where(and5(eq5(usersInIam.id, userId), eq5(usersInIam.tenantId, tenantId)));
+};
+
+// src/db/orm/iam/verifications/consume-verification.ts
+import { eq as eq6 } from "drizzle-orm";
+var consumeVerification = (db, verificationId) => {
+  return db.delete(verificationsInIam).where(eq6(verificationsInIam.id, verificationId));
+};
+
+// src/db/orm/iam/verifications/find-verification-by-id.ts
+import { eq as eq7 } from "drizzle-orm";
+var findVerificationById = (db, verificationId) => {
+  return db.select({
+    id: verificationsInIam.id,
+    tenantId: verificationsInIam.tenantId,
+    userId: verificationsInIam.userId,
+    type: verificationsInIam.type,
+    code: verificationsInIam.code,
+    to: verificationsInIam.to,
+    expiresAt: verificationsInIam.expiresAt,
+    createdAt: verificationsInIam.createdAt,
+    attempt: verificationsInIam.attempt
+  }).from(verificationsInIam).where(eq7(verificationsInIam.id, verificationId)).limit(1).then(([verification]) => verification || null);
+};
+
+// src/db/orm/iam/verifications/update-verification-attempt.ts
+import { eq as eq8 } from "drizzle-orm";
+var updateVerificationAttempt = async (db, verificationId) => {
+  const verification = await findVerificationById(db, verificationId);
+  if (!verification) {
+    return;
+  }
+  await db.update(verificationsInIam).set({ attempt: (verification.attempt || 0) + 1 }).where(eq8(verificationsInIam.id, verificationId));
+};
+
+// src/errors.ts
+var AUTH_ERRORS = {
+  USER_NOT_FOUND: "USER_NOT_FOUND",
+  INVALID_PASSWORD: "INVALID_PASSWORD",
+  USER_EXISTS: "USER_EXISTS",
+  VERIFICATION_EXPIRED: "VERIFICATION_EXPIRED",
+  VERIFICATION_MISMATCH: "VERIFICATION_MISMATCH",
+  VERIFICATION_NOT_FOUND: "VERIFICATION_NOT_FOUND",
+  TOO_MANY_ATTEMPTS: "TOO_MANY_ATTEMPTS",
+  REQUIRES_VERIFICATION: "REQUIRES_VERIFICATION",
+  UNAUTHORIZED: "UNAUTHORIZED",
+  ACCESS_DENIED: "ACCESS_DENIED",
+  HAS_NO_PASSWORD: "HAS_NO_PASSWORD"
+};
+
+// src/lib/session.ts
+import { dayjs } from "@mesob/common";
+var generateHandle = (seed) => {
+  const base = seed?.replace(/[^a-zA-Z0-9]/g, "").toLowerCase() || `user${Math.random().toString(36).slice(2, 8)}`;
+  return `${base}-${Math.random().toString(36).slice(2, 6)}`;
+};
+var parseDuration = (duration) => {
+  const match = duration.match(/^(\d+)([smhd])$/);
+  if (!match) {
+    throw new Error(`Invalid duration format: ${duration}`);
+  }
+  const value = Number.parseInt(match[1], 10);
+  const unit = match[2];
+  const multipliers = {
+    s: 1,
+    m: 60,
+    h: 3600,
+    d: 86400
+  };
+  return value * (multipliers[unit] || 1);
+};
+var addDuration = (duration) => {
+  const seconds = parseDuration(duration);
+  return dayjs().add(seconds, "second").toISOString();
+};
+var generateOtpCode = (length = 6) => {
+  const digits = "0123456789";
+  let code = "";
+  for (let i = 0; i < length; i++) {
+    code += digits[Math.floor(Math.random() * digits.length)];
+  }
+  return code;
+};
+
+// src/routes/handler/email-verification-confirm.ts
+var emailVerificationConfirmHandler = async (c) => {
+  const body = c.req.valid("json");
+  const { config, database, tenantId } = c.var;
+  const resolvedTenantId = ensureTenantId(config, tenantId);
+  const { verificationId, code } = body;
+  const verification = await findVerificationById(database, verificationId);
+  if (!verification) {
+    throw new HTTPException2(400, {
+      message: AUTH_ERRORS.VERIFICATION_NOT_FOUND
+    });
+  }
+  if (new Date(verification.expiresAt) < /* @__PURE__ */ new Date()) {
+    throw new HTTPException2(400, {
+      message: AUTH_ERRORS.VERIFICATION_EXPIRED
+    });
+  }
+  const hashedCode = await hashToken(code, config.secret);
+  if (verification.code !== hashedCode) {
+    await updateVerificationAttempt(database, verificationId);
+    throw new HTTPException2(400, {
+      message: AUTH_ERRORS.VERIFICATION_MISMATCH
+    });
+  }
+  await updateUserVerified(
+    database,
+    resolvedTenantId,
+    verification.userId,
+    "email"
+  );
+  await consumeVerification(database, verificationId);
+  const user = await findUserById(
+    database,
+    resolvedTenantId,
+    verification.userId
+  );
+  if (!user) {
+    throw new HTTPException2(500, { message: "User not found" });
+  }
+  const sessionToken = crypto.randomUUID();
+  const hashedToken = await hashToken(sessionToken, config.secret);
+  const expiresAt = addDuration(config.session.expiresIn);
+  const session = await insertSession(database, {
+    tenantId: resolvedTenantId,
+    userId: user.id,
+    token: hashedToken,
+    expiresAt,
+    userAgent: c.req.header("user-agent") || null,
+    ip: c.req.header("cf-connecting-ip") || c.req.header("x-forwarded-for") || null,
+    meta: { action: "email-verification" }
+  });
+  setCookie(c, "session_token", sessionToken, {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === "production",
+    sameSite: "Lax",
+    path: "/",
+    expires: new Date(expiresAt)
+  });
+  return c.json({
+    user,
+    session: {
+      id: session.id,
+      expiresAt: session.expiresAt,
+      createdAt: session.createdAt,
+      userAgent: session.userAgent,
+      ip: session.ip
+    },
+    sessionToken,
+    sessionExpiresAt: session.expiresAt
+  });
+};
+
+// src/routes/handler/email-verification-request.ts
