@murumets-ee/auth 0.5.1 → 0.6.1

package/dist/index.d.mts

@@ -1,5 +1,5 @@
 import { n as AuthConfig, t as AdminUser } from "./types-Dl_sE_9S.mjs";
-import { a as AuthAdminApi, i as Auth, n as getAuth, r as isSignupEnabled, t as auth } from "./plugin-BY4sYim9.mjs";
+import { a as isSignupEnabled, c as createAuthServer, i as getAuth, n as _setAuth, o as Auth, r as _setAuthConfig, s as AuthAdminApi } from "./runtime-DRrHqQiA.mjs";
 import { createAccessControl } from "better-auth/plugins/access";
 import * as _$better_auth_plugins0 from "better-auth/plugins";
 import { PermissionChecker, RequestContext } from "@murumets-ee/core";
@@ -155,5 +155,5 @@ interface UpsertResult {
  */
 declare function upsertBuiltInRoles(read: () => Promise<RoleMap | null | undefined>, write: (roles: RoleMap) => Promise<void>): Promise<UpsertResult>;
 //#endregion
-export { ACTIONS, ACTIONS_WITH_PUBLISH, type AdminUser, type Auth, type AuthAdminApi, type AuthConfig, BUILT_IN_ROLES, METHOD_TO_ACTION, type RoleMap, type UpsertResult, auth, buildDefaultRoles, buildInitialRoleDefinitions, buildPermissionChecker, buildResourceCatalog, buildStatements, createAccessControl, getAuth, isSignupEnabled, resolveAuthContext, upsertBuiltInRoles };
+export { ACTIONS, ACTIONS_WITH_PUBLISH, type AdminUser, type Auth, type AuthAdminApi, type AuthConfig, BUILT_IN_ROLES, METHOD_TO_ACTION, type RoleMap, type UpsertResult, _setAuth, _setAuthConfig, buildDefaultRoles, buildInitialRoleDefinitions, buildPermissionChecker, buildResourceCatalog, buildStatements, createAccessControl, createAuthServer, getAuth, isSignupEnabled, resolveAuthContext, upsertBuiltInRoles };
 //# sourceMappingURL=index.d.mts.map

package/dist/index.mjs

@@ -1,2 +1,2 @@
-import{a as e,c as t,i as n,l as r,n as i,o as a,r as o,s,t as c,u as l}from"./permissions-DYBlqpv3.mjs";import{auth as u,getAuth as d,isSignupEnabled as f}from"./plugin.mjs";import"server-only";async function p(e,t){let n=await e.api.getSession({headers:t});return n?{user:{id:n.user.id,groups:[n.user.role??`viewer`],name:n.user.name??void 0,email:n.user.email??void 0},requestId:crypto.randomUUID()}:{requestId:crypto.randomUUID()}}async function m(e,t){let n=await e()??{},r=a(),i={...n},o=[];for(let[e,t]of Object.entries(r))e in i||(i[e]=t,o.push(e));return o.length>0&&await t(i),{created:o.length,roles:o}}export{c as ACTIONS,i as ACTIONS_WITH_PUBLISH,o as BUILT_IN_ROLES,n as METHOD_TO_ACTION,u as auth,e as buildDefaultRoles,a as buildInitialRoleDefinitions,s as buildPermissionChecker,t as buildResourceCatalog,r as buildStatements,l as createAccessControl,d as getAuth,f as isSignupEnabled,p as resolveAuthContext,m as upsertBuiltInRoles};
+import{a as e,c as t,i as n,l as r,n as i,o as a,r as o,s,t as c,u as l}from"./permissions-DYBlqpv3.mjs";import{a as u,i as d,n as f,r as p,t as m}from"./runtime-CGqmBcZB.mjs";import"server-only";async function h(e,t){let n=await e.api.getSession({headers:t});return n?{user:{id:n.user.id,groups:[n.user.role??`viewer`],name:n.user.name??void 0,email:n.user.email??void 0},requestId:crypto.randomUUID()}:{requestId:crypto.randomUUID()}}async function g(e,t){let n=await e()??{},r=a(),i={...n},o=[];for(let[e,t]of Object.entries(r))e in i||(i[e]=t,o.push(e));return o.length>0&&await t(i),{created:o.length,roles:o}}export{c as ACTIONS,i as ACTIONS_WITH_PUBLISH,o as BUILT_IN_ROLES,n as METHOD_TO_ACTION,m as _setAuth,f as _setAuthConfig,e as buildDefaultRoles,a as buildInitialRoleDefinitions,s as buildPermissionChecker,t as buildResourceCatalog,r as buildStatements,l as createAccessControl,u as createAuthServer,p as getAuth,d as isSignupEnabled,h as resolveAuthContext,g as upsertBuiltInRoles};
 //# sourceMappingURL=index.mjs.map

