@nauth-toolkit/core 0.1.87 → 0.1.89

package/dist/dto/admin-reset-password.dto.js

@@ -3,11 +3,11 @@
  * Admin Reset Password Request DTO
  *
  * Request DTO for admin-initiated password reset workflow.
- * Allows resetting a user's password by identifier (email, username, phone, or sub).
+ * Allows resetting a user's password by sub (UUID).
  *
  * Security:
  * - Admin-only operation (should be protected by admin guard)
- * - User identifier validated
+ * - User sub validated
  * - Code + optional link delivery (like email verification)
  * - Configurable expiry (default: 1 hour)
  * - Optional immediate session revocation
@@ -17,7 +17,7 @@
  * ```typescript
  * // With link for consumer app custom UI
  * await authService.adminResetPassword({
- *   identifier: 'user@example.com',
+ *   sub: 'a21b654c-2746-4168-acee-c175083a65cd',
  *   baseUrl: 'https://myapp.com/reset-password',
  *   deliveryMethod: 'email',
  *   revokeSessions: true
@@ -25,7 +25,7 @@
  *
  * // Code only (no link)
  * await authService.adminResetPassword({
- *   identifier: 'user@example.com',
+ *   sub: 'a21b654c-2746-4168-acee-c175083a65cd',
  *   deliveryMethod: 'email'
  * });
  * ```
@@ -48,20 +48,18 @@ const class_transformer_1 = require("class-transformer");
  */
 class AdminResetPasswordDTO {
     /**
-     * User identifier (email, username, phone, or sub/UUID)
+     * User sub (UUID)
      *
      * Validation:
-     * - Must be a string
-     * - Min 1 character
-     * - Max 255 characters
+     * - Must be a valid UUID v4
      *
      * Sanitization:
      * - Trimmed
-     * - Lowercased if email format detected
+     * - Lowercased for consistency
      *
-     * @example "user@example.com" | "johndoe" | "+1234567890" | "uuid"
+     * @example "a21b654c-2746-4168-acee-c175083a65cd"
      */
-    identifier;
+    sub;
     /**
      * Delivery method for reset code
      *
@@ -136,23 +134,15 @@ class AdminResetPasswordDTO {
 }
 exports.AdminResetPasswordDTO = AdminResetPasswordDTO;
 __decorate([
-    (0, class_validator_1.IsString)({ message: 'Identifier must be a string' }),
-    (0, class_validator_1.IsNotEmpty)({ message: 'Identifier is required' }),
-    (0, class_validator_1.MinLength)(1, { message: 'Identifier is required' }),
-    (0, class_validator_1.MaxLength)(255, { message: 'Identifier must not exceed 255 characters' }),
+    (0, class_validator_1.IsUUID)('4', { message: 'User sub must be a valid UUID v4 format' }),
     (0, class_transformer_1.Transform)(({ value }) => {
         if (typeof value === 'string') {
-            const trimmed = value.trim();
-            // If it contains @, treat as email and lowercase
-            if (trimmed.includes('@')) {
-                return trimmed.toLowerCase();
-            }
-            return trimmed;
+            return value.trim().toLowerCase();
         }
         return value;
     }),
     __metadata("design:type", String)
-], AdminResetPasswordDTO.prototype, "identifier", void 0);
+], AdminResetPasswordDTO.prototype, "sub", void 0);
 __decorate([
     (0, class_validator_1.IsOptional)(),
     (0, class_validator_1.IsIn)(['email', 'sms'], { message: 'Delivery method must be email or sms' }),
@@ -256,7 +246,7 @@ exports.AdminResetPasswordResponseDTO = AdminResetPasswordResponseDTO;
  * @example
  * ```typescript
  * await authService.confirmAdminResetPassword({
- *   identifier: 'user@example.com',
+ *   sub: 'a21b654c-2746-4168-acee-c175083a65cd',
  *   code: '123456',
  *   newPassword: 'NewSecurePass123!'
  * });
@@ -264,20 +254,18 @@ exports.AdminResetPasswordResponseDTO = AdminResetPasswordResponseDTO;
  */
 class ConfirmAdminResetPasswordDTO {
     /**
-     * User identifier (email, username, phone, or sub/UUID)
+     * User sub (UUID)
      *
      * Validation:
-     * - Must be a string
-     * - Min 1 character
-     * - Max 255 characters
+     * - Must be a valid UUID v4
      *
      * Sanitization:
      * - Trimmed
-     * - Lowercased if email format detected
+     * - Lowercased for consistency
      *
-     * @example "user@example.com"
+     * @example "a21b654c-2746-4168-acee-c175083a65cd"
      */
-    identifier;
+    sub;
     /**
      * Verification code from email/SMS (6-10 digits)
      *
@@ -313,23 +301,15 @@ class ConfirmAdminResetPasswordDTO {
 }
 exports.ConfirmAdminResetPasswordDTO = ConfirmAdminResetPasswordDTO;
 __decorate([
-    (0, class_validator_1.IsString)({ message: 'Identifier must be a string' }),
-    (0, class_validator_1.IsNotEmpty)({ message: 'Identifier is required' }),
-    (0, class_validator_1.MinLength)(1, { message: 'Identifier is required' }),
-    (0, class_validator_1.MaxLength)(255, { message: 'Identifier must not exceed 255 characters' }),
