@murumets-ee/auth 0.3.0 → 0.4.0

package/LICENSE

@@ -0,0 +1,94 @@
+Elastic License 2.0 (ELv2)
+
+URL: https://www.elastic.co/licensing/elastic-license
+
+## Acceptance
+
+By using the software, you agree to all of the terms and conditions below.
+
+## Copyright License
+
+The licensor grants you a non-exclusive, royalty-free, worldwide,
+non-sublicensable, non-transferable license to use, copy, distribute, make
+available, and prepare derivative works of the software, in each case subject
+to the limitations and conditions below.
+
+## Limitations
+
+You may not provide the software to third parties as a hosted or managed
+service, where the service provides users with access to any substantial set
+of the features or functionality of the software.
+
+You may not move, change, disable, or circumvent the license key functionality
+in the software, and you may not remove or obscure any functionality in the
+software that is protected by the license key.
+
+You may not alter, remove, or obscure any licensing, copyright, or other
+notices of the licensor in the software. Any use of the licensor's trademarks
+is subject to applicable law.
+
+## Patents
+
+The licensor grants you a license, under any patent claims the licensor can
+license, or becomes able to license, to make, have made, use, sell, offer for
+sale, import and have imported the software, in each case subject to the
+limitations and conditions in this license. This license does not cover any
+patent claims that you cause to be infringed by modifications or additions to
+the software. If you or your company make any written claim that the software
+infringes or contributes to infringement of any patent, your patent license
+for the software granted under these terms ends immediately. If your company
+makes such a claim, your patent license ends immediately for work on behalf
+of your company.
+
+## Notices
+
+You must ensure that anyone who gets a copy of any part of the software from
+you also gets a copy of these terms.
+
+If you modify the software, you must include in any modified copies of the
+software prominent notices stating that you have modified the software.
+
+## No Other Rights
+
+These terms do not imply any licenses other than those expressly granted in
+these terms.
+
+## Termination
+
+If you use the software in violation of these terms, such use is not licensed,
+and your licenses will automatically terminate. If the licensor provides you
+with a notice of your violation, and you cease all violation of this license
+no later than 30 days after you receive that notice, your licenses will be
+reinstated retroactively. However, if you violate these terms after such
+reinstatement, any additional violation of these terms will cause your
+licenses to terminate automatically and permanently.
+
+## No Liability
+
+As far as the law allows, the software comes as is, without any warranty or
+condition, and the licensor will not be liable to you for any damages arising
+out of these terms or the use or nature of the software, under any kind of
+legal claim.
+
+## Definitions
+
+The **licensor** is the entity offering these terms, and the **software** is
+the software the licensor makes available under these terms, including any
+portion of it.
+
+**you** refers to the individual or entity agreeing to these terms.
+
+**your company** is any legal entity, sole proprietorship, or other kind of
+organization that you work for, plus all organizations that have control over,
+are under the control of, or are under common control with that organization.
+**control** means ownership of substantially all the assets of an entity, or
+the power to direct the management and policies of an entity (for example, by
+voting right, contract, or otherwise). Control can be direct or indirect.
+
+**your licenses** are all the licenses granted to you for the software under
+these terms.
+
+**use** means anything you do with the software requiring one of your
+licenses.
+
+**trademark** means trademarks, service marks, and similar rights.

package/dist/client.d.mts

@@ -1,4 +1,4 @@
-import { t as AdminUser } from "./types-Dxs8Jhxs.mjs";
+import { t as AdminUser } from "./types-Dl_sE_9S.mjs";
 import { createAuthClient } from "better-auth/react";
 
 //#region src/client.d.ts

package/dist/index.d.mts

@@ -1,5 +1,5 @@
-import { n as AuthConfig, t as AdminUser } from "./types-Dxs8Jhxs.mjs";
-import { i as AuthAdminApi, n as getAuth, r as Auth, t as auth } from "./plugin-DlfYYNXb.mjs";
+import { n as AuthConfig, t as AdminUser } from "./types-Dl_sE_9S.mjs";
+import { a as AuthAdminApi, i as Auth, n as getAuth, r as isSignupEnabled, t as auth } from "./plugin-BY4sYim9.mjs";
 import { createAccessControl } from "better-auth/plugins/access";
 import * as _$better_auth_plugins0 from "better-auth/plugins";
 import { PermissionChecker, RequestContext } from "@murumets-ee/core";
@@ -101,5 +101,5 @@ declare function buildDefaultRoles(ac: ReturnType<typeof createAccessControl>, e
   };
 };
 //#endregion
-export { ACTIONS, ACTIONS_WITH_PUBLISH, type AdminUser, type Auth, type AuthAdminApi, type AuthConfig, BUILT_IN_ROLES, METHOD_TO_ACTION, auth, buildDefaultRoles, buildInitialRoleDefinitions, buildPermissionChecker, buildResourceCatalog, buildStatements, createAccessControl, getAuth, resolveAuthContext };
+export { ACTIONS, ACTIONS_WITH_PUBLISH, type AdminUser, type Auth, type AuthAdminApi, type AuthConfig, BUILT_IN_ROLES, METHOD_TO_ACTION, auth, buildDefaultRoles, buildInitialRoleDefinitions, buildPermissionChecker, buildResourceCatalog, buildStatements, createAccessControl, getAuth, isSignupEnabled, resolveAuthContext };
 //# sourceMappingURL=index.d.mts.map

package/dist/index.mjs

@@ -1,2 +1,2 @@
-import{a as e,c as t,i as n,l as r,n as i,o as a,r as o,s,t as c,u as l}from"./permissions-DREmJByu.mjs";import{auth as u,getAuth as d}from"./plugin.mjs";import"server-only";async function f(e,t){let n=await e.api.getSession({headers:t});return n?{user:{id:n.user.id,groups:[n.user.role??`viewer`],name:n.user.name??void 0,email:n.user.email??void 0},requestId:crypto.randomUUID()}:{requestId:crypto.randomUUID()}}export{c as ACTIONS,i as ACTIONS_WITH_PUBLISH,o as BUILT_IN_ROLES,n as METHOD_TO_ACTION,u as auth,e as buildDefaultRoles,a as buildInitialRoleDefinitions,s as buildPermissionChecker,t as buildResourceCatalog,r as buildStatements,l as createAccessControl,d as getAuth,f as resolveAuthContext};
+import{a as e,c as t,i as n,l as r,n as i,o as a,r as o,s,t as c,u as l}from"./permissions-DREmJByu.mjs";import{auth as u,getAuth as d,isSignupEnabled as f}from"./plugin.mjs";import"server-only";async function p(e,t){let n=await e.api.getSession({headers:t});return n?{user:{id:n.user.id,groups:[n.user.role??`viewer`],name:n.user.name??void 0,email:n.user.email??void 0},requestId:crypto.randomUUID()}:{requestId:crypto.randomUUID()}}export{c as ACTIONS,i as ACTIONS_WITH_PUBLISH,o as BUILT_IN_ROLES,n as METHOD_TO_ACTION,u as auth,e as buildDefaultRoles,a as buildInitialRoleDefinitions,s as buildPermissionChecker,t as buildResourceCatalog,r as buildStatements,l as createAccessControl,d as getAuth,f as isSignupEnabled,p as resolveAuthContext};
 //# sourceMappingURL=index.mjs.map

package/dist/index.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"index.mjs","names":[],"sources":["../src/context.ts"],"sourcesContent":["/**\n * Bridge between better-auth sessions and the toolkit's RequestContext.\n *\n * This is the critical integration point: it resolves a better-auth session\n * from request headers and returns a toolkit RequestContext that the entity\n * system's AdminClient, QueryClient, and auditable behavior can read.\n */\n\nimport type { RequestContext } from '@murumets-ee/core'\nimport type { Auth } from './server.js'\n\n/**\n * Resolve a better-auth session into a toolkit RequestContext.\n *\n * Call this from your Next.js middleware or server component to populate\n * the toolkit's AsyncLocalStorage context.\n *\n * @example\n * ```typescript\n * // middleware.ts (user writes this — documented copy-paste)\n * import { getAuth, resolveAuthContext } from '@murumets-ee/auth'\n * import { runWithContext } from '@murumets-ee/core'\n *\n * export async function middleware(request: NextRequest) {\n *   const auth = getAuth()\n *   const ctx = await resolveAuthContext(auth, request.headers)\n *   return runWithContext(ctx, () => NextResponse.next())\n * }\n * ```\n */\nexport async function resolveAuthContext(auth: Auth, headers: Headers): Promise<RequestContext> {\n  const session = await auth.api.getSession({ headers })\n\n  if (!session) {\n    return { requestId: crypto.randomUUID() }\n  }\n\n  return {\n    user: {\n      id: session.user.id,\n      // The admin plugin stores role on the user object\n      groups: [((session.user as Record<string, unknown>).role as string) ?? 'viewer'],\n      name: session.user.name ?? undefined,\n      email: session.user.email ?? undefined,\n    },\n    requestId: crypto.randomUUID(),\n  }\n}\n"],"mappings":"8KA8BA,eAAsB,EAAmB,EAAY,EAA2C,CAC9F,IAAM,EAAU,MAAM,EAAK,IAAI,WAAW,CAAE,UAAS,CAAC,CAMtD,OAJK,EAIE,CACL,KAAM,CACJ,GAAI,EAAQ,KAAK,GAEjB,OAAQ,CAAG,EAAQ,KAAiC,MAAmB,SAAS,CAChF,KAAM,EAAQ,KAAK,MAAQ,IAAA,GAC3B,MAAO,EAAQ,KAAK,OAAS,IAAA,GAC9B,CACD,UAAW,OAAO,YAAY,CAC/B,CAZQ,CAAE,UAAW,OAAO,YAAY,CAAE"}
+{"version":3,"file":"index.mjs","names":[],"sources":["../src/context.ts"],"sourcesContent":["/**\n * Bridge between better-auth sessions and the toolkit's RequestContext.\n *\n * This is the critical integration point: it resolves a better-auth session\n * from request headers and returns a toolkit RequestContext that the entity\n * system's AdminClient, QueryClient, and auditable behavior can read.\n */\n\nimport type { RequestContext } from '@murumets-ee/core'\nimport type { Auth } from './server.js'\n\n/**\n * Resolve a better-auth session into a toolkit RequestContext.\n *\n * Call this from your Next.js middleware or server component to populate\n * the toolkit's AsyncLocalStorage context.\n *\n * @example\n * ```typescript\n * // middleware.ts (user writes this — documented copy-paste)\n * import { getAuth, resolveAuthContext } from '@murumets-ee/auth'\n * import { runWithContext } from '@murumets-ee/core'\n *\n * export async function middleware(request: NextRequest) {\n *   const auth = getAuth()\n *   const ctx = await resolveAuthContext(auth, request.headers)\n *   return runWithContext(ctx, () => NextResponse.next())\n * }\n * ```\n */\nexport async function resolveAuthContext(auth: Auth, headers: Headers): Promise<RequestContext> {\n  const session = await auth.api.getSession({ headers })\n\n  if (!session) {\n    return { requestId: crypto.randomUUID() }\n  }\n\n  return {\n    user: {\n      id: session.user.id,\n      // The admin plugin stores role on the user object\n      groups: [((session.user as Record<string, unknown>).role as string) ?? 'viewer'],\n      name: session.user.name ?? undefined,\n      email: session.user.email ?? undefined,\n    },\n    requestId: crypto.randomUUID(),\n  }\n}\n"],"mappings":"mMA8BA,eAAsB,EAAmB,EAAY,EAA2C,CAC9F,IAAM,EAAU,MAAM,EAAK,IAAI,WAAW,CAAE,UAAS,CAAC,CAMtD,OAJK,EAIE,CACL,KAAM,CACJ,GAAI,EAAQ,KAAK,GAEjB,OAAQ,CAAG,EAAQ,KAAiC,MAAmB,SAAS,CAChF,KAAM,EAAQ,KAAK,MAAQ,IAAA,GAC3B,MAAO,EAAQ,KAAK,OAAS,IAAA,GAC9B,CACD,UAAW,OAAO,YAAY,CAC/B,CAZQ,CAAE,UAAW,OAAO,YAAY,CAAE"}

package/dist/{plugin-DlfYYNXb.d.mts → plugin-BY4sYim9.d.mts}

@@ -1,4 +1,4 @@
-import { n as AuthConfig, t as AdminUser } from "./types-Dxs8Jhxs.mjs";
+import { n as AuthConfig, t as AdminUser } from "./types-Dl_sE_9S.mjs";
 import { Auth } from "better-auth";
 import { Plugin } from "@murumets-ee/core";
 //#region src/server.d.ts
@@ -48,6 +48,18 @@ type AuthWithAdmin = Auth$1 & {
  * ```
  */
 declare function getAuth(): AuthWithAdmin;
+/**
+ * Is public sign-up allowed in this deployment?