package/dist/index.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"index.mjs","names":[],"sources":["../src/context.ts","../src/seed-roles.ts"],"sourcesContent":["/**\n * Bridge between better-auth sessions and the toolkit's RequestContext.\n *\n * This is the critical integration point: it resolves a better-auth session\n * from request headers and returns a toolkit RequestContext that the entity\n * system's AdminClient, QueryClient, and auditable behavior can read.\n */\n\nimport type { RequestContext } from '@murumets-ee/core'\nimport type { Auth } from './server.js'\n\n/**\n * Resolve a better-auth session into a toolkit RequestContext.\n *\n * Call this from your Next.js middleware or server component to populate\n * the toolkit's AsyncLocalStorage context.\n *\n * @example\n * ```typescript\n * // middleware.ts (user writes this — documented copy-paste)\n * import { getAuth, resolveAuthContext } from '@murumets-ee/auth'\n * import { runWithContext } from '@murumets-ee/core'\n *\n * export async function middleware(request: NextRequest) {\n *   const auth = getAuth()\n *   const ctx = await resolveAuthContext(auth, request.headers)\n *   return runWithContext(ctx, () => NextResponse.next())\n * }\n * ```\n */\nexport async function resolveAuthContext(auth: Auth, headers: Headers): Promise<RequestContext> {\n  const session = await auth.api.getSession({ headers })\n\n  if (!session) {\n    return { requestId: crypto.randomUUID() }\n  }\n\n  return {\n    user: {\n      id: session.user.id,\n      // The admin plugin stores role on the user object\n      groups: [((session.user as Record<string, unknown>).role as string) ?? 'viewer'],\n      name: session.user.name ?? undefined,\n      email: session.user.email ?? undefined,\n    },\n    requestId: crypto.randomUUID(),\n  }\n}\n","/**\n * Idempotent seeder that adds missing built-in roles (e.g. `agent`) to an\n * existing deployment's permission settings.\n *\n * `buildInitialRoleDefinitions` only runs on first-time admin-api-init —\n * deployments created before a new built-in role was added (like the\n * ticketing `agent` role shipped 2026-04-20) will never get it automatically.\n * This helper lets consumers wire a one-shot seeder on the Seed page that\n * merges any missing roles into their saved settings without overwriting\n * customizations.\n *\n * Usage (app-side seeder):\n *\n * ```ts\n * import { upsertBuiltInRoles } from '@murumets-ee/auth'\n * import { createSettingsClient } from '@murumets-ee/settings'\n * import { getApp } from '@murumets-ee/core'\n * import { permissionSettings } from '@/settings'\n *\n * export async function seedRoles(): Promise<{ created: number }> {\n *   const client = createSettingsClient(permissionSettings, { app: getApp() })\n *   const { created } = await upsertBuiltInRoles(\n *     () => client.get('roles'),\n *     (roles) => client.set('roles', roles),\n *   )\n *   return { created }\n * }\n * ```\n */\n\nimport { buildInitialRoleDefinitions } from './permissions.js'\n\nexport type RoleMap = Record<string, Record<string, string[]>>\n\nexport interface UpsertResult {\n  /** Number of role keys added (0 if all built-ins were already present). */\n  created: number\n  /** Names of roles that were added. */\n  roles: string[]\n}\n\n/**\n * Merge the default built-in role definitions into the caller's persisted\n * role map, adding any missing ones. Existing entries are left untouched —\n * the point is to bootstrap new built-ins, not to reset customizations.\n */\nexport async function upsertBuiltInRoles(\n  read: () => Promise<RoleMap | null | undefined>,\n  write: (roles: RoleMap) => Promise<void>,\n): Promise<UpsertResult> {\n  const saved = (await read()) ?? {}\n  const defaults = buildInitialRoleDefinitions()\n  const next: RoleMap = { ...saved }\n  const added: string[] = []\n  for (const [name, perms] of Object.entries(defaults)) {\n    if (!(name in next)) {\n      next[name] = perms\n      added.push(name)\n    }\n  }\n  if (added.length > 0) {\n    await write(next)\n  }\n  return { created: added.length, roles: added }\n}\n"],"mappings":"mMA8BA,eAAsB,EAAmB,EAAY,EAA2C,CAC9F,IAAM,EAAU,MAAM,EAAK,IAAI,WAAW,CAAE,UAAS,CAAC,CAMtD,OAJK,EAIE,CACL,KAAM,CACJ,GAAI,EAAQ,KAAK,GAEjB,OAAQ,CAAG,EAAQ,KAAiC,MAAmB,SAAS,CAChF,KAAM,EAAQ,KAAK,MAAQ,IAAA,GAC3B,MAAO,EAAQ,KAAK,OAAS,IAAA,GAC9B,CACD,UAAW,OAAO,YAAY,CAC/B,CAZQ,CAAE,UAAW,OAAO,YAAY,CAAE,CCY7C,eAAsB,EACpB,EACA,EACuB,CACvB,IAAM,EAAS,MAAM,GAAM,EAAK,EAAE,CAC5B,EAAW,GAA6B,CACxC,EAAgB,CAAE,GAAG,EAAO,CAC5B,EAAkB,EAAE,CAC1B,IAAK,GAAM,CAAC,EAAM,KAAU,OAAO,QAAQ,EAAS,CAC5C,KAAQ,IACZ,EAAK,GAAQ,EACb,EAAM,KAAK,EAAK,EAMpB,OAHI,EAAM,OAAS,GACjB,MAAM,EAAM,EAAK,CAEZ,CAAE,QAAS,EAAM,OAAQ,MAAO,EAAO"}
+{"version":3,"file":"index.mjs","names":[],"sources":["../src/context.ts","../src/seed-roles.ts"],"sourcesContent":["/**\n * Bridge between better-auth sessions and the toolkit's RequestContext.\n *\n * This is the critical integration point: it resolves a better-auth session\n * from request headers and returns a toolkit RequestContext that the entity\n * system's AdminClient, QueryClient, and auditable behavior can read.\n */\n\nimport type { RequestContext } from '@murumets-ee/core'\nimport type { Auth } from './server.js'\n\n/**\n * Resolve a better-auth session into a toolkit RequestContext.\n *\n * Call this from your Next.js middleware or server component to populate\n * the toolkit's AsyncLocalStorage context.\n *\n * @example\n * ```typescript\n * // middleware.ts (user writes this — documented copy-paste)\n * import { getAuth, resolveAuthContext } from '@murumets-ee/auth'\n * import { runWithContext } from '@murumets-ee/core'\n *\n * export async function middleware(request: NextRequest) {\n *   const auth = getAuth()\n *   const ctx = await resolveAuthContext(auth, request.headers)\n *   return runWithContext(ctx, () => NextResponse.next())\n * }\n * ```\n */\nexport async function resolveAuthContext(auth: Auth, headers: Headers): Promise<RequestContext> {\n  const session = await auth.api.getSession({ headers })\n\n  if (!session) {\n    return { requestId: crypto.randomUUID() }\n  }\n\n  return {\n    user: {\n      id: session.user.id,\n      // The admin plugin stores role on the user object\n      groups: [((session.user as Record<string, unknown>).role as string) ?? 'viewer'],\n      name: session.user.name ?? undefined,\n      email: session.user.email ?? undefined,\n    },\n    requestId: crypto.randomUUID(),\n  }\n}\n","/**\n * Idempotent seeder that adds missing built-in roles (e.g. `agent`) to an\n * existing deployment's permission settings.\n *\n * `buildInitialRoleDefinitions` only runs on first-time admin-api-init —\n * deployments created before a new built-in role was added (like the\n * ticketing `agent` role shipped 2026-04-20) will never get it automatically.\n * This helper lets consumers wire a one-shot seeder on the Seed page that\n * merges any missing roles into their saved settings without overwriting\n * customizations.\n *\n * Usage (app-side seeder):\n *\n * ```ts\n * import { upsertBuiltInRoles } from '@murumets-ee/auth'\n * import { createSettingsClient } from '@murumets-ee/settings'\n * import { getApp } from '@murumets-ee/core'\n * import { permissionSettings } from '@/settings'\n *\n * export async function seedRoles(): Promise<{ created: number }> {\n *   const client = createSettingsClient(permissionSettings, { app: getApp() })\n *   const { created } = await upsertBuiltInRoles(\n *     () => client.get('roles'),\n *     (roles) => client.set('roles', roles),\n *   )\n *   return { created }\n * }\n * ```\n */\n\nimport { buildInitialRoleDefinitions } from './permissions.js'\n\nexport type RoleMap = Record<string, Record<string, string[]>>\n\nexport interface UpsertResult {\n  /** Number of role keys added (0 if all built-ins were already present). */\n  created: number\n  /** Names of roles that were added. */\n  roles: string[]\n}\n\n/**\n * Merge the default built-in role definitions into the caller's persisted\n * role map, adding any missing ones. Existing entries are left untouched —\n * the point is to bootstrap new built-ins, not to reset customizations.\n */\nexport async function upsertBuiltInRoles(\n  read: () => Promise<RoleMap | null | undefined>,\n  write: (roles: RoleMap) => Promise<void>,\n): Promise<UpsertResult> {\n  const saved = (await read()) ?? {}\n  const defaults = buildInitialRoleDefinitions()\n  const next: RoleMap = { ...saved }\n  const added: string[] = []\n  for (const [name, perms] of Object.entries(defaults)) {\n    if (!(name in next)) {\n      next[name] = perms\n      added.push(name)\n    }\n  }\n  if (added.length > 0) {\n    await write(next)\n  }\n  return { created: added.length, roles: added }\n}\n"],"mappings":"oMA8BA,eAAsB,EAAmB,EAAY,EAA2C,CAC9F,IAAM,EAAU,MAAM,EAAK,IAAI,WAAW,CAAE,UAAS,CAAC,CAMtD,OAJK,EAIE,CACL,KAAM,CACJ,GAAI,EAAQ,KAAK,GAEjB,OAAQ,CAAG,EAAQ,KAAiC,MAAmB,SAAS,CAChF,KAAM,EAAQ,KAAK,MAAQ,IAAA,GAC3B,MAAO,EAAQ,KAAK,OAAS,IAAA,GAC9B,CACD,UAAW,OAAO,YAAY,CAC/B,CAZQ,CAAE,UAAW,OAAO,YAAY,CAAE,CCY7C,eAAsB,EACpB,EACA,EACuB,CACvB,IAAM,EAAS,MAAM,GAAM,EAAK,EAAE,CAC5B,EAAW,GAA6B,CACxC,EAAgB,CAAE,GAAG,EAAO,CAC5B,EAAkB,EAAE,CAC1B,IAAK,GAAM,CAAC,EAAM,KAAU,OAAO,QAAQ,EAAS,CAC5C,KAAQ,IACZ,EAAK,GAAQ,EACb,EAAM,KAAK,EAAK,EAMpB,OAHI,EAAM,OAAS,GACjB,MAAM,EAAM,EAAK,CAEZ,CAAE,QAAS,EAAM,OAAQ,MAAO,EAAO"}