+    (0, class_validator_1.IsUUID)('4', { message: 'User sub must be a valid UUID v4 format' }),
     (0, class_transformer_1.Transform)(({ value }) => {
         if (typeof value === 'string') {
-            const trimmed = value.trim();
-            // If it contains @, treat as email and lowercase
-            if (trimmed.includes('@')) {
-                return trimmed.toLowerCase();
-            }
-            return trimmed;
+            return value.trim().toLowerCase();
         }
         return value;
     }),
     __metadata("design:type", String)
-], ConfirmAdminResetPasswordDTO.prototype, "identifier", void 0);
+], ConfirmAdminResetPasswordDTO.prototype, "sub", void 0);
 __decorate([
     (0, class_validator_1.IsString)({ message: 'Code must be a string' }),
     (0, class_validator_1.IsNotEmpty)({ message: 'Code is required' }),

package/dist/dto/admin-reset-password.dto.js.map

@@ -1 +1 @@
-{"version":3,"file":"admin-reset-password.dto.js","sourceRoot":"","sources":["../../src/dto/admin-reset-password.dto.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;;;;;;;;;;;;AAEH,qDAayB;AACzB,yDAA8C;AAE9C;;GAEG;AACH,MAAa,qBAAqB;IAChC;;;;;;;;;;;;;OAaG;IAgBH,UAAU,CAAU;IAEpB;;;;;;;;;OASG;IAGH,cAAc,CAAmB;IAEjC;;;;;;;;;;;;;;;;;OAiBG;IAaH,OAAO,CAAU;IAEjB;;;;;;;;;;;OAWG;IAKH,aAAa,CAAU;IAEvB;;;;;;;;;;;;OAYG;IAGH,cAAc,CAAW;IAEzB;;;;;;;;;;;;OAYG;IAUH,MAAM,CAAU;CACjB;AAxID,sDAwIC;AA1GC;IAfC,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,6BAA6B,EAAE,CAAC;IACpD,IAAA,4BAAU,EAAC,EAAE,OAAO,EAAE,wBAAwB,EAAE,CAAC;IACjD,IAAA,2BAAS,EAAC,CAAC,EAAE,EAAE,OAAO,EAAE,wBAAwB,EAAE,CAAC;IACnD,IAAA,2BAAS,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,2CAA2C,EAAE,CAAC;IACxE,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAsB,EAAE,EAAE;QAC3C,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;YAC7B,iDAAiD;YACjD,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC1B,OAAO,OAAO,CAAC,WAAW,EAAE,CAAC;YAC/B,CAAC;YACD,OAAO,OAAO,CAAC;QACjB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;yDACkB;AAcpB;IAFC,IAAA,4BAAU,GAAE;IACZ,IAAA,sBAAI,EAAC,CAAC,OAAO,EAAE,KAAK,CAAC,EAAE,EAAE,OAAO,EAAE,sCAAsC,EAAE,CAAC;;6DAC3C;AAgCjC;IAZC,IAAA,4BAAU,GAAE;IACZ,IAAA,uBAAK,EACJ,EAAE,gBAAgB,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,WAAW,EAAE,KAAK,EAAE,EAC5E,EAAE,OAAO,EAAE,qDAAqD,EAAE,CACnE;IACA,IAAA,2BAAS,EAAC,IAAI,EAAE,EAAE,OAAO,EAAE,0CAA0C,EAAE,CAAC;IACxE,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAsB,EAAE,EAAE;QAC3C,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC;QACtB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;sDACe;AAkBjB;IAJC,IAAA,4BAAU,GAAE;IACZ,IAAA,0BAAQ,EAAC,EAAE,EAAE,EAAE,OAAO,EAAE,8BAA8B,EAAE,CAAC;IACzD,IAAA,qBAAG,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,sDAAsD,EAAE,CAAC;IAC7E,IAAA,qBAAG,EAAC,KAAK,EAAE,EAAE,OAAO,EAAE,sDAAsD,EAAE,CAAC;;4DACzD;AAiBvB;IAFC,IAAA,4BAAU,GAAE;IACZ,IAAA,2BAAS,EAAC,EAAE,OAAO,EAAE,kCAAkC,EAAE,CAAC;;6DAClC;AAwBzB;IATC,IAAA,4BAAU,GAAE;IACZ,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,yBAAyB,EAAE,CAAC;IAChD,IAAA,2BAAS,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,uCAAuC,EAAE,CAAC;IACpE,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAsB,EAAE,EAAE;QAC3C,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC;QACtB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;qDACc;AAGlB;;;;;;;;;;;;;;;GAeG;AACH,MAAa,6BAA6B;IACxC;;;OAGG;IACH,OAAO,CAAW;IAElB;;;OAGG;IACH,WAAW,CAAU;IAErB;;;OAGG;IACH,cAAc,CAAmB;IAEjC;;;OAGG;IACH,SAAS,CAAU;IAEnB;;;OAGG;IACH,eAAe,CAAU;CAC1B;AA9BD,sEA8BC;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAa,4BAA4B;IACvC;;;;;;;;;;;;;OAaG;IAgBH,UAAU,CAAU;IAEpB;;;;;;;;;;;;;;OAcG;IAUH,IAAI,CAAU;IAEd;;;;;;;;;;;;;;OAcG;IAKH,WAAW,CAAU;CACtB;AA9ED,oEA8EC;AAhDC;IAfC,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,6BAA6B,EAAE,CAAC;IACpD,IAAA,4BAAU,EAAC,EAAE,OAAO,EAAE,wBAAwB,EAAE,CAAC;IACjD,IAAA,2BAAS,EAAC,CAAC,EAAE,EAAE,OAAO,EAAE,wBAAwB,EAAE,CAAC;IACnD,IAAA,2BAAS,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,2CAA2C,EAAE,CAAC;IACxE,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAsB,EAAE,EAAE;QAC3C,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;YAC7B,iDAAiD;YACjD,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC1B,OAAO,OAAO,CAAC,WAAW,EAAE,CAAC;YAC/B,CAAC;YACD,OAAO,OAAO,CAAC;QACjB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;gEACkB;AA0BpB;IATC,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,uBAAuB,EAAE,CAAC;IAC9C,IAAA,4BAAU,EAAC,EAAE,OAAO,EAAE,kBAAkB,EAAE,CAAC;IAC3C,IAAA,wBAAM,EAAC,CAAC,EAAE,EAAE,EAAE,EAAE,OAAO,EAAE,0CAA0C,EAAE,CAAC;IACtE,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE;QACvB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC;QACtB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;0DACY;AAqBd;IAJC,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,+BAA+B,EAAE,CAAC;IACtD,IAAA,4BAAU,EAAC,EAAE,OAAO,EAAE,0BAA0B,EAAE,CAAC;IACnD,IAAA,2BAAS,EAAC,CAAC,EAAE,EAAE,OAAO,EAAE,wCAAwC,EAAE,CAAC;IACnE,IAAA,2BAAS,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,yCAAyC,EAAE,CAAC;;iEAClD;AAGvB;;;;;;;;;;;GAWG;AACH,MAAa,oCAAoC;IAC/C;;;OAGG;IACH,OAAO,CAAW;CACnB;AAND,oFAMC"}
