@parsrun/auth 0.1.0

package/dist/index.js

@@ -0,0 +1,4294 @@
+import './chunk-7GOBAL4G.js';
+export { createAuthCookies, createAuthMiddleware, createAuthRoutes, createHonoAuth, createLogoutCookies, createOptionalAuthMiddleware, requireAdmin, requireAll, requireAny, requireAnyPermission, requireOwnerOrPermission, requirePermission, requireRole, requireTenant, requireTenantAccess } from './chunk-RHNVRCF3.js';
+import { ProviderRegistry } from './chunk-G5I3T73A.js';
+export { ProviderRegistry } from './chunk-G5I3T73A.js';
+import { generateRandomHex, sha256Hex } from './chunk-YTCPXJR5.js';
+export { CsrfManager, CsrfUtils, DefaultLockoutConfig, LockoutManager, RateLimitPresets, RateLimiter, base64UrlDecode, base64UrlEncode, bytesToHex, createCsrfManager, createLockoutManager, createRateLimiter, generateRandomBase64Url, generateRandomHex, hexToBytes, randomInt, sha256, sha256Hex, timingSafeEqual, timingSafeEqualBytes } from './chunk-YTCPXJR5.js';
+export { AuthorizationGuard, Permissions, Roles, authorize, createAuthorizationGuard } from './chunk-NK4TJV2W.js';
+import { JwtManager, SessionBlocklist } from './chunk-MOG4Y6I7.js';
+export { JwtError, JwtManager, SessionBlocklist, TokenBlocklist, createJwtManager, createSessionBlocklist, createTokenBlocklist, extractBearerToken, parseDuration } from './chunk-MOG4Y6I7.js';
+import { OTPProvider } from './chunk-IB4WUQDZ.js';
+export { OTPManager, OTPProvider, createOTPManager, createOTPProvider } from './chunk-IB4WUQDZ.js';
+import { createStorage } from './chunk-42MGHABB.js';
+export { MemoryStorage, StorageKeys, createMemoryStorage, createStorage, createStorageSync, detectRuntime, getEnv, isBun, isCloudflare, isDeno, isEdge, isNode } from './chunk-42MGHABB.js';
+import { eq, and, isNull, desc } from 'drizzle-orm';
+
+// src/config.ts
+var defaultConfig = {
+  providers: {
+    otp: {
+      enabled: true,
+      email: {
+        enabled: true,
+        expiresIn: 600,
+        length: 6,
+        maxAttempts: 3,
+        rateLimit: 5,
+        rateLimitWindow: 900,
+        // send function must be provided by user
+        send: async () => {
+          throw new Error("[Pars Auth] Email OTP send function not configured");
+        }
+      },
+      sms: {
+        enabled: false,
+        expiresIn: 300,
+        length: 6,
+        maxAttempts: 3,
+        rateLimit: 3,
+        rateLimitWindow: 900,
+        send: async () => {
+          throw new Error("[Pars Auth] SMS OTP send function not configured");
+        }
+      }
+    },
+    password: {
+      enabled: false
+      // EXPLICITLY DISABLED BY DEFAULT
+    }
+  },
+  session: {
+    accessTokenExpiry: 900,
+    // 15 minutes
+    refreshTokenExpiry: 604800,
+    // 7 days
+    slidingWindow: true,
+    maxSessions: 5,
+    invalidateOnPasswordChange: true
+  },
+  jwt: {
+    algorithm: "HS256"
+  },
+  cookies: {
+    prefix: "pars",
+    path: "/",
+    sameSite: "lax",
+    httpOnly: true
+  },
+  security: {
+    rateLimit: {
+      enabled: true,
+      loginAttempts: 5,
+      windowSize: 900
+    },
+    lockout: {
+      enabled: true,
+      maxAttempts: 5,
+      duration: 900
+    },
+    csrf: {
+      enabled: true,
+      headerName: "x-csrf-token",
+      cookieName: "csrf"
+    }
+  },
+  tenant: {
+    enabled: true,
+    strategy: "header",
+    headerName: "x-tenant-id"
+  }
+};
+function mergeConfig(config) {
+  return {
+    secret: config.secret,
+    baseUrl: config.baseUrl ?? "",
+    storage: config.storage ?? {},
+    providers: {
+      ...defaultConfig.providers,
+      ...config.providers,
+      otp: {
+        ...defaultConfig.providers?.otp,
+        ...config.providers?.otp,
+        email: {
+          ...defaultConfig.providers?.otp?.email,
+          ...config.providers?.otp?.email
+        },
+        sms: {
+          ...defaultConfig.providers?.otp?.sms,
+          ...config.providers?.otp?.sms
+        }
+      },
+      password: {
+        ...defaultConfig.providers?.password,
+        ...config.providers?.password
+      }
+    },
+    session: { ...defaultConfig.session, ...config.session },
+    jwt: { ...defaultConfig.jwt, ...config.jwt },
+    cookies: { ...defaultConfig.cookies, ...config.cookies },
+    security: {
+      ...defaultConfig.security,
+      ...config.security,
+      rateLimit: { ...defaultConfig.security?.rateLimit, ...config.security?.rateLimit },
+      lockout: { ...defaultConfig.security?.lockout, ...config.security?.lockout },
+      csrf: { ...defaultConfig.security?.csrf, ...config.security?.csrf }
+    },
+    tenant: { ...defaultConfig.tenant, ...config.tenant },
+    adapter: config.adapter,
+    callbacks: config.callbacks ?? {}
+  };
+}
+function validateConfig(config) {
+  if (!config.secret) {
+    throw new Error("[Pars Auth] Secret is required");
+  }
+  if (config.secret.length < 32) {
+    console.warn(
+      "[Pars Auth] Secret should be at least 32 characters for security"
+    );
+  }
+  if (!config.adapter) {
+    throw new Error("[Pars Auth] Database adapter is required");
+  }
+  if (config.providers?.password?.enabled) {
+    console.warn(
+      "[Pars Auth] Password authentication is enabled. Consider using passwordless authentication (OTP, Magic Link, WebAuthn) for better security."
+    );
+  }
+  if (config.providers?.otp?.email?.enabled !== false && !config.providers?.otp?.email?.send) {
+    console.warn(
+      "[Pars Auth] Email OTP is enabled but send function is not configured"
+    );
+  }
+}
+
+// src/core/tenant-manager.ts
+var TenantManager = class {
+  adapter;
+  constructor(adapter) {
+    this.adapter = adapter;
+  }
+  // ============================================
+  // Tenant Operations
+  // ============================================
+  /**
+   * Create a new tenant with owner
+   */
+  async createTenant(input) {
+    if (!this.adapter.findTenantById) {
+      throw new Error("Tenant operations not supported by adapter");
+    }
+    const slug = input.slug ?? this.generateSlug(input.name);
+    const existingTenant = await this.adapter.findTenantBySlug?.(slug);
+    if (existingTenant) {
+      throw new Error(`Tenant with slug '${slug}' already exists`);
+    }
+    throw new Error(
+      "createTenant not implemented in adapter. Please implement createTenant in your adapter or use direct database access."
+    );
+  }
+  /**
+   * Get tenant by ID
+   */
+  async getTenantById(id) {
+    if (!this.adapter.findTenantById) {
+      return null;
+    }
+    return this.adapter.findTenantById(id);
+  }
+  /**
+   * Get tenant by slug
+   */
+  async getTenantBySlug(slug) {
+    if (!this.adapter.findTenantBySlug) {
+      return null;
+    }
+    return this.adapter.findTenantBySlug(slug);
+  }
+  /**
+   * Check if user is member of tenant
+   */
+  async isMember(userId, tenantId) {
+    if (!this.adapter.findMembership) {
+      return false;
+    }
+    const membership = await this.adapter.findMembership(userId, tenantId);
+    return membership !== null && membership.status === "active";
+  }
+  /**
+   * Check if user has specific role in tenant
+   */
+  async hasRole(userId, tenantId, role) {
+    if (!this.adapter.findMembership) {
+      return false;
+    }
+    const membership = await this.adapter.findMembership(userId, tenantId);
+    return membership !== null && membership.role === role && membership.status === "active";
+  }
+  /**
+   * Check if user is owner of tenant
+   */
+  async isOwner(userId, tenantId) {
+    return this.hasRole(userId, tenantId, "owner");
+  }
+  /**
+   * Check if user is admin of tenant (owner or admin)
+   */
+  async isAdmin(userId, tenantId) {
+    if (!this.adapter.findMembership) {
+      return false;
+    }
+    const membership = await this.adapter.findMembership(userId, tenantId);
+    if (!membership || membership.status !== "active") {
+      return false;
+    }
+    return membership.role === "owner" || membership.role === "admin";
+  }
+  // ============================================
+  // Membership Operations
+  // ============================================
+  /**
+   * Add a member to tenant
+   */
+  async addMember(input) {
+    if (!this.adapter.createMembership) {
+      throw new Error("Membership operations not supported by adapter");
+    }
+    const existing = await this.adapter.findMembership?.(input.userId, input.tenantId);
+    if (existing) {
+      throw new Error("User is already a member of this tenant");
+    }
+    return this.adapter.createMembership({
+      userId: input.userId,
+      tenantId: input.tenantId,
+      role: input.role,
+      permissions: input.permissions
+    });
+  }
+  /**
+   * Update member role/permissions
+   */
+  async updateMember(userId, tenantId, updates) {
+    if (!this.adapter.findMembership || !this.adapter.updateMembership) {
+      throw new Error("Membership operations not supported by adapter");
+    }
+    const membership = await this.adapter.findMembership(userId, tenantId);
+    if (!membership) {
+      throw new Error("Membership not found");
+    }
+    return this.adapter.updateMembership(membership.id, updates);
+  }
+  /**
+   * Remove member from tenant
+   */
+  async removeMember(userId, tenantId) {
+    if (!this.adapter.findMembership || !this.adapter.deleteMembership) {
+      throw new Error("Membership operations not supported by adapter");
+    }
+    const membership = await this.adapter.findMembership(userId, tenantId);
+    if (!membership) {
+      throw new Error("Membership not found");
+    }
+    if (membership.role === "owner") {
+      const allMemberships = await this.getMembersByTenant(tenantId);
+      const owners = allMemberships.filter((m) => m.role === "owner");
+      if (owners.length <= 1) {
+        throw new Error("Cannot remove the last owner of a tenant");
+      }
+    }
+    await this.adapter.deleteMembership(membership.id);
+  }
+  /**
+   * Get membership for user in tenant
+   */
+  async getMembership(userId, tenantId) {
+    if (!this.adapter.findMembership) {
+      return null;
+    }
+    return this.adapter.findMembership(userId, tenantId);
+  }
+  /**
+   * Get all tenants for a user
+   */
+  async getUserTenants(userId) {
+    if (!this.adapter.findMembershipsByUserId) {
+      return [];
+    }
+    const memberships = await this.adapter.findMembershipsByUserId(userId);
+    const enriched = await Promise.all(
+      memberships.map(async (membership) => {
+        const tenant = await this.adapter.findTenantById?.(membership.tenantId);
+        return {
+          ...membership,
+          tenant: tenant ?? void 0
+        };
+      })
+    );
+    return enriched;
+  }
+  /**
+   * Get all members of a tenant
+   * Note: This requires iterating through users, which is not efficient
+   * Consider adding findMembershipsByTenantId to the adapter
+   */
+  async getMembersByTenant(_tenantId) {
+    console.warn(
+      "getMembersByTenant: Consider implementing findMembershipsByTenantId in adapter"
+    );
+    return [];
+  }
+  /**
+   * Transfer ownership to another member
+   */
+  async transferOwnership(tenantId, currentOwnerId, newOwnerId) {
+    if (!this.adapter.findMembership || !this.adapter.updateMembership) {
+      throw new Error("Membership operations not supported by adapter");
+    }
+    const currentOwnership = await this.adapter.findMembership(currentOwnerId, tenantId);
+    if (!currentOwnership || currentOwnership.role !== "owner") {
+      throw new Error("Current user is not the owner");
+    }
+    const newOwnership = await this.adapter.findMembership(newOwnerId, tenantId);
+    if (!newOwnership) {
+      throw new Error("New owner must be an existing member");
+    }
+    await this.adapter.updateMembership(newOwnership.id, { role: "owner" });
+    await this.adapter.updateMembership(currentOwnership.id, { role: "admin" });
+  }
+  // ============================================
+  // Tenant Switching
+  // ============================================
+  /**
+   * Validate tenant switch
+   * Returns the tenant if switch is allowed
+   */
+  async validateTenantSwitch(userId, targetTenantId) {
+    const tenant = await this.getTenantById(targetTenantId);
+    if (!tenant) {
+      throw new Error("Tenant not found");
+    }
+    if (tenant.status !== "active") {
+      throw new Error("Tenant is not active");
+    }
+    const membership = await this.getMembership(userId, targetTenantId);
+    if (!membership) {
+      throw new Error("User is not a member of this tenant");
+    }
+    if (membership.status !== "active") {
+      throw new Error("Membership is not active");
+    }
+    return { tenant, membership };
+  }
+  /**
+   * Get default tenant for user
+   * Returns the first active tenant membership
+   */
+  async getDefaultTenant(userId) {
+    const tenants = await this.getUserTenants(userId);
+    const active = tenants.find(
+      (t) => t.status === "active" && t.tenant?.status === "active"
+    );
+    return active ?? null;
+  }
+  // ============================================
+  // Utility Methods
+  // ============================================