+ *
+ * Defaults to `false` — first admin is bootstrapped via `lumi create-admin`.
+ * Set `auth({ signup: { enabled: true } })` in toolkit.config.ts to open.
+ *
+ * Use this to gate sign-up routes, hide "Sign up" links, and decide whether
+ * the sign-up form should render at all. Security-critical: when the flag is
+ * off, the signup HTTP gate also rejects `/sign-up/email` — this helper and
+ * the server-side gate must agree.
+ */
+declare function isSignupEnabled(): boolean;
 /**
  * Create the auth toolkit plugin.
  *
@@ -67,5 +79,5 @@ declare function getAuth(): AuthWithAdmin;
  */
 declare function auth(config?: AuthConfig): Plugin;
 //#endregion
-export { AuthAdminApi as i, getAuth as n, Auth$1 as r, auth as t };
-//# sourceMappingURL=plugin-DlfYYNXb.d.mts.map
+export { AuthAdminApi as a, Auth$1 as i, getAuth as n, isSignupEnabled as r, auth as t };
+//# sourceMappingURL=plugin-BY4sYim9.d.mts.map

package/dist/plugin-BY4sYim9.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"plugin-BY4sYim9.d.mts","names":[],"sources":["../src/server.ts","../src/plugin.ts"],"mappings":";;;;;;;KAgYY,MAAA,GAAO,IAAA;;AC7WyB;;;;;;;;UDwX3B,YAAA;EACf,SAAA,GAAY,IAAA;IACV,OAAA,EAAS,OAAA;IACT,KAAA;MACE,KAAA;MACA,MAAA;MACA,aAAA;IAAA;EAAA,MAEE,OAAA;IAAU,KAAA,EAAO,SAAA;IAAa,KAAA;EAAA;AAAA;;;;KC7XjC,aAAA,GAAgB,MAAA;EAAS,GAAA,EAAK,YAAA;AAAA;;;;;;;;;;;;;;iBAuBnB,OAAA,CAAA,GAAW,aAAA;;;;;;;;;;AA1BiB;;iBA4C5B,eAAA,CAAA;;;;;;;AAlBhB;;;;;AAkBA;;;;;AAqBA;iBAAgB,IAAA,CAAK,MAAA,GAAQ,UAAA,GAAkB,MAAA"}

package/dist/plugin.d.mts

@@ -1,2 +1,2 @@
-import { n as getAuth, t as auth } from "./plugin-DlfYYNXb.mjs";
-export { auth, getAuth };
+import { n as getAuth, r as isSignupEnabled, t as auth } from "./plugin-BY4sYim9.mjs";
+export { auth, getAuth, isSignupEnabled };

package/dist/plugin.mjs

@@ -1,2 +1,2 @@
-import{a as e,f as t,m as n,r,s as i,t as a,u as o}from"./schema-Je6e5yt2.mjs";let s=null;function c(){if(!s)throw Error(`@murumets-ee/auth not initialized. Add auth() to your toolkit config plugins.`);return s}function l(c={}){return{name:`@murumets-ee/auth`,tables:{user:t,session:o,account:a,verification:n,organization:i,member:e,invitation:r},init:async e=>{let{createAuthServer:t}=await import(`./server-B7Gdv2He.mjs`),n;if(c.audit!==!1){let{createAuditLogger:t,createAuditDbWriter:r,createLogger:i}=await import(`@murumets-ee/logging`);n=t({logger:i({name:`auth-audit`}),dbWriter:r(e.db.readWrite)})}s=t(c,e,n),e.logger.info(`Auth plugin initialized`)}}}export{l as auth,c as getAuth};
+import{a as e,f as t,m as n,r,s as i,t as a,u as o}from"./schema-Je6e5yt2.mjs";let s=null,c=null;function l(){if(!s)throw Error(`@murumets-ee/auth not initialized. Add auth() to your toolkit config plugins.`);return s}function u(){return c?.signup?.enabled===!0}function d(l={}){return c=l,{name:`@murumets-ee/auth`,tables:{user:t,session:o,account:a,verification:n,organization:i,member:e,invitation:r},init:async e=>{let{createAuthServer:t}=await import(`./server-BKbmzuzv.mjs`),n;if(l.audit!==!1){let{createAuditLogger:t,createAuditDbWriter:r,createLogger:i}=await import(`@murumets-ee/logging`);n=t({logger:i({name:`auth-audit`}),dbWriter:r(e.db.readWrite)})}s=t(l,e,n),e.logger.info(`Auth plugin initialized`)}}}export{d as auth,l as getAuth,u as isSignupEnabled};
 //# sourceMappingURL=plugin.mjs.map

package/dist/plugin.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"plugin.mjs","names":[],"sources":["../src/plugin.ts"],"sourcesContent":["/**\n * Toolkit plugin implementation for @murumets-ee/auth.\n *\n * Implements the Plugin interface from @murumets-ee/core.\n * Creates and stores the better-auth server instance during init.\n */\n\nimport type { Plugin } from '@murumets-ee/core'\nimport type { AuditLogger } from '@murumets-ee/logging'\nimport {\n  account,\n  invitation,\n  member,\n  organization,\n  session,\n  user,\n  verification,\n} from './schema.js'\nimport type { Auth, AuthAdminApi } from './server.js'\nimport type { AuthConfig } from './types.js'\n\n/** Auth with admin API — admin plugin is always loaded in createAuthServer */\ntype AuthWithAdmin = Auth & { api: AuthAdminApi }\n\n/** The initialized auth server instance (set during plugin init) */\nlet _auth: AuthWithAdmin | null = null\n\n/**\n * Get the auth server instance.\n * Throws if the auth plugin hasn't been initialized yet.\n *\n * @example\n * ```typescript\n * // app/api/auth/[...all]/route.ts (user writes this)\n * import { toNextJsHandler } from 'better-auth/next-js'\n * import { getAuth } from '@murumets-ee/auth'\n *\n * export const { GET, POST } = toNextJsHandler(getAuth())\n * ```\n */\nexport function getAuth(): AuthWithAdmin {\n  if (!_auth) {\n    throw new Error('@murumets-ee/auth not initialized. Add auth() to your toolkit config plugins.')\n  }\n  return _auth\n}\n\n/**\n * Create the auth toolkit plugin.\n *\n * @example\n * ```typescript\n * import { defineConfig } from '@murumets-ee/core'\n * import { auth } from '@murumets-ee/auth'\n *\n * export default defineConfig({\n *   db: { url: process.env.DATABASE_URL! },\n *   entities: [Article, Category],\n *   plugins: [\n *     auth({ providers: ['email'] }),\n *   ],\n * })\n * ```\n */\nexport function auth(config: AuthConfig = {}): Plugin {\n  return {\n    name: '@murumets-ee/auth',\n    // Expose better-auth's Drizzle tables so `lumi migrate` picks them up\n    // automatically. The canonical schema lives in\n    // `@murumets-ee/auth/schema` — committed, not codegen-generated.\n    tables: { user, session, account, verification, organization, member, invitation },\n    init: async (app) => {\n      const { createAuthServer } = await import('./server.js')\n\n      // Create audit logger for auth events (login, signup, ban, etc.)\n      // unless explicitly disabled via `audit: false`\n      let auditLogger: AuditLogger | undefined\n      if (config.audit !== false) {\n        const { createAuditLogger, createAuditDbWriter, createLogger } = await import(\n          '@murumets-ee/logging'\n        )\n        auditLogger = createAuditLogger({\n          logger: createLogger({ name: 'auth-audit' }),\n          dbWriter: createAuditDbWriter(app.db.readWrite),\n        })\n      }\n\n      // createAuthServer always loads the admin plugin, so listUsers etc.\n      // exist at runtime. The return type is widened to BetterAuthBase for\n      // DTS portability (TS2742 — zod@4 internal paths). This single\n      // assertion bridges the gap so getAuth() consumers get typed admin API.\n      _auth = createAuthServer(config, app, auditLogger) as AuthWithAdmin\n      app.logger.info('Auth plugin initialized')\n    },\n  }\n}\n"],"mappings":"+EAyBA,IAAI,EAA8B,KAelC,SAAgB,GAAyB,CACvC,GAAI,CAAC,EACH,MAAU,MAAM,gFAAgF,CAElG,OAAO,EAoBT,SAAgB,EAAK,EAAqB,EAAE,CAAU,CACpD,MAAO,CACL,KAAM,oBAIN,OAAQ,CAAE,OAAM,UAAS,UAAS,eAAc,eAAc,SAAQ,aAAY,CAClF,KAAM,KAAO,IAAQ,CACnB,GAAM,CAAE,oBAAqB,MAAM,OAAO,yBAItC,EACJ,GAAI,EAAO,QAAU,GAAO,CAC1B,GAAM,CAAE,oBAAmB,sBAAqB,gBAAiB,MAAM,OACrE,wBAEF,EAAc,EAAkB,CAC9B,OAAQ,EAAa,CAAE,KAAM,aAAc,CAAC,CAC5C,SAAU,EAAoB,EAAI,GAAG,UAAU,CAChD,CAAC,CAOJ,EAAQ,EAAiB,EAAQ,EAAK,EAAY,CAClD,EAAI,OAAO,KAAK,0BAA0B,EAE7C"}
+{"version":3,"file":"plugin.mjs","names":[],"sources":["../src/plugin.ts"],"sourcesContent":["/**\n * Toolkit plugin implementation for @murumets-ee/auth.\n *\n * Implements the Plugin interface from @murumets-ee/core.\n * Creates and stores the better-auth server instance during init.\n */\n\nimport type { Plugin } from '@murumets-ee/core'\nimport type { AuditLogger } from '@murumets-ee/logging'\nimport {\n  account,\n  invitation,\n  member,\n  organization,\n  session,\n  user,\n  verification,\n} from './schema.js'\nimport type { Auth, AuthAdminApi } from './server.js'\nimport type { AuthConfig } from './types.js'\n\n/** Auth with admin API — admin plugin is always loaded in createAuthServer */\ntype AuthWithAdmin = Auth & { api: AuthAdminApi }\n\n/** The initialized auth server instance (set during plugin init) */\nlet _auth: AuthWithAdmin | null = null\n\n/** The auth plugin config — captured at plugin() call so server-side code\n *  (page.tsx guards, admin UIs) can read runtime flags like `signup.enabled`\n *  without threading config through every layer. */\nlet _authConfig: AuthConfig | null = null\n\n/**\n * Get the auth server instance.\n * Throws if the auth plugin hasn't been initialized yet.\n *\n * @example\n * ```typescript\n * // app/api/auth/[...all]/route.ts (user writes this)\n * import { toNextJsHandler } from 'better-auth/next-js'\n * import { getAuth } from '@murumets-ee/auth'\n *\n * export const { GET, POST } = toNextJsHandler(getAuth())\n * ```\n */\nexport function getAuth(): AuthWithAdmin {\n  if (!_auth) {\n    throw new Error('@murumets-ee/auth not initialized. Add auth() to your toolkit config plugins.')\n  }\n  return _auth\n}\n\n/**\n * Is public sign-up allowed in this deployment?\n *\n * Defaults to `false` — first admin is bootstrapped via `lumi create-admin`.\n * Set `auth({ signup: { enabled: true } })` in toolkit.config.ts to open.\n *\n * Use this to gate sign-up routes, hide \"Sign up\" links, and decide whether\n * the sign-up form should render at all. Security-critical: when the flag is\n * off, the signup HTTP gate also rejects `/sign-up/email` — this helper and\n * the server-side gate must agree.