+import { HTTPException as HTTPException3 } from "hono/http-exception";
+
+// src/db/orm/iam/verifications/delete-verifications-by-user-and-type.ts
+import { and as and6, eq as eq9 } from "drizzle-orm";
+var deleteVerificationsByUserAndType = (db, tenantId, userId, type) => {
+  return db.delete(verificationsInIam).where(
+    and6(
+      eq9(verificationsInIam.tenantId, tenantId),
+      eq9(verificationsInIam.userId, userId),
+      eq9(verificationsInIam.type, type)
+    )
+  );
+};
+
+// src/db/orm/iam/verifications/insert-verification.ts
+var insertVerification = async (db, data) => {
+  return await db.insert(verificationsInIam).values({
+    tenantId: data.tenantId,
+    userId: data.userId,
+    type: data.type,
+    code: data.code,
+    expiresAt: data.expiresAt,
+    to: data.to || null,
+    attempt: 0
+  }).returning({
+    id: verificationsInIam.id,
+    tenantId: verificationsInIam.tenantId,
+    userId: verificationsInIam.userId,
+    type: verificationsInIam.type,
+    code: verificationsInIam.code,
+    to: verificationsInIam.to,
+    expiresAt: verificationsInIam.expiresAt,
+    createdAt: verificationsInIam.createdAt,
+    attempt: verificationsInIam.attempt
+  }).then(([verification]) => verification);
+};
+
+// src/lib/send-email.ts
+import { Resend } from "resend";
+var SendEmail = async ({
+  key,
+  provider,
+  to,
+  subject,
+  html,
+  text: text2,
+  from
+}) => {
+  switch (provider) {
+    case "resend":
+      return await sendEmailWithResend(key, to, subject, html, text2, from);
+    default:
+      throw new Error(`Unsupported email provider: ${provider}`);
+  }
+};
+var sendEmailWithResend = async (key, to, subject, html, text2, from) => {
+  const resend = new Resend(key);
+  return await resend.emails.send({
+    from,
+    to,
+    subject,
+    html,
+    text: text2
+  });
+};
+
+// src/providers/resend-email.ts
+var ResendEmailProvider = class {
+  config;
+  constructor(config) {
+    this.config = config;
+  }
+  async sendVerificationEmail(email, code, tenantName) {
+    const subject = this.config.verificationSubject || `Verify your email${tenantName ? ` for ${tenantName}` : ""}`;
+    const verificationPath = this.config.verificationPath || "/verify-email";
+    const verificationUrl = `${this.config.frontendBaseUrl}${verificationPath}?token=${code}`;
+    const html = `
+      <!DOCTYPE html>
+      <html>
+        <head>
+          <meta charset="utf-8">
+          <meta name="viewport" content="width=device-width, initial-scale=1.0">
+          <title>${subject}</title>
+        </head>
+        <body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333;">
+          <div style="max-width: 600px; margin: 0 auto; padding: 20px;">
+            <h1 style="color: #2563eb;">Verify Your Email</h1>
+            <p>Your verification code is:</p>
+            <div style="background: #f3f4f6; padding: 20px; text-align: center; font-size: 32px; font-weight: bold; letter-spacing: 8px; margin: 20px 0;">
+              ${code}
+            </div>
+            <p>Or click the link below:</p>
+            <p>
+              <a href="${verificationUrl}" style="background: #2563eb; color: white; padding: 12px 24px; text-decoration: none; border-radius: 6px; display: inline-block;">
+                Verify Email
+              </a>
+            </p>
+            <p style="color: #6b7280; font-size: 14px; margin-top: 30px;">
+              This code will expire in 1 hour. If you didn't request this, please ignore this email.
+            </p>
+          </div>
+        </body>
+      </html>
+    `;
+    const text2 = `Your verification code is: ${code}
+
+Or visit: ${verificationUrl}
+
+This code will expire in 1 hour.`;
+    await this.sendEmail({
+      to: [email],
+      subject,
+      html,
+      text: text2
+    });
+  }
+  async sendPasswordResetEmail(email, code, tenantName) {
+    const subject = this.config.resetPasswordSubject || `Reset your password${tenantName ? ` for ${tenantName}` : ""}`;
+    const resetPath = this.config.resetPasswordPath || "/reset-password";
+    const resetUrl = `${this.config.frontendBaseUrl}${resetPath}?token=${code}`;
+    const html = `
+      <!DOCTYPE html>
+      <html>
+        <head>
+          <meta charset="utf-8">
+          <meta name="viewport" content="width=device-width, initial-scale=1.0">
+          <title>${subject}</title>
+        </head>
+        <body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333;">
+          <div style="max-width: 600px; margin: 0 auto; padding: 20px;">
+            <h1 style="color: #2563eb;">Reset Your Password</h1>
+            <p>Your password reset code is:</p>
+            <div style="background: #f3f4f6; padding: 20px; text-align: center; font-size: 32px; font-weight: bold; letter-spacing: 8px; margin: 20px 0;">
+              ${code}
+            </div>
+            <p>Or click the link below:</p>
+            <p>
+              <a href="${resetUrl}" style="background: #2563eb; color: white; padding: 12px 24px; text-decoration: none; border-radius: 6px; display: inline-block;">
+                Reset Password
+              </a>
+            </p>
+            <p style="color: #6b7280; font-size: 14px; margin-top: 30px;">
+              This code will expire in 1 hour. If you didn't request this, please ignore this email.