+  /**
+   * Generate URL-friendly slug from name
+   */
+  generateSlug(name) {
+    return name.toLowerCase().trim().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "");
+  }
+  /**
+   * Generate unique tenant slug
+   */
+  async generateUniqueSlug(name) {
+    const baseSlug = this.generateSlug(name);
+    let slug = baseSlug;
+    let counter = 1;
+    while (await this.adapter.findTenantBySlug?.(slug)) {
+      slug = `${baseSlug}-${counter}`;
+      counter++;
+    }
+    return slug;
+  }
+};
+function createTenantManager(adapter) {
+  return new TenantManager(adapter);
+}
+
+// src/core/tenant-resolver.ts
+var TenantResolver = class {
+  config;
+  constructor(config) {
+    this.config = {
+      headerName: "x-tenant-id",
+      pathPrefix: "/t/",
+      queryParam: "tenant",
+      required: false,
+      ...config
+    };
+  }
+  /**
+   * Resolve tenant from request
+   */
+  async resolve(request) {
+    const { strategy } = this.config;
+    let result = {
+      tenantId: null,
+      resolvedFrom: null
+    };
+    switch (strategy) {
+      case "subdomain":
+        result = this.resolveFromSubdomain(request);
+        break;
+      case "header":
+        result = this.resolveFromHeader(request);
+        break;
+      case "path":
+        result = this.resolveFromPath(request);
+        break;
+      case "query":
+        result = this.resolveFromQuery(request);
+        break;
+      case "custom":
+        result = await this.resolveFromCustom(request);
+        break;
+    }
+    if (!result.tenantId && this.config.fallbackTenantId) {
+      result = {
+        tenantId: this.config.fallbackTenantId,
+        resolvedFrom: "fallback"
+      };
+    }
+    return result;
+  }
+  /**
+   * Resolve tenant from subdomain
+   * e.g., acme.example.com -> 'acme'
+   */
+  resolveFromSubdomain(request) {
+    const url = new URL(request.url);
+    const host = url.hostname;
+    const parts = host.split(".");
+    if (parts.length >= 3 || parts.length === 2 && parts[1] === "localhost") {
+      const subdomain = parts[0];
+      const skipSubdomains = ["www", "api", "app", "admin", "mail", "ftp"];
+      if (!skipSubdomains.includes(subdomain.toLowerCase())) {
+        return {
+          tenantId: subdomain,
+          resolvedFrom: "subdomain",
+          originalValue: subdomain
+        };
+      }
+    }
+    return { tenantId: null, resolvedFrom: null };
+  }
+  /**
+   * Resolve tenant from header
+   * e.g., X-Tenant-ID: acme
+   */
+  resolveFromHeader(request) {
+    const headerValue = request.headers.get(this.config.headerName);
+    if (headerValue) {
+      return {
+        tenantId: headerValue,
+        resolvedFrom: "header",
+        originalValue: headerValue
+      };
+    }
+    return { tenantId: null, resolvedFrom: null };
+  }
+  /**
+   * Resolve tenant from URL path
+   * e.g., /t/acme/api/users -> 'acme'
+   */
+  resolveFromPath(request) {
+    const url = new URL(request.url);
+    const pathname = url.pathname;
+    const prefix = this.config.pathPrefix;
+    if (pathname.startsWith(prefix)) {
+      const rest = pathname.slice(prefix.length);
+      const slashIndex = rest.indexOf("/");
+      const tenantSlug = slashIndex > 0 ? rest.slice(0, slashIndex) : rest;
+      if (tenantSlug) {
+        return {
+          tenantId: tenantSlug,
+          resolvedFrom: "path",
+          originalValue: tenantSlug
+        };
+      }
+    }
+    return { tenantId: null, resolvedFrom: null };
+  }
+  /**
+   * Resolve tenant from query parameter
+   * e.g., /api/users?tenant=acme -> 'acme'
+   */
+  resolveFromQuery(request) {
+    const url = new URL(request.url);
+    const tenantId = url.searchParams.get(this.config.queryParam);
+    if (tenantId) {
+      return {
+        tenantId,
+        resolvedFrom: "query",
+        originalValue: tenantId
+      };
+    }
+    return { tenantId: null, resolvedFrom: null };
+  }
+  /**
+   * Resolve tenant using custom resolver
+   */
+  async resolveFromCustom(request) {
+    if (!this.config.resolver) {
+      return { tenantId: null, resolvedFrom: null };
+    }
+    const tenantId = await this.config.resolver(request);
+    if (tenantId) {
+      return {
+        tenantId,
+        resolvedFrom: "custom",
+        originalValue: tenantId
+      };
+    }
+    return { tenantId: null, resolvedFrom: null };
+  }
+  /**
+   * Check if tenant is required but not found
+   */
+  isRequired() {
+    return this.config.required;
+  }
+  /**
+   * Get the path without tenant prefix (for path strategy)
+   */
+  stripTenantFromPath(pathname) {
+    if (this.config.strategy !== "path") {
+      return pathname;
+    }
+    const prefix = this.config.pathPrefix;
+    if (pathname.startsWith(prefix)) {
+      const rest = pathname.slice(prefix.length);
+      const slashIndex = rest.indexOf("/");
+      if (slashIndex > 0) {
+        return rest.slice(slashIndex);
+      }
+      return "/";
+    }
+    return pathname;
+  }
+};
+function createTenantResolver(config) {
+  return new TenantResolver(config);
+}
+var MultiStrategyTenantResolver = class {
+  resolvers;
+  fallbackTenantId;
+  constructor(strategies, options) {
+    this.resolvers = strategies.map((s) => new TenantResolver(s));
+    this.fallbackTenantId = options?.fallbackTenantId;
+  }
+  /**
+   * Resolve tenant trying each strategy in order
+   */
+  async resolve(request) {
+    for (const resolver of this.resolvers) {
+      const result = await resolver.resolve(request);
+      if (result.tenantId) {
+        return result;
+      }
+    }
+    if (this.fallbackTenantId) {
+      return {
+        tenantId: this.fallbackTenantId,
+        resolvedFrom: "fallback"
+      };
+    }
+    return { tenantId: null, resolvedFrom: null };
+  }
+};
+function createMultiStrategyResolver(strategies, options) {
+  return new MultiStrategyTenantResolver(strategies, options);
+}
+
+// src/core/invitation.ts
+var InvitationService = class {
+  storage;
+  adapter;
+  config;
+  constructor(storage, adapter, config) {
+    this.storage = storage;
+    this.adapter = adapter;
+    this.config = {
+      callbackPath: "/auth/invitation",
+      expiresIn: 604800,
+      // 7 days
+      tokenLength: 32,
+      ...config
+    };
+  }
+  /**
+   * Send an invitation to join a tenant
+   */
+  async sendInvitation(input) {
+    const normalizedEmail = input.email.toLowerCase().trim();
+    const existingUser = await this.adapter.findUserByEmail(normalizedEmail);
+    if (existingUser) {
+      const membership = await this.adapter.findMembership?.(existingUser.id, input.tenantId);
+      if (membership && membership.status === "active") {
+        return { success: false, error: "User is already a member of this tenant" };
+      }
+    }
+    const existingInvitation = await this.getInvitationByEmail(normalizedEmail, input.tenantId);
+    if (existingInvitation && existingInvitation.status === "pending") {
+      await this.cancelInvitation(existingInvitation.id);
+    }
+    const token = await generateRandomHex(this.config.tokenLength);
+    const tokenHash = await sha256Hex(token);
+    const id = await generateRandomHex(16);
+    const expiresAt = new Date(Date.now() + this.config.expiresIn * 1e3);
+    const invitation = {
+      id,
+      email: normalizedEmail,
+      tenantId: input.tenantId,
+      role: input.role,
+      permissions: input.permissions,
+      invitedBy: input.invitedBy,
+      tokenHash,
+      expiresAt: expiresAt.toISOString(),
+      status: "pending",
+      createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+      message: input.message
+    };
+    await this.storage.set(
+      `invitation:hash:${tokenHash}`,
+      invitation,
+      this.config.expiresIn
+    );
+    await this.storage.set(
+      `invitation:id:${id}`,
+      invitation,
+      this.config.expiresIn
+    );
+    await this.storage.set(
+      `invitation:email:${normalizedEmail}:${input.tenantId}`,
+      id,
+      this.config.expiresIn
+    );
+    const params = new URLSearchParams({ token });
+    const invitationUrl = `${this.config.baseUrl}${this.config.callbackPath}?${params}`;
+    return {
+      success: true,
+      invitation,
+      invitationUrl,
+      token
+    };
+  }
+  /**
+   * Accept an invitation
+   */
+  async acceptInvitation(input) {
+    const tokenHash = await sha256Hex(input.token);
+    const invitation = await this.storage.get(`invitation:hash:${tokenHash}`);
+    if (!invitation) {
+      return { success: false, error: "Invalid or expired invitation" };
+    }
+    if (invitation.status !== "pending") {
+      return { success: false, error: `Invitation is ${invitation.status}` };
+    }
+    if (new Date(invitation.expiresAt) < /* @__PURE__ */ new Date()) {
+      invitation.status = "expired";
+      await this.updateInvitation(invitation);
+      return { success: false, error: "Invitation has expired" };
+    }
+    const existingMembership = await this.adapter.findMembership?.(
+      input.userId,
+      invitation.tenantId
+    );
+    if (existingMembership && existingMembership.status === "active") {
+      return { success: false, error: "You are already a member of this tenant" };
+    }
+    let membership;
+    if (existingMembership) {
+      membership = await this.adapter.updateMembership(existingMembership.id, {
+        role: invitation.role,
+        permissions: invitation.permissions,
+        status: "active"
+      });
+    } else {
+      membership = await this.adapter.createMembership({
+        userId: input.userId,
+        tenantId: invitation.tenantId,
+        role: invitation.role,
+        permissions: invitation.permissions
+      });
+    }
+    invitation.status = "accepted";
+    invitation.acceptedAt = (/* @__PURE__ */ new Date()).toISOString();
+    invitation.acceptedBy = input.userId;
+    await this.updateInvitation(invitation);
+    const tenant = await this.adapter.findTenantById?.(invitation.tenantId);
+    return {
+      success: true,
+      membership,
+      tenant: tenant ?? void 0
+    };
+  }
+  /**
+   * Check invitation status
+   */
+  async checkInvitation(token) {
+    const tokenHash = await sha256Hex(token);
+    const invitation = await this.storage.get(`invitation:hash:${tokenHash}`);
+    if (!invitation) {
+      return { valid: false, error: "Invalid or expired invitation" };
+    }
+    if (invitation.status !== "pending") {
+      return { valid: false, error: `Invitation is ${invitation.status}`, invitation };
+    }
+    if (new Date(invitation.expiresAt) < /* @__PURE__ */ new Date()) {
+      invitation.status = "expired";
+      await this.updateInvitation(invitation);
+      return { valid: false, error: "Invitation has expired", invitation };
+    }
+    const tenant = await this.adapter.findTenantById?.(invitation.tenantId);
+    return {
+      valid: true,
+      invitation,
+      tenant: tenant ?? void 0
+    };
+  }
+  /**
+   * Cancel an invitation
+   */
+  async cancelInvitation(invitationId) {
+    const invitation = await this.storage.get(`invitation:id:${invitationId}`);
+    if (!invitation) {
+      return false;
+    }
+    if (invitation.status !== "pending") {
+      return false;
+    }
+    invitation.status = "cancelled";
+    await this.updateInvitation(invitation);
+    return true;
+  }
+  /**
+   * Get invitation by ID
+   */
+  async getInvitationById(id) {
+    return this.storage.get(`invitation:id:${id}`);
+  }
+  /**
+   * Get invitation by email and tenant
+   */
+  async getInvitationByEmail(email, tenantId) {
+    const normalizedEmail = email.toLowerCase().trim();
+    const invitationId = await this.storage.get(
+      `invitation:email:${normalizedEmail}:${tenantId}`
+    );
+    if (!invitationId) {
+      return null;
+    }
+    return this.getInvitationById(invitationId);
+  }
+  /**
+   * Resend invitation (generates new token)
+   */
+  async resendInvitation(invitationId, invitedBy) {
+    const invitation = await this.getInvitationById(invitationId);
+    if (!invitation) {
+      return { success: false, error: "Invitation not found" };
+    }
+    if (invitation.status !== "pending") {
+      return { success: false, error: `Cannot resend ${invitation.status} invitation` };
+    }
+    await this.cancelInvitation(invitationId);
+    return this.sendInvitation({
+      email: invitation.email,
+      tenantId: invitation.tenantId,
+      role: invitation.role,
+      permissions: invitation.permissions,
+      invitedBy,
+      message: invitation.message
+    });
+  }
+  /**
+   * Get pending invitations for a tenant
+   * Note: This requires listing keys which may not be efficient for all storage backends
+   */
+  async getPendingInvitations(_tenantId) {
+    console.warn(
+      "getPendingInvitations: Consider implementing list operation in storage"
+    );
+    return [];
+  }
+  /**
+   * Update invitation record
+   */
+  async updateInvitation(invitation) {
+    const ttl = Math.max(
+      0,
+      Math.floor((new Date(invitation.expiresAt).getTime() - Date.now()) / 1e3)
+    );
