@nauth-toolkit/client 0.1.49 → 0.1.53

package/dist/angular/index.d.mts

@@ -1,2030 +0,0 @@
-import { InjectionToken, Injector, ModuleWithProviders } from '@angular/core';
-import * as rxjs from 'rxjs';
-import { Observable } from 'rxjs';
-import * as _angular_common_http from '@angular/common/http';
-import { HttpInterceptorFn, HttpRequest as HttpRequest$1, HttpHandlerFn } from '@angular/common/http';
-import { CanActivateFn, Router, UrlTree } from '@angular/router';
-
-/**
- * Full user profile returned from profile endpoints.
- */
-interface AuthUser {
-    sub: string;
-    email: string;
-    username?: string | null;
-    firstName?: string | null;
-    lastName?: string | null;
-    phone?: string | null;
-    isEmailVerified: boolean;
-    isPhoneVerified: boolean;
-    isActive?: boolean;
-    mfaEnabled?: boolean;
-    socialProviders?: string[] | null;
-    hasPasswordHash: boolean;
-    /**
-     * Authentication method used to create the current session.
-     *
-     * This is session-scoped (how the user logged in this time), not an account capability.
-     * Use `hasPasswordHash` and `socialProviders` to determine what login methods the account supports.
-     */
-    sessionAuthMethod?: string | null;
-    createdAt?: string | Date;
-    updatedAt?: string | Date;
-}
-/**
- * Profile update request.
- */
-interface UpdateProfileRequest {
-    firstName?: string;
-    lastName?: string;
-    email?: string;
-    phone?: string;
-}
-/**
- * Forgot password response payload.
- */
-interface ForgotPasswordResponse {
-    success: boolean;
-    destination?: string;
-    deliveryMedium?: 'email' | 'sms';
-    expiresIn?: number;
-}
-/**
- * Confirm forgot password response payload.
- */
-interface ConfirmForgotPasswordResponse {
-    success: boolean;
-    mustChangePassword: boolean;
-}
-
-/**
- * Standardized error codes mirroring backend AuthErrorCode.
- */
-declare enum NAuthErrorCode {
-    AUTH_INVALID_CREDENTIALS = "AUTH_INVALID_CREDENTIALS",
-    AUTH_ACCOUNT_LOCKED = "AUTH_ACCOUNT_LOCKED",
-    AUTH_ACCOUNT_INACTIVE = "AUTH_ACCOUNT_INACTIVE",
-    AUTH_TOKEN_EXPIRED = "AUTH_TOKEN_EXPIRED",
-    AUTH_TOKEN_INVALID = "AUTH_TOKEN_INVALID",
-    AUTH_BEARER_NOT_ALLOWED = "AUTH_BEARER_NOT_ALLOWED",
-    AUTH_COOKIES_NOT_ALLOWED = "AUTH_COOKIES_NOT_ALLOWED",
-    AUTH_CSRF_TOKEN_INVALID = "AUTH_CSRF_TOKEN_INVALID",
-    AUTH_CSRF_TOKEN_MISSING = "AUTH_CSRF_TOKEN_MISSING",
-    AUTH_TOKEN_REUSE_DETECTED = "AUTH_TOKEN_REUSE_DETECTED",
-    AUTH_SESSION_NOT_FOUND = "AUTH_SESSION_NOT_FOUND",
-    AUTH_SESSION_EXPIRED = "AUTH_SESSION_EXPIRED",
-    SIGNUP_DISABLED = "SIGNUP_DISABLED",
-    SIGNUP_EMAIL_EXISTS = "SIGNUP_EMAIL_EXISTS",
-    SIGNUP_USERNAME_EXISTS = "SIGNUP_USERNAME_EXISTS",
-    SIGNUP_PHONE_EXISTS = "SIGNUP_PHONE_EXISTS",
-    SIGNUP_WEAK_PASSWORD = "SIGNUP_WEAK_PASSWORD",
-    SIGNUP_PHONE_REQUIRED = "SIGNUP_PHONE_REQUIRED",
-    SIGNUP_NOT_ALLOWED = "SIGNUP_NOT_ALLOWED",
-    VERIFY_CODE_INVALID = "VERIFY_CODE_INVALID",
-    VERIFY_CODE_EXPIRED = "VERIFY_CODE_EXPIRED",
-    VERIFY_TOO_MANY_ATTEMPTS = "VERIFY_TOO_MANY_ATTEMPTS",
-    VERIFY_ALREADY_VERIFIED = "VERIFY_ALREADY_VERIFIED",
-    MFA_SETUP_REQUIRED = "MFA_SETUP_REQUIRED",
-    RATE_LIMIT_SMS = "RATE_LIMIT_SMS",
-    RATE_LIMIT_EMAIL = "RATE_LIMIT_EMAIL",
-    RATE_LIMIT_LOGIN = "RATE_LIMIT_LOGIN",
-    RATE_LIMIT_RESEND = "RATE_LIMIT_RESEND",
-    SOCIAL_TOKEN_INVALID = "SOCIAL_TOKEN_INVALID",
-    SOCIAL_ACCOUNT_LINKED = "SOCIAL_ACCOUNT_LINKED",
-    SOCIAL_CONFIG_MISSING = "SOCIAL_CONFIG_MISSING",
-    SOCIAL_EMAIL_REQUIRED = "SOCIAL_EMAIL_REQUIRED",
-    SOCIAL_ACCOUNT_NOT_FOUND = "SOCIAL_ACCOUNT_NOT_FOUND",
-    CHALLENGE_EXPIRED = "CHALLENGE_EXPIRED",
-    CHALLENGE_INVALID = "CHALLENGE_INVALID",
-    CHALLENGE_TYPE_MISMATCH = "CHALLENGE_TYPE_MISMATCH",
-    CHALLENGE_MAX_ATTEMPTS = "CHALLENGE_MAX_ATTEMPTS",
-    CHALLENGE_ALREADY_COMPLETED = "CHALLENGE_ALREADY_COMPLETED",
-    VALIDATION_FAILED = "VALIDATION_FAILED",
-    VALIDATION_INVALID_PHONE = "VALIDATION_INVALID_PHONE",
-    VALIDATION_INVALID_EMAIL = "VALIDATION_INVALID_EMAIL",
-    VALIDATION_INVALID_PASSWORD = "VALIDATION_INVALID_PASSWORD",
-    PASSWORD_INCORRECT = "PASSWORD_INCORRECT",
-    PASSWORD_REUSED = "PASSWORD_REUSED",
-    PASSWORD_CHANGE_NOT_ALLOWED = "PASSWORD_CHANGE_NOT_ALLOWED",
-    WEAK_PASSWORD = "SIGNUP_WEAK_PASSWORD",
-    PASSWORD_RESET_CODE_INVALID = "PASSWORD_RESET_CODE_INVALID",
-    PASSWORD_RESET_CODE_EXPIRED = "PASSWORD_RESET_CODE_EXPIRED",
-    PASSWORD_RESET_MAX_ATTEMPTS = "PASSWORD_RESET_MAX_ATTEMPTS",
-    RATE_LIMIT_PASSWORD_RESET = "RATE_LIMIT_PASSWORD_RESET",
-    SIGNIN_BLOCKED_HIGH_RISK = "SIGNIN_BLOCKED_HIGH_RISK",
-    RESOURCE_NOT_FOUND = "RESOURCE_NOT_FOUND",
-    FORBIDDEN = "FORBIDDEN",
-    INTERNAL_ERROR = "INTERNAL_ERROR",
-    SERVICE_UNAVAILABLE = "SERVICE_UNAVAILABLE"
-}
-/**
- * Structured client error.
- */
-interface NAuthError {
-    code: NAuthErrorCode;
-    message: string;
-    details?: Record<string, unknown>;
-    timestamp?: string;
-    statusCode?: number;
-}
-
-/**
- * Storage adapter interface used by the client SDK.
- */
-interface NAuthStorageAdapter {
-    /**
-     * Retrieve a value by key.
-     */
-    getItem(key: string): Promise<string | null>;
-    /**
-     * Persist a value.
-     */
-    setItem(key: string, value: string): Promise<void>;
-    /**
-     * Remove a stored value.
-     */
-    removeItem(key: string): Promise<void>;
-    /**
-     * Clear all stored values.
-     */
-    clear(): Promise<void>;
-}
-
-/**
- * HTTP request configuration.
- *
- * Platform-agnostic request format that can be implemented by any HTTP client.