\n */\nexport function isSignupEnabled(): boolean {\n  return _authConfig?.signup?.enabled === true\n}\n\n/**\n * Create the auth toolkit plugin.\n *\n * @example\n * ```typescript\n * import { defineConfig } from '@murumets-ee/core'\n * import { auth } from '@murumets-ee/auth'\n *\n * export default defineConfig({\n *   db: { url: process.env.DATABASE_URL! },\n *   entities: [Article, Category],\n *   plugins: [\n *     auth({ providers: ['email'] }),\n *   ],\n * })\n * ```\n */\nexport function auth(config: AuthConfig = {}): Plugin {\n  // Capture the config eagerly so isSignupEnabled() works before init()\n  // runs (server components that read it during render may resolve before\n  // the plugin's async init completes on cold boot — the config is known\n  // synchronously from the moment auth() is called).\n  _authConfig = config\n  return {\n    name: '@murumets-ee/auth',\n    // Expose better-auth's Drizzle tables so `lumi migrate` picks them up\n    // automatically. The canonical schema lives in\n    // `@murumets-ee/auth/schema` — committed, not codegen-generated.\n    tables: { user, session, account, verification, organization, member, invitation },\n    init: async (app) => {\n      const { createAuthServer } = await import('./server.js')\n\n      // Create audit logger for auth events (login, signup, ban, etc.)\n      // unless explicitly disabled via `audit: false`\n      let auditLogger: AuditLogger | undefined\n      if (config.audit !== false) {\n        const { createAuditLogger, createAuditDbWriter, createLogger } = await import(\n          '@murumets-ee/logging'\n        )\n        auditLogger = createAuditLogger({\n          logger: createLogger({ name: 'auth-audit' }),\n          dbWriter: createAuditDbWriter(app.db.readWrite),\n        })\n      }\n\n      // createAuthServer always loads the admin plugin, so listUsers etc.\n      // exist at runtime. The return type is widened to BetterAuthBase for\n      // DTS portability (TS2742 — zod@4 internal paths). This single\n      // assertion bridges the gap so getAuth() consumers get typed admin API.\n      _auth = createAuthServer(config, app, auditLogger) as AuthWithAdmin\n      app.logger.info('Auth plugin initialized')\n    },\n  }\n}\n"],"mappings":"+EAyBA,IAAI,EAA8B,KAK9B,EAAiC,KAerC,SAAgB,GAAyB,CACvC,GAAI,CAAC,EACH,MAAU,MAAM,gFAAgF,CAElG,OAAO,EAcT,SAAgB,GAA2B,CACzC,OAAO,GAAa,QAAQ,UAAY,GAoB1C,SAAgB,EAAK,EAAqB,EAAE,CAAU,CAMpD,MADA,GAAc,EACP,CACL,KAAM,oBAIN,OAAQ,CAAE,OAAM,UAAS,UAAS,eAAc,eAAc,SAAQ,aAAY,CAClF,KAAM,KAAO,IAAQ,CACnB,GAAM,CAAE,oBAAqB,MAAM,OAAO,yBAItC,EACJ,GAAI,EAAO,QAAU,GAAO,CAC1B,GAAM,CAAE,oBAAmB,sBAAqB,gBAAiB,MAAM,OACrE,wBAEF,EAAc,EAAkB,CAC9B,OAAQ,EAAa,CAAE,KAAM,aAAc,CAAC,CAC5C,SAAU,EAAoB,EAAI,GAAG,UAAU,CAChD,CAAC,CAOJ,EAAQ,EAAiB,EAAQ,EAAK,EAAY,CAClD,EAAI,OAAO,KAAK,0BAA0B,EAE7C"}

package/dist/server-BKbmzuzv.mjs

@@ -0,0 +1,2 @@
+import{l as e}from"./schema-Je6e5yt2.mjs";import{a as t,l as n}from"./permissions-DREmJByu.mjs";import{createAccessControl as r}from"better-auth/plugins/access";import{betterAuth as i}from"better-auth";import{drizzleAdapter as a}from"better-auth/adapters/drizzle";import{APIError as o,createAuthMiddleware as s}from"better-auth/api";import{nextCookies as c}from"better-auth/next-js";import{admin as l}from"better-auth/plugins";import{organization as u}from"better-auth/plugins/organization";function d(e){let t=e?.context?.session,n=t?.user;return{id:n?.id??t?.userId,name:n?.name}}const f=new Set([`updatedAt`,`createdAt`]);function p(e){function t(t){e?.log(t).catch(()=>{})}let n=null;return{user:{create:{after:async e=>{t({action:`auth.signup`,entityType:`user`,entityId:e.id,userId:e.id,userName:e.name,changes:{fields:{name:e.name,email:e.email}}})}},update:{before:async e=>{let t={};for(let[n,r]of Object.entries(e))f.has(n)||n===`id`||(t[n]=r);n=Object.keys(t).length>0?t:null},after:async(e,r)=>{let i=d(r),a=n;n=null,t({action:`auth.user.update`,entityType:`user`,entityId:e.id,userId:i.id,userName:i.name,changes:a?{fields:a}:void 0,metadata:{targetUser:e.name}})}},delete:{after:async(e,n)=>{let r=d(n);t({action:`auth.user.delete`,entityType:`user`,entityId:e.id,userId:r.id,userName:r.name,metadata:{targetUser:e.name}})}}}}}const m=[`/sign-in/email`,`/sign-in/social`],h={"/change-password":`auth.password.change`,"/forget-password":`auth.password.reset_request`,"/reset-password":`auth.password.reset`},g={"/admin/set-role":`auth.admin.set_role`,"/admin/ban-user":`auth.admin.ban`,"/admin/unban-user":`auth.admin.unban`,"/admin/create-user":`auth.admin.create_user`,"/admin/remove-user":`auth.admin.remove_user`,"/admin/impersonate-user":`auth.admin.impersonate`,"/admin/stop-impersonating":`auth.admin.stop_impersonating`,"/admin/revoke-session":`auth.admin.revoke_session`,"/admin/revoke-sessions":`auth.admin.revoke_sessions`};function _(e){function t(t){e.log(t).catch(()=>{})}return{after:s(async e=>{if(m.some(t=>e.path.startsWith(t))){let n=e.context.returned?.status;if(!n)return;if(n>=400){let r=e.body?.email;t({action:`auth.login.failed`,metadata:{...typeof r==`string`?{email:r}:{},status:n,path:e.path}})}else{let n=e.context.newSession;n?.user?.id&&t({action:`auth.login`,entityType:`user`,entityId:n.user.id,userId:n.user.id,userName:n.user.name})}return}if(e.path===`/sign-out`){let n=e.context.returned;if(!n?.status||n.status<400){let n=d(e);n.id&&t({action:`auth.logout`,entityType:`user`,entityId:n.id,userId:n.id,userName:n.name})}return}let n=h[e.path];if(n){let r=e.context.returned;if(!r?.status||r.status<400){let r=d(e),i=e.body;t({action:n,entityType:`user`,userId:r.id,userName:r.name,metadata:{...typeof i?.email==`string`?{email:i.email}:{},path:e.path}})}return}let r=g[e.path];if(!r)return;let i=e.context.returned;if(i?.status&&i.status>=400)return;let a=d(e),o=e.body;t({action:r,entityType:`user`,entityId:o?.userId??void 0,userId:a.id,userName:a.name,metadata:{targetUserId:o?.userId,...o?.role?{role:o.role}:{},path:e.path}})})}}function v(e){return s(async t=>{if(t.path===`/sign-up/email`&&!e)throw new o(`FORBIDDEN`,{message:`Sign-up is closed`})})}function y(o,s,d){let f=[...s.entities.values()],m=r(n(f)),h=t(m,f),g={};o.social?.google&&(g.google=o.social.google),o.social?.github&&(g.github=o.social.github);let y=o.schema??e;return i({database:a(s.db.readWrite,{provider:`pg`,schema:y}),emailAndPassword:{enabled:o.providers?.includes(`email`)??!0},socialProviders:g,session:{expiresIn:o.session?.expiresIn??3600*2,updateAge:o.session?.updateAge??3600},rateLimit:{enabled:!0,window:60,max:100,storage:`memory`,customRules:{"/sign-in/email":{window:60,max:5},"/sign-in/social":{window:60,max:10},"/sign-up/email":{window:60,max:3},"/forget-password":{window:60,max:3},"/reset-password":{window:60,max:5},"/admin/*":{window:60,max:20}}},databaseHooks:p(d),hooks:{before:v(o.signup?.enabled??!1),...d?_(d):{}},plugins:[l({ac:m,roles:h,defaultRole:`authenticated`}),...o.organizations?[u({ac:m,roles:h})]:[],...o.betterAuthPlugins??[],c()]})}export{y as createAuthServer};
+//# sourceMappingURL=server-BKbmzuzv.mjs.map

package/dist/server-BKbmzuzv.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"server-BKbmzuzv.mjs","names":["defaultAuthSchema"],"sources":["../src/server.ts"],"sourcesContent":["/**\n * Server-side auth instance factory.\n *\n * Creates a configured `betterAuth()` instance using the toolkit's database\n * connection and entity definitions. This is server-only code.\n */\n\nimport type { ToolkitApp } from '@murumets-ee/core'\nimport type { AuditLogger } from '@murumets-ee/logging'\nimport type { Auth as BetterAuthBase, BetterAuthOptions } from 'better-auth'\nimport { betterAuth } from 'better-auth'\nimport { drizzleAdapter } from 'better-auth/adapters/drizzle'\nimport { APIError, createAuthMiddleware } from 'better-auth/api'\nimport { nextCookies } from 'better-auth/next-js'\nimport { admin } from 'better-auth/plugins'\nimport type { Role } from 'better-auth/plugins/access'\nimport { createAccessControl } from 'better-auth/plugins/access'\nimport { organization } from 'better-auth/plugins/organization'\nimport { buildDefaultRoles, buildStatements } from './permissions.js'\nimport * as defaultAuthSchema from './schema.js'\nimport type { AdminUser, AuthConfig } from './types.js'\n\n// ---------------------------------------------------------------------------\n// Audit hooks — wired into better-auth's databaseHooks\n// ---------------------------------------------------------------------------\n\n/** Extract acting admin's id and name from better-auth hook context.\n *  ctx is GenericEndpointContext | null — we access session safely via optional chaining. */\nfunction getActor(ctx: unknown) {\n  const session = (ctx as { context?: { session?: Record<string, unknown> } } | null)?.context\n    ?.session\n  const user = session?.user as { id?: string; name?: string } | undefined\n  return {\n    id: user?.id ?? (session?.userId as string | undefined),\n    name: user?.name,\n  }\n}\n\n/** Fields to strip from user update audit payloads */\nconst SKIP_FIELDS = new Set(['updatedAt', 'createdAt'])\n\nfunction buildDatabaseHooks(auditLogger?: AuditLogger) {\n  /** Fire-and-forget audit — never block auth operations */\n  function audit(entry: Parameters<AuditLogger['log']>[0]) {\n    auditLogger?.log(entry).catch(() => {})\n  }\n\n  // `before` captures changed fields, `after` has full user + actor ctx.