+    await this.storage.set(`invitation:id:${invitation.id}`, invitation, ttl || 300);
+    await this.storage.set(
+      `invitation:hash:${invitation.tokenHash}`,
+      invitation,
+      ttl || 300
+    );
+  }
+};
+function createInvitationService(storage, adapter, config) {
+  return new InvitationService(storage, adapter, config);
+}
+
+// src/core/auth-engine.ts
+var ParsAuthEngine = class {
+  config;
+  storage;
+  providers;
+  jwtManager;
+  sessionBlocklist;
+  adapter;
+  callbacks;
+  initialized = false;
+  // Multi-tenant components
+  tenantManager;
+  tenantResolver;
+  invitationService;
+  constructor(config) {
+    validateConfig(config);
+    this.config = mergeConfig(config);
+    this.adapter = config.adapter;
+    this.callbacks = config.callbacks ?? {};
+    this.providers = new ProviderRegistry();
+    const sessionConfig = this.config.session;
+    const jwtIssuer = this.config.jwt.issuer;
+    const issuer = Array.isArray(jwtIssuer) ? jwtIssuer[0] ?? "pars-auth" : jwtIssuer ?? "pars-auth";
+    const jwtAudience = this.config.jwt.audience;
+    const audience = Array.isArray(jwtAudience) ? jwtAudience[0] ?? "pars-client" : jwtAudience ?? "pars-client";
+    this.jwtManager = new JwtManager({
+      secret: this.config.secret,
+      issuer,
+      audience,
+      accessTokenTTL: `${sessionConfig.accessTokenExpiry}s`,
+      refreshTokenTTL: `${sessionConfig.refreshTokenExpiry}s`
+    });
+  }
+  /**
+   * Initialize the auth engine (async operations)
+   * Must be called before using the engine
+   */
+  async initialize() {
+    if (this.initialized) return;
+    this.storage = await createStorage(this.config.storage);
+    this.sessionBlocklist = new SessionBlocklist(this.storage);
+    if (this.config.providers.otp?.enabled !== false) {
+      const otpProvider = new OTPProvider(this.storage, this.config.providers.otp);
+      this.providers.register(otpProvider);
+    }
+    this.tenantManager = createTenantManager(this.adapter);
+    if (this.config.tenant?.enabled !== false) {
+      this.tenantResolver = createTenantResolver({
+        strategy: this.config.tenant.strategy ?? "header",
+        headerName: this.config.tenant.headerName ?? "x-tenant-id"
+      });
+    }
+    if (this.config.baseUrl) {
+      this.invitationService = createInvitationService(
+        this.storage,
+        this.adapter,
+        { baseUrl: this.config.baseUrl }
+      );
+    }
+    this.initialized = true;
+  }
+  /**
+   * Ensure engine is initialized
+   */
+  ensureInitialized() {
+    if (!this.initialized) {
+      throw new Error("[Pars Auth] Engine not initialized. Call initialize() first.");
+    }
+  }
+  /**
+   * Get all registered providers
+   */
+  getProviders() {
+    return this.providers.getEnabled().map((p) => p.getInfo());
+  }
+  /**
+   * Check if a provider is enabled
+   */
+  isProviderEnabled(name) {
+    const provider = this.providers.get(name);
+    return provider?.enabled ?? false;
+  }
+  /**
+   * Request OTP (for OTP provider)
+   */
+  async requestOTP(input) {
+    this.ensureInitialized();
+    const otpProvider = this.providers.get("otp");
+    if (!otpProvider) {
+      return {
+        success: false,
+        error: "OTP provider not enabled"
+      };
+    }
+    return otpProvider.requestOTP(input);
+  }
+  /**
+   * Sign in with any provider
+   */
+  async signIn(input) {
+    this.ensureInitialized();
+    const { provider: providerName, identifier, credential, data, metadata } = input;
+    const provider = this.providers.get(providerName);
+    if (!provider) {
+      return {
+        success: false,
+        error: `Provider '${providerName}' not found`,
+        errorCode: "PROVIDER_NOT_FOUND"
+      };
+    }
+    if (!provider.enabled) {
+      return {
+        success: false,
+        error: `Provider '${providerName}' is not enabled`,
+        errorCode: "PROVIDER_DISABLED"
+      };
+    }
+    const authResult = await provider.authenticate({
+      identifier,
+      credential: credential ?? "",
+      data
+    });
+    if (!authResult.success) {
+      return {
+        success: false,
+        error: authResult.error,
+        errorCode: authResult.errorCode
+      };
+    }
+    let user = await this.findUserByIdentifier(identifier, providerName);
+    if (!user) {
+      if (providerName === "otp") {
+        const otpType = data?.["type"];
+        const createResult = await this.signUp({
+          email: otpType === "email" || !otpType ? identifier : void 0,
+          phone: otpType === "sms" ? identifier : void 0,
+          metadata
+        });
+        if (!createResult.success) {
+          return {
+            success: false,
+            error: createResult.error,
+            errorCode: createResult.errorCode
+          };
+        }
+        user = createResult.user;
+      } else {
+        return {
+          success: false,
+          error: "User not found",
+          errorCode: "USER_NOT_FOUND"
+        };
+      }
+    }
+    if (this.callbacks.validateSignIn) {
+      const allowed = await this.callbacks.validateSignIn(user);
+      if (!allowed) {
+        return {
+          success: false,
+          error: "Sign in not allowed",
+          errorCode: "SIGN_IN_REJECTED"
+        };
+      }
+    }
+    if (user.twoFactorEnabled && providerName !== "totp") {
+      return {
+        success: true,
+        user,
+        requiresTwoFactor: true,
+        twoFactorChallengeId: ""
+        // Generate challenge ID
+      };
+    }
+    const session = await this.createSession(user.id, metadata);
+    if (!session) {
+      return {
+        success: false,
+        error: "Failed to create session",
+        errorCode: "SESSION_CREATE_FAILED"
+      };
+    }
+    const tokens = await this.jwtManager.generateTokenPair({
+      userId: user.id,
+      tenantId: metadata?.tenantId,
+      sessionId: session.id
+    });
+    if (this.callbacks.onSignIn) {
+      await this.callbacks.onSignIn(user, session);
+    }
+    return {
+      success: true,
+      user,
+      session,
+      tokens
+    };
+  }
+  /**
+   * Sign up a new user
+   */
+  async signUp(input) {
+    this.ensureInitialized();
+    const { email, phone, name, avatar, metadata } = input;
+    if (!email && !phone) {
+      return {
+        success: false,
+        error: "Email or phone is required",
+        errorCode: "INVALID_INPUT"
+      };
+    }
+    if (email) {
+      const existing = await this.adapter.findUserByEmail(email);
+      if (existing) {
+        return {
+          success: false,
+          error: "User with this email already exists",
+          errorCode: "USER_EXISTS"
+        };
+      }
+    }
+    if (phone) {
+      const existing = await this.adapter.findUserByPhone(phone);
+      if (existing) {
+        return {
+          success: false,
+          error: "User with this phone already exists",
+          errorCode: "USER_EXISTS"
+        };
+      }
+    }
+    const user = await this.adapter.createUser({
+      email,
+      phone,
+      name,
+      avatar,
+      emailVerified: !!email,
+      // OTP verification counts as email verification
+      phoneVerified: !!phone
+    });
+    const session = await this.createSession(user.id, metadata);
+    const tokens = session ? await this.jwtManager.generateTokenPair({
+      userId: user.id,
+      tenantId: metadata?.tenantId,
+      sessionId: session.id
+    }) : void 0;
+    if (this.callbacks.onSignUp) {
+      await this.callbacks.onSignUp(user);
+    }
+    return {
+      success: true,
+      user,
+      session: session ?? void 0,
+      tokens
+    };
+  }
+  /**
+   * Sign out (revoke session)
+   */
+  async signOut(sessionId, options) {
+    this.ensureInitialized();
+    if (options?.revokeAll && options?.userId) {
+      const sessions = await this.adapter.findSessionsByUserId(options.userId);
+      await this.adapter.deleteSessionsByUserId(options.userId);
+      const tokenExpiry = new Date(
+        Date.now() + this.config.session.refreshTokenExpiry * 1e3
+      );
+      await this.sessionBlocklist.blockAllUserSessions(
+        options.userId,
+        sessions.map((s) => s.id),
+        tokenExpiry,
+        "Sign out all"
+      );
+      if (this.callbacks.onSignOut) {
+        for (const session of sessions) {
+          await this.callbacks.onSignOut(options.userId, session.id);
+        }
+      }
+    } else {
+      const session = await this.adapter.findSessionById(sessionId);
+      if (session) {
+        await this.adapter.deleteSession(sessionId);
+        const tokenExpiry = new Date(
+          Date.now() + this.config.session.refreshTokenExpiry * 1e3
+        );
+        await this.sessionBlocklist.blockSession(sessionId, tokenExpiry, {
+          reason: "Sign out",
+          userId: session.userId
+        });
+        if (this.callbacks.onSignOut) {
+          await this.callbacks.onSignOut(session.userId, sessionId);
+        }
+      }
+    }
+  }
+  /**
+   * Verify access token
+   */
+  async verifyAccessToken(token) {
+    this.ensureInitialized();
+    try {
+      const payload = await this.jwtManager.verifyAccessToken(token);
+      if (payload.sid) {
+        const isBlocked = await this.sessionBlocklist.isBlocked(payload.sid);
+        if (isBlocked) {
+          return {
+            valid: false,
+            error: "Session has been revoked"
+          };
+        }
+      }
+      return {
+        valid: true,
+        payload
+      };
+    } catch (error) {
+      return {
+        valid: false,
+        error: error instanceof Error ? error.message : "Invalid token"
+      };
+    }
+  }
+  /**
+   * Refresh tokens
+   */
+  async refreshTokens(refreshToken) {
+    this.ensureInitialized();
+    try {
+      const { userId, sessionId, tenantId } = await this.jwtManager.verifyRefreshToken(refreshToken);
+      if (sessionId) {
+        const isBlocked = await this.sessionBlocklist.isBlocked(sessionId);
+        if (isBlocked) {
+          return {
+            success: false,
+            error: "Session has been revoked"
+          };
+        }
+      }
+      if (sessionId) {
+        const session = await this.adapter.findSessionById(sessionId);
+        if (!session || session.status !== "active") {
+          return {
+            success: false,
+            error: "Session not found or inactive"
+          };
+        }
+        if (this.config.session.slidingWindow) {
+          const newExpiresAt = new Date(
+            Date.now() + this.config.session.refreshTokenExpiry * 1e3
+          );
+          await this.adapter.updateSession(sessionId, {
+            expiresAt: newExpiresAt
+          });
+        }
+      }
+      const tokens = await this.jwtManager.generateTokenPair({
+        userId,
+        tenantId,
+        sessionId
+      });
+      return {
+        success: true,
+        tokens
+      };
+    } catch (error) {
+      return {
+        success: false,
+        error: error instanceof Error ? error.message : "Invalid refresh token"
+      };
+    }
+  }
+  /**
+   * Get user sessions
+   */
+  async getSessions(userId, currentSessionId) {
+    this.ensureInitialized();
+    const sessions = await this.adapter.findSessionsByUserId(userId);
+    return sessions.filter((s) => s.status === "active").map((s) => ({
+      id: s.id,
+      userId: s.userId,
+      tenantId: s.tenantId ?? void 0,
+      deviceType: s.deviceType ?? void 0,
+      deviceName: s.deviceName ?? void 0,
+      ipAddress: s.ipAddress ?? void 0,
+      createdAt: s.createdAt,
+      expiresAt: s.expiresAt,
+      isCurrent: s.id === currentSessionId
+    }));
+  }
+  /**
+   * Revoke a specific session
+   */
+  async revokeSession(sessionId) {
+    await this.signOut(sessionId);
+  }
+  /**
+   * Revoke all sessions for a user
+   */
+  async revokeAllSessions(userId) {
+    await this.signOut("", { revokeAll: true, userId });
+  }
+  /**
+   * Get the underlying storage instance
+   */
+  getStorage() {
+    this.ensureInitialized();
+    return this.storage;
+  }
+  /**
+   * Get the JWT manager
+   */
+  getJwtManager() {
+    return this.jwtManager;
+  }
+  /**
+   * Get the database adapter
+   */
+  getAdapter() {
+    return this.adapter;
+  }
+  /**
+   * Get configuration
+   */
+  getConfig() {
+    return this.config;
+  }
+  /**
+   * Find user by identifier based on provider
+   */
+  async findUserByIdentifier(identifier, provider) {
+    switch (provider) {
+      case "otp":
+        const userByEmail = await this.adapter.findUserByEmail(identifier);
+        if (userByEmail) return userByEmail;
+        return this.adapter.findUserByPhone(identifier);
+      case "password":
+        return this.adapter.findUserByEmail(identifier);
+      default:
+        const authMethod = await this.adapter.findAuthMethod(provider, identifier);
+        if (authMethod) {
+          return this.adapter.findUserById(authMethod.userId);
+        }
+        return null;
+    }
+  }
+  /**
+   * Create a new session
+   */
+  async createSession(userId, metadata) {
