@objectstack/spec 0.1.2 → 0.3.0

package/dist/system/auth.zod.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.zod.d.ts","sourceRoot":"","sources":["../../src/system/auth.zod.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB;;;;;;;;;GASG;AAEH;;GAEG;AACH,eAAO,MAAM,YAAY,qFAOvB,CAAC;AAEH,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD;;;GAGG;AACH,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;;;;;;;EA0B9B,CAAC;AAEH,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEhE;;GAEG;AACH,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;;EAYpC,CAAC;AAEH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAE5E;;GAEG;AACH,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAchC,CAAC;AAEH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAEpE;;GAEG;AACH,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;EAY9B,CAAC;AAEH,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEhE;;GAEG;AACH,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;;;;;;;EAgB9B,CAAC;AAEH,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEhE;;GAEG;AACH,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;;;;;EAUhC,CAAC;AAEH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAEpE;;GAEG;AACH,eAAO,MAAM,gBAAgB;;;;;;;;;;;;;;;EAQ3B,CAAC;AAEH,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAE1D;;;GAGG;AACH,eAAO,MAAM,0BAA0B;;;;;;;;;;;;EAMrC,CAAC;AAEH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAE9E;;GAEG;AACH,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAWhC,CAAC;AAEH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAEpE;;;GAGG;AACH,eAAO,MAAM,gBAAgB;;;;;;;;;;;;;;;;;;;;;;;;;;;EAgB3B,CAAC;AAEH,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAE1D;;;GAGG;AACH,eAAO,MAAM,gBAAgB;;;;;;;;;;;;;;;;;;;;;;;;;;;EAgB3B,CAAC;AAEH,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAE1D;;;GAGG;AACH,eAAO,MAAM,gBAAgB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAkB3B,CAAC;AAEH,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAE1D;;;GAGG;AACH,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAMrC,CAAC;AAEH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAE9E;;;GAGG;AACH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;EAQjC,CAAC;AAEH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAEtE;;GAEG;AACH,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;;EAQhC,CAAC;AAEH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAEpE;;;;GAIG;AACH,eAAO,MAAM,0BAA0B;;;;;;;;;CAS7B,CAAC;AAEX;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,eAAO,MAAM,qBAAqB;IAChC;;;OAGG;;IAGH;;;OAGG;;IAGH;;;OAGG;;IAGH;;;OAGG;;;;;;;;;;;;EAEH,CAAC;AAEH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAEpE;;;GAGG;AACH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;EAMjC,CAAC;AAEH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAEtE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AACH,eAAO,MAAM,gBAAgB;IAC3B;;;OAGG;;IAKH;;OAEG;;IAGH;;;;OAIG;;IAGH;;OAEG;;IAGH;;OAEG;;IAGH;;;OAGG;;IAGH;;OAEG;;;;;;;;;;;;;;;;;;;;;;;IAGH;;OAEG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAGH;;OAEG;;;;;;;;;;;;;;;;;;;;;;;IAGH;;OAEG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAKH;;OAEG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAGH;;OAEG;;;;;;;;;;;;