\n  // Bridge with a simple variable — updates are sequential per request.\n  let pendingFields: Record<string, unknown> | null = null\n\n  return {\n    user: {\n      create: {\n        after: async (user: Record<string, unknown>) => {\n          // Signup — actor is the new user themselves.\n          // NOTE: first-user auto-promotion was removed. Bootstrap the first\n          // admin via `lumi create-admin` (requires shell access). Public\n          // signup is closed by default; see AuthConfig.signup.enabled.\n          audit({\n            action: 'auth.signup',\n            entityType: 'user',\n            entityId: user.id as string,\n            userId: user.id as string,\n            userName: user.name as string,\n            changes: {\n              fields: { name: user.name, email: user.email },\n            },\n          })\n        },\n      },\n      update: {\n        // `before` receives only the changed fields — capture them\n        before: async (userData: Record<string, unknown>) => {\n          const fields: Record<string, unknown> = {}\n          for (const [key, value] of Object.entries(userData)) {\n            if (SKIP_FIELDS.has(key) || key === 'id') continue\n            fields[key] = value\n          }\n          pendingFields = Object.keys(fields).length > 0 ? fields : null\n        },\n        // `after` has full user (name) + ctx (actor session) — log everything\n        after: async (user: Record<string, unknown>, ctx: unknown) => {\n          const actor = getActor(ctx)\n          const fields = pendingFields\n          pendingFields = null\n          audit({\n            action: 'auth.user.update',\n            entityType: 'user',\n            entityId: user.id as string,\n            userId: actor.id,\n            userName: actor.name,\n            changes: fields ? { fields } : undefined,\n            metadata: {\n              targetUser: user.name as string | undefined,\n            },\n          })\n        },\n      },\n      delete: {\n        after: async (user: Record<string, unknown>, ctx: unknown) => {\n          const actor = getActor(ctx)\n          audit({\n            action: 'auth.user.delete',\n            entityType: 'user',\n            entityId: user.id as string,\n            userId: actor.id,\n            userName: actor.name,\n            metadata: {\n              targetUser: user.name as string | undefined,\n            },\n          })\n        },\n      },\n    },\n  }\n}\n\n// ---------------------------------------------------------------------------\n// Request-level hooks — catches failed logins, password changes, etc.\n// ---------------------------------------------------------------------------\n\n/** Auth paths where a non-2xx response means a failed attempt worth logging */\nconst SIGN_IN_PATHS = ['/sign-in/email', '/sign-in/social']\n\n/** Auth paths for session/password lifecycle events */\nconst SIGN_OUT_PATH = '/sign-out'\nconst PASSWORD_PATHS: Record<string, string> = {\n  '/change-password': 'auth.password.change',\n  '/forget-password': 'auth.password.reset_request',\n  '/reset-password': 'auth.password.reset',\n}\n\n/** Paths that should be audit-logged when successful */\nconst AUDIT_ADMIN_PATHS: Record<string, string> = {\n  '/admin/set-role': 'auth.admin.set_role',\n  '/admin/ban-user': 'auth.admin.ban',\n  '/admin/unban-user': 'auth.admin.unban',\n  '/admin/create-user': 'auth.admin.create_user',\n  '/admin/remove-user': 'auth.admin.remove_user',\n  '/admin/impersonate-user': 'auth.admin.impersonate',\n  '/admin/stop-impersonating': 'auth.admin.stop_impersonating',\n  '/admin/revoke-session': 'auth.admin.revoke_session',\n  '/admin/revoke-sessions': 'auth.admin.revoke_sessions',\n}\n\nfunction buildRequestHooks(auditLogger: AuditLogger) {\n  function audit(entry: Parameters<AuditLogger['log']>[0]) {\n    auditLogger.log(entry).catch(() => {})\n  }\n\n  return {\n    after: createAuthMiddleware(async (ctx) => {\n      // --- Login attempt logging ---\n      const isSignIn = SIGN_IN_PATHS.some((p) => ctx.path.startsWith(p))\n      if (isSignIn) {\n        const returned = ctx.context.returned as { status?: number } | undefined\n        const status = returned?.status\n        if (!status) return\n\n        if (status >= 400) {\n          const email = (ctx.body as Record<string, unknown> | undefined)?.email\n          audit({\n            action: 'auth.login.failed',\n            metadata: {\n              ...(typeof email === 'string' ? { email } : {}),\n              status,\n              path: ctx.path,\n            },\n          })\n        } else {\n          const newSession = ctx.context.newSession as\n            | { user?: { id?: string; name?: string } }\n            | undefined\n          if (newSession?.user?.id) {\n            audit({\n              action: 'auth.login',\n              entityType: 'user',\n              entityId: newSession.user.id,\n              userId: newSession.user.id,\n              userName: newSession.user.name,\n            })\n          }\n        }\n        return\n      }\n\n      // --- Logout logging ---\n      if (ctx.path === SIGN_OUT_PATH) {\n        const returned = ctx.context.returned as { status?: number } | undefined\n        if (!returned?.status || returned.status < 400) {\n          const actor = getActor(ctx)\n          if (actor.id) {\n            audit({\n              action: 'auth.logout',\n              entityType: 'user',\n              entityId: actor.id,\n              userId: actor.id,\n              userName: actor.name,\n            })\n          }\n        }\n        return\n      }\n\n      // --- Password change/reset logging ---\n      const passwordAction = PASSWORD_PATHS[ctx.path]\n      if (passwordAction) {\n        const returned = ctx.context.returned as { status?: number } | undefined\n        if (!returned?.status || returned.status < 400) {\n          const actor = getActor(ctx)\n          const body = ctx.body as Record<string, unknown> | undefined\n          audit({\n            action: passwordAction,\n            entityType: 'user',\n            userId: actor.id,\n            userName: actor.name,\n            metadata: {\n              // For reset requests, log the email (not sensitive — it's the input)\n              ...(typeof body?.email === 'string' ? { email: body.email } : {}),\n              path: ctx.path,\n            },\n          })\n        }\n        return\n      }\n\n      // --- Admin operation audit logging (impersonation, role changes, bans, etc.) ---\n      const auditAction = AUDIT_ADMIN_PATHS[ctx.path]\n      if (!auditAction) return\n\n      const returned = ctx.context.returned as { status?: number } | undefined\n      if (returned?.status && returned.status >= 400) return // failed — skip\n\n      const actor = getActor(ctx)\n      const body = ctx.body as Record<string, unknown> | undefined\n      audit({\n        action: auditAction,\n        entityType: 'user',\n        entityId: (body?.userId as string) ?? undefined,\n        userId: actor.id,\n        userName: actor.name,\n        metadata: {\n          targetUserId: body?.userId as string | undefined,\n          ...(body?.role ? { role: body.role as string } : {}),\n          path: ctx.path,\n        },\n      })\n    }),\n  }\n}\n\n// ---------------------------------------------------------------------------\n// Signup gate — rejects public registration unless explicitly enabled.\n//\n// Closed by default. The first admin is created via `lumi create-admin`\n// (runs below the HTTP/middleware layer via auth.$context.internalAdapter,\n// so this gate never fires for CLI bootstrap). To open public registration\n// later, set `auth({ signup: { enabled: true } })` in the toolkit config.\n// ---------------------------------------------------------------------------\n\nfunction buildSignupGate(signupEnabled: boolean) {\n  return createAuthMiddleware(async (ctx) => {\n    if (ctx.path !== '/sign-up/email') return\n    if (!signupEnabled) {\n      throw new APIError('FORBIDDEN', { message: 'Sign-up is closed' })\n    }\n  })\n}\n\n// ---------------------------------------------------------------------------\n// Server factory\n// ---------------------------------------------------------------------------\n\n/**\n * Create a better-auth server instance wired to the toolkit.\n *\n * Called during plugin init — the returned instance powers:\n * - `auth.api.getSession()` for session resolution\n * - `auth.api.listUsers()` for admin user management\n * - Route handler via `toNextJsHandler(auth)`\n *\n * IMPORTANT: Plugins are inlined in the `betterAuth()` call so TypeScript\n * preserves the literal plugin types. Extracting them into a `BetterAuthPlugin[]`\n * variable erases specific endpoint types (admin, organization, etc.).\n *\n * The explicit `BetterAuthBase` return type annotation is required because\n * better-auth 1.6's internals use zod@4 types that tsdown's dts generator\n * cannot name portably across pnpm's `.pnpm/zod@4.x` symlink paths (TS2742).