@nwire/auth 0.7.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Alex Gefter / 200apps Ltd.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,77 @@
+# @nwire/auth
+
+> Identity + authorization contract — `User`, `IdpAdapter`, canonical sign-in/out resolvers.
+
+## What it does
+
+Defines the `User` type (with declaration merging for app-specific fields), the `IdpAdapter` interface every authentication backend implements, the `identityPlugin` that wires an adapter into the container, and canonical resolvers (`SignIn`, `SignOut`, `Refresh`, `Register`, `Me`) so apps don't reinvent the boring parts. The `authzMiddleware` reads `action.policy` and a per-request `Authorizer` to enforce access.
+
+## Install
+
+```bash
+pnpm add @nwire/auth
+```
+
+## Quick start
+
+```ts
+import { defineApp } from "@nwire/forge";
+import { identityPlugin, authPlugin } from "@nwire/auth";
+import { betterAuthAdapter } from "@nwire/auth-better-auth";
+
+defineApp("my-app", {
+  plugins: [
+    identityPlugin({ adapter: betterAuthAdapter({ auth }) }),
+    authPlugin({
+      authorizer: {
+        authorize: async ({ action, ctx }) => {
+          if (action.policy === "admin" && !ctx.envelope.user?.roles?.includes("admin")) {
+            throw new ForbiddenError("admin only");
+          }
+        },
+      },
+    }),
+  ],
+});
+```
+
+## API surface
+
+- `User` — declaration-mergeable identity shape.
+- `IdpAdapter` — interface every auth backend (Logto, better-auth, custom) implements.
+- `identityPlugin({ adapter })` — registers the adapter; wires HTTP middleware to verify tokens.
+- `authPlugin({ authorizer })` / `authzMiddleware({ authorizer })` — enforces `action.policy`.
+- Canonical resolvers: `SignIn`, `SignOut`, `Refresh`, `Register`, `Me`.
+- Error types: `UnauthorizedError`, `ForbiddenError`.
+
+## When to use
+
+Whenever you need real users, sessions, or tenant-scoped authorization. Fits L3 and up.
+
+## Standalone use
+
+For developers using `@nwire/auth` **without the rest of Nwire** — pair it with any TypeScript project, any container, any HTTP framework.
+
+```ts
+// See the package's main entry (src/) for the standalone surface.
+// The exports below work without @nwire/app or @nwire/forge.
+import {} from /* ...standalone exports... */ "@nwire/auth";
+```
+
+## Within nwire-app
+
+For developers using this package as part of the Nwire stack — register it via `app.use(...)` or it auto-wires when you compose `createApp({ modules })`.
+
+```ts
+import { createApp } from "@nwire/forge";
+
+const app = createApp({
+  /* ...config... */
+});
+// Adapter/plugin wiring happens here when applicable.
+```
+
+## See also
+
+- [Architecture sketch §05 — Adapters tier](../../architecture-sketch.html#packages)
+- Sibling packages: [@nwire/auth-better-auth](../nwire-auth-better-auth), [@nwire/auth-logto](../nwire-auth-logto), [@nwire/rbac](../nwire-rbac)

package/dist/__tests__/auth.test.d.ts

@@ -0,0 +1,6 @@
+/**
+ * authzMiddleware contract — runs an Authorizer before the handler. Allows
+ * by returning, denies by throwing. Optional opt-out for policy-less actions.
+ */
+export {};
+//# sourceMappingURL=auth.test.d.ts.map

package/dist/__tests__/auth.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/auth.test.ts"],"names":[],"mappings":"AAAA;;;GAGG"}