;;;;;;;;IAGH;;OAEG;;;;;;;;;;;;;;;;;IAGH;;OAEG;;;;;;;;;;;;;;IAGH;;OAEG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAGH;;;OAGG;;;;;;;;;;;;;;;;;IAWH;;OAEG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAGH;;OAEG;;;;;;;;;;;;;;;;;;;;;;;;;;IAGH;;OAEG;;;;;;;;;;;;;;;;;IAGH;;;;;;;OAOG;;QAjMH;;;WAGG;;QAGH;;;WAGG;;QAGH;;;WAGG;;QAGH;;;WAGG;;;;;;;;;;;;;IA+KH;;OAEG;;;;;;;;;;;;;;IAGH;;OAEG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAuCH;;OAEG;;;;;;;;;;;;;;;;;;;;IAaH;;OAEG;;;;;;;;;;;;;;;;;IAWH;;OAEG;;;;;;;;;;;;;;;;;IAWH;;OAEG;;IAGH;;OAEG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAEH,CAAC;AAEH;;GAEG;AACH,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAE1D;;;GAGG;AACH,eAAO,MAAM,0BAA0B;;;QArOrC;;;WAGG;;QAKH;;WAEG;;QAGH;;;;WAIG;;QAGH;;WAEG;;QAGH;;WAEG;;QAGH;;;WAGG;;QAGH;;WAEG;;;;;;;;;;;;;;;;;;;;;;;QAGH;;WAEG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;QAGH;;WAEG;;;;;;;;;;;;;;;;;;;;;;;QAGH;;WAEG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;QAKH;;WAEG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;QAGH;;WAEG;;;;;;;;;;;;;;;;;;;;QAGH;;WAEG;;;;;;;;;;;;;;;;;QAGH;;WAEG;;;;;;;;;;;;;;QAGH;;WAEG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;QAGH;;;WAGG;;;;;;;;;;;;;;;;;QAWH;;WAEG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;QAGH;;WAEG;;;;;;;;;;;;;;;;;;;;;;;;;;QAGH;;WAEG;;;;;;;;;;;;;;;;;QAGH;;;;;;;WAOG;;YAjMH;;;eAGG;;YAGH;;;eAGG;;YAGH;;;eAGG;;YAGH;;;eAGG;;;;;;;;;;;;;QA+KH;;WAEG;;;;;;;;;;;;;;QAGH;;WAEG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;QAuCH;;WAEG;;;;;;;;;;;;;;;;;;;;QAaH;;WAEG;;;;;;;;;;;;;;;;;QAWH;;WAEG;;;;;;;;;;;;;;;;;QAWH;;WAEG;;QAGH;;WAEG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAiBH,CAAC;AAEH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC"}

package/dist/system/auth.zod.js

@@ -0,0 +1,499 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.StandardAuthProviderSchema = exports.AuthConfigSchema = exports.AuthPluginConfigSchema = exports.DatabaseMappingSchema = exports.BETTER_AUTH_FIELD_MAPPINGS = exports.DatabaseAdapterSchema = exports.UserFieldMappingSchema = exports.EnterpriseAuthConfigSchema = exports.LDAPConfigSchema = exports.SAMLConfigSchema = exports.OIDCConfigSchema = exports.TwoFactorConfigSchema = exports.AccountLinkingConfigSchema = exports.CSRFConfigSchema = exports.RateLimitConfigSchema = exports.SessionConfigSchema = exports.PasskeyConfigSchema = exports.MagicLinkConfigSchema = exports.EmailPasswordConfigSchema = exports.OAuthProviderSchema = exports.AuthStrategy = void 0;
+const zod_1 = require("zod");
+/**
+ * Authentication Protocol
+ *
+ * Defines the standard authentication specification for the ObjectStack ecosystem.
+ * This protocol supports multiple authentication strategies, session management,
+ * and comprehensive security features.
+ *
+ * This is a framework-agnostic specification that can be implemented with any
+ * authentication library (better-auth, Auth.js, Passport, etc.)
+ */
+/**
+ * Supported authentication strategies
+ */
+exports.AuthStrategy = zod_1.z.enum([
+    'email_password', // Traditional email & password authentication
+    'magic_link', // Passwordless email magic link
+    'oauth', // OAuth2 providers (Google, GitHub, etc.)