package/dist/{server-juwZw1e-.mjs → runtime-CGqmBcZB.mjs}

@@ -1,2 +1,2 @@
-import{l as e}from"./schema-Je6e5yt2.mjs";import{a as t,l as n}from"./permissions-DYBlqpv3.mjs";import{createAccessControl as r}from"better-auth/plugins/access";import{betterAuth as i}from"better-auth";import{drizzleAdapter as a}from"better-auth/adapters/drizzle";import{APIError as o,createAuthMiddleware as s}from"better-auth/api";import{nextCookies as c}from"better-auth/next-js";import{admin as l}from"better-auth/plugins";import{organization as u}from"better-auth/plugins/organization";function d(e){let t=e?.context?.session,n=t?.user;return{id:n?.id??t?.userId,name:n?.name}}const f=new Set([`updatedAt`,`createdAt`]);function p(e){function t(t){e?.log(t).catch(()=>{})}let n=null;return{user:{create:{after:async e=>{t({action:`auth.signup`,entityType:`user`,entityId:e.id,userId:e.id,userName:e.name,changes:{fields:{name:e.name,email:e.email}}})}},update:{before:async e=>{let t={};for(let[n,r]of Object.entries(e))f.has(n)||n===`id`||(t[n]=r);n=Object.keys(t).length>0?t:null},after:async(e,r)=>{let i=d(r),a=n;n=null,t({action:`auth.user.update`,entityType:`user`,entityId:e.id,userId:i.id,userName:i.name,changes:a?{fields:a}:void 0,metadata:{targetUser:e.name}})}},delete:{after:async(e,n)=>{let r=d(n);t({action:`auth.user.delete`,entityType:`user`,entityId:e.id,userId:r.id,userName:r.name,metadata:{targetUser:e.name}})}}}}}const m=[`/sign-in/email`,`/sign-in/social`],h={"/change-password":`auth.password.change`,"/forget-password":`auth.password.reset_request`,"/reset-password":`auth.password.reset`},g={"/admin/set-role":`auth.admin.set_role`,"/admin/ban-user":`auth.admin.ban`,"/admin/unban-user":`auth.admin.unban`,"/admin/create-user":`auth.admin.create_user`,"/admin/remove-user":`auth.admin.remove_user`,"/admin/impersonate-user":`auth.admin.impersonate`,"/admin/stop-impersonating":`auth.admin.stop_impersonating`,"/admin/revoke-session":`auth.admin.revoke_session`,"/admin/revoke-sessions":`auth.admin.revoke_sessions`};function _(e){function t(t){e.log(t).catch(()=>{})}return{after:s(async e=>{if(m.some(t=>e.path.startsWith(t))){let n=e.context.returned?.status;if(!n)return;if(n>=400){let r=e.body?.email;t({action:`auth.login.failed`,metadata:{...typeof r==`string`?{email:r}:{},status:n,path:e.path}})}else{let n=e.context.newSession;n?.user?.id&&t({action:`auth.login`,entityType:`user`,entityId:n.user.id,userId:n.user.id,userName:n.user.name})}return}if(e.path===`/sign-out`){let n=e.context.returned;if(!n?.status||n.status<400){let n=d(e);n.id&&t({action:`auth.logout`,entityType:`user`,entityId:n.id,userId:n.id,userName:n.name})}return}let n=h[e.path];if(n){let r=e.context.returned;if(!r?.status||r.status<400){let r=d(e),i=e.body;t({action:n,entityType:`user`,userId:r.id,userName:r.name,metadata:{...typeof i?.email==`string`?{email:i.email}:{},path:e.path}})}return}let r=g[e.path];if(!r)return;let i=e.context.returned;if(i?.status&&i.status>=400)return;let a=d(e),o=e.body;t({action:r,entityType:`user`,entityId:o?.userId??void 0,userId:a.id,userName:a.name,metadata:{targetUserId:o?.userId,...o?.role?{role:o.role}:{},path:e.path}})})}}function v(e){return s(async t=>{if(t.path===`/sign-up/email`&&!e)throw new o(`FORBIDDEN`,{message:`Sign-up is closed`})})}function y(o,s,d){let f=[...s.entities.values()],m=r(n(f)),h=t(m,f),g={};o.social?.google&&(g.google=o.social.google),o.social?.github&&(g.github=o.social.github);let y=o.schema??e;return i({database:a(s.db.readWrite,{provider:`pg`,schema:y}),emailAndPassword:{enabled:o.providers?.includes(`email`)??!0},socialProviders:g,session:{expiresIn:o.session?.expiresIn??3600*2,updateAge:o.session?.updateAge??3600},rateLimit:{enabled:!0,window:60,max:100,storage:`memory`,customRules:{"/sign-in/email":{window:60,max:5},"/sign-in/social":{window:60,max:10},"/sign-up/email":{window:60,max:3},"/forget-password":{window:60,max:3},"/reset-password":{window:60,max:5},"/admin/*":{window:60,max:20}}},databaseHooks:p(d),hooks:{before:v(o.signup?.enabled??!1),...d?_(d):{}},plugins:[l({ac:m,roles:h,defaultRole:`authenticated`}),...o.organizations?[u({ac:m,roles:h})]:[],...o.betterAuthPlugins??[],c()]})}export{y as createAuthServer};
-//# sourceMappingURL=server-juwZw1e-.mjs.map
+import{l as e}from"./schema-Je6e5yt2.mjs";import{a as t,l as n}from"./permissions-DYBlqpv3.mjs";import{createAccessControl as r}from"better-auth/plugins/access";import{betterAuth as i}from"better-auth";import{drizzleAdapter as a}from"better-auth/adapters/drizzle";import{APIError as o,createAuthMiddleware as s}from"better-auth/api";import{nextCookies as c}from"better-auth/next-js";import{admin as l}from"better-auth/plugins";import{organization as u}from"better-auth/plugins/organization";function d(e){let t=e?.context?.session,n=t?.user;return{id:n?.id??t?.userId,name:n?.name}}const f=new Set([`updatedAt`,`createdAt`]);function p(e){function t(t){e?.log(t).catch(()=>{})}let n=null;return{user:{create:{after:async e=>{t({action:`auth.signup`,entityType:`user`,entityId:e.id,userId:e.id,userName:e.name,changes:{fields:{name:e.name,email:e.email}}})}},update:{before:async e=>{let t={};for(let[n,r]of Object.entries(e))f.has(n)||n===`id`||(t[n]=r);n=Object.keys(t).length>0?t:null},after:async(e,r)=>{let i=d(r),a=n;n=null,t({action:`auth.user.update`,entityType:`user`,entityId:e.id,userId:i.id,userName:i.name,changes:a?{fields:a}:void 0,metadata:{targetUser:e.name}})}},delete:{after:async(e,n)=>{let r=d(n);t({action:`auth.user.delete`,entityType:`user`,entityId:e.id,userId:r.id,userName:r.name,metadata:{targetUser:e.name}})}}}}}const m=[`/sign-in/email`,`/sign-in/social`],h={"/change-password":`auth.password.change`,"/forget-password":`auth.password.reset_request`,"/reset-password":`auth.password.reset`},g={"/admin/set-role":`auth.admin.set_role`,"/admin/ban-user":`auth.admin.ban`,"/admin/unban-user":`auth.admin.unban`,"/admin/create-user":`auth.admin.create_user`,"/admin/remove-user":`auth.admin.remove_user`,"/admin/impersonate-user":`auth.admin.impersonate`,"/admin/stop-impersonating":`auth.admin.stop_impersonating`,"/admin/revoke-session":`auth.admin.revoke_session`,"/admin/revoke-sessions":`auth.admin.revoke_sessions`};function _(e){function t(t){e.log(t).catch(()=>{})}return{after:s(async e=>{if(m.some(t=>e.path.startsWith(t))){let n=e.context.returned?.status;if(!n)return;if(n>=400){let r=e.body?.email;t({action:`auth.login.failed`,metadata:{...typeof r==`string`?{email:r}:{},status:n,path:e.path}})}else{let n=e.context.newSession;n?.user?.id&&t({action:`auth.login`,entityType:`user`,entityId:n.user.id,userId:n.user.id,userName:n.user.name})}return}if(e.path===`/sign-out`){let n=e.context.returned;if(!n?.status||n.status<400){let n=d(e);n.id&&t({action:`auth.logout`,entityType:`user`,entityId:n.id,userId:n.id,userName:n.name})}return}let n=h[e.path];if(n){let r=e.context.returned;if(!r?.status||r.status<400){let r=d(e),i=e.body;t({action:n,entityType:`user`,userId:r.id,userName:r.name,metadata:{...typeof i?.email==`string`?{email:i.email}:{},path:e.path}})}return}let r=g[e.path];if(!r)return;let i=e.context.returned;if(i?.status&&i.status>=400)return;let a=d(e),o=e.body;t({action:r,entityType:`user`,entityId:o?.userId??void 0,userId:a.id,userName:a.name,metadata:{targetUserId:o?.userId,...o?.role?{role:o.role}:{},path:e.path}})})}}function v(e){return s(async t=>{if(t.path===`/sign-up/email`&&!e)throw new o(`FORBIDDEN`,{message:`Sign-up is closed`})})}function y(o,s,d){if(globalThis.window!==void 0)throw Error(`@murumets-ee/auth: createAuthServer must not run in a browser environment. Construct the auth server from server code only (RSC, route handlers, CLI, worker).`);let f=[...s.entities.values()],m=r(n(f)),h=t(m,f),g={};o.social?.google&&(g.google=o.social.google),o.social?.github&&(g.github=o.social.github);let y=o.schema??e;return i({database:a(s.db.readWrite,{provider:`pg`,schema:y}),emailAndPassword:{enabled:o.providers?.includes(`email`)??!0},socialProviders:g,session:{expiresIn:o.session?.expiresIn??3600*2,updateAge:o.session?.updateAge??3600},rateLimit:{enabled:!0,window:60,max:100,storage:`memory`,customRules:{"/sign-in/email":{window:60,max:5},"/sign-in/social":{window:60,max:10},"/sign-up/email":{window:60,max:3},"/forget-password":{window:60,max:3},"/reset-password":{window:60,max:5},"/admin/*":{window:60,max:20}}},databaseHooks:p(d),hooks:{before:v(o.signup?.enabled??!1),...d?_(d):{}},plugins:[l({ac:m,roles:h,defaultRole:`authenticated`}),...o.organizations?[u({ac:m,roles:h})]:[],...o.betterAuthPlugins??[],c()]})}let b=null,x=null;function S(e){b=e}function C(e){x=e}function w(){if(!b)throw Error(`@murumets-ee/auth not initialized. Add auth() to your plugins array.`);return b}function T(){return x?.signup?.enabled===!0}export{y as a,T as i,C as n,w as r,S as t};
+//# sourceMappingURL=runtime-CGqmBcZB.mjs.map