+            </p>
+          </div>
+        </body>
+      </html>
+    `;
+    const text2 = `Your password reset code is: ${code}
+
+Or visit: ${resetUrl}
+
+This code will expire in 1 hour.`;
+    await this.sendEmail({
+      to: [email],
+      subject,
+      html,
+      text: text2
+    });
+  }
+  async sendEmail(data) {
+    const res = await SendEmail({
+      key: this.config.apiKey,
+      provider: "resend",
+      to: data.to,
+      subject: data.subject,
+      html: data.html,
+      text: data.text,
+      from: this.config.from
+    });
+    if (res.error) {
+      throw new Error(res.error.message);
+    }
+  }
+};
+
+// src/routes/handler/email-verification-request.ts
+var emailVerificationRequestHandler = async (c) => {
+  const body = c.req.valid("json");
+  const { config, database, tenantId, user } = c.var;
+  const resolvedTenantId = ensureTenantId(config, tenantId);
+  const email = body.email || user?.email;
+  if (!email) {
+    throw new HTTPException3(400, { message: "Email required" });
+  }
+  let userId = user?.id;
+  if (!userId) {
+    const lookup = await findUserByIdentifier(
+      database,
+      resolvedTenantId,
+      email
+    );
+    if (!lookup.user) {
+      throw new HTTPException3(404, { message: AUTH_ERRORS.USER_NOT_FOUND });
+    }
+    userId = lookup.user.id;
+  }
+  await deleteVerificationsByUserAndType(
+    database,
+    resolvedTenantId,
+    userId,
+    "email-verification"
+  );
+  const code = generateOtpCode(6);
+  const hashedCode = await hashToken(code, config.secret);
+  const expiresAt = addDuration(config.email.verificationExpiresIn);
+  const verification = await insertVerification(database, {
+    tenantId: resolvedTenantId,
+    userId,
+    type: "email-verification",
+    code: hashedCode,
+    expiresAt,
+    to: email
+  });
+  const emailProvider = new ResendEmailProvider(config.email.resend);
+  await emailProvider.sendVerificationEmail(email, code);
+  return c.json({ verificationId: verification.id });
+};
+
+// src/routes/handler/me.ts
+import { HTTPException as HTTPException4 } from "hono/http-exception";
+var meHandler = (c) => {
+  const { user } = c.var;
+  if (!user) {
+    throw new HTTPException4(401, { message: "Unauthorized" });
+  }
+  return c.json({ user });
+};
+
+// src/routes/handler/password-change.ts
+import { HTTPException as HTTPException5 } from "hono/http-exception";
+
+// src/db/orm/iam/accounts/find-account-by-provider.ts
+import { and as and7, eq as eq10 } from "drizzle-orm";
+var findAccountByProvider = (db, tenantId, userId, provider) => {
+  return db.select({
+    id: accountsInIam.id,
+    tenantId: accountsInIam.tenantId,
+    userId: accountsInIam.userId,
+    provider: accountsInIam.provider,
+    providerAccountId: accountsInIam.providerAccountId,
+    password: accountsInIam.password
+  }).from(accountsInIam).where(
+    and7(
+      eq10(accountsInIam.tenantId, tenantId),
+      eq10(accountsInIam.userId, userId),
+      eq10(accountsInIam.provider, provider)
+    )
+  ).limit(1).then(([account]) => account || null);
+};
+
+// src/db/orm/iam/accounts/update-account-password.ts
+import { and as and8, eq as eq11 } from "drizzle-orm";
+var updateAccountPassword = (db, tenantId, userId, password) => {
+  return db.update(accountsInIam).set({ password }).where(
+    and8(
+      eq11(accountsInIam.tenantId, tenantId),
+      eq11(accountsInIam.userId, userId),
+      eq11(accountsInIam.provider, "credentials")
+    )
+  );
+};
+
+// src/db/orm/iam/sessions/delete-session-by-id.ts
+import { eq as eq12 } from "drizzle-orm";
+var deleteSessionById = (db, sessionId) => {
+  return db.delete(sessionsInIam).where(eq12(sessionsInIam.id, sessionId));
+};
+
+// src/db/orm/iam/sessions/list-sessions-for-user.ts
+import { and as and9, asc, eq as eq13, gt as gt2 } from "drizzle-orm";
+var listSessionsForUser = (db, tenantId, userId) => {
+  return db.select({
+    id: sessionsInIam.id,
+    tenantId: sessionsInIam.tenantId,
+    userId: sessionsInIam.userId,
+    expiresAt: sessionsInIam.expiresAt,
+    createdAt: sessionsInIam.createdAt,
+    updatedAt: sessionsInIam.updatedAt,
+    userAgent: sessionsInIam.userAgent,
+    ip: sessionsInIam.ip
+  }).from(sessionsInIam).where(
+    and9(
+      eq13(sessionsInIam.tenantId, tenantId),
+      eq13(sessionsInIam.userId, userId),
+      gt2(sessionsInIam.expiresAt, (/* @__PURE__ */ new Date()).toISOString())
+    )
+  ).orderBy(asc(sessionsInIam.createdAt)).then((sessions) => sessions);
+};
+
+// src/routes/handler/password-change.ts
+var changePasswordHandler = async (c) => {
+  const body = c.req.valid("json");
+  const { config, database, tenantId, userId, user } = c.var;
+  if (!userId) {
+    throw new HTTPException5(401, { message: AUTH_ERRORS.UNAUTHORIZED });
+  }
+  if (!user) {
+    throw new HTTPException5(401, { message: AUTH_ERRORS.UNAUTHORIZED });
+  }
+  const resolvedTenantId = ensureTenantId(config, tenantId);
+  const { currentPassword, newPassword } = body;
+  const account = await findAccountByProvider(
+    database,
+    resolvedTenantId,
+    userId,
+    "credentials"
+  );
+  if (!account?.password) {
+    throw new HTTPException5(401, { message: AUTH_ERRORS.HAS_NO_PASSWORD });
+  }
+  const passwordValid = await verifyPassword(currentPassword, account.password);
+  if (!passwordValid) {
+    throw new HTTPException5(401, { message: AUTH_ERRORS.INVALID_PASSWORD });
+  }
+  const passwordHash = await hashPassword(newPassword);
+  await updateAccountPassword(database, resolvedTenantId, userId, passwordHash);
+  const sessions = await listSessionsForUser(
+    database,
+    resolvedTenantId,
+    userId
+  );
+  const currentSessionToken = c.req.cookie("session_token");
+  if (currentSessionToken) {
+    const hashedToken = await hashToken(currentSessionToken, config.secret);
+    const currentSession = await findSessionByToken(database, hashedToken);
+    if (currentSession) {
+      for (const session of sessions) {
+        if (session.id !== currentSession.id) {
+          await deleteSessionById(database, session.id);
+        }
+      }
+    }
+  }
+  return c.json({ message: "Password updated" });
+};
+
+// src/providers/afro-sms.ts
+var AfroSmsProvider = class {
+  config;
+  constructor(config) {
+    this.config = config;
+  }
+  async sendVerificationSms(phone, code) {
+    const template = this.config.templateVerification || "Your verification code is {{code}}";
+    const message = template.replace("{{code}}", code);
+    const sms = {
+      to: phone,
+      message
+    };
+    await this.sendSms(this.config, sms);
+  }
+  async sendLoginSms(phone, code) {
+    const template = this.config.templateLogin || "Your login code is {{code}}";