+    'passkey', // WebAuthn / FIDO2 passkeys
+    'otp', // One-time password (SMS, Email)
+    'anonymous', // Anonymous/guest sessions
+]);
+/**
+ * OAuth Provider Configuration
+ * Supports popular OAuth2 providers
+ */
+exports.OAuthProviderSchema = zod_1.z.object({
+    provider: zod_1.z.enum([
+        'google',
+        'github',
+        'facebook',
+        'twitter',
+        'linkedin',
+        'microsoft',
+        'apple',
+        'discord',
+        'gitlab',
+        'custom',
+    ]).describe('OAuth provider type'),
+    clientId: zod_1.z.string().describe('OAuth client ID'),
+    clientSecret: zod_1.z.string().describe('OAuth client secret (typically from ENV)'),
+    scopes: zod_1.z.array(zod_1.z.string()).optional().describe('Requested OAuth scopes'),
+    redirectUri: zod_1.z.string().url().optional().describe('OAuth callback URL'),
+    enabled: zod_1.z.boolean().default(true).describe('Whether this provider is enabled'),
+    displayName: zod_1.z.string().optional().describe('Display name for the provider button'),
+    icon: zod_1.z.string().optional().describe('Icon URL or identifier'),
+});
+/**
+ * Email & Password Strategy Configuration
+ */
+exports.EmailPasswordConfigSchema = zod_1.z.object({
+    enabled: zod_1.z.boolean().default(true),
+    requireEmailVerification: zod_1.z.boolean().default(true).describe('Require email verification before login'),
+    minPasswordLength: zod_1.z.number().min(6).max(128).default(8).describe('Minimum password length'),
+    requirePasswordComplexity: zod_1.z.boolean().default(true).describe('Require uppercase, lowercase, numbers, symbols'),
+    allowPasswordReset: zod_1.z.boolean().default(true).describe('Enable password reset functionality'),
+    passwordResetExpiry: zod_1.z.number().default(3600).describe('Password reset token expiry in seconds'),
+});
+/**
+ * Magic Link Strategy Configuration
+ */
+exports.MagicLinkConfigSchema = zod_1.z.object({
+    enabled: zod_1.z.boolean().default(true),
+    expiryTime: zod_1.z.number().default(900).describe('Magic link expiry time in seconds (default 15 min)'),
+    sendEmail: zod_1.z.function()
+        .args(zod_1.z.object({
+        to: zod_1.z.string().email(),
+        link: zod_1.z.string().url(),
+        token: zod_1.z.string(),
+    }))
+        .returns(zod_1.z.promise(zod_1.z.void()))
+        .optional()
+        .describe('Custom email sending function'),
+});
+/**
+ * Passkey (WebAuthn) Strategy Configuration
+ */
+exports.PasskeyConfigSchema = zod_1.z.object({
+    enabled: zod_1.z.boolean().default(false),
+    rpName: zod_1.z.string().describe('Relying Party name'),
+    rpId: zod_1.z.string().optional().describe('Relying Party ID (defaults to domain)'),
+    allowedOrigins: zod_1.z.array(zod_1.z.string().url()).optional().describe('Allowed origins for WebAuthn'),
+    userVerification: zod_1.z.enum(['required', 'preferred', 'discouraged']).default('preferred'),
+    attestation: zod_1.z.enum(['none', 'indirect', 'direct', 'enterprise']).default('none'),
+});
+/**
+ * Session Configuration
+ */
+exports.SessionConfigSchema = zod_1.z.object({
+    expiresIn: zod_1.z.number().default(86400 * 7).describe('Session expiry in seconds (default 7 days)'),
+    updateAge: zod_1.z.number().default(86400).describe('Session update interval in seconds (default 1 day)'),
+    cookieName: zod_1.z.string().default('session_token').describe('Session cookie name'),
+    cookieSecure: zod_1.z.boolean().default(true).describe('Use secure cookies (HTTPS only)'),
+    cookieSameSite: zod_1.z.enum(['strict', 'lax', 'none']).default('lax').describe('SameSite cookie attribute'),
+    cookieDomain: zod_1.z.string().optional().describe('Cookie domain'),
+    cookiePath: zod_1.z.string().default('/').describe('Cookie path'),
+    cookieHttpOnly: zod_1.z.boolean().default(true).describe('HttpOnly cookie attribute'),
+});
+/**
+ * Rate Limiting Configuration
+ */
+exports.RateLimitConfigSchema = zod_1.z.object({
+    enabled: zod_1.z.boolean().default(true),
+    maxAttempts: zod_1.z.number().default(5).describe('Maximum login attempts'),
+    windowMs: zod_1.z.number().default(900000).describe('Time window in milliseconds (default 15 min)'),