- */
-interface HttpRequest {
-    /**
-     * HTTP method
-     */
-    method: 'GET' | 'POST' | 'PUT' | 'DELETE' | 'PATCH';
-    /**
-     * Full URL (already resolved with baseUrl)
-     */
-    url: string;
-    /**
-     * Request headers
-     */
-    headers?: Record<string, string>;
-    /**
-     * Request body (will be JSON stringified by adapter)
-     */
-    body?: unknown;
-    /**
-     * Credentials mode for cookies
-     * - 'include': Send cookies (for cookies mode)
-     * - 'omit': Don't send cookies (for JSON mode)
-     */
-    credentials?: 'include' | 'omit' | 'same-origin';
-    /**
-     * Abort signal for request cancellation
-     */
-    signal?: AbortSignal;
-}
-/**
- * HTTP response returned by adapter.
- */
-interface HttpResponse<T> {
-    /**
-     * Response data (already parsed)
-     */
-    data: T;
-    /**
-     * HTTP status code
-     */
-    status: number;
-    /**
-     * Response headers
-     */
-    headers: Record<string, string>;
-}
-/**
- * Platform-agnostic HTTP adapter interface.
- *
- * Implementations:
- * - FetchAdapter: For vanilla JS, Node.js (uses native fetch)
- * - AngularHttpAdapter: For Angular (uses HttpClient)
- * - AxiosAdapter: For React/Vue (uses Axios)
- *
- * @example
- * ```typescript
- * class MyAdapter implements HttpAdapter {
- *   async request<T>(config: HttpRequest): Promise<HttpResponse<T>> {
- *     // Use any HTTP client
- *     const response = await myHttpClient.request(config);
- *     return { data: response.data, status: response.status, headers: {} };
- *   }
- * }
- * ```
- */
-interface HttpAdapter {
-    /**
-     * Execute an HTTP request.
-     *
-     * @param config - Request configuration
-     * @returns Response with data, status, and headers
-     * @throws Error if request fails (adapter should throw descriptive errors)
-     */
-    request<T>(config: HttpRequest): Promise<HttpResponse<T>>;
-}
-
-/**
- * Token delivery mode for the frontend SDK.
- *
- * - `'cookies'` - For web applications. Tokens sent as httpOnly cookies by backend.
- *   Uses `withCredentials`, CSRF tokens, no Authorization header.
- *
- * - `'json'` - For mobile/native apps (Capacitor, React Native). Tokens returned
- *   in response body, stored locally, sent via Authorization header.
- *
- * Note: "Hybrid" is a backend deployment pattern (supporting both web and mobile
- * via separate endpoints), not a frontend mode. The frontend chooses ONE mode
- * based on whether it's a web or mobile build.
- */
-type TokenDeliveryMode = 'json' | 'cookies';
-/**
- * Endpoint paths for the client SDK.
- */
-interface NAuthEndpoints {
-    login: string;
-    signup: string;
-    logout: string;
-    logoutAll: string;
-    refresh: string;
-    respondChallenge: string;
-    resendCode: string;
-    getSetupData: string;
-    getChallengeData: string;
-    profile: string;
-    changePassword: string;
-    requestPasswordChange: string;
-    forgotPassword: string;
-    confirmForgotPassword: string;
-    mfaStatus: string;
-    mfaDevices: string;
-    mfaSetupData: string;
-    mfaVerifySetup: string;
-    mfaRemove: string;
-    mfaPreferred: string;
-    mfaBackupCodes: string;
-    mfaExemption: string;
-    socialLinked: string;
-    socialLink: string;
-    socialUnlink: string;
-    socialVerify: string;
-    socialRedirectStart: string;
-    socialExchange: string;
-    trustDevice: string;
-    isTrustedDevice: string;
-    auditHistory: string;
-    updateProfile: string;
-}
-/**
- * Client configuration.
- */
-interface NAuthClientConfig {
-    /**
-     * Base URL for authentication API.
-     *
-     * For web apps using cookies: `'https://api.example.com/auth'`
-     * For mobile apps using JSON: `'https://api.example.com/mobile/auth'`
-     *
-     * When backend uses hybrid deployment, mobile apps should use a different
-     * base URL that points to the JSON-based mobile auth endpoints.
-     */
-    baseUrl: string;
-    /**
-     * How tokens are delivered between client and server.
-     *
-     * - `'cookies'` - For web apps. Backend sets httpOnly cookies.
-     * - `'json'` - For mobile apps. Tokens in response body, stored locally.
-     */
-    tokenDelivery: TokenDeliveryMode;
-    /** Custom storage adapter. Defaults to localStorage (web) or memory (SSR). */
-    storage?: NAuthStorageAdapter;
-    /**
-     * CSRF configuration (required for cookies mode).
-     * Default cookie name: 'csrf_token', header name: 'x-csrf-token'
-     */
-    csrf?: {
-        cookieName?: string;
-        headerName?: string;
-    };
-    /** Custom endpoint paths (merged with defaults). */
-    endpoints?: Partial<NAuthEndpoints>;
-    /** Device trust configuration for "remember this device" feature. */
-    deviceTrust?: {
-        headerName?: string;
-        storageKey?: string;
-    };
-    /** Additional headers to include in all requests. */
-    headers?: Record<string, string>;
-    /** Request timeout in milliseconds. Default: 30000 */
-    timeout?: number;
-    /**
-     * Redirect URLs for various authentication scenarios.
-     * Used by guards and interceptors to handle routing in a platform-agnostic way.
-     */
-    redirects?: {
-        /**
-         * URL to redirect to after successful authentication (login, signup, or OAuth).
-         * @default '/'
-         */
-        success?: string;
-        /**
-         * URL to redirect to when session expires (refresh fails with 401).
-         * @default '/login'
-         */
-        sessionExpired?: string;
-        /**
-         * URL to redirect to when OAuth authentication fails.
-         * @default '/login'
-         */
-        oauthError?: string;
-        /**
-         * Base URL for challenge routes (email verification, MFA, etc.).
-         * The challenge type will be appended (e.g., '/auth/challenge/verify-email').
-         * @default '/auth/challenge'
-         */
-        challengeBase?: string;
-    };
-    /**
-     * Called when session expires (refresh fails with 401).
-     */
-    onSessionExpired?: () => void;
-    /** Called after successful token refresh. */
-    onTokenRefresh?: () => void;
-    /** Called when authentication state changes (login/logout). */
-    onAuthStateChange?: (user: AuthUser | null) => void;
-    /** Called on authentication errors. */
-    onError?: (error: NAuthError) => void;
-    /** Enable debug logging. */
-    debug?: boolean;
-    /**
-     * HTTP adapter for making requests.
-     *
-     * - **Auto-provided in Angular**: Uses HttpClient (works with interceptors)
-     * - **Manual setup in React/Vue**: Provide AxiosAdapter or custom adapter
-     * - **Defaults to FetchAdapter**: If not provided, uses native fetch
-     *
-     * @example
-     * ```typescript
-     * // Angular (automatic)
-     * // AuthService auto-injects AngularHttpAdapter
-     *
-     * // React with Axios
-     * const client = new NAuthClient({
-     *   httpAdapter: new AxiosAdapter(axiosInstance),
-     * });
-     *
-     * // Vanilla JS (auto-defaults to fetch)
-     * const client = new NAuthClient({
-     *   // httpAdapter auto-defaults to FetchAdapter
-     * });
-     * ```
-     */
-    httpAdapter?: HttpAdapter;
-}
-
-/**
- * Injection token for providing NAuthClientConfig in Angular apps.
- */
-declare const NAUTH_CLIENT_CONFIG: InjectionToken<NAuthClientConfig>;
-
-/**
- * MFA device method type (methods that require device setup).
- * Excludes 'backup' as it's not a device method.
- */
-type MFADeviceMethod = 'sms' | 'email' | 'totp' | 'passkey';
-/**
- * All MFA methods including backup codes (for verification).
- */
-type MFAMethod = MFADeviceMethod | 'backup';
-/**
- * MFA challenge method subset (for challenge-data retrieval).
- */
-type MFAChallengeMethod = 'passkey' | 'sms' | 'email' | 'totp' | 'backup';
-/**
- * MFA status for authenticated user.
- */
-interface MFAStatus {
-    enabled: boolean;
-    required: boolean;
-    methods: MFADeviceMethod[];
-    availableMethods: MFAMethod[];
-    hasBackupCodes: boolean;
-    preferredMethod?: MFADeviceMethod;
-    mfaExempt: boolean;
-    mfaExemptReason: string | null;
-    mfaExemptGrantedAt: string | Date | null;
-}
-/**
- * MFA device information.
