@parsrun/auth 0.1.0

package/dist/index-DOGcetyD.d.ts

@@ -0,0 +1,1041 @@
+import { T as TokenPair, d as JwtPayload, J as JwtManager } from './jwt-manager-CH8H0kmm.js';
+import * as hono_types from 'hono/types';
+import { Context, MiddlewareHandler, Hono } from 'hono';
+import { K as KVStorage } from './types-DSjafxJ4.js';
+import { h as AuthAdapter, u as AdapterTenant, v as AdapterMembership, l as TenantResolutionStrategy, i as ParsAuthConfig, a as ProviderInfo, r as AdapterUser, s as AdapterSession } from './base-BKyR8rcE.js';
+import { R as RequestOTPInput, d as RequestOTPResult } from './index-C3kz9XqE.js';
+import { f as PermissionPattern } from './authorization-By1Xp8Za.js';
+
+/**
+ * Tenant Manager
+ * CRUD operations for tenants and memberships
+ */
+
+/**
+ * Tenant creation input
+ */
+interface CreateTenantInput {
+    /** Tenant name */
+    name: string;
+    /** URL-friendly slug (auto-generated if not provided) */
+    slug?: string;
+    /** Owner user ID */
+    ownerId: string;
+    /** Owner role name (default: 'owner') */
+    ownerRole?: string;
+    /** Initial status (default: 'active') */
+    status?: 'active' | 'suspended' | 'inactive';
+}
+/**
+ * Tenant update input
+ */
+interface UpdateTenantInput {
+    /** Tenant name */
+    name?: string;
+    /** Status */
+    status?: 'active' | 'suspended' | 'inactive';
+}
+/**
+ * Membership creation input
+ */
+interface AddMemberInput {
+    /** User ID to add */
+    userId: string;
+    /** Tenant ID */
+    tenantId: string;
+    /** Role name */
+    role: string;
+    /** Initial permissions */
+    permissions?: string[];
+    /** Status (default: 'active') */
+    status?: 'active' | 'inactive' | 'pending';
+}
+/**
+ * Membership update input
+ */
+interface UpdateMemberInput {
+    /** New role */
+    role?: string;
+    /** New permissions */
+    permissions?: string[];
+    /** New status */
+    status?: 'active' | 'inactive' | 'pending';
+}
+/**
+ * Tenant with members
+ */
+interface TenantWithMembers extends AdapterTenant {
+    members: AdapterMembership[];
+    memberCount: number;
+}
+/**
+ * User's tenant memberships with tenant details
+ */
+interface UserTenantMembership extends AdapterMembership {
+    tenant?: AdapterTenant;
+}
+/**
+ * Tenant Manager
+ */
+declare class TenantManager {
+    private adapter;
+    constructor(adapter: AuthAdapter);
+    /**
+     * Create a new tenant with owner
+     */
+    createTenant(input: CreateTenantInput): Promise<{
+        tenant: AdapterTenant;
+        membership: AdapterMembership;
+    }>;
+    /**
+     * Get tenant by ID
+     */
+    getTenantById(id: string): Promise<AdapterTenant | null>;
+    /**
+     * Get tenant by slug
+     */
+    getTenantBySlug(slug: string): Promise<AdapterTenant | null>;
+    /**
+     * Check if user is member of tenant
+     */
+    isMember(userId: string, tenantId: string): Promise<boolean>;
+    /**
+     * Check if user has specific role in tenant
+     */
+    hasRole(userId: string, tenantId: string, role: string): Promise<boolean>;
+    /**
+     * Check if user is owner of tenant
+     */
+    isOwner(userId: string, tenantId: string): Promise<boolean>;
+    /**
+     * Check if user is admin of tenant (owner or admin)
+     */
+    isAdmin(userId: string, tenantId: string): Promise<boolean>;
+    /**
+     * Add a member to tenant
+     */
+    addMember(input: AddMemberInput): Promise<AdapterMembership>;
+    /**
+     * Update member role/permissions
+     */
+    updateMember(userId: string, tenantId: string, updates: UpdateMemberInput): Promise<AdapterMembership>;
+    /**
+     * Remove member from tenant
+     */