+    const existingSessions = await this.adapter.findSessionsByUserId(userId);
+    const activeSessions = existingSessions.filter((s) => s.status === "active");
+    if (activeSessions.length >= this.config.session.maxSessions) {
+      const oldest = activeSessions.sort(
+        (a, b) => a.createdAt.getTime() - b.createdAt.getTime()
+      )[0];
+      if (oldest) {
+        await this.adapter.deleteSession(oldest.id);
+        await this.sessionBlocklist.blockSession(
+          oldest.id,
+          new Date(Date.now() + this.config.session.refreshTokenExpiry * 1e3),
+          { reason: "Session limit reached", userId }
+        );
+      }
+    }
+    const expiresAt = new Date(
+      Date.now() + this.config.session.accessTokenExpiry * 1e3
+    );
+    const refreshExpiresAt = new Date(
+      Date.now() + this.config.session.refreshTokenExpiry * 1e3
+    );
+    const session = await this.adapter.createSession({
+      userId,
+      tenantId: metadata?.tenantId,
+      expiresAt,
+      refreshExpiresAt,
+      deviceType: metadata?.deviceType,
+      deviceName: metadata?.deviceName,
+      userAgent: metadata?.userAgent,
+      ipAddress: metadata?.ipAddress
+    });
+    if (this.callbacks.onSessionCreated) {
+      await this.callbacks.onSessionCreated({ id: session.id, userId });
+    }
+    return session;
+  }
+  // ============================================
+  // MULTI-TENANT OPERATIONS
+  // ============================================
+  /**
+   * Resolve tenant from request
+   */
+  async resolveTenant(request) {
+    this.ensureInitialized();
+    if (!this.tenantResolver) {
+      return { tenantId: null, resolvedFrom: null };
+    }
+    return this.tenantResolver.resolve(request);
+  }
+  /**
+   * Switch current session to a different tenant
+   */
+  async switchTenant(sessionId, targetTenantId) {
+    this.ensureInitialized();
+    const session = await this.adapter.findSessionById(sessionId);
+    if (!session) {
+      return { success: false, error: "Session not found" };
+    }
+    try {
+      await this.tenantManager.validateTenantSwitch(session.userId, targetTenantId);
+    } catch (error) {
+      return {
+        success: false,
+        error: error instanceof Error ? error.message : "Tenant switch not allowed"
+      };
+    }
+    await this.adapter.updateSession(sessionId, {
+      tenantId: targetTenantId
+    });
+    const tokens = await this.jwtManager.generateTokenPair({
+      userId: session.userId,
+      tenantId: targetTenantId,
+      sessionId: session.id
+    });
+    return { success: true, tokens };
+  }
+  /**
+   * Get all tenants for current user
+   */
+  async getUserTenants(userId) {
+    this.ensureInitialized();
+    const memberships = await this.tenantManager.getUserTenants(userId);
+    return memberships.filter((m) => m.tenant && m.status === "active").map((m) => ({
+      tenant: m.tenant,
+      membership: m
+    }));
+  }
+  /**
+   * Check if user is member of tenant
+   */
+  async isTenantMember(userId, tenantId) {
+    this.ensureInitialized();
+    return this.tenantManager.isMember(userId, tenantId);
+  }
+  /**
+   * Check if user has role in tenant
+   */
+  async hasRoleInTenant(userId, tenantId, role) {
+    this.ensureInitialized();
+    return this.tenantManager.hasRole(userId, tenantId, role);
+  }
+  /**
+   * Get user's membership in a tenant
+   */
+  async getTenantMembership(userId, tenantId) {
+    this.ensureInitialized();
+    return this.tenantManager.getMembership(userId, tenantId);
+  }
+  /**
+   * Add member to tenant
+   */
+  async addTenantMember(input) {
+    this.ensureInitialized();
+    return this.tenantManager.addMember(input);
+  }
+  /**
+   * Update member's role/permissions in tenant
+   */
+  async updateTenantMember(userId, tenantId, updates) {
+    this.ensureInitialized();
+    return this.tenantManager.updateMember(userId, tenantId, updates);
+  }
+  /**
+   * Remove member from tenant
+   */
+  async removeTenantMember(userId, tenantId) {
+    this.ensureInitialized();
+    return this.tenantManager.removeMember(userId, tenantId);
+  }
+  /**
+   * Send invitation to join tenant
+   */
+  async inviteToTenant(input) {
+    this.ensureInitialized();
+    if (!this.invitationService) {
+      return { success: false, error: "Invitation service not configured. Set baseUrl in config." };
+    }
+    return this.invitationService.sendInvitation(input);
+  }
+  /**
+   * Accept an invitation
+   */
+  async acceptInvitation(token, userId) {
+    this.ensureInitialized();
+    if (!this.invitationService) {
+      return { success: false, error: "Invitation service not configured" };
+    }
+    return this.invitationService.acceptInvitation({ token, userId });
+  }
+  /**
+   * Check invitation status
+   */
+  async checkInvitation(token) {
+    this.ensureInitialized();
+    if (!this.invitationService) {
+      return { valid: false, error: "Invitation service not configured" };
+    }
+    const result = await this.invitationService.checkInvitation(token);
+    if (!result.valid) {
+      return { valid: false, error: result.error };
+    }
+    return {
+      valid: true,
+      tenantName: result.tenant?.name,
+      role: result.invitation?.role,
+      email: result.invitation?.email
+    };
+  }
+  /**
+   * Get tenant manager instance
+   */
+  getTenantManager() {
+    this.ensureInitialized();
+    return this.tenantManager;
+  }
+  /**
+   * Get invitation service instance
+   */
+  getInvitationService() {
+    this.ensureInitialized();
+    return this.invitationService;
+  }
+  /**
+   * Get tenant resolver instance
+   */
+  getTenantResolver() {
+    return this.tenantResolver;
+  }
+};
+function createAuthEngine(config) {
+  return new ParsAuthEngine(config);
+}
+
+// src/providers/oauth/google.ts
+var GoogleProvider = class {
+  name = "google";
+  config;
+  constructor(config) {
+    this.config = config;
+  }
+  async getAuthorizationUrl(state, codeChallenge) {
+    const params = new URLSearchParams({
+      client_id: this.config.clientId,
+      redirect_uri: this.config.redirectUri,
+      response_type: "code",
+      scope: this.config.scopes?.join(" ") ?? "openid email profile",
+      state,
+      access_type: "offline",
+      prompt: "consent"
+    });
+    if (codeChallenge) {
+      params.set("code_challenge", codeChallenge);
+      params.set("code_challenge_method", "S256");
+    }
+    return `https://accounts.google.com/o/oauth2/v2/auth?${params}`;
+  }
+  async exchangeCode(code, codeVerifier) {
+    const params = {
+      client_id: this.config.clientId,
+      client_secret: this.config.clientSecret,
+      code,
+      grant_type: "authorization_code",
+      redirect_uri: this.config.redirectUri
+    };
+    if (codeVerifier) {
+      params["code_verifier"] = codeVerifier;
+    }
+    const response = await fetch("https://oauth2.googleapis.com/token", {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: new URLSearchParams(params)
+    });
+    if (!response.ok) {
+      const error = await response.text();
+      throw new Error(`Google token exchange failed: ${error}`);
+    }
+    const data = await response.json();
+    return {
+      accessToken: data["access_token"],
+      refreshToken: data["refresh_token"],
+      expiresIn: data["expires_in"],
+      idToken: data["id_token"],
+      tokenType: data["token_type"],
+      scope: data["scope"]
+    };
+  }
+  async getUserInfo(accessToken) {
+    const response = await fetch("https://www.googleapis.com/oauth2/v3/userinfo", {
+      headers: { Authorization: `Bearer ${accessToken}` }
+    });
+    if (!response.ok) {
+      throw new Error("Failed to fetch Google user info");
+    }
+    const data = await response.json();
+    return {
+      id: data["sub"],
+      email: data["email"],
+      name: data["name"],
+      avatarUrl: data["picture"],
+      emailVerified: data["email_verified"] ?? false,
+      raw: data
+    };
+  }
+  async refreshToken(refreshToken) {
+    const response = await fetch("https://oauth2.googleapis.com/token", {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: new URLSearchParams({
+        client_id: this.config.clientId,
+        client_secret: this.config.clientSecret,
+        refresh_token: refreshToken,
+        grant_type: "refresh_token"
+      })
+    });
+    if (!response.ok) {
+      const error = await response.text();
+      throw new Error(`Google token refresh failed: ${error}`);
+    }
+    const data = await response.json();
+    return {
+      accessToken: data["access_token"],
+      refreshToken: data["refresh_token"] ?? refreshToken,
+      expiresIn: data["expires_in"],
+      idToken: data["id_token"],
+      tokenType: data["token_type"],
+      scope: data["scope"]
+    };
+  }
+};
+
+// src/providers/oauth/github.ts
+var GitHubProvider = class {
+  name = "github";
+  config;
+  constructor(config) {
+    this.config = config;
+  }
+  async getAuthorizationUrl(state, _codeChallenge) {
+    const params = new URLSearchParams({
+      client_id: this.config.clientId,
+      redirect_uri: this.config.redirectUri,
+      scope: this.config.scopes?.join(" ") ?? "read:user user:email",
+      state
+    });
+    return `https://github.com/login/oauth/authorize?${params}`;
+  }
+  async exchangeCode(code, _codeVerifier) {
+    const response = await fetch("https://github.com/login/oauth/access_token", {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Accept: "application/json"
+      },
+      body: JSON.stringify({
+        client_id: this.config.clientId,
+        client_secret: this.config.clientSecret,
+        code,
+        redirect_uri: this.config.redirectUri
+      })
+    });
+    if (!response.ok) {
+      const error = await response.text();
+      throw new Error(`GitHub token exchange failed: ${error}`);
+    }
+    const data = await response.json();
+    if (data["error"]) {
+      throw new Error(`GitHub OAuth error: ${data["error_description"] ?? data["error"]}`);
+    }
+    return {
+      accessToken: data["access_token"],
+      tokenType: data["token_type"],
+      scope: data["scope"]
+    };
+  }
+  async getUserInfo(accessToken) {
+    const userResponse = await fetch("https://api.github.com/user", {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        Accept: "application/vnd.github.v3+json"
+      }
+    });
+    if (!userResponse.ok) {
+      throw new Error("Failed to fetch GitHub user info");
+    }
+    const userData = await userResponse.json();
+    let email = userData["email"];
+    let emailVerified = false;
+    if (!email) {
+      try {
+        const emailsResponse = await fetch("https://api.github.com/user/emails", {
+          headers: {
+            Authorization: `Bearer ${accessToken}`,
+            Accept: "application/vnd.github.v3+json"
+          }
+        });
+        if (emailsResponse.ok) {
+          const emails = await emailsResponse.json();
+          const primaryEmail = emails.find((e) => e.primary && e.verified);
+          if (primaryEmail) {
+            email = primaryEmail.email;
+            emailVerified = primaryEmail.verified;
+          }
+        }
+      } catch {
+      }
+    }
+    return {
+      id: String(userData["id"]),
+      email: email ?? "",
+      name: userData["name"] ?? userData["login"],
+      avatarUrl: userData["avatar_url"],
+      emailVerified,
+      raw: userData
+    };
+  }
+};
+
+// src/providers/oauth/microsoft.ts
+var MicrosoftProvider = class {
+  name = "microsoft";
+  config;
+  baseUrl;
+  constructor(config) {
+    this.config = config;
+    const tenant = config.tenantId ?? "common";
+    this.baseUrl = `https://login.microsoftonline.com/${tenant}/oauth2/v2.0`;
+  }
+  async getAuthorizationUrl(state, codeChallenge) {
+    const params = new URLSearchParams({
+      client_id: this.config.clientId,
+      redirect_uri: this.config.redirectUri,
+      response_type: "code",
+      scope: this.config.scopes?.join(" ") ?? "openid email profile User.Read",
+      state,
+      response_mode: "query"
+    });
+    if (codeChallenge) {
+      params.set("code_challenge", codeChallenge);
+      params.set("code_challenge_method", "S256");
+    }
+    return `${this.baseUrl}/authorize?${params}`;
+  }
+  async exchangeCode(code, codeVerifier) {
+    const params = {
+      client_id: this.config.clientId,
+      client_secret: this.config.clientSecret,
+      code,
+      grant_type: "authorization_code",
+      redirect_uri: this.config.redirectUri
+    };
+    if (codeVerifier) {
+      params["code_verifier"] = codeVerifier;
+    }
+    const response = await fetch(`${this.baseUrl}/token`, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: new URLSearchParams(params)
+    });
+    if (!response.ok) {
+      const error = await response.text();
+      throw new Error(`Microsoft token exchange failed: ${error}`);
+    }
+    const data = await response.json();
+    return {
+      accessToken: data["access_token"],
+      refreshToken: data["refresh_token"],
+      expiresIn: data["expires_in"],
+      idToken: data["id_token"],