- */
-interface MFADevice {
-    id: number;
-    type: MFADeviceMethod;
-    name: string;
-    isPrimary: boolean;
-    isActive: boolean;
-    createdAt: string | Date;
-}
-/**
- * Response from getSetupData API call.
- * Contains provider-specific MFA setup information.
- */
-interface GetSetupDataResponse {
-    setupData: Record<string, unknown>;
-}
-/**
- * Response from getChallengeData API call.
- * Contains challenge-specific data (e.g., passkey options).
- */
-interface GetChallengeDataResponse {
-    challengeData: Record<string, unknown>;
-}
-
-/**
- * Authentication challenge types returned by the backend.
- */
-declare enum AuthChallenge {
-    VERIFY_EMAIL = "VERIFY_EMAIL",
-    VERIFY_PHONE = "VERIFY_PHONE",
-    MFA_REQUIRED = "MFA_REQUIRED",
-    MFA_SETUP_REQUIRED = "MFA_SETUP_REQUIRED",
-    FORCE_CHANGE_PASSWORD = "FORCE_CHANGE_PASSWORD"
-}
-
-interface AuthResponse {
-    user?: AuthUserSummary;
-    accessToken?: string;
-    refreshToken?: string;
-    accessTokenExpiresAt?: number;
-    refreshTokenExpiresAt?: number;
-    /**
-     * Authentication method used to create the current session.
-     *
-     * Examples:
-     * - `password`
-     * - `google`
-     * - `apple`
-     * - `facebook`
-     */
-    authMethod?: string;
-    trusted?: boolean;
-    deviceToken?: string;
-    challengeName?: AuthChallenge;
-    session?: string;
-    challengeParameters?: Record<string, unknown>;
-    userSub?: string;
-}
-/**
- * Minimal user information returned inside auth responses.
- */
-interface AuthUserSummary {
-    sub: string;
-    email: string;
-    firstName?: string | null;
-    lastName?: string | null;
-    phone?: string | null;
-    isEmailVerified: boolean;
-    isPhoneVerified?: boolean;
-    socialProviders?: string[] | null;
-    hasPasswordHash?: boolean;
-}
-/**
- * Token response returned by refresh endpoint.
- */
-interface TokenResponse {
-    accessToken: string;
-    refreshToken: string;
-    accessTokenExpiresAt: number;
-    refreshTokenExpiresAt: number;
-}
-/**
- * Signup request payload.
- */
-interface SignupRequest {
-    email: string;
-    password: string;
-    firstName?: string;
-    lastName?: string;
-    phone?: string;
-    metadata?: Record<string, unknown>;
-}
-/**
- * MFA setup data request payload during challenge flows.
- */
-interface GetSetupDataRequest {
-    session: string;
-    method: MFAMethod;
-}
-/**
- * Challenge data request payload (e.g., passkey options).
- */
-interface GetChallengeDataRequest {
-    session: string;
-    method: MFAChallengeMethod;
-}
-/**
- * Unified challenge response discriminated union.
- */
-type ChallengeResponse = VerifyEmailResponse | VerifyPhoneCollectResponse | VerifyPhoneCodeResponse | MFACodeResponse | MFAPasskeyResponse | MFASetupResponse | ForceChangePasswordResponse;
-/**
- * Base challenge response shape.
- */
-interface BaseChallengeResponse {
-    session: string;
-}
-interface VerifyEmailResponse extends BaseChallengeResponse {
-    type: AuthChallenge.VERIFY_EMAIL;
-    code: string;
-}
-interface VerifyPhoneCollectResponse extends BaseChallengeResponse {
-    type: AuthChallenge.VERIFY_PHONE;
-    phone: string;
-}
-interface VerifyPhoneCodeResponse extends BaseChallengeResponse {
-    type: AuthChallenge.VERIFY_PHONE;
-    code: string;
-}
-interface MFACodeResponse extends BaseChallengeResponse {
-    type: AuthChallenge.MFA_REQUIRED;
-    method: MFAMethod;
-    code: string;
-}
-interface MFAPasskeyResponse extends BaseChallengeResponse {
-    type: AuthChallenge.MFA_REQUIRED;
-    method: 'passkey';
-    credential: Record<string, unknown>;
-}
-interface MFASetupResponse extends BaseChallengeResponse {
-    type: AuthChallenge.MFA_SETUP_REQUIRED;
-    method: MFAMethod;
-    setupData: Record<string, unknown>;
-}
-interface ForceChangePasswordResponse extends BaseChallengeResponse {
-    type: AuthChallenge.FORCE_CHANGE_PASSWORD;
-    newPassword: string;
-}
-
-/**
- * Client-side error wrapper for SDK operations.
- *
- * Mirrors the backend NAuthException structure for consistent error handling.
- *
- * @example
- * ```typescript
- * try {
- *   await client.login({ identifier: 'user@example.com', password: 'wrong' });
- * } catch (error) {
- *   if (error instanceof NAuthClientError) {
- *     console.log(error.code); // 'AUTH_INVALID_CREDENTIALS'
- *     console.log(error.message); // 'Invalid credentials'
- *     console.log(error.timestamp); // '2025-12-06T...'
- *
- *     // Check specific error code
- *     if (error.isCode(NAuthErrorCode.RATE_LIMIT_LOGIN)) {
- *       const retryAfter = error.details?.retryAfter as number;
- *       console.log(`Rate limited. Retry in ${retryAfter}s`);
- *     }
- *   }
- * }
- * ```
- */
-declare class NAuthClientError extends Error implements NAuthError {
-    readonly code: NAuthErrorCode;
-    readonly details?: Record<string, unknown>;
-    readonly statusCode?: number;
-    readonly timestamp: string;
-    readonly isNetworkError: boolean;
-    /**
-     * Create a new client error.
-     *
-     * @param code - Error code from NAuthErrorCode enum
-     * @param message - Human-readable error message
-     * @param options - Optional metadata including details, statusCode, timestamp, and network error flag
-     */
-    constructor(code: NAuthErrorCode, message: string, options?: {
-        details?: Record<string, unknown>;
-        statusCode?: number;
-        timestamp?: string;
-        isNetworkError?: boolean;
-    });
-    /**
-     * Check if error matches a specific error code.
-     *
-     * @param code - Error code to check against
-     * @returns True if the error code matches
-     *
-     * @example
-     * ```typescript
-     * if (error.isCode(NAuthErrorCode.RATE_LIMIT_SMS)) {
-     *   // Handle SMS rate limit
-     * }
-     * ```
-     */
-    isCode(code: NAuthErrorCode): boolean;
-    /**
-     * Get error details/metadata.
-     *
-     * @returns Error details object or undefined
-     *
-     * @example
-     * ```typescript
-     * const details = error.getDetails();
-     * if (details?.retryAfter) {
-     *   console.log(`Retry after ${details.retryAfter} seconds`);
-     * }
-     * ```
-     */
-    getDetails(): Record<string, unknown> | undefined;
-    /**
-     * Get the error code.
-     *
-     * @returns The error code enum value
-     */
-    getCode(): NAuthErrorCode;
-    /**
-     * Serialize error to JSON object.
-     *
-     * @returns Plain object representation
-     *
-     * @example
-     * ```typescript
-     * const errorJson = error.toJSON();
-     * // { code: 'AUTH_INVALID_CREDENTIALS', message: '...', timestamp: '...', details: {...} }
-     * ```
-     */
-    toJSON(): {
-        code: string;
-        message: string;
-        timestamp: string;
-        details?: Record<string, unknown>;
-        statusCode?: number;
-    };
-}
-
-/**
- * Authentication event types emitted by NAuthClient
- *
- * Events are emitted throughout the authentication lifecycle,
- * allowing applications to react to auth state changes.
- */
-type AuthEventType = 'auth:login' | 'auth:signup' | 'auth:success' | 'auth:challenge' | 'auth:error' | 'auth:logout' | 'auth:refresh' | 'oauth:started' | 'oauth:callback' | 'oauth:completed' | 'oauth:error';
-/**
- * Discriminated union of all authentication events with type-safe payloads
- *
- * Each event has a specific payload type for better type safety.
