@panguard-ai/panguard-auth 0.1.0

package/dist/auth.d.ts

@@ -0,0 +1,32 @@
+/**
+ * Authentication utilities: password hashing and token generation.
+ * Uses only node:crypto — zero external dependencies.
+ * @module @panguard-ai/panguard-auth/auth
+ */
+/**
+ * Hash a password using scrypt with a random salt.
+ * Returns `salt:hash` in hex.
+ */
+export declare function hashPassword(password: string): Promise<string>;
+/**
+ * Verify a password against a stored `salt:hash` string.
+ */
+export declare function verifyPassword(password: string, stored: string): Promise<boolean>;
+/**
+ * Generate a cryptographically secure session token (64 hex chars).
+ */
+export declare function generateSessionToken(): string;
+/**
+ * Generate a verification token (UUID v4).
+ */
+export declare function generateVerifyToken(): string;
+/**
+ * Hash a session token with SHA-256 for secure storage.
+ * The plaintext token is sent to the client; only the hash is stored in DB.
+ */
+export declare function hashToken(token: string): string;
+/**
+ * Calculate session expiry (24 hours from now).
+ */
+export declare function sessionExpiry(hours?: number): string;
+//# sourceMappingURL=auth.d.ts.map

package/dist/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AASH;;;GAGG;AACH,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAc9D;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAiBjF;AAED;;GAEG;AACH,wBAAgB,oBAAoB,IAAI,MAAM,CAE7C;AAED;;GAEG;AACH,wBAAgB,mBAAmB,IAAI,MAAM,CAE5C;AAED;;;GAGG;AACH,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAE/C;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,KAAK,SAAK,GAAG,MAAM,CAIhD"}

package/dist/auth.js

@@ -0,0 +1,68 @@
+/**
+ * Authentication utilities: password hashing and token generation.
+ * Uses only node:crypto — zero external dependencies.
+ * @module @panguard-ai/panguard-auth/auth
+ */
+import { scrypt, randomBytes, randomUUID, timingSafeEqual, createHash } from 'node:crypto';
+const SCRYPT_KEYLEN = 64;
+const SCRYPT_COST = 16384; // N
+const SCRYPT_BLOCK = 8; // r
+const SCRYPT_PARALLEL = 1; // p
+/**
+ * Hash a password using scrypt with a random salt.
+ * Returns `salt:hash` in hex.
+ */
+export function hashPassword(password) {
+    return new Promise((resolve, reject) => {
+        const salt = randomBytes(16).toString('hex');
+        scrypt(password, salt, SCRYPT_KEYLEN, { N: SCRYPT_COST, r: SCRYPT_BLOCK, p: SCRYPT_PARALLEL }, (err, derived) => {
+            if (err)
+                return reject(err);
+            resolve(`${salt}:${derived.toString('hex')}`);
+        });
+    });
+}
+/**
+ * Verify a password against a stored `salt:hash` string.
+ */
+export function verifyPassword(password, stored) {
+    return new Promise((resolve, reject) => {
+        const [salt, hash] = stored.split(':');
+        if (!salt || !hash)
+            return resolve(false);
+        scrypt(password, salt, SCRYPT_KEYLEN, { N: SCRYPT_COST, r: SCRYPT_BLOCK, p: SCRYPT_PARALLEL }, (err, derived) => {
+            if (err)
+                return reject(err);
+            const storedBuf = Buffer.from(hash, 'hex');
+            resolve(timingSafeEqual(derived, storedBuf));
+        });
+    });
+}
+/**
+ * Generate a cryptographically secure session token (64 hex chars).
+ */
+export function generateSessionToken() {
+    return randomBytes(32).toString('hex');
+}
+/**
+ * Generate a verification token (UUID v4).
+ */
+export function generateVerifyToken() {
+    return randomUUID();
+}
+/**
+ * Hash a session token with SHA-256 for secure storage.
+ * The plaintext token is sent to the client; only the hash is stored in DB.
+ */
+export function hashToken(token) {
+    return createHash('sha256').update(token).digest('hex');
+}
+/**
+ * Calculate session expiry (24 hours from now).
+ */
+export function sessionExpiry(hours = 24) {
+    const d = new Date();
+    d.setHours(d.getHours() + hours);
+    return d.toISOString().replace('T', ' ').slice(0, 19);
+}
+//# sourceMappingURL=auth.js.map

