@parsrun/auth 0.1.0

package/dist/index.d.ts

@@ -0,0 +1,1579 @@
+import { A as AuthProvider, b as AuthInput, c as AuthResult, a as ProviderInfo, T as TwoFactorProvider, e as TwoFactorSetupResult, h as AuthAdapter, i as ParsAuthConfig } from './base-BKyR8rcE.js';
+export { t as AdapterAuthMethod, v as AdapterMembership, s as AdapterSession, u as AdapterTenant, r as AdapterUser, q as AuthCallbacks, C as CookieConfig, y as CreateAuthMethodInput, z as CreateMembershipInput, x as CreateSessionInput, w as CreateUserInput, j as CsrfConfig, J as JwtConfig, M as MagicLinkConfig, O as OAuthProvider, o as OAuthProviderConfig, f as OAuthUserInfo, g as OtpConfig, n as PasswordConfig, P as ProviderType, p as SecurityConfig, S as SessionConfig, k as TenantConfig, l as TenantResolutionStrategy, m as TotpConfig, V as VerifyInput, d as VerifyResult, W as WebAuthnConfig, D as defaultConfig, E as mergeConfig, F as validateConfig } from './base-BKyR8rcE.js';
+import { P as ParsAuthEngine } from './index-DOGcetyD.js';
+export { t as AcceptInvitationInput, u as AcceptInvitationResult, X as AdapterAuthContext, k as AddMemberInput, A as AuthContext, Z as AuthResponse, Q as AuthVariables, Y as CookieOptions, C as CreateTenantInput, W as HonoAdapterConfig, p as InvitationConfig, q as InvitationRecord, I as InvitationService, v as InvitationStatusResult, M as MultiStrategyTenantResolver, R as RefreshTokenResult, r as SendInvitationInput, s as SendInvitationResult, d as SessionInfo, S as SignInInput, a as SignInResult, b as SignUpInput, c as SignUpResult, i as TenantManager, h as TenantResolutionResult, T as TenantResolver, g as TenantResolverConfig, m as TenantWithMembers, l as UpdateMemberInput, U as UpdateTenantInput, n as UserTenantMembership, V as VerifyTokenResult, B as createAuthCookies, w as createAuthMiddleware, y as createAuthRoutes, z as createHonoAuth, o as createInvitationService, D as createLogoutCookies, f as createMultiStrategyResolver, x as createOptionalAuthMiddleware, j as createTenantManager, e as createTenantResolver, K as requireAdmin, N as requireAll, O as requireAny, G as requireAnyPermission, L as requireOwnerOrPermission, F as requirePermission, E as requireRole, H as requireTenant, J as requireTenantAccess } from './index-DOGcetyD.js';
+export { ProviderRegistry } from './providers/index.js';
+export { e as OTPConfig, a as OTPManager, O as OTPProvider, f as OTPRecord, g as RateLimitCheck, R as RequestOTPInput, d as RequestOTPResult, S as StoreOTPResult, V as VerifyOTPResult, b as createOTPManager, c as createOTPProvider } from './index-C3kz9XqE.js';
+import { K as KVStorage } from './types-DSjafxJ4.js';
+export { C as CloudflareKVConfig, D as DenoKVConfig, M as MemoryConfig, R as RedisConfig, S as StorageConfig, a as StorageType } from './types-DSjafxJ4.js';
+export { a as JwtError, J as JwtManager, b as JwtManagerConfig, d as JwtPayload, K as KeyRotationResult, T as TokenPair, c as createJwtManager, e as extractBearerToken, p as parseDuration } from './jwt-manager-CH8H0kmm.js';
+export { BlocklistConfig, SessionBlocklist, TokenBlocklist, createSessionBlocklist, createTokenBlocklist } from './session/index.js';
+export { MemoryStorage, StorageKeys, createMemoryStorage, createStorage, createStorageSync } from './storage/index.js';
+export { CsrfManager, CsrfConfig as CsrfManagerConfig, CsrfTokenPair, CsrfUtils, DefaultLockoutConfig, LockoutConfig, LockoutManager, LockoutStatus, RateLimitConfig, RateLimitPresets, RateLimitResult, RateLimiter, createCsrfManager, createLockoutManager, createRateLimiter } from './security/index.js';
+export { b as AuthorizationContext, A as AuthorizationGuard, e as AuthorizationRequirements, d as AuthorizationResult, f as PermissionPattern, P as Permissions, R as Roles, T as TenantMembershipInfo, a as authorize, c as createAuthorizationGuard } from './authorization-By1Xp8Za.js';
+import 'hono/types';
+import 'hono';
+import 'jose';
+
+/**
+ * OAuth Types
+ */
+interface OAuthUserInfo {
+    /** Provider-specific user ID */
+    id: string;
+    /** User email */
+    email: string;
+    /** Display name */
+    name?: string;
+    /** Avatar URL */
+    avatarUrl?: string;
+    /** Whether email is verified */
+    emailVerified: boolean;
+    /** Raw provider response */
+    raw: Record<string, unknown>;
+}
+interface OAuthTokens {
+    accessToken: string;
+    refreshToken?: string;
+    expiresIn?: number;
+    idToken?: string;
+    tokenType?: string;
+    scope?: string;
+}
+interface OAuthProviderConfig {
+    clientId: string;
+    clientSecret: string;
+    redirectUri: string;
+    scopes?: string[];
+}
+interface GoogleConfig extends OAuthProviderConfig {
+}
+interface GitHubConfig extends OAuthProviderConfig {
+}
+interface MicrosoftConfig extends OAuthProviderConfig {
+    tenantId?: string;
+}
+interface AppleConfig {
+    clientId: string;
+    teamId: string;
+    keyId: string;
+    privateKey: string;
+    redirectUri: string;
+    scopes?: string[];
+}
+interface OAuthProvider {
+    readonly name: string;
+    getAuthorizationUrl(state: string, codeChallenge?: string): Promise<string>;
+    exchangeCode(code: string, codeVerifier?: string): Promise<OAuthTokens>;
+    getUserInfo(accessToken: string): Promise<OAuthUserInfo>;
+    /**
+     * Refresh access token using refresh token
+     * Not all providers support refresh tokens
+     */
+    refreshToken?(refreshToken: string): Promise<OAuthTokens>;
+}
+type OAuthProviderName = 'google' | 'github' | 'microsoft' | 'apple';
+interface OAuthState {
+    state: string;
+    provider: OAuthProviderName;
+    codeVerifier?: string;
+    tenantId?: string;
+    redirectUrl?: string;
+    expiresAt: Date;
+}
+
+/**
+ * Google OAuth Provider
+ */
+