+    removeMember(userId: string, tenantId: string): Promise<void>;
+    /**
+     * Get membership for user in tenant
+     */
+    getMembership(userId: string, tenantId: string): Promise<AdapterMembership | null>;
+    /**
+     * Get all tenants for a user
+     */
+    getUserTenants(userId: string): Promise<UserTenantMembership[]>;
+    /**
+     * Get all members of a tenant
+     * Note: This requires iterating through users, which is not efficient
+     * Consider adding findMembershipsByTenantId to the adapter
+     */
+    getMembersByTenant(_tenantId: string): Promise<AdapterMembership[]>;
+    /**
+     * Transfer ownership to another member
+     */
+    transferOwnership(tenantId: string, currentOwnerId: string, newOwnerId: string): Promise<void>;
+    /**
+     * Validate tenant switch
+     * Returns the tenant if switch is allowed
+     */
+    validateTenantSwitch(userId: string, targetTenantId: string): Promise<{
+        tenant: AdapterTenant;
+        membership: AdapterMembership;
+    }>;
+    /**
+     * Get default tenant for user
+     * Returns the first active tenant membership
+     */
+    getDefaultTenant(userId: string): Promise<UserTenantMembership | null>;
+    /**
+     * Generate URL-friendly slug from name
+     */
+    private generateSlug;
+    /**
+     * Generate unique tenant slug
+     */
+    generateUniqueSlug(name: string): Promise<string>;
+}
+/**
+ * Create a tenant manager
+ */
+declare function createTenantManager(adapter: AuthAdapter): TenantManager;
+
+/**
+ * Tenant Resolution
+ * Extracts tenant from incoming requests using configurable strategies
+ */
+
+/**
+ * Tenant resolver configuration
+ */
+interface TenantResolverConfig {
+    /** Resolution strategy */
+    strategy: TenantResolutionStrategy;
+    /** Header name for 'header' strategy (default: 'x-tenant-id') */
+    headerName?: string;
+    /** Path prefix for 'path' strategy (default: '/t/') */
+    pathPrefix?: string;
+    /** Query parameter name for 'query' strategy (default: 'tenant') */
+    queryParam?: string;
+    /** Custom resolver function for 'custom' strategy */
+    resolver?: (request: Request) => Promise<string | null>;
+    /** Fallback tenant ID when none is resolved */
+    fallbackTenantId?: string;
+    /** Whether tenant is required (default: false) */
+    required?: boolean;
+}
+/**
+ * Tenant resolution result
+ */
+interface TenantResolutionResult {
+    /** Resolved tenant ID */
+    tenantId: string | null;
+    /** Resolution method used */
+    resolvedFrom: 'subdomain' | 'header' | 'path' | 'query' | 'custom' | 'fallback' | null;
+    /** Original value before resolution */
+    originalValue?: string;
+}
+/**
+ * Tenant Resolver
+ * Extracts tenant identifier from requests using various strategies
+ */
+declare class TenantResolver {
+    private config;
+    constructor(config: TenantResolverConfig);
+    /**
+     * Resolve tenant from request
+     */
+    resolve(request: Request): Promise<TenantResolutionResult>;
+    /**
+     * Resolve tenant from subdomain
+     * e.g., acme.example.com -> 'acme'
+     */
+    private resolveFromSubdomain;
+    /**
+     * Resolve tenant from header
+     * e.g., X-Tenant-ID: acme
+     */
+    private resolveFromHeader;
+    /**
+     * Resolve tenant from URL path
+     * e.g., /t/acme/api/users -> 'acme'
+     */
+    private resolveFromPath;
+    /**
+     * Resolve tenant from query parameter
+     * e.g., /api/users?tenant=acme -> 'acme'
+     */
+    private resolveFromQuery;
+    /**
+     * Resolve tenant using custom resolver
+     */
+    private resolveFromCustom;
+    /**
+     * Check if tenant is required but not found
+     */