package/dist/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,UAAU,EAAE,eAAe,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAE3F,MAAM,aAAa,GAAG,EAAE,CAAC;AACzB,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,IAAI;AAC/B,MAAM,YAAY,GAAG,CAAC,CAAC,CAAC,IAAI;AAC5B,MAAM,eAAe,GAAG,CAAC,CAAC,CAAC,IAAI;AAE/B;;;GAGG;AACH,MAAM,UAAU,YAAY,CAAC,QAAgB;IAC3C,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,IAAI,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAC7C,MAAM,CACJ,QAAQ,EACR,IAAI,EACJ,aAAa,EACb,EAAE,CAAC,EAAE,WAAW,EAAE,CAAC,EAAE,YAAY,EAAE,CAAC,EAAE,eAAe,EAAE,EACvD,CAAC,GAAG,EAAE,OAAO,EAAE,EAAE;YACf,IAAI,GAAG;gBAAE,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;YAC5B,OAAO,CAAC,GAAG,IAAI,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAChD,CAAC,CACF,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,QAAgB,EAAE,MAAc;IAC7D,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACvC,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI;YAAE,OAAO,OAAO,CAAC,KAAK,CAAC,CAAC;QAE1C,MAAM,CACJ,QAAQ,EACR,IAAI,EACJ,aAAa,EACb,EAAE,CAAC,EAAE,WAAW,EAAE,CAAC,EAAE,YAAY,EAAE,CAAC,EAAE,eAAe,EAAE,EACvD,CAAC,GAAG,EAAE,OAAO,EAAE,EAAE;YACf,IAAI,GAAG;gBAAE,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;YAC5B,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;YAC3C,OAAO,CAAC,eAAe,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC,CAAC;QAC/C,CAAC,CACF,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB;IAClC,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AACzC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB;IACjC,OAAO,UAAU,EAAE,CAAC;AACtB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,SAAS,CAAC,KAAa;IACrC,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC1D,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,KAAK,GAAG,EAAE;IACtC,MAAM,CAAC,GAAG,IAAI,IAAI,EAAE,CAAC;IACrB,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,EAAE,GAAG,KAAK,CAAC,CAAC;IACjC,OAAO,CAAC,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACxD,CAAC"}

package/dist/crypto.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Encryption utilities for sensitive data at rest.
+ * Uses AES-256-GCM with random IV for each encryption.
+ *
+ * @module @panguard-ai/panguard-auth/crypto
+ */
+/**
+ * Encrypt a plaintext string using AES-256-GCM.
+ * Returns format: iv:authTag:ciphertext (all hex-encoded).
+ */
+export declare function encryptSecret(plaintext: string): string;
+/**
+ * Decrypt a ciphertext string produced by encryptSecret.
+ * Input format: iv:authTag:ciphertext (all hex-encoded).
+ */
+export declare function decryptSecret(ciphertext: string): string;
+/**
+ * Check if a value looks like an encrypted secret (iv:tag:cipher format).
+ */
+export declare function isEncrypted(value: string): boolean;
+//# sourceMappingURL=crypto.d.ts.map

package/dist/crypto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../src/crypto.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAuBH;;;GAGG;AACH,wBAAgB,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CASvD;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAgBxD;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAGlD"}