- */
-type AuthEvent = AuthLoginEvent | AuthSignupEvent | AuthSuccessEvent | AuthChallengeEvent | AuthErrorEvent | AuthLogoutEvent | AuthRefreshEvent | OAuthStartedEvent | OAuthCallbackEvent | OAuthCompletedEvent | OAuthErrorEvent;
-/**
- * Login initiated event
- */
-interface AuthLoginEvent {
-    type: 'auth:login';
-    data: {
-        identifier: string;
-    };
-    timestamp: number;
-}
-/**
- * Signup initiated event
- */
-interface AuthSignupEvent {
-    type: 'auth:signup';
-    data: {
-        email: string;
-    };
-    timestamp: number;
-}
-/**
- * Successful authentication event
- */
-interface AuthSuccessEvent {
-    type: 'auth:success';
-    data: AuthResponse;
-    timestamp: number;
-}
-/**
- * Challenge required event
- */
-interface AuthChallengeEvent {
-    type: 'auth:challenge';
-    data: AuthResponse;
-    timestamp: number;
-}
-/**
- * Authentication error event
- */
-interface AuthErrorEvent {
-    type: 'auth:error';
-    data: NAuthClientError;
-    timestamp: number;
-}
-/**
- * User logged out event
- */
-interface AuthLogoutEvent {
-    type: 'auth:logout';
-    data: {
-        forgetDevice?: boolean;
-        global?: boolean;
-    };
-    timestamp: number;
-}
-/**
- * Token refreshed event
- */
-interface AuthRefreshEvent {
-    type: 'auth:refresh';
-    data: {
-        success: boolean;
-    };
-    timestamp: number;
-}
-/**
- * OAuth flow started event
- */
-interface OAuthStartedEvent {
-    type: 'oauth:started';
-    data: {
-        provider: string;
-    };
-    timestamp: number;
-}
-/**
- * OAuth callback received event
- */
-interface OAuthCallbackEvent {
-    type: 'oauth:callback';
-    data: {
-        provider: string;
-    };
-    timestamp: number;
-}
-/**
- * OAuth flow completed event
- */
-interface OAuthCompletedEvent {
-    type: 'oauth:completed';
-    data: AuthResponse;
-    timestamp: number;
-}
-/**
- * OAuth error event
- */
-interface OAuthErrorEvent {
-    type: 'oauth:error';
-    data: NAuthClientError;
-    timestamp: number;
-}
-/**
- * Event listener callback function
- */
-type AuthEventListener = (event: AuthEvent) => void;
-
-/**
- * Social provider identifiers.
- */
-type SocialProvider = 'google' | 'apple' | 'facebook';
-/**
- * Options for starting a redirect-first social login flow.
- *
- * This is a web-first API:
- * - Browser navigates to backend `/auth/social/:provider/redirect`
- * - Backend completes OAuth, sets cookies (or returns exchange token), and redirects back
- */
-interface SocialLoginOptions {
-    /**
-     * Frontend route (recommended) or URL to redirect to after the backend callback completes.
-     * Default: config.redirects.success || '/'
-     */
-    returnTo?: string;
-    /**
-     * Optional application state to round-trip back to the frontend.
-     * Must be treated as non-secret.
-     */
-    appState?: string;
-    /**
-     * Optional flow action.
-     * Default: 'login'
-     */
-    action?: 'login' | 'link';
-}
-/**
- * Linked social accounts response.
- */
-interface LinkedAccountsResponse {
-    providers: SocialProvider[];
-}
-/**
- * Native social verification request (mobile).
- */
-interface SocialVerifyRequest {
-    provider: SocialProvider;
-    idToken?: string;
-    accessToken?: string;
-    authorizationCode?: string;
-}
-
-/**
- * Audit event types.
- */
-declare enum AuthAuditEventType {
-    LOGIN_SUCCESS = "LOGIN_SUCCESS",
-    LOGIN_FAILED = "LOGIN_FAILED",
-    LOGOUT = "LOGOUT",
-    TOKEN_REFRESH = "TOKEN_REFRESH",
-    TOKEN_REVOKED = "TOKEN_REVOKED",
-    SIGNUP_SUCCESS = "SIGNUP_SUCCESS",
-    SIGNUP_FAILED = "SIGNUP_FAILED",
-    EMAIL_VERIFIED = "EMAIL_VERIFIED",
-    PHONE_VERIFIED = "PHONE_VERIFIED",
-    VERIFICATION_FAILED = "VERIFICATION_FAILED",
-    MFA_ENABLED = "MFA_ENABLED",
-    MFA_DISABLED = "MFA_DISABLED",
-    MFA_VERIFIED = "MFA_VERIFIED",
-    MFA_FAILED = "MFA_FAILED",
-    MFA_BACKUP_CODE_USED = "MFA_BACKUP_CODE_USED",
-    PASSWORD_CHANGED = "PASSWORD_CHANGED",
-    PASSWORD_RESET_REQUESTED = "PASSWORD_RESET_REQUESTED",
-    PASSWORD_RESET_COMPLETED = "PASSWORD_RESET_COMPLETED",
-    ACCOUNT_LOCKED = "ACCOUNT_LOCKED",
-    ACCOUNT_UNLOCKED = "ACCOUNT_UNLOCKED",
-    SUSPICIOUS_ACTIVITY = "SUSPICIOUS_ACTIVITY",
-    ADAPTIVE_MFA_TRIGGERED = "ADAPTIVE_MFA_TRIGGERED",
-    SOCIAL_LINK_SUCCESS = "SOCIAL_LINK_SUCCESS",
-    SOCIAL_LINK_FAILED = "SOCIAL_LINK_FAILED",
-    SOCIAL_UNLINK = "SOCIAL_UNLINK"
-}
-/**
- * Audit event status.
- */
-type AuthAuditEventStatus = 'SUCCESS' | 'FAILURE' | 'INFO' | 'SUSPICIOUS';
-/**
- * Individual audit event record.
- */
-interface AuthAuditEvent {
-    id: number;
-    userId: number;
-    eventType: AuthAuditEventType;
-    eventStatus: AuthAuditEventStatus;
-    riskFactor?: number | null;
-    riskFactors?: string[] | null;
-    adaptiveMfaTriggered?: boolean | null;
-    ipAddress?: string | null;
-    ipCountry?: string | null;
-    ipCity?: string | null;
-    ipLatitude?: number | null;
-    ipLongitude?: number | null;
-    userAgent?: string | null;
-    platform?: string | null;
-    browser?: string | null;
-    deviceId?: string | null;
-    deviceName?: string | null;
-    deviceType?: string | null;
-    sessionId?: number | null;
-    challengeSessionId?: number | null;
-    authMethod?: string | null;
-    performedBy?: string | null;
-    reason?: string | null;
-    description?: string | null;
-    metadata?: Record<string, unknown> | null;
-    createdAt: string | Date;
-}
-/**
- * Paginated audit history response.
- */
-interface AuditHistoryResponse {
-    data: AuthAuditEvent[];
-    total: number;
-    page: number;
-    limit: number;
-    totalPages: number;
-}
-
-/**
- * Primary client for interacting with nauth-toolkit backend.
- */
-declare class NAuthClient {
-    private readonly config;
-    private readonly tokenManager;
-    private readonly eventEmitter;
-    private currentUser;
-    /**
-     * Create a new client instance.
-     *
-     * @param userConfig - Client configuration
-     */
-    constructor(userConfig: NAuthClientConfig);
-    /**
-     * Clean up resources.
-     */
-    dispose(): void;
-    /**
-     * Login with identifier and password.
-     */
-    login(identifier: string, password: string): Promise<AuthResponse>;
-    /**
-     * Signup with credentials.
-     */
-    signup(payload: SignupRequest): Promise<AuthResponse>;
-    /**
-     * Refresh tokens manually.
-     */
-    refreshTokens(): Promise<TokenResponse>;
-    /**
-     * Logout current session.
-     *
-     * Uses GET request to avoid CSRF token issues.
-     *
-     * @param forgetDevice - If true, also untrust the device (require MFA on next login)
-     */
-    logout(forgetDevice?: boolean): Promise<void>;
-    /**
-     * Logout all sessions.
-     *
-     * Revokes all active sessions for the current user across all devices.
-     * Optionally revokes all trusted devices if forgetDevices is true.
-     *
-     * @param forgetDevices - If true, also revokes all trusted devices (default: false)
-     * @returns Number of sessions revoked
-     */
-    logoutAll(forgetDevices?: boolean): Promise<{
-        revokedCount: number;
-    }>;
-    /**
-     * Respond to a challenge.