\n * The annotation widens to better-auth's generic `Auth` type — specific\n * plugin endpoint types (`auth.api.listUsers` etc.) are still accessible\n * because better-auth's `InferAPI` helper resolves them at the consumer's\n * compile time against their installed better-auth version.\n */\nexport function createAuthServer(\n  config: AuthConfig,\n  app: ToolkitApp,\n  auditLogger?: AuditLogger,\n): BetterAuthBase {\n  const entities = [...app.entities.values()]\n  const statement = buildStatements(entities)\n  const ac = createAccessControl(statement)\n  const roles: Record<string, Role> = buildDefaultRoles(ac, entities)\n\n  // Build social provider config\n  const socialProviders: Record<string, { clientId: string; clientSecret: string }> = {}\n  if (config.social?.google) {\n    socialProviders.google = config.social.google\n  }\n  if (config.social?.github) {\n    socialProviders.github = config.social.github\n  }\n\n  // Plugins are inlined so TS infers the literal tuple type.\n  // DO NOT extract into a typed variable — `BetterAuthPlugin[]` erases endpoint types.\n  // nextCookies() must be last — required for Next.js server actions.\n  // Default to the pre-baked schema from `@murumets-ee/auth/schema` so\n  // consumers don't need to generate one with `@better-auth/cli`. They\n  // can still override via `auth({ schema: customSchema })` if they've\n  // extended better-auth with plugins that add tables.\n  const schema = config.schema ?? defaultAuthSchema\n\n  // Widen the config to BetterAuthOptions so betterAuth() returns\n  // Auth<BetterAuthOptions> (= BetterAuthBase). This is required because:\n  //   1. Without a return type annotation, tsdown fails with TS2742\n  //      (zod@4 internal types can't be named portably in .d.mts)\n  //   2. The admin plugin with custom ac/roles makes Auth<SpecificConfig>\n  //      structurally incompatible with Auth (better-auth#8855)\n  // Widening the config erases plugin-specific API types at compile time,\n  // but plugin endpoints (listUsers, etc.) are fully functional at runtime.\n  // Consumers already access them via typed wrappers in AdminPagesConfig.\n  const authOptions: BetterAuthOptions = {\n    database: drizzleAdapter(app.db.readWrite, {\n      provider: 'pg',\n      schema,\n    }),\n\n    emailAndPassword: {\n      enabled: config.providers?.includes('email') ?? true,\n    },\n\n    socialProviders,\n\n    session: {\n      expiresIn: config.session?.expiresIn ?? 60 * 60 * 2, // 2 hours (admin CMS — short-lived)\n      updateAge: config.session?.updateAge ?? 60 * 60, // 1 hour\n    },\n\n    // Rate limiting — strict on sensitive paths, relaxed global default\n    rateLimit: {\n      enabled: true,\n      window: 60, // 60s global window\n      max: 100, // 100 req/min default\n      storage: 'memory',\n      customRules: {\n        '/sign-in/email': { window: 60, max: 5 }, // 5 login attempts/min\n        '/sign-in/social': { window: 60, max: 10 },\n        '/sign-up/email': { window: 60, max: 3 }, // 3 signups/min\n        '/forget-password': { window: 60, max: 3 }, // 3 resets/min\n        '/reset-password': { window: 60, max: 5 },\n        '/admin/*': { window: 60, max: 20 }, // admin ops capped\n      },\n    },\n\n    databaseHooks: buildDatabaseHooks(auditLogger),\n    hooks: {\n      before: buildSignupGate(config.signup?.enabled ?? false),\n      ...(auditLogger ? buildRequestHooks(auditLogger) : {}),\n    },\n\n    plugins: [\n      admin({ ac, roles, defaultRole: 'authenticated' }),\n      ...(config.organizations ? [organization({ ac, roles })] : []),\n      ...(config.betterAuthPlugins ?? []),\n      nextCookies(),\n    ],\n  }\n\n  return betterAuth(authOptions)\n}\n\n/** Type of the auth server instance. Aliased from better-auth's generic\n *  `Auth` because the explicit annotation on `createAuthServer` means\n *  `ReturnType<typeof createAuthServer>` is already `BetterAuthBase`. */\nexport type Auth = BetterAuthBase\n\n/**\n * Structural interface for the server-side admin API methods.\n *\n * The widened `Auth` type (BetterAuthBase) doesn't expose admin plugin\n * endpoints. This interface describes just the methods consumers need\n * so they can access them without `as any`.\n *\n * Usage: `(auth.api as AuthAdminApi).listUsers(...)`\n */\nexport interface AuthAdminApi {\n  listUsers: (opts: {\n    headers: Headers\n    query: {\n      limit: number\n      sortBy: string\n      sortDirection: 'asc' | 'desc'\n    }\n  }) => Promise<{ users: AdminUser[]; total: number }>\n}\n"],"mappings":"2eA4BA,SAAS,EAAS,EAAc,CAC9B,IAAM,EAAW,GAAoE,SACjF,QACE,EAAO,GAAS,KACtB,MAAO,CACL,GAAI,GAAM,IAAO,GAAS,OAC1B,KAAM,GAAM,KACb,CAIH,MAAM,EAAc,IAAI,IAAI,CAAC,YAAa,YAAY,CAAC,CAEvD,SAAS,EAAmB,EAA2B,CAErD,SAAS,EAAM,EAA0C,CACvD,GAAa,IAAI,EAAM,CAAC,UAAY,GAAG,CAKzC,IAAI,EAAgD,KAEpD,MAAO,CACL,KAAM,CACJ,OAAQ,CACN,MAAO,KAAO,IAAkC,CAK9C,EAAM,CACJ,OAAQ,cACR,WAAY,OACZ,SAAU,EAAK,GACf,OAAQ,EAAK,GACb,SAAU,EAAK,KACf,QAAS,CACP,OAAQ,CAAE,KAAM,EAAK,KAAM,MAAO,EAAK,MAAO,CAC/C,CACF,CAAC,EAEL,CACD,OAAQ,CAEN,OAAQ,KAAO,IAAsC,CACnD,IAAM,EAAkC,EAAE,CAC1C,IAAK,GAAM,CAAC,EAAK,KAAU,OAAO,QAAQ,EAAS,CAC7C,EAAY,IAAI,EAAI,EAAI,IAAQ,OACpC,EAAO,GAAO,GAEhB,EAAgB,OAAO,KAAK,EAAO,CAAC,OAAS,EAAI,EAAS,MAG5D,MAAO,MAAO,EAA+B,IAAiB,CAC5D,IAAM,EAAQ,EAAS,EAAI,CACrB,EAAS,EACf,EAAgB,KAChB,EAAM,CACJ,OAAQ,mBACR,WAAY,OACZ,SAAU,EAAK,GACf,OAAQ,EAAM,GACd,SAAU,EAAM,KAChB,QAAS,EAAS,CAAE,SAAQ,CAAG,IAAA,GAC/B,SAAU,CACR,WAAY,EAAK,KAClB,CACF,CAAC,EAEL,CACD,OAAQ,CACN,MAAO,MAAO,EAA+B,IAAiB,CAC5D,IAAM,EAAQ,EAAS,EAAI,CAC3B,EAAM,CACJ,OAAQ,mBACR,WAAY,OACZ,SAAU,EAAK,GACf,OAAQ,EAAM,GACd,SAAU,EAAM,KAChB,SAAU,CACR,WAAY,EAAK,KAClB,CACF,CAAC,EAEL,CACF,CACF,CAQH,MAAM,EAAgB,CAAC,iBAAkB,kBAAkB,CAIrD,EAAyC,CAC7C,mBAAoB,uBACpB,mBAAoB,8BACpB,kBAAmB,sBACpB,CAGK,EAA4C,CAChD,kBAAmB,sBACnB,kBAAmB,iBACnB,oBAAqB,mBACrB,qBAAsB,yBACtB,qBAAsB,yBACtB,0BAA2B,yBAC3B,4BAA6B,gCAC7B,wBAAyB,4BACzB,yBAA0B,6BAC3B,CAED,SAAS,EAAkB,EAA0B,CACnD,SAAS,EAAM,EAA0C,CACvD,EAAY,IAAI,EAAM,CAAC,UAAY,GAAG,CAGxC,MAAO,CACL,MAAO,EAAqB,KAAO,IAAQ,CAGzC,GADiB,EAAc,KAAM,GAAM,EAAI,KAAK,WAAW,EAAE,CAAC,CACpD,CAEZ,IAAM,EADW,EAAI,QAAQ,UACJ,OACzB,GAAI,CAAC,EAAQ,OAEb,GAAI,GAAU,IAAK,CACjB,IAAM,EAAS,EAAI,MAA8C,MACjE,EAAM,CACJ,OAAQ,oBACR,SAAU,CACR,GAAI,OAAO,GAAU,SAAW,CAAE,QAAO,CAAG,EAAE,CAC9C,SACA,KAAM,EAAI,KACX,CACF,CAAC,KACG,CACL,IAAM,EAAa,EAAI,QAAQ,WAG3B,GAAY,MAAM,IACpB,EAAM,CACJ,OAAQ,aACR,WAAY,OACZ,SAAU,EAAW,KAAK,GAC1B,OAAQ,EAAW,KAAK,GACxB,SAAU,EAAW,KAAK,KAC3B,CAAC,CAGN,OAIF,GAAI,EAAI,OAAS,YAAe,CAC9B,IAAM,EAAW,EAAI,QAAQ,SAC7B,GAAI,CAAC,GAAU,QAAU,EAAS,OAAS,IAAK,CAC9C,IAAM,EAAQ,EAAS,EAAI,CACvB,EAAM,IACR,EAAM,CACJ,OAAQ,cACR,WAAY,OACZ,SAAU,EAAM,GAChB,OAAQ,EAAM,GACd,SAAU,EAAM,KACjB,CAAC,CAGN,OAIF,IAAM,EAAiB,EAAe,EAAI,MAC1C,GAAI,EAAgB,CAClB,IAAM,EAAW,EAAI,QAAQ,SAC7B,GAAI,CAAC,GAAU,QAAU,EAAS,OAAS,IAAK,CAC9C,IAAM,EAAQ,EAAS,EAAI,CACrB,EAAO,EAAI,KACjB,EAAM,CACJ,OAAQ,EACR,WAAY,OACZ,OAAQ,EAAM,GACd,SAAU,EAAM,KAChB,SAAU,CAER,GAAI,OAAO,GAAM,OAAU,SAAW,CAAE,MAAO,EAAK,MAAO,CAAG,EAAE,CAChE,KAAM,EAAI,KACX,CACF,CAAC,CAEJ,OAIF,IAAM,EAAc,EAAkB,EAAI,MAC1C,GAAI,CAAC,EAAa,OAElB,IAAM,EAAW,EAAI,QAAQ,SAC7B,GAAI,GAAU,QAAU,EAAS,QAAU,IAAK,OAEhD,IAAM,EAAQ,EAAS,EAAI,CACrB,EAAO,EAAI,KACjB,EAAM,CACJ,OAAQ,EACR,WAAY,OACZ,SAAW,GAAM,QAAqB,IAAA,GACtC,OAAQ,EAAM,GACd,SAAU,EAAM,KAChB,SAAU,CACR,aAAc,GAAM,OACpB,GAAI,GAAM,KAAO,CAAE,KAAM,EAAK,KAAgB,CAAG,EAAE,CACnD,KAAM,EAAI,KACX,CACF,CAAC,EACF,CACH,CAYH,SAAS,EAAgB,EAAwB,CAC/C,OAAO,EAAqB,KAAO,IAAQ,CACrC,KAAI,OAAS,kBACb,CAAC,EACH,MAAM,IAAI,EAAS,YAAa,CAAE,QAAS,oBAAqB,CAAC,EAEnE,CA2BJ,SAAgB,EACd,EACA,EACA,EACgB,CAChB,IAAM,EAAW,CAAC,GAAG,EAAI,SAAS,QAAQ,CAAC,CAErC,EAAK,EADO,EAAgB,EAAS,CACF,CACnC,EAA8B,EAAkB,EAAI,EAAS,CAG7D,EAA8E,EAAE,CAClF,EAAO,QAAQ,SACjB,EAAgB,OAAS,EAAO,OAAO,QAErC,EAAO,QAAQ,SACjB,EAAgB,OAAS,EAAO,OAAO,QAUzC,IAAM,EAAS,EAAO,QAAUA,EA0DhC,OAAO,EA/CgC,CACrC,SAAU,EAAe,EAAI,GAAG,UAAW,CACzC,SAAU,KACV,SACD,CAAC,CAEF,iBAAkB,CAChB,QAAS,EAAO,WAAW,SAAS,QAAQ,EAAI,GACjD,CAED,kBAEA,QAAS,CACP,UAAW,EAAO,SAAS,WAAa,KAAU,EAClD,UAAW,EAAO,SAAS,WAAa,KACzC,CAGD,UAAW,CACT,QAAS,GACT,OAAQ,GACR,IAAK,IACL,QAAS,SACT,YAAa,CACX,iBAAkB,CAAE,OAAQ,GAAI,IAAK,EAAG,CACxC,kBAAmB,CAAE,OAAQ,GAAI,IAAK,GAAI,CAC1C,iBAAkB,CAAE,OAAQ,GAAI,IAAK,EAAG,CACxC,mBAAoB,CAAE,OAAQ,GAAI,IAAK,EAAG,CAC1C,kBAAmB,CAAE,OAAQ,GAAI,IAAK,EAAG,CACzC,WAAY,CAAE,OAAQ,GAAI,IAAK,GAAI,CACpC,CACF,CAED,cAAe,EAAmB,EAAY,CAC9C,MAAO,CACL,OAAQ,EAAgB,EAAO,QAAQ,SAAW,GAAM,CACxD,GAAI,EAAc,EAAkB,EAAY,CAAG,EAAE,CACtD,CAED,QAAS,CACP,EAAM,CAAE,KAAI,QAAO,YAAa,gBAAiB,CAAC,CAClD,GAAI,EAAO,cAAgB,CAAC,EAAa,CAAE,KAAI,QAAO,CAAC,CAAC,CAAG,EAAE,CAC7D,GAAI,EAAO,mBAAqB,EAAE,CAClC,GAAa,CACd,CACF,CAE6B"}

package/dist/{types-Dxs8Jhxs.d.mts → types-Dl_sE_9S.d.mts}

@@ -65,7 +65,21 @@ interface AuthConfig {
    * Set to `false` to disable.
    */
   audit?: false;
+  /**
+   * Public sign-up configuration.
+   *
+   * Default: closed. Public registration is off unless explicitly enabled.
+   * The first admin user must be created via `lumi create-admin` (runs on
+   * the server, requires shell access — no public-facing registration window).
+   *
+   * Open registration carries real risk (anyone reaching the signup page
+   * becomes a user), so this is opt-in per-deployment rather than runtime-
+   * togglable via settings.