package/dist/crypto.js

@@ -0,0 +1,60 @@
+/**
+ * Encryption utilities for sensitive data at rest.
+ * Uses AES-256-GCM with random IV for each encryption.
+ *
+ * @module @panguard-ai/panguard-auth/crypto
+ */
+import { createCipheriv, createDecipheriv, randomBytes } from 'node:crypto';
+const ALGORITHM = 'aes-256-gcm';
+const IV_LENGTH = 12; // 96 bits, recommended for GCM
+const AUTH_TAG_LENGTH = 16; // 128 bits
+/**
+ * Get the encryption key from environment.
+ * Must be a 64-character hex string (32 bytes).
+ */
+function getEncryptionKey() {
+    const keyHex = process.env['TOTP_ENCRYPTION_KEY'];
+    if (!keyHex || keyHex.length !== 64) {
+        throw new Error('TOTP_ENCRYPTION_KEY must be set as a 64-character hex string (32 bytes). ' +
+            "Generate one with: node -e \"console.log(require('crypto').randomBytes(32).toString('hex'))\"");
+    }
+    return Buffer.from(keyHex, 'hex');
+}
+/**
+ * Encrypt a plaintext string using AES-256-GCM.
+ * Returns format: iv:authTag:ciphertext (all hex-encoded).
+ */
+export function encryptSecret(plaintext) {
+    const key = getEncryptionKey();
+    const iv = randomBytes(IV_LENGTH);
+    const cipher = createCipheriv(ALGORITHM, key, iv, { authTagLength: AUTH_TAG_LENGTH });
+    const encrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
+    const authTag = cipher.getAuthTag();
+    return `${iv.toString('hex')}:${authTag.toString('hex')}:${encrypted.toString('hex')}`;
+}
+/**
+ * Decrypt a ciphertext string produced by encryptSecret.
+ * Input format: iv:authTag:ciphertext (all hex-encoded).
+ */
+export function decryptSecret(ciphertext) {
+    const parts = ciphertext.split(':');
+    if (parts.length !== 3) {
+        throw new Error('Invalid encrypted secret format');
+    }
+    const key = getEncryptionKey();
+    const iv = Buffer.from(parts[0], 'hex');
+    const authTag = Buffer.from(parts[1], 'hex');
+    const encrypted = Buffer.from(parts[2], 'hex');
+    const decipher = createDecipheriv(ALGORITHM, key, iv, { authTagLength: AUTH_TAG_LENGTH });
+    decipher.setAuthTag(authTag);
+    const decrypted = Buffer.concat([decipher.update(encrypted), decipher.final()]);
+    return decrypted.toString('utf8');
+}
+/**
+ * Check if a value looks like an encrypted secret (iv:tag:cipher format).
+ */
+export function isEncrypted(value) {
+    const parts = value.split(':');
+    return parts.length === 3 && parts.every((p) => /^[0-9a-f]+$/.test(p));
+}
+//# sourceMappingURL=crypto.js.map

package/dist/crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../src/crypto.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAE5E,MAAM,SAAS,GAAG,aAAa,CAAC;AAChC,MAAM,SAAS,GAAG,EAAE,CAAC,CAAC,+BAA+B;AACrD,MAAM,eAAe,GAAG,EAAE,CAAC,CAAC,WAAW;AAEvC;;;GAGG;AACH,SAAS,gBAAgB;IACvB,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC;IAClD,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACpC,MAAM,IAAI,KAAK,CACb,2EAA2E;YACzE,+FAA+F,CAClG,CAAC;IACJ,CAAC;IACD,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;AACpC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,aAAa,CAAC,SAAiB;IAC7C,MAAM,GAAG,GAAG,gBAAgB,EAAE,CAAC;IAC/B,MAAM,EAAE,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;IAClC,MAAM,MAAM,GAAG,cAAc,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,aAAa,EAAE,eAAe,EAAE,CAAC,CAAC;IAEtF,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACpF,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAEpC,OAAO,GAAG,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;AACzF,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,aAAa,CAAC,UAAkB;IAC9C,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACpC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;IACrD,CAAC;IAED,MAAM,GAAG,GAAG,gBAAgB,EAAE,CAAC;IAC/B,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,EAAE,KAAK,CAAC,CAAC;IACzC,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,EAAE,KAAK,CAAC,CAAC;IAC9C,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,EAAE,KAAK,CAAC,CAAC;IAEhD,MAAM,QAAQ,GAAG,gBAAgB,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,aAAa,EAAE,eAAe,EAAE,CAAC,CAAC;IAC1F,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;IAE7B,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAChF,OAAO,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;AACpC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,KAAa;IACvC,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,OAAO,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;AACzE,CAAC"}