+    const message = template.replace("{{code}}", code);
+    const sms = {
+      to: phone,
+      message
+    };
+    await this.sendSms(this.config, sms);
+  }
+  async sendSms(config, sms) {
+    const baseUrl = `${config.baseUrl}/send`;
+    const identifierId = config?.identifierId;
+    const senderName = config?.senderName;
+    const key = config?.apiKey;
+    if (!(baseUrl && identifierId && senderName && key)) {
+      throw new Error("SMS configuration is not set");
+    }
+    const myHeaders = new Headers();
+    myHeaders.append("Authorization", `Bearer ${key}`);
+    myHeaders.append("Content-Type", "application/json");
+    const sendSMS = {
+      from: identifierId,
+      sender: "",
+      to: sms.to,
+      message: sms.message,
+      callback: sms?.callback
+    };
+    const requestOptions = {
+      method: "POST",
+      headers: myHeaders,
+      body: JSON.stringify(sendSMS)
+    };
+    const response = await fetch(baseUrl, requestOptions);
+    if (!response.ok) {
+      throw new Error(`Failed to send SMS: ${response.statusText}`);
+    }
+    return response;
+  }
+};
+
+// src/routes/handler/password-forgot.ts
+var forgotPasswordHandler = async (c) => {
+  const body = c.req.valid("json");
+  const { config, database, tenantId } = c.var;
+  const resolvedTenantId = ensureTenantId(config, tenantId);
+  const { identifier } = body;
+  const lookup = await findUserByIdentifier(
+    database,
+    resolvedTenantId,
+    identifier
+  );
+  if (!lookup.user) {
+    return c.json({ message: "If account exists, reset code sent" });
+  }
+  const isEmail = lookup.type === "email";
+  let verificationId;
+  if (isEmail) {
+    const code = generateOtpCode(6);
+    const hashedCode = await hashToken(code, config.secret);
+    const expiresAt = addDuration(config.email.resetPasswordExpiresIn);
+    const verification = await insertVerification(database, {
+      tenantId: resolvedTenantId,
+      userId: lookup.user.id,
+      type: "password-reset",
+      code: hashedCode,
+      expiresAt,
+      to: lookup.user.email
+    });
+    verificationId = verification.id;
+    const emailProvider = new ResendEmailProvider(config.email.resend);
+    await emailProvider.sendPasswordResetEmail(lookup.user.email, code);
+  } else {
+    const code = generateOtpCode(config.phone.otpLength);
+    const hashedCode = await hashToken(code, config.secret);
+    const expiresAt = addDuration(config.phone.otpExpiresIn);
+    const verification = await insertVerification(database, {
+      tenantId: resolvedTenantId,
+      userId: lookup.user.id,
+      type: "password-reset-otp",
+      code: hashedCode,
+      expiresAt,
+      to: lookup.user.phone
+    });
+    verificationId = verification.id;
+    const smsProvider = new AfroSmsProvider(config.phone.smsConfig);
+    await smsProvider.sendVerificationSms(lookup.user.phone, code);
+  }
+  return c.json({
+    message: "If account exists, reset code sent",
+    verificationId
+  });
+};
+
+// src/routes/handler/password-reset.ts
+import { setCookie as setCookie2 } from "hono/cookie";
+import { HTTPException as HTTPException6 } from "hono/http-exception";
+var resetPasswordHandler = async (c) => {
+  const body = c.req.valid("json");
+  const { config, database, tenantId } = c.var;
+  const resolvedTenantId = ensureTenantId(config, tenantId);
+  const { verificationId, code, password } = body;
+  const verification = await findVerificationById(database, verificationId);
+  if (!verification) {
+    throw new HTTPException6(400, {
+      message: AUTH_ERRORS.VERIFICATION_NOT_FOUND
+    });
+  }
+  if (new Date(verification.expiresAt) < /* @__PURE__ */ new Date()) {
+    throw new HTTPException6(400, { message: AUTH_ERRORS.VERIFICATION_EXPIRED });
+  }
+  const hashedCode = await hashToken(code, config.secret);
+  if (verification.code !== hashedCode) {
+    await updateVerificationAttempt(database, verificationId);
+    throw new HTTPException6(400, {
+      message: AUTH_ERRORS.VERIFICATION_MISMATCH
+    });
+  }
+  const passwordHash = await hashPassword(password);
+  await updateAccountPassword(
+    database,
+    resolvedTenantId,
+    verification.userId,
+    passwordHash
+  );
+  const sessions = await listSessionsForUser(
+    database,
+    resolvedTenantId,
+    verification.userId
+  );
+  for (const session2 of sessions) {
+    await deleteSessionById(database, session2.id);
+  }
+  await consumeVerification(database, verificationId);
+  const sessionToken = crypto.randomUUID();
+  const hashedToken = await hashToken(sessionToken, config.secret);
+  const expiresAt = addDuration(config.session.expiresIn);
+  const session = await insertSession(database, {
+    tenantId: resolvedTenantId,
+    userId: verification.userId,
+    token: hashedToken,
+    expiresAt,
+    userAgent: c.req.header("user-agent") || null,
+    ip: c.req.header("cf-connecting-ip") || c.req.header("x-forwarded-for") || null,
+    meta: { action: "password-reset" }
+  });
+  const user = await findUserById(
+    database,
+    resolvedTenantId,
+    verification.userId
+  );
+  if (!user) {
+    throw new HTTPException6(500, { message: "User not found" });
+  }
+  setCookie2(c, "session_token", sessionToken, {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === "production",
+    sameSite: "Lax",
+    path: "/",
+    expires: new Date(expiresAt)
+  });
+  return c.json({
+    user,
+    session: {
+      id: session.id,
+      expiresAt: session.expiresAt,
+      createdAt: session.createdAt,
+      userAgent: session.userAgent,
+      ip: session.ip
+    },
+    sessionToken,
+    sessionExpiresAt: session.expiresAt
+  });
+};
+
+// src/routes/handler/phone-verification-confirm.ts
+import { setCookie as setCookie3 } from "hono/cookie";
+import { HTTPException as HTTPException7 } from "hono/http-exception";
+var phoneVerificationConfirmHandler = async (c) => {
+  const body = c.req.valid("json");
+  const { config, database, tenantId } = c.var;
+  const resolvedTenantId = ensureTenantId(config, tenantId);
+  const { verificationId, code, context } = body;
+  const verification = await findVerificationById(database, verificationId);
+  if (!verification) {
+    throw new HTTPException7(400, {
+      message: AUTH_ERRORS.VERIFICATION_NOT_FOUND
+    });
+  }
+  if (new Date(verification.expiresAt) < /* @__PURE__ */ new Date()) {
+    throw new HTTPException7(400, { message: AUTH_ERRORS.VERIFICATION_EXPIRED });
+  }
+  const hashedCode = await hashToken(code, config.secret);
+  if (verification.code !== hashedCode) {
+    await updateVerificationAttempt(database, verificationId);
+    throw new HTTPException7(400, {
