npm - @nauth-toolkit/core - Versions diffs - 0.1.0 → 0.1.3 - Mend

@nauth-toolkit/core 0.1.0 → 0.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (184) hide show

package/LICENSE +90 -0
package/README.md +30 -0
package/package.json +7 -2
package/jest.config.js +0 -15
package/jest.setup.ts +0 -6
package/src/adapters/database-columns.ts +0 -165
package/src/adapters/express.adapter.ts +0 -385
package/src/adapters/fastify.adapter.ts +0 -416
package/src/adapters/index.ts +0 -16
package/src/adapters/storage.factory.ts +0 -143
package/src/bootstrap.ts +0 -374
package/src/dto/auth-challenge.dto.ts +0 -231
package/src/dto/auth-response.dto.ts +0 -253
package/src/dto/challenge-response.dto.ts +0 -234
package/src/dto/change-password-request.dto.ts +0 -50
package/src/dto/change-password-response.dto.ts +0 -29
package/src/dto/change-password.dto.ts +0 -57
package/src/dto/error-response.dto.ts +0 -136
package/src/dto/get-available-methods.dto.ts +0 -55
package/src/dto/get-challenge-data-response.dto.ts +0 -28
package/src/dto/get-challenge-data.dto.ts +0 -69
package/src/dto/get-client-info.dto.ts +0 -104
package/src/dto/get-device-token-response.dto.ts +0 -25
package/src/dto/get-events-by-type.dto.ts +0 -76
package/src/dto/get-ip-address-response.dto.ts +0 -24
package/src/dto/get-mfa-status.dto.ts +0 -94
package/src/dto/get-risk-assessment-history.dto.ts +0 -39
package/src/dto/get-session-id-response.dto.ts +0 -25
package/src/dto/get-setup-data-response.dto.ts +0 -31
package/src/dto/get-setup-data.dto.ts +0 -75
package/src/dto/get-suspicious-activity.dto.ts +0 -42
package/src/dto/get-user-agent-response.dto.ts +0 -23
package/src/dto/get-user-auth-history.dto.ts +0 -95
package/src/dto/get-user-by-email.dto.ts +0 -61
package/src/dto/get-user-by-id.dto.ts +0 -46
package/src/dto/get-user-devices.dto.ts +0 -53
package/src/dto/get-user-response.dto.ts +0 -17
package/src/dto/has-provider.dto.ts +0 -56
package/src/dto/index.ts +0 -57
package/src/dto/is-trusted-device-response.dto.ts +0 -34
package/src/dto/list-providers-response.dto.ts +0 -23
package/src/dto/login.dto.ts +0 -95
package/src/dto/logout-all-response.dto.ts +0 -24
package/src/dto/logout-all.dto.ts +0 -65
package/src/dto/logout-response.dto.ts +0 -25
package/src/dto/logout.dto.ts +0 -64
package/src/dto/refresh-token.dto.ts +0 -36
package/src/dto/remove-devices.dto.ts +0 -85
package/src/dto/resend-code-response.dto.ts +0 -32
package/src/dto/resend-code.dto.ts +0 -51
package/src/dto/reset-password.dto.ts +0 -115
package/src/dto/respond-challenge.dto.ts +0 -272
package/src/dto/set-mfa-exemption.dto.ts +0 -112
package/src/dto/set-must-change-password-response.dto.ts +0 -27
package/src/dto/set-must-change-password.dto.ts +0 -46
package/src/dto/set-preferred-method.dto.ts +0 -80
package/src/dto/setup-mfa.dto.ts +0 -98
package/src/dto/signup.dto.ts +0 -174
package/src/dto/social-auth.dto.ts +0 -422
package/src/dto/trust-device-response.dto.ts +0 -30
package/src/dto/trust-device.dto.ts +0 -9
package/src/dto/update-user-attributes-request.dto.ts +0 -51
package/src/dto/user-response.dto.ts +0 -138
package/src/dto/user-update.dto.ts +0 -222
package/src/dto/verify-email.dto.ts +0 -313
package/src/dto/verify-mfa-code.dto.ts +0 -103
package/src/dto/verify-phone-by-sub.dto.ts +0 -78
package/src/dto/verify-phone.dto.ts +0 -245
package/src/entities/auth-audit.entity.ts +0 -232
package/src/entities/challenge-session.entity.ts +0 -116
package/src/entities/index.ts +0 -29
package/src/entities/login-attempt.entity.ts +0 -64
package/src/entities/mfa-device.entity.ts +0 -151
package/src/entities/rate-limit.entity.ts +0 -44
package/src/entities/session.entity.ts +0 -180
package/src/entities/social-account.entity.ts +0 -96
package/src/entities/storage-lock.entity.ts +0 -39
package/src/entities/trusted-device.entity.ts +0 -112