+      tokenType: data["token_type"],
+      scope: data["scope"]
+    };
+  }
+  async getUserInfo(accessToken) {
+    const response = await fetch("https://graph.microsoft.com/v1.0/me", {
+      headers: { Authorization: `Bearer ${accessToken}` }
+    });
+    if (!response.ok) {
+      throw new Error("Failed to fetch Microsoft user info");
+    }
+    const data = await response.json();
+    return {
+      id: data["id"],
+      email: data["mail"] ?? data["userPrincipalName"],
+      name: data["displayName"],
+      avatarUrl: void 0,
+      // Would need separate call to get photo
+      emailVerified: true,
+      // Microsoft accounts are verified
+      raw: data
+    };
+  }
+  async refreshToken(refreshToken) {
+    const response = await fetch(`${this.baseUrl}/token`, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: new URLSearchParams({
+        client_id: this.config.clientId,
+        client_secret: this.config.clientSecret,
+        refresh_token: refreshToken,
+        grant_type: "refresh_token",
+        scope: this.config.scopes?.join(" ") ?? "openid email profile User.Read"
+      })
+    });
+    if (!response.ok) {
+      const error = await response.text();
+      throw new Error(`Microsoft token refresh failed: ${error}`);
+    }
+    const data = await response.json();
+    return {
+      accessToken: data["access_token"],
+      refreshToken: data["refresh_token"] ?? refreshToken,
+      expiresIn: data["expires_in"],
+      idToken: data["id_token"],
+      tokenType: data["token_type"],
+      scope: data["scope"]
+    };
+  }
+};
+
+// src/providers/oauth/apple.ts
+var AppleProvider = class {
+  name = "apple";
+  config;
+  constructor(config) {
+    this.config = config;
+  }
+  async getAuthorizationUrl(state, _codeChallenge) {
+    const params = new URLSearchParams({
+      client_id: this.config.clientId,
+      redirect_uri: this.config.redirectUri,
+      response_type: "code id_token",
+      response_mode: "form_post",
+      scope: this.config.scopes?.join(" ") ?? "name email",
+      state
+    });
+    return `https://appleid.apple.com/auth/authorize?${params}`;
+  }
+  async exchangeCode(code, _codeVerifier) {
+    const clientSecret = await this.generateClientSecret();
+    const params = new URLSearchParams({
+      client_id: this.config.clientId,
+      client_secret: clientSecret,
+      code,
+      grant_type: "authorization_code",
+      redirect_uri: this.config.redirectUri
+    });
+    const response = await fetch("https://appleid.apple.com/auth/token", {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: params
+    });
+    if (!response.ok) {
+      const error = await response.text();
+      throw new Error(`Apple token exchange failed: ${error}`);
+    }
+    const data = await response.json();
+    return {
+      accessToken: data["access_token"],
+      refreshToken: data["refresh_token"],
+      expiresIn: data["expires_in"],
+      idToken: data["id_token"],
+      tokenType: data["token_type"]
+    };
+  }
+  async getUserInfo(accessToken) {
+    return {
+      id: "",
+      email: "",
+      emailVerified: false,
+      raw: { accessToken }
+    };
+  }
+  /**
+   * Parse user info from id_token and form post data
+   * Apple sends user info only on first authorization
+   */
+  parseUserFromCallback(idToken, userData) {
+    const parts = idToken.split(".");
+    if (parts.length !== 3) {
+      throw new Error("Invalid id_token format");
+    }
+    const payload = JSON.parse(
+      Buffer.from(parts[1], "base64url").toString("utf-8")
+    );
+    const name = userData?.name ? [userData.name.firstName, userData.name.lastName].filter(Boolean).join(" ") : void 0;
+    return {
+      id: payload["sub"],
+      email: userData?.email ?? payload["email"],
+      name,
+      emailVerified: payload["email_verified"] === "true" || payload["email_verified"] === true,
+      raw: payload
+    };
+  }
+  /**
+   * Generate client secret JWT for Apple
+   * Apple requires a JWT signed with your private key
+   */
+  async generateClientSecret() {
+    const now = Math.floor(Date.now() / 1e3);
+    const expiry = now + 86400 * 180;
+    const header = {
+      alg: "ES256",
+      kid: this.config.keyId,
+      typ: "JWT"
+    };
+    const payload = {
+      iss: this.config.teamId,
+      iat: now,
+      exp: expiry,
+      aud: "https://appleid.apple.com",
+      sub: this.config.clientId
+    };
+    const privateKey = await crypto.subtle.importKey(
+      "pkcs8",
+      this.pemToArrayBuffer(this.config.privateKey),
+      { name: "ECDSA", namedCurve: "P-256" },
+      false,
+      ["sign"]
+    );
+    const headerB64 = this.base64UrlEncode(JSON.stringify(header));
+    const payloadB64 = this.base64UrlEncode(JSON.stringify(payload));
+    const signingInput = `${headerB64}.${payloadB64}`;
+    const signature = await crypto.subtle.sign(
+      { name: "ECDSA", hash: "SHA-256" },
+      privateKey,
+      new TextEncoder().encode(signingInput)
+    );
+    const signatureB64 = this.base64UrlEncode(
+      String.fromCharCode(...new Uint8Array(signature))
+    );
+    return `${signingInput}.${signatureB64}`;
+  }
+  pemToArrayBuffer(pem) {
+    const pemContents = pem.replace(/-----BEGIN PRIVATE KEY-----/, "").replace(/-----END PRIVATE KEY-----/, "").replace(/\s/g, "");
+    const binaryString = atob(pemContents);
+    const bytes = new Uint8Array(binaryString.length);
+    for (let i = 0; i < binaryString.length; i++) {
+      bytes[i] = binaryString.charCodeAt(i);
+    }
+    return bytes.buffer;
+  }
+  base64UrlEncode(str) {
+    return btoa(str).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+  }
+};
+
+// src/providers/oauth/index.ts
+async function generatePKCE() {
+  const array = new Uint8Array(32);
+  crypto.getRandomValues(array);
+  const codeVerifier = btoa(String.fromCharCode(...array)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+  const encoder = new TextEncoder();
+  const data = encoder.encode(codeVerifier);
+  const digest = await crypto.subtle.digest("SHA-256", data);
+  const codeChallenge = btoa(String.fromCharCode(...new Uint8Array(digest))).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+  return { codeVerifier, codeChallenge };
+}
+function generateState() {
+  const array = new Uint8Array(32);
+  crypto.getRandomValues(array);
+  return btoa(String.fromCharCode(...array)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+var OAuthManager = class {
+  storage;
+  providers = /* @__PURE__ */ new Map();
+  stateExpirySeconds;
+  constructor(storage, config, options) {
+    this.storage = storage;
+    this.stateExpirySeconds = options?.stateExpirySeconds ?? 600;
+    if (config.google) {
+      this.providers.set("google", new GoogleProvider(config.google));
+    }
+    if (config.github) {
+      this.providers.set("github", new GitHubProvider(config.github));
+    }
+    if (config.microsoft) {
+      this.providers.set("microsoft", new MicrosoftProvider(config.microsoft));
+    }
+    if (config.apple) {
+      this.providers.set("apple", new AppleProvider(config.apple));
+    }
+  }
+  /**
+   * Get available providers
+   */
+  getAvailableProviders() {
+    return Array.from(this.providers.keys());
+  }
+  /**
+   * Check if a provider is configured
+   */
+  hasProvider(name) {
+    return this.providers.has(name);
+  }
+  /**
+   * Get a provider by name
+   */
+  getProvider(name) {
+    return this.providers.get(name);
+  }
+  /**
+   * Start OAuth flow - returns authorization URL
+   */
+  async startFlow(providerName, options) {
+    const provider = this.providers.get(providerName);
+    if (!provider) {
+      throw new Error(`OAuth provider '${providerName}' not configured`);
+    }
+    const state = generateState();
+    const { codeVerifier, codeChallenge } = await generatePKCE();
+    const stateData = {
+      state,
+      provider: providerName,
+      codeVerifier,
+      tenantId: options?.tenantId,
+      redirectUrl: options?.redirectUrl,
+      expiresAt: new Date(Date.now() + this.stateExpirySeconds * 1e3)
+    };
+    await this.storage.set(
+      `oauth:state:${state}`,
+      stateData,
+      this.stateExpirySeconds
+    );
+    const authorizationUrl = await provider.getAuthorizationUrl(state, codeChallenge);
+    return { authorizationUrl, state };
+  }
+  /**
+   * Handle OAuth callback
+   */
+  async handleCallback(providerName, code, state) {
+    const provider = this.providers.get(providerName);
+    if (!provider) {
+      throw new Error(`OAuth provider '${providerName}' not configured`);
+    }
+    const storedState = await this.storage.get(`oauth:state:${state}`);
+    if (!storedState) {
+      throw new Error("Invalid OAuth state");
+    }
+    if (storedState.expiresAt < /* @__PURE__ */ new Date()) {
+      await this.storage.delete(`oauth:state:${state}`);
+      throw new Error("OAuth state expired");
+    }
+    if (storedState.provider !== providerName) {
+      throw new Error("Provider mismatch");
+    }
+    const tokens = await provider.exchangeCode(code, storedState.codeVerifier);
+    const userInfo = await provider.getUserInfo(tokens.accessToken);
+    await this.storage.delete(`oauth:state:${state}`);
+    return {
+      userInfo,
+      tokens,
+      tenantId: storedState.tenantId,
+      redirectUrl: storedState.redirectUrl
+    };
+  }
+  /**
+   * Refresh OAuth tokens (if supported by provider)
+   */
+  async refreshTokens(providerName, refreshToken) {
+    const provider = this.providers.get(providerName);
+    if (!provider) {
+      throw new Error(`OAuth provider '${providerName}' not configured`);
+    }
+    if (!provider.refreshToken) {
+      throw new Error(`Token refresh not supported for ${providerName}`);
+    }
+    return provider.refreshToken(refreshToken);
+  }
+  /**
+   * Check if provider supports token refresh
+   */
+  supportsRefresh(providerName) {
+    const provider = this.providers.get(providerName);
+    return provider ? typeof provider.refreshToken === "function" : false;
+  }
+};
+function createOAuthManager(storage, config, options) {
+  return new OAuthManager(storage, config, options);
+}
+
+// src/providers/magic-link/index.ts
+var MagicLinkProvider = class {
+  name = "magic-link";
+  type = "magic-link";
+  storage;
+  config;
+  _enabled;
+  constructor(storage, config) {
+    this.storage = storage;
+    this.config = {
+      callbackPath: "/auth/magic-link/callback",
+      expiresIn: 900,
+      // 15 minutes
+      tokenLength: 32,
+      ...config
+    };
+    this._enabled = true;
+  }
+  get enabled() {
+    return this._enabled;
+  }
+  /**
+   * Send magic link to email
+   */
+  async sendMagicLink(email, options) {
+    const normalizedEmail = email.toLowerCase().trim();
+    const token = await generateRandomHex(this.config.tokenLength);
+    const tokenHash = await sha256Hex(token);
+    const expiresAt = new Date(Date.now() + this.config.expiresIn * 1e3);
+    await this.storage.delete(`magic:email:${normalizedEmail}`);
+    const tokenData = {
+      email: normalizedEmail,
+      tokenHash,
+      tenantId: options?.tenantId,
+      redirectUrl: options?.redirectUrl,
+      expiresAt: expiresAt.toISOString()
+    };
+    await this.storage.set(
+      `magic:token:${tokenHash}`,
+      tokenData,
+      this.config.expiresIn
+    );
+    await this.storage.set(
+      `magic:email:${normalizedEmail}`,
+      tokenHash,
+      this.config.expiresIn
+    );
+    const params = new URLSearchParams({ token });
+    if (options?.redirectUrl) {
+      params.set("redirect", options.redirectUrl);
+    }
+    const magicLink = `${this.config.baseUrl}${this.config.callbackPath}?${params}`;
+    try {
+      await this.config.send(normalizedEmail, magicLink, this.config.expiresIn);
+      return { success: true, expiresAt };
+    } catch (error) {
+      await this.storage.delete(`magic:token:${tokenHash}`);
+      await this.storage.delete(`magic:email:${normalizedEmail}`);
+      return {
+        success: false,
+        error: error instanceof Error ? error.message : "Failed to send email"
+      };
+    }
+  }
+  /**
+   * Verify magic link token
+   */
+  async verifyMagicLink(token) {
+    const tokenHash = await sha256Hex(token);
+    const tokenData = await this.storage.get(`magic:token:${tokenHash}`);
+    if (!tokenData) {
+      return { success: false, error: "Invalid or expired magic link" };
+    }
+    if (tokenData.usedAt) {
+      return { success: false, error: "Magic link already used" };
+    }
+    if (new Date(tokenData.expiresAt) < /* @__PURE__ */ new Date()) {
+      await this.storage.delete(`magic:token:${tokenHash}`);
+      return { success: false, error: "Magic link expired" };
+    }
+    tokenData.usedAt = (/* @__PURE__ */ new Date()).toISOString();
+    await this.storage.set(`magic:token:${tokenHash}`, tokenData, 60);
+    await this.storage.delete(`magic:email:${tokenData.email}`);
+    return {
+      success: true,
+      email: tokenData.email,
+      tenantId: tokenData.tenantId,
+      redirectUrl: tokenData.redirectUrl
+    };
+  }