package/dist/database.d.ts

@@ -0,0 +1,266 @@
+/**
+ * SQLite database layer for Panguard Auth
+ * @module @panguard-ai/panguard-auth/database
+ */
+import type { WaitlistEntry, WaitlistInput, WaitlistStats, User, RegisterInput, Session, UserAdmin, SessionAdmin, ActivityItem, AuditLogFilter } from './types.js';
+export declare class AuthDB {
+    private readonly db;
+    constructor(dbPath: string);
+    private initialize;
+    addToWaitlist(input: WaitlistInput, verifyToken: string): WaitlistEntry;
+    getWaitlistByEmail(email: string): WaitlistEntry | undefined;
+    getWaitlistById(id: number): WaitlistEntry | undefined;
+    verifyWaitlistToken(token: string): WaitlistEntry | undefined;
+    getWaitlistStats(): WaitlistStats;
+    getAllWaitlist(): WaitlistEntry[];
+    createUser(input: RegisterInput, passwordHash: string): User;
+    getUserByEmail(email: string): User | undefined;
+    getUserById(id: number): User | undefined;
+    updateLastLogin(userId: number): void;
+    createSession(userId: number, token: string, expiresAt: string): Session;
+    getSession(token: string): (Session & {
+        user: User;
+    }) | undefined;
+    deleteSession(token: string): void;
+    cleanExpiredSessions(): number;
+    createReportPurchase(userId: number, addonId: string, pricingModel: string, expiresAt?: string): ReportPurchase;
+    getReportPurchaseById(id: number): ReportPurchase | undefined;
+    getUserReportPurchases(userId: number): ReportPurchase[];
+    hasActiveReportPurchase(userId: number, addonId: string): boolean;
+    getAllUsersAdmin(): UserAdmin[];
+    searchUsers(query: string): UserAdmin[];
+    getActiveSessions(): SessionAdmin[];
+    deleteSessionById(sessionId: number): boolean;
+    getRecentActivity(limit?: number): ActivityItem[];
+    getAdminDashboardStats(): {
+        users: {
+            total: number;
+            byTier: Record<string, number>;
+            byRole: Record<string, number>;
+            recentSignups: number;
+            verifiedCount: number;
+            signupsByDay: Array<{
+                date: string;
+                count: number;
+            }>;
+        };
+        waitlist: WaitlistStats & {
+            signupsByDay: Array<{
+                date: string;
+                count: number;
+            }>;
+        };
+        sessions: {
+            active: number;
+            total: number;
+        };
+        reportPurchases: {
+            total: number;
+            active: number;
+        };
+    };
+    getAllUsers(): User[];
+    updateUserTier(userId: number, tier: string, planExpiresAt?: string): void;
+    updateUserRole(userId: number, role: string): void;
+    getUserStats(): {
+        total: number;
+        byTier: Record<string, number>;
+        byRole: Record<string, number>;
+        recentSignups: number;
+    };
+    approveWaitlistEntry(id: number): void;
+    rejectWaitlistEntry(id: number): void;
+    addAuditLog(action: string, actorId: number | null, targetId: number | null, details?: string): void;
+    getAuditLog(limit?: number): AuditLogEntry[];
+    upsertSubscription(data: {
+        userId: number;
+        lsSubscriptionId: string;
+        lsCustomerId: string;
+        lsVariantId: string;
+        tier: string;
+        status: string;
+        renewsAt: string | null;
+        endsAt: string | null;
+    }): void;
+    getSubscriptionByLsId(lsSubscriptionId: string): Subscription | undefined;
+    getActiveSubscription(userId: number): Subscription | undefined;
+    updateSubscriptionStatus(lsSubscriptionId: string, status: string, endsAt: string | null): void;
+    /**
+     * Downgrade all users whose plan_expires_at has passed to free tier.
+     * Returns the list of downgraded user emails (for notification).
+     */
+    checkExpiredPlans(): Array<{
+        id: number;
+        email: string;
+        tier: string;
+    }>;
+    /**
+     * Get users whose plans expire within the given number of days.
+     * Used for sending expiration warning emails.
+     */
+    getExpiringPlans(withinDays: number): Array<{
+        id: number;
+        email: string;
+        name: string;
+        tier: string;
+        planExpiresAt: string;
+    }>;
+    /**
+     * Store a hashed reset token for a user. Invalidates any previous tokens.
+     * Returns the token expiry time.
+     */
+    createResetToken(userId: number, tokenHash: string): string;
+    /**
+     * Validate a reset token hash. Returns the user_id if valid, undefined otherwise.