+declare class GoogleProvider implements OAuthProvider {
+    readonly name = "google";
+    private config;
+    constructor(config: GoogleConfig);
+    getAuthorizationUrl(state: string, codeChallenge?: string): Promise<string>;
+    exchangeCode(code: string, codeVerifier?: string): Promise<OAuthTokens>;
+    getUserInfo(accessToken: string): Promise<OAuthUserInfo>;
+    refreshToken(refreshToken: string): Promise<OAuthTokens>;
+}
+
+/**
+ * GitHub OAuth Provider
+ */
+
+declare class GitHubProvider implements OAuthProvider {
+    readonly name = "github";
+    private config;
+    constructor(config: GitHubConfig);
+    getAuthorizationUrl(state: string, _codeChallenge?: string): Promise<string>;
+    exchangeCode(code: string, _codeVerifier?: string): Promise<OAuthTokens>;
+    getUserInfo(accessToken: string): Promise<OAuthUserInfo>;
+}
+
+/**
+ * Microsoft OAuth Provider
+ */
+
+declare class MicrosoftProvider implements OAuthProvider {
+    readonly name = "microsoft";
+    private config;
+    private baseUrl;
+    constructor(config: MicrosoftConfig);
+    getAuthorizationUrl(state: string, codeChallenge?: string): Promise<string>;
+    exchangeCode(code: string, codeVerifier?: string): Promise<OAuthTokens>;
+    getUserInfo(accessToken: string): Promise<OAuthUserInfo>;
+    refreshToken(refreshToken: string): Promise<OAuthTokens>;
+}
+
+/**
+ * Apple OAuth Provider
+ * Uses Sign in with Apple
+ */
+
+declare class AppleProvider implements OAuthProvider {
+    readonly name = "apple";
+    private config;
+    constructor(config: AppleConfig);
+    getAuthorizationUrl(state: string, _codeChallenge?: string): Promise<string>;
+    exchangeCode(code: string, _codeVerifier?: string): Promise<OAuthTokens>;
+    getUserInfo(accessToken: string): Promise<OAuthUserInfo>;
+    /**
+     * Parse user info from id_token and form post data
+     * Apple sends user info only on first authorization
+     */
+    parseUserFromCallback(idToken: string, userData?: {
+        name?: {
+            firstName?: string;
+            lastName?: string;
+        };
+        email?: string;
+    }): OAuthUserInfo;
+    /**
+     * Generate client secret JWT for Apple
+     * Apple requires a JWT signed with your private key
+     */
+    private generateClientSecret;
+    private pemToArrayBuffer;
+    private base64UrlEncode;
+}
+
+/**
+ * OAuth Provider
+ * Manages OAuth2 authentication flows with PKCE support
+ */
+
+/**
+ * OAuth configuration
+ */
+interface OAuthConfig {
+    google?: GoogleConfig;
+    github?: GitHubConfig;
+    microsoft?: MicrosoftConfig;
+    apple?: AppleConfig;
+}
+/**
+ * OAuth flow result
+ */
+interface OAuthFlowResult {
+    authorizationUrl: string;
+    state: string;
+}
+/**
+ * OAuth callback result
+ */
+interface OAuthCallbackResult {
+    userInfo: OAuthUserInfo;
+    tokens: OAuthTokens;
+    tenantId?: string;
+    redirectUrl?: string;
+}
+/**
+ * Generate PKCE code verifier and challenge
+ */
+declare function generatePKCE(): Promise<{
+    codeVerifier: string;
+    codeChallenge: string;
+}>;
+/**
+ * Generate secure random state
+ */
+declare function generateState(): string;
+/**
+ * OAuth Manager
+ * Handles OAuth flows with state management via KVStorage
+ */
+declare class OAuthManager {
+    private storage;
+    private providers;
+    private stateExpirySeconds;
+    constructor(storage: KVStorage, config: OAuthConfig, options?: {
+        stateExpirySeconds?: number;
+    });
+    /**
+     * Get available providers
+     */
+    getAvailableProviders(): OAuthProviderName[];
+    /**
+     * Check if a provider is configured
+     */
+    hasProvider(name: string): boolean;
+    /**
+     * Get a provider by name
+     */
+    getProvider(name: string): OAuthProvider | undefined;
+    /**
+     * Start OAuth flow - returns authorization URL
+     */
+    startFlow(providerName: OAuthProviderName, options?: {
+        tenantId?: string;
+        redirectUrl?: string;
+    }): Promise<OAuthFlowResult>;
+    /**
+     * Handle OAuth callback
+     */
+    handleCallback(providerName: OAuthProviderName, code: string, state: string): Promise<OAuthCallbackResult>;
+    /**
+     * Refresh OAuth tokens (if supported by provider)
+     */
+    refreshTokens(providerName: OAuthProviderName, refreshToken: string): Promise<OAuthTokens>;
+    /**
+     * Check if provider supports token refresh
+     */
+    supportsRefresh(providerName: OAuthProviderName): boolean;
+}
+/**
+ * Create OAuth manager
+ */
+declare function createOAuthManager(storage: KVStorage, config: OAuthConfig, options?: {
+    stateExpirySeconds?: number;
+}): OAuthManager;
+
+/**
+ * Magic Link Provider
+ * Passwordless email authentication via secure links
+ */
+
+/**
+ * Magic Link configuration
+ */
+interface MagicLinkConfig {
+    /** Base URL for magic links (e.g., https://app.example.com) */
+    baseUrl: string;
+    /** Path for callback (default: /auth/magic-link/callback) */
+    callbackPath?: string;
+    /** Token expiration in seconds (default: 900 = 15 minutes) */
+    expiresIn?: number;
+    /** Token length in bytes (default: 32) */
+    tokenLength?: number;
+    /** Email sender function */
+    send: (email: string, url: string, expiresIn: number) => Promise<void>;
+}
+/**
+ * Send magic link result
+ */
+interface SendMagicLinkResult {
+    success: boolean;
+    expiresAt?: Date;
+    error?: string;
+}
+/**
+ * Verify magic link result
+ */
+interface VerifyMagicLinkResult {
+    success: boolean;
+    email?: string;
+    tenantId?: string;
+    redirectUrl?: string;
+    error?: string;
+}
+/**
+ * Magic Link Provider
+ */
+declare class MagicLinkProvider implements AuthProvider {
+    readonly name = "magic-link";