+   */
+  signup?: {
+    /** Allow public POST to /sign-up/email. Default: false (closed). */enabled?: boolean;
+  };
 }
 //#endregion
 export { AuthConfig as n, AdminUser as t };
-//# sourceMappingURL=types-Dxs8Jhxs.d.mts.map
+//# sourceMappingURL=types-Dl_sE_9S.d.mts.map

package/dist/{types-Dxs8Jhxs.d.mts.map → types-Dl_sE_9S.d.mts.map}

@@ -1 +1 @@
-{"version":3,"file":"types-Dxs8Jhxs.d.mts","names":[],"sources":["../src/types.ts"],"mappings":";;;;;AAUA;;;;;;UAAiB,SAAA;EACf,EAAA;EACA,SAAA,EAAW,IAAA;EACX,SAAA,EAAW,IAAA;EACX,KAAA;EACA,aAAA;EACA,IAAA;EACA,KAAA;EACA,IAAA;EACA,MAAA;EACA,SAAA;EACA,UAAA,GAAa,IAAA;AAAA;;;;UAME,UAAA;EANE;EAQjB,SAAA;EAFyB;EAKzB,MAAA;IACE,MAAA;MAAW,QAAA;MAAkB,YAAA;IAAA;IAC7B,MAAA;MAAW,QAAA;MAAkB,YAAA;IAAA;EAAA;EAI/B;EAAA,OAAA;IAIE,2DAFA,SAAA,WAeF;IAbE,SAAA;EAAA;EAmBkB;EAfpB,aAAA;EAsBK;;;;;;;EAbL,MAAA,GAAS,MAAA;;;;;EAMT,iBAAA,GAAoB,gBAAA;;;;;;EAOpB,KAAA;AAAA"}
+{"version":3,"file":"types-Dl_sE_9S.d.mts","names":[],"sources":["../src/types.ts"],"mappings":";;;;;AAUA;;;;;;UAAiB,SAAA;EACf,EAAA;EACA,SAAA,EAAW,IAAA;EACX,SAAA,EAAW,IAAA;EACX,KAAA;EACA,aAAA;EACA,IAAA;EACA,KAAA;EACA,IAAA;EACA,MAAA;EACA,SAAA;EACA,UAAA,GAAa,IAAA;AAAA;;;;UAME,UAAA;EANE;EAQjB,SAAA;EAFyB;EAKzB,MAAA;IACE,MAAA;MAAW,QAAA;MAAkB,YAAA;IAAA;IAC7B,MAAA;MAAW,QAAA;MAAkB,YAAA;IAAA;EAAA;EAI/B;EAAA,OAAA;IAIE,2DAFA,SAAA,WAeF;IAbE,SAAA;EAAA;EAmBkB;EAfpB,aAAA;EAmCA;;;;;;;EA1BA,MAAA,GAAS,MAAA;;;;;EAMT,iBAAA,GAAoB,gBAAA;;;;;;EAOpB,KAAA;;;;;;;;;;;;EAaA,MAAA;wEAEE,OAAA;EAAA;AAAA"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@murumets-ee/auth",
-  "version": "0.3.0",
+  "version": "0.4.0",
   "license": "Elastic-2.0",
   "type": "module",
   "exports": {
@@ -28,25 +28,25 @@
   "files": [
     "dist"
   ],
-  "scripts": {
-    "build": "tsdown",
-    "dev": "tsdown --watch",
-    "test": "vitest",
-    "gen:schema": "npx @better-auth/cli generate --config scripts/schema-source.ts --output src/schema.ts -y"
-  },
   "dependencies": {
-    "@murumets-ee/core": "workspace:*",
-    "@murumets-ee/db": "workspace:*",
-    "@murumets-ee/entity": "workspace:*",
-    "@murumets-ee/logging": "workspace:*",
     "better-auth": "^1.6.2",
     "drizzle-orm": "^0.45.0",
-    "server-only": "^0.0.1"
+    "server-only": "^0.0.1",
+    "@murumets-ee/core": "0.4.0",
+    "@murumets-ee/db": "0.4.0",
+    "@murumets-ee/entity": "0.4.0",
+    "@murumets-ee/logging": "0.4.0"
   },
   "devDependencies": {
     "@types/node": "^22.10.5",
     "tsdown": "^0.21.7",
     "typescript": "^5.7.3",
     "vitest": "^2.1.8"
+  },
+  "scripts": {
+    "build": "tsdown",
+    "dev": "tsdown --watch",
+    "test": "vitest",
+    "gen:schema": "npx @better-auth/cli generate --config scripts/schema-source.ts --output src/schema.ts -y"
   }
-}
+}

package/dist/plugin-DlfYYNXb.d.mts.map

@@ -1 +0,0 @@
-{"version":3,"file":"plugin-DlfYYNXb.d.mts","names":[],"sources":["../src/server.ts","../src/plugin.ts"],"mappings":";;;;;;;KAsYY,MAAA,GAAO,IAAA;;ACnXyB;;;;;;;;UD8X3B,YAAA;EACf,SAAA,GAAY,IAAA;IACV,OAAA,EAAS,OAAA;IACT,KAAA;MACE,KAAA;MACA,MAAA;MACA,aAAA;IAAA;EAAA,MAEE,OAAA;IAAU,KAAA,EAAO,SAAA;IAAa,KAAA;EAAA;AAAA;;;;KCnYjC,aAAA,GAAgB,MAAA;EAAS,GAAA,EAAK,YAAA;AAAA;;;;;;;;;;;;;;iBAkBnB,OAAA,CAAA,GAAW,aAAA;;;;;;;;;;AArBiB;;;;;;;;iBA6C5B,IAAA,CAAK,MAAA,GAAQ,UAAA,GAAkB,MAAA"}

package/dist/server-B7Gdv2He.mjs

@@ -1,2 +0,0 @@
-import{l as e}from"./schema-Je6e5yt2.mjs";import{a as t,l as n}from"./permissions-DREmJByu.mjs";import{createAccessControl as r}from"better-auth/plugins/access";import{sql as i}from"drizzle-orm";import{betterAuth as a}from"better-auth";import{drizzleAdapter as o}from"better-auth/adapters/drizzle";import{APIError as s,createAuthMiddleware as c}from"better-auth/api";import{nextCookies as l}from"better-auth/next-js";import{admin as u}from"better-auth/plugins";import{organization as d}from"better-auth/plugins/organization";function f(e){let t=e?.context?.session,n=t?.user;return{id:n?.id??t?.userId,name:n?.name}}const p=new Set([`updatedAt`,`createdAt`]);function m(e,t){function n(e){t?.log(e).catch(()=>{})}let r=null;return{user:{create:{after:async t=>{try{await e.readWrite.execute(i`UPDATE "user" SET role = 'admin' WHERE id = ${t.id} AND (SELECT COUNT(*) FROM "user") = 1`)}catch{}n({action:`auth.signup`,entityType:`user`,entityId:t.id,userId:t.id,userName:t.name,changes:{fields:{name:t.name,email:t.email}}})}},update:{before:async e=>{let t={};for(let[n,r]of Object.entries(e))p.has(n)||n===`id`||(t[n]=r);r=Object.keys(t).length>0?t:null},after:async(e,t)=>{let i=f(t),a=r;r=null,n({action:`auth.user.update`,entityType:`user`,entityId:e.id,userId:i.id,userName:i.name,changes:a?{fields:a}:void 0,metadata:{targetUser:e.name}})}},delete:{after:async(e,t)=>{let r=f(t);n({action:`auth.user.delete`,entityType:`user`,entityId:e.id,userId:r.id,userName:r.name,metadata:{targetUser:e.name}})}}}}}const h=[`/sign-in/email`,`/sign-in/social`],g={"/change-password":`auth.password.change`,"/forget-password":`auth.password.reset_request`,"/reset-password":`auth.password.reset`},_={"/admin/set-role":`auth.admin.set_role`,"/admin/ban-user":`auth.admin.ban`,"/admin/unban-user":`auth.admin.unban`,"/admin/create-user":`auth.admin.create_user`,"/admin/remove-user":`auth.admin.remove_user`,"/admin/impersonate-user":`auth.admin.impersonate`,"/admin/stop-impersonating":`auth.admin.stop_impersonating`,"/admin/revoke-session":`auth.admin.revoke_session`,"/admin/revoke-sessions":`auth.admin.revoke_sessions`};function v(e){function t(t){e.log(t).catch(()=>{})}return{after:c(async e=>{if(h.some(t=>e.path.startsWith(t))){let n=e.context.returned?.status;if(!n)return;if(n>=400){let r=e.body?.email;t({action:`auth.login.failed`,metadata:{...typeof r==`string`?{email:r}:{},status:n,path:e.path}})}else{let n=e.context.newSession;n?.user?.id&&t({action:`auth.login`,entityType:`user`,entityId:n.user.id,userId:n.user.id,userName:n.user.name})}return}if(e.path===`/sign-out`){let n=e.context.returned;if(!n?.status||n.status<400){let n=f(e);n.id&&t({action:`auth.logout`,entityType:`user`,entityId:n.id,userId:n.id,userName:n.name})}return}let n=g[e.path];if(n){let r=e.context.returned;if(!r?.status||r.status<400){let r=f(e),i=e.body;t({action:n,entityType:`user`,userId:r.id,userName:r.name,metadata:{...typeof i?.email==`string`?{email:i.email}:{},path:e.path}})}return}let r=_[e.path];if(!r)return;let i=e.context.returned;if(i?.status&&i.status>=400)return;let a=f(e),o=e.body;t({action:r,entityType:`user`,entityId:o?.userId??void 0,userId:a.id,userName:a.name,metadata:{targetUserId:o?.userId,...o?.role?{role:o.role}:{},path:e.path}})})}}function y(e){return c(async t=>{if(t.path!==`/sign-up/email`)return;let n=await e.readWrite.execute(i`SELECT COUNT(*)::text as count FROM "user"`);if(Number(n[0]?.count)>0)throw new s(`FORBIDDEN`,{message:`Sign-up is closed`})})}function b(i,s,c){let f=[...s.entities.values()],p=r(n(f)),h=t(p,f),g={};i.social?.google&&(g.google=i.social.google),i.social?.github&&(g.github=i.social.github);let _=i.schema??e;return a({database:o(s.db.readWrite,{provider:`pg`,schema:_}),emailAndPassword:{enabled:i.providers?.includes(`email`)??!0},socialProviders:g,session:{expiresIn:i.session?.expiresIn??3600*2,updateAge:i.session?.updateAge??3600},rateLimit:{enabled:!0,window:60,max:100,storage:`memory`,customRules:{"/sign-in/email":{window:60,max:5},"/sign-in/social":{window:60,max:10},"/sign-up/email":{window:60,max:3},"/forget-password":{window:60,max:3},"/reset-password":{window:60,max:5},"/admin/*":{window:60,max:20}}},databaseHooks:m(s.db,c),hooks:{before:y(s.db),...c?v(c):{}},plugins:[u({ac:p,roles:h,defaultRole:`authenticated`}),...i.organizations?[d({ac:p,roles:h})]:[],...i.betterAuthPlugins??[],l()]})}export{b as createAuthServer};
-//# sourceMappingURL=server-B7Gdv2He.mjs.map

package/dist/server-B7Gdv2He.mjs.map

@@ -1 +0,0 @@
-{"version":3,"file":"server-B7Gdv2He.mjs","names":["defaultAuthSchema"],"sources":["../src/server.ts"],"sourcesContent":["/**\n * Server-side auth instance factory.\n *\n * Creates a configured `betterAuth()` instance using the toolkit's database\n * connection and entity definitions. This is server-only code.\n */\n\nimport type { ToolkitApp } from '@murumets-ee/core'\nimport type { AuditLogger } from '@murumets-ee/logging'\nimport type { Auth as BetterAuthBase, BetterAuthOptions } from 'better-auth'\nimport { betterAuth } from 'better-auth'\nimport { drizzleAdapter } from 'better-auth/adapters/drizzle'\nimport { APIError, createAuthMiddleware } from 'better-auth/api'\nimport { nextCookies } from 'better-auth/next-js'\nimport { admin } from 'better-auth/plugins'\nimport type { Role } from 'better-auth/plugins/access'\nimport { createAccessControl } from 'better-auth/plugins/access'\nimport { organization } from 'better-auth/plugins/organization'\nimport { sql as drizzleSql } from 'drizzle-orm'\nimport { buildDefaultRoles, buildStatements } from './permissions.js'\nimport * as defaultAuthSchema from './schema.js'\nimport type { AdminUser, AuthConfig } from './types.js'\n\n// ---------------------------------------------------------------------------\n// Audit hooks — wired into better-auth's databaseHooks\n// ---------------------------------------------------------------------------\n\n/** Extract acting admin's id and name from better-auth hook context.