-     *
-     * Validates challenge response data before sending to backend.
-     * Provides helpful error messages for common validation issues.
-     *
-     * @param response - Challenge response data
-     * @returns Auth response from backend
-     * @throws {NAuthClientError} If validation fails
-     */
-    respondToChallenge(response: ChallengeResponse): Promise<AuthResponse>;
-    /**
-     * Resend a challenge code.
-     */
-    resendCode(session: string): Promise<{
-        destination: string;
-    }>;
-    /**
-     * Get setup data for MFA.
-     *
-     * Returns method-specific setup information:
-     * - TOTP: { secret, qrCode, manualEntryKey }
-     * - SMS: { maskedPhone }
-     * - Email: { maskedEmail }
-     * - Passkey: WebAuthn registration options
-     *
-     * @param session - Challenge session token
-     * @param method - MFA method to set up
-     * @returns Setup data wrapped in GetSetupDataResponse
-     */
-    getSetupData(session: string, method: GetSetupDataRequest['method']): Promise<GetSetupDataResponse>;
-    /**
-     * Get challenge data (e.g., WebAuthn options).
-     *
-     * Returns challenge-specific data for verification flows.
-     *
-     * @param session - Challenge session token
-     * @param method - Challenge method to get data for
-     * @returns Challenge data wrapped in GetChallengeDataResponse
-     */
-    getChallengeData(session: string, method: GetChallengeDataRequest['method']): Promise<GetChallengeDataResponse>;
-    /**
-     * Get current user profile.
-     */
-    getProfile(): Promise<AuthUser>;
-    /**
-     * Update user profile.
-     */
-    updateProfile(updates: UpdateProfileRequest): Promise<AuthUser>;
-    /**
-     * Change user password.
-     */
-    changePassword(oldPassword: string, newPassword: string): Promise<void>;
-    /**
-     * Request a password reset code (forgot password).
-     */
-    forgotPassword(identifier: string): Promise<ForgotPasswordResponse>;
-    /**
-     * Confirm a password reset code and set a new password.
-     */
-    confirmForgotPassword(identifier: string, code: string, newPassword: string): Promise<ConfirmForgotPasswordResponse>;
-    /**
-     * Request password change (must change on next login).
-     */
-    requestPasswordChange(): Promise<void>;
-    /**
-     * Get MFA status.
-     */
-    getMfaStatus(): Promise<MFAStatus>;
-    /**
-     * Get MFA devices.
-     */
-    getMfaDevices(): Promise<unknown[]>;
-    /**
-     * Setup MFA device (authenticated user).
-     */
-    setupMfaDevice(method: string): Promise<unknown>;
-    /**
-     * Verify MFA setup (authenticated user).
-     */
-    verifyMfaSetup(method: string, setupData: Record<string, unknown>, deviceName?: string): Promise<{
-        deviceId: number;
-    }>;
-    /**
-     * Remove MFA method.
-     */
-    removeMfaDevice(method: string): Promise<{
-        message: string;
-    }>;
-    /**
-     * Set preferred MFA method.
-     *
-     * @param method - Device method to set as preferred ('totp', 'sms', 'email', or 'passkey'). Cannot be 'backup'.
-     * @returns Success message
-     */
-    setPreferredMfaMethod(method: 'totp' | 'sms' | 'email' | 'passkey'): Promise<{
-        message: string;
-    }>;
-    /**
-     * Generate backup codes.
-     */
-    generateBackupCodes(): Promise<string[]>;
-    /**
-     * Set MFA exemption (admin/test scenarios).
-     */
-    setMfaExemption(exempt: boolean, reason?: string): Promise<void>;
-    /**
-     * Subscribe to authentication events.
-     *
-     * Emits events throughout the auth lifecycle for custom logic, analytics, or UI updates.
-     *
-     * @param event - Event type to listen for, or '*' for all events
-     * @param listener - Callback function to handle the event
-     * @returns Unsubscribe function
-     *
-     * @example
-     * ```typescript
-     * // Listen to successful authentication
-     * const unsubscribe = client.on('auth:success', (event) => {
-     *   console.log('User logged in:', event.data.user);
-     *   analytics.track('login_success');
-     * });
-     *
-     * // Listen to all events
-     * client.on('*', (event) => {
-     *   console.log('Auth event:', event.type, event.data);
-     * });
-     *
-     * // Unsubscribe when done
-     * unsubscribe();
-     * ```
-     */
-    on(event: AuthEventType | '*', listener: AuthEventListener): () => void;
-    /**
-     * Unsubscribe from authentication events.
-     *
-     * @param event - Event type
-     * @param listener - Callback function to remove
-     */
-    off(event: AuthEventType | '*', listener: AuthEventListener): void;
-    /**
-     * Start redirect-first social OAuth flow (web).
-     *
-     * This performs a browser navigation to:
-     * `GET {baseUrl}/social/:provider/redirect?returnTo=...&appState=...`
-     *
-     * The backend:
-     * - generates and stores CSRF state (cluster-safe)
-     * - redirects the user to the provider
-     * - completes OAuth on callback and sets cookies (or issues an exchange token)
-     * - redirects back to `returnTo` with `appState` (and `exchangeToken` for json/hybrid)
-     *
-     * @param provider - OAuth provider ('google', 'apple', 'facebook')
-     * @param options - Optional redirect options
-     *
-     * @example
-     * ```typescript
-     * await client.loginWithSocial('google', { returnTo: '/auth/callback', appState: '12345' });
-     * ```
-     */
-    loginWithSocial(provider: SocialProvider, options?: SocialLoginOptions): Promise<void>;
-    /**
-     * Exchange an `exchangeToken` (from redirect callback URL) into an AuthResponse.
-     *
-     * Used for `tokenDelivery: 'json'` or hybrid flows where the backend redirects back
-     * with `exchangeToken` instead of setting cookies.
-     *
-     * @param exchangeToken - One-time exchange token from the callback URL
-     * @returns AuthResponse
-     */
-    exchangeSocialRedirect(exchangeToken: string): Promise<AuthResponse>;
-    /**
-     * Verify native social token (mobile).
-     */
-    verifyNativeSocial(request: SocialVerifyRequest): Promise<AuthResponse>;
-    /**
-     * Get linked accounts.
-     */
-    getLinkedAccounts(): Promise<LinkedAccountsResponse>;
-    /**
-     * Link social account.
-     */
-    linkSocialAccount(provider: string, code: string, state: string): Promise<{
-        message: string;
-    }>;
-    /**
-     * Unlink social account.
-     */
-    unlinkSocialAccount(provider: string): Promise<{
-        message: string;
-    }>;
-    /**
-     * Trust current device.
-     */
-    trustDevice(): Promise<{
-        deviceToken: string;
-    }>;
-    /**
-     * Check if the current device is trusted.
-     *
-     * Returns whether the current device is trusted based on the device token
-     * (from cookie in cookies mode, or header in JSON mode).
-     *
-     * This performs a server-side validation of the device token and checks:
-     * - Device token exists and is valid
-     * - Device token matches a trusted device record in the database
-     * - Trust has not expired
-     *
-     * @returns Object with trusted status
-     *
-     * @example
-     * ```typescript
-     * const result = await client.isTrustedDevice();
-     * if (result.trusted) {
-     *   console.log('This device is trusted');
-     * }
-     * ```
-     */
-    isTrustedDevice(): Promise<{
-        trusted: boolean;
-    }>;
-    /**
-     * Get paginated audit history for the current user.
-     *
-     * Returns authentication and security events with full audit details including:
-     * - Event type (login, logout, MFA, etc.)
-     * - Event status (success, failure, suspicious)
-     * - Device information, location, risk factors
-     *
-     * @param params - Query parameters for filtering and pagination
-     * @returns Paginated audit history response
-     *
-     * @example
-     * ```typescript
-     * const history = await client.getAuditHistory({
-     *   page: 1,
-     *   limit: 20,
-     *   eventType: 'LOGIN_SUCCESS'
-     * });
-     * ```
-     */
-    getAuditHistory(params?: Record<string, string | number | boolean>): Promise<AuditHistoryResponse>;
-    /**
-     * Initialize client by hydrating state from storage.
-     * Call this on app startup to restore auth state.
-     */
-    initialize(): Promise<void>;
-    /**
-     * Determine if user is authenticated (async - checks tokens).
-     */
-    isAuthenticated(): Promise<boolean>;
-    /**
-     * Determine if user is authenticated (sync - checks cached user).