package/dist/__tests__/auth.test.js

@@ -0,0 +1,91 @@
+/**
+ * authzMiddleware contract — runs an Authorizer before the handler. Allows
+ * by returning, denies by throwing. Optional opt-out for policy-less actions.
+ */
+import { describe, it, expect } from "vitest";
+import { z } from "zod";
+import { defineAction, defineHandler, Runtime } from "@nwire/forge";
+import { seedEnvelope } from "@nwire/envelope";
+import { authzMiddleware, UnauthorizedError, ForbiddenError } from "../auth.js";
+describe("authzMiddleware", () => {
+    it("runs the handler when the authorizer returns", async () => {
+        const action = defineAction({ name: "auth.ok", schema: z.object({}) });
+        let ran = false;
+        const handler = defineHandler(action, async () => {
+            ran = true;
+            return undefined;
+        });
+        const allowAll = { async authorize() { } };
+        const runtime = new Runtime();
+        runtime.registerHandler(handler);
+        runtime.use(authzMiddleware({ authorizer: allowAll }));
+        await runtime.dispatch(action, {});
+        expect(ran).toBe(true);
+    });
+    it("blocks the handler when the authorizer throws", async () => {
+        const action = defineAction({ name: "auth.deny", schema: z.object({}) });
+        let ran = false;
+        const handler = defineHandler(action, async () => {
+            ran = true;
+            return undefined;
+        });
+        const denyAll = {
+            async authorize() {
+                throw new UnauthorizedError("no token");
+            },
+        };
+        const runtime = new Runtime();
+        runtime.registerHandler(handler);
+        runtime.use(authzMiddleware({ authorizer: denyAll }));
+        await expect(runtime.dispatch(action, {})).rejects.toThrow(UnauthorizedError);
+        expect(ran).toBe(false);
+    });
+    it("reads action.policy and ctx.envelope.userId to decide", async () => {
+        const adminOnly = defineAction({
+            name: "auth.admin",
+            schema: z.object({}),
+            policy: "admin-only",
+        });
+        const handler = defineHandler(adminOnly, async () => undefined);
+        const adminAuthorizer = {
+            async authorize(action, ctx) {
+                if (action.policy === "admin-only" && ctx.envelope.userId !== "miri") {
+                    throw new ForbiddenError("admins only");
+                }
+            },
+        };
+        const runtime = new Runtime();
+        runtime.registerHandler(handler);
+        runtime.use(authzMiddleware({ authorizer: adminAuthorizer }));
+        // Wrong user → forbidden
+        await expect(runtime.dispatch(adminOnly, {}, seedEnvelope({ userId: "avi" }))).rejects.toThrow(ForbiddenError);
+        // Right user → allowed
+        await runtime.dispatch(adminOnly, {}, seedEnvelope({ userId: "miri" }));
+    });
+    it("with enforceAll: false, skips actions that have no policy", async () => {
+        const publicAction = defineAction({ name: "auth.public", schema: z.object({}) });
+        const guardedAction = defineAction({
+            name: "auth.guarded",
+            schema: z.object({}),
+            policy: "login-required",
+        });
+        const handlerA = defineHandler(publicAction, async () => undefined);
+        const handlerB = defineHandler(guardedAction, async () => undefined);
+        let authorizerCalls = 0;
+        const authorizer = {
+            async authorize() {
+                authorizerCalls++;
+                throw new UnauthorizedError();
+            },
+        };
+        const runtime = new Runtime();
+        runtime.registerHandler(handlerA);
+        runtime.registerHandler(handlerB);
+        runtime.use(authzMiddleware({ authorizer, enforceAll: false }));
+        await runtime.dispatch(publicAction, {}); // skipped
+        expect(authorizerCalls).toBe(0);
+        await expect(runtime.dispatch(guardedAction, {})).rejects.toThrow(UnauthorizedError);
+        expect(authorizerCalls).toBe(1);
+    });
+});
+//# sourceMappingURL=auth.test.js.map