package/src/entities/user.entity.ts +0 -243
package/src/entities/verification-token.entity.ts +0 -141
package/src/enums/auth-audit-event-type.enum.ts +0 -360
package/src/enums/error-codes.enum.ts +0 -420
package/src/enums/mfa-method.enum.ts +0 -97
package/src/enums/risk-factor.enum.ts +0 -111
package/src/exceptions/nauth.exception.ts +0 -231
package/src/handlers/auth.handler.ts +0 -260
package/src/handlers/client-info.handler.ts +0 -101
package/src/handlers/csrf.handler.ts +0 -156
package/src/handlers/token-delivery.handler.ts +0 -118
package/src/index.ts +0 -118
package/src/interfaces/client-info.interface.ts +0 -85
package/src/interfaces/config.interface.ts +0 -2135
package/src/interfaces/entities.interface.ts +0 -226
package/src/interfaces/index.ts +0 -15
package/src/interfaces/logger.interface.ts +0 -283
package/src/interfaces/mfa-provider.interface.ts +0 -154
package/src/interfaces/oauth.interface.ts +0 -148
package/src/interfaces/provider.interface.ts +0 -47
package/src/interfaces/social-auth-provider.interface.ts +0 -131
package/src/interfaces/storage-adapter.interface.ts +0 -82
package/src/interfaces/template.interface.ts +0 -510
package/src/interfaces/token-verifier.interface.ts +0 -110
package/src/internal.ts +0 -178
package/src/platform/interfaces.ts +0 -299
package/src/schemas/auth-config.schema.ts +0 -646
package/src/services/adaptive-mfa-decision.service.spec.ts +0 -1058
package/src/services/adaptive-mfa-decision.service.ts +0 -457
package/src/services/auth-audit.service.spec.ts +0 -675
package/src/services/auth-audit.service.ts +0 -558
package/src/services/auth-challenge-helper.service.spec.ts +0 -3227
package/src/services/auth-challenge-helper.service.ts +0 -825
package/src/services/auth-flow-context-builder.service.ts +0 -520
package/src/services/auth-flow-rules.ts +0 -202
package/src/services/auth-flow-state-definitions.ts +0 -190
package/src/services/auth-flow-state-machine.service.ts +0 -207
package/src/services/auth-flow-state-machine.types.ts +0 -316
package/src/services/auth.service.spec.ts +0 -4195
package/src/services/auth.service.ts +0 -3727
package/src/services/challenge.service.spec.ts +0 -1363
package/src/services/challenge.service.ts +0 -696
package/src/services/client-info.service.spec.ts +0 -572
package/src/services/client-info.service.ts +0 -374
package/src/services/csrf.service.ts +0 -54
package/src/services/email-verification.service.spec.ts +0 -1229
package/src/services/email-verification.service.ts +0 -578
package/src/services/geo-location.service.spec.ts +0 -603
package/src/services/geo-location.service.ts +0 -599
package/src/services/index.ts +0 -13
package/src/services/jwt.service.spec.ts +0 -882
package/src/services/jwt.service.ts +0 -621
package/src/services/mfa-base.service.spec.ts +0 -246
package/src/services/mfa-base.service.ts +0 -611
package/src/services/mfa.service.spec.ts +0 -693
package/src/services/mfa.service.ts +0 -960
package/src/services/password.service.spec.ts +0 -166
package/src/services/password.service.ts +0 -309
package/src/services/phone-verification.service.spec.ts +0 -1120
package/src/services/phone-verification.service.ts +0 -751
package/src/services/risk-detection.service.spec.ts +0 -1292
package/src/services/risk-detection.service.ts +0 -1012
package/src/services/risk-scoring.service.spec.ts +0 -204
package/src/services/risk-scoring.service.ts +0 -131
package/src/services/session.service.spec.ts +0 -1293
package/src/services/session.service.ts +0 -803
package/src/services/social-account.service.spec.ts +0 -725
package/src/services/social-auth-base.service.spec.ts +0 -418
package/src/services/social-auth-base.service.ts +0 -581
package/src/services/social-auth.service.spec.ts +0 -238
package/src/services/social-auth.service.ts +0 -436