+    blockDuration: zod_1.z.number().default(900000).describe('Block duration after max attempts in ms'),
+    skipSuccessfulRequests: zod_1.z.boolean().default(false).describe('Only count failed requests'),
+});
+/**
+ * CSRF Protection Configuration
+ */
+exports.CSRFConfigSchema = zod_1.z.object({
+    enabled: zod_1.z.boolean().default(true),
+    tokenLength: zod_1.z.number().default(32).describe('CSRF token length'),
+    cookieName: zod_1.z.string().default('csrf_token').describe('CSRF cookie name'),
+    headerName: zod_1.z.string().default('X-CSRF-Token').describe('CSRF header name'),
+});
+/**
+ * Account Linking Configuration
+ * Allows linking multiple auth methods to a single user account
+ */
+exports.AccountLinkingConfigSchema = zod_1.z.object({
+    enabled: zod_1.z.boolean().default(true).describe('Allow account linking'),
+    autoLink: zod_1.z.boolean().default(false).describe('Automatically link accounts with same email'),
+    requireVerification: zod_1.z.boolean().default(true).describe('Require email verification before linking'),
+});
+/**
+ * Two-Factor Authentication (2FA) Configuration
+ */
+exports.TwoFactorConfigSchema = zod_1.z.object({
+    enabled: zod_1.z.boolean().default(false),
+    issuer: zod_1.z.string().optional().describe('TOTP issuer name'),
+    qrCodeSize: zod_1.z.number().default(200).describe('QR code size in pixels'),
+    backupCodes: zod_1.z.object({
+        enabled: zod_1.z.boolean().default(true),
+        count: zod_1.z.number().default(10).describe('Number of backup codes to generate'),
+    }).optional(),
+});
+/**
+ * OIDC / OAuth2 Enterprise Configuration
+ * OpenID Connect configuration for enterprise SSO
+ */
+exports.OIDCConfigSchema = zod_1.z.object({
+    enabled: zod_1.z.boolean().default(false),
+    issuer: zod_1.z.string().url().describe('OIDC Issuer URL (.well-known/openid-configuration)'),
+    clientId: zod_1.z.string().describe('OIDC client ID'),
+    clientSecret: zod_1.z.string().describe('OIDC client secret'),
+    scopes: zod_1.z.array(zod_1.z.string()).default(['openid', 'profile', 'email']).describe('OIDC scopes'),
+    attributeMapping: zod_1.z.record(zod_1.z.string()).optional().describe('Map IdP claims to User fields'),
+    displayName: zod_1.z.string().optional().describe('Display name for the provider button'),
+    icon: zod_1.z.string().optional().describe('Icon URL or identifier'),
+});
+/**
+ * SAML 2.0 Enterprise Configuration
+ * SAML configuration for legacy enterprise SSO
+ */
+exports.SAMLConfigSchema = zod_1.z.object({
+    enabled: zod_1.z.boolean().default(false),
+    entryPoint: zod_1.z.string().url().describe('IdP SSO URL'),
+    cert: zod_1.z.string().describe('IdP Public Certificate (PEM format)'),
+    issuer: zod_1.z.string().describe('Entity ID of the IdP'),
+    signatureAlgorithm: zod_1.z.enum(['sha256', 'sha512']).default('sha256').describe('Signature algorithm'),
+    attributeMapping: zod_1.z.record(zod_1.z.string()).optional().describe('Map SAML attributes to User fields'),
+    displayName: zod_1.z.string().optional().describe('Display name for the provider button'),
+    icon: zod_1.z.string().optional().describe('Icon URL or identifier'),
+});
+/**
+ * LDAP / Active Directory Enterprise Configuration
+ * LDAP configuration for on-premise directory services
+ */
+exports.LDAPConfigSchema = zod_1.z.object({
+    enabled: zod_1.z.boolean().default(false),
+    url: zod_1.z.string().url().describe('LDAP Server URL (ldap:// or ldaps://)'),
+    bindDn: zod_1.z.string().describe('Bind DN for LDAP authentication'),
+    bindCredentials: zod_1.z.string().describe('Bind credentials'),
+    searchBase: zod_1.z.string().describe('Search base DN'),
+    searchFilter: zod_1.z.string().describe('Search filter'),
+    groupSearchBase: zod_1.z.string().optional().describe('Group search base DN'),
+    displayName: zod_1.z.string().optional().describe('Display name for the provider button'),
+    icon: zod_1.z.string().optional().describe('Icon URL or identifier'),
+});
+/**
+ * Enterprise Authentication Configuration
+ * Combines SAML, LDAP, and OIDC configurations for enterprise SSO
+ */