package/dist/runtime-CGqmBcZB.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"runtime-CGqmBcZB.mjs","names":["defaultAuthSchema"],"sources":["../src/server.ts","../src/runtime.ts"],"sourcesContent":["/**\n * Server-side auth instance factory.\n *\n * Creates a configured `betterAuth()` instance using the toolkit's database\n * connection and entity definitions. This is server-only code.\n */\n\nimport type { ToolkitApp } from '@murumets-ee/core'\nimport type { AuditLogger } from '@murumets-ee/logging'\nimport type { Auth as BetterAuthBase, BetterAuthOptions } from 'better-auth'\nimport { betterAuth } from 'better-auth'\nimport { drizzleAdapter } from 'better-auth/adapters/drizzle'\nimport { APIError, createAuthMiddleware } from 'better-auth/api'\nimport { nextCookies } from 'better-auth/next-js'\nimport { admin } from 'better-auth/plugins'\nimport type { Role } from 'better-auth/plugins/access'\nimport { createAccessControl } from 'better-auth/plugins/access'\nimport { organization } from 'better-auth/plugins/organization'\nimport { buildDefaultRoles, buildStatements } from './permissions.js'\nimport * as defaultAuthSchema from './schema.js'\nimport type { AdminUser, AuthConfig } from './types.js'\n\n// ---------------------------------------------------------------------------\n// Audit hooks — wired into better-auth's databaseHooks\n// ---------------------------------------------------------------------------\n\n/** Extract acting admin's id and name from better-auth hook context.\n *  ctx is GenericEndpointContext | null — we access session safely via optional chaining. */\nfunction getActor(ctx: unknown) {\n  const session = (ctx as { context?: { session?: Record<string, unknown> } } | null)?.context\n    ?.session\n  const user = session?.user as { id?: string; name?: string } | undefined\n  return {\n    id: user?.id ?? (session?.userId as string | undefined),\n    name: user?.name,\n  }\n}\n\n/** Fields to strip from user update audit payloads */\nconst SKIP_FIELDS = new Set(['updatedAt', 'createdAt'])\n\nfunction buildDatabaseHooks(auditLogger?: AuditLogger) {\n  /** Fire-and-forget audit — never block auth operations */\n  function audit(entry: Parameters<AuditLogger['log']>[0]) {\n    auditLogger?.log(entry).catch(() => {})\n  }\n\n  // `before` captures changed fields, `after` has full user + actor ctx.\n  // Bridge with a simple variable — updates are sequential per request.\n  let pendingFields: Record<string, unknown> | null = null\n\n  return {\n    user: {\n      create: {\n        after: async (user: Record<string, unknown>) => {\n          // Signup — actor is the new user themselves.\n          // NOTE: first-user auto-promotion was removed. Bootstrap the first\n          // admin via `lumi create-admin` (requires shell access). Public\n          // signup is closed by default; see AuthConfig.signup.enabled.\n          audit({\n            action: 'auth.signup',\n            entityType: 'user',\n            entityId: user.id as string,\n            userId: user.id as string,\n            userName: user.name as string,\n            changes: {\n              fields: { name: user.name, email: user.email },\n            },\n          })\n        },\n      },\n      update: {\n        // `before` receives only the changed fields — capture them\n        before: async (userData: Record<string, unknown>) => {\n          const fields: Record<string, unknown> = {}\n          for (const [key, value] of Object.entries(userData)) {\n            if (SKIP_FIELDS.has(key) || key === 'id') continue\n            fields[key] = value\n          }\n          pendingFields = Object.keys(fields).length > 0 ? fields : null\n        },\n        // `after` has full user (name) + ctx (actor session) — log everything\n        after: async (user: Record<string, unknown>, ctx: unknown) => {\n          const actor = getActor(ctx)\n          const fields = pendingFields\n          pendingFields = null\n          audit({\n            action: 'auth.user.update',\n            entityType: 'user',\n            entityId: user.id as string,\n            userId: actor.id,\n            userName: actor.name,\n            changes: fields ? { fields } : undefined,\n            metadata: {\n              targetUser: user.name as string | undefined,\n            },\n          })\n        },\n      },\n      delete: {\n        after: async (user: Record<string, unknown>, ctx: unknown) => {\n          const actor = getActor(ctx)\n          audit({\n            action: 'auth.user.delete',\n            entityType: 'user',\n            entityId: user.id as string,\n            userId: actor.id,\n            userName: actor.name,\n            metadata: {\n              targetUser: user.name as string | undefined,\n            },\n          })\n        },\n      },\n    },\n  }\n}\n\n// ---------------------------------------------------------------------------\n// Request-level hooks — catches failed logins, password changes, etc.\n// ---------------------------------------------------------------------------\n\n/** Auth paths where a non-2xx response means a failed attempt worth logging */\nconst SIGN_IN_PATHS = ['/sign-in/email', '/sign-in/social']\n\n/** Auth paths for session/password lifecycle events */\nconst SIGN_OUT_PATH = '/sign-out'\nconst PASSWORD_PATHS: Record<string, string> = {\n  '/change-password': 'auth.password.change',\n  '/forget-password': 'auth.password.reset_request',\n  '/reset-password': 'auth.password.reset',\n}\n\n/** Paths that should be audit-logged when successful */\nconst AUDIT_ADMIN_PATHS: Record<string, string> = {\n  '/admin/set-role': 'auth.admin.set_role',\n  '/admin/ban-user': 'auth.admin.ban',\n  '/admin/unban-user': 'auth.admin.unban',\n  '/admin/create-user': 'auth.admin.create_user',\n  '/admin/remove-user': 'auth.admin.remove_user',\n  '/admin/impersonate-user': 'auth.admin.impersonate',\n  '/admin/stop-impersonating': 'auth.admin.stop_impersonating',\n  '/admin/revoke-session': 'auth.admin.revoke_session',\n  '/admin/revoke-sessions': 'auth.admin.revoke_sessions',\n}\n\nfunction buildRequestHooks(auditLogger: AuditLogger) {\n  function audit(entry: Parameters<AuditLogger['log']>[0]) {\n    auditLogger.log(entry).catch(() => {})\n  }\n\n  return {\n    after: createAuthMiddleware(async (ctx) => {\n      // --- Login attempt logging ---\n      const isSignIn = SIGN_IN_PATHS.some((p) => ctx.path.startsWith(p))\n      if (isSignIn) {\n        const returned = ctx.context.returned as { status?: number } | undefined\n        const status = returned?.status\n        if (!status) return\n\n        if (status >= 400) {\n          const email = (ctx.body as Record<string, unknown> | undefined)?.email\n          audit({\n            action: 'auth.login.failed',\n            metadata: {\n              ...