package/src/services/social-provider-registry.service.spec.ts +0 -238
package/src/services/social-provider-registry.service.ts +0 -122
package/src/services/trusted-device.service.spec.ts +0 -505
package/src/services/trusted-device.service.ts +0 -339
package/src/storage/account-lockout-storage.service.spec.ts +0 -310
package/src/storage/account-lockout-storage.service.ts +0 -89
package/src/storage/index.ts +0 -3
package/src/storage/memory-storage.adapter.ts +0 -443
package/src/storage/rate-limit-storage.service.spec.ts +0 -247
package/src/storage/rate-limit-storage.service.ts +0 -38
package/src/templates/html-template.engine.spec.ts +0 -161
package/src/templates/html-template.engine.ts +0 -688
package/src/templates/index.ts +0 -7
package/src/utils/common-passwords.spec.ts +0 -230
package/src/utils/common-passwords.ts +0 -170
package/src/utils/context-storage.ts +0 -188
package/src/utils/cookie-names.util.ts +0 -67
package/src/utils/cookies.util.ts +0 -94
package/src/utils/index.ts +0 -12
package/src/utils/ip-extractor.spec.ts +0 -330
package/src/utils/ip-extractor.ts +0 -220
package/src/utils/nauth-logger.spec.ts +0 -388
package/src/utils/nauth-logger.ts +0 -215
package/src/utils/pii-redactor.spec.ts +0 -130
package/src/utils/pii-redactor.ts +0 -288
package/src/utils/setup/get-repositories.ts +0 -140
package/src/utils/setup/init-services.ts +0 -422
package/src/utils/setup/init-social.ts +0 -189
package/src/utils/setup/init-storage.ts +0 -94
package/src/utils/setup/register-mfa.ts +0 -165
package/src/utils/setup/run-nauth-migrations.ts +0 -61
package/src/utils/token-delivery-policy.ts +0 -38
package/src/validators/template.validator.ts +0 -219
package/tsconfig.json +0 -37
package/tsconfig.lint.json +0 -6

package/src/services/auth-flow-rules.ts DELETED Viewed

@@ -1,202 +0,0 @@
-import { AuthFlowContext, Rule } from './auth-flow-state-machine.types';
-/**
- * Rule Builder
- *
- * Utility class for composing complex rules using combinators.
- * Supports logical operations: all, any, not.
- *
- * @example
- * ```typescript
- * const complexRule = RuleBuilder.all([
- *   Rules.mustChangePassword,
- *   RuleBuilder.not(Rules.isMFAExempt)
- * ]);
- * ```
- */
-export class RuleBuilder {
-  /**
-   * Combine multiple rules with AND logic
-   * All rules must evaluate to true
-   *
-   * @param rules - Array of rules to combine
-   * @returns Combined rule that returns true only if all rules are true
-   *
-   * @example
-   * ```typescript
-   * const rule = RuleBuilder.all([
-   *   Rules.emailVerificationPending,
-   *   Rules.isNotSocialLogin
-   * ]);
-   * ```
-   */
-  static all(rules: Rule[]): Rule {
-    return (context: AuthFlowContext): boolean => {
-      return rules.every((rule) => rule(context));
-    };
-  }
-  /**
-   * Combine multiple rules with OR logic
-   * At least one rule must evaluate to true
-   *
-   * @param rules - Array of rules to combine
-   * @returns Combined rule that returns true if any rule is true
-   *
-   * @example
-   * ```typescript
-   * const rule = RuleBuilder.any([
-   *   Rules.isDeviceTrusted,
-   *   Rules.isMFAExempt
-   * ]);
-   * ```
-   */
-  static any(rules: Rule[]): Rule {
-    return (context: AuthFlowContext): boolean => {
-      return rules.some((rule) => rule(context));
-    };
-  }
-  /**
-   * Negate a rule
-   * Returns true when the rule returns false
-   *
-   * @param rule - Rule to negate
-   * @returns Negated rule
-   *
-   * @example
-   * ```typescript
-   * const rule = RuleBuilder.not(Rules.isMFAExempt);
-   * ```
-   */
-  static not(rule: Rule): Rule {
-    return (context: AuthFlowContext): boolean => {
-      return !rule(context);
-    };
-  }
-}
-/**
- * Authentication Flow Rules
- *
- * Declarative rules for evaluating authentication flow states.