\n *  ctx is GenericEndpointContext | null — we access session safely via optional chaining. */\nfunction getActor(ctx: unknown) {\n  const session = (ctx as { context?: { session?: Record<string, unknown> } } | null)?.context\n    ?.session\n  const user = session?.user as { id?: string; name?: string } | undefined\n  return {\n    id: user?.id ?? (session?.userId as string | undefined),\n    name: user?.name,\n  }\n}\n\n/** Fields to strip from user update audit payloads */\nconst SKIP_FIELDS = new Set(['updatedAt', 'createdAt'])\n\nfunction buildDatabaseHooks(db: ToolkitApp['db'], auditLogger?: AuditLogger) {\n  /** Fire-and-forget audit — never block auth operations */\n  function audit(entry: Parameters<AuditLogger['log']>[0]) {\n    auditLogger?.log(entry).catch(() => {})\n  }\n\n  // `before` captures changed fields, `after` has full user + actor ctx.\n  // Bridge with a simple variable — updates are sequential per request.\n  let pendingFields: Record<string, unknown> | null = null\n\n  return {\n    user: {\n      create: {\n        after: async (user: Record<string, unknown>) => {\n          // Auto-promote first user to admin (fresh DB setup).\n          // Single atomic statement — if two signups race, only one sees count=1.\n          try {\n            await db.readWrite.execute(\n              drizzleSql`UPDATE \"user\" SET role = 'admin' WHERE id = ${user.id as string} AND (SELECT COUNT(*) FROM \"user\") = 1`,\n            )\n          } catch {\n            // Non-fatal — don't block signup if promotion fails\n          }\n\n          // Signup — actor is the new user themselves\n          audit({\n            action: 'auth.signup',\n            entityType: 'user',\n            entityId: user.id as string,\n            userId: user.id as string,\n            userName: user.name as string,\n            changes: {\n              fields: { name: user.name, email: user.email },\n            },\n          })\n        },\n      },\n      update: {\n        // `before` receives only the changed fields — capture them\n        before: async (userData: Record<string, unknown>) => {\n          const fields: Record<string, unknown> = {}\n          for (const [key, value] of Object.entries(userData)) {\n            if (SKIP_FIELDS.has(key) || key === 'id') continue\n            fields[key] = value\n          }\n          pendingFields = Object.keys(fields).length > 0 ? fields : null\n        },\n        // `after` has full user (name) + ctx (actor session) — log everything\n        after: async (user: Record<string, unknown>, ctx: unknown) => {\n          const actor = getActor(ctx)\n          const fields = pendingFields\n          pendingFields = null\n          audit({\n            action: 'auth.user.update',\n            entityType: 'user',\n            entityId: user.id as string,\n            userId: actor.id,\n            userName: actor.name,\n            changes: fields ? { fields } : undefined,\n            metadata: {\n              targetUser: user.name as string | undefined,\n            },\n          })\n        },\n      },\n      delete: {\n        after: async (user: Record<string, unknown>, ctx: unknown) => {\n          const actor = getActor(ctx)\n          audit({\n            action: 'auth.user.delete',\n            entityType: 'user',\n            entityId: user.id as string,\n            userId: actor.id,\n            userName: actor.name,\n            metadata: {\n              targetUser: user.name as string | undefined,\n            },\n          })\n        },\n      },\n    },\n  }\n}\n\n// ---------------------------------------------------------------------------\n// Request-level hooks — catches failed logins, password changes, etc.\n// ---------------------------------------------------------------------------\n\n/** Auth paths where a non-2xx response means a failed attempt worth logging */\nconst SIGN_IN_PATHS = ['/sign-in/email', '/sign-in/social']\n\n/** Auth paths for session/password lifecycle events */\nconst SIGN_OUT_PATH = '/sign-out'\nconst PASSWORD_PATHS: Record<string, string> = {\n  '/change-password': 'auth.password.change',\n  '/forget-password': 'auth.password.reset_request',\n  '/reset-password': 'auth.password.reset',\n}\n\n/** Paths that should be audit-logged when successful */\nconst AUDIT_ADMIN_PATHS: Record<string, string> = {\n  '/admin/set-role': 'auth.admin.set_role',\n  '/admin/ban-user': 'auth.admin.ban',\n  '/admin/unban-user': 'auth.admin.unban',\n  '/admin/create-user': 'auth.admin.create_user',\n  '/admin/remove-user': 'auth.admin.remove_user',\n  '/admin/impersonate-user': 'auth.admin.impersonate',\n  '/admin/stop-impersonating': 'auth.admin.stop_impersonating',\n  '/admin/revoke-session': 'auth.admin.revoke_session',\n  '/admin/revoke-sessions': 'auth.admin.revoke_sessions',\n}\n\nfunction buildRequestHooks(auditLogger: AuditLogger) {\n  function audit(entry: Parameters<AuditLogger['log']>[0]) {\n    auditLogger.log(entry).catch(() => {})\n  }\n\n  return {\n    after: createAuthMiddleware(async (ctx) => {\n      // --- Login attempt logging ---\n      const isSignIn = SIGN_IN_PATHS.some((p) => ctx.path.startsWith(p))\n      if (isSignIn) {\n        const returned = ctx.context.returned as { status?: number } | undefined\n        const status = returned?.status\n        if (!status) return\n\n        if (status >= 400) {\n          const email = (ctx.body as Record<string, unknown> | undefined)?.email\n          audit({\n            action: 'auth.login.failed',\n            metadata: {\n              ...(typeof email === 'string' ? { email } : {}),\n              status,\n              path: ctx.path,\n            },\n          })\n        } else {\n          const newSession = ctx.context.newSession as\n            | { user?: { id?: string; name?: string } }\n            | undefined\n          if (newSession?.user?.id) {\n            audit({\n              action: 'auth.login',\n              entityType: 'user',\n              entityId: newSession.user.id,\n              userId: newSession.user.id,\n              userName: newSession.user.name,\n            })\n          }\n        }\n        return\n      }\n\n      // --- Logout logging ---\n      if (ctx.path === SIGN_OUT_PATH) {\n        const returned = ctx.context.returned as { status?: number } | undefined\n        if (!returned?.status || returned.status < 400) {\n          const actor = getActor(ctx)\n          if (actor.id) {\n            audit({\n              action: 'auth.logout',\n              entityType: 'user',\n              entityId: actor.id,\n              userId: actor.id,\n              userName: actor.name,\n            })\n          }\n        }\n        return\n      }\n\n      // --- Password change/reset logging ---\n      const passwordAction = PASSWORD_PATHS[ctx.path]\n      if (passwordAction) {\n        const returned = ctx.context.returned as { status?: number } | undefined\n        if (!returned?.status || returned.status < 400) {\n          const actor = getActor(ctx)\n          const body = ctx.body as Record<string, unknown> | undefined\n          audit({\n            action: passwordAction,\n            entityType: 'user',\n            userId: actor.id,\n            userName: actor.name,\n            metadata: {\n              // For reset requests, log the email (not sensitive — it's the input)\n              ...(typeof body?.email === 'string' ? { email: body.email } : {}),\n              path: ctx.path,\n            },\n          })\n        }\n        return\n      }\n\n      // --- Admin operation audit logging (impersonation, role changes, bans, etc.) ---\n      const auditAction = AUDIT_ADMIN_PATHS[ctx.path]\n      if (!auditAction) return\n\n      const returned = ctx.context.returned as { status?: number } | undefined\n      if (returned?.status && returned.status >= 400) return // failed — skip\n\n      const actor = getActor(ctx)\n      const body = ctx.body as Record<string, unknown> | undefined\n      audit({\n        action: auditAction,\n        entityType: 'user',\n        entityId: (body?.userId as string) ?? undefined,\n        userId: actor.id,\n        userName: actor.name,\n        metadata: {\n          targetUserId: body?.userId as string | undefined,\n          ...(body?.role ? { role: body.role as string } : {}),\n          path: ctx.path,\n        },\n      })\n    }),\n  }\n}\n\n// ---------------------------------------------------------------------------\n// Signup gate — closes registration after the first user exists\n// ---------------------------------------------------------------------------\n\nfunction buildSignupGate(db: ToolkitApp['db']) {\n  return createAuthMiddleware(async (ctx) => {\n    if (ctx.path !== '/sign-up/email') return\n    const result = await db.readWrite.execute<{ count: string }>(\n      drizzleSql`SELECT COUNT(*)::text as count FROM \"user\"`,\n    )\n    if (Number(result[0]?.count) > 0) {\n      throw new APIError('FORBIDDEN', { message: 'Sign-up is closed' })\n    }\n  })\n}\n\n// ---------------------------------------------------------------------------\n// Server factory\n// ---------------------------------------------------------------------------\n\n/**\n * Create a better-auth server instance wired to the toolkit.