+      message: AUTH_ERRORS.VERIFICATION_MISMATCH
+    });
+  }
+  await consumeVerification(database, verificationId);
+  if (context === "change-phone" && verification.userId) {
+    await updateUserVerified(
+      database,
+      resolvedTenantId,
+      verification.userId,
+      "phone"
+    );
+  } else if (context === "sign-in" && verification.userId) {
+    await updateUserVerified(
+      database,
+      resolvedTenantId,
+      verification.userId,
+      "phone"
+    );
+  } else if (context === "sign-up" && verification.userId) {
+    await updateUserVerified(
+      database,
+      resolvedTenantId,
+      verification.userId,
+      "phone"
+    );
+  }
+  const user = verification.userId ? await findUserById(database, resolvedTenantId, verification.userId) : null;
+  if (!user) {
+    throw new HTTPException7(500, { message: "User not found" });
+  }
+  if (context === "sign-in" || context === "change-phone" || context === "sign-up") {
+    const sessionToken = crypto.randomUUID();
+    const hashedToken = await hashToken(sessionToken, config.secret);
+    const expiresAt = addDuration(config.session.expiresIn);
+    const session = await insertSession(database, {
+      tenantId: resolvedTenantId,
+      userId: user.id,
+      token: hashedToken,
+      expiresAt,
+      userAgent: c.req.header("user-agent") || null,
+      ip: c.req.header("cf-connecting-ip") || c.req.header("x-forwarded-for") || null,
+      meta: {
+        action: context === "sign-up" ? "phone-verification-sign-up" : `phone-verification-${context}`
+      }
+    });
+    setCookie3(c, "session_token", sessionToken, {
+      httpOnly: true,
+      secure: process.env.NODE_ENV === "production",
+      sameSite: "Lax",
+      path: "/",
+      expires: new Date(expiresAt)
+    });
+    return c.json({
+      user,
+      session: {
+        id: session.id,
+        expiresAt: session.expiresAt,
+        createdAt: session.createdAt,
+        userAgent: session.userAgent,
+        ip: session.ip
+      },
+      sessionToken,
+      sessionExpiresAt: session.expiresAt
+    });
+  }
+  return c.json({
+    user: user || null,
+    session: null,
+    verified: true
+  });
+};
+
+// src/routes/handler/phone-verification-request.ts
+import { HTTPException as HTTPException8 } from "hono/http-exception";
+var phoneVerificationRequestHandler = async (c) => {
+  const body = c.req.valid("json");
+  const { config, database, tenantId, user } = c.var;
+  const resolvedTenantId = ensureTenantId(config, tenantId);
+  const { phone, context } = body;
+  if (!phone) {
+    throw new HTTPException8(400, { message: "Phone required" });
+  }
+  let userId = user?.id;
+  if (!userId) {
+    const lookup = await findUserByIdentifier(
+      database,
+      resolvedTenantId,
+      phone
+    );
+    if (!lookup.user) {
+      throw new HTTPException8(404, { message: AUTH_ERRORS.USER_NOT_FOUND });
+    }
+    userId = lookup.user.id;
+  }
+  if (!userId) {
+    throw new HTTPException8(404, { message: AUTH_ERRORS.USER_NOT_FOUND });
+  }
+  await deleteVerificationsByUserAndType(
+    database,
+    resolvedTenantId,
+    userId,
+    `phone-otp-${context}`
+  );
+  const code = generateOtpCode(config.phone.otpLength);
+  const hashedCode = await hashToken(code, config.secret);
+  const expiresAt = addDuration(config.phone.otpExpiresIn);
+  const verification = await insertVerification(database, {
+    tenantId: resolvedTenantId,
+    userId,
+    type: `phone-otp-${context}`,
+    code: hashedCode,
+    expiresAt,
+    to: phone
+  });
+  const smsProvider = new AfroSmsProvider(config.phone.smsConfig);
+  await smsProvider.sendVerificationSms(phone, code);
+  return c.json({ verificationId: verification.id });
+};
+
+// src/routes/handler/session.ts
+var sessionHandler = (c) => {
+  const { user, session } = c.var;
+  return c.json({
+    user: user || null,
+    session: session ? {
+      id: session.id,
+      expiresAt: session.expiresAt,
+      createdAt: session.createdAt,
+      userAgent: session.userAgent,
+      ip: session.ip
+    } : null
+  });
+};
+
+// src/routes/handler/sign-in.ts
+import { setCookie as setCookie4 } from "hono/cookie";
+import { HTTPException as HTTPException9 } from "hono/http-exception";
+
+// src/db/orm/iam/sessions/delete-oldest-sessions.ts
+var deleteOldestSessions = async (db, tenantId, userId, keepCount) => {
+  const sessions = await listSessionsForUser(db, tenantId, userId);
+  if (sessions.length <= keepCount) {
+    return;
+  }
+  const toDelete = sessions.slice(0, sessions.length - keepCount);
+  for (const session of toDelete) {
+    await deleteSessionById(db, session.id);
+  }
+};
+
+// src/db/orm/iam/users/update-last-sign-in.ts
+import { and as and10, eq as eq14 } from "drizzle-orm";
+var updateLastSignIn = (db, tenantId, userId) => {
+  return db.update(usersInIam).set({ lastSignInAt: (/* @__PURE__ */ new Date()).toISOString(), loginAttempt: 0 }).where(and10(eq14(usersInIam.id, userId), eq14(usersInIam.tenantId, tenantId)));
+};
+
+// src/routes/handler/sign-in.ts
+var signInHandler = async (c) => {
+  const body = c.req.valid("json");
+  const { config, database, tenantId } = c.var;
+  const resolvedTenantId = ensureTenantId(config, tenantId);
+  const { identifier, password } = body;
+  const lookup = await findUserByIdentifier(
+    database,
+    resolvedTenantId,
+    identifier
+  );
+  if (!lookup.user) {
+    throw new HTTPException9(401, { message: AUTH_ERRORS.USER_NOT_FOUND });
+  }
+  const account = await findAccountByProvider(
+    database,
+    resolvedTenantId,
+    lookup.user.id,
+    "credentials"
+  );
+  if (!account?.password) {
+    throw new HTTPException9(401, { message: AUTH_ERRORS.HAS_NO_PASSWORD });
+  }
+  const passwordValid = await verifyPassword(password, account.password);
+  if (!passwordValid) {
+    throw new HTTPException9(401, { message: AUTH_ERRORS.INVALID_PASSWORD });
+  }
+  const isEmail = lookup.type === "email";
+  const isVerified = isEmail ? lookup.user.emailVerified : lookup.user.phoneVerified;
+  if (isEmail && config.email.verificationRequired && !isVerified) {
+    const code = generateOtpCode(6);
+    const hashedCode = await hashToken(code, config.secret);
+    const expiresAt2 = addDuration(config.email.verificationExpiresIn);
+    const verification = await insertVerification(database, {
+      tenantId: resolvedTenantId,
+      userId: lookup.user.id,
+      type: "email-verification",
+      code: hashedCode,
+      expiresAt: expiresAt2,
+      to: lookup.user.email
+    });
+    const emailProvider = new ResendEmailProvider(config.email.resend);
+    await emailProvider.sendVerificationEmail(lookup.user.email, code);