+    readonly type: "magic-link";
+    private storage;
+    private config;
+    private _enabled;
+    constructor(storage: KVStorage, config: MagicLinkConfig);
+    get enabled(): boolean;
+    /**
+     * Send magic link to email
+     */
+    sendMagicLink(email: string, options?: {
+        tenantId?: string;
+        redirectUrl?: string;
+    }): Promise<SendMagicLinkResult>;
+    /**
+     * Verify magic link token
+     */
+    verifyMagicLink(token: string): Promise<VerifyMagicLinkResult>;
+    /**
+     * Authenticate with magic link token (implements AuthProvider)
+     */
+    authenticate(input: AuthInput): Promise<AuthResult>;
+    /**
+     * Get provider info
+     */
+    getInfo(): ProviderInfo;
+    /**
+     * Request magic link (for use in auth routes)
+     */
+    requestMagicLink(email: string, options?: {
+        tenantId?: string;
+        redirectUrl?: string;
+    }): Promise<SendMagicLinkResult>;
+}
+/**
+ * Create Magic Link provider
+ */
+declare function createMagicLinkProvider(storage: KVStorage, config: MagicLinkConfig): MagicLinkProvider;
+
+/**
+ * TOTP Provider (Time-based One-Time Password)
+ * RFC 6238 compliant, Google Authenticator compatible
+ */
+
+/**
+ * TOTP Configuration
+ */
+interface TOTPConfig {
+    /** Issuer name (your app name) */
+    issuer: string;
+    /** Hash algorithm (default: SHA1 for compatibility) */
+    algorithm?: 'SHA1' | 'SHA256' | 'SHA512';
+    /** Number of digits (default: 6) */
+    digits?: 6 | 8;
+    /** Time period in seconds (default: 30) */
+    period?: number;
+    /** Time window for drift tolerance (default: 1) */
+    window?: number;
+    /** Number of backup codes (default: 10) */
+    backupCodeCount?: number;
+    /** Encryption key for storing secrets */
+    encryptionKey?: string;
+}
+/**
+ * TOTP setup result
+ */
+interface TOTPSetupData {
+    /** Base32 encoded secret */
+    secret: string;
+    /** QR code URL */
+    qrCodeUrl: string;
+    /** Backup codes */
+    backupCodes: string[];
+    /** otpauth:// URI */
+    otpauthUri: string;
+}
+/**
+ * TOTP verify result
+ */
+interface TOTPVerifyResult {
+    valid: boolean;
+    usedBackupCode?: boolean;
+}
+/**
+ * TOTP Provider
+ */
+declare class TOTPProvider implements TwoFactorProvider {
+    readonly name = "totp";
+    readonly type: "totp";
+    private storage;
+    private config;
+    private _enabled;
+    constructor(storage: KVStorage, config: TOTPConfig);
+    get enabled(): boolean;
+    /**
+     * Setup TOTP for a user
+     * Note: Use setupWithEmail for full setup including QR code URL
+     */
+    setup(userId: string): Promise<TwoFactorSetupResult>;
+    /**
+     * Setup TOTP for a user with email for QR code label
+     */
+    setupWithEmail(userId: string, userEmail: string): Promise<TwoFactorSetupResult & {
+        qrCodeUrl: string;
+        otpauthUri: string;
+    }>;
+    /**
+     * Verify TOTP and activate 2FA (for TwoFactorProvider interface)
+     */
+    verifySetup(userId: string, token: string): Promise<boolean>;
+    /**
+     * Verify TOTP during login (for TwoFactorProvider interface)
+     */
+    verifyLogin(userId: string, code: string): Promise<boolean>;
+    /**
+     * Authenticate (for AuthProvider interface)
+     */
+    authenticate(_input: AuthInput): Promise<AuthResult>;
+    /**
+     * Verify TOTP token
+     */
+    verifyCode(userId: string, token: string): Promise<TOTPVerifyResult>;
+    /**
+     * Disable TOTP for user
+     */
+    disable(userId: string): Promise<void>;
+    /**
+     * Regenerate backup codes
+     */
+    regenerateBackupCodes(userId: string): Promise<string[]>;
+    /**
+     * Get remaining backup codes count
+     */
+    getBackupCodesCount(userId: string): Promise<number>;
+    /**
+     * Check if TOTP is enabled for user
+     */
+    isEnabled(userId: string): Promise<boolean>;
+    /**
+     * Generate current TOTP (for testing)
+     */
+    generateCurrent(userId: string): Promise<string>;
+    /**
+     * Get provider info
+     */
+    getInfo(): ProviderInfo;
+    /**
+     * Create otpauth URI for QR code
+     */
+    private createOtpauthUri;
+}
+/**
+ * Create TOTP provider
+ */
+declare function createTOTPProvider(storage: KVStorage, config: TOTPConfig): TOTPProvider;
+
+/**
+ * WebAuthn Provider (Passkeys)
+ * FIDO2 passwordless authentication
+ */
+
+/**
+ * WebAuthn Configuration
+ */
+interface WebAuthnConfig {
+    /** Relying Party name (your app name) */
+    rpName: string;
+    /** Relying Party ID (domain without protocol) */
+    rpId: string;
+    /** Full origin (e.g., https://example.com) */
+    origin: string;
+    /** Timeout in milliseconds (default: 60000) */
+    timeout?: number;
+    /** Attestation preference (default: none) */
+    attestation?: 'none' | 'indirect' | 'direct';
+    /** User verification preference (default: preferred) */
+    userVerification?: 'required' | 'preferred' | 'discouraged';
+}
+/**
+ * Registration options returned to client
+ */
+interface RegistrationOptions {
+    challenge: string;
+    rp: {
+        name: string;
+        id: string;
+    };
+    user: {
+        id: string;
+        name: string;
+        displayName: string;
+    };
+    pubKeyCredParams: Array<{
+        type: 'public-key';
+        alg: number;
+    }>;
+    timeout: number;
+    attestation: 'none' | 'indirect' | 'direct';
+    authenticatorSelection: {
+        authenticatorAttachment?: 'platform' | 'cross-platform';
+        residentKey: 'required' | 'preferred' | 'discouraged';
+        userVerification: 'required' | 'preferred' | 'discouraged';
+    };
+    excludeCredentials: Array<{
+        id: string;
+        type: 'public-key';
+        transports?: string[];