+exports.EnterpriseAuthConfigSchema = zod_1.z.object({
+    oidc: exports.OIDCConfigSchema.optional().describe('OpenID Connect configuration'),
+    saml: exports.SAMLConfigSchema.optional().describe('SAML 2.0 configuration'),
+    ldap: exports.LDAPConfigSchema.optional().describe('LDAP/Active Directory configuration'),
+});
+/**
+ * User Field Mapping Configuration
+ * Maps authentication user fields to ObjectStack user object fields
+ */
+exports.UserFieldMappingSchema = zod_1.z.object({
+    id: zod_1.z.string().default('id').describe('User ID field'),
+    email: zod_1.z.string().default('email').describe('Email field'),
+    name: zod_1.z.string().default('name').describe('Name field'),
+    image: zod_1.z.string().default('image').optional().describe('Profile image field'),
+    emailVerified: zod_1.z.string().default('email_verified').describe('Email verification status field'),
+    createdAt: zod_1.z.string().default('created_at').describe('Created timestamp field'),
+    updatedAt: zod_1.z.string().default('updated_at').describe('Updated timestamp field'),
+});
+/**
+ * Database Adapter Configuration
+ */
+exports.DatabaseAdapterSchema = zod_1.z.object({
+    type: zod_1.z.enum(['prisma', 'drizzle', 'kysely', 'custom']).describe('Database adapter type'),
+    connectionString: zod_1.z.string().optional().describe('Database connection string'),
+    tablePrefix: zod_1.z.string().default('auth_').describe('Prefix for auth tables'),
+    schema: zod_1.z.string().optional().describe('Database schema name'),
+});
+/**
+ * Default field mappings for better-auth compatibility
+ * These mappings bridge the gap between ObjectStack standard (Auth.js conventions)
+ * and better-auth's field naming conventions
+ */
+exports.BETTER_AUTH_FIELD_MAPPINGS = {
+    session: {
+        sessionToken: 'token',
+        expires: 'expiresAt',
+    },
+    account: {
+        providerAccountId: 'accountId',
+        provider: 'providerId',
+    },
+};
+/**
+ * Database Field Mapping Configuration
+ * Maps ObjectStack standard field names to driver-specific field names.
+ *
+ * Useful when the underlying authentication driver (e.g., better-auth) uses
+ * different column names than the ObjectStack standard schemas (which follow
+ * Auth.js conventions).
+ *
+ * @example
+ * ```typescript
+ * mapping: {
+ *   session: {
+ *     sessionToken: 'token',      // better-auth uses 'token'
+ *     expires: 'expiresAt'        // better-auth uses 'expiresAt'
+ *   },
+ *   account: {
+ *     providerAccountId: 'accountId',  // better-auth uses 'accountId'
+ *     provider: 'providerId'           // better-auth uses 'providerId'
+ *   }
+ * }
+ * ```
+ */
+exports.DatabaseMappingSchema = zod_1.z.object({
+    /**
+     * User model field mapping
+     * Maps ObjectStack User fields to driver fields
+     */
+    user: zod_1.z.record(zod_1.z.string()).optional().describe('User field mapping (e.g., { "emailVerified": "email_verified" })'),
+    /**
+     * Session model field mapping
+     * Maps ObjectStack Session fields to driver fields
+     */
+    session: zod_1.z.record(zod_1.z.string()).default(exports.BETTER_AUTH_FIELD_MAPPINGS.session).describe('Session field mapping'),
+    /**
+     * Account model field mapping
+     * Maps ObjectStack Account fields to driver fields
+     */
+    account: zod_1.z.record(zod_1.z.string()).default(exports.BETTER_AUTH_FIELD_MAPPINGS.account).describe('Account field mapping'),
+    /**
+     * Verification token field mapping
+     * Maps ObjectStack VerificationToken fields to driver fields
+     */
+    verificationToken: zod_1.z.record(zod_1.z.string()).optional().describe('VerificationToken field mapping'),
+});
+/**
+ * Authentication Plugin Configuration
+ * Extends authentication with additional features
+ */
+exports.AuthPluginConfigSchema = zod_1.z.object({
+    name: zod_1.z.string().describe('Plugin name'),
+    enabled: zod_1.z.boolean().default(true),
+    options: zod_1.z.record(zod_1.z.any()).optional().describe('Plugin-specific options'),
+});
+/**
+ * Complete Authentication Configuration Schema
+ *
+ * This is the main configuration object for authentication
+ * in an ObjectStack application.