(typeof email === 'string' ? { email } : {}),\n              status,\n              path: ctx.path,\n            },\n          })\n        } else {\n          const newSession = ctx.context.newSession as\n            | { user?: { id?: string; name?: string } }\n            | undefined\n          if (newSession?.user?.id) {\n            audit({\n              action: 'auth.login',\n              entityType: 'user',\n              entityId: newSession.user.id,\n              userId: newSession.user.id,\n              userName: newSession.user.name,\n            })\n          }\n        }\n        return\n      }\n\n      // --- Logout logging ---\n      if (ctx.path === SIGN_OUT_PATH) {\n        const returned = ctx.context.returned as { status?: number } | undefined\n        if (!returned?.status || returned.status < 400) {\n          const actor = getActor(ctx)\n          if (actor.id) {\n            audit({\n              action: 'auth.logout',\n              entityType: 'user',\n              entityId: actor.id,\n              userId: actor.id,\n              userName: actor.name,\n            })\n          }\n        }\n        return\n      }\n\n      // --- Password change/reset logging ---\n      const passwordAction = PASSWORD_PATHS[ctx.path]\n      if (passwordAction) {\n        const returned = ctx.context.returned as { status?: number } | undefined\n        if (!returned?.status || returned.status < 400) {\n          const actor = getActor(ctx)\n          const body = ctx.body as Record<string, unknown> | undefined\n          audit({\n            action: passwordAction,\n            entityType: 'user',\n            userId: actor.id,\n            userName: actor.name,\n            metadata: {\n              // For reset requests, log the email (not sensitive — it's the input)\n              ...(typeof body?.email === 'string' ? { email: body.email } : {}),\n              path: ctx.path,\n            },\n          })\n        }\n        return\n      }\n\n      // --- Admin operation audit logging (impersonation, role changes, bans, etc.) ---\n      const auditAction = AUDIT_ADMIN_PATHS[ctx.path]\n      if (!auditAction) return\n\n      const returned = ctx.context.returned as { status?: number } | undefined\n      if (returned?.status && returned.status >= 400) return // failed — skip\n\n      const actor = getActor(ctx)\n      const body = ctx.body as Record<string, unknown> | undefined\n      audit({\n        action: auditAction,\n        entityType: 'user',\n        entityId: (body?.userId as string) ?? undefined,\n        userId: actor.id,\n        userName: actor.name,\n        metadata: {\n          targetUserId: body?.userId as string | undefined,\n          ...(body?.role ? { role: body.role as string } : {}),\n          path: ctx.path,\n        },\n      })\n    }),\n  }\n}\n\n// ---------------------------------------------------------------------------\n// Signup gate — rejects public registration unless explicitly enabled.\n//\n// Closed by default. The first admin is created via `lumi create-admin`\n// (runs below the HTTP/middleware layer via auth.$context.internalAdapter,\n// so this gate never fires for CLI bootstrap). To open public registration\n// later, set `auth({ signup: { enabled: true } })` in `lumi.config.ts`.\n// ---------------------------------------------------------------------------\n\nfunction buildSignupGate(signupEnabled: boolean) {\n  return createAuthMiddleware(async (ctx) => {\n    if (ctx.path !== '/sign-up/email') return\n    if (!signupEnabled) {\n      throw new APIError('FORBIDDEN', { message: 'Sign-up is closed' })\n    }\n  })\n}\n\n// ---------------------------------------------------------------------------\n// Server factory\n// ---------------------------------------------------------------------------\n\n/**\n * Create a better-auth server instance wired to the toolkit.\n *\n * Called during plugin init — the returned instance powers:\n * - `auth.api.getSession()` for session resolution\n * - `auth.api.listUsers()` for admin user management\n * - Route handler via `toNextJsHandler(auth)`\n *\n * IMPORTANT: Plugins are inlined in the `betterAuth()` call so TypeScript\n * preserves the literal plugin types. Extracting them into a `BetterAuthPlugin[]`\n * variable erases specific endpoint types (admin, organization, etc.).\n *\n * The explicit `BetterAuthBase` return type annotation is required because\n * better-auth 1.6's internals use zod@4 types that tsdown's dts generator\n * cannot name portably across pnpm's `.pnpm/zod@4.x` symlink paths (TS2742).\n * The annotation widens to better-auth's generic `Auth` type — specific\n * plugin endpoint types (`auth.api.listUsers` etc.) are still accessible\n * because better-auth's `InferAPI` helper resolves them at the consumer's\n * compile time against their installed better-auth version.