+    }>;
+}
+/**
+ * Authentication options returned to client
+ */
+interface AuthenticationOptions {
+    challenge: string;
+    timeout: number;
+    rpId: string;
+    allowCredentials: Array<{
+        id: string;
+        type: 'public-key';
+        transports?: string[];
+    }>;
+    userVerification: 'required' | 'preferred' | 'discouraged';
+}
+/**
+ * Registration response from client
+ */
+interface RegistrationResponse {
+    id: string;
+    rawId: string;
+    type: 'public-key';
+    response: {
+        clientDataJSON: string;
+        attestationObject: string;
+        transports?: string[];
+    };
+}
+/**
+ * Authentication response from client
+ */
+interface AuthenticationResponse {
+    id: string;
+    rawId: string;
+    type: 'public-key';
+    response: {
+        clientDataJSON: string;
+        authenticatorData: string;
+        signature: string;
+        userHandle?: string;
+    };
+}
+/**
+ * Client data JSON structure
+ */
+interface ClientDataJSON {
+    type: 'webauthn.create' | 'webauthn.get';
+    challenge: string;
+    origin: string;
+    crossOrigin?: boolean;
+}
+/**
+ * Authenticator data structure
+ */
+interface AuthenticatorData {
+    rpIdHash: Uint8Array;
+    flags: {
+        userPresent: boolean;
+        userVerified: boolean;
+        attestedCredentialData: boolean;
+        extensionDataIncluded?: boolean;
+    };
+    signCount: number;
+    attestedCredentialData?: {
+        aaguid: Uint8Array;
+        credentialId: Uint8Array;
+        publicKey: Uint8Array;
+    };
+}
+/**
+ * Stored credential (exported as WebAuthnCredential)
+ */
+interface WebAuthnCredential {
+    id: string;
+    credentialId: string;
+    userId: string;
+    publicKey: string;
+    counter: number;
+    transports: string[];
+    name: string;
+    deviceType?: string;
+    createdAt: string;
+    lastUsedAt?: string;
+}
+/**
+ * WebAuthn Provider
+ */
+declare class WebAuthnProvider implements TwoFactorProvider {
+    readonly name = "webauthn";
+    readonly type: "webauthn";
+    private storage;
+    private config;
+    private _enabled;
+    constructor(storage: KVStorage, config: WebAuthnConfig);
+    get enabled(): boolean;
+    /**
+     * Generate registration options
+     */
+    generateRegistrationOptions(userId: string, userName: string, userDisplayName: string, authenticatorType?: 'platform' | 'cross-platform'): Promise<RegistrationOptions>;
+    /**
+     * Verify registration response
+     */
+    verifyRegistration(response: RegistrationResponse, challenge: string, credentialName?: string): Promise<{
+        success: boolean;
+        credentialId?: string;
+        error?: string;
+    }>;
+    /**
+     * Generate authentication options
+     */
+    generateAuthenticationOptions(userId?: string): Promise<AuthenticationOptions>;
+    /**
+     * Verify authentication response
+     */
+    verifyAuthentication(response: AuthenticationResponse, challenge: string): Promise<{
+        success: boolean;
+        userId?: string;
+        credentialId?: string;
+        error?: string;
+    }>;
+    /**
+     * Get user's credentials
+     */
+    getUserCredentials(userId: string): Promise<WebAuthnCredential[]>;
+    /**
+     * Remove a credential
+     */
+    removeCredential(userId: string, credentialId: string): Promise<boolean>;
+    /**
+     * Check if user has any passkeys
+     */
+    hasPasskeys(userId: string): Promise<boolean>;
+    /**
+     * Setup (for TwoFactorProvider interface)
+     */
+    setup(userId: string): Promise<TwoFactorSetupResult>;
+    /**
+     * Verify setup (for TwoFactorProvider interface)
+     */
+    verifySetup(userId: string, _code: string): Promise<boolean>;
+    /**
+     * Verify login (for TwoFactorProvider interface)
+     */
+    verifyLogin(userId: string, _code: string): Promise<boolean>;
+    /**
+     * Disable 2FA for user
+     */
+    disable(userId: string): Promise<void>;
+    /**
+     * Authenticate (for AuthProvider interface)
+     */
+    authenticate(_input: AuthInput): Promise<AuthResult>;
+    /**
+     * Get provider info
+     */
+    getInfo(): ProviderInfo;
+}
+/**
+ * Create WebAuthn provider
+ */
+declare function createWebAuthnProvider(storage: KVStorage, config: WebAuthnConfig): WebAuthnProvider;
+
+/**
+ * Password Provider
+ * Traditional password-based authentication
+ * DISABLED BY DEFAULT - use passwordless methods when possible
+ */
+
+/**
+ * Password configuration
+ */
+interface PasswordConfig {
+    /** Minimum password length (default: 8) */
+    minLength?: number;
+    /** Maximum password length (default: 128) */
+    maxLength?: number;
+    /** Require uppercase letter (default: true) */
+    requireUppercase?: boolean;
+    /** Require lowercase letter (default: true) */
+    requireLowercase?: boolean;
+    /** Require number (default: true) */
+    requireNumber?: boolean;
+    /** Require special character (default: false) */
+    requireSpecial?: boolean;
+    /** Bcrypt cost factor (default: 12) */
+    bcryptCost?: number;
+    /** Password hash function (for custom implementations) */
+    hashPassword?: (password: string) => Promise<string>;
+    /** Password verify function (for custom implementations) */
+    verifyPassword?: (password: string, hash: string) => Promise<boolean>;
+}
+/**
+ * Password validation result
+ */
+interface PasswordValidationResult {
+    valid: boolean;
+    errors: string[];
+}
+/**
+ * Password strength levels
+ */
+type PasswordStrength = 'weak' | 'fair' | 'strong' | 'very-strong';
+/**
+ * Password Provider
+ * WARNING: This provider is disabled by default.
+ * Consider using passwordless authentication (OTP, Magic Link, OAuth) for better security.