+    isRequired(): boolean;
+    /**
+     * Get the path without tenant prefix (for path strategy)
+     */
+    stripTenantFromPath(pathname: string): string;
+}
+/**
+ * Create a tenant resolver
+ */
+declare function createTenantResolver(config: TenantResolverConfig): TenantResolver;
+/**
+ * Multi-strategy tenant resolver
+ * Tries multiple strategies in order until one succeeds
+ */
+declare class MultiStrategyTenantResolver {
+    private resolvers;
+    private fallbackTenantId?;
+    constructor(strategies: TenantResolverConfig[], options?: {
+        fallbackTenantId?: string;
+    });
+    /**
+     * Resolve tenant trying each strategy in order
+     */
+    resolve(request: Request): Promise<TenantResolutionResult>;
+}
+/**
+ * Create a multi-strategy tenant resolver
+ */
+declare function createMultiStrategyResolver(strategies: TenantResolverConfig[], options?: {
+    fallbackTenantId?: string;
+}): MultiStrategyTenantResolver;
+
+/**
+ * Invitation System
+ * Handles tenant invitations and membership requests
+ */
+
+/**
+ * Invitation configuration
+ */
+interface InvitationConfig {
+    /** Base URL for invitation links */
+    baseUrl: string;
+    /** Invitation callback path (default: /auth/invitation) */
+    callbackPath?: string;
+    /** Token expiration in seconds (default: 604800 = 7 days) */
+    expiresIn?: number;
+    /** Token length in bytes (default: 32) */
+    tokenLength?: number;
+}
+/**
+ * Invitation record stored in KV
+ */
+interface InvitationRecord {
+    /** Unique invitation ID */
+    id: string;
+    /** Invited email address */
+    email: string;
+    /** Target tenant ID */
+    tenantId: string;
+    /** Role to assign */
+    role: string;
+    /** Permissions to assign */
+    permissions?: string[];
+    /** Who sent the invitation */
+    invitedBy: string;
+    /** Token hash for verification */
+    tokenHash: string;
+    /** Expiration timestamp */
+    expiresAt: string;
+    /** Status */
+    status: 'pending' | 'accepted' | 'expired' | 'cancelled';
+    /** When invitation was accepted */
+    acceptedAt?: string;
+    /** User ID who accepted (if different from invited email) */
+    acceptedBy?: string;
+    /** Created timestamp */
+    createdAt: string;
+    /** Custom message */
+    message?: string;
+}
+/**
+ * Send invitation input
+ */
+interface SendInvitationInput {
+    /** Email to invite */
+    email: string;
+    /** Tenant ID */
+    tenantId: string;
+    /** Role to assign */
+    role: string;
+    /** Permissions to assign */
+    permissions?: string[];
+    /** User ID sending the invitation */
+    invitedBy: string;
+    /** Optional message to include */
+    message?: string;
+}
+/**
+ * Send invitation result
+ */
+interface SendInvitationResult {
+    success: boolean;
+    invitation?: InvitationRecord;
+    invitationUrl?: string;
+    token?: string;
+    error?: string;
+}
+/**
+ * Accept invitation input
+ */
+interface AcceptInvitationInput {
+    /** Invitation token */
+    token: string;
+    /** User ID accepting the invitation */
+    userId: string;
+}
+/**
+ * Accept invitation result
+ */
+interface AcceptInvitationResult {
+    success: boolean;
+    membership?: AdapterMembership;
+    tenant?: AdapterTenant;
+    error?: string;
+}
+/**
+ * Invitation status check result
+ */
+interface InvitationStatusResult {
+    valid: boolean;
+    invitation?: InvitationRecord;
+    tenant?: AdapterTenant;
+    error?: string;
+}
+/**
+ * Invitation Service
+ */
+declare class InvitationService {
+    private storage;
+    private adapter;
+    private config;
+    constructor(storage: KVStorage, adapter: AuthAdapter, config: InvitationConfig);