+{"version":3,"file":"admin-reset-password.dto.js","sourceRoot":"","sources":["../../src/dto/admin-reset-password.dto.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;;;;;;;;;;;;AAEH,qDAcyB;AACzB,yDAA8C;AAE9C;;GAEG;AACH,MAAa,qBAAqB;IAChC;;;;;;;;;;;OAWG;IAQH,GAAG,CAAU;IAEb;;;;;;;;;OASG;IAGH,cAAc,CAAmB;IAEjC;;;;;;;;;;;;;;;;;OAiBG;IAaH,OAAO,CAAU;IAEjB;;;;;;;;;;;OAWG;IAKH,aAAa,CAAU;IAEvB;;;;;;;;;;;;OAYG;IAGH,cAAc,CAAW;IAEzB;;;;;;;;;;;;OAYG;IAUH,MAAM,CAAU;CACjB;AA9HD,sDA8HC;AA1GC;IAPC,IAAA,wBAAM,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,yCAAyC,EAAE,CAAC;IACnE,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAsB,EAAE,EAAE;QAC3C,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QACpC,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;kDACW;AAcb;IAFC,IAAA,4BAAU,GAAE;IACZ,IAAA,sBAAI,EAAC,CAAC,OAAO,EAAE,KAAK,CAAC,EAAE,EAAE,OAAO,EAAE,sCAAsC,EAAE,CAAC;;6DAC3C;AAgCjC;IAZC,IAAA,4BAAU,GAAE;IACZ,IAAA,uBAAK,EACJ,EAAE,gBAAgB,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,WAAW,EAAE,KAAK,EAAE,EAC5E,EAAE,OAAO,EAAE,qDAAqD,EAAE,CACnE;IACA,IAAA,2BAAS,EAAC,IAAI,EAAE,EAAE,OAAO,EAAE,0CAA0C,EAAE,CAAC;IACxE,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAsB,EAAE,EAAE;QAC3C,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC;QACtB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;sDACe;AAkBjB;IAJC,IAAA,4BAAU,GAAE;IACZ,IAAA,0BAAQ,EAAC,EAAE,EAAE,EAAE,OAAO,EAAE,8BAA8B,EAAE,CAAC;IACzD,IAAA,qBAAG,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,sDAAsD,EAAE,CAAC;IAC7E,IAAA,qBAAG,EAAC,KAAK,EAAE,EAAE,OAAO,EAAE,sDAAsD,EAAE,CAAC;;4DACzD;AAiBvB;IAFC,IAAA,4BAAU,GAAE;IACZ,IAAA,2BAAS,EAAC,EAAE,OAAO,EAAE,kCAAkC,EAAE,CAAC;;6DAClC;AAwBzB;IATC,IAAA,4BAAU,GAAE;IACZ,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,yBAAyB,EAAE,CAAC;IAChD,IAAA,2BAAS,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,uCAAuC,EAAE,CAAC;IACpE,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAsB,EAAE,EAAE;QAC3C,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC;QACtB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;qDACc;AAGlB;;;;;;;;;;;;;;;GAeG;AACH,MAAa,6BAA6B;IACxC;;;OAGG;IACH,OAAO,CAAW;IAElB;;;OAGG;IACH,WAAW,CAAU;IAErB;;;OAGG;IACH,cAAc,CAAmB;IAEjC;;;OAGG;IACH,SAAS,CAAU;IAEnB;;;OAGG;IACH,eAAe,CAAU;CAC1B;AA9BD,sEA8BC;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAa,4BAA4B;IACvC;;;;;;;;;;;OAWG;IAQH,GAAG,CAAU;IAEb;;;;;;;;;;;;;;OAcG;IAUH,IAAI,CAAU;IAEd;;;;;;;;;;;;;;OAcG;IAKH,WAAW,CAAU;CACtB;AApED,oEAoEC;AAhDC;IAPC,IAAA,wBAAM,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,yCAAyC,EAAE,CAAC;IACnE,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAsB,EAAE,EAAE;QAC3C,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QACpC,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;yDACW;AA0Bb;IATC,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,uBAAuB,EAAE,CAAC;IAC9C,IAAA,4BAAU,EAAC,EAAE,OAAO,EAAE,kBAAkB,EAAE,CAAC;IAC3C,IAAA,wBAAM,EAAC,CAAC,EAAE,EAAE,EAAE,EAAE,OAAO,EAAE,0CAA0C,EAAE,CAAC;IACtE,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE;QACvB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC;QACtB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;0DACY;AAqBd;IAJC,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,+BAA+B,EAAE,CAAC;IACtD,IAAA,4BAAU,EAAC,EAAE,OAAO,EAAE,0BAA0B,EAAE,CAAC;IACnD,IAAA,2BAAS,EAAC,CAAC,EAAE,EAAE,OAAO,EAAE,wCAAwC,EAAE,CAAC;IACnE,IAAA,2BAAS,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,yCAAyC,EAAE,CAAC;;iEAClD;AAGvB;;;;;;;;;;;GAWG;AACH,MAAa,oCAAoC;IAC/C;;;OAGG;IACH,OAAO,CAAW;CACnB;AAND,oFAMC"}

package/dist/dto/admin-revoke-session.dto.d.ts

@@ -0,0 +1,22 @@
+/**
+ * DTO for revoking a specific user session (admin-only)
+ *
+ * @example
+ * ```typescript
+ * const dto = new AdminRevokeSessionDTO();
+ * dto.sub = 'user-uuid-123';
+ * dto.sessionId = '456';
+ * await adminAuthService.revokeUserSession(dto);
+ * ```
+ */
+export declare class AdminRevokeSessionDTO {
+    /**
+     * User sub (UUID) - must match the session owner
+     */
+    sub: string;
+    /**
+     * Session ID to revoke
+     */
+    sessionId: string;
+}
+//# sourceMappingURL=admin-revoke-session.dto.d.ts.map

package/dist/dto/admin-revoke-session.dto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin-revoke-session.dto.d.ts","sourceRoot":"","sources":["../../src/dto/admin-revoke-session.dto.ts"],"names":[],"mappings":"AAGA;;;;;;;;;;GAUG;AACH,qBAAa,qBAAqB;IAChC;;OAEG;IAIH,GAAG,EAAG,MAAM,CAAC;IAEb;;OAEG;IAGH,SAAS,EAAG,MAAM,CAAC;CACpB"}