+     * Marks the token as used atomically.
+     */
+    validateResetToken(tokenHash: string): number | undefined;
+    /**
+     * Update a user's password hash.
+     */
+    updateUserPassword(userId: number, passwordHash: string): void;
+    deleteSessionsByUserId(userId: number): number;
+    /**
+     * Delete a user and ALL associated data (GDPR right to erasure).
+     * Uses a transaction to ensure atomicity.
+     */
+    deleteUser(userId: number): {
+        deleted: boolean;
+        tablesAffected: string[];
+    };
+    /**
+     * Export all user data (GDPR right to data portability).
+     * Returns a structured object with all data belonging to the user.
+     */
+    exportUserData(userId: number): Record<string, unknown> | null;
+    /**
+     * Store TOTP secret and backup codes for a user.
+     */
+    saveTotpSecret(userId: number, secret: string, backupCodes: string): void;
+    /**
+     * Enable TOTP for a user (after they verify it works).
+     */
+    enableTotp(userId: number): void;
+    /**
+     * Update the last used TOTP time step (for replay protection).
+     */
+    updateLastUsedStep(userId: number, step: number): void;
+    /**
+     * Disable and remove TOTP for a user.
+     */
+    disableTotp(userId: number): void;
+    /**
+     * Get TOTP secret for a user.
+     */
+    getTotpSecret(userId: number): TotpSecret | undefined;
+    /**
+     * Consume a backup code. Returns true if the code was valid and consumed.
+     */
+    consumeBackupCode(userId: number, code: string): boolean;
+    /**
+     * Get usage count for a resource in a given period.
+     */
+    getUsage(userId: number, resource: string, period: string): number;
+    /**
+     * Increment usage counter for a resource.
+     */
+    incrementUsage(userId: number, resource: string, period: string, amount?: number): void;
+    /**
+     * Set absolute usage value for a resource (for count-based resources).
+     */
+    setUsage(userId: number, resource: string, period: string, count: number): void;
+    /**
+     * Get all usage meters for a user.
+     */
+    getUserUsage(userId: number): Array<{
+        resource: string;
+        period: string;
+        count: number;
+    }>;
+    /**
+     * Delete old usage meters (periods older than given cutoff).
+     * Used for cleanup of historical data.
+     */
+    cleanupOldUsage(cutoffPeriod: string): number;
+    suspendUser(userId: number): void;
+    unsuspendUser(userId: number): void;
+    getAuditLogFiltered(filter: AuditLogFilter): {
+        items: AuditLogEntry[];
+        total: number;
+    };
+    getDistinctAuditActions(): string[];
+    getUserDetailById(userId: number): {
+        user: UserAdmin;
+        subscription: {
+            status: string;
+            tier: string;
+            renewsAt: string | null;
+            endsAt: string | null;
+        } | null;
+        usage: Array<{
+            resource: string;
+            period: string;
+            count: number;
+        }>;
+        sessions: Array<{
+            id: number;
+            expiresAt: string;
+            createdAt: string;
+        }>;
+        recentAudit: AuditLogEntry[];
+        totpEnabled: boolean;
+    } | null;
+    getAdminUsageAggregate(): Array<{
+        userId: number;
+        email: string;
+        name: string;
+        tier: string;
+        resource: string;
+        period: string;
+        count: number;
+    }>;
+    /** Lightweight DB connectivity probe for health checks. */
+    healthCheck(): void;
+    close(): void;
+}
+export interface ReportPurchase {
+    id: number;
+    userId: number;
+    addonId: string;
+    pricingModel: string;
+    status: string;
+    purchasedAt: string;
+    expiresAt: string | null;
+}
+export interface Subscription {
+    id: number;
+    userId: number;
+    lsSubscriptionId: string;
+    lsCustomerId: string;
+    lsVariantId: string;
+    tier: string;
+    status: string;
+    renewsAt: string | null;
+    endsAt: string | null;
+    createdAt: string;
+    updatedAt: string;
+}
+export interface TotpSecret {
+    id: number;
+    userId: number;
+    encryptedSecret: string;
+    backupCodes: string;
+    enabled: number;
+    lastUsedStep: number;
+    createdAt: string;
+    updatedAt: string;
+}
+export interface AuditLogEntry {
+    id: number;
+    action: string;
+    actorId: number | null;
+    targetId: number | null;
+    details: string | null;
+    createdAt: string;
+}
+//# sourceMappingURL=database.d.ts.map