+ */
+declare class PasswordProvider implements AuthProvider {
+    readonly name = "password";
+    readonly type: "password";
+    private storage;
+    private config;
+    private _enabled;
+    constructor(storage: KVStorage, config?: PasswordConfig);
+    get enabled(): boolean;
+    /**
+     * Enable the password provider
+     * Must be explicitly called to enable password authentication
+     */
+    enable(): void;
+    /**
+     * Disable the password provider
+     */
+    disable(): void;
+    /**
+     * Validate password against policy
+     */
+    validatePassword(password: string): PasswordValidationResult;
+    /**
+     * Check password strength
+     */
+    checkStrength(password: string): PasswordStrength;
+    /**
+     * Hash a password
+     * Uses Web Crypto API for PBKDF2 (bcrypt alternative for edge runtime)
+     */
+    hashPassword(password: string): Promise<string>;
+    /**
+     * Verify a password against a hash
+     */
+    verifyPassword(password: string, hash: string): Promise<boolean>;
+    /**
+     * Authenticate with password (implements AuthProvider)
+     */
+    authenticate(input: AuthInput): Promise<AuthResult>;
+    /**
+     * Store password hash for a user
+     */
+    setPassword(userId: string, password: string): Promise<{
+        success: boolean;
+        errors?: string[];
+    }>;
+    /**
+     * Verify password for a user
+     */
+    verifyUserPassword(userId: string, password: string): Promise<boolean>;
+    /**
+     * Check if user has password set
+     */
+    hasPassword(userId: string): Promise<boolean>;
+    /**
+     * Remove password for a user (switch to passwordless)
+     */
+    removePassword(userId: string): Promise<void>;
+    /**
+     * Get provider info
+     */
+    getInfo(): ProviderInfo;
+    /**
+     * Constant-time comparison to prevent timing attacks
+     */
+    private constantTimeEquals;
+}
+/**
+ * Create Password provider
+ */
+declare function createPasswordProvider(storage: KVStorage, config?: PasswordConfig): PasswordProvider;
+
+/**
+ * Runtime detection utilities for multi-runtime support
+ * Supports: Node.js, Deno, Cloudflare Workers, Bun
+ */
+type Runtime = 'node' | 'deno' | 'cloudflare' | 'bun' | 'unknown';
+/**
+ * Detect the current JavaScript runtime environment
+ */
+declare function detectRuntime(): Runtime;
+/**
+ * Check if running in Node.js
+ */
+declare function isNode(): boolean;
+/**
+ * Check if running in Deno
+ */
+declare function isDeno(): boolean;
+/**
+ * Check if running in Cloudflare Workers
+ */
+declare function isCloudflare(): boolean;
+/**
+ * Check if running in Bun
+ */
+declare function isBun(): boolean;
+/**
+ * Check if running in an edge runtime (CF Workers, Deno Deploy, etc.)
+ */
+declare function isEdge(): boolean;
+/**
+ * Get environment variable across runtimes
+ */
+declare function getEnv(key: string): string | undefined;
+
+/**
+ * Runtime-agnostic Crypto Utilities
+ * Uses Web Crypto API (works in Node.js, Deno, Bun, Cloudflare Workers)
+ */
+/**
+ * Generate cryptographically secure random bytes as hex string
+ */
+declare function generateRandomHex(byteLength?: number): string;
+/**
+ * Generate cryptographically secure random bytes as base64url string
+ */
+declare function generateRandomBase64Url(byteLength?: number): string;
+/**
+ * Generate a random integer between min (inclusive) and max (exclusive)
+ * Uses rejection sampling for uniform distribution
+ */
+declare function randomInt(min: number, max: number): number;
+/**
+ * Hash data using SHA-256 and return as hex string
+ */
+declare function sha256Hex(data: string): Promise<string>;
+/**
+ * Hash data using SHA-256 and return as Uint8Array
+ */
+declare function sha256(data: string): Promise<Uint8Array>;
+/**
+ * Timing-safe comparison of two strings
+ * Prevents timing attacks by always comparing all bytes
+ */
+declare function timingSafeEqual(a: string, b: string): boolean;
+/**
+ * Timing-safe comparison of two Uint8Arrays
+ */
+declare function timingSafeEqualBytes(a: Uint8Array, b: Uint8Array): boolean;
+/**
+ * Base64URL encode (URL-safe base64 without padding)
+ */
+declare function base64UrlEncode(data: Uint8Array): string;
+/**
+ * Base64URL decode
+ */
+declare function base64UrlDecode(str: string): Uint8Array;
+/**
+ * Hex string to Uint8Array
+ */
+declare function hexToBytes(hex: string): Uint8Array;
+/**
+ * Uint8Array to hex string
+ */
+declare function bytesToHex(bytes: Uint8Array): string;
+
+/**
+ * Drizzle Adapter Types
+ * Database table definitions for auth (PostgreSQL)
+ */
+/**
+ * Database schema types - these should match your actual Drizzle schema
+ * Import these from your database package when using the adapter
+ */
+interface DrizzleAuthSchema {
+    /** Users table */
+    users: any;
+    /** Sessions table */
+    sessions: any;
+    /** Auth methods table (email, phone, oauth) */
+    authMethods: any;
+    /** Tenants table */
+    tenants?: any;
+    /** Tenant memberships table */
+    tenantMemberships?: any;
+    /** Roles table */
+    roles?: any;
+    /** Email verification tokens table */
+    emailVerificationTokens?: any;
+    /** TOTP secrets table */
+    totpSecrets?: any;
+    /** WebAuthn credentials table */
+    webauthnCredentials?: any;
+    /** OAuth states table */
+    oauthStates?: any;
+    /** Magic link tokens table */
+    magicLinkTokens?: any;
+    /** Audit log table */
+    authAuditLog?: any;
+}
+/**
+ * User model
+ */
+interface DrizzleUser {
+    id: string;
+    displayName: string | null;
+    avatarUrl: string | null;
+    emailVerified: boolean;
+    phoneVerified: boolean;
+    twoFactorEnabled: boolean;
+    twoFactorSecret: string | null;
+    status: string;
+    metadata: Record<string, unknown> | null;
+    insertedAt: Date;
+    updatedAt: Date;
+    deletedAt: Date | null;
+}
+/**
+ * Session model
+ */
+interface DrizzleSession {
+    id: string;
+    userId: string;