+    /**
+     * Send an invitation to join a tenant
+     */
+    sendInvitation(input: SendInvitationInput): Promise<SendInvitationResult>;
+    /**
+     * Accept an invitation
+     */
+    acceptInvitation(input: AcceptInvitationInput): Promise<AcceptInvitationResult>;
+    /**
+     * Check invitation status
+     */
+    checkInvitation(token: string): Promise<InvitationStatusResult>;
+    /**
+     * Cancel an invitation
+     */
+    cancelInvitation(invitationId: string): Promise<boolean>;
+    /**
+     * Get invitation by ID
+     */
+    getInvitationById(id: string): Promise<InvitationRecord | null>;
+    /**
+     * Get invitation by email and tenant
+     */
+    getInvitationByEmail(email: string, tenantId: string): Promise<InvitationRecord | null>;
+    /**
+     * Resend invitation (generates new token)
+     */
+    resendInvitation(invitationId: string, invitedBy: string): Promise<SendInvitationResult>;
+    /**
+     * Get pending invitations for a tenant
+     * Note: This requires listing keys which may not be efficient for all storage backends
+     */
+    getPendingInvitations(_tenantId: string): Promise<InvitationRecord[]>;
+    /**
+     * Update invitation record
+     */
+    private updateInvitation;
+}
+/**
+ * Create invitation service
+ */
+declare function createInvitationService(storage: KVStorage, adapter: AuthAdapter, config: InvitationConfig): InvitationService;
+
+/**
+ * Pars Auth Engine
+ * Main orchestrator for authentication
+ */
+
+/**
+ * Auth context passed to handlers
+ */
+interface AuthContext$1 {
+    userId?: string;
+    sessionId?: string;
+    tenantId?: string;
+    payload?: JwtPayload;
+}
+/**
+ * Sign in input
+ */
+interface SignInInput {
+    /** Provider name (e.g., 'otp', 'password', 'google') */
+    provider: string;
+    /** Identifier (email, phone, etc.) */
+    identifier: string;
+    /** Credential (OTP code, password, etc.) */
+    credential?: string;
+    /** Provider-specific data */
+    data?: Record<string, unknown>;
+    /** Request metadata */
+    metadata?: {
+        ipAddress?: string;
+        userAgent?: string;
+        deviceType?: string;
+        deviceName?: string;
+        tenantId?: string;
+    };
+}
+/**
+ * Sign in result
+ */
+interface SignInResult {
+    success: boolean;
+    user?: AdapterUser;
+    session?: AdapterSession;
+    tokens?: TokenPair;
+    requiresTwoFactor?: boolean;
+    twoFactorChallengeId?: string;
+    error?: string;
+    errorCode?: string;
+}
+/**
+ * Sign up input
+ */
+interface SignUpInput {
+    /** Email address */
+    email?: string;
+    /** Phone number */
+    phone?: string;
+    /** Display name */
+    name?: string;
+    /** Avatar URL */
+    avatar?: string;
+    /** Request metadata */
+    metadata?: {
+        ipAddress?: string;
+        userAgent?: string;
+        tenantId?: string;
+    };
+}
+/**
+ * Sign up result
+ */
+interface SignUpResult {
+    success: boolean;
+    user?: AdapterUser;
+    session?: AdapterSession;
+    tokens?: TokenPair;
+    requiresVerification?: boolean;
+    error?: string;
+    errorCode?: string;
+}
+/**
+ * Verify token result
+ */
+interface VerifyTokenResult {
+    valid: boolean;
+    payload?: JwtPayload;
+    error?: string;
+}
+/**
+ * Refresh token result
+ */
+interface RefreshTokenResult {
+    success: boolean;
+    tokens?: TokenPair;
+    error?: string;
+}
+/**
+ * Session info
+ */
+interface SessionInfo {
+    id: string;
+    userId: string;
+    tenantId?: string;
+    deviceType?: string;
+    deviceName?: string;
+    ipAddress?: string;
+    createdAt: Date;
+    expiresAt: Date;
+    isCurrent: boolean;
+}
+/**
+ * Pars Auth Engine