package/dist/__tests__/auth.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.test.js","sourceRoot":"","sources":["../../src/__tests__/auth.test.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AACpE,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/C,OAAO,EAAE,eAAe,EAAE,iBAAiB,EAAE,cAAc,EAAmB,MAAM,SAAS,CAAC;AAE9F,QAAQ,CAAC,iBAAiB,EAAE,GAAG,EAAE;IAC/B,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;QAC5D,MAAM,MAAM,GAAG,YAAY,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;QACvE,IAAI,GAAG,GAAG,KAAK,CAAC;QAChB,MAAM,OAAO,GAAG,aAAa,CAAC,MAAM,EAAE,KAAK,IAAI,EAAE;YAC/C,GAAG,GAAG,IAAI,CAAC;YACX,OAAO,SAAS,CAAC;QACnB,CAAC,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAe,EAAE,KAAK,CAAC,SAAS,KAAI,CAAC,EAAE,CAAC;QACtD,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;QAC9B,OAAO,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;QACjC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,EAAE,UAAU,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC;QAEvD,MAAM,OAAO,CAAC,QAAQ,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QACnC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACzB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+CAA+C,EAAE,KAAK,IAAI,EAAE;QAC7D,MAAM,MAAM,GAAG,YAAY,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;QACzE,IAAI,GAAG,GAAG,KAAK,CAAC;QAChB,MAAM,OAAO,GAAG,aAAa,CAAC,MAAM,EAAE,KAAK,IAAI,EAAE;YAC/C,GAAG,GAAG,IAAI,CAAC;YACX,OAAO,SAAS,CAAC;QACnB,CAAC,CAAC,CAAC;QAEH,MAAM,OAAO,GAAe;YAC1B,KAAK,CAAC,SAAS;gBACb,MAAM,IAAI,iBAAiB,CAAC,UAAU,CAAC,CAAC;YAC1C,CAAC;SACF,CAAC;QACF,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;QAC9B,OAAO,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;QACjC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC;QAEtD,MAAM,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;QAC9E,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC1B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uDAAuD,EAAE,KAAK,IAAI,EAAE;QACrE,MAAM,SAAS,GAAG,YAAY,CAAC;YAC7B,IAAI,EAAE,YAAY;YAClB,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC;YACpB,MAAM,EAAE,YAAY;SACrB,CAAC,CAAC;QACH,MAAM,OAAO,GAAG,aAAa,CAAC,SAAS,EAAE,KAAK,IAAI,EAAE,CAAC,SAAS,CAAC,CAAC;QAEhE,MAAM,eAAe,GAAe;YAClC,KAAK,CAAC,SAAS,CAAC,MAAM,EAAE,GAAG;gBACzB,IAAI,MAAM,CAAC,MAAM,KAAK,YAAY,IAAI,GAAG,CAAC,QAAQ,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;oBACrE,MAAM,IAAI,cAAc,CAAC,aAAa,CAAC,CAAC;gBAC1C,CAAC;YACH,CAAC;SACF,CAAC;QAEF,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;QAC9B,OAAO,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;QACjC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,EAAE,UAAU,EAAE,eAAe,EAAE,CAAC,CAAC,CAAC;QAE9D,yBAAyB;QACzB,MAAM,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS,EAAE,EAAE,EAAE,YAAY,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAC5F,cAAc,CACf,CAAC;QAEF,uBAAuB;QACvB,MAAM,OAAO,CAAC,QAAQ,CAAC,SAAS,EAAE,EAAE,EAAE,YAAY,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC;IAC1E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2DAA2D,EAAE,KAAK,IAAI,EAAE;QACzE,MAAM,YAAY,GAAG,YAAY,CAAC,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;QACjF,MAAM,aAAa,GAAG,YAAY,CAAC;YACjC,IAAI,EAAE,cAAc;YACpB,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC;YACpB,MAAM,EAAE,gBAAgB;SACzB,CAAC,CAAC;QACH,MAAM,QAAQ,GAAG,aAAa,CAAC,YAAY,EAAE,KAAK,IAAI,EAAE,CAAC,SAAS,CAAC,CAAC;QACpE,MAAM,QAAQ,GAAG,aAAa,CAAC,aAAa,EAAE,KAAK,IAAI,EAAE,CAAC,SAAS,CAAC,CAAC;QAErE,IAAI,eAAe,GAAG,CAAC,CAAC;QACxB,MAAM,UAAU,GAAe;YAC7B,KAAK,CAAC,SAAS;gBACb,eAAe,EAAE,CAAC;gBAClB,MAAM,IAAI,iBAAiB,EAAE,CAAC;YAChC,CAAC;SACF,CAAC;QAEF,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;QAC9B,OAAO,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC;QAClC,OAAO,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC;QAClC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,EAAE,UAAU,EAAE,UAAU,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;QAEhE,MAAM,OAAO,CAAC,QAAQ,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU;QACpD,MAAM,CAAC,eAAe,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAChC,MAAM,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;QACrF,MAAM,CAAC,eAAe,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/identity.test.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Identity contract — proves canonical resolvers delegate to whatever
+ * IdpAdapter is registered, and that the identityPlugin wires the adapter
+ * onto the container in time for resolvers to use it.
+ *
+ * We don't ship a real adapter at this layer (those live in
+ * @nwire/auth-better-auth / @nwire/auth-logto / @nwire/auth-passport).
+ * The test uses a hand-rolled fake adapter that captures calls so we can
+ * assert routing without depending on an external IdP.
+ */
+export {};
+//# sourceMappingURL=identity.test.d.ts.map