-     * Use this for guards and sync checks. Use `isAuthenticated()` for definitive check.
-     */
-    isAuthenticatedSync(): boolean;
-    /**
-     * Get current access token (may be null).
-     */
-    getAccessToken(): Promise<string | null>;
-    /**
-     * Get current user (cached, sync).
-     */
-    getCurrentUser(): AuthUser | null;
-    /**
-     * Get stored challenge session (for resuming challenge flows).
-     */
-    getStoredChallenge(): Promise<AuthResponse | null>;
-    /**
-     * Clear stored challenge session.
-     */
-    clearStoredChallenge(): Promise<void>;
-    /**
-     * Internal: handle auth response (tokens or challenge).
-     *
-     * In cookies mode: Tokens are set as httpOnly cookies by backend, not stored in client storage.
-     * In JSON mode: Tokens are stored in tokenManager for Authorization header.
-     */
-    private handleAuthResponse;
-    /**
-     * Persist challenge state.
-     */
-    private persistChallenge;
-    /**
-     * Clear challenge state.
-     */
-    private clearChallenge;
-    /**
-     * Persist user.
-     */
-    private setUser;
-    /**
-     * Clear all auth state.
-     *
-     * @param forgetDevice - If true, also clear device token (for JSON mode)
-     */
-    private clearAuthState;
-    /**
-     * Persist device token (json mode mobile).
-     */
-    private setDeviceToken;
-    /**
-     * Determine token delivery mode for this environment.
-     */
-    private getTokenDeliveryMode;
-    /**
-     * Build request URL by combining baseUrl with path.
-     * @private
-     */
-    private buildUrl;
-    /**
-     * Build request headers for authentication.
-     * @private
-     */
-    private buildHeaders;
-    /**
-     * Get CSRF token from cookie (browser only).
-     * @private
-     */
-    private getCsrfToken;
-    /**
-     * Execute GET request.
-     * Note: 401 refresh is handled by framework interceptors (Angular) or manually.
-     */
-    private get;
-    /**
-     * Execute POST request.
-     * Note: 401 refresh is handled by framework interceptors (Angular) or manually.
-     */
-    private post;
-    /**
-     * Execute PUT request.
-     * Note: 401 refresh is handled by framework interceptors (Angular) or manually.
-     */
-    private put;
-    /**
-     * Execute DELETE request.
-     * Note: 401 refresh is handled by framework interceptors (Angular) or manually.
-     */
-    private delete;
-    /**
-     * Handle cross-tab storage updates.
-     */
-    private readonly handleStorageEvent;
-}
-
-/**
- * Angular wrapper around NAuthClient that provides promise-based auth methods and reactive state.
- *
- * This service provides:
- * - Reactive state (currentUser$, isAuthenticated$, challenge$)
- * - All core auth methods as Promises (login, signup, logout, refresh)
- * - Profile management (getProfile, updateProfile, changePassword)
- * - Challenge flow methods (respondToChallenge, resendCode)
- * - MFA management (getMfaStatus, setupMfaDevice, etc.)
- * - Social authentication and account linking
- * - Device trust management
- * - Audit history
- *
- * @example
- * ```typescript
- * constructor(private auth: AuthService) {}
- *
- * // Reactive state
- * this.auth.currentUser$.subscribe(user => ...);
- * this.auth.isAuthenticated$.subscribe(isAuth => ...);
- *
- * // Auth operations with async/await
- * const response = await this.auth.login(email, password);
- *
- * // Profile management
- * await this.auth.changePassword(oldPassword, newPassword);
- * const user = await this.auth.updateProfile({ firstName: 'John' });
- *
- * // MFA operations
- * const status = await this.auth.getMfaStatus();
- * ```
- */
-declare class AuthService {
-    private injector?;
-    private readonly client;
-    private readonly config;
-    private readonly currentUserSubject;
-    private readonly isAuthenticatedSubject;
-    private readonly challengeSubject;
-    private readonly authEventsSubject;
-    private initialized;
-    /**
-     * @param config - Injected client configuration
-     *
-     * Note: AngularHttpAdapter is automatically injected via Angular DI.
-     * This ensures all requests go through Angular's HttpClient and interceptors.
-     */
-    constructor(config?: NAuthClientConfig, injector?: Injector | undefined);
-    /**
-     * Current user observable.
-     */
-    get currentUser$(): Observable<AuthUser | null>;
-    /**
-     * Authenticated state observable.
-     */
-    get isAuthenticated$(): Observable<boolean>;
-    /**
-     * Current challenge observable (for reactive challenge navigation).
-     */
-    get challenge$(): Observable<AuthResponse | null>;
-    /**
-     * Authentication events stream.
-     * Emits all auth lifecycle events for custom logic, analytics, or UI updates.
-     */
-    get authEvents$(): Observable<AuthEvent>;
-    /**
-     * Successful authentication events stream.
-     * Emits when user successfully authenticates (login, signup, social auth).
-     */
-    get authSuccess$(): Observable<AuthEvent>;
-    /**
-     * Authentication error events stream.
-     * Emits when authentication fails (login error, OAuth error, etc.).
-     */
-    get authError$(): Observable<AuthEvent>;
-    /**
-     * Check if authenticated (sync, uses cached state).
-     */
-    isAuthenticated(): boolean;
-    /**
-     * Get current user (sync, uses cached state).
-     */
-    getCurrentUser(): AuthUser | null;
-    /**
-     * Get current challenge (sync).
-     */
-    getCurrentChallenge(): AuthResponse | null;
-    /**
-     * Login with identifier and password.
-     *
-     * @param identifier - User email or username
-     * @param password - User password
-     * @returns Promise with auth response or challenge
-     *
-     * @example
-     * ```typescript
-     * const response = await this.auth.login('user@example.com', 'password');
-     * if (response.challengeName) {
-     *   // Handle challenge
-     * } else {
-     *   // Login successful
-     * }
-     * ```
-     */
-    login(identifier: string, password: string): Promise<AuthResponse>;
-    /**
-     * Signup with credentials.
-     *
-     * @param payload - Signup request payload
-     * @returns Promise with auth response or challenge
-     *
-     * @example
-     * ```typescript
-     * const response = await this.auth.signup({
-     *   email: 'new@example.com',
-     *   password: 'SecurePass123!',
-     *   firstName: 'John',
-     * });
-     * ```
-     */
-    signup(payload: Parameters<NAuthClient['signup']>[0]): Promise<AuthResponse>;
-    /**
-     * Logout current session.
-     *
-     * @param forgetDevice - If true, removes device trust
-     *
-     * @example
-     * ```typescript
-     * await this.auth.logout();
-     * ```
-     */
-    logout(forgetDevice?: boolean): Promise<void>;
-    /**
-     * Logout all sessions.
-     *
-     * Revokes all active sessions for the current user across all devices.
-     * Optionally revokes all trusted devices if forgetDevices is true.
-     *
-     * @param forgetDevices - If true, also revokes all trusted devices (default: false)
-     * @returns Promise with number of sessions revoked
-     *
-     * @example
-     * ```typescript
-     * const result = await this.auth.logoutAll();
-     * console.log(`Revoked ${result.revokedCount} sessions`);
-     * ```
-     */
-    logoutAll(forgetDevices?: boolean): Promise<{
-        revokedCount: number;
-    }>;
-    /**
-     * Refresh tokens.
-     *
-     * @returns Promise with new tokens
-     *
-     * @example
-     * ```typescript
-     * const tokens = await this.auth.refresh();
-     * ```
-     */
-    refresh(): Promise<TokenResponse>;
-    /**
-     * Request a password reset code (forgot password).
-     *
-     * @param identifier - User email, username, or phone
-     * @returns Promise with password reset response
-     *
-     * @example
-     * ```typescript
-     * await this.auth.forgotPassword('user@example.com');
-     * ```
-     */
-    forgotPassword(identifier: string): Promise<ForgotPasswordResponse>;
-    /**
-     * Confirm a password reset code and set a new password.
-     *
-     * @param identifier - User email, username, or phone
-     * @param code - One-time reset code
-     * @param newPassword - New password
-     * @returns Promise with confirmation response
-     *
-     * @example
-     * ```typescript
-     * await this.auth.confirmForgotPassword('user@example.com', '123456', 'NewPass123!');
-     * ```
-     */
-    confirmForgotPassword(identifier: string, code: string, newPassword: string): Promise<ConfirmForgotPasswordResponse>;
-    /**
-     * Change user password (requires current password).