+ */
+declare class ParsAuthEngine {
+    private config;
+    private storage;
+    private providers;
+    private jwtManager;
+    private sessionBlocklist;
+    private adapter;
+    private callbacks;
+    private initialized;
+    private tenantManager;
+    private tenantResolver?;
+    private invitationService?;
+    constructor(config: ParsAuthConfig);
+    /**
+     * Initialize the auth engine (async operations)
+     * Must be called before using the engine
+     */
+    initialize(): Promise<void>;
+    /**
+     * Ensure engine is initialized
+     */
+    private ensureInitialized;
+    /**
+     * Get all registered providers
+     */
+    getProviders(): ProviderInfo[];
+    /**
+     * Check if a provider is enabled
+     */
+    isProviderEnabled(name: string): boolean;
+    /**
+     * Request OTP (for OTP provider)
+     */
+    requestOTP(input: RequestOTPInput): Promise<RequestOTPResult>;
+    /**
+     * Sign in with any provider
+     */
+    signIn(input: SignInInput): Promise<SignInResult>;
+    /**
+     * Sign up a new user
+     */
+    signUp(input: SignUpInput): Promise<SignUpResult>;
+    /**
+     * Sign out (revoke session)
+     */
+    signOut(sessionId: string, options?: {
+        revokeAll?: boolean;
+        userId?: string;
+    }): Promise<void>;
+    /**
+     * Verify access token
+     */
+    verifyAccessToken(token: string): Promise<VerifyTokenResult>;
+    /**
+     * Refresh tokens
+     */
+    refreshTokens(refreshToken: string): Promise<RefreshTokenResult>;
+    /**
+     * Get user sessions
+     */
+    getSessions(userId: string, currentSessionId?: string): Promise<SessionInfo[]>;
+    /**
+     * Revoke a specific session
+     */
+    revokeSession(sessionId: string): Promise<void>;
+    /**
+     * Revoke all sessions for a user
+     */
+    revokeAllSessions(userId: string): Promise<void>;
+    /**
+     * Get the underlying storage instance
+     */
+    getStorage(): KVStorage;
+    /**
+     * Get the JWT manager
+     */
+    getJwtManager(): JwtManager;
+    /**
+     * Get the database adapter
+     */
+    getAdapter(): AuthAdapter;
+    /**
+     * Get configuration
+     */
+    getConfig(): Required<ParsAuthConfig>;
+    /**
+     * Find user by identifier based on provider
+     */
+    private findUserByIdentifier;
+    /**
+     * Create a new session
+     */
+    private createSession;
+    /**
+     * Resolve tenant from request
+     */
+    resolveTenant(request: Request): Promise<TenantResolutionResult>;
+    /**
+     * Switch current session to a different tenant
+     */
+    switchTenant(sessionId: string, targetTenantId: string): Promise<{
+        success: boolean;
+        tokens?: TokenPair;
+        error?: string;
+    }>;
+    /**
+     * Get all tenants for current user
+     */
+    getUserTenants(userId: string): Promise<Array<{
+        tenant: AdapterTenant;
+        membership: AdapterMembership;
+    }>>;
+    /**
+     * Check if user is member of tenant
+     */
+    isTenantMember(userId: string, tenantId: string): Promise<boolean>;
+    /**
+     * Check if user has role in tenant
+     */
+    hasRoleInTenant(userId: string, tenantId: string, role: string): Promise<boolean>;
+    /**
+     * Get user's membership in a tenant
+     */
+    getTenantMembership(userId: string, tenantId: string): Promise<AdapterMembership | null>;
+    /**
+     * Add member to tenant
+     */
+    addTenantMember(input: {
+        userId: string;
+        tenantId: string;
+        role: string;
+        permissions?: string[];
+    }): Promise<AdapterMembership>;
+    /**
+     * Update member's role/permissions in tenant
+     */