package/dist/database.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"database.d.ts","sourceRoot":"","sources":["../src/database.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,KAAK,EACV,aAAa,EACb,aAAa,EACb,aAAa,EACb,IAAI,EACJ,aAAa,EACb,OAAO,EACP,SAAS,EACT,YAAY,EACZ,YAAY,EACZ,cAAc,EACf,MAAM,YAAY,CAAC;AAKpB,qBAAa,MAAM;IACjB,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAoB;gBAE3B,MAAM,EAAE,MAAM;IAO1B,OAAO,CAAC,UAAU;IA6JlB,aAAa,CAAC,KAAK,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,GAAG,aAAa;IAgBvE,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,aAAa,GAAG,SAAS;IAY5D,eAAe,CAAC,EAAE,EAAE,MAAM,GAAG,aAAa,GAAG,SAAS;IAYtD,mBAAmB,CAAC,KAAK,EAAE,MAAM,GAAG,aAAa,GAAG,SAAS;IAyB7D,gBAAgB,IAAI,aAAa;IAqCjC,cAAc,IAAI,aAAa,EAAE;IAcjC,UAAU,CAAC,KAAK,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,GAAG,IAAI;IAS5D,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS;IAY/C,WAAW,CAAC,EAAE,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS;IAYzC,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI;IAMrC,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO;IAmBxE,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,CAAC,OAAO,GAAG;QAAE,IAAI,EAAE,IAAI,CAAA;KAAE,CAAC,GAAG,SAAS;IAmBjE,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI;IAKlC,oBAAoB,IAAI,MAAM;IAS9B,oBAAoB,CAClB,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,MAAM,EACf,YAAY,EAAE,MAAM,EACpB,SAAS,CAAC,EAAE,MAAM,GACjB,cAAc;IASjB,qBAAqB,CAAC,EAAE,EAAE,MAAM,GAAG,cAAc,GAAG,SAAS;IAY7D,sBAAsB,CAAC,MAAM,EAAE,MAAM,GAAG,cAAc,EAAE;IAaxD,uBAAuB,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO;IAejE,gBAAgB,IAAI,SAAS,EAAE;IAY/B,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,SAAS,EAAE;IAcvC,iBAAiB,IAAI,YAAY,EAAE;IAcnC,iBAAiB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO;IAK7C,iBAAiB,CAAC,KAAK,GAAE,MAAW,GAAG,YAAY,EAAE;IAerD,sBAAsB,IAAI;QACxB,KAAK,EAAE;YACL,KAAK,EAAE,MAAM,CAAC;YACd,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;YAC/B,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;YAC/B,aAAa,EAAE,MAAM,CAAC;YACtB,aAAa,EAAE,MAAM,CAAC;YACtB,YAAY,EAAE,KAAK,CAAC;gBAAE,IAAI,EAAE,MAAM,CAAC;gBAAC,KAAK,EAAE,MAAM,CAAA;aAAE,CAAC,CAAC;SACtD,CAAC;QACF,QAAQ,EAAE,aAAa,GAAG;YAAE,YAAY,EAAE,KAAK,CAAC;gBAAE,IAAI,EAAE,MAAM,CAAC;gBAAC,KAAK,EAAE,MAAM,CAAA;aAAE,CAAC,CAAA;SAAE,CAAC;QACnF,QAAQ,EAAE;YAAE,MAAM,EAAE,MAAM,CAAC;YAAC,KAAK,EAAE,MAAM,CAAA;SAAE,CAAC;QAC5C,eAAe,EAAE;YAAE,KAAK,EAAE,MAAM,CAAC;YAAC,MAAM,EAAE,MAAM,CAAA;SAAE,CAAC;KACpD;IAgDD,WAAW,IAAI,IAAI,EAAE;IAYrB,cAAc,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI;IAM1E,cAAc,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,IAAI;IAIlD,YAAY,IAAI;QACd,KAAK,EAAE,MAAM,CAAC;QACd,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAC/B,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAC/B,aAAa,EAAE,MAAM,CAAC;KACvB;IAyBD,oBAAoB,CAAC,EAAE,EAAE,MAAM,GAAG,IAAI;IAMtC,mBAAmB,CAAC,EAAE,EAAE,MAAM,GAAG,IAAI;IAQrC,WAAW,CACT,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,MAAM,GAAG,IAAI,EACtB,QAAQ,EAAE,MAAM,GAAG,IAAI,EACvB,OAAO,CAAC,EAAE,MAAM,GACf,IAAI;IAWP,WAAW,CAAC,KAAK,GAAE,MAAW,GAAG,aAAa,EAAE;IAchD,kBAAkB,CAAC,IAAI,EAAE;QACvB,MAAM,EAAE,MAAM,CAAC;QACf,gBAAgB,EAAE,MAAM,CAAC;QACzB,YAAY,EAAE,MAAM,CAAC;QACrB,WAAW,EAAE,MAAM,CAAC;QACpB,IAAI,EAAE,MAAM,CAAC;QACb,MAAM,EAAE,MAAM,CAAC;QACf,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;QACxB