package/dist/dto/admin-revoke-session.dto.js

@@ -0,0 +1,48 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AdminRevokeSessionDTO = void 0;
+const class_validator_1 = require("class-validator");
+const class_transformer_1 = require("class-transformer");
+/**
+ * DTO for revoking a specific user session (admin-only)
+ *
+ * @example
+ * ```typescript
+ * const dto = new AdminRevokeSessionDTO();
+ * dto.sub = 'user-uuid-123';
+ * dto.sessionId = '456';
+ * await adminAuthService.revokeUserSession(dto);
+ * ```
+ */
+class AdminRevokeSessionDTO {
+    /**
+     * User sub (UUID) - must match the session owner
+     */
+    sub;
+    /**
+     * Session ID to revoke
+     */
+    sessionId;
+}
+exports.AdminRevokeSessionDTO = AdminRevokeSessionDTO;
+__decorate([
+    (0, class_validator_1.IsUUID)('4'),
+    (0, class_validator_1.IsNotEmpty)(),
+    (0, class_transformer_1.Transform)(({ value }) => value?.trim().toLowerCase()),
+    __metadata("design:type", String)
+], AdminRevokeSessionDTO.prototype, "sub", void 0);
+__decorate([
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.IsNotEmpty)(),
+    __metadata("design:type", String)
+], AdminRevokeSessionDTO.prototype, "sessionId", void 0);
+//# sourceMappingURL=admin-revoke-session.dto.js.map

package/dist/dto/admin-revoke-session.dto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin-revoke-session.dto.js","sourceRoot":"","sources":["../../src/dto/admin-revoke-session.dto.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,qDAA+D;AAC/D,yDAA8C;AAE9C;;;;;;;;;;GAUG;AACH,MAAa,qBAAqB;IAChC;;OAEG;IAIH,GAAG,CAAU;IAEb;;OAEG;IAGH,SAAS,CAAU;CACpB;AAfD,sDAeC;AARC;IAHC,IAAA,wBAAM,EAAC,GAAG,CAAC;IACX,IAAA,4BAAU,GAAE;IACZ,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;;kDACzC;AAOb;IAFC,IAAA,0BAAQ,GAAE;IACV,IAAA,4BAAU,GAAE;;wDACM"}

package/dist/dto/admin-set-password.dto.d.ts

@@ -2,18 +2,18 @@
  * Admin Set Password Request DTO
  *
  * Request DTO for admin-initiated password reset.
- * Allows resetting a user's password by identifier (email, username, phone, or sub).
+ * Allows resetting a user's password by sub (UUID).
  *
  * Security:
  * - Admin-only operation (should be protected by admin guard)
- * - User identifier validated
+ * - User sub validated
  * - Password policy enforced
  * - Session revocation configurable
  *
  * @example
  * ```typescript
  * await authService.adminSetPassword({
- *   identifier: 'user@example.com',
+ *   sub: 'a21b654c-2746-4168-acee-c175083a65cd',
  *   newPassword: 'NewSecurePassword123!',
  *   mustChangePassword: true,
  *   revokeSessions: true
@@ -25,20 +25,18 @@
  */
 export declare class AdminSetPasswordDTO {
     /**
-     * User identifier (email, username, phone, or sub/UUID)
+     * User sub (UUID)
      *
      * Validation:
-     * - Must be a string
-     * - Min 1 character
-     * - Max 255 characters
+     * - Must be a valid UUID v4
      *
      * Sanitization:
      * - Trimmed
-     * - Lowercased if email format detected
+     * - Lowercased for consistency
      *
-     * @example "user@example.com" | "johndoe" | "+1234567890" | "a21b654c-2746-4168-acee-c175083a65cd"
+     * @example "a21b654c-2746-4168-acee-c175083a65cd"
      */
-    identifier: string;
+    sub: string;
     /**
      * New password
      *

package/dist/dto/admin-set-password.dto.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"admin-set-password.dto.d.ts","sourceRoot":"","sources":["../../src/dto/admin-set-password.dto.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAKH;;GAEG;AACH,qBAAa,mBAAmB;IAC9B;;;;;;;;;;;;;OAaG;IAgBH,UAAU,EAAG,MAAM,CAAC;IAEpB;;;;;;;;;;;;OAYG;IAKH,WAAW,EAAG,MAAM,CAAC;IAErB;;;;;;OAMG;IAGH,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAE7B;;;;;;OAMG;IAGH,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B;AAED;;;;;;;;;;;;;GAaG;AACH,qBAAa,2BAA2B;IACtC;;;OAGG;IACH,OAAO,EAAG,OAAO,CAAC;IAElB;;OAEG;IACH,kBAAkB,EAAG,OAAO,CAAC;IAE7B;;OAEG;IACH,eAAe,EAAG,MAAM,CAAC;CAC1B"}
+{"version":3,"file":"admin-set-password.dto.d.ts","sourceRoot":"","sources":["../../src/dto/admin-set-password.dto.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAKH;;GAEG;AACH,qBAAa,mBAAmB;IAC9B;;;;;;;;;;;OAWG;IAQH,GAAG,EAAG,MAAM,CAAC;IAEb;;;;;;;;;;;;OAYG;IAKH,WAAW,EAAG,MAAM,CAAC;IAErB;;;;;;OAMG;IAGH,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAE7B;;;;;;OAMG;IAGH,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B;AAED;;;;;;;;;;;;;GAaG;AACH,qBAAa,2BAA2B;IACtC;;;OAGG;IACH,OAAO,EAAG,OAAO,CAAC;IAElB;;OAEG;IACH,kBAAkB,EAAG,OAAO,CAAC;IAE7B;;OAEG;IACH,eAAe,EAAG,MAAM,CAAC;CAC1B"}

package/dist/dto/admin-set-password.dto.js

@@ -3,18 +3,18 @@
  * Admin Set Password Request DTO
  *
  * Request DTO for admin-initiated password reset.