+ *
+ * @example
+ * ```typescript
+ * const authConfig: AuthConfig = {
+ *   name: 'main_auth',
+ *   label: 'Main Authentication',
+ *   strategies: ['email_password', 'oauth'],
+ *   baseUrl: 'https://app.example.com',
+ *   secret: process.env.AUTH_SECRET,
+ *   driver: 'better-auth', // Optional, defaults to 'better-auth'
+ *   emailPassword: {
+ *     enabled: true,
+ *     minPasswordLength: 8,
+ *   },
+ *   oauth: {
+ *     providers: [{
+ *       provider: 'google',
+ *       clientId: process.env.GOOGLE_CLIENT_ID,
+ *       clientSecret: process.env.GOOGLE_CLIENT_SECRET,
+ *     }],
+ *   },
+ *   session: {
+ *     expiresIn: 604800, // 7 days
+ *   },
+ * };
+ * ```
+ */
+exports.AuthConfigSchema = zod_1.z.object({
+    /**
+     * Unique identifier for this auth configuration
+     * Must be in snake_case following ObjectStack conventions
+     */
+    name: zod_1.z.string()
+        .regex(/^[a-z_][a-z0-9_]*$/)
+        .describe('Configuration name (snake_case)'),
+    /**
+     * Human-readable label
+     */
+    label: zod_1.z.string().describe('Display label'),
+    /**
+     * The underlying authentication implementation driver
+     * Default: 'better-auth' (the reference implementation)
+     * Can be: 'better-auth', 'auth-js', 'passport', or custom driver name
+     */
+    driver: zod_1.z.string().default('better-auth').describe('The underlying authentication implementation driver'),
+    /**
+     * Enabled authentication strategies
+     */
+    strategies: zod_1.z.array(exports.AuthStrategy).min(1).describe('Enabled authentication strategies'),
+    /**
+     * Base URL for the application
+     */
+    baseUrl: zod_1.z.string().url().describe('Application base URL'),
+    /**
+     * Secret key for signing tokens and cookies
+     * Should be loaded from environment variables
+     */
+    secret: zod_1.z.string().min(32).describe('Secret key for signing (min 32 chars)'),
+    /**
+     * Email & Password configuration
+     */
+    emailPassword: exports.EmailPasswordConfigSchema.optional(),
+    /**
+     * Magic Link configuration
+     */
+    magicLink: exports.MagicLinkConfigSchema.optional(),
+    /**
+     * Passkey (WebAuthn) configuration
+     */
+    passkey: exports.PasskeyConfigSchema.optional(),
+    /**
+     * OAuth configuration
+     */
+    oauth: zod_1.z.object({
+        providers: zod_1.z.array(exports.OAuthProviderSchema).min(1),
+    }).optional(),
+    /**
+     * Session configuration
+     */
+    session: exports.SessionConfigSchema.default({}),
+    /**
+     * Rate limiting configuration
+     */
+    rateLimit: exports.RateLimitConfigSchema.default({}),
+    /**
+     * CSRF protection configuration
+     */
+    csrf: exports.CSRFConfigSchema.default({}),
+    /**
+     * Account linking configuration
+     */
+    accountLinking: exports.AccountLinkingConfigSchema.default({}),
+    /**
+     * Two-factor authentication configuration
+     */
+    twoFactor: exports.TwoFactorConfigSchema.optional(),
+    /**
+     * Organization (Multi-tenant) configuration
+     * Enables B2B SaaS scenarios where users belong to multiple teams/workspaces
+     */
+    organization: zod_1.z.object({
+        enabled: zod_1.z.boolean().default(false).describe('Enable organization/multi-tenant features'),
+        allowUserToCreateOrg: zod_1.z.boolean().default(true).describe('Allow users to create organizations'),
+        defaultRole: zod_1.z.string().default('member').describe('Default role for new members'),
+        creatorRole: zod_1.z.string().default('owner').describe('Role assigned to organization creator'),
+    }).optional().describe('Organization/multi-tenant configuration'),
+    /**
+     * Enterprise authentication configuration (SAML, LDAP, OIDC)
+     */
+    enterprise: exports.EnterpriseAuthConfigSchema.optional(),
+    /**
+     * User field mapping
+     */
+    userFieldMapping: exports.UserFieldMappingSchema.default({}),
+    /**
+     * Database adapter configuration
+     */
+    database: exports.DatabaseAdapterSchema.optional(),
+    /**
+     * Database field mapping configuration
+     * Maps ObjectStack standard field names to driver-specific field names.
+     *
+     * This is distinct from the database adapter configuration and provides
+     * instructions for the driver to map our standard schema fields to the
+     * underlying engine's fields (e.g., better-auth uses 'token' instead of 'sessionToken').