+    authMethodId: string | null;
+    currentTenantId: string | null;
+    accessTokenHash: string | null;
+    refreshTokenHash: string | null;
+    csrfTokenHash: string;
+    expiresAt: Date;
+    refreshExpiresAt: Date | null;
+    deviceType: string | null;
+    deviceName: string | null;
+    userAgent: string | null;
+    ipAddress: string | null;
+    locationData: Record<string, unknown> | null;
+    deviceFingerprint: string | null;
+    status: string;
+    lastActivityAt: Date;
+    revokedAt: Date | null;
+    revokedReason: string | null;
+    insertedAt: Date;
+    updatedAt: Date;
+    deletedAt: Date | null;
+}
+/**
+ * Auth method model
+ */
+interface DrizzleAuthMethod {
+    id: string;
+    userId: string;
+    provider: string;
+    providerId: string;
+    verified: boolean;
+    metadata: Record<string, unknown> | null;
+    insertedAt: Date;
+    updatedAt: Date;
+    deletedAt: Date | null;
+}
+/**
+ * Tenant model
+ */
+interface DrizzleTenant {
+    id: string;
+    name: string;
+    slug: string;
+    status: string;
+    subscriptionPlan: string;
+    settings: Record<string, unknown>;
+    insertedAt: Date;
+    updatedAt: Date;
+    deletedAt: Date | null;
+}
+/**
+ * Tenant membership model
+ */
+interface DrizzleTenantMembership {
+    id: string;
+    userId: string;
+    tenantId: string;
+    roleId: string | null;
+    status: string;
+    permissions: Record<string, unknown>;
+    accessLevel: string;
+    resourceRestrictions: Record<string, unknown>;
+    ipRestrictions: Record<string, unknown> | null;
+    timeRestrictions: Record<string, unknown> | null;
+    expiresAt: Date | null;
+    invitedBy: string | null;
+    invitedAt: Date | null;
+    joinedAt: Date | null;
+    lastLoginAt: Date | null;
+    insertedAt: Date;
+    updatedAt: Date;
+    deletedAt: Date | null;
+}
+/**
+ * Role model
+ */
+interface DrizzleRole {
+    id: string;
+    tenantId: string;
+    name: string;
+    description: string | null;
+    isSystem: boolean;
+    isActive: boolean;
+    color: string | null;
+    insertedAt: Date;
+    updatedAt: Date;
+    deletedAt: Date | null;
+}
+/**
+ * Email verification token model
+ */
+interface DrizzleEmailVerificationToken {
+    id: string;
+    email: string;
+    tokenHash: string;
+    expiresAt: Date;
+    usedAt: Date | null;
+    createdBy: string | null;
+    insertedAt: Date;
+    updatedAt: Date;
+}
+/**
+ * Drizzle database instance type
+ */
+type DrizzleDatabase = {
+    select: (fields?: any) => any;
+    insert: (table: any) => any;
+    update: (table: any) => any;
+    delete: (table: any) => any;
+    query: Record<string, any>;
+};
+
+/**
+ * Drizzle ORM Adapter for @parsrun/auth
+ * Implements AuthAdapter interface using Drizzle ORM with PostgreSQL
+ */
+
+/**
+ * Drizzle adapter configuration
+ */
+interface DrizzleAdapterConfig {
+    /** Drizzle database instance */
+    db: DrizzleDatabase;
+    /** Database schema with auth tables */
+    schema: DrizzleAuthSchema;
+    /** Enable soft deletes (default: true) */
+    softDelete?: boolean;
+    /** Enable audit logging (default: false) */
+    enableAuditLog?: boolean;
+}
+/**
+ * Create Drizzle adapter
+ */
+declare function createDrizzleAdapter(config: DrizzleAdapterConfig): AuthAdapter;
+
+/**
+ * Email Service Types
+ */
+/**
+ * Email provider interface
+ */
+interface EmailProvider {
+    /** Send an email */
+    sendEmail(options: EmailOptions): Promise<EmailResult>;
+}
+/**
+ * Email options
+ */
+interface EmailOptions {
+    /** Recipient email address */
+    to: string;
+    /** Email subject */
+    subject: string;
+    /** HTML content */
+    html?: string;
+    /** Plain text content */
+    text?: string;
+    /** From email (overrides default) */
+    from?: string;
+    /** Reply-to address */
+    replyTo?: string;
+    /** CC recipients */
+    cc?: string[];
+    /** BCC recipients */
+    bcc?: string[];
+    /** Custom headers */
+    headers?: Record<string, string>;
+    /** Attachments */
+    attachments?: EmailAttachment[];
+}
+/**
+ * Email attachment
+ */
+interface EmailAttachment {
+    filename: string;
+    content: string | Buffer;
+    contentType?: string;
+}
+/**
+ * Email send result
+ */
+interface EmailResult {
+    success: boolean;
+    messageId?: string;
+    error?: string;
+}
+/**
+ * Email service configuration
+ */
+interface EmailServiceConfig {
+    /** Email provider instance */
+    provider?: EmailProvider;
+    /** API key for default provider */
+    apiKey?: string;
+    /** Default from email */
+    fromEmail?: string;
+    /** Default from name */
+    fromName?: string;
+    /** Development mode (logs emails instead of sending) */
+    devMode?: boolean;
+}
+/**
+ * OTP email options
+ */
+interface OTPEmailOptions {
+    /** Recipient email */
+    email: string;
+    /** OTP code */
+    code: string;
+    /** Expiration in minutes (default: 10) */
+    expiresInMinutes?: number;
+    /** User name (for personalization) */
+    userName?: string;
+    /** App name */
+    appName?: string;
+}
+/**
+ * Verification email options
+ */
+interface VerificationEmailOptions {
+    /** Recipient email */
+    email: string;
+    /** Verification URL */
+    verificationUrl: string;
+    /** User name (for personalization) */
+    userName?: string;
+    /** Expiration in hours (default: 24) */
+    expiresInHours?: number;
+    /** App name */
+    appName?: string;
+}
+/**
+ * Welcome email options
+ */
+interface WelcomeEmailOptions {
+    /** Recipient email */
+    email: string;
+    /** User name */
+    userName?: string;
+    /** App name */
+    appName?: string;
+    /** Login URL */
+    loginUrl?: string;
+}
+/**
+ * Magic link email options
+ */
+interface MagicLinkEmailOptions {
+    /** Recipient email */
+    email: string;
+    /** Magic link URL */
+    magicLinkUrl: string;
+    /** Expiration in minutes (default: 15) */
+    expiresInMinutes?: number;