-     *
-     * @param oldPassword - Current password
-     * @param newPassword - New password (must meet requirements)
-     * @returns Promise that resolves when password is changed
-     *
-     * @example
-     * ```typescript
-     * await this.auth.changePassword('oldPassword123', 'newSecurePassword456!');
-     * ```
-     */
-    changePassword(oldPassword: string, newPassword: string): Promise<void>;
-    /**
-     * Request password change (must change on next login).
-     *
-     * @returns Promise that resolves when request is sent
-     *
-     * @example
-     * ```typescript
-     * await this.auth.requestPasswordChange();
-     * ```
-     */
-    requestPasswordChange(): Promise<void>;
-    /**
-     * Get current user profile.
-     *
-     * @returns Promise of current user profile
-     *
-     * @example
-     * ```typescript
-     * const user = await this.auth.getProfile();
-     * console.log('User profile:', user);
-     * ```
-     */
-    getProfile(): Promise<AuthUser>;
-    /**
-     * Update user profile.
-     *
-     * @param updates - Profile fields to update
-     * @returns Promise of updated user profile
-     *
-     * @example
-     * ```typescript
-     * const user = await this.auth.updateProfile({ firstName: 'John', lastName: 'Doe' });
-     * console.log('Profile updated:', user);
-     * ```
-     */
-    updateProfile(updates: UpdateProfileRequest): Promise<AuthUser>;
-    /**
-     * Respond to a challenge (VERIFY_EMAIL, VERIFY_PHONE, MFA_REQUIRED, etc.).
-     *
-     * @param response - Challenge response data
-     * @returns Promise with auth response or next challenge
-     *
-     * @example
-     * ```typescript
-     * const result = await this.auth.respondToChallenge({
-     *   session: challengeSession,
-     *   type: 'VERIFY_EMAIL',
-     *   code: '123456',
-     * });
-     * ```
-     */
-    respondToChallenge(response: ChallengeResponse): Promise<AuthResponse>;
-    /**
-     * Resend challenge code.
-     *
-     * @param session - Challenge session token
-     * @returns Promise with destination information
-     *
-     * @example
-     * ```typescript
-     * const result = await this.auth.resendCode(session);
-     * console.log('Code sent to:', result.destination);
-     * ```
-     */
-    resendCode(session: string): Promise<{
-        destination: string;
-    }>;
-    /**
-     * Get MFA setup data (for MFA_SETUP_REQUIRED challenge).
-     *
-     * Returns method-specific setup information:
-     * - TOTP: { secret, qrCode, manualEntryKey }
-     * - SMS: { maskedPhone }
-     * - Email: { maskedEmail }
-     * - Passkey: WebAuthn registration options
-     *
-     * @param session - Challenge session token
-     * @param method - MFA method to set up
-     * @returns Promise of setup data response
-     *
-     * @example
-     * ```typescript
-     * const setupData = await this.auth.getSetupData(session, 'totp');
-     * console.log('QR Code:', setupData.setupData.qrCode);
-     * ```
-     */
-    getSetupData(session: string, method: string): Promise<GetSetupDataResponse>;
-    /**
-     * Get MFA challenge data (for MFA_REQUIRED challenge - e.g., passkey options).
-     *
-     * @param session - Challenge session token
-     * @param method - Challenge method
-     * @returns Promise of challenge data response
-     *
-     * @example
-     * ```typescript
-     * const challengeData = await this.auth.getChallengeData(session, 'passkey');
-     * ```
-     */
-    getChallengeData(session: string, method: string): Promise<GetChallengeDataResponse>;
-    /**
-     * Clear stored challenge (when navigating away from challenge flow).
-     *
-     * @returns Promise that resolves when challenge is cleared
-     *
-     * @example
-     * ```typescript
-     * await this.auth.clearChallenge();
-     * ```
-     */
-    clearChallenge(): Promise<void>;
-    /**
-     * Initiate social OAuth login flow.
-     * Redirects the browser to backend `/auth/social/:provider/redirect`.
-     *
-     * @param provider - Social provider ('google', 'apple', 'facebook')
-     * @param options - Optional redirect options
-     * @returns Promise that resolves when redirect starts
-     *
-     * @example
-     * ```typescript
-     * await this.auth.loginWithSocial('google', { returnTo: '/auth/callback' });
-     * ```
-     */
-    loginWithSocial(provider: SocialProvider, options?: SocialLoginOptions): Promise<void>;
-    /**
-     * Exchange an exchangeToken (from redirect callback URL) into an AuthResponse.
-     *
-     * Used for `tokenDelivery: 'json'` or hybrid flows where the backend redirects back
-     * with `exchangeToken` instead of setting cookies.
-     *
-     * @param exchangeToken - One-time exchange token from the callback URL
-     * @returns Promise of AuthResponse
-     *
-     * @example
-     * ```typescript
-     * const response = await this.auth.exchangeSocialRedirect(exchangeToken);
-     * ```
-     */
-    exchangeSocialRedirect(exchangeToken: string): Promise<AuthResponse>;
-    /**
-     * Verify native social token (mobile).
-     *
-     * @param request - Social verification request with provider and token
-     * @returns Promise of AuthResponse
-     *
-     * @example
-     * ```typescript
-     * const result = await this.auth.verifyNativeSocial({
-     *   provider: 'google',
-     *   idToken: nativeIdToken,
-     * });
-     * ```
-     */
-    verifyNativeSocial(request: SocialVerifyRequest): Promise<AuthResponse>;
-    /**
-     * Get linked social accounts.
-     *
-     * @returns Promise of linked accounts response
-     *
-     * @example
-     * ```typescript
-     * const accounts = await this.auth.getLinkedAccounts();
-     * console.log('Linked providers:', accounts.providers);
-     * ```
-     */
-    getLinkedAccounts(): Promise<LinkedAccountsResponse>;
-    /**
-     * Link social account.
-     *
-     * @param provider - Social provider to link
-     * @param code - OAuth authorization code
-     * @param state - OAuth state parameter
-     * @returns Promise with success message
-     *
-     * @example
-     * ```typescript
-     * await this.auth.linkSocialAccount('google', code, state);
-     * ```
-     */
-    linkSocialAccount(provider: string, code: string, state: string): Promise<{
-        message: string;
-    }>;
-    /**
-     * Unlink social account.
-     *
-     * @param provider - Social provider to unlink
-     * @returns Promise with success message
-     *
-     * @example
-     * ```typescript
-     * await this.auth.unlinkSocialAccount('google');
-     * ```
-     */
-    unlinkSocialAccount(provider: string): Promise<{
-        message: string;
-    }>;
-    /**
-     * Get MFA status for the current user.
-     *
-     * @returns Promise of MFA status
-     *
-     * @example
-     * ```typescript
-     * const status = await this.auth.getMfaStatus();
-     * console.log('MFA enabled:', status.enabled);
-     * ```
-     */
-    getMfaStatus(): Promise<MFAStatus>;
-    /**
-     * Get MFA devices for the current user.
-     *
-     * @returns Promise of MFA devices array
-     *
-     * @example
-     * ```typescript
-     * const devices = await this.auth.getMfaDevices();
-     * ```
-     */
-    getMfaDevices(): Promise<MFADevice[]>;
-    /**
-     * Setup MFA device (authenticated user).
-     *
-     * @param method - MFA method to set up
-     * @returns Promise of setup data
-     *
-     * @example
-     * ```typescript
-     * const setupData = await this.auth.setupMfaDevice('totp');
-     * ```
-     */
-    setupMfaDevice(method: string): Promise<unknown>;
-    /**
-     * Verify MFA setup (authenticated user).
-     *
-     * @param method - MFA method
-     * @param setupData - Setup data from setupMfaDevice
-     * @param deviceName - Optional device name
-     * @returns Promise with device ID
-     *
-     * @example
-     * ```typescript
-     * const result = await this.auth.verifyMfaSetup('totp', { code: '123456' }, 'My Phone');
-     * ```
-     */
-    verifyMfaSetup(method: string, setupData: Record<string, unknown>, deviceName?: string): Promise<{
-        deviceId: number;
-    }>;
-    /**
-     * Remove MFA device.
-     *
-     * @param method - MFA method to remove
-     * @returns Promise with success message
-     *
-     * @example
-     * ```typescript
-     * await this.auth.removeMfaDevice('sms');
-     * ```
-     */
-    removeMfaDevice(method: string): Promise<{
-        message: string;
-    }>;
-    /**
-     * Set preferred MFA method.