- * Each rule is a pure function that evaluates to true or false based on context.
- *
- * Rules are used in state definitions to determine which state applies.
- */
-export const Rules = {
-  /**
-   * User must change password
-   * Priority: 1 (highest)
-   *
-   * @param context - Authentication flow context
-   * @returns True if user must change password
-   */
-  mustChangePassword: (context: AuthFlowContext): boolean => {
-    return context.user.mustChangePassword === true;
-  },
-  /**
-   * Email verification is pending
-   * Priority: 2
-   *
-   * @param context - Authentication flow context
-   * @returns True if email verification is required and not completed
-   */
-  emailVerificationPending: (context: AuthFlowContext): boolean => {
-    return context.computed.isEmailVerificationRequired;
-  },
-  /**
-   * Phone collection is needed
-   * Priority: 3
-   *
-   * @param context - Authentication flow context
-   * @returns True if phone collection is needed (user has no phone)
-   */
-  phoneCollectionNeeded: (context: AuthFlowContext): boolean => {
-    return context.computed.isPhoneCollectionNeeded;
-  },
-  /**
-   * Phone verification is pending
-   * Priority: 4
-   *
-   * @param context - Authentication flow context
-   * @returns True if phone verification is required and not completed
-   */
-  phoneVerificationPending: (context: AuthFlowContext): boolean => {
-    return context.computed.isPhoneVerificationRequired;
-  },
-  /**
-   * MFA setup is required
-   * Priority: 5
-   *
-   * @param context - Authentication flow context
-   * @returns True if MFA setup is required
-   */
-  mfaSetupRequired: (context: AuthFlowContext): boolean => {
-    return context.computed.isMFASetupRequired;
-  },
-  /**
-   * MFA verification is required
-   * Priority: 6
-   *
-   * @param context - Authentication flow context
-   * @returns True if MFA verification is required
-   */
-  mfaVerificationRequired: (context: AuthFlowContext): boolean => {
-    return context.computed.isMFAVerificationRequired;
-  },
-  /**
-   * Grace period is active (ADAPTIVE mode with MFA not enabled)
-   * Priority: 7
-   *
-   * This rule applies when:
-   * - Enforcement is ADAPTIVE
-   * - Grace period is active
-   * - MFA is not enabled
-   * - User is not blocked
-   *
-   * @param context - Authentication flow context
-   * @returns True if grace period is active and MFA not enabled
-   */
-  gracePeriodActiveAdaptive: (context: AuthFlowContext): boolean => {
-    const enforcement = context.config.mfa?.enforcement || 'OPTIONAL';
-    return (
-      enforcement === 'ADAPTIVE' &&
-      context.computed.isGracePeriodActive &&
-      !context.user.mfaEnabled &&
-      !context.computed.isBlocked
-    );
-  },
-  /**
-   * User is blocked from signing in
-   * Priority: 8
-   *
-   * @param context - Authentication flow context
-   * @returns True if user is blocked
-   */
-  isBlocked: (context: AuthFlowContext): boolean => {
-    return context.computed.isBlocked;
-  },
-  /**
-   * User is authenticated (no challenges pending)
-   * Priority: 9 (lowest - default state)
-   *
-   * This rule applies when no other state rules match.
-   * It's the default state when all challenges are complete.
-   *
-   * @param _context - Authentication flow context (unused - always returns true)
-   * @returns True if user is authenticated (always true as fallback)
-   */
-  authenticated: (_context: AuthFlowContext): boolean => {
-    // Always true - this is the default state when no other rules match
-    return true;
-  },
-};

package/src/services/auth-flow-state-definitions.ts DELETED Viewed

@@ -1,190 +0,0 @@
-import { AuthFlowState, StateDefinition, AuthFlowContext, ResponseMetadata } from './auth-flow-state-machine.types';
-import { AuthChallenge } from '../dto/auth-challenge.dto';
-import { Rules } from './auth-flow-rules';
-import { MFAMethod } from '../enums/mfa-method.enum';
-/**
- * Authentication Flow State Definitions
- *
- * Defines all possible states in the authentication flow with their:
- * - Priority (evaluation order, 1-9)
- * - Condition rules (when state applies)
- * - Challenge mappings (which AuthChallenge this state maps to)
- * - Metadata builders (optional additional response data)
- * - OnEnter hooks (optional actions when state is entered)
- *
- * States are evaluated in priority order. The first state whose condition
- * evaluates to true is selected.