- * Allows resetting a user's password by identifier (email, username, phone, or sub).
+ * Allows resetting a user's password by sub (UUID).
  *
  * Security:
  * - Admin-only operation (should be protected by admin guard)
- * - User identifier validated
+ * - User sub validated
  * - Password policy enforced
  * - Session revocation configurable
  *
  * @example
  * ```typescript
  * await authService.adminSetPassword({
- *   identifier: 'user@example.com',
+ *   sub: 'a21b654c-2746-4168-acee-c175083a65cd',
  *   newPassword: 'NewSecurePassword123!',
  *   mustChangePassword: true,
  *   revokeSessions: true
@@ -39,20 +39,18 @@ const class_transformer_1 = require("class-transformer");
  */
 class AdminSetPasswordDTO {
     /**
-     * User identifier (email, username, phone, or sub/UUID)
+     * User sub (UUID)
      *
      * Validation:
-     * - Must be a string
-     * - Min 1 character
-     * - Max 255 characters
+     * - Must be a valid UUID v4
      *
      * Sanitization:
      * - Trimmed
-     * - Lowercased if email format detected
+     * - Lowercased for consistency
      *
-     * @example "user@example.com" | "johndoe" | "+1234567890" | "a21b654c-2746-4168-acee-c175083a65cd"
+     * @example "a21b654c-2746-4168-acee-c175083a65cd"
      */
-    identifier;
+    sub;
     /**
      * New password
      *
@@ -86,23 +84,15 @@ class AdminSetPasswordDTO {
 }
 exports.AdminSetPasswordDTO = AdminSetPasswordDTO;
 __decorate([
-    (0, class_validator_1.IsString)({ message: 'Identifier must be a string' }),
-    (0, class_validator_1.IsNotEmpty)({ message: 'Identifier is required' }),
-    (0, class_validator_1.MinLength)(1, { message: 'Identifier is required' }),
-    (0, class_validator_1.MaxLength)(255, { message: 'Identifier must not exceed 255 characters' }),
+    (0, class_validator_1.IsUUID)('4', { message: 'User sub must be a valid UUID v4 format' }),
     (0, class_transformer_1.Transform)(({ value }) => {
         if (typeof value === 'string') {
-            const trimmed = value.trim();
-            // If it contains @, treat as email and lowercase
-            if (trimmed.includes('@')) {
-                return trimmed.toLowerCase();
-            }
-            return trimmed;
+            return value.trim().toLowerCase();
         }
         return value;
     }),
     __metadata("design:type", String)
-], AdminSetPasswordDTO.prototype, "identifier", void 0);
+], AdminSetPasswordDTO.prototype, "sub", void 0);
 __decorate([
     (0, class_validator_1.IsString)({ message: 'New password must be a string' }),
     (0, class_validator_1.IsNotEmpty)({ message: 'New password is required' }),

package/dist/dto/admin-set-password.dto.js.map

@@ -1 +1 @@
-{"version":3,"file":"admin-set-password.dto.js","sourceRoot":"","sources":["../../src/dto/admin-set-password.dto.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;;;;;;;;;;;;AAEH,qDAAoG;AACpG,yDAA8C;AAE9C;;GAEG;AACH,MAAa,mBAAmB;IAC9B;;;;;;;;;;;;;OAaG;IAgBH,UAAU,CAAU;IAEpB;;;;;;;;;;;;OAYG;IAKH,WAAW,CAAU;IAErB;;;;;;OAMG;IAGH,kBAAkB,CAAW;IAE7B;;;;;;OAMG;IAGH,cAAc,CAAW;CAC1B;AAxED,kDAwEC;AA1CC;IAfC,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,6BAA6B,EAAE,CAAC;IACpD,IAAA,4BAAU,EAAC,EAAE,OAAO,EAAE,wBAAwB,EAAE,CAAC;IACjD,IAAA,2BAAS,EAAC,CAAC,EAAE,EAAE,OAAO,EAAE,wBAAwB,EAAE,CAAC;IACnD,IAAA,2BAAS,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,2CAA2C,EAAE,CAAC;IACxE,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE;QACvB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;YAC7B,iDAAiD;YACjD,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC1B,OAAO,OAAO,CAAC,WAAW,EAAE,CAAC;YAC/B,CAAC;YACD,OAAO,OAAO,CAAC;QACjB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;uDACkB;AAmBpB;IAJC,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,+BAA+B,EAAE,CAAC;IACtD,IAAA,4BAAU,EAAC,EAAE,OAAO,EAAE,0BAA0B,EAAE,CAAC;IACnD,IAAA,2BAAS,EAAC,CAAC,EAAE,EAAE,OAAO,EAAE,wCAAwC,EAAE,CAAC;IACnE,IAAA,2BAAS,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,yCAAyC,EAAE,CAAC;;wDAClD;AAWrB;IAFC,IAAA,4BAAU,GAAE;IACZ,IAAA,2BAAS,EAAC,EAAE,OAAO,EAAE,sCAAsC,EAAE,CAAC;;+DAClC;AAW7B;IAFC,IAAA,4BAAU,GAAE;IACZ,IAAA,2BAAS,EAAC,EAAE,OAAO,EAAE,kCAAkC,EAAE,CAAC;;2DAClC;AAG3B;;;;;;;;;;;;;GAaG;AACH,MAAa,2BAA2B;IACtC;;;OAGG;IACH,OAAO,CAAW;IAElB;;OAEG;IACH,kBAAkB,CAAW;IAE7B;;OAEG;IACH,eAAe,CAAU;CAC1B;AAhBD,kEAgBC"}