+  /**
+   * Authenticate with magic link token (implements AuthProvider)
+   */
+  async authenticate(input) {
+    const { credential } = input;
+    if (!credential) {
+      return {
+        success: false,
+        error: "Token is required",
+        errorCode: "INVALID_INPUT"
+      };
+    }
+    const result = await this.verifyMagicLink(credential);
+    if (!result.success) {
+      return {
+        success: false,
+        error: result.error,
+        errorCode: "INVALID_TOKEN"
+      };
+    }
+    return {
+      success: true
+      // Auth engine will handle user lookup/creation based on email
+    };
+  }
+  /**
+   * Get provider info
+   */
+  getInfo() {
+    return {
+      name: this.name,
+      type: this.type,
+      enabled: this.enabled,
+      displayName: "Magic Link"
+    };
+  }
+  /**
+   * Request magic link (for use in auth routes)
+   */
+  async requestMagicLink(email, options) {
+    return this.sendMagicLink(email, options);
+  }
+};
+function createMagicLinkProvider(storage, config) {
+  return new MagicLinkProvider(storage, config);
+}
+
+// src/providers/totp/index.ts
+var DEFAULT_CONFIG = {
+  algorithm: "SHA1",
+  digits: 6,
+  period: 30,
+  window: 1,
+  backupCodeCount: 10
+};
+function bytesToBase32(bytes) {
+  const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
+  let result = "";
+  let bits = 0;
+  let value = 0;
+  for (const byte of bytes) {
+    value = value << 8 | byte;
+    bits += 8;
+    while (bits >= 5) {
+      result += alphabet[value >>> bits - 5 & 31];
+      bits -= 5;
+    }
+  }
+  if (bits > 0) {
+    result += alphabet[value << 5 - bits & 31];
+  }
+  return result;
+}
+function base32ToBytes(base32) {
+  const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
+  const cleaned = base32.toUpperCase().replace(/[^A-Z2-7]/g, "");
+  const bytes = [];
+  let bits = 0;
+  let value = 0;
+  for (const char of cleaned) {
+    const index = alphabet.indexOf(char);
+    if (index === -1) continue;
+    value = value << 5 | index;
+    bits += 5;
+    if (bits >= 8) {
+      bytes.push(value >>> bits - 8 & 255);
+      bits -= 8;
+    }
+  }
+  return new Uint8Array(bytes);
+}
+async function hotp(secret, counter, algorithm, digits) {
+  const counterBytes = new Uint8Array(8);
+  const view = new DataView(counterBytes.buffer);
+  view.setBigUint64(0, counter, false);
+  const hashName = algorithm === "SHA1" ? "SHA-1" : `SHA-${algorithm.slice(3)}`;
+  const key = await crypto.subtle.importKey(
+    "raw",
+    secret,
+    { name: "HMAC", hash: hashName },
+    false,
+    ["sign"]
+  );
+  const signature = await crypto.subtle.sign("HMAC", key, counterBytes);
+  const hmac = new Uint8Array(signature);
+  const offset = hmac[hmac.length - 1] & 15;
+  const binary = (hmac[offset] & 127) << 24 | (hmac[offset + 1] & 255) << 16 | (hmac[offset + 2] & 255) << 8 | hmac[offset + 3] & 255;
+  const otp = binary % Math.pow(10, digits);
+  return otp.toString().padStart(digits, "0");
+}
+async function generateTOTP(secret, algorithm, digits, period) {
+  const counter = BigInt(Math.floor(Date.now() / 1e3 / period));
+  return hotp(secret, counter, algorithm, digits);
+}
+async function verifyTOTP(token, secret, algorithm, digits, period, window) {
+  const now = Math.floor(Date.now() / 1e3 / period);
+  for (let i = -window; i <= window; i++) {
+    const counter = BigInt(now + i);
+    const expected = await hotp(secret, counter, algorithm, digits);
+    if (token === expected) {
+      return true;
+    }
+  }
+  return false;
+}
+async function generateBackupCodes(count) {
+  const codes = [];
+  for (let i = 0; i < count; i++) {
+    const hex = await generateRandomHex(4);
+    codes.push(`${hex.slice(0, 4).toUpperCase()}-${hex.slice(4, 8).toUpperCase()}`);
+  }
+  return codes;
+}
+async function encryptSecret(secret, keyString) {
+  const encoder = new TextEncoder();
+  const data = encoder.encode(secret);
+  const keyData = encoder.encode(keyString.padEnd(32, "0").slice(0, 32));
+  const key = await crypto.subtle.importKey(
+    "raw",
+    keyData,
+    { name: "AES-GCM" },
+    false,
+    ["encrypt"]
+  );
+  const iv = crypto.getRandomValues(new Uint8Array(12));
+  const encrypted = await crypto.subtle.encrypt({ name: "AES-GCM", iv }, key, data);
+  const result = new Uint8Array(iv.length + encrypted.byteLength);
+  result.set(iv);
+  result.set(new Uint8Array(encrypted), iv.length);
+  return btoa(String.fromCharCode(...result));
+}
+async function decryptSecret(encrypted, keyString) {
+  const encoder = new TextEncoder();
+  const keyData = encoder.encode(keyString.padEnd(32, "0").slice(0, 32));
+  const data = Uint8Array.from(atob(encrypted), (c) => c.charCodeAt(0));
+  const iv = data.slice(0, 12);
+  const ciphertext = data.slice(12);
+  const key = await crypto.subtle.importKey(
+    "raw",
+    keyData,
+    { name: "AES-GCM" },
+    false,
+    ["decrypt"]
+  );
+  const decrypted = await crypto.subtle.decrypt({ name: "AES-GCM", iv }, key, ciphertext);
+  return new TextDecoder().decode(decrypted);
+}
+var TOTPProvider = class {
+  name = "totp";
+  type = "totp";
+  storage;
+  config;
+  _enabled = true;
+  constructor(storage, config) {
+    this.storage = storage;
+    this.config = {
+      ...DEFAULT_CONFIG,
+      encryptionKey: "change-me-in-production",
+      ...config
+    };
+  }
+  get enabled() {
+    return this._enabled;
+  }
+  /**
+   * Setup TOTP for a user
+   * Note: Use setupWithEmail for full setup including QR code URL
+   */
+  async setup(userId) {
+    return this.setupWithEmail(userId, userId);
+  }
+  /**
+   * Setup TOTP for a user with email for QR code label
+   */
+  async setupWithEmail(userId, userEmail) {
+    const secretBytes = crypto.getRandomValues(new Uint8Array(20));
+    const secret = bytesToBase32(secretBytes);
+    const backupCodes = await generateBackupCodes(this.config.backupCodeCount);
+    const otpauthUri = this.createOtpauthUri(secret, userEmail);
+    const qrCodeUrl = `https://chart.googleapis.com/chart?chs=200x200&chld=M|0&cht=qr&chl=${encodeURIComponent(otpauthUri)}`;
+    const encryptedSecret = await encryptSecret(secret, this.config.encryptionKey);
+    const encryptedBackupCodes = await encryptSecret(
+      JSON.stringify(backupCodes),
+      this.config.encryptionKey
+    );
+    const totpData = {
+      userId,
+      encryptedSecret,
+      backupCodes: encryptedBackupCodes,
+      verified: false,
+      createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+      updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    await this.storage.set(`totp:user:${userId}`, totpData);
+    return {
+      secret,
+      qrCode: qrCodeUrl,
+      backupCodes,
+      qrCodeUrl,
+      otpauthUri
+    };
+  }
+  /**
+   * Verify TOTP and activate 2FA (for TwoFactorProvider interface)
+   */
+  async verifySetup(userId, token) {
+    const totpData = await this.storage.get(`totp:user:${userId}`);
+    if (!totpData) {
+      throw new Error("TOTP not set up for this user");
+    }
+    const secret = await decryptSecret(totpData.encryptedSecret, this.config.encryptionKey);
+    const secretBytes = base32ToBytes(secret);
+    const valid = await verifyTOTP(
+      token,
+      secretBytes,
+      this.config.algorithm,
+      this.config.digits,
+      this.config.period,
+      this.config.window
+    );
+    if (valid) {
+      totpData.verified = true;
+      totpData.updatedAt = (/* @__PURE__ */ new Date()).toISOString();
+      await this.storage.set(`totp:user:${userId}`, totpData);
+      return true;
+    }
+    return false;
+  }
+  /**
+   * Verify TOTP during login (for TwoFactorProvider interface)
+   */
+  async verifyLogin(userId, code) {
+    const result = await this.verifyCode(userId, code);
+    return result.valid;
+  }
+  /**
+   * Authenticate (for AuthProvider interface)
+   */
+  async authenticate(_input) {
+    return {
+      success: false,
+      error: "TOTP is used for two-factor authentication, not primary auth",
+      errorCode: "USE_TWO_FACTOR_METHODS"
+    };
+  }
+  /**
+   * Verify TOTP token
+   */
+  async verifyCode(userId, token) {
+    const totpData = await this.storage.get(`totp:user:${userId}`);
+    if (!totpData || !totpData.verified) {
+      throw new Error("TOTP not enabled for this user");
+    }
+    const secret = await decryptSecret(totpData.encryptedSecret, this.config.encryptionKey);
+    const secretBytes = base32ToBytes(secret);
+    const validTOTP = await verifyTOTP(
+      token,
+      secretBytes,
+      this.config.algorithm,
+      this.config.digits,
+      this.config.period,
+      this.config.window
+    );
+    if (validTOTP) {
+      return { valid: true, usedBackupCode: false };
+    }
+    const backupCodesJson = await decryptSecret(
+      totpData.backupCodes,
+      this.config.encryptionKey
+    );
+    const backupCodes = JSON.parse(backupCodesJson);
+    const normalizedToken = token.toUpperCase().replace(/[^A-Z0-9]/g, "");
+    const backupIndex = backupCodes.findIndex(
+      (code) => code.replace("-", "") === normalizedToken
+    );
+    if (backupIndex !== -1) {
+      backupCodes.splice(backupIndex, 1);
+      const encryptedBackupCodes = await encryptSecret(
+        JSON.stringify(backupCodes),
+        this.config.encryptionKey
+      );
+      totpData.backupCodes = encryptedBackupCodes;
+      totpData.updatedAt = (/* @__PURE__ */ new Date()).toISOString();
+      await this.storage.set(`totp:user:${userId}`, totpData);
+      return { valid: true, usedBackupCode: true };
+    }
+    return { valid: false };
+  }
+  /**
+   * Disable TOTP for user
+   */
+  async disable(userId) {
+    await this.storage.delete(`totp:user:${userId}`);
+  }
+  /**
+   * Regenerate backup codes
+   */
+  async regenerateBackupCodes(userId) {
+    const totpData = await this.storage.get(`totp:user:${userId}`);
+    if (!totpData || !totpData.verified) {
+      throw new Error("TOTP not enabled for this user");
+    }
+    const backupCodes = await generateBackupCodes(this.config.backupCodeCount);
+    const encryptedBackupCodes = await encryptSecret(
+      JSON.stringify(backupCodes),
+      this.config.encryptionKey
+    );
+    totpData.backupCodes = encryptedBackupCodes;
+    totpData.updatedAt = (/* @__PURE__ */ new Date()).toISOString();
+    await this.storage.set(`totp:user:${userId}`, totpData);
+    return backupCodes;
+  }
+  /**
+   * Get remaining backup codes count
+   */
+  async getBackupCodesCount(userId) {
+    const totpData = await this.storage.get(`totp:user:${userId}`);
+    if (!totpData) {
+      return 0;
+    }
+    const backupCodesJson = await decryptSecret(
+      totpData.backupCodes,
+      this.config.encryptionKey
+    );
+    const backupCodes = JSON.parse(backupCodesJson);
+    return backupCodes.length;
+  }
+  /**
+   * Check if TOTP is enabled for user
+   */
+  async isEnabled(userId) {
+    const totpData = await this.storage.get(`totp:user:${userId}`);
+    return !!totpData?.verified;
+  }
+  /**
+   * Generate current TOTP (for testing)
+   */
+  async generateCurrent(userId) {
+    const totpData = await this.storage.get(`totp:user:${userId}`);
+    if (!totpData) {
+      throw new Error("TOTP not set up for this user");
+    }
+    const secret = await decryptSecret(totpData.encryptedSecret, this.config.encryptionKey);
+    const secretBytes = base32ToBytes(secret);
+    return generateTOTP(
+      secretBytes,
+      this.config.algorithm,
+      this.config.digits,
+      this.config.period
+    );
+  }
+  /**
+   * Get provider info
+   */
+  getInfo() {
+    return {
+      name: this.name,
+      type: this.type,
+      enabled: this.enabled,
+      displayName: "Authenticator App"
+    };
+  }
+  /**
+   * Create otpauth URI for QR code
+   */
+  createOtpauthUri(secret, userEmail) {
+    const params = new URLSearchParams({
+      secret,
+      issuer: this.config.issuer,
+      algorithm: this.config.algorithm,
+      digits: String(this.config.digits),
+      period: String(this.config.period)
+    });
+    const label = encodeURIComponent(`${this.config.issuer}:${userEmail}`);
+    return `otpauth://totp/${label}?${params}`;
+  }
+};
+function createTOTPProvider(storage, config) {
+  return new TOTPProvider(storage, config);
+}
+
+// src/providers/webauthn/index.ts
+function base64UrlEncode2(bytes) {
+  return btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function base64UrlDecode2(str) {
+  const base64 = str.replace(/-/g, "+").replace(/_/g, "/");
+  const padding = "=".repeat((4 - base64.length % 4) % 4);
+  const binary = atob(base64 + padding);
+  return Uint8Array.from(binary, (c) => c.charCodeAt(0));
+}
+function generateChallenge() {
+  const bytes = new Uint8Array(32);
+  crypto.getRandomValues(bytes);
+  return base64UrlEncode2(bytes);
+}
+function parseAuthenticatorData(data) {
+  const rpIdHash = data.slice(0, 32);
+  const flagsByte = data[32];
+  const flags = {
+    userPresent: (flagsByte & 1) !== 0,
+    userVerified: (flagsByte & 4) !== 0,
+    attestedCredentialData: (flagsByte & 64) !== 0
+  };