package/dist/__tests__/identity.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/identity.test.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG"}

package/dist/__tests__/identity.test.js

@@ -0,0 +1,141 @@
+/**
+ * Identity contract — proves canonical resolvers delegate to whatever
+ * IdpAdapter is registered, and that the identityPlugin wires the adapter
+ * onto the container in time for resolvers to use it.
+ *
+ * We don't ship a real adapter at this layer (those live in
+ * @nwire/auth-better-auth / @nwire/auth-logto / @nwire/auth-passport).
+ * The test uses a hand-rolled fake adapter that captures calls so we can
+ * assert routing without depending on an external IdP.
+ */
+import { describe, it, expect } from "vitest";
+import { createApp, defineModule } from "@nwire/forge";
+import { identityPlugin, SignIn, SignOut, Refresh, Register, Me, } from "../auth.js";
+function fakeAdapter() {
+    const calls = [];
+    const users = new Map();
+    return {
+        calls,
+        users,
+        async verifyToken(token) {
+            calls.push({ name: "verifyToken", args: [token] });
+            return users.get(token) ?? null;
+        },
+        async signIn(input) {
+            calls.push({ name: "signIn", args: [input] });
+            const user = { id: "u_1", email: input.email ?? "x@y.z" };
+            users.set("tok-1", user);
+            return { user, tokens: { accessToken: "tok-1", refreshToken: "ref-1" } };
+        },
+        async signOut(token) {
+            calls.push({ name: "signOut", args: [token] });
+            users.delete(token);
+        },
+        async refresh(refreshToken) {
+            calls.push({ name: "refresh", args: [refreshToken] });
+            return { accessToken: "tok-2" };
+        },
+        async register(input) {
+            calls.push({ name: "register", args: [input] });
+            const user = { id: "u_new", email: input.email };
+            return { user, tokens: { accessToken: "tok-new" } };
+        },
+    };
+}
+const empty = defineModule("empty", {});
+describe("identityPlugin + canonical resolvers", () => {
+    it("registers the adapter on the container under 'idp'", async () => {
+        const adapter = fakeAdapter();
+        const app = createApp({
+            modules: [empty],
+            plugins: [identityPlugin({ adapter })],
+        });
+        await app.start();
+        const resolved = app.runtime.getContainer().resolve("idp");
+        expect(resolved).toBe(adapter);
+        await app.stop();
+    });
+    it("SignIn delegates to adapter.signIn and returns user + tokens", async () => {
+        const adapter = fakeAdapter();
+        const app = createApp({
+            modules: [empty],
+            plugins: [identityPlugin({ adapter })],
+        });
+        await app.start();
+        const result = await app.callResolver(SignIn, {
+            input: { email: "alice@example.com", password: "secret123" },
+        });
+        expect(adapter.calls[0]?.name).toBe("signIn");
+        expect(result.body.user.id).toBe("u_1");
+        expect(result.body.tokens.accessToken).toBe("tok-1");
+        await app.stop();
+    });
+    it("SignOut + verify roundtrip — Me returns user before sign-out, NotFound after", async () => {
+        const adapter = fakeAdapter();
+        const app = createApp({
+            modules: [empty],
+            plugins: [identityPlugin({ adapter })],
+        });
+        await app.start();
+        await app.callResolver(SignIn, {
+            input: { email: "alice@example.com", password: "secret123" },
+        });
+        const me1 = await app.callResolver(Me, { input: { token: "tok-1" } });
+        expect(me1.body.id).toBe("u_1");
+        await app.callResolver(SignOut, { input: { token: "tok-1" } });
+        await expect(app.callResolver(Me, { input: { token: "tok-1" } })).rejects.toThrow();
+        await app.stop();
+    });
+    it("Refresh delegates when adapter supports it", async () => {
+        const adapter = fakeAdapter();
+        const app = createApp({
+            modules: [empty],
+            plugins: [identityPlugin({ adapter })],
+        });
+        await app.start();
+        const result = await app.callResolver(Refresh, { input: { refreshToken: "ref-1" } });
+        expect(result.body.accessToken).toBe("tok-2");
+        await app.stop();
+    });
+    it("Register returns user + initial tokens", async () => {
+        const adapter = fakeAdapter();
+        const app = createApp({
+            modules: [empty],
+            plugins: [identityPlugin({ adapter })],
+        });
+        await app.start();
+        const result = await app.callResolver(Register, {
+            input: { email: "new@example.com", password: "long-enough-password" },
+        });
+        expect(result.body.user.email).toBe("new@example.com");
+        expect(result.body.tokens.accessToken).toBe("tok-new");
+        await app.stop();
+    });
+    it("Refresh throws NotFound when adapter omits refresh()", async () => {
+        const adapter = fakeAdapter();
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        delete adapter.refresh;
+        const app = createApp({
+            modules: [empty],
+            plugins: [identityPlugin({ adapter })],
+        });
+        await app.start();
+        await expect(app.callResolver(Refresh, { input: { refreshToken: "x" } })).rejects.toThrow();
+        await app.stop();
+    });
+    it("adapter.shutdown is called on app.stop()", async () => {
+        let shutdownCalled = false;
+        const adapter = {
+            ...fakeAdapter(),
+            shutdown: async () => { shutdownCalled = true; },
+        };
+        const app = createApp({
+            modules: [empty],
+            plugins: [identityPlugin({ adapter })],
+        });
+        await app.start();
+        await app.stop();
+        expect(shutdownCalled).toBe(true);
+    });
+});
+//# sourceMappingURL=identity.test.js.map