+    return c.json({
+      verificationId: verification.id,
+      requiresVerification: true
+    });
+  }
+  if (!isEmail && config.phone.verificationRequired && !isVerified) {
+    const code = generateOtpCode(config.phone.otpLength);
+    const hashedCode = await hashToken(code, config.secret);
+    const expiresAt2 = addDuration(config.phone.otpExpiresIn);
+    const verification = await insertVerification(database, {
+      tenantId: resolvedTenantId,
+      userId: lookup.user.id,
+      type: "phone-otp",
+      code: hashedCode,
+      expiresAt: expiresAt2,
+      to: lookup.user.phone
+    });
+    const smsProvider = new AfroSmsProvider(config.phone.smsConfig);
+    await smsProvider.sendVerificationSms(lookup.user.phone, code);
+    return c.json({
+      verificationId: verification.id,
+      requiresVerification: true
+    });
+  }
+  if (config.session.maxPerUser) {
+    await deleteOldestSessions(
+      database,
+      resolvedTenantId,
+      lookup.user.id,
+      config.session.maxPerUser
+    );
+  }
+  await updateLastSignIn(database, resolvedTenantId, lookup.user.id);
+  const sessionToken = crypto.randomUUID();
+  const hashedToken = await hashToken(sessionToken, config.secret);
+  const expiresAt = addDuration(config.session.expiresIn);
+  const session = await insertSession(database, {
+    tenantId: resolvedTenantId,
+    userId: lookup.user.id,
+    token: hashedToken,
+    expiresAt,
+    userAgent: c.req.header("user-agent") || null,
+    ip: c.req.header("cf-connecting-ip") || c.req.header("x-forwarded-for") || null,
+    meta: { action: "sign-in" }
+  });
+  setCookie4(c, "session_token", sessionToken, {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === "production",
+    sameSite: "Lax",
+    path: "/",
+    expires: new Date(expiresAt)
+  });
+  return c.json({
+    user: lookup.user,
+    session: {
+      id: session.id,
+      expiresAt: session.expiresAt,
+      createdAt: session.createdAt,
+      userAgent: session.userAgent,
+      ip: session.ip
+    },
+    sessionToken,
+    sessionExpiresAt: session.expiresAt
+  });
+};
+
+// src/routes/handler/sign-out.ts
+import { deleteCookie, getCookie } from "hono/cookie";
+var signOutHandler = async (c) => {
+  const { config, database, tenantId } = c.var;
+  ensureTenantId(config, tenantId);
+  const sessionToken = getCookie(c, "session_token");
+  if (!sessionToken) {
+    return c.json({ message: "Signed out" });
+  }
+  const hashedToken = await hashToken(sessionToken, config.secret);
+  const session = await findSessionByToken(database, hashedToken);
+  if (session) {
+    await deleteSessionById(database, session.id);
+  }
+  deleteCookie(c, "session_token", {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === "production",
+    sameSite: "Lax",
+    path: "/",
+    expires: /* @__PURE__ */ new Date(0)
+  });
+  return c.json({ message: "Signed out" });
+};
+
+// src/routes/handler/sign-up.ts
+import { setCookie as setCookie5 } from "hono/cookie";
+import { HTTPException as HTTPException10 } from "hono/http-exception";
+
+// src/db/orm/iam/accounts/insert-credentials-account.ts
+var insertCredentialsAccount = (db, data) => {
+  return db.insert(accountsInIam).values({
+    tenantId: data.tenantId,
+    userId: data.userId,
+    provider: "credentials",
+    providerAccountId: data.providerAccountId,
+    password: data.password
+  });
+};
+
+// src/db/orm/iam/users/find-user-by-handle.ts
+import { and as and11, eq as eq15, sql as sql3 } from "drizzle-orm";
+var findUserByHandle = (db, tenantId, handle) => {
+  return db.select({
+    id: usersInIam.id,
+    tenantId: usersInIam.tenantId,
+    fullName: usersInIam.fullName,
+    email: usersInIam.email,
+    phone: usersInIam.phone,
+    handle: usersInIam.handle,
+    image: usersInIam.image,
+    emailVerified: usersInIam.emailVerified,
+    phoneVerified: usersInIam.phoneVerified,
+    lastSignInAt: usersInIam.lastSignInAt
+  }).from(usersInIam).where(
+    and11(
+      eq15(usersInIam.tenantId, tenantId),
+      sql3`lower(${usersInIam.handle}) = lower(${handle})`
+    )
+  ).limit(1).then(([user]) => user || null);
+};
+
+// src/db/orm/iam/users/insert-user.ts
+var insertUser = (db, data) => {
+  return db.insert(usersInIam).values({
+    tenantId: data.tenantId,
+    fullName: data.fullName,
+    handle: data.handle,
+    email: data.email || null,
+    phone: data.phone || null,
+    image: data.image || null,
+    emailVerified: Boolean(data.emailVerified),
+    phoneVerified: Boolean(data.phoneVerified)
+  }).returning({
+    id: usersInIam.id,
+    tenantId: usersInIam.tenantId,
+    fullName: usersInIam.fullName,
+    email: usersInIam.email,
+    phone: usersInIam.phone,
+    handle: usersInIam.handle,
+    image: usersInIam.image,
+    emailVerified: usersInIam.emailVerified,
+    phoneVerified: usersInIam.phoneVerified,
+    lastSignInAt: usersInIam.lastSignInAt
+  }).then(([user]) => user);
+};
+
+// src/routes/handler/sign-up.ts
+var signUpHandler = async (c) => {
+  const body = c.req.valid("json");
+  const { config, database, tenantId } = c.var;
+  const resolvedTenantId = ensureTenantId(config, tenantId);
+  const { email, phone, password, fullName, handle } = body;
+  if (!(email || phone)) {
+    throw new HTTPException10(400, {
+      message: "Either email or phone is required"
+    });
+  }
+  const identifier = email || phone;
+  const existing = await findUserByIdentifier(
+    database,
+    resolvedTenantId,
+    identifier
+  );
+  if (existing.user) {
+    throw new HTTPException10(409, { message: AUTH_ERRORS.USER_EXISTS });
+  }
+  const userHandle = handle || generateHandle(email || phone);
+  const existingHandle = await findUserByHandle(
+    database,
+    resolvedTenantId,
+    userHandle
+  );
+  if (existingHandle) {
+    throw new HTTPException10(409, { message: "Handle already taken" });
+  }
+  const user = await insertUser(database, {
+    tenantId: resolvedTenantId,
+    fullName,
+    handle: userHandle,
+    email: email || null,
+    phone: phone || null,
+    emailVerified: email ? !config.email.verificationRequired : false,
+    phoneVerified: phone ? !config.phone.verificationRequired : false
+  });
+  const passwordHash = await hashPassword(password);
+  await insertCredentialsAccount(database, {
+    tenantId: resolvedTenantId,
+    userId: user.id,
+    providerAccountId: identifier,
+    password: passwordHash
+  });
+  if (phone && config.phone.verificationRequired) {
+    const code = generateOtpCode(config.phone.otpLength);
+    const hashedCode = await hashToken(code, config.secret);
+    const expiresAt2 = addDuration(config.phone.otpExpiresIn);