+    /** User name (for personalization) */
+    userName?: string;
+    /** App name */
+    appName?: string;
+}
+/**
+ * Password reset email options
+ */
+interface PasswordResetEmailOptions {
+    /** Recipient email */
+    email: string;
+    /** Reset URL */
+    resetUrl: string;
+    /** Expiration in hours (default: 1) */
+    expiresInHours?: number;
+    /** User name (for personalization) */
+    userName?: string;
+    /** App name */
+    appName?: string;
+}
+/**
+ * Invitation email options
+ */
+interface InvitationEmailOptions {
+    /** Recipient email */
+    email: string;
+    /** Invitation URL */
+    invitationUrl: string;
+    /** Inviter name */
+    inviterName: string;
+    /** Organization/tenant name */
+    organizationName: string;
+    /** Role being assigned */
+    roleName?: string;
+    /** Expiration in days (default: 7) */
+    expiresInDays?: number;
+    /** App name */
+    appName?: string;
+}
+
+/**
+ * Resend Email Provider
+ * Uses Resend API for sending emails
+ */
+
+/**
+ * Resend provider configuration
+ */
+interface ResendProviderConfig {
+    /** Resend API key */
+    apiKey: string;
+    /** Default from email */
+    fromEmail?: string;
+    /** Default from name */
+    fromName?: string;
+    /** Resend API base URL (default: https://api.resend.com) */
+    baseUrl?: string;
+}
+/**
+ * Resend Email Provider
+ */
+declare class ResendEmailProvider implements EmailProvider {
+    private apiKey;
+    private fromEmail;
+    private fromName;
+    private baseUrl;
+    constructor(config: ResendProviderConfig);
+    /**
+     * Send email via Resend API
+     */
+    sendEmail(options: EmailOptions): Promise<EmailResult>;
+}
+/**
+ * Create Resend email provider
+ */
+declare function createResendProvider(config: ResendProviderConfig): ResendEmailProvider;
+
+/**
+ * Email Service
+ * Provides email sending functionality with templates
+ */
+
+/**
+ * Email Service
+ * Singleton service for sending emails
+ */
+declare class EmailService {
+    private provider;
+    private fromEmail;
+    private fromName;
+    private devMode;
+    constructor(config: EmailServiceConfig);
+    /**
+     * Send email
+     */
+    sendEmail(options: EmailOptions): Promise<EmailResult>;
+    /**
+     * Send OTP verification email
+     */
+    sendOTPEmail(options: OTPEmailOptions): Promise<EmailResult>;
+    /**
+     * Send email verification email
+     */
+    sendVerificationEmail(options: VerificationEmailOptions): Promise<EmailResult>;
+    /**
+     * Send magic link email
+     */
+    sendMagicLinkEmail(options: MagicLinkEmailOptions): Promise<EmailResult>;
+    /**
+     * Send welcome email
+     */
+    sendWelcomeEmail(options: WelcomeEmailOptions): Promise<EmailResult>;
+    /**
+     * Send password reset email
+     */
+    sendPasswordResetEmail(options: PasswordResetEmailOptions): Promise<EmailResult>;
+    /**
+     * Send invitation email
+     */
+    sendInvitationEmail(options: InvitationEmailOptions): Promise<EmailResult>;
+}
+/**
+ * Create email service
+ */
+declare function createEmailService(config: EmailServiceConfig): EmailService;
+
+/**
+ * NetGSM SMS Provider
+ * Turkish SMS gateway provider
+ */
+
+/**
+ * NetGSM configuration
+ */
+interface NetGSMConfig {
+    /** NetGSM username */
+    username: string;
+    /** NetGSM password */
+    password: string;
+    /** SMS header/sender ID */
+    header: string;
+    /** NetGSM API URL (default: https://api.netgsm.com.tr/sms/send/otp) */
+    apiUrl?: string;
+}
+/**
+ * NetGSM SMS Provider
+ */
+declare class NetGSMProvider implements SMSProvider {
+    private config;
+    constructor(config: NetGSMConfig);
+    /**
+     * Send SMS via NetGSM API
+     */
+    sendSMS(options: SMSOptions): Promise<SMSResult>;
+    /**
+     * Parse NetGSM XML response
+     */
+    private parseResponse;
+    /**
+     * Get human-readable error message
+     */
+    private getErrorMessage;
+    /**
+     * Escape XML special characters
+     */
+    private escapeXml;
+    /**
+     * Sanitize phone number
+     */
+    private sanitizePhoneNumber;
+}
+/**
+ * Create NetGSM provider
+ */
+declare function createNetGSMProvider(config: NetGSMConfig): NetGSMProvider;
+
+/**
+ * SMS Service
+ * Provides SMS sending functionality
+ */
+/**
+ * SMS provider interface
+ */
+interface SMSProvider {
+    /** Send an SMS */
+    sendSMS(options: SMSOptions): Promise<SMSResult>;
+}
+/**
+ * SMS options
+ */
+interface SMSOptions {
+    /** Recipient phone number (E.164 format) */
+    to: string;
+    /** Message content */
+    message: string;
+    /** Sender ID (alphanumeric, max 11 chars) */
+    from?: string;
+}
+/**
+ * SMS send result
+ */
+interface SMSResult {
+    success: boolean;
+    messageId?: string;
+    error?: string;
+}
+/**
+ * SMS service configuration
+ */
+interface SMSServiceConfig {
+    /** SMS provider instance */
+    provider?: SMSProvider;
+    /** Default sender ID */
+    senderId?: string;
+    /** Development mode (logs SMS instead of sending) */
+    devMode?: boolean;
+}
+/**
+ * OTP SMS options
+ */
+interface OTPSMSOptions {
+    /** Recipient phone number */
+    phone: string;
+    /** OTP code */
+    code: string;
+    /** Expiration in minutes (default: 10) */
+    expiresInMinutes?: number;
+    /** App name */
+    appName?: string;
+}
+/**
+ * SMS Service
+ */
+declare class SMSService {
+    private provider;
+    private senderId;
+    private devMode;
+    constructor(config: SMSServiceConfig);
+    /**
+     * Send SMS
+     */
+    sendSMS(options: SMSOptions): Promise<SMSResult>;
+    /**
+     * Send OTP SMS
+     */
+    sendOTPSMS(options: OTPSMSOptions): Promise<SMSResult>;
+}
+/**
+ * Create SMS service
+ */
+declare function createSMSService(config: SMSServiceConfig): SMSService;
+
+/**
+ * Email Verification Service
+ * Handles email verification tokens and status
+ */
+
+/**
+ * Email verification configuration