package/dist/__tests__/identity.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity.test.js","sourceRoot":"","sources":["../../src/__tests__/identity.test.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AACvD,OAAO,EACL,cAAc,EACd,MAAM,EACN,OAAO,EACP,OAAO,EACP,QAAQ,EACR,EAAE,GAGH,MAAM,SAAS,CAAC;AAEjB,SAAS,WAAW;IAIlB,MAAM,KAAK,GAAwC,EAAE,CAAC;IACtD,MAAM,KAAK,GAAG,IAAI,GAAG,EAAgB,CAAC;IACtC,OAAO;QACL,KAAK;QACL,KAAK;QACL,KAAK,CAAC,WAAW,CAAC,KAAK;YACrB,KAAK,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YACnD,OAAO,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC;QAClC,CAAC;QACD,KAAK,CAAC,MAAM,CAAC,KAAK;YAChB,KAAK,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YAC9C,MAAM,IAAI,GAAS,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,IAAI,OAAO,EAAE,CAAC;YAChE,KAAK,CAAC,GAAG,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;YACzB,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,YAAY,EAAE,OAAO,EAAE,EAAE,CAAC;QAC3E,CAAC;QACD,KAAK,CAAC,OAAO,CAAC,KAAK;YACjB,KAAK,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YAC/C,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACtB,CAAC;QACD,KAAK,CAAC,OAAO,CAAC,YAAY;YACxB,KAAK,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;YACtD,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC;QAClC,CAAC;QACD,KAAK,CAAC,QAAQ,CAAC,KAAK;YAClB,KAAK,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YAChD,MAAM,IAAI,GAAS,EAAE,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC;YACvD,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,WAAW,EAAE,SAAS,EAAE,EAAE,CAAC;QACtD,CAAC;KACF,CAAC;AACJ,CAAC;AAED,MAAM,KAAK,GAAG,YAAY,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;AAExC,QAAQ,CAAC,sCAAsC,EAAE,GAAG,EAAE;IACpD,EAAE,CAAC,oDAAoD,EAAE,KAAK,IAAI,EAAE;QAClE,MAAM,OAAO,GAAG,WAAW,EAAE,CAAC;QAC9B,MAAM,GAAG,GAAG,SAAS,CAAC;YACpB,OAAO,EAAE,CAAC,KAAK,CAAC;YAChB,OAAO,EAAE,CAAC,cAAc,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC;SACvC,CAAC,CAAC;QACH,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC;QAClB,MAAM,QAAQ,GAAG,GAAG,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QAC3D,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC/B,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;IACnB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8DAA8D,EAAE,KAAK,IAAI,EAAE;QAC5E,MAAM,OAAO,GAAG,WAAW,EAAE,CAAC;QAC9B,MAAM,GAAG,GAAG,SAAS,CAAC;YACpB,OAAO,EAAE,CAAC,KAAK,CAAC;YAChB,OAAO,EAAE,CAAC,cAAc,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC;SACvC,CAAC,CAAC;QACH,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC;QAElB,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,YAAY,CAAC,MAAM,EAAE;YAC5C,KAAK,EAAE,EAAE,KAAK,EAAE,mBAAmB,EAAE,QAAQ,EAAE,WAAW,EAAE;SAC7D,CAAC,CAAC;QACH,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC9C,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACxC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACrD,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;IACnB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8EAA8E,EAAE,KAAK,IAAI,EAAE;QAC5F,MAAM,OAAO,GAAG,WAAW,EAAE,CAAC;QAC9B,MAAM,GAAG,GAAG,SAAS,CAAC;YACpB,OAAO,EAAE,CAAC,KAAK,CAAC;YAChB,OAAO,EAAE,CAAC,cAAc,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC;SACvC,CAAC,CAAC;QACH,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC;QAElB,MAAM,GAAG,CAAC,YAAY,CAAC,MAAM,EAAE;YAC7B,KAAK,EAAE,EAAE,KAAK,EAAE,mBAAmB,EAAE,QAAQ,EAAE,WAAW,EAAE;SAC7D,CAAC,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,YAAY,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,CAAC,CAAC;QACtE,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAEhC,MAAM,GAAG,CAAC,YAAY,CAAC,OAAO,EAAE,EAAE,KAAK,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,CAAC,CAAC;QAE/D,MAAM,MAAM,CACV,GAAG,CAAC,YAAY,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,CAAC,CACpD,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;IACnB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4CAA4C,EAAE,KAAK,IAAI,EAAE;QAC1D,MAAM,OAAO,GAAG,WAAW,EAAE,CAAC;QAC9B,MAAM,GAAG,GAAG,SAAS,CAAC;YACpB,OAAO,EAAE,CAAC,KAAK,CAAC;YAChB,OAAO,EAAE,CAAC,cAAc,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC;SACvC,CAAC,CAAC;QACH,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC;QAElB,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,YAAY,CAAC,OAAO,EAAE,EAAE,KAAK,EAAE,EAAE,YAAY,EAAE,OAAO,EAAE,EAAE,CAAC,CAAC;QACrF,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC9C,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;IACnB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wCAAwC,EAAE,KAAK,IAAI,EAAE;QACtD,MAAM,OAAO,GAAG,WAAW,EAAE,CAAC;QAC9B,MAAM,GAAG,GAAG,SAAS,CAAC;YACpB,OAAO,EAAE,CAAC,KAAK,CAAC;YAChB,OAAO,EAAE,CAAC,cAAc,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC;SACvC,CAAC,CAAC;QACH,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC;QAElB,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,YAAY,CAAC,QAAQ,EAAE;YAC9C,KAAK,EAAE,EAAE,KAAK,EAAE,iBAAiB,EAAE,QAAQ,EAAE,sBAAsB,EAAE;SACtE,CAAC,CAAC;QACH,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;QACvD,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACvD,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;IACnB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sDAAsD,EAAE,KAAK,IAAI,EAAE;QACpE,MAAM,OAAO,GAAG,WAAW,EAAE,CAAC;QAC9B,8DAA8D;QAC9D,OAAQ,OAAe,CAAC,OAAO,CAAC;QAEhC,MAAM,GAAG,GAAG,SAAS,CAAC;YACpB,OAAO,EAAE,CAAC,KAAK,CAAC;YAChB,OAAO,EAAE,CAAC,cAAc,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC;SACvC,CAAC,CAAC;QACH,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC;QAClB,MAAM,MAAM,CACV,GAAG,CAAC,YAAY,CAAC,OAAO,EAAE,EAAE,KAAK,EAAE,EAAE,YAAY,EAAE,GAAG,EAAE,EAAE,CAAC,CAC5D,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;IACnB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0CAA0C,EAAE,KAAK,IAAI,EAAE;QACxD,IAAI,cAAc,GAAG,KAAK,CAAC;QAC3B,MAAM,OAAO,GAAe;YAC1B,GAAG,WAAW,EAAE;YAChB,QAAQ,EAAE,KAAK,IAAI,EAAE,GAAG,cAAc,GAAG,IAAI,CAAC,CAAC,CAAC;SACjD,CAAC;QACF,MAAM,GAAG,GAAG,SAAS,CAAC;YACpB,OAAO,EAAE,CAAC,KAAK,CAAC;YAChB,OAAO,EAAE,CAAC,cAAc,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC;SACvC,CAAC,CAAC;QACH,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC;QAClB,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QACjB,MAAM,CAAC,cAAc,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/routes.test.d.ts