+    const verification = await insertVerification(database, {
+      tenantId: resolvedTenantId,
+      userId: user.id,
+      type: "phone-otp-sign-up",
+      code: hashedCode,
+      expiresAt: expiresAt2,
+      to: phone
+    });
+    const smsProvider = new AfroSmsProvider(config.phone.smsConfig);
+    await smsProvider.sendVerificationSms(phone, code);
+    return c.json({
+      user: { id: user.id, phone },
+      session: null,
+      verificationId: verification.id,
+      requiresVerification: true
+    });
+  }
+  if (email && config.email.verificationRequired) {
+    const code = generateOtpCode(6);
+    const hashedCode = await hashToken(code, config.secret);
+    const expiresAt2 = addDuration(config.email.verificationExpiresIn);
+    const verification = await insertVerification(database, {
+      tenantId: resolvedTenantId,
+      userId: user.id,
+      type: "email-verification",
+      code: hashedCode,
+      expiresAt: expiresAt2,
+      to: email
+    });
+    const emailProvider = new ResendEmailProvider(config.email.resend);
+    await emailProvider.sendVerificationEmail(email, code);
+    return c.json({
+      user: { id: user.id, email },
+      session: null,
+      verificationId: verification.id,
+      requiresVerification: true
+    });
+  }
+  const sessionToken = crypto.randomUUID();
+  const hashedToken = await hashToken(sessionToken, config.secret);
+  const expiresAt = addDuration(config.session.expiresIn);
+  const session = await insertSession(database, {
+    tenantId: resolvedTenantId,
+    userId: user.id,
+    token: hashedToken,
+    expiresAt,
+    userAgent: c.req.header("user-agent") || null,
+    ip: c.req.header("cf-connecting-ip") || c.req.header("x-forwarded-for") || null,
+    meta: { action: "sign-up" }
+  });
+  setCookie5(c, "session_token", sessionToken, {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === "production",
+    sameSite: "Lax",
+    path: "/",
+    expires: new Date(expiresAt)
+  });
+  return c.json({
+    user,
+    session: {
+      id: session.id,
+      expiresAt: session.expiresAt,
+      createdAt: session.createdAt,
+      userAgent: session.userAgent,
+      ip: session.ip
+    },
+    sessionToken,
+    sessionExpiresAt: session.expiresAt
+  });
+};
+
+// src/routes/auth.route.ts
+var signUpRoute = createRoute({
+  method: "post",
+  path: "/sign-up",
+  tags: ["Auth"],
+  summary: "Sign up with email or phone",
+  request: {
+    body: {
+      content: {
+        "application/json": {
+          schema: signUpSchema
+        }
+      }
+    }
+  },
+  responses: {
+    201: {
+      content: {
+        "application/json": {
+          schema: signUpResponseSchema
+        }
+      },
+      description: "Account created"
+    },
+    409: {
+      content: {
+        "application/json": {
+          schema: errorResponseSchema
+        }
+      },
+      description: "User already exists"
+    }
+  }
+});
+var signInRoute = createRoute({
+  method: "post",
+  path: "/sign-in",
+  tags: ["Auth"],
+  summary: "Sign in with email or phone",
+  request: {
+    body: {
+      content: {
+        "application/json": {
+          schema: signInSchema
+        }
+      }
+    }
+  },
+  responses: {
+    200: {
+      content: {
+        "application/json": {
+          schema: signInResponseSchema
+        }
+      },
+      description: "Signed in"
+    },
+    401: {
+      content: {
+        "application/json": {
+          schema: errorResponseSchema
+        }
+      },
+      description: "Invalid credentials"
+    }
+  }
+});
+var checkUserRoute = createRoute({
+  method: "post",
+  path: "/check-user",
+  tags: ["Auth"],
+  summary: "Check if user exists",
+  request: {
+    body: {
+      content: {
+        "application/json": {
+          schema: checkUserSchema
+        }
+      }
+    }
+  },
+  responses: {
+    200: {
+      content: {
+        "application/json": {
+          schema: checkUserResponseSchema
+        }
+      },
+      description: "User check result"
+    }
+  }
+});
+var signOutRoute = createRoute({
+  method: "post",
+  path: "/sign-out",
+  tags: ["Auth"],
+  summary: "Sign out current session",
+  responses: {
+    200: {
+      content: { "application/json": { schema: messageSchema } },
+      description: "Signed out"
+    }
+  }
+});
+var meRoute = createRoute({
+  method: "get",
+  path: "/me",
+  tags: ["Auth"],
+  summary: "Get current user",
+  responses: {
+    200: {
+      content: {
+        "application/json": {
+          schema: z2.object({ user: userSchema })
+        }
+      },
+      description: "Current user"
+    }
+  }
+});
+var sessionRoute = createRoute({
+  method: "get",
+  path: "/session",
+  tags: ["Auth"],
+  summary: "Get current session",
+  responses: {
+    200: {
+      content: {
+        "application/json": {
+          schema: z2.object({
+            user: userSchema.nullable(),
+            session: z2.object({
+              id: z2.string().uuid(),
+              expiresAt: z2.string().datetime(),
+              createdAt: z2.string().datetime(),
+              userAgent: z2.string().nullable(),
+              ip: z2.string().nullable()
+            }).nullable()
+          })
+        }
+      },
+      description: "Current session"
+    }
+  }
+});
+var emailVerificationRequestRoute = createRoute({
+  method: "post",
+  path: "/email/verification/request",
+  tags: ["Email"],
+  summary: "Request email verification",
+  request: {
+    body: {
+      content: {
+        "application/json": {
+          schema: emailVerificationRequestSchema
+        }
+      }
+    }
+  },
+  responses: {
+    200: {
+      content: {
+        "application/json": {
+          schema: messageWithVerificationIdSchema
+        }
+      },
+      description: "Verification code sent"
+    }
+  }
+});
+var emailVerificationConfirmRoute = createRoute({
+  method: "post",
+  path: "/email/verification/confirm",
+  tags: ["Email"],
+  summary: "Confirm email verification",
+  request: {
+    body: {
+      content: {
+        "application/json": {
+          schema: emailVerificationConfirmSchema
+        }
+      }
+    }
+  },
+  responses: {
+    200: {
+      content: {
+        "application/json": {
+          schema: authSuccessSchema
+        }
+      },
+      description: "Email verified"
+    }
+  }
+});
+var phoneVerificationRequestRoute = createRoute({
+  method: "post",
+  path: "/phone/verification/request",
+  tags: ["Phone"],
+  summary: "Request phone OTP",
+  request: {
+    body: {
+      content: {
+        "application/json": {
+          schema: phoneVerificationRequestSchema
+        }
+      }
+    }
+  },
+  responses: {