-     *
-     * @param method - Device method to set as preferred ('totp', 'sms', 'email', or 'passkey')
-     * @returns Promise with success message
-     *
-     * @example
-     * ```typescript
-     * await this.auth.setPreferredMfaMethod('totp');
-     * ```
-     */
-    setPreferredMfaMethod(method: 'totp' | 'sms' | 'email' | 'passkey'): Promise<{
-        message: string;
-    }>;
-    /**
-     * Generate backup codes.
-     *
-     * @returns Promise of backup codes array
-     *
-     * @example
-     * ```typescript
-     * const codes = await this.auth.generateBackupCodes();
-     * console.log('Backup codes:', codes);
-     * ```
-     */
-    generateBackupCodes(): Promise<string[]>;
-    /**
-     * Set MFA exemption (admin/test scenarios).
-     *
-     * @param exempt - Whether to exempt user from MFA
-     * @param reason - Optional reason for exemption
-     * @returns Promise that resolves when exemption is set
-     *
-     * @example
-     * ```typescript
-     * await this.auth.setMfaExemption(true, 'Test account');
-     * ```
-     */
-    setMfaExemption(exempt: boolean, reason?: string): Promise<void>;
-    /**
-     * Trust current device.
-     *
-     * @returns Promise with device token
-     *
-     * @example
-     * ```typescript
-     * const result = await this.auth.trustDevice();
-     * console.log('Device trusted:', result.deviceToken);
-     * ```
-     */
-    trustDevice(): Promise<{
-        deviceToken: string;
-    }>;
-    /**
-     * Check if the current device is trusted.
-     *
-     * @returns Promise with trusted status
-     *
-     * @example
-     * ```typescript
-     * const result = await this.auth.isTrustedDevice();
-     * if (result.trusted) {
-     *   console.log('This device is trusted');
-     * }
-     * ```
-     */
-    isTrustedDevice(): Promise<{
-        trusted: boolean;
-    }>;
-    /**
-     * Get paginated audit history for the current user.
-     *
-     * @param params - Query parameters for filtering and pagination
-     * @returns Promise of audit history response
-     *
-     * @example
-     * ```typescript
-     * const history = await this.auth.getAuditHistory({
-     *   page: 1,
-     *   limit: 20,
-     *   eventType: 'LOGIN_SUCCESS'
-     * });
-     * console.log('Audit history:', history);
-     * ```
-     */
-    getAuditHistory(params?: Record<string, string | number | boolean>): Promise<AuditHistoryResponse>;
-    /**
-     * Expose underlying NAuthClient for advanced scenarios.
-     *
-     * @deprecated All core functionality is now exposed directly on AuthService as Promises.
-     * Use the direct methods on AuthService instead (e.g., `auth.changePassword()` instead of `auth.getClient().changePassword()`).
-     * This method is kept for backward compatibility only and may be removed in a future version.
-     *
-     * @returns The underlying NAuthClient instance
-     *
-     * @example
-     * ```typescript
-     * // Deprecated - use direct methods instead
-     * const status = await this.auth.getClient().getMfaStatus();
-     *
-     * // Preferred - use direct methods
-     * const status = await this.auth.getMfaStatus();
-     * ```
-     */
-    getClient(): NAuthClient;
-    /**
-     * Initialize by hydrating state from storage.
-     * Called automatically on construction.
-     */
-    private initialize;
-    /**
-     * Update challenge state after auth response.
-     */
-    private updateChallengeState;
-}
-
-/**
- * Angular HTTP interceptor for nauth-toolkit.
- *
- * Handles:
- * - Cookies mode: withCredentials + CSRF tokens + refresh via POST
- * - JSON mode: refresh via SDK, retry with new token
- */
-declare const authInterceptor: HttpInterceptorFn;
-/**
- * Class-based interceptor for NgModule compatibility.
- */
-declare class AuthInterceptor {
-    intercept(req: HttpRequest$1<unknown>, next: HttpHandlerFn): rxjs.Observable<_angular_common_http.HttpEvent<unknown>>;
-}
-
-/**
- * Functional route guard for authentication (Angular 17+).
- *
- * Protects routes by checking if user is authenticated.
- * Redirects to login page if not authenticated.
- *
- * @param redirectTo - Path to redirect to if not authenticated (default: '/login')
- * @returns CanActivateFn guard function
- *
- * @example
- * ```typescript
- * // In route configuration
- * const routes: Routes = [
- *   {
- *     path: 'home',
- *     component: HomeComponent,
- *     canActivate: [authGuard()]
- *   },
- *   {
- *     path: 'admin',
- *     component: AdminComponent,
- *     canActivate: [authGuard('/admin/login')]
- *   }
- * ];
- * ```
- */
-declare function authGuard(redirectTo?: string): CanActivateFn;
-/**
- * Class-based authentication guard for NgModule compatibility.
- *
- * @example
- * ```typescript
- * // In route configuration (NgModule)
- * const routes: Routes = [
- *   {
- *     path: 'home',
- *     component: HomeComponent,
- *     canActivate: [AuthGuard]
- *   }
- * ];
- *
- * // In module providers
- * @NgModule({
- *   providers: [AuthGuard]
- * })
- * ```
- */
-declare class AuthGuard {
-    private auth;
-    private router;
-    /**
-     * @param auth - Authentication service
-     * @param router - Angular router
-     */
-    constructor(auth: AuthService, router: Router);
-    /**
-     * Check if route can be activated.
-     *
-     * @returns True if authenticated, otherwise redirects to login
-     */
-    canActivate(): boolean | UrlTree;
-}
-
-/**
- * Social redirect callback route guard.
- *
- * This guard supports the redirect-first social flow where the backend redirects
- * back to the frontend with:
- * - `appState` (always optional)
- * - `exchangeToken` (present for json/hybrid flows, and for cookie flows that return a challenge)
- * - `error` / `error_description` (provider errors)
- *
- * Behavior:
- * - If `exchangeToken` exists: exchanges it via backend and redirects to success or challenge routes.
- * - If no `exchangeToken`: treat as cookie-success path and redirect to success route.
- * - If `error` exists: redirects to oauthError route.
- *
- * @example
- * ```typescript
- * import { socialRedirectCallbackGuard } from '@nauth-toolkit/client/angular';
- *
- * export const routes: Routes = [
- *   { path: 'auth/callback', canActivate: [socialRedirectCallbackGuard], component: CallbackComponent },
- * ];
- * ```
- */
-declare const socialRedirectCallbackGuard: CanActivateFn;
-
-/**
- * NgModule wrapper to provide configuration and interceptor.
- */
-declare class NAuthModule {
-    /**
-     * Configure the module with client settings.
-     *
-     * @param config - Client configuration
-     */
-    static forRoot(config: NAuthClientConfig): ModuleWithProviders<NAuthModule>;
-}
-
-/**
- * HTTP adapter for Angular using HttpClient.
- *
- * This adapter:
- * - Uses Angular's HttpClient for all requests
- * - Works with Angular's HTTP interceptors (including authInterceptor)
- * - Auto-provided via Angular DI (providedIn: 'root')
- * - Converts HttpClient responses to HttpResponse format
- * - Converts HttpErrorResponse to NAuthClientError
- *
- * Users don't need to configure this manually - it's automatically
- * injected when using AuthService in Angular apps.
- *
- * @example
- * ```typescript
- * // Automatic usage (no manual setup needed)
- * // AuthService automatically injects AngularHttpAdapter
- * constructor(private auth: AuthService) {}
- * ```
- */
-declare class AngularHttpAdapter implements HttpAdapter {
-    private readonly http;
-    /**
-     * Execute HTTP request using Angular's HttpClient.
-     *
-     * @param config - Request configuration
-     * @returns Response with parsed data
-     * @throws NAuthClientError if request fails
-     */
-    request<T>(config: HttpRequest): Promise<HttpResponse<T>>;
-}
-
-export { AngularHttpAdapter, AuthChallenge, type AuthEvent, type AuthEventListener, type AuthEventType, AuthGuard, AuthInterceptor, type AuthResponse, AuthService, type AuthUser, type ChallengeResponse, type HttpAdapter, type MFADeviceMethod, type MFAMethod, type MFAStatus, NAUTH_CLIENT_CONFIG, type NAuthClientConfig, NAuthModule, type SocialProvider, type TokenDeliveryMode, type TokenResponse, authGuard, authInterceptor, socialRedirectCallbackGuard };