\n */\nexport function createAuthServer(\n  config: AuthConfig,\n  app: ToolkitApp,\n  auditLogger?: AuditLogger,\n): BetterAuthBase {\n  // Runtime belt-and-suspenders: `createAuthServer` is exposed via the\n  // `/runtime` subpath (which has no `server-only` marker so the CLI / worker\n  // can load `lumi.config.ts` under jiti / tsx). The marker-less export trades\n  // a clean build-time error for a cryptic bundler error if a client\n  // component ever tries to import it. This guard adds a runtime failure\n  // with a clear message in case that reaches a browser somehow.\n  if (typeof (globalThis as { window?: unknown }).window !== 'undefined') {\n    throw new Error(\n      '@murumets-ee/auth: createAuthServer must not run in a browser environment. ' +\n        'Construct the auth server from server code only (RSC, route handlers, CLI, worker).',\n    )\n  }\n\n  const entities = [...app.entities.values()]\n  const statement = buildStatements(entities)\n  const ac = createAccessControl(statement)\n  const roles: Record<string, Role> = buildDefaultRoles(ac, entities)\n\n  // Build social provider config\n  const socialProviders: Record<string, { clientId: string; clientSecret: string }> = {}\n  if (config.social?.google) {\n    socialProviders.google = config.social.google\n  }\n  if (config.social?.github) {\n    socialProviders.github = config.social.github\n  }\n\n  // Plugins are inlined so TS infers the literal tuple type.\n  // DO NOT extract into a typed variable — `BetterAuthPlugin[]` erases endpoint types.\n  // nextCookies() must be last — required for Next.js server actions.\n  // Default to the pre-baked schema from `@murumets-ee/auth/schema` so\n  // consumers don't need to generate one with `@better-auth/cli`. They\n  // can still override via `auth({ schema: customSchema })` if they've\n  // extended better-auth with plugins that add tables.\n  const schema = config.schema ?? defaultAuthSchema\n\n  // Widen the config to BetterAuthOptions so betterAuth() returns\n  // Auth<BetterAuthOptions> (= BetterAuthBase). This is required because:\n  //   1. Without a return type annotation, tsdown fails with TS2742\n  //      (zod@4 internal types can't be named portably in .d.mts)\n  //   2. The admin plugin with custom ac/roles makes Auth<SpecificConfig>\n  //      structurally incompatible with Auth (better-auth#8855)\n  // Widening the config erases plugin-specific API types at compile time,\n  // but plugin endpoints (listUsers, etc.) are fully functional at runtime.\n  // Consumers already access them via typed wrappers in AdminPagesConfig.\n  const authOptions: BetterAuthOptions = {\n    database: drizzleAdapter(app.db.readWrite, {\n      provider: 'pg',\n      schema,\n    }),\n\n    emailAndPassword: {\n      enabled: config.providers?.includes('email') ?? true,\n    },\n\n    socialProviders,\n\n    session: {\n      expiresIn: config.session?.expiresIn ?? 60 * 60 * 2, // 2 hours (admin CMS — short-lived)\n      updateAge: config.session?.updateAge ?? 60 * 60, // 1 hour\n    },\n\n    // Rate limiting — strict on sensitive paths, relaxed global default\n    rateLimit: {\n      enabled: true,\n      window: 60, // 60s global window\n      max: 100, // 100 req/min default\n      storage: 'memory',\n      customRules: {\n        '/sign-in/email': { window: 60, max: 5 }, // 5 login attempts/min\n        '/sign-in/social': { window: 60, max: 10 },\n        '/sign-up/email': { window: 60, max: 3 }, // 3 signups/min\n        '/forget-password': { window: 60, max: 3 }, // 3 resets/min\n        '/reset-password': { window: 60, max: 5 },\n        '/admin/*': { window: 60, max: 20 }, // admin ops capped\n      },\n    },\n\n    databaseHooks: buildDatabaseHooks(auditLogger),\n    hooks: {\n      before: buildSignupGate(config.signup?.enabled ?? false),\n      ...(auditLogger ? buildRequestHooks(auditLogger) : {}),\n    },\n\n    plugins: [\n      admin({ ac, roles, defaultRole: 'authenticated' }),\n      ...(config.organizations ? [organization({ ac, roles })] : []),\n      ...(config.betterAuthPlugins ?? []),\n      nextCookies(),\n    ],\n  }\n\n  return betterAuth(authOptions)\n}\n\n/** Type of the auth server instance. Aliased from better-auth's generic\n *  `Auth` because the explicit annotation on `createAuthServer` means\n *  `ReturnType<typeof createAuthServer>` is already `BetterAuthBase`. */\nexport type Auth = BetterAuthBase\n\n/**\n * Structural interface for the server-side admin API methods.\n *\n * The widened `Auth` type (BetterAuthBase) doesn't expose admin plugin\n * endpoints. This interface describes just the methods consumers need\n * so they can access them without `as any`.\n *\n * Usage: `(auth.api as AuthAdminApi).listUsers(...)`\n */\nexport interface AuthAdminApi {\n  listUsers: (opts: {\n    headers: Headers\n    query: {\n      limit: number\n      sortBy: string\n      sortDirection: 'asc' | 'desc'\n    }\n  }) => Promise<{ users: AdminUser[]; total: number }>\n}\n","/**\n * Auth runtime — CLI-safe subpath for the plugin factory and for code that\n * needs to read auth singleton state without pulling in the `server-only`\n * marker from the main `@murumets-ee/auth` entry. Imported by:\n *\n *  - `@murumets-ee/auth-ui/plugin` (the factory — needs `createAuthServer`\n *    + the state setters + the schema tables)\n *  - `@murumets-ee/cli` `create-admin` command (needs `getAuth` under jiti\n *    without triggering `server-only`)\n *\n * Everything re-exported here is `server-only`-clean by construction:\n *  - `createAuthServer`, `Auth`, `AuthAdminApi` — from `./server.js`\n *  - `AuthConfig`, `AdminUser` — from `./types.js`\n *  - better-auth Drizzle tables — from `./schema.js`\n */\n\nexport { createAuthServer } from './server.js'\nexport type { Auth, AuthAdminApi } from './server.js'\nexport type { AdminUser, AuthConfig } from './types.js'\nexport {\n  account,\n  invitation,\n  member,\n  organization,\n  session,\n  user,\n  verification,\n} from './schema.js'\n\nimport type { Auth, AuthAdminApi } from './server.js'\nimport type { AuthConfig } from './types.js'\n\n/** Auth with admin API — admin plugin is always loaded in createAuthServer */\nexport type AuthWithAdmin = Auth & { api: AuthAdminApi }\n\n/** The initialized auth server instance (set during plugin init) */\nlet _auth: AuthWithAdmin | null = null\n\n/** The auth plugin config — captured at plugin() call so server-side code\n *  (page.tsx guards, admin UIs) can read runtime flags like `signup.enabled`\n *  without threading config through every layer. */\nlet _authConfig: AuthConfig | null = null\n\n/**\n * Internal: store the resolved better-auth server instance. Called from the\n * `auth()` plugin factory's `server.init`; not part of the public API.