+    200: {
+      content: {
+        "application/json": {
+          schema: messageWithVerificationIdSchema
+        }
+      },
+      description: "OTP sent"
+    }
+  }
+});
+var phoneVerificationConfirmRoute = createRoute({
+  method: "post",
+  path: "/phone/verification/confirm",
+  tags: ["Phone"],
+  summary: "Confirm phone OTP",
+  request: {
+    body: {
+      content: {
+        "application/json": {
+          schema: phoneVerificationConfirmSchema
+        }
+      }
+    }
+  },
+  responses: {
+    200: {
+      content: {
+        "application/json": {
+          schema: authSuccessSchema
+        }
+      },
+      description: "Phone verified"
+    }
+  }
+});
+var forgotPasswordRoute = createRoute({
+  method: "post",
+  path: "/password/forgot",
+  tags: ["Password"],
+  summary: "Request password reset",
+  request: {
+    body: {
+      content: {
+        "application/json": {
+          schema: forgotPasswordSchema
+        }
+      }
+    }
+  },
+  responses: {
+    200: {
+      content: {
+        "application/json": {
+          schema: messageWithVerificationIdSchema
+        }
+      },
+      description: "Reset code sent if account exists"
+    }
+  }
+});
+var resetPasswordRoute = createRoute({
+  method: "post",
+  path: "/password/reset",
+  tags: ["Password"],
+  summary: "Reset password",
+  request: {
+    body: {
+      content: {
+        "application/json": {
+          schema: resetPasswordSchema
+        }
+      }
+    }
+  },
+  responses: {
+    200: {
+      content: {
+        "application/json": {
+          schema: authSuccessSchema
+        }
+      },
+      description: "Password reset and new session"
+    }
+  }
+});
+var changePasswordRoute = createRoute({
+  method: "post",
+  path: "/password/change",
+  tags: ["Password"],
+  summary: "Change password",
+  request: {
+    body: {
+      content: {
+        "application/json": {
+          schema: changePasswordSchema
+        }
+      }
+    }
+  },
+  responses: {
+    200: {
+      content: { "application/json": { schema: messageSchema } },
+      description: "Password updated"
+    },
+    401: {
+      content: { "application/json": { schema: errorResponseSchema } },
+      description: "Invalid password"
+    }
+  }
+});
+var createAuthRoutes = () => {
+  const authRoutes = new OpenAPIHono().openapi(signUpRoute, signUpHandler).openapi(signInRoute, signInHandler).openapi(checkUserRoute, checkUserHandler).openapi(signOutRoute, signOutHandler).openapi(meRoute, meHandler).openapi(sessionRoute, sessionHandler).openapi(emailVerificationRequestRoute, emailVerificationRequestHandler).openapi(emailVerificationConfirmRoute, emailVerificationConfirmHandler).openapi(phoneVerificationRequestRoute, phoneVerificationRequestHandler).openapi(phoneVerificationConfirmRoute, phoneVerificationConfirmHandler).openapi(forgotPasswordRoute, forgotPasswordHandler).openapi(resetPasswordRoute, resetPasswordHandler).openapi(changePasswordRoute, changePasswordHandler);
+  return authRoutes;
+};
+
+// src/handler.ts
+var createAuthMiddleware = (config, database, getTenantId) => {
+  const enableTenant = config.enableTenant ?? true;
+  return async (c, next) => {
+    const sessionToken = getCookie2(c, "session_token") || void 0;
+    let tenantId = getTenantId(c);
+    if (enableTenant) {
+      if (!tenantId) {
+        throw new HTTPException11(400, {
+          message: "Missing tenantId. Tenant isolation is enabled."
+        });
+      }
+    } else {
+      tenantId = config.tenantId;
+      if (!tenantId) {
+        throw new HTTPException11(500, {
+          message: "tenantId must be provided in config when enableTenant is false."
+        });
+      }
+    }
+    c.set("config", config);
+    c.set("database", database);
+    c.set("tenantId", tenantId);
+    c.set("userId", void 0);
+    c.set("user", void 0);
+    c.set("session", void 0);
+    if (sessionToken) {
+      try {
+        const hashedToken = await hashToken(sessionToken, config.secret);
+        const session = await findSessionByToken(database, hashedToken);
+        if (session) {
+          const user = await findUserById(
+            database,
+            session.tenantId,
+            session.userId
+          );
+          if (user) {
+            c.set("tenantId", enableTenant ? session.tenantId : tenantId);
+            c.set("userId", user.id);
+            c.set("user", user);
+            c.set("session", session);
+          }
+        }
+      } catch {
+      }
+    }
+    await next();
+  };
+};
+var createAuthHandler = (config) => {
+  const app = new OpenAPIHono2();
+  const database = createDatabase(config.connectionString);
+  app.use(
+    "*",
+    createAuthMiddleware(
+      config,
+      database,
+      (c) => c.req.header("x-tenant-id") || config.tenantId
+    )
+  );
+  app.route("/", createAuthRoutes());
+  return app;
+};
+var createAuthRoutes2 = (config) => {
+  const app = new OpenAPIHono2();
+  const database = createDatabase(config.connectionString);
+  app.use(
+    "*",
+    createAuthMiddleware(
+      config,
+      database,
+      (c) => c.get("tenantId") || config.tenantId
+    )
+  );
+  app.route("/", createAuthRoutes());
+  return app;
+};
+
+// src/index.ts
+var jiretAuth = (config) => {
+  const handler = createAuthHandler(config);
+  const routes = createAuthRoutes2(config);
+  const database = createDatabase(config.connectionString);
+  const getSession = async (headers) => {
+    const cookieHeader = headers.get("cookie");
+    if (!cookieHeader) {
+      return { session: null, user: null, sessionToken: null };
+    }
+    const cookies = Object.fromEntries(
+      cookieHeader.split("; ").map((c) => {
+        const [key, ...rest] = c.split("=");
+        return [key, rest.join("=")];
+      })
+    );
+    const sessionToken = cookies.session_token;
+    if (!sessionToken) {
+      return { session: null, user: null, sessionToken: null };
+    }
+    try {
+      const hashedToken = await hashToken(sessionToken, config.secret);
+      const session = await findSessionByToken(database, hashedToken);
+      if (!session) {
+        return { session: null, user: null, sessionToken: null };
+      }
+      const user = await findUserById(
+        database,
+        session.tenantId,
+        session.userId
+      );
+      if (!user) {
+        return { session: null, user: null, sessionToken: null };
+      }
+      return { session, user, sessionToken };
+    } catch {
+      return { session: null, user: null, sessionToken: null };
+    }
+  };
+  return {
+    handler,
+    routes,
+    getSession
+  };
+};
+export {
+  jiretAuth
+};
+//# sourceMappingURL=index.js.map