- *
- * @example
- * ```typescript
- * const state = STATE_DEFINITIONS.find(def => def.condition(context));
- * ```
- */
-export const STATE_DEFINITIONS: StateDefinition[] = [
-  /**
-   * Priority 1: Force Password Change
-   * Highest priority - must be completed before any other challenges
-   */
-  {
-    state: AuthFlowState.PENDING_PASSWORD_CHANGE,
-    priority: 1,
-    condition: Rules.mustChangePassword,
-    challenge: AuthChallenge.FORCE_CHANGE_PASSWORD,
-  },
-  /**
-   * Priority 2: Email Verification
-   * Required before phone verification (sequential flow)
-   */
-  {
-    state: AuthFlowState.PENDING_EMAIL_VERIFICATION,
-    priority: 2,
-    condition: Rules.emailVerificationPending,
-    challenge: AuthChallenge.VERIFY_EMAIL,
-  },
-  /**
-   * Priority 3: Phone Collection
-   * User must provide phone number before verification
-   */
-  {
-    state: AuthFlowState.PENDING_PHONE_COLLECTION,
-    priority: 3,
-    condition: Rules.phoneCollectionNeeded,
-    challenge: AuthChallenge.VERIFY_PHONE,
-  },
-  /**
-   * Priority 4: Phone Verification
-   * Required after email verification (sequential flow)
-   */
-  {
-    state: AuthFlowState.PENDING_PHONE_VERIFICATION,
-    priority: 4,
-    condition: Rules.phoneVerificationPending,
-    challenge: AuthChallenge.VERIFY_PHONE,
-  },
-  /**
-   * Priority 5: MFA Setup Required
-   * Required when enforcement is REQUIRED/ADAPTIVE and grace period expired
-   */
-  {
-    state: AuthFlowState.PENDING_MFA_SETUP,
-    priority: 5,
-    condition: Rules.mfaSetupRequired,
-    challenge: AuthChallenge.MFA_SETUP_REQUIRED,
-    /**
-     * OnEnter hook: Auto-complete SMS MFA setup if phone is already verified
-     *
-     * Special case: If user's phone is already verified and they choose SMS MFA,
-     * we can skip the SMS verification step during setup (improves UX).
-     * The phone was already verified, so we trust it for MFA setup.
-     *
-     * This sets skipMFAVerification flag which will be checked during MFA setup completion.
-     */
-    onEnter: async (context: AuthFlowContext): Promise<void> => {
-      // Check if phone is verified and preferred method is SMS
-      if (context.user.isPhoneVerified && context.user.phone && context.user.preferredMfaMethod === MFAMethod.SMS) {
-        // Auto-complete: Set skipMFAVerification flag
-        // This will be used during MFA setup completion to skip SMS verification
-        context.skipMFAVerification = true;
-      }
-    },
-  },
-  /**
-   * Priority 6: MFA Verification Required
-   * Required when MFA is enabled and verification is needed
-   */
-  {
-    state: AuthFlowState.PENDING_MFA_VERIFICATION,
-    priority: 6,
-    condition: Rules.mfaVerificationRequired,
-    challenge: AuthChallenge.MFA_REQUIRED,
-  },
-  /**
-   * Priority 7: Grace Period Active
-   * ADAPTIVE mode with grace period active and MFA not enabled
-   * This is a special state that allows login but includes metadata about grace period
-   */
-  {
-    state: AuthFlowState.GRACE_PERIOD_ACTIVE,
-    priority: 7,
-    condition: Rules.gracePeriodActiveAdaptive,
-    /**
-     * Build metadata for grace period state
-     * Includes grace period end timestamp and risk information
-     */
-    buildMetadata: (context: AuthFlowContext): ResponseMetadata | undefined => {
-      return {
-        gracePeriodEndsAt: context.computed.gracePeriodEndsAt,
-        riskScore: context.computed.riskScore,
-        riskLevel: context.computed.riskLevel,
-      };
-    },
-  },
-  /**
-   * Priority 8: Blocked
-   * User is blocked from signing in due to high risk
-   */
-  {
-    state: AuthFlowState.BLOCKED,
-    priority: 8,
-    condition: Rules.isBlocked,
-    /**
-     * Build metadata for blocked state
-     * Includes block expiration and reason
-     */
-    buildMetadata: (context: AuthFlowContext): ResponseMetadata | undefined => {
-      return {
-        blockedUntil: context.computed.blockedUntil,
-        reason: context.computed.blockReason,
-      };
-    },
-  },
-  /**
-   * Priority 9: Authenticated
-   * Default state when all challenges are complete
-   * This rule always evaluates to true, so it's the fallback state
-   */
-  {
-    state: AuthFlowState.AUTHENTICATED,
-    priority: 9,
-    condition: Rules.authenticated,
-  },
-];
-/**
- * Get state definition by state
- *
- * @param state - State to get definition for
- * @returns State definition or undefined if not found
- *
- * @example
- * ```typescript
- * const def = getStateDefinition(AuthFlowState.PENDING_EMAIL_VERIFICATION);
- * ```
- */
-export function getStateDefinition(state: AuthFlowState): StateDefinition | undefined {
-  return STATE_DEFINITIONS.find((def) => def.state === state);
-}
-/**
- * Get state definitions sorted by priority
- *
- * @returns State definitions sorted by priority (1-9)
- *
- * @example
- * ```typescript
- * const sorted = getStateDefinitionsByPriority();
- * // Evaluates states in order: PENDING_PASSWORD_CHANGE, PENDING_EMAIL_VERIFICATION, ...