+  const signCount = new DataView(data.buffer, data.byteOffset + 33, 4).getUint32(0, false);
+  let attestedCredentialData;
+  if (flags.attestedCredentialData && data.length > 37) {
+    const aaguid = data.slice(37, 53);
+    const credentialIdLength = new DataView(data.buffer, data.byteOffset + 53, 2).getUint16(0, false);
+    const credentialId = data.slice(55, 55 + credentialIdLength);
+    const publicKey = data.slice(55 + credentialIdLength);
+    attestedCredentialData = { aaguid, credentialId, publicKey };
+  }
+  return { rpIdHash, flags, signCount, attestedCredentialData };
+}
+function parseCBORMap(data) {
+  const result = {};
+  let offset = 0;
+  const initial = data[offset++];
+  if ((initial & 224) !== 160) {
+    throw new Error("Expected CBOR map");
+  }
+  const mapSize = initial & 31;
+  for (let i = 0; i < mapSize; i++) {
+    const keyInitial = data[offset++];
+    const keyLength = keyInitial & 31;
+    const key = new TextDecoder().decode(data.slice(offset, offset + keyLength));
+    offset += keyLength;
+    const valueInitial = data[offset++];
+    let valueLength;
+    if ((valueInitial & 31) < 24) {
+      valueLength = valueInitial & 31;
+    } else if ((valueInitial & 31) === 24) {
+      valueLength = data[offset++];
+    } else if ((valueInitial & 31) === 25) {
+      valueLength = data[offset++] << 8 | data[offset++];
+    } else {
+      throw new Error("Unsupported CBOR value length");
+    }
+    result[key] = data.slice(offset, offset + valueLength);
+    offset += valueLength;
+  }
+  return result;
+}
+function arrayBufferEqual(a, b) {
+  if (a.byteLength !== b.byteLength) return false;
+  const viewA = new Uint8Array(a);
+  const viewB = new Uint8Array(b);
+  for (let i = 0; i < viewA.length; i++) {
+    if (viewA[i] !== viewB[i]) return false;
+  }
+  return true;
+}
+var WebAuthnProvider = class {
+  name = "webauthn";
+  type = "webauthn";
+  storage;
+  config;
+  _enabled = true;
+  constructor(storage, config) {
+    this.storage = storage;
+    this.config = {
+      timeout: 6e4,
+      attestation: "none",
+      userVerification: "preferred",
+      ...config
+    };
+  }
+  get enabled() {
+    return this._enabled;
+  }
+  /**
+   * Generate registration options
+   */
+  async generateRegistrationOptions(userId, userName, userDisplayName, authenticatorType) {
+    const challenge = generateChallenge();
+    const existingCredentials = await this.getUserCredentials(userId);
+    const challengeData = {
+      challenge,
+      userId,
+      type: "registration",
+      expiresAt: new Date(Date.now() + this.config.timeout).toISOString()
+    };
+    await this.storage.set(`webauthn:challenge:${challenge}`, challengeData, this.config.timeout / 1e3);
+    return {
+      challenge,
+      rp: {
+        name: this.config.rpName,
+        id: this.config.rpId
+      },
+      user: {
+        id: base64UrlEncode2(new TextEncoder().encode(userId)),
+        name: userName,
+        displayName: userDisplayName
+      },
+      pubKeyCredParams: [
+        { type: "public-key", alg: -7 },
+        // ES256
+        { type: "public-key", alg: -257 }
+        // RS256
+      ],
+      timeout: this.config.timeout,
+      attestation: this.config.attestation,
+      authenticatorSelection: {
+        authenticatorAttachment: authenticatorType,
+        residentKey: "preferred",
+        userVerification: this.config.userVerification
+      },
+      excludeCredentials: existingCredentials.map((cred) => ({
+        id: cred.credentialId,
+        type: "public-key",
+        transports: cred.transports
+      }))
+    };
+  }
+  /**
+   * Verify registration response
+   */
+  async verifyRegistration(response, challenge, credentialName) {
+    const pending = await this.storage.get(`webauthn:challenge:${challenge}`);
+    if (!pending || new Date(pending.expiresAt) < /* @__PURE__ */ new Date()) {
+      return { success: false, error: "Invalid or expired challenge" };
+    }
+    const userId = pending.userId;
+    if (!userId) {
+      return { success: false, error: "No user ID in challenge" };
+    }
+    const clientDataJSON = base64UrlDecode2(response.response.clientDataJSON);
+    const clientData = JSON.parse(new TextDecoder().decode(clientDataJSON));
+    if (clientData["type"] !== "webauthn.create") {
+      return { success: false, error: "Invalid client data type" };
+    }
+    if (clientData["challenge"] !== challenge) {
+      return { success: false, error: "Challenge mismatch" };
+    }
+    if (clientData["origin"] !== this.config.origin) {
+      return { success: false, error: "Origin mismatch" };
+    }
+    const attestationObject = base64UrlDecode2(response.response.attestationObject);
+    let authData;
+    try {
+      const attestation = parseCBORMap(attestationObject);
+      authData = attestation["authData"];
+    } catch {
+      return { success: false, error: "Failed to parse attestation object" };
+    }
+    const parsedAuthData = parseAuthenticatorData(authData);
+    const expectedRpIdHash = await crypto.subtle.digest(
+      "SHA-256",
+      new TextEncoder().encode(this.config.rpId)
+    );
+    if (!arrayBufferEqual(parsedAuthData.rpIdHash.buffer, expectedRpIdHash)) {
+      return { success: false, error: "RP ID hash mismatch" };
+    }
+    if (!parsedAuthData.flags.userPresent) {
+      return { success: false, error: "User not present" };
+    }
+    if (!parsedAuthData.attestedCredentialData) {
+      return { success: false, error: "No credential data" };
+    }
+    const { credentialId, publicKey } = parsedAuthData.attestedCredentialData;
+    const credentialIdBase64 = base64UrlEncode2(credentialId);
+    const publicKeyBase64 = base64UrlEncode2(publicKey);
+    const existing = await this.storage.get(`webauthn:cred:${credentialIdBase64}`);
+    if (existing) {
+      return { success: false, error: "Credential already registered" };
+    }
+    const credential = {
+      id: crypto.randomUUID(),
+      credentialId: credentialIdBase64,
+      userId,
+      publicKey: publicKeyBase64,
+      counter: parsedAuthData.signCount,
+      transports: response.response.transports ?? [],
+      name: credentialName ?? "Passkey",
+      createdAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    await this.storage.set(`webauthn:cred:${credentialIdBase64}`, credential);
+    const userCredIds = await this.storage.get(`webauthn:user:${userId}`) ?? [];
+    userCredIds.push(credentialIdBase64);
+    await this.storage.set(`webauthn:user:${userId}`, userCredIds);
+    await this.storage.delete(`webauthn:challenge:${challenge}`);
+    return { success: true, credentialId: credentialIdBase64 };
+  }
+  /**
+   * Generate authentication options
+   */
+  async generateAuthenticationOptions(userId) {
+    const challenge = generateChallenge();
+    const challengeData = {
+      challenge,
+      userId,
+      type: "authentication",
+      expiresAt: new Date(Date.now() + this.config.timeout).toISOString()
+    };
+    await this.storage.set(`webauthn:challenge:${challenge}`, challengeData, this.config.timeout / 1e3);
+    let allowCredentials = [];
+    if (userId) {
+      const userCredentials = await this.getUserCredentials(userId);
+      allowCredentials = userCredentials.map((cred) => ({
+        id: cred.credentialId,
+        type: "public-key",
+        transports: cred.transports
+      }));
+    }
+    return {
+      challenge,
+      timeout: this.config.timeout,
+      rpId: this.config.rpId,
+      allowCredentials,
+      userVerification: this.config.userVerification
+    };
+  }
+  /**
+   * Verify authentication response
+   */
+  async verifyAuthentication(response, challenge) {
+    const pending = await this.storage.get(`webauthn:challenge:${challenge}`);
+    if (!pending || new Date(pending.expiresAt) < /* @__PURE__ */ new Date()) {
+      return { success: false, error: "Invalid or expired challenge" };
+    }
+    const credential = await this.storage.get(`webauthn:cred:${response.id}`);
+    if (!credential) {
+      return { success: false, error: "Credential not found" };
+    }
+    const clientDataJSON = base64UrlDecode2(response.response.clientDataJSON);
+    const clientData = JSON.parse(new TextDecoder().decode(clientDataJSON));
+    if (clientData["type"] !== "webauthn.get") {
+      return { success: false, error: "Invalid client data type" };
+    }
+    if (clientData["challenge"] !== challenge) {
+      return { success: false, error: "Challenge mismatch" };
+    }
+    if (clientData["origin"] !== this.config.origin) {
+      return { success: false, error: "Origin mismatch" };
+    }
+    const authenticatorData = base64UrlDecode2(response.response.authenticatorData);
+    const parsedAuthData = parseAuthenticatorData(authenticatorData);
+    const expectedRpIdHash = await crypto.subtle.digest(
+      "SHA-256",
+      new TextEncoder().encode(this.config.rpId)
+    );
+    if (!arrayBufferEqual(parsedAuthData.rpIdHash.buffer, expectedRpIdHash)) {
+      return { success: false, error: "RP ID hash mismatch" };
+    }
+    if (!parsedAuthData.flags.userPresent) {
+      return { success: false, error: "User not present" };
+    }
+    if (parsedAuthData.signCount > 0 && parsedAuthData.signCount <= credential.counter) {
+      return { success: false, error: "Possible credential cloning detected" };
+    }
+    credential.counter = parsedAuthData.signCount;
+    credential.lastUsedAt = (/* @__PURE__ */ new Date()).toISOString();
+    await this.storage.set(`webauthn:cred:${response.id}`, credential);
+    await this.storage.delete(`webauthn:challenge:${challenge}`);
+    return {
+      success: true,
+      userId: credential.userId,
+      credentialId: credential.credentialId
+    };
+  }
+  /**
+   * Get user's credentials
+   */
+  async getUserCredentials(userId) {
+    const credIds = await this.storage.get(`webauthn:user:${userId}`) ?? [];
+    const credentials = [];
+    for (const credId of credIds) {
+      const cred = await this.storage.get(`webauthn:cred:${credId}`);
+      if (cred) {
+        credentials.push(cred);
+      }
+    }
+    return credentials;
+  }
+  /**
+   * Remove a credential
+   */
+  async removeCredential(userId, credentialId) {
+    const credential = await this.storage.get(`webauthn:cred:${credentialId}`);
+    if (!credential || credential.userId !== userId) {
+      return false;
+    }
+    await this.storage.delete(`webauthn:cred:${credentialId}`);
+    const credIds = await this.storage.get(`webauthn:user:${userId}`) ?? [];
+    const filtered = credIds.filter((id) => id !== credentialId);
+    await this.storage.set(`webauthn:user:${userId}`, filtered);
+    return true;
+  }
+  /**
+   * Check if user has any passkeys
+   */
+  async hasPasskeys(userId) {
+    const credentials = await this.getUserCredentials(userId);
+    return credentials.length > 0;
+  }
+  /**
+   * Setup (for TwoFactorProvider interface)
+   */
+  async setup(userId) {
+    const options = await this.generateRegistrationOptions(userId, userId, userId);
+    return {
+      secret: options.challenge,
+      qrCode: "",
+      // Not applicable for WebAuthn
+      backupCodes: [],
+      challenge: options.challenge
+    };
+  }
+  /**
+   * Verify setup (for TwoFactorProvider interface)
+   */
+  async verifySetup(userId, _code) {
+    const credentials = await this.getUserCredentials(userId);
+    return credentials.length > 0;
+  }
+  /**
+   * Verify login (for TwoFactorProvider interface)
+   */
+  async verifyLogin(userId, _code) {
+    const credentials = await this.getUserCredentials(userId);
+    return credentials.length > 0;
+  }
+  /**
+   * Disable 2FA for user
+   */
+  async disable(userId) {
+    const credentials = await this.getUserCredentials(userId);
+    for (const cred of credentials) {
+      await this.removeCredential(userId, cred.credentialId);
+    }
+  }
+  /**
+   * Authenticate (for AuthProvider interface)
+   */
+  async authenticate(_input) {
+    return {
+      success: false,
+      error: "Use generateAuthenticationOptions and verifyAuthentication for WebAuthn authentication",
+      errorCode: "USE_WEBAUTHN_METHODS"
+    };
+  }
+  /**
+   * Get provider info
+   */
+  getInfo() {
+    return {
+      name: this.name,
+      type: this.type,
+      enabled: this.enabled,
+      displayName: "Passkey"
+    };
+  }
+};
+function createWebAuthnProvider(storage, config) {
+  return new WebAuthnProvider(storage, config);
+}
+
+// src/providers/password/index.ts
+var DEFAULT_CONFIG2 = {
+  minLength: 8,
+  maxLength: 128,
+  requireUppercase: true,
+  requireLowercase: true,
+  requireNumber: true,
+  requireSpecial: false,
+  bcryptCost: 12
+};
+var PasswordProvider = class {
+  name = "password";
+  type = "password";
+  storage;
+  config;
+  _enabled;
+  constructor(storage, config) {
+    this.storage = storage;
+    this.config = {
+      ...DEFAULT_CONFIG2,
+      ...config
+    };
+    this._enabled = false;
+    console.warn(
+      "[Pars Auth] Password provider initialized. Consider using passwordless authentication for better security."