+    updateTenantMember(userId: string, tenantId: string, updates: {
+        role?: string;
+        permissions?: string[];
+        status?: 'active' | 'inactive';
+    }): Promise<AdapterMembership>;
+    /**
+     * Remove member from tenant
+     */
+    removeTenantMember(userId: string, tenantId: string): Promise<void>;
+    /**
+     * Send invitation to join tenant
+     */
+    inviteToTenant(input: {
+        email: string;
+        tenantId: string;
+        role: string;
+        permissions?: string[];
+        invitedBy: string;
+        message?: string;
+    }): Promise<SendInvitationResult>;
+    /**
+     * Accept an invitation
+     */
+    acceptInvitation(token: string, userId: string): Promise<AcceptInvitationResult>;
+    /**
+     * Check invitation status
+     */
+    checkInvitation(token: string): Promise<{
+        valid: boolean;
+        tenantName?: string;
+        role?: string;
+        email?: string;
+        error?: string;
+    }>;
+    /**
+     * Get tenant manager instance
+     */
+    getTenantManager(): TenantManager;
+    /**
+     * Get invitation service instance
+     */
+    getInvitationService(): InvitationService | undefined;
+    /**
+     * Get tenant resolver instance
+     */
+    getTenantResolver(): TenantResolver | undefined;
+}
+
+/**
+ * Adapter Types
+ * Common interfaces for framework adapters
+ */
+
+/**
+ * Auth context attached to requests
+ */
+interface AuthContext {
+    /** Authenticated user ID */
+    userId: string;
+    /** Session ID */
+    sessionId?: string;
+    /** Tenant ID (for multi-tenant) */
+    tenantId?: string;
+    /** User roles */
+    roles?: string[];
+    /** User permissions */
+    permissions?: string[];
+    /** Full JWT payload */
+    payload: JwtPayload;
+}
+/**
+ * Cookie options
+ */
+interface CookieOptions {
+    /** Cookie name */
+    name: string;
+    /** Cookie value */
+    value: string;
+    /** Max age in seconds */
+    maxAge?: number;
+    /** Expiration date */
+    expires?: Date;
+    /** Path */
+    path?: string;
+    /** Domain */
+    domain?: string;
+    /** Secure flag */
+    secure?: boolean;
+    /** HttpOnly flag */
+    httpOnly?: boolean;
+    /** SameSite attribute */
+    sameSite?: 'strict' | 'lax' | 'none';
+}
+/**
+ * Auth response with cookies
+ */
+interface AuthResponse {
+    success: boolean;
+    tokens?: TokenPair;
+    cookies?: CookieOptions[];
+    error?: string;
+    errorCode?: string;
+    user?: {
+        id: string;
+        email?: string;
+        name?: string;
+    };
+}
+/**
+ * Request OTP input
+ */
+interface RequestOtpBody {
+    identifier: string;
+    type: 'email' | 'sms';
+}
+/**
+ * Verify OTP input
+ */
+interface VerifyOtpBody {
+    identifier: string;
+    code: string;
+    type?: 'email' | 'sms';
+}
+/**
+ * Sign in input
+ */
+interface SignInBody {
+    provider: string;
+    identifier: string;
+    credential?: string;
+    data?: Record<string, unknown>;
+}
+/**
+ * Refresh token input
+ */
+interface RefreshBody {
+    refreshToken?: string;
+}
+/**
+ * Create auth cookies from token pair
+ */
+declare function createAuthCookies(tokens: TokenPair, config: {
+    prefix?: string;
+    path?: string;
+    domain?: string;
+    secure?: boolean;
+    sameSite?: 'strict' | 'lax' | 'none';
+    httpOnly?: boolean;
+}): CookieOptions[];
+/**
+ * Create logout cookies (clear auth cookies)
+ */
+declare function createLogoutCookies(config: {
+    prefix?: string;
+    path?: string;
+    domain?: string;
+}): CookieOptions[];
+
+/**
+ * Hono auth context variables
+ */
+interface AuthVariables {
+    auth: AuthContext;
+}
+/**
+ * Hono adapter configuration