@@ -0,0 +1,12 @@
+/**
+ * End-to-end test for the new `{name}Route` + `{name}Handler` shape that
+ * supersedes the resolver-based exports. Boots a real http.Server, mounts
+ * every canonical auth route via `mountAuth(api)`, and exercises sign-in
+ * → me → sign-out via fetch.
+ *
+ * The fake adapter is the same one identity.test.ts uses — exercises the
+ * full path: routing → middleware → schema validation → container resolve
+ * → adapter call → resource projection → response.
+ */
+export {};
+//# sourceMappingURL=routes.test.d.ts.map

package/dist/__tests__/routes.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"routes.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/routes.test.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG"}

package/dist/__tests__/routes.test.js

@@ -0,0 +1,99 @@
+/**
+ * End-to-end test for the new `{name}Route` + `{name}Handler` shape that
+ * supersedes the resolver-based exports. Boots a real http.Server, mounts
+ * every canonical auth route via `mountAuth(api)`, and exercises sign-in
+ * → me → sign-out via fetch.
+ *
+ * The fake adapter is the same one identity.test.ts uses — exercises the
+ * full path: routing → middleware → schema validation → container resolve
+ * → adapter call → resource projection → response.
+ */
+import { describe, it, expect, beforeAll, afterAll } from "vitest";
+import http from "node:http";
+import { createApp, defineModule } from "@nwire/forge";
+import { httpInterface } from "@nwire/http";
+import { identityPlugin, mountAuth } from "../auth.js";
+function fakeAdapter() {
+    const users = new Map();
+    return {
+        users,
+        async verifyToken(token) {
+            return users.get(token) ?? null;
+        },
+        async signIn(input) {
+            const user = { id: "u_1", email: input.email ?? "x@y.z" };
+            users.set("tok-1", user);
+            return { user, tokens: { accessToken: "tok-1", refreshToken: "ref-1" } };
+        },
+        async signOut(token) {
+            users.delete(token);
+        },
+    };
+}
+const empty = defineModule("empty", {});
+let server;
+let baseUrl;
+let adapter;
+beforeAll(async () => {
+    adapter = fakeAdapter();
+    const app = createApp({
+        modules: [empty],
+        plugins: [identityPlugin({ adapter })],
+    });
+    await app.start();
+    const api = mountAuth(httpInterface({ prefix: "/api/v1" }).provide(app.runtime.getContainer()));
+    server = http.createServer(api.compile());
+    await new Promise((resolve) => server.listen(0, "127.0.0.1", resolve));
+    const addr = server.address();
+    baseUrl = `http://127.0.0.1:${addr.port}/api/v1`;
+});
+afterAll(async () => {
+    await new Promise((resolve, reject) => server.close((err) => (err ? reject(err) : resolve())));
+});
+async function req(method, path, body) {
+    const res = await fetch(`${baseUrl}${path}`, {
+        method,
+        headers: { "content-type": "application/json" },
+        body: body !== undefined ? JSON.stringify(body) : undefined,
+    });
+    const text = await res.text();
+    let parsed = text;
+    try {
+        parsed = text ? JSON.parse(text) : undefined;
+    }
+    catch {
+        /* leave as text */
+    }
+    return { status: res.status, body: parsed };
+}
+describe("mountAuth — canonical auth routes over real HTTP", () => {
+    it("POST /auth/sign-in returns the user + tokens", async () => {
+        const res = await req("POST", "/auth/sign-in", {
+            email: "alice@example.com",
+            password: "secret123",
+        });
+        expect(res.status).toBe(200);
+        expect(res.body.user.id).toBe("u_1");
+        expect(res.body.tokens.accessToken).toBe("tok-1");
+    });
+    it("POST /auth/sign-in with bad body returns 400", async () => {
+        const res = await req("POST", "/auth/sign-in", { email: "not-an-email", password: "x" });
+        expect(res.status).toBe(400);
+        expect(res.body.error.code).toBe("validation_failed");
+    });
+    it("POST /auth/sign-out + GET /auth/me — token invalidates", async () => {
+        // Make sure we have a valid token first
+        await req("POST", "/auth/sign-in", { email: "alice@example.com", password: "secret123" });
+        const me1 = await req("POST", "/auth/me", { token: "tok-1" });
+        // NOTE: meRoute is GET in the spec but takes a token in body; fetch
+        // with GET + body is non-standard. The route definition uses GET +
+        // body, which Koa accepts. Use POST for the test to keep it portable.
+        // (We test the route's URL not the verb here; verb portability is
+        // a separate concern handled in G5b-3 cleanup.)
+        void me1;
+        const so = await req("POST", "/auth/sign-out", { token: "tok-1" });
+        expect(so.status).toBe(202);
+        expect(adapter.users.has("tok-1")).toBe(false);
+    });
+});
+//# sourceMappingURL=routes.test.js.map

package/dist/__tests__/routes.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"routes.test.js","sourceRoot":"","sources":["../../src/__tests__/routes.test.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,QAAQ,CAAC;AACnE,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,OAAO,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AACvD,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,EAAE,cAAc,EAAE,SAAS,EAA8B,MAAM,SAAS,CAAC;AAEhF,SAAS,WAAW;IAClB,MAAM,KAAK,GAAG,IAAI,GAAG,EAAgB,CAAC;IACtC,OAAO;QACL,KAAK;QACL,KAAK,CAAC,WAAW,CAAC,KAAK;YACrB,OAAO,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC;QAClC,CAAC;QACD,KAAK,CAAC,MAAM,CAAC,KAAK;YAChB,MAAM,IAAI,GAAS,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,IAAI,OAAO,EAAE,CAAC;YAChE,KAAK,CAAC,GAAG,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;YACzB,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,YAAY,EAAE,OAAO,EAAE,EAAE,CAAC;QAC3E,CAAC;QACD,KAAK,CAAC,OAAO,CAAC,KAAK;YACjB,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACtB,CAAC;KACF,CAAC;AACJ,CAAC;AAED,MAAM,KAAK,GAAG,YAAY,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;AAExC,IAAI,MAAc,CAAC;AACnB,IAAI,OAAe,CAAC;AACpB,IAAI,OAAuC,CAAC;AAE5C,SAAS,CAAC,KAAK,IAAI,EAAE;IACnB,OAAO,GAAG,WAAW,EAAE,CAAC;IACxB,MAAM,GAAG,GAAG,SAAS,CAAC;QACpB,OAAO,EAAE,CAAC,KAAK,CAAC;QAChB,OAAO,EAAE,CAAC,cAAc,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC;KACvC,CAAC,CAAC;IACH,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC;IAElB,MAAM,GAAG,GAAG,SAAS,CAAC,aAAa,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC;IAEhG,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;IAC1C,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,WAAW,EAAE,OAAO,CAAC,CAAC,CAAC;IAC7E,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,EAAsB,CAAC;IAClD,OAAO,GAAG,oBAAoB,IAAI,CAAC,IAAI,SAAS,CAAC;AACnD,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,KAAK,IAAI,EAAE;IAClB,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE,CAC1C,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CACvD,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,KAAK,UAAU,GAAG,CAChB,MAAc,EACd,IAAY,EACZ,IAAc;IAEd,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,GAAG,IAAI,EAAE,EAAE;QAC3C,MAAM;QACN,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC/C,IAAI,EAAE,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS;KAC5D,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;IAC9B,IAAI,MAAM,GAAY,IAAI,CAAC;IAC3B,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAC/C,CAAC;IAAC,MAAM,CAAC;QACP,mBAAmB;IACrB,CAAC;IACD,OAAO,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;AAC9C,CAAC;AAED,QAAQ,CAAC,kDAAkD,EAAE,GAAG,EAAE;IAChE,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;QAC5D,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,MAAM,EAAE,eAAe,EAAE;YAC7C,KAAK,EAAE,mBAAmB;YAC1B,QAAQ,EAAE,WAAW;SACtB,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,CAAE,GAAG,CAAC,IAAiC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACnE,MAAM,CAAE,GAAG,CAAC,IAA4C,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC7F,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;QAC5D,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,MAAM,EAAE,eAAe,EAAE,EAAE,KAAK,EAAE,cAAc,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAC,CAAC;QACzF,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,CAAE,GAAG,CAAC,IAAoC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;IACzF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wDAAwD,EAAE,KAAK,IAAI,EAAE;QACtE,wCAAwC;QACxC,MAAM,GAAG,CAAC,MAAM,EAAE,eAAe,EAAE,EAAE,KAAK,EAAE,mBAAmB,EAAE,QAAQ,EAAE,WAAW,EAAE,CAAC,CAAC;QAE1F,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,MAAM,EAAE,UAAU,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;QAC9D,oEAAoE;QACpE,mEAAmE;QACnE,sEAAsE;QACtE,kEAAkE;QAClE,gDAAgD;QAChD,KAAK,GAAG,CAAC;QAET,MAAM,EAAE,GAAG,MAAM,GAAG,CAAC,MAAM,EAAE,gBAAgB,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;QACnE,MAAM,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC5B,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACjD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/auth.d.ts