+     */
+    mapping: exports.DatabaseMappingSchema.optional(),
+    /**
+     * Additional authentication plugins
+     */
+    plugins: zod_1.z.array(exports.AuthPluginConfigSchema).default([]),
+    /**
+     * Custom hooks for authentication events
+     */
+    hooks: zod_1.z.object({
+        beforeSignIn: zod_1.z.function()
+            .args(zod_1.z.object({ email: zod_1.z.string() }))
+            .returns(zod_1.z.promise(zod_1.z.void()))
+            .optional()
+            .describe('Called before user sign in'),
+        afterSignIn: zod_1.z.function()
+            .args(zod_1.z.object({ user: zod_1.z.any(), session: zod_1.z.any() }))
+            .returns(zod_1.z.promise(zod_1.z.void()))
+            .optional()
+            .describe('Called after user sign in'),
+        beforeSignUp: zod_1.z.function()
+            .args(zod_1.z.object({ email: zod_1.z.string(), name: zod_1.z.string().optional() }))
+            .returns(zod_1.z.promise(zod_1.z.void()))
+            .optional()
+            .describe('Called before user registration'),
+        afterSignUp: zod_1.z.function()
+            .args(zod_1.z.object({ user: zod_1.z.any() }))
+            .returns(zod_1.z.promise(zod_1.z.void()))
+            .optional()
+            .describe('Called after user registration'),
+        beforeSignOut: zod_1.z.function()
+            .args(zod_1.z.object({ sessionId: zod_1.z.string() }))
+            .returns(zod_1.z.promise(zod_1.z.void()))
+            .optional()
+            .describe('Called before user sign out'),
+        afterSignOut: zod_1.z.function()
+            .args(zod_1.z.object({ sessionId: zod_1.z.string() }))
+            .returns(zod_1.z.promise(zod_1.z.void()))
+            .optional()
+            .describe('Called after user sign out'),
+    }).optional().describe('Authentication lifecycle hooks'),
+    /**
+     * Advanced security settings
+     */
+    security: zod_1.z.object({
+        allowedOrigins: zod_1.z.array(zod_1.z.string()).optional().describe('CORS allowed origins'),
+        trustProxy: zod_1.z.boolean().default(false).describe('Trust proxy headers'),
+        ipRateLimiting: zod_1.z.boolean().default(true).describe('Enable IP-based rate limiting'),
+        sessionFingerprinting: zod_1.z.boolean().default(true).describe('Enable session fingerprinting'),
+        maxSessions: zod_1.z.number().default(5).describe('Maximum concurrent sessions per user'),
+    }).optional().describe('Advanced security settings'),
+    /**
+     * Email configuration for transactional emails
+     */
+    email: zod_1.z.object({
+        from: zod_1.z.string().email().describe('From email address'),
+        fromName: zod_1.z.string().optional().describe('From name'),
+        provider: zod_1.z.enum(['smtp', 'sendgrid', 'mailgun', 'ses', 'resend', 'custom']).describe('Email provider'),
+        config: zod_1.z.record(zod_1.z.any()).optional().describe('Provider-specific configuration'),
+    }).optional().describe('Email configuration'),
+    /**
+     * UI customization options
+     */
+    ui: zod_1.z.object({
+        brandName: zod_1.z.string().optional().describe('Brand name displayed in auth UI'),
+        logo: zod_1.z.string().optional().describe('Logo URL'),
+        primaryColor: zod_1.z.string().optional().describe('Primary brand color (hex)'),
+        customCss: zod_1.z.string().optional().describe('Custom CSS for auth pages'),
+    }).optional().describe('UI customization'),
+    /**
+     * Whether this auth provider is active
+     */
+    active: zod_1.z.boolean().default(true).describe('Whether this provider is active'),
+    /**
+     * Whether to allow new user registration
+     */
+    allowRegistration: zod_1.z.boolean().default(true).describe('Allow new user registration'),
+});
+/**
+ * Standard Authentication Provider Schema
+ * Wraps the configuration for use in the identity system
+ */
+exports.StandardAuthProviderSchema = zod_1.z.object({
+    type: zod_1.z.literal('standard_auth').describe('Provider type identifier'),
+    config: exports.AuthConfigSchema.describe('Standard authentication configuration'),
+});