+ */
+interface HonoAdapterConfig {
+    /** Auth engine instance */
+    auth: ParsAuthEngine;
+    /** Cookie configuration */
+    cookies?: {
+        prefix?: string;
+        path?: string;
+        domain?: string;
+        secure?: boolean;
+        sameSite?: 'strict' | 'lax' | 'none';
+        httpOnly?: boolean;
+    };
+    /** Custom error handler */
+    onError?: (error: Error, c: Context) => Response | Promise<Response>;
+    /** Custom unauthorized handler */
+    onUnauthorized?: (c: Context, message?: string) => Response | Promise<Response>;
+}
+/**
+ * Create Hono auth middleware
+ * Validates JWT and attaches auth context to request
+ */
+declare function createAuthMiddleware(config: HonoAdapterConfig): MiddlewareHandler<{
+    Variables: AuthVariables;
+}>;
+/**
+ * Create optional auth middleware
+ * Attaches auth context if token is valid, but doesn't block if not
+ */
+declare function createOptionalAuthMiddleware(config: HonoAdapterConfig): MiddlewareHandler<{
+    Variables: Partial<AuthVariables>;
+}>;
+/**
+ * Create auth routes
+ * Provides standard auth endpoints: /otp/request, /otp/verify, /sign-in, /sign-out, /refresh
+ */
+declare function createAuthRoutes<E extends {
+    Variables: Partial<AuthVariables>;
+}>(app: Hono<E>, config: HonoAdapterConfig): Hono<E>;
+/**
+ * Create complete Hono auth integration
+ */
+declare function createHonoAuth(config: HonoAdapterConfig): {
+    /** Auth middleware (requires authentication) */
+    middleware: MiddlewareHandler<{
+        Variables: AuthVariables;
+    }>;
+    /** Optional auth middleware (attaches auth if present) */
+    optionalMiddleware: MiddlewareHandler<{
+        Variables: Partial<AuthVariables>;
+    }>;
+    /** Create auth routes on an app */
+    createRoutes: <E extends {
+        Variables: Partial<AuthVariables>;
+    }>(app: Hono<E>) => Hono<E, hono_types.BlankSchema, "/">;
+};
+/**
+ * Require specific role(s)
+ * Use after createAuthMiddleware
+ *
+ * @example
+ * ```ts
+ * app.get('/admin', authMiddleware, requireRole('admin'), handler);
+ * app.get('/managers', authMiddleware, requireRole('admin', 'manager'), handler);
+ * ```
+ */
+declare function requireRole(...allowedRoles: string[]): MiddlewareHandler<{
+    Variables: AuthVariables;
+}>;
+/**
+ * Require specific permission(s)
+ * Supports wildcards: 'users:*', '*:read', '*'
+ *
+ * @example
+ * ```ts
+ * app.get('/users', authMiddleware, requirePermission('users:read'), handler);
+ * app.delete('/users/:id', authMiddleware, requirePermission('users:delete'), handler);
+ * ```
+ */
+declare function requirePermission(...permissions: PermissionPattern[]): MiddlewareHandler<{
+    Variables: AuthVariables;
+}>;
+/**
+ * Require any of the specified permissions
+ * User only needs one of the permissions
+ *
+ * @example
+ * ```ts
+ * app.get('/content', authMiddleware, requireAnyPermission('content:read', 'content:admin'), handler);
+ * ```
+ */
+declare function requireAnyPermission(...permissions: PermissionPattern[]): MiddlewareHandler<{
+    Variables: AuthVariables;
+}>;
+/**
+ * Require tenant context
+ * Ensures user has an active tenant selected
+ *
+ * @example
+ * ```ts
+ * app.use('/api/tenant/*', authMiddleware, requireTenant());
+ * ```
+ */
+declare function requireTenant(): MiddlewareHandler<{
+    Variables: AuthVariables;
+}>;
+/**
+ * Require access to specific tenant
+ * Validates that user can access the tenant specified in the request
+ *
+ * @example
+ * ```ts
+ * // Check tenant from URL param
+ * app.get('/tenants/:tenantId/*', authMiddleware, requireTenantAccess(c => c.req.param('tenantId')), handler);
+ *
+ * // Check tenant from header