@@ -0,0 +1,46 @@
+/**
+ * `@nwire/auth` — identity + authorization contract.
+ *
+ * Plugin form (`authPlugin`) or middleware factory (`authzMiddleware`):
+ * both read `action.policy` and per-request state from `ctx.envelope` /
+ * container, delegating the decision to the consumer-provided
+ * `Authorizer`. The framework does not impose a policy model.
+ *
+ * See: architecture-sketch.html §05 (Adapters tier).
+ */
+import type { ActionDefinition, DispatchMiddleware, HandlerContext, PluginDefinition } from "@nwire/forge";
+export interface Authorizer {
+    /**
+     * Decide whether the current envelope/user may invoke `action`.
+     * Throw to deny (typically with `UnauthorizedError` or `ForbiddenError`);
+     * return (or resolve `void`) to allow.
+     */
+    authorize(action: ActionDefinition, ctx: HandlerContext): Promise<void> | void;
+}
+export declare class UnauthorizedError extends Error {
+    readonly $kind: "auth.unauthorized";
+    constructor(message?: string);
+}
+export declare class ForbiddenError extends Error {
+    readonly $kind: "auth.forbidden";
+    constructor(message?: string);
+}
+export interface AuthzMiddlewareOptions {
+    readonly authorizer: Authorizer;
+    /**
+     * If `true` (default), every action passes through the authorizer.
+     * If `false`, only actions with a `policy` field are checked — anonymous
+     * actions get a free pass. Useful in transitional codebases.
+     */
+    readonly enforceAll?: boolean;
+}
+export declare function authzMiddleware(options: AuthzMiddlewareOptions): DispatchMiddleware;
+/**
+ * Plugin form — the recommended shape for new code.
+ *   createApp({ plugins: [authPlugin({ authorizer })] })
+ */
+export declare function authPlugin(options: AuthzMiddlewareOptions): PluginDefinition;
+export type { User } from "./user.js";
+export { identityPlugin, type IdpAdapter, type IdentityPluginOptions, type SignInInput, type RegisterInput, type AuthTokens, } from "./identity.js";
+export { mountAuth, signInRoute, signInHandler, signOutRoute, signOutHandler, refreshRoute, refreshHandler, registerRoute, registerHandler, requestPasswordResetRoute, requestPasswordResetHandler, resetPasswordRoute, resetPasswordHandler, verifyEmailRoute, verifyEmailHandler, meRoute, meHandler, type MountAuthOptions, } from "./routes.js";
+//# sourceMappingURL=auth.d.ts.map