- * ```
- */
-export function getStateDefinitionsByPriority(): StateDefinition[] {
-  return [...STATE_DEFINITIONS].sort((a, b) => a.priority - b.priority);
-}

package/src/services/auth-flow-state-machine.service.ts DELETED Viewed

@@ -1,207 +0,0 @@
-import { AuthFlowState, AuthFlowContext, StateDefinition, ResponseMetadata } from './auth-flow-state-machine.types';
-import { AuthFlowContextBuilder } from './auth-flow-context-builder.service';
-import { NAuthLogger } from '../utils/nauth-logger';
-import { getStateDefinitionsByPriority, getStateDefinition } from './auth-flow-state-definitions';
-/**
- * Authentication Flow State Machine Service
- *
- * Core engine for evaluating authentication flow states using declarative rules.
- * Replaces imperative if/else logic with a rule-based state machine.
- *
- * **How it works:**
- * 1. Build context with pre-computed values
- * 2. Evaluate states in priority order (1-9)
- * 3. Select first state whose condition rule evaluates to true
- * 4. Execute onEnter hook if defined
- * 5. Return state with metadata
- *
- * **Benefits:**
- * - Declarative and maintainable
- * - Easy to test (pure functions)
- * - Extensible (add new states/rules easily)
- * - Clear priority ordering
- *
- * @example
- * ```typescript
- * const state = await stateMachine.evaluateState(context);
- * const definition = stateMachine.getStateDefinition(state);
- * ```
- */
-export class AuthFlowStateMachineService {
-  constructor(
-    private readonly contextBuilder: AuthFlowContextBuilder,
-    private readonly logger?: NAuthLogger,
-  ) {}
-  /**
-   * Evaluate authentication flow state
-   *
-   * Evaluates states in priority order and returns the first matching state.
-   * Executes onEnter hook if defined for the selected state.