+{"version":3,"file":"admin-set-password.dto.js","sourceRoot":"","sources":["../../src/dto/admin-set-password.dto.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;;;;;;;;;;;;AAEH,qDAA4G;AAC5G,yDAA8C;AAE9C;;GAEG;AACH,MAAa,mBAAmB;IAC9B;;;;;;;;;;;OAWG;IAQH,GAAG,CAAU;IAEb;;;;;;;;;;;;OAYG;IAKH,WAAW,CAAU;IAErB;;;;;;OAMG;IAGH,kBAAkB,CAAW;IAE7B;;;;;;OAMG;IAGH,cAAc,CAAW;CAC1B;AA9DD,kDA8DC;AA1CC;IAPC,IAAA,wBAAM,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,yCAAyC,EAAE,CAAC;IACnE,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE;QACvB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QACpC,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;gDACW;AAmBb;IAJC,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,+BAA+B,EAAE,CAAC;IACtD,IAAA,4BAAU,EAAC,EAAE,OAAO,EAAE,0BAA0B,EAAE,CAAC;IACnD,IAAA,2BAAS,EAAC,CAAC,EAAE,EAAE,OAAO,EAAE,wCAAwC,EAAE,CAAC;IACnE,IAAA,2BAAS,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,yCAAyC,EAAE,CAAC;;wDAClD;AAWrB;IAFC,IAAA,4BAAU,GAAE;IACZ,IAAA,2BAAS,EAAC,EAAE,OAAO,EAAE,sCAAsC,EAAE,CAAC;;+DAClC;AAW7B;IAFC,IAAA,4BAAU,GAAE;IACZ,IAAA,2BAAS,EAAC,EAAE,OAAO,EAAE,kCAAkC,EAAE,CAAC;;2DAClC;AAG3B;;;;;;;;;;;;;GAaG;AACH,MAAa,2BAA2B;IACtC;;;OAGG;IACH,OAAO,CAAW;IAElB;;OAEG;IACH,kBAAkB,CAAW;IAE7B;;OAEG;IACH,eAAe,CAAU;CAC1B;AAhBD,kEAgBC"}

package/dist/dto/admin-set-preferred-method.dto.d.ts

@@ -0,0 +1,25 @@
+import { SetPreferredMethodDTO, SetPreferredMethodResponseDTO } from './set-preferred-method.dto';
+/**
+ * Admin DTO for setting preferred MFA method for a specific user
+ *
+ * Admin APIs must explicitly target a user via `sub`.
+ * This DTO mirrors {@link SetPreferredMethodDTO} but adds `sub`.
+ *
+ * @example
+ * ```typescript
+ * const result = await mfaService.adminSetPreferredMethod({
+ *   sub: 'a21b654c-2746-4168-acee-c175083a65cd',
+ *   methodType: 'sms',
+ * });
+ * ```
+ */
+export declare class AdminSetPreferredMethodDTO extends SetPreferredMethodDTO {
+    /**
+     * Target user's unique identifier (UUID v4)
+     *
+     * @example "a21b654c-2746-4168-acee-c175083a65cd"
+     */
+    sub: string;
+}
+export { SetPreferredMethodResponseDTO };
+//# sourceMappingURL=admin-set-preferred-method.dto.d.ts.map

package/dist/dto/admin-set-preferred-method.dto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin-set-preferred-method.dto.d.ts","sourceRoot":"","sources":["../../src/dto/admin-set-preferred-method.dto.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,qBAAqB,EAAE,6BAA6B,EAAE,MAAM,4BAA4B,CAAC;AAElG;;;;;;;;;;;;;GAaG;AACH,qBAAa,0BAA2B,SAAQ,qBAAqB;IACnE;;;;OAIG;IAQH,GAAG,EAAG,MAAM,CAAC;CACd;AAED,OAAO,EAAE,6BAA6B,EAAE,CAAC"}

package/dist/dto/admin-set-preferred-method.dto.js

@@ -0,0 +1,50 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SetPreferredMethodResponseDTO = exports.AdminSetPreferredMethodDTO = void 0;
+const class_validator_1 = require("class-validator");
+const class_transformer_1 = require("class-transformer");
+const set_preferred_method_dto_1 = require("./set-preferred-method.dto");
+Object.defineProperty(exports, "SetPreferredMethodResponseDTO", { enumerable: true, get: function () { return set_preferred_method_dto_1.SetPreferredMethodResponseDTO; } });
+/**
+ * Admin DTO for setting preferred MFA method for a specific user
+ *
+ * Admin APIs must explicitly target a user via `sub`.
+ * This DTO mirrors {@link SetPreferredMethodDTO} but adds `sub`.