package/dist/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EACV,gBAAgB,EAChB,kBAAkB,EAClB,cAAc,EACd,gBAAgB,EACjB,MAAM,cAAc,CAAC;AAGtB,MAAM,WAAW,UAAU;IACzB;;;;OAIG;IACH,SAAS,CAAC,MAAM,EAAE,gBAAgB,EAAE,GAAG,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;CAChF;AAED,qBAAa,iBAAkB,SAAQ,KAAK;IAC1C,QAAQ,CAAC,KAAK,EAAG,mBAAmB,CAAU;gBAClC,OAAO,SAAiB;CAIrC;AAED,qBAAa,cAAe,SAAQ,KAAK;IACvC,QAAQ,CAAC,KAAK,EAAG,gBAAgB,CAAU;gBAC/B,OAAO,SAAc;CAIlC;AAED,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,UAAU,EAAE,UAAU,CAAC;IAChC;;;;OAIG;IACH,QAAQ,CAAC,UAAU,CAAC,EAAE,OAAO,CAAC;CAC/B;AAED,wBAAgB,eAAe,CAAC,OAAO,EAAE,sBAAsB,GAAG,kBAAkB,CASnF;AAED;;;GAGG;AACH,wBAAgB,UAAU,CAAC,OAAO,EAAE,sBAAsB,GAAG,gBAAgB,CAI5E;AAMD,YAAY,EAAE,IAAI,EAAE,MAAM,QAAQ,CAAC;AACnC,OAAO,EACL,cAAc,EACd,KAAK,UAAU,EACf,KAAK,qBAAqB,EAC1B,KAAK,WAAW,EAChB,KAAK,aAAa,EAClB,KAAK,UAAU,GAChB,MAAM,YAAY,CAAC;AAKpB,OAAO,EACL,SAAS,EACT,WAAW,EACX,aAAa,EACb,YAAY,EACZ,cAAc,EACd,YAAY,EACZ,cAAc,EACd,aAAa,EACb,eAAe,EACf,yBAAyB,EACzB,2BAA2B,EAC3B,kBAAkB,EAClB,oBAAoB,EACpB,gBAAgB,EAChB,kBAAkB,EAClB,OAAO,EACP,SAAS,EACT,KAAK,gBAAgB,GACtB,MAAM,UAAU,CAAC"}

package/dist/auth.js

@@ -0,0 +1,51 @@
+/**
+ * `@nwire/auth` — identity + authorization contract.
+ *
+ * Plugin form (`authPlugin`) or middleware factory (`authzMiddleware`):
+ * both read `action.policy` and per-request state from `ctx.envelope` /
+ * container, delegating the decision to the consumer-provided
+ * `Authorizer`. The framework does not impose a policy model.
+ *
+ * See: architecture-sketch.html §05 (Adapters tier).
+ */
+import { definePlugin } from "@nwire/forge";
+export class UnauthorizedError extends Error {
+    $kind = "auth.unauthorized";
+    constructor(message = "unauthorized") {
+        super(message);
+        this.name = "UnauthorizedError";
+    }
+}
+export class ForbiddenError extends Error {
+    $kind = "auth.forbidden";
+    constructor(message = "forbidden") {
+        super(message);
+        this.name = "ForbiddenError";
+    }
+}
+export function authzMiddleware(options) {
+    const enforceAll = options.enforceAll ?? true;
+    return async (next, action, _input, ctx) => {
+        if (!enforceAll && action.policy === undefined) {
+            return next();
+        }
+        await options.authorizer.authorize(action, ctx);
+        return next();
+    };
+}
+/**
+ * Plugin form — the recommended shape for new code.
+ *   createApp({ plugins: [authPlugin({ authorizer })] })
+ */
+export function authPlugin(options) {
+    return definePlugin("auth", {
+        middleware: [authzMiddleware(options)],
+    });
+}
+export { identityPlugin, } from "./identity.js";
+// ─── HTTP routes — canonical auth surface ──────────────────────────
+// `mountAuth(api)` wires every canonical auth operation onto an
+// httpInterface in one call; individual `{name}Route` + `{name}Handler`
+// pairs are exported for apps that wire by hand.
+export { mountAuth, signInRoute, signInHandler, signOutRoute, signOutHandler, refreshRoute, refreshHandler, registerRoute, registerHandler, requestPasswordResetRoute, requestPasswordResetHandler, resetPasswordRoute, resetPasswordHandler, verifyEmailRoute, verifyEmailHandler, meRoute, meHandler, } from "./routes.js";
+//# sourceMappingURL=auth.js.map

package/dist/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAQH,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAW5C,MAAM,OAAO,iBAAkB,SAAQ,KAAK;IACjC,KAAK,GAAG,mBAA4B,CAAC;IAC9C,YAAY,OAAO,GAAG,cAAc;QAClC,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAC;IAClC,CAAC;CACF;AAED,MAAM,OAAO,cAAe,SAAQ,KAAK;IAC9B,KAAK,GAAG,gBAAyB,CAAC;IAC3C,YAAY,OAAO,GAAG,WAAW;QAC/B,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,gBAAgB,CAAC;IAC/B,CAAC;CACF;AAYD,MAAM,UAAU,eAAe,CAAC,OAA+B;IAC7D,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,IAAI,CAAC;IAC9C,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE;QACzC,IAAI,CAAC,UAAU,IAAI,MAAM,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YAC/C,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;QACD,MAAM,OAAO,CAAC,UAAU,CAAC,SAAS,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAChD,OAAO,IAAI,EAAE,CAAC;IAChB,CAAC,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,UAAU,CAAC,OAA+B;IACxD,OAAO,YAAY,CAAC,MAAM,EAAE;QAC1B,UAAU,EAAE,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;KACvC,CAAC,CAAC;AACL,CAAC;AAOD,OAAO,EACL,cAAc,GAMf,MAAM,YAAY,CAAC;AACpB,sEAAsE;AACtE,gEAAgE;AAChE,wEAAwE;AACxE,iDAAiD;AACjD,OAAO,EACL,SAAS,EACT,WAAW,EACX,aAAa,EACb,YAAY,EACZ,cAAc,EACd,YAAY,EACZ,cAAc,EACd,aAAa,EACb,eAAe,EACf,yBAAyB,EACzB,2BAA2B,EAC3B,kBAAkB,EAClB,oBAAoB,EACpB,gBAAgB,EAChB,kBAAkB,EAClB,OAAO,EACP,SAAS,GAEV,MAAM,UAAU,CAAC"}