\n *\n * Called during plugin init — the returned instance powers:\n * - `auth.api.getSession()` for session resolution\n * - `auth.api.listUsers()` for admin user management\n * - Route handler via `toNextJsHandler(auth)`\n *\n * IMPORTANT: Plugins are inlined in the `betterAuth()` call so TypeScript\n * preserves the literal plugin types. Extracting them into a `BetterAuthPlugin[]`\n * variable erases specific endpoint types (admin, organization, etc.).\n *\n * The explicit `BetterAuthBase` return type annotation is required because\n * better-auth 1.6's internals use zod@4 types that tsdown's dts generator\n * cannot name portably across pnpm's `.pnpm/zod@4.x` symlink paths (TS2742).\n * The annotation widens to better-auth's generic `Auth` type — specific\n * plugin endpoint types (`auth.api.listUsers` etc.) are still accessible\n * because better-auth's `InferAPI` helper resolves them at the consumer's\n * compile time against their installed better-auth version.\n */\nexport function createAuthServer(\n  config: AuthConfig,\n  app: ToolkitApp,\n  auditLogger?: AuditLogger,\n): BetterAuthBase {\n  const entities = [...app.entities.values()]\n  const statement = buildStatements(entities)\n  const ac = createAccessControl(statement)\n  const roles: Record<string, Role> = buildDefaultRoles(ac, entities)\n\n  // Build social provider config\n  const socialProviders: Record<string, { clientId: string; clientSecret: string }> = {}\n  if (config.social?.google) {\n    socialProviders.google = config.social.google\n  }\n  if (config.social?.github) {\n    socialProviders.github = config.social.github\n  }\n\n  // Plugins are inlined so TS infers the literal tuple type.\n  // DO NOT extract into a typed variable — `BetterAuthPlugin[]` erases endpoint types.\n  // nextCookies() must be last — required for Next.js server actions.\n  // Default to the pre-baked schema from `@murumets-ee/auth/schema` so\n  // consumers don't need to generate one with `@better-auth/cli`. They\n  // can still override via `auth({ schema: customSchema })` if they've\n  // extended better-auth with plugins that add tables.\n  const schema = config.schema ?? defaultAuthSchema\n\n  // Widen the config to BetterAuthOptions so betterAuth() returns\n  // Auth<BetterAuthOptions> (= BetterAuthBase). This is required because:\n  //   1. Without a return type annotation, tsdown fails with TS2742\n  //      (zod@4 internal types can't be named portably in .d.mts)\n  //   2. The admin plugin with custom ac/roles makes Auth<SpecificConfig>\n  //      structurally incompatible with Auth (better-auth#8855)\n  // Widening the config erases plugin-specific API types at compile time,\n  // but plugin endpoints (listUsers, etc.) are fully functional at runtime.\n  // Consumers already access them via typed wrappers in AdminPagesConfig.\n  const authOptions: BetterAuthOptions = {\n    database: drizzleAdapter(app.db.readWrite, {\n      provider: 'pg',\n      schema,\n    }),\n\n    emailAndPassword: {\n      enabled: config.providers?.includes('email') ?? true,\n    },\n\n    socialProviders,\n\n    session: {\n      expiresIn: config.session?.expiresIn ?? 60 * 60 * 2, // 2 hours (admin CMS — short-lived)\n      updateAge: config.session?.updateAge ?? 60 * 60, // 1 hour\n    },\n\n    // Rate limiting — strict on sensitive paths, relaxed global default\n    rateLimit: {\n      enabled: true,\n      window: 60, // 60s global window\n      max: 100, // 100 req/min default\n      storage: 'memory',\n      customRules: {\n        '/sign-in/email': { window: 60, max: 5 }, // 5 login attempts/min\n        '/sign-in/social': { window: 60, max: 10 },\n        '/sign-up/email': { window: 60, max: 3 }, // 3 signups/min\n        '/forget-password': { window: 60, max: 3 }, // 3 resets/min\n        '/reset-password': { window: 60, max: 5 },\n        '/admin/*': { window: 60, max: 20 }, // admin ops capped\n      },\n    },\n\n    databaseHooks: buildDatabaseHooks(app.db, auditLogger),\n    hooks: {\n      before: buildSignupGate(app.db),\n      ...(auditLogger ? buildRequestHooks(auditLogger) : {}),\n    },\n\n    plugins: [\n      admin({ ac, roles, defaultRole: 'authenticated' }),\n      ...(config.organizations ? [organization({ ac, roles })] : []),\n      ...(config.betterAuthPlugins ?? []),\n      nextCookies(),\n    ],\n  }\n\n  return betterAuth(authOptions)\n}\n\n/** Type of the auth server instance. Aliased from better-auth's generic\n *  `Auth` because the explicit annotation on `createAuthServer` means\n *  `ReturnType<typeof createAuthServer>` is already `BetterAuthBase`. */\nexport type Auth = BetterAuthBase\n\n/**\n * Structural interface for the server-side admin API methods.\n *\n * The widened `Auth` type (BetterAuthBase) doesn't expose admin plugin\n * endpoints. This interface describes just the methods consumers need\n * so they can access them without `as any`.\n *\n * Usage: `(auth.api as AuthAdminApi).listUsers(...)`\n */\nexport interface AuthAdminApi {\n  listUsers: (opts: {\n    headers: Headers\n    query: {\n      limit: number\n      sortBy: string\n      sortDirection: 'asc' | 'desc'\n    }\n  }) => Promise<{ users: AdminUser[]; total: number }>\n}\n"],"mappings":"6gBA6BA,SAAS,EAAS,EAAc,CAC9B,IAAM,EAAW,GAAoE,SACjF,QACE,EAAO,GAAS,KACtB,MAAO,CACL,GAAI,GAAM,IAAO,GAAS,OAC1B,KAAM,GAAM,KACb,CAIH,MAAM,EAAc,IAAI,IAAI,CAAC,YAAa,YAAY,CAAC,CAEvD,SAAS,EAAmB,EAAsB,EAA2B,CAE3E,SAAS,EAAM,EAA0C,CACvD,GAAa,IAAI,EAAM,CAAC,UAAY,GAAG,CAKzC,IAAI,EAAgD,KAEpD,MAAO,CACL,KAAM,CACJ,OAAQ,CACN,MAAO,KAAO,IAAkC,CAG9C,GAAI,CACF,MAAM,EAAG,UAAU,QACjB,CAAU,+CAA+C,EAAK,GAAa,wCAC5E,MACK,EAKR,EAAM,CACJ,OAAQ,cACR,WAAY,OACZ,SAAU,EAAK,GACf,OAAQ,EAAK,GACb,SAAU,EAAK,KACf,QAAS,CACP,OAAQ,CAAE,KAAM,EAAK,KAAM,MAAO,EAAK,MAAO,CAC/C,CACF,CAAC,EAEL,CACD,OAAQ,CAEN,OAAQ,KAAO,IAAsC,CACnD,IAAM,EAAkC,EAAE,CAC1C,IAAK,GAAM,CAAC,EAAK,KAAU,OAAO,QAAQ,EAAS,CAC7C,EAAY,IAAI,EAAI,EAAI,IAAQ,OACpC,EAAO,GAAO,GAEhB,EAAgB,OAAO,KAAK,EAAO,CAAC,OAAS,EAAI,EAAS,MAG5D,MAAO,MAAO,EAA+B,IAAiB,CAC5D,IAAM,EAAQ,EAAS,EAAI,CACrB,EAAS,EACf,EAAgB,KAChB,EAAM,CACJ,OAAQ,mBACR,WAAY,OACZ,SAAU,EAAK,GACf,OAAQ,EAAM,GACd,SAAU,EAAM,KAChB,QAAS,EAAS,CAAE,SAAQ,CAAG,IAAA,GAC/B,SAAU,CACR,WAAY,EAAK,KAClB,CACF,CAAC,EAEL,CACD,OAAQ,CACN,MAAO,MAAO,EAA+B,IAAiB,CAC5D,IAAM,EAAQ,EAAS,EAAI,CAC3B,EAAM,CACJ,OAAQ,mBACR,WAAY,OACZ,SAAU,EAAK,GACf,OAAQ,EAAM,GACd,SAAU,EAAM,KAChB,SAAU,CACR,WAAY,EAAK,KAClB,CACF,CAAC,EAEL,CACF,CACF,CAQH,MAAM,EAAgB,CAAC,iBAAkB,kBAAkB,CAIrD,EAAyC,CAC7C,mBAAoB,uBACpB,mBAAoB,8BACpB,kBAAmB,sBACpB,CAGK,EAA4C,CAChD,kBAAmB,sBACnB,kBAAmB,iBACnB,oBAAqB,mBACrB,qBAAsB,yBACtB,qBAAsB,yBACtB,0BAA2B,yBAC3B,4BAA6B,gCAC7B,wBAAyB,4BACzB,yBAA0B,6BAC3B,CAED,SAAS,EAAkB,EAA0B,CACnD,SAAS,EAAM,EAA0C,CACvD,EAAY,IAAI,EAAM,CAAC,UAAY,GAAG,CAGxC,MAAO,CACL,MAAO,EAAqB,KAAO,IAAQ,CAGzC,GADiB,EAAc,KAAM,GAAM,EAAI,KAAK,WAAW,EAAE,CAAC,CACpD,CAEZ,IAAM,EADW,EAAI,QAAQ,UACJ,OACzB,GAAI,CAAC,EAAQ,OAEb,GAAI,GAAU,IAAK,CACjB,IAAM,EAAS,EAAI,MAA8C,MACjE,EAAM,CACJ,OAAQ,oBACR,SAAU,CACR,GAAI,OAAO,GAAU,SAAW,CAAE,QAAO,CAAG,EAAE,CAC9C,SACA,KAAM,EAAI,KACX,CACF,CAAC,KACG,CACL,IAAM,EAAa,EAAI,QAAQ,WAG3B,GAAY,MAAM,IACpB,EAAM,CACJ,OAAQ,aACR,WAAY,OACZ,SAAU,EAAW,KAAK,GAC1B,OAAQ,EAAW,KAAK,GACxB,SAAU,EAAW,KAAK,KAC3B,CAAC,CAGN,OAIF,GAAI,EAAI,OAAS,YAAe,CAC9B,IAAM,EAAW,EAAI,QAAQ,SAC7B,GAAI,CAAC,GAAU,QAAU,EAAS,OAAS,IAAK,CAC9C,IAAM,EAAQ,EAAS,EAAI,CACvB,EAAM,IACR,EAAM,CACJ,OAAQ,cACR,WAAY,OACZ,SAAU,EAAM,GAChB,OAAQ,EAAM,GACd,SAAU,EAAM,KACjB,CAAC,CAGN,OAIF,IAAM,EAAiB,EAAe,EAAI,MAC1C,GAAI,EAAgB,CAClB,IAAM,EAAW,EAAI,QAAQ,SAC7B,GAAI,CAAC,GAAU,QAAU,EAAS,OAAS,IAAK,CAC9C,IAAM,EAAQ,EAAS,EAAI,CACrB,EAAO,EAAI,KACjB,EAAM,CACJ,OAAQ,EACR,WAAY,OACZ,OAAQ,EAAM,GACd,SAAU,EAAM,KAChB,SAAU,CAER,GAAI,OAAO,GAAM,OAAU,SAAW,CAAE,MAAO,EAAK,MAAO,CAAG,EAAE,CAChE,KAAM,EAAI,KACX,CACF,CAAC,CAEJ,OAIF,IAAM,EAAc,EAAkB,EAAI,MAC1C,GAAI,CAAC,EAAa,OAElB,IAAM,EAAW,EAAI,QAAQ,SAC7B,GAAI,GAAU,QAAU,EAAS,QAAU,IAAK,OAEhD,IAAM,EAAQ,EAAS,EAAI,CACrB,EAAO,EAAI,KACjB,EAAM,CACJ,OAAQ,EACR,WAAY,OACZ,SAAW,GAAM,QAAqB,IAAA,GACtC,OAAQ,EAAM,GACd,SAAU,EAAM,KAChB,SAAU,CACR,aAAc,GAAM,OACpB,GAAI,GAAM,KAAO,CAAE,KAAM,EAAK,KAAgB,CAAG,EAAE,CACnD,KAAM,EAAI,KACX,CACF,CAAC,EACF,CACH,CAOH,SAAS,EAAgB,EAAsB,CAC7C,OAAO,EAAqB,KAAO,IAAQ,CACzC,GAAI,EAAI,OAAS,iBAAkB,OACnC,IAAM,EAAS,MAAM,EAAG,UAAU,QAChC,CAAU,6CACX,CACD,GAAI,OAAO,EAAO,IAAI,MAAM,CAAG,EAC7B,MAAM,IAAI,EAAS,YAAa,CAAE,QAAS,oBAAqB,CAAC,EAEnE,CA2BJ,SAAgB,EACd,EACA,EACA,EACgB,CAChB,IAAM,EAAW,CAAC,GAAG,EAAI,SAAS,QAAQ,CAAC,CAErC,EAAK,EADO,EAAgB,EAAS,CACF,CACnC,EAA8B,EAAkB,EAAI,EAAS,CAG7D,EAA8E,EAAE,CAClF,EAAO,QAAQ,SACjB,EAAgB,OAAS,EAAO,OAAO,QAErC,EAAO,QAAQ,SACjB,EAAgB,OAAS,EAAO,OAAO,QAUzC,IAAM,EAAS,EAAO,QAAUA,EA0DhC,OAAO,EA/CgC,CACrC,SAAU,EAAe,EAAI,GAAG,UAAW,CACzC,SAAU,KACV,SACD,CAAC,CAEF,iBAAkB,CAChB,QAAS,EAAO,WAAW,SAAS,QAAQ,EAAI,GACjD,CAED,kBAEA,QAAS,CACP,UAAW,EAAO,SAAS,WAAa,KAAU,EAClD,UAAW,EAAO,SAAS,WAAa,KACzC,CAGD,UAAW,CACT,QAAS,GACT,OAAQ,GACR,IAAK,IACL,QAAS,SACT,YAAa,CACX,iBAAkB,CAAE,OAAQ,GAAI,IAAK,EAAG,CACxC,kBAAmB,CAAE,OAAQ,GAAI,IAAK,GAAI,CAC1C,iBAAkB,CAAE,OAAQ,GAAI,IAAK,EAAG,CACxC,mBAAoB,CAAE,OAAQ,GAAI,IAAK,EAAG,CAC1C,kBAAmB,CAAE,OAAQ,GAAI,IAAK,EAAG,CACzC,WAAY,CAAE,OAAQ,GAAI,IAAK,GAAI,CACpC,CACF,CAED,cAAe,EAAmB,EAAI,GAAI,EAAY,CACtD,MAAO,CACL,OAAQ,EAAgB,EAAI,GAAG,CAC/B,GAAI,EAAc,EAAkB,EAAY,CAAG,EAAE,CACtD,CAED,QAAS,CACP,EAAM,CAAE,KAAI,QAAO,YAAa,gBAAiB,CAAC,CAClD,GAAI,EAAO,cAAgB,CAAC,EAAa,CAAE,KAAI,QAAO,CAAC,CAAC,CAAG,EAAE,CAC7D,GAAI,EAAO,mBAAqB,EAAE,CAClC,GAAa,CACd,CACF,CAE6B"}