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;KACvB,GAAG,IAAI;IAwBR,qBAAqB,CAAC,gBAAgB,EAAE,MAAM,GAAG,YAAY,GAAG,SAAS;IAYzE,qBAAqB,CAAC,MAAM,EAAE,MAAM,GAAG,YAAY,GAAG,SAAS;IAa/D,wBAAwB,CAAC,gBAAgB,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI,GAAG,IAAI;IAW/F;;;OAGG;IACH,iBAAiB,IAAI,KAAK,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;IAiCvE;;;OAGG;IACH,gBAAgB,CACd,UAAU,EAAE,MAAM,GACjB,KAAK,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,aAAa,EAAE,MAAM,CAAA;KAAE,CAAC;IAoB1F;;;OAGG;IACH,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,MAAM;IAkB3D;;;OAGG;IACH,kBAAkB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS;IAezD;;OAEG;IACH,kBAAkB,CAAC,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,IAAI;IAM9D,sBAAsB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM;IAO9C;;;OAGG;IACH,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,cAAc,EAAE,MAAM,EAAE,CAAA;KAAE;IA+C1E;;;OAGG;IACH,cAAc,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI;IAwD9D;;OAEG;IACH,cAAc,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,IAAI;IAezE;;OAEG;IACH,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI;IAQhC;;OAEG;IACH,kBAAkB,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,IAAI;IAQtD;;OAEG;IACH,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI;IAIjC;;OAEG;IACH,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,UAAU,GAAG,SAAS;IAqBrD;;OAEG;IACH,iBAAiB,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO;IAwBxD;;OAEG;IACH,QAAQ,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM;IAOlE;;OAEG;IACH,cAAc,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAE,MAAU,GAAG,IAAI;IAY1F;;OAEG;IACH,QAAQ,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI;IAY/E;;OAEG;IACH,YAAY,CAAC,MAAM,EAAE,MAAM,GAAG,KAAK,CAAC;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC;IAQxF;;;OAGG;IACH,eAAe,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM;IAS7C,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI;IAKjC,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI;IAMnC,mBAAmB,CAAC,MAAM,EAAE,cAAc,GAAG;QAAE,KAAK,EAAE,aAAa,EAAE,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE;IA0CtF,uBAAuB,IAAI,MAAM,EAAE;IASnC,iBAAiB,CAAC,MAAM,EAAE,MAAM,GAAG;QACjC,IAAI,EAAE,SAAS,CAAC;QAChB,YAAY,EAAE;YACZ,MAAM,EAAE,MAAM,CAAC;YACf,IAAI,EAAE,MAAM,CAAC;YACb,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;YACxB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;SACvB,GAAG,IAAI,CAAC;QACT,KAAK,EAAE,KAAK,CAAC;YAAE,QAAQ,EAAE,MAAM,CAAC;YAAC,MAAM,EAAE,MAAM,CAAC;YAAC,KAAK,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;QAClE,QAAQ,EAAE,KAAK,CAAC;YAAE,EAAE,EAAE,MAAM,CAAC;YAAC,SAAS,EAAE,MAAM,CAAC;YAAC,SAAS,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;QACtE,WAAW,EAAE,aAAa,EAAE,CAAC;QAC7B,WAAW,EAAE,OAAO,CAAC;KACtB,GAAG,IAAI;IA+CR,sBAAsB,IAAI,KAAK,CAAC;QAC9B,MAAM,EAAE,MAAM,CAAC;QACf,KAAK,EAAE,MAAM,CAAC;QACd,IAAI,EAAE,MAAM,CAAC;QACb,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;QACjB,MAAM,EAAE,MAAM,CAAC;QACf,KAAK,EAAE,MAAM,CAAC;KACf,CAAC;IAoBF,2DAA2D;IAC3D,WAAW,IAAI,IAAI;IAInB,KAAK,IAAI,IAAI;CAGd;AAED,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAED,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;IACf,gBAAgB,EAAE,MAAM,CAAC;IACzB,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;IACf,eAAe,EAAE,MAAM,CAAC;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;CACnB"}