+ *
+ * @example
+ * ```typescript
+ * const result = await mfaService.adminSetPreferredMethod({
+ *   sub: 'a21b654c-2746-4168-acee-c175083a65cd',
+ *   methodType: 'sms',
+ * });
+ * ```
+ */
+class AdminSetPreferredMethodDTO extends set_preferred_method_dto_1.SetPreferredMethodDTO {
+    /**
+     * Target user's unique identifier (UUID v4)
+     *
+     * @example "a21b654c-2746-4168-acee-c175083a65cd"
+     */
+    sub;
+}
+exports.AdminSetPreferredMethodDTO = AdminSetPreferredMethodDTO;
+__decorate([
+    (0, class_validator_1.IsUUID)('4', { message: 'User sub must be a valid UUID v4 format' }),
+    (0, class_transformer_1.Transform)(({ value }) => {
+        if (typeof value === 'string') {
+            return value.trim().toLowerCase();
+        }
+        return value;
+    }),
+    __metadata("design:type", String)
+], AdminSetPreferredMethodDTO.prototype, "sub", void 0);
+//# sourceMappingURL=admin-set-preferred-method.dto.js.map

package/dist/dto/admin-set-preferred-method.dto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin-set-preferred-method.dto.js","sourceRoot":"","sources":["../../src/dto/admin-set-preferred-method.dto.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,qDAAyC;AACzC,yDAA8C;AAC9C,yEAAkG;AAgCzF,8GAhCuB,wDAA6B,OAgCvB;AA9BtC;;;;;;;;;;;;;GAaG;AACH,MAAa,0BAA2B,SAAQ,gDAAqB;IACnE;;;;OAIG;IAQH,GAAG,CAAU;CACd;AAdD,gEAcC;AADC;IAPC,IAAA,wBAAM,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,yCAAyC,EAAE,CAAC;IACnE,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE;QACvB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QACpC,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;uDACW"}

package/dist/dto/admin-update-user-attributes.dto.d.ts

@@ -0,0 +1,41 @@
+/**
+ * Admin Update User Attributes DTO
+ *
+ * Request DTO for administrators to update a user's profile information.
+ *
+ * Security:
+ * - Requires target user sub (UUID)
+ * - All fields validated according to UserUpdateDTO rules
+ * - Uniqueness constraints enforced
+ *
+ * @example
+ * ```typescript
+ * const result = await adminAuthService.updateUserAttributes({
+ *   sub: 'user-uuid',
+ *   username: 'newusername',
+ *   firstName: 'John',
+ *   lastName: 'Doe',
+ * });
+ * ```
+ */
+import { UserUpdateDTO } from './user-update.dto';
+/**
+ * Request DTO for admin updating user attributes (includes sub)
+ */
+export declare class AdminUpdateUserAttributesDTO extends UserUpdateDTO {
+    /**
+     * User's unique identifier (UUID v4)
+     *
+     * Validation:
+     * - Must be a valid UUID v4 format
+     * - Matches DB constraint: char(36) or uuid
+     *
+     * Sanitization:
+     * - Trimmed
+     * - Lowercased for consistency
+     *
+     * @example "a21b654c-2746-4168-acee-c175083a65cd"
+     */
+    sub: string;
+}
+//# sourceMappingURL=admin-update-user-attributes.dto.d.ts.map

package/dist/dto/admin-update-user-attributes.dto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin-update-user-attributes.dto.d.ts","sourceRoot":"","sources":["../../src/dto/admin-update-user-attributes.dto.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAIH,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAElD;;GAEG;AACH,qBAAa,4BAA6B,SAAQ,aAAa;IAC7D;;;;;;;;;;;;OAYG;IAQH,GAAG,EAAG,MAAM,CAAC;CACd"}

package/dist/dto/{update-user-attributes-request.dto.js → admin-update-user-attributes.dto.js}

@@ -1,21 +1,21 @@
 "use strict";
 /**
- * Update User Attributes Request DTO
+ * Admin Update User Attributes DTO
  *
- * Request DTO for updating user profile information (includes user sub).
+ * Request DTO for administrators to update a user's profile information.
  *
  * Security:
- * - User sub validated (UUID)
+ * - Requires target user sub (UUID)
  * - All fields validated according to UserUpdateDTO rules
  * - Uniqueness constraints enforced
  *
  * @example
  * ```typescript
- * const result = await authService.updateUserAttributes({
+ * const result = await adminAuthService.updateUserAttributes({
  *   sub: 'user-uuid',
  *   username: 'newusername',
  *   firstName: 'John',
- *   lastName: 'Doe'
+ *   lastName: 'Doe',
  * });
  * ```
  */
@@ -29,22 +29,19 @@ var __metadata = (this && this.__metadata) || function (k, v) {
     if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.UpdateUserAttributesRequestDTO = void 0;
+exports.AdminUpdateUserAttributesDTO = void 0;
 const class_validator_1 = require("class-validator");
 const class_transformer_1 = require("class-transformer");
 const user_update_dto_1 = require("./user-update.dto");
 /**
- * Request DTO for updating user attributes (includes user sub)
+ * Request DTO for admin updating user attributes (includes sub)
  */
-class UpdateUserAttributesRequestDTO extends user_update_dto_1.UserUpdateDTO {
+class AdminUpdateUserAttributesDTO extends user_update_dto_1.UserUpdateDTO {
     /**
      * User's unique identifier (UUID v4)
      *
-     * Optional at controller level - filled from authenticated user's JWT.
-     * Validated only when provided (service layer will ensure it's set).