+ */
+interface EmailVerificationConfig {
+    /** Base URL for verification links */
+    baseUrl: string;
+    /** Verification callback path (default: /auth/verify-email) */
+    callbackPath?: string;
+    /** Token expiration in seconds (default: 86400 = 24 hours) */
+    expiresIn?: number;
+    /** Token length in bytes (default: 32) */
+    tokenLength?: number;
+}
+/**
+ * Request verification result
+ */
+interface RequestVerificationResult {
+    success: boolean;
+    token?: string;
+    verificationUrl?: string;
+    expiresAt?: Date;
+    error?: string;
+}
+/**
+ * Verify email result
+ */
+interface VerifyEmailResult {
+    success: boolean;
+    email?: string;
+    error?: string;
+}
+/**
+ * Verification status
+ */
+interface VerificationStatus {
+    email: string;
+    verified: boolean;
+    pendingVerification: boolean;
+    expiresAt?: Date;
+}
+/**
+ * Email Verification Service
+ */
+declare class EmailVerificationService {
+    private storage;
+    private config;
+    constructor(storage: KVStorage, config: EmailVerificationConfig);
+    /**
+     * Create verification token for an email
+     */
+    createVerificationToken(email: string, options?: {
+        createdBy?: string;
+    }): Promise<RequestVerificationResult>;
+    /**
+     * Verify an email token
+     */
+    verifyToken(token: string): Promise<VerifyEmailResult>;
+    /**
+     * Check verification status for an email
+     */
+    getStatus(email: string): Promise<VerificationStatus>;
+    /**
+     * Resend verification email
+     * Returns a new token for the same email
+     */
+    resendVerification(email: string, options?: {
+        createdBy?: string;
+    }): Promise<RequestVerificationResult>;
+    /**
+     * Cancel pending verification
+     */
+    cancelVerification(email: string): Promise<void>;
+    /**
+     * Delete token by hash
+     */
+    private deleteToken;
+    /**
+     * Delete all tokens for an email
+     */
+    private deleteTokensByEmail;
+}
+/**
+ * Create email verification service
+ */
+declare function createEmailVerificationService(storage: KVStorage, config: EmailVerificationConfig): EmailVerificationService;
+
+/**
+ * @parsrun/auth - Passwordless-First Authentication
+ *
+ * A provider-based, multi-runtime authentication library.
+ *
+ * @example
+ * ```typescript
+ * import { createAuth } from '@parsrun/auth';
+ *
+ * const auth = createAuth({
+ *   secret: process.env.AUTH_SECRET,
+ *   adapter: myDatabaseAdapter,
+ *   providers: {
+ *     otp: {
+ *       email: {
+ *         send: async (to, code) => {
+ *           await sendEmail(to, `Your code is: ${code}`);
+ *         },
+ *       },
+ *     },
+ *   },
+ * });
+ *
+ * await auth.initialize();
+ *
+ * // Request OTP
+ * await auth.requestOTP({ identifier: 'user@example.com', type: 'email' });
+ *
+ * // Sign in with OTP
+ * const result = await auth.signIn({
+ *   provider: 'otp',
+ *   identifier: 'user@example.com',
+ *   credential: '123456',
+ *   data: { type: 'email' },
+ * });
+ * ```
+ */
+
+/**
+ * Create a Pars Auth instance
+ *
+ * @param config - Auth configuration
+ * @returns ParsAuth instance (must call initialize() before use)
+ *
+ * @example
+ * ```typescript
+ * const auth = createAuth({
+ *   secret: 'your-secret-key',
+ *   adapter: drizzleAdapter(db),
+ *   providers: {
+ *     otp: {
+ *       email: {
+ *         send: async (to, code) => sendEmail(to, code),
+ *       },
+ *     },
+ *   },
+ * });
+ *
+ * await auth.initialize();
+ * ```
+ */
+declare function createAuth(config: ParsAuthConfig): ParsAuthEngine;
+
+export { type AppleConfig, AppleProvider, AuthAdapter, AuthInput, AuthProvider, AuthResult, type AuthenticationOptions, type AuthenticatorData, type ClientDataJSON, type DrizzleAdapterConfig, type DrizzleAuthMethod, type DrizzleAuthSchema, type DrizzleDatabase, type DrizzleEmailVerificationToken, type DrizzleRole, type DrizzleSession, type DrizzleTenant, type DrizzleTenantMembership, type DrizzleUser, type EmailAttachment, type EmailOptions, type EmailProvider, type EmailResult, EmailService, type EmailServiceConfig, type EmailVerificationConfig, EmailVerificationService, type GitHubConfig, GitHubProvider, type GoogleConfig, GoogleProvider, type InvitationEmailOptions, KVStorage, type MagicLinkEmailOptions, MagicLinkProvider, type MagicLinkConfig as MagicLinkProviderConfig, type MicrosoftConfig, MicrosoftProvider, type NetGSMConfig, NetGSMProvider, type OAuthCallbackResult, type OAuthConfig, type OAuthFlowResult, OAuthManager, type OAuthProviderName, type OAuthState, type OAuthTokens, type OAuthUserInfo as OAuthUser, type OTPEmailOptions, type OTPSMSOptions, ParsAuthConfig, ParsAuthEngine, PasswordProvider, type PasswordConfig as PasswordProviderConfig, type PasswordResetEmailOptions, type PasswordStrength, type PasswordValidationResult, ProviderInfo, type RegistrationOptions, type RequestVerificationResult, ResendEmailProvider, type Runtime, type SMSOptions, type SMSProvider, type SMSResult, SMSService, type SMSServiceConfig, type SendMagicLinkResult, TOTPProvider, type TOTPConfig as TOTPProviderConfig, type TOTPSetupData, type TOTPVerifyResult, TwoFactorProvider, TwoFactorSetupResult, type VerificationEmailOptions, type VerificationStatus, type VerifyEmailResult, type VerifyMagicLinkResult, type WebAuthnCredential, WebAuthnProvider, type WebAuthnConfig as WebAuthnProviderConfig, type WelcomeEmailOptions, base64UrlDecode, base64UrlEncode, bytesToHex, createAuth, createDrizzleAdapter, createEmailService, createEmailVerificationService, createMagicLinkProvider, createNetGSMProvider, createOAuthManager, createPasswordProvider, createResendProvider, createSMSService, createTOTPProvider, createWebAuthnProvider, detectRuntime, generatePKCE, generateRandomBase64Url, generateRandomHex, generateState, getEnv, hexToBytes, isBun, isCloudflare, isDeno, isEdge, isNode, randomInt, sha256, sha256Hex, timingSafeEqual, timingSafeEqualBytes };