\n *\n * @internal\n */\nexport function _setAuth(auth: AuthWithAdmin): void {\n  _auth = auth\n}\n\n/**\n * Internal: capture the plugin config. Invoked by the `auth()` factory at\n * construction time (not init) so `isSignupEnabled()` works during RSC\n * render on cold boot, before async init completes.\n *\n * @internal\n */\nexport function _setAuthConfig(config: AuthConfig): void {\n  _authConfig = config\n}\n\n/**\n * Get the auth server instance.\n * Throws if the auth plugin hasn't been initialized yet.\n *\n * @example\n * ```typescript\n * // app/api/auth/[...all]/route.ts\n * import { toNextJsHandler } from 'better-auth/next-js'\n * import { getAuth } from '@murumets-ee/auth'\n *\n * export const { GET, POST } = toNextJsHandler(getAuth())\n * ```\n */\nexport function getAuth(): AuthWithAdmin {\n  if (!_auth) {\n    throw new Error('@murumets-ee/auth not initialized. Add auth() to your plugins array.')\n  }\n  return _auth\n}\n\n/**\n * Is public sign-up allowed in this deployment?\n *\n * Defaults to `false` — first admin is bootstrapped via `lumi create-admin`.\n * Set `auth({ signup: { enabled: true } })` in lumi.config.ts to open.\n */\nexport function isSignupEnabled(): boolean {\n  return _authConfig?.signup?.enabled === true\n}\n"],"mappings":"2eA4BA,SAAS,EAAS,EAAc,CAC9B,IAAM,EAAW,GAAoE,SACjF,QACE,EAAO,GAAS,KACtB,MAAO,CACL,GAAI,GAAM,IAAO,GAAS,OAC1B,KAAM,GAAM,KACb,CAIH,MAAM,EAAc,IAAI,IAAI,CAAC,YAAa,YAAY,CAAC,CAEvD,SAAS,EAAmB,EAA2B,CAErD,SAAS,EAAM,EAA0C,CACvD,GAAa,IAAI,EAAM,CAAC,UAAY,GAAG,CAKzC,IAAI,EAAgD,KAEpD,MAAO,CACL,KAAM,CACJ,OAAQ,CACN,MAAO,KAAO,IAAkC,CAK9C,EAAM,CACJ,OAAQ,cACR,WAAY,OACZ,SAAU,EAAK,GACf,OAAQ,EAAK,GACb,SAAU,EAAK,KACf,QAAS,CACP,OAAQ,CAAE,KAAM,EAAK,KAAM,MAAO,EAAK,MAAO,CAC/C,CACF,CAAC,EAEL,CACD,OAAQ,CAEN,OAAQ,KAAO,IAAsC,CACnD,IAAM,EAAkC,EAAE,CAC1C,IAAK,GAAM,CAAC,EAAK,KAAU,OAAO,QAAQ,EAAS,CAC7C,EAAY,IAAI,EAAI,EAAI,IAAQ,OACpC,EAAO,GAAO,GAEhB,EAAgB,OAAO,KAAK,EAAO,CAAC,OAAS,EAAI,EAAS,MAG5D,MAAO,MAAO,EAA+B,IAAiB,CAC5D,IAAM,EAAQ,EAAS,EAAI,CACrB,EAAS,EACf,EAAgB,KAChB,EAAM,CACJ,OAAQ,mBACR,WAAY,OACZ,SAAU,EAAK,GACf,OAAQ,EAAM,GACd,SAAU,EAAM,KAChB,QAAS,EAAS,CAAE,SAAQ,CAAG,IAAA,GAC/B,SAAU,CACR,WAAY,EAAK,KAClB,CACF,CAAC,EAEL,CACD,OAAQ,CACN,MAAO,MAAO,EAA+B,IAAiB,CAC5D,IAAM,EAAQ,EAAS,EAAI,CAC3B,EAAM,CACJ,OAAQ,mBACR,WAAY,OACZ,SAAU,EAAK,GACf,OAAQ,EAAM,GACd,SAAU,EAAM,KAChB,SAAU,CACR,WAAY,EAAK,KAClB,CACF,CAAC,EAEL,CACF,CACF,CAQH,MAAM,EAAgB,CAAC,iBAAkB,kBAAkB,CAIrD,EAAyC,CAC7C,mBAAoB,uBACpB,mBAAoB,8BACpB,kBAAmB,sBACpB,CAGK,EAA4C,CAChD,kBAAmB,sBACnB,kBAAmB,iBACnB,oBAAqB,mBACrB,qBAAsB,yBACtB,qBAAsB,yBACtB,0BAA2B,yBAC3B,4BAA6B,gCAC7B,wBAAyB,4BACzB,yBAA0B,6BAC3B,CAED,SAAS,EAAkB,EAA0B,CACnD,SAAS,EAAM,EAA0C,CACvD,EAAY,IAAI,EAAM,CAAC,UAAY,GAAG,CAGxC,MAAO,CACL,MAAO,EAAqB,KAAO,IAAQ,CAGzC,GADiB,EAAc,KAAM,GAAM,EAAI,KAAK,WAAW,EAAE,CAAC,CACpD,CAEZ,IAAM,EADW,EAAI,QAAQ,UACJ,OACzB,GAAI,CAAC,EAAQ,OAEb,GAAI,GAAU,IAAK,CACjB,IAAM,EAAS,EAAI,MAA8C,MACjE,EAAM,CACJ,OAAQ,oBACR,SAAU,CACR,GAAI,OAAO,GAAU,SAAW,CAAE,QAAO,CAAG,EAAE,CAC9C,SACA,KAAM,EAAI,KACX,CACF,CAAC,KACG,CACL,IAAM,EAAa,EAAI,QAAQ,WAG3B,GAAY,MAAM,IACpB,EAAM,CACJ,OAAQ,aACR,WAAY,OACZ,SAAU,EAAW,KAAK,GAC1B,OAAQ,EAAW,KAAK,GACxB,SAAU,EAAW,KAAK,KAC3B,CAAC,CAGN,OAIF,GAAI,EAAI,OAAS,YAAe,CAC9B,IAAM,EAAW,EAAI,QAAQ,SAC7B,GAAI,CAAC,GAAU,QAAU,EAAS,OAAS,IAAK,CAC9C,IAAM,EAAQ,EAAS,EAAI,CACvB,EAAM,IACR,EAAM,CACJ,OAAQ,cACR,WAAY,OACZ,SAAU,EAAM,GAChB,OAAQ,EAAM,GACd,SAAU,EAAM,KACjB,CAAC,CAGN,OAIF,IAAM,EAAiB,EAAe,EAAI,MAC1C,GAAI,EAAgB,CAClB,IAAM,EAAW,EAAI,QAAQ,SAC7B,GAAI,CAAC,GAAU,QAAU,EAAS,OAAS,IAAK,CAC9C,IAAM,EAAQ,EAAS,EAAI,CACrB,EAAO,EAAI,KACjB,EAAM,CACJ,OAAQ,EACR,WAAY,OACZ,OAAQ,EAAM,GACd,SAAU,EAAM,KAChB,SAAU,CAER,GAAI,OAAO,GAAM,OAAU,SAAW,CAAE,MAAO,EAAK,MAAO,CAAG,EAAE,CAChE,KAAM,EAAI,KACX,CACF,CAAC,CAEJ,OAIF,IAAM,EAAc,EAAkB,EAAI,MAC1C,GAAI,CAAC,EAAa,OAElB,IAAM,EAAW,EAAI,QAAQ,SAC7B,GAAI,GAAU,QAAU,EAAS,QAAU,IAAK,OAEhD,IAAM,EAAQ,EAAS,EAAI,CACrB,EAAO,EAAI,KACjB,EAAM,CACJ,OAAQ,EACR,WAAY,OACZ,SAAW,GAAM,QAAqB,IAAA,GACtC,OAAQ,EAAM,GACd,SAAU,EAAM,KAChB,SAAU,CACR,aAAc,GAAM,OACpB,GAAI,GAAM,KAAO,CAAE,KAAM,EAAK,KAAgB,CAAG,EAAE,CACnD,KAAM,EAAI,KACX,CACF,CAAC,EACF,CACH,CAYH,SAAS,EAAgB,EAAwB,CAC/C,OAAO,EAAqB,KAAO,IAAQ,CACrC,KAAI,OAAS,kBACb,CAAC,EACH,MAAM,IAAI,EAAS,YAAa,CAAE,QAAS,oBAAqB,CAAC,EAEnE,CA2BJ,SAAgB,EACd,EACA,EACA,EACgB,CAOhB,GAAY,WAAoC,SAAW,OACzD,MAAU,MACR,iKAED,CAGH,IAAM,EAAW,CAAC,GAAG,EAAI,SAAS,QAAQ,CAAC,CAErC,EAAK,EADO,EAAgB,EAAS,CACF,CACnC,EAA8B,EAAkB,EAAI,EAAS,CAG7D,EAA8E,EAAE,CAClF,EAAO,QAAQ,SACjB,EAAgB,OAAS,EAAO,OAAO,QAErC,EAAO,QAAQ,SACjB,EAAgB,OAAS,EAAO,OAAO,QAUzC,IAAM,EAAS,EAAO,QAAUA,EA0DhC,OAAO,EA/CgC,CACrC,SAAU,EAAe,EAAI,GAAG,UAAW,CACzC,SAAU,KACV,SACD,CAAC,CAEF,iBAAkB,CAChB,QAAS,EAAO,WAAW,SAAS,QAAQ,EAAI,GACjD,CAED,kBAEA,QAAS,CACP,UAAW,EAAO,SAAS,WAAa,KAAU,EAClD,UAAW,EAAO,SAAS,WAAa,KACzC,CAGD,UAAW,CACT,QAAS,GACT,OAAQ,GACR,IAAK,IACL,QAAS,SACT,YAAa,CACX,iBAAkB,CAAE,OAAQ,GAAI,IAAK,EAAG,CACxC,kBAAmB,CAAE,OAAQ,GAAI,IAAK,GAAI,CAC1C,iBAAkB,CAAE,OAAQ,GAAI,IAAK,EAAG,CACxC,mBAAoB,CAAE,OAAQ,GAAI,IAAK,EAAG,CAC1C,kBAAmB,CAAE,OAAQ,GAAI,IAAK,EAAG,CACzC,WAAY,CAAE,OAAQ,GAAI,IAAK,GAAI,CACpC,CACF,CAED,cAAe,EAAmB,EAAY,CAC9C,MAAO,CACL,OAAQ,EAAgB,EAAO,QAAQ,SAAW,GAAM,CACxD,GAAI,EAAc,EAAkB,EAAY,CAAG,EAAE,CACtD,CAED,QAAS,CACP,EAAM,CAAE,KAAI,QAAO,YAAa,gBAAiB,CAAC,CAClD,GAAI,EAAO,cAAgB,CAAC,EAAa,CAAE,KAAI,QAAO,CAAC,CAAC,CAAG,EAAE,CAC7D,GAAI,EAAO,mBAAqB,EAAE,CAClC,GAAa,CACd,CACF,CAE6B,CCnWhC,IAAI,EAA8B,KAK9B,EAAiC,KAQrC,SAAgB,EAAS,EAA2B,CAClD,EAAQ,EAUV,SAAgB,EAAe,EAA0B,CACvD,EAAc,EAgBhB,SAAgB,GAAyB,CACvC,GAAI,CAAC,EACH,MAAU,MAAM,uEAAuE,CAEzF,OAAO,EAST,SAAgB,GAA2B,CACzC,OAAO,GAAa,QAAQ,UAAY"}