-     *
      * Validation:
-     * - Must be a valid UUID v4 format when provided
+     * - Must be a valid UUID v4 format
      * - Matches DB constraint: char(36) or uuid
      *
      * Sanitization:
@@ -55,9 +52,8 @@ class UpdateUserAttributesRequestDTO extends user_update_dto_1.UserUpdateDTO {
      */
     sub;
 }
-exports.UpdateUserAttributesRequestDTO = UpdateUserAttributesRequestDTO;
+exports.AdminUpdateUserAttributesDTO = AdminUpdateUserAttributesDTO;
 __decorate([
-    (0, class_validator_1.ValidateIf)((o) => o.sub !== undefined && o.sub !== null && o.sub !== ''),
     (0, class_validator_1.IsUUID)('4', { message: 'User sub must be a valid UUID v4 format' }),
     (0, class_transformer_1.Transform)(({ value }) => {
         if (typeof value === 'string') {
@@ -65,7 +61,6 @@ __decorate([
         }
         return value;
     }),
-    (0, class_validator_1.IsOptional)(),
     __metadata("design:type", String)
-], UpdateUserAttributesRequestDTO.prototype, "sub", void 0);
-//# sourceMappingURL=update-user-attributes-request.dto.js.map
+], AdminUpdateUserAttributesDTO.prototype, "sub", void 0);
+//# sourceMappingURL=admin-update-user-attributes.dto.js.map

package/dist/dto/admin-update-user-attributes.dto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin-update-user-attributes.dto.js","sourceRoot":"","sources":["../../src/dto/admin-update-user-attributes.dto.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;GAmBG;;;;;;;;;;;;AAEH,qDAAyC;AACzC,yDAA8C;AAC9C,uDAAkD;AAElD;;GAEG;AACH,MAAa,4BAA6B,SAAQ,+BAAa;IAC7D;;;;;;;;;;;;OAYG;IAQH,GAAG,CAAU;CACd;AAtBD,oEAsBC;AADC;IAPC,IAAA,wBAAM,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,yCAAyC,EAAE,CAAC;IACnE,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE;QACvB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QACpC,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;yDACW"}

package/dist/dto/auth-challenge.dto.d.ts

@@ -63,7 +63,7 @@ export declare enum AuthChallenge {
  *     email: 'user@example.com',
  *     codeDeliveryDestination: 'u***@example.com'
  *   },
- *   userSub: 'a21b654c-2746-4168-acee-c175083a65cd'
+ *   sub: 'a21b654c-2746-4168-acee-c175083a65cd'
  * }
  * ```
  */
@@ -119,7 +119,7 @@ export declare class AuthChallengeResponseDTO {
      *
      * @example "a21b654c-2746-4168-acee-c175083a65cd"
      */
-    userSub: string;
+    sub: string;
 }
 /**
  * Challenge Completion Request DTO

package/dist/dto/auth-challenge.dto.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth-challenge.dto.d.ts","sourceRoot":"","sources":["../../src/dto/auth-challenge.dto.ts"],"names":[],"mappings":"AAGA;;;;;;;;;;;;;;;;GAgBG;AACH,oBAAY,aAAa;IACvB;;;OAGG;IACH,YAAY,iBAAiB;IAE7B;;;OAGG;IACH,YAAY,iBAAiB;IAE7B;;;;OAIG;IACH,YAAY,iBAAiB;IAE7B;;;;OAIG;IACH,kBAAkB,uBAAuB;IAEzC;;;;OAIG;IACH,qBAAqB,0BAA0B;CAChD;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,qBAAa,wBAAwB;IACnC;;;;;OAKG;IAIH,aAAa,EAAG,aAAa,CAAC;IAE9B;;;;;;;;;OASG;IAQH,OAAO,EAAG,MAAM,CAAC;IAEjB;;;;;;;;;;;;;;;;;;;;;OAqBG;IAEH,mBAAmB,EAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAE9C;;;;;;;;;OASG;IAQH,OAAO,EAAG,MAAM,CAAC;CAClB;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,qBAAa,2BAA2B;IACtC;;;;;;;;;;;;OAYG;IAQH,OAAO,EAAG,MAAM,CAAC;IAEjB;;;;;OAKG;IAIH,aAAa,EAAG,aAAa,CAAC;IAE9B;;;;;;;;;;;;;;;OAeG;IAEH,kBAAkB,EAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAC9C"}
+{"version":3,"file":"auth-challenge.dto.d.ts","sourceRoot":"","sources":["../../src/dto/auth-challenge.dto.ts"],"names":[],"mappings":"AAGA;;;;;;;;;;;;;;;;GAgBG;AACH,oBAAY,aAAa;IACvB;;;OAGG;IACH,YAAY,iBAAiB;IAE7B;;;OAGG;IACH,YAAY,iBAAiB;IAE7B;;;;OAIG;IACH,YAAY,iBAAiB;IAE7B;;;;OAIG;IACH,kBAAkB,uBAAuB;IAEzC;;;;OAIG;IACH,qBAAqB,0BAA0B;CAChD;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,qBAAa,wBAAwB;IACnC;;;;;OAKG;IAIH,aAAa,EAAG,aAAa,CAAC;IAE9B;;;;;;;;;OASG;IAQH,OAAO,EAAG,MAAM,CAAC;IAEjB;;;;;;;;;;;;;;;;;;;;;OAqBG;IAEH,mBAAmB,EAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAE9C;;;;;;;;;OASG;IAQH,GAAG,EAAG,MAAM,CAAC;CACd;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,qBAAa,2BAA2B;IACtC;;;;;;;;;;;;OAYG;IAQH,OAAO,EAAG,MAAM,CAAC;IAEjB;;;;;OAKG;IAIH,aAAa,EAAG,aAAa,CAAC;IAE9B;;;;;;;;;;;;;;;OAeG;IAEH,kBAAkB,EAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAC9C"}

package/dist/dto/auth-challenge.dto.js

@@ -78,7 +78,7 @@ var AuthChallenge;
  *     email: 'user@example.com',
  *     codeDeliveryDestination: 'u***@example.com'
  *   },
- *   userSub: 'a21b654c-2746-4168-acee-c175083a65cd'
+ *   sub: 'a21b654c-2746-4168-acee-c175083a65cd'
  * }
  * ```
  */
@@ -134,7 +134,7 @@ class AuthChallengeResponseDTO {
      *
      * @example "a21b654c-2746-4168-acee-c175083a65cd"
      */
-    userSub;
+    sub;
 }
 exports.AuthChallengeResponseDTO = AuthChallengeResponseDTO;
 __decorate([
@@ -166,7 +166,7 @@ __decorate([
         return value;
     }),
     __metadata("design:type", String)
-], AuthChallengeResponseDTO.prototype, "userSub", void 0);
+], AuthChallengeResponseDTO.prototype, "sub", void 0);
 /**
  * Challenge Completion Request DTO
  *