+ * app.use('/api/*', authMiddleware, requireTenantAccess(c => c.req.header('x-tenant-id')), handler);
+ * ```
+ */
+declare function requireTenantAccess(getTenantId: (c: Context) => string | undefined, options?: {
+    /** Roles that can access any tenant (e.g., ['super_admin']) */
+    bypassRoles?: string[];
+}): MiddlewareHandler<{
+    Variables: AuthVariables;
+}>;
+/**
+ * Require admin access
+ * Checks for 'admin' or 'owner' role, or '*' permission
+ *
+ * @example
+ * ```ts
+ * app.use('/admin/*', authMiddleware, requireAdmin(), handler);
+ * ```
+ */
+declare function requireAdmin(): MiddlewareHandler<{
+    Variables: AuthVariables;
+}>;
+/**
+ * Require resource ownership or permission
+ * Allows access if user owns the resource OR has the specified permission
+ *
+ * @example
+ * ```ts
+ * app.put('/posts/:id', authMiddleware, requireOwnerOrPermission(
+ *   async (c) => (await getPost(c.req.param('id'))).authorId,
+ *   'posts:edit'
+ * ), handler);
+ * ```
+ */
+declare function requireOwnerOrPermission(getOwnerId: (c: Context) => string | Promise<string>, permission: PermissionPattern): MiddlewareHandler<{
+    Variables: AuthVariables;
+}>;
+/**
+ * Combine multiple authorization requirements
+ * All requirements must pass
+ *
+ * @example
+ * ```ts
+ * app.delete('/projects/:id',
+ *   authMiddleware,
+ *   requireAll(
+ *     requireTenant(),
+ *     requireRole('admin', 'manager'),
+ *     requirePermission('projects:delete')
+ *   ),
+ *   handler
+ * );
+ * ```
+ */
+declare function requireAll(...middlewares: MiddlewareHandler<{
+    Variables: AuthVariables;
+}>[]): MiddlewareHandler<{
+    Variables: AuthVariables;
+}>;
+/**
+ * Combine multiple authorization requirements
+ * At least one requirement must pass
+ *
+ * @example
+ * ```ts
+ * app.get('/content/:id',
+ *   authMiddleware,
+ *   requireAny(
+ *     requireRole('admin'),
+ *     requirePermission('content:read'),
+ *     requireOwnerOrPermission(getContentOwnerId, 'content:view-own')
+ *   ),
+ *   handler
+ * );
+ * ```
+ */
+declare function requireAny(...middlewares: MiddlewareHandler<{
+    Variables: AuthVariables;
+}>[]): MiddlewareHandler<{
+    Variables: AuthVariables;
+}>;
+
+export { type VerifyOtpBody as $, type AuthContext$1 as A, createAuthCookies as B, type CreateTenantInput as C, createLogoutCookies as D, requireRole as E, requirePermission as F, requireAnyPermission as G, requireTenant as H, InvitationService as I, requireTenantAccess as J, requireAdmin as K, requireOwnerOrPermission as L, MultiStrategyTenantResolver as M, requireAll as N, requireAny as O, ParsAuthEngine as P, type AuthVariables as Q, type RefreshTokenResult as R, type SignInInput as S, TenantResolver as T, type UpdateTenantInput as U, type VerifyTokenResult as V, type HonoAdapterConfig as W, type AuthContext as X, type CookieOptions as Y, type AuthResponse as Z, type RequestOtpBody as _, type SignInResult as a, type SignInBody as a0, type RefreshBody as a1, type SignUpInput as b, type SignUpResult as c, type SessionInfo as d, createTenantResolver as e, createMultiStrategyResolver as f, type TenantResolverConfig as g, type TenantResolutionResult as h, TenantManager as i, createTenantManager as j, type AddMemberInput as k, type UpdateMemberInput as l, type TenantWithMembers as m, type UserTenantMembership as n, createInvitationService as o, type InvitationConfig as p, type InvitationRecord as q, type SendInvitationInput as r, type SendInvitationResult as s, type AcceptInvitationInput as t, type AcceptInvitationResult as u, type InvitationStatusResult as v, createAuthMiddleware as w, createOptionalAuthMiddleware as x, createAuthRoutes as y, createHonoAuth as z };