package/dist/runtime-DRrHqQiA.d.mts

@@ -0,0 +1,98 @@
+import { n as AuthConfig, t as AdminUser } from "./types-Dl_sE_9S.mjs";
+import { Auth } from "better-auth";
+import { ToolkitApp } from "@murumets-ee/core";
+import { AuditLogger } from "@murumets-ee/logging";
+
+//#region src/server.d.ts
+/**
+ * Create a better-auth server instance wired to the toolkit.
+ *
+ * Called during plugin init — the returned instance powers:
+ * - `auth.api.getSession()` for session resolution
+ * - `auth.api.listUsers()` for admin user management
+ * - Route handler via `toNextJsHandler(auth)`
+ *
+ * IMPORTANT: Plugins are inlined in the `betterAuth()` call so TypeScript
+ * preserves the literal plugin types. Extracting them into a `BetterAuthPlugin[]`
+ * variable erases specific endpoint types (admin, organization, etc.).
+ *
+ * The explicit `BetterAuthBase` return type annotation is required because
+ * better-auth 1.6's internals use zod@4 types that tsdown's dts generator
+ * cannot name portably across pnpm's `.pnpm/zod@4.x` symlink paths (TS2742).
+ * The annotation widens to better-auth's generic `Auth` type — specific
+ * plugin endpoint types (`auth.api.listUsers` etc.) are still accessible
+ * because better-auth's `InferAPI` helper resolves them at the consumer's
+ * compile time against their installed better-auth version.
+ */
+declare function createAuthServer(config: AuthConfig, app: ToolkitApp, auditLogger?: AuditLogger): Auth;
+/** Type of the auth server instance. Aliased from better-auth's generic
+ *  `Auth` because the explicit annotation on `createAuthServer` means
+ *  `ReturnType<typeof createAuthServer>` is already `BetterAuthBase`. */
+type Auth$1 = Auth;
+/**
+ * Structural interface for the server-side admin API methods.
+ *
+ * The widened `Auth` type (BetterAuthBase) doesn't expose admin plugin
+ * endpoints. This interface describes just the methods consumers need
+ * so they can access them without `as any`.
+ *
+ * Usage: `(auth.api as AuthAdminApi).listUsers(...)`
+ */
+interface AuthAdminApi {
+  listUsers: (opts: {
+    headers: Headers;
+    query: {
+      limit: number;
+      sortBy: string;
+      sortDirection: 'asc' | 'desc';
+    };
+  }) => Promise<{
+    users: AdminUser[];
+    total: number;
+  }>;
+}
+//#endregion
+//#region src/runtime.d.ts
+/** Auth with admin API — admin plugin is always loaded in createAuthServer */
+type AuthWithAdmin = Auth$1 & {
+  api: AuthAdminApi;
+};
+/**
+ * Internal: store the resolved better-auth server instance. Called from the
+ * `auth()` plugin factory's `server.init`; not part of the public API.
+ *
+ * @internal
+ */
+declare function _setAuth(auth: AuthWithAdmin): void;
+/**
+ * Internal: capture the plugin config. Invoked by the `auth()` factory at
+ * construction time (not init) so `isSignupEnabled()` works during RSC
+ * render on cold boot, before async init completes.
+ *
+ * @internal
+ */
+declare function _setAuthConfig(config: AuthConfig): void;
+/**
+ * Get the auth server instance.
+ * Throws if the auth plugin hasn't been initialized yet.
+ *
+ * @example
+ * ```typescript
+ * // app/api/auth/[...all]/route.ts
+ * import { toNextJsHandler } from 'better-auth/next-js'
+ * import { getAuth } from '@murumets-ee/auth'
+ *
+ * export const { GET, POST } = toNextJsHandler(getAuth())
+ * ```
+ */
+declare function getAuth(): AuthWithAdmin;
+/**
+ * Is public sign-up allowed in this deployment?
+ *
+ * Defaults to `false` — first admin is bootstrapped via `lumi create-admin`.
+ * Set `auth({ signup: { enabled: true } })` in lumi.config.ts to open.
+ */
+declare function isSignupEnabled(): boolean;
+//#endregion
+export { isSignupEnabled as a, createAuthServer as c, getAuth as i, _setAuth as n, Auth$1 as o, _setAuthConfig as r, AuthAdminApi as s, AuthWithAdmin as t };
+//# sourceMappingURL=runtime-DRrHqQiA.d.mts.map

package/dist/runtime-DRrHqQiA.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"runtime-DRrHqQiA.d.mts","names":[],"sources":["../src/server.ts","../src/runtime.ts"],"mappings":";;;;;;;;;;;;;;;;;;;;;AA6YA;;;;;iBAvGgB,gBAAA,CACd,MAAA,EAAQ,UAAA,EACR,GAAA,EAAK,UAAA,EACL,WAAA,GAAc,WAAA,GACb,IAAA;;;;KAmGS,MAAA,GAAO,IAAA;;;;;;;;;;UAWF,YAAA;EACf,SAAA,GAAY,IAAA;IACV,OAAA,EAAS,OAAA;IACT,KAAA;MACE,KAAA;MACA,MAAA;MACA,aAAA;IAAA;EAAA,MAEE,OAAA;IAAU,KAAA,EAAO,SAAA;IAAa,KAAA;EAAA;AAAA;;;;KC/X1B,aAAA,GAAgB,MAAA;EAAS,GAAA,EAAK,YAAA;AAAA;AD4W1C;;;;;AAWA;AAXA,iBC5VgB,QAAA,CAAS,IAAA,EAAM,aAAA;;;;;;;;iBAWf,cAAA,CAAe,MAAA,EAAQ,UAAA;;;;;;;;;;;;;;iBAiBvB,OAAA,CAAA,GAAW,aAAA;;AA5C3B;;;;;iBAyDgB,eAAA,CAAA"}

package/dist/runtime.d.mts

@@ -0,0 +1,4 @@
+import { n as AuthConfig, t as AdminUser } from "./types-Dl_sE_9S.mjs";
+import { a as isSignupEnabled, c as createAuthServer, i as getAuth, n as _setAuth, o as Auth, r as _setAuthConfig, s as AuthAdminApi, t as AuthWithAdmin } from "./runtime-DRrHqQiA.mjs";
+import { a as member, d as user, l as session, p as verification, r as invitation, s as organization, t as account } from "./schema-CSXsOlBD.mjs";
+export { AdminUser, Auth, AuthAdminApi, AuthConfig, AuthWithAdmin, _setAuth, _setAuthConfig, account, createAuthServer, getAuth, invitation, isSignupEnabled, member, organization, session, user, verification };

package/dist/runtime.mjs

@@ -0,0 +1 @@
+import{a as e,f as t,m as n,r,s as i,t as a,u as o}from"./schema-Je6e5yt2.mjs";import{a as s,i as c,n as l,r as u,t as d}from"./runtime-CGqmBcZB.mjs";export{d as _setAuth,l as _setAuthConfig,a as account,s as createAuthServer,u as getAuth,r as invitation,c as isSignupEnabled,e as member,i as organization,o as session,t as user,n as verification};