-   *
-   * @param context - Authentication flow context
-   * @returns Evaluated state
-   *
-   * @example
-   * ```typescript
-   * const context = await contextBuilder.build({ user, config, authMethod: 'password' });
-   * const state = await stateMachine.evaluateState(context);
-   * // Returns: AuthFlowState.PENDING_EMAIL_VERIFICATION
-   * ```
-   */
-  async evaluateState(context: AuthFlowContext): Promise<AuthFlowState> {
-    // Get state definitions sorted by priority
-    const stateDefinitions = getStateDefinitionsByPriority();
-    this.logger?.debug?.(
-      `[StateMachine] Evaluating states for user ${context.user.sub} (priority 1-9, first match wins)`,
-    );
-    // Evaluate states in priority order
-    for (const definition of stateDefinitions) {
-      // Evaluate condition rule
-      const ruleResult = definition.condition(context);
-      this.logger?.debug?.(
-        `[StateMachine] Priority ${definition.priority}: ${definition.state} → ${ruleResult ? 'MATCH' : 'skip'}`,
-      );
-      if (ruleResult) {
-        // State matches - execute onEnter hook if defined
-        if (definition.onEnter) {
-          this.logger?.debug?.(`[StateMachine] Executing onEnter hook for ${definition.state}`);
-          try {
-            await definition.onEnter(context);
-          } catch (error) {
-            const errorMessage = error instanceof Error ? error.message : 'Unknown error';
-            this.logger?.warn?.(`onEnter hook failed for state ${definition.state}: ${errorMessage}`, {
-              error,
-              state: definition.state,
-              userId: context.user.id,
-            });
-            // Continue with state selection even if hook fails
-          }
-        }
-        this.logger?.debug?.(`[StateMachine] ✓ Selected state: ${definition.state} for user ${context.user.sub}`);
-        return definition.state;
-      }
-    }
-    // Fallback: Should never reach here (AUTHENTICATED always matches)
-    // But return AUTHENTICATED as safe default
-    this.logger?.warn?.(`No state matched for user ${context.user.sub} - falling back to AUTHENTICATED`, {
-      userId: context.user.id,
-    });
-    return AuthFlowState.AUTHENTICATED;
-  }
-  /**
-   * Get state definition by state
-   *
-   * @param state - State to get definition for
-   * @returns State definition or undefined if not found
-   *
-   * @example
-   * ```typescript
-   * const def = stateMachine.getStateDefinition(AuthFlowState.PENDING_EMAIL_VERIFICATION);
-   * ```
-   */
-  getStateDefinition(state: AuthFlowState): StateDefinition | undefined {
-    return getStateDefinition(state);
-  }
-  /**
-   * Build metadata for state response
-   *
-   * Calls buildMetadata function if defined for the state.
-   *
-   * @param state - State to build metadata for
-   * @param context - Authentication flow context
-   * @returns Metadata object or undefined
-   *
-   * @example
-   * ```typescript
-   * const metadata = await stateMachine.buildMetadata(state, context);
-   * // Returns: { gracePeriodEndsAt: Date, riskScore: 45, riskLevel: 'medium' }
-   * ```
-   */
-  buildMetadata(state: AuthFlowState, context: AuthFlowContext): ResponseMetadata | undefined {
-    const definition = this.getStateDefinition(state);
-    if (!definition || !definition.buildMetadata) {
-      return undefined;
-    }
-    try {
-      return definition.buildMetadata(context);
-    } catch (error) {
-      const errorMessage = error instanceof Error ? error.message : 'Unknown error';
-      this.logger?.warn?.(`buildMetadata failed for state ${state}: ${errorMessage}`, {
-        error,
-        state,
-        userId: context.user.id,
-      });
-      return undefined;
-    }
-  }
-  /**
-   * Transition after challenge completion
-   *
-   * Re-evaluates state after a challenge is completed.
-   * This is used in the challenge completion flow to determine the next state.
-   *
-   * @param params - Transition parameters
-   * @param params.completedChallenge - Challenge that was just completed
-   * @param params.context - Current authentication flow context
-   * @param params.updateFn - Function to update user data (e.g., mark email as verified)
-   * @returns New state after transition
-   *
-   * @example
-   * ```typescript
-   * const newState = await stateMachine.transitionAfterChallenge({
-   *   completedChallenge: AuthChallenge.VERIFY_EMAIL,
-   *   context,
-   *   updateFn: async (user) => {
-   *     user.isEmailVerified = true;
-   *     await userRepository.save(user);
-   *   }
-   * });
-   * ```
-   */
-  async transitionAfterChallenge(params: {
-    completedChallenge: string;
-    context: AuthFlowContext;
-    updateFn?: (user: AuthFlowContext['user']) => Promise<void>;
-  }): Promise<AuthFlowState> {
-    const { completedChallenge, context, updateFn } = params;
-    // Update user data if update function provided
-    if (updateFn) {
-      try {
-        await updateFn(context.user);
-      } catch (error) {
-        const errorMessage = error instanceof Error ? error.message : 'Unknown error';
-        this.logger?.error?.(`Failed to update user after challenge completion: ${errorMessage}`, {
-          error,
-          challenge: completedChallenge,
-          userId: context.user.id,
-        });
-        // Continue with re-evaluation even if update fails
-      }
-    }
-    // Re-build context with updated user data
-    const newContext = await this.contextBuilder.build({
-      user: context.user,
-      config: context.config,
-      authMethod: context.authMethod,
-      authProvider: context.authProvider,
-      deviceToken: context.deviceToken,
-      skipMFAVerification: context.skipMFAVerification,
-    });
-    // Re-evaluate state
-    return this.evaluateState(newContext);
-  }
-}