+    );
+  }
+  get enabled() {
+    return this._enabled;
+  }
+  /**
+   * Enable the password provider
+   * Must be explicitly called to enable password authentication
+   */
+  enable() {
+    this._enabled = true;
+    console.warn(
+      "[Pars Auth] Password provider enabled. Ensure you have proper security measures in place (rate limiting, account lockout, etc.)"
+    );
+  }
+  /**
+   * Disable the password provider
+   */
+  disable() {
+    this._enabled = false;
+  }
+  /**
+   * Validate password against policy
+   */
+  validatePassword(password) {
+    const errors = [];
+    if (password.length < this.config.minLength) {
+      errors.push(`Password must be at least ${this.config.minLength} characters`);
+    }
+    if (password.length > this.config.maxLength) {
+      errors.push(`Password must be at most ${this.config.maxLength} characters`);
+    }
+    if (this.config.requireUppercase && !/[A-Z]/.test(password)) {
+      errors.push("Password must contain at least one uppercase letter");
+    }
+    if (this.config.requireLowercase && !/[a-z]/.test(password)) {
+      errors.push("Password must contain at least one lowercase letter");
+    }
+    if (this.config.requireNumber && !/\d/.test(password)) {
+      errors.push("Password must contain at least one number");
+    }
+    if (this.config.requireSpecial && !/[!@#$%^&*()_+\-=\[\]{};':"\\|,.<>\/?]/.test(password)) {
+      errors.push("Password must contain at least one special character");
+    }
+    return {
+      valid: errors.length === 0,
+      errors
+    };
+  }
+  /**
+   * Check password strength
+   */
+  checkStrength(password) {
+    let score = 0;
+    if (password.length >= 8) score++;
+    if (password.length >= 12) score++;
+    if (password.length >= 16) score++;
+    if (/[a-z]/.test(password)) score++;
+    if (/[A-Z]/.test(password)) score++;
+    if (/\d/.test(password)) score++;
+    if (/[!@#$%^&*()_+\-=\[\]{};':"\\|,.<>\/?]/.test(password)) score++;
+    if (/(?=.*[a-z])(?=.*[A-Z])(?=.*\d)/.test(password)) score++;
+    if (score <= 3) return "weak";
+    if (score <= 5) return "fair";
+    if (score <= 7) return "strong";
+    return "very-strong";
+  }
+  /**
+   * Hash a password
+   * Uses Web Crypto API for PBKDF2 (bcrypt alternative for edge runtime)
+   */
+  async hashPassword(password) {
+    if (this.config.hashPassword) {
+      return this.config.hashPassword(password);
+    }
+    const encoder = new TextEncoder();
+    const salt = crypto.getRandomValues(new Uint8Array(16));
+    const keyMaterial = await crypto.subtle.importKey(
+      "raw",
+      encoder.encode(password),
+      "PBKDF2",
+      false,
+      ["deriveBits"]
+    );
+    const iterations = 1e5 * (this.config.bcryptCost / 10);
+    const derivedBits = await crypto.subtle.deriveBits(
+      {
+        name: "PBKDF2",
+        salt,
+        iterations,
+        hash: "SHA-256"
+      },
+      keyMaterial,
+      256
+    );
+    const hashArray = new Uint8Array(derivedBits);
+    const saltB64 = btoa(String.fromCharCode(...salt));
+    const hashB64 = btoa(String.fromCharCode(...hashArray));
+    return `$pbkdf2-sha256$${iterations}$${saltB64}$${hashB64}`;
+  }
+  /**
+   * Verify a password against a hash
+   */
+  async verifyPassword(password, hash) {
+    if (this.config.verifyPassword) {
+      return this.config.verifyPassword(password, hash);
+    }
+    const parts = hash.split("$");
+    if (parts.length !== 5 || parts[1] !== "pbkdf2-sha256") {
+      return false;
+    }
+    const iterations = parseInt(parts[2], 10);
+    const salt = Uint8Array.from(atob(parts[3]), (c) => c.charCodeAt(0));
+    const storedHash = Uint8Array.from(atob(parts[4]), (c) => c.charCodeAt(0));
+    const encoder = new TextEncoder();
+    const keyMaterial = await crypto.subtle.importKey(
+      "raw",
+      encoder.encode(password),
+      "PBKDF2",
+      false,
+      ["deriveBits"]
+    );
+    const derivedBits = await crypto.subtle.deriveBits(
+      {
+        name: "PBKDF2",
+        salt,
+        iterations,
+        hash: "SHA-256"
+      },
+      keyMaterial,
+      256
+    );
+    const computedHash = new Uint8Array(derivedBits);
+    return this.constantTimeEquals(storedHash, computedHash);
+  }
+  /**
+   * Authenticate with password (implements AuthProvider)
+   */
+  async authenticate(input) {
+    if (!this._enabled) {
+      return {
+        success: false,
+        error: "Password authentication is disabled",
+        errorCode: "PROVIDER_DISABLED"
+      };
+    }
+    const { identifier, credential } = input;
+    if (!identifier || !credential) {
+      return {
+        success: false,
+        error: "Email and password are required",
+        errorCode: "INVALID_INPUT"
+      };
+    }
+    const validation = this.validatePassword(credential);
+    if (!validation.valid) {
+      return {
+        success: false,
+        error: validation.errors.join(", "),
+        errorCode: "INVALID_PASSWORD"
+      };
+    }
+    return {
+      success: true
+      // Auth engine will handle user lookup and password verification
+    };
+  }
+  /**
+   * Store password hash for a user
+   */
+  async setPassword(userId, password) {
+    const validation = this.validatePassword(password);
+    if (!validation.valid) {
+      return { success: false, errors: validation.errors };
+    }
+    const hash = await this.hashPassword(password);
+    await this.storage.set(`password:user:${userId}`, {
+      hash,
+      updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+    });
+    return { success: true };
+  }
+  /**
+   * Verify password for a user
+   */
+  async verifyUserPassword(userId, password) {
+    const data = await this.storage.get(`password:user:${userId}`);
+    if (!data) {
+      return false;
+    }
+    return this.verifyPassword(password, data.hash);
+  }
+  /**
+   * Check if user has password set
+   */
+  async hasPassword(userId) {
+    return this.storage.has(`password:user:${userId}`);
+  }
+  /**
+   * Remove password for a user (switch to passwordless)
+   */
+  async removePassword(userId) {
+    await this.storage.delete(`password:user:${userId}`);
+  }
+  /**
+   * Get provider info
+   */
+  getInfo() {
+    return {
+      name: this.name,
+      type: this.type,
+      enabled: this.enabled,
+      displayName: "Password"
+    };
+  }
+  /**
+   * Constant-time comparison to prevent timing attacks
+   */
+  constantTimeEquals(a, b) {
+    if (a.length !== b.length) {
+      return false;
+    }
+    let result = 0;
+    for (let i = 0; i < a.length; i++) {
+      result |= a[i] ^ b[i];
+    }
+    return result === 0;
+  }
+};
+function createPasswordProvider(storage, config) {
+  return new PasswordProvider(storage, config);
+}
+function toAdapterUser(user, authMethod) {
+  return {
+    id: user.id,
+    email: authMethod?.provider === "email" ? authMethod.providerId : null,
+    phone: authMethod?.provider === "phone" ? authMethod.providerId : null,
+    name: user.displayName ?? null,
+    avatar: user.avatarUrl ?? null,
+    emailVerified: user.emailVerified,
+    phoneVerified: user.phoneVerified,
+    twoFactorEnabled: user.twoFactorEnabled,
+    status: user.status,
+    createdAt: user.insertedAt,
+    updatedAt: user.updatedAt
+  };
+}
+function toAdapterSession(session) {
+  return {
+    id: session.id,
+    userId: session.userId,
+    tenantId: session.currentTenantId ?? null,
+    expiresAt: session.expiresAt,
+    refreshExpiresAt: session.refreshExpiresAt ?? null,
+    deviceType: session.deviceType ?? null,
+    deviceName: session.deviceName ?? null,
+    userAgent: session.userAgent ?? null,
+    ipAddress: session.ipAddress ?? null,
+    status: session.status,
+    createdAt: session.insertedAt,
+    updatedAt: session.updatedAt
+  };
+}
+function toAdapterAuthMethod(method) {
+  return {
+    id: method.id,
+    userId: method.userId,
+    provider: method.provider,
+    providerId: method.providerId,
+    verified: method.verified,
+    metadata: method.metadata ?? void 0,
+    createdAt: method.insertedAt,
+    updatedAt: method.updatedAt
+  };
+}
+function toAdapterTenant(tenant) {
+  return {
+    id: tenant.id,
+    name: tenant.name,
+    slug: tenant.slug,
+    status: tenant.status,
+    createdAt: tenant.insertedAt,
+    updatedAt: tenant.updatedAt
+  };
+}
+function toAdapterMembership(membership, roleName) {
+  return {
+    id: membership.id,
+    userId: membership.userId,
+    tenantId: membership.tenantId,
+    role: roleName ?? "member",
+    permissions: membership.permissions ? Object.keys(membership.permissions) : void 0,
+    status: membership.status,
+    createdAt: membership.insertedAt,
+    updatedAt: membership.updatedAt
+  };
+}
+function createDrizzleAdapter(config) {
+  const { db, schema, softDelete = true } = config;
+  const { users, sessions, authMethods, tenants, tenantMemberships, roles } = schema;
+  return {
+    // ============================================
+    // User Operations
+    // ============================================
+    async createUser(input) {
+      const [user] = await db.insert(users).values({
+        displayName: input.name,
+        avatarUrl: input.avatar,
+        emailVerified: input.emailVerified ?? false,
+        phoneVerified: input.phoneVerified ?? false,
+        twoFactorEnabled: false,
+        status: "active",
+        metadata: {}
+      }).returning();
+      let authMethod;
+      if (input.email) {
+        [authMethod] = await db.insert(authMethods).values({
+          userId: user.id,
+          provider: "email",
+          providerId: input.email.toLowerCase(),
+          verified: input.emailVerified ?? false
+        }).returning();
+      } else if (input.phone) {
+        [authMethod] = await db.insert(authMethods).values({
+          userId: user.id,
+          provider: "phone",
+          providerId: input.phone,
+          verified: input.phoneVerified ?? false
+        }).returning();
+      }
+      return toAdapterUser(user, authMethod);
+    },
+    async findUserById(id) {
+      const [result] = await db.select().from(users).where(and(eq(users.id, id), softDelete ? isNull(users.deletedAt) : void 0)).limit(1);
+      if (!result) return null;
+      const [authMethod] = await db.select().from(authMethods).where(and(eq(authMethods.userId, id), isNull(authMethods.deletedAt))).limit(1);
+      return toAdapterUser(result, authMethod);
+    },
+    async findUserByEmail(email) {
+      const normalizedEmail = email.toLowerCase().trim();
+      const [result] = await db.select({
+        user: users,
+        authMethod: authMethods
+      }).from(authMethods).innerJoin(users, eq(authMethods.userId, users.id)).where(
+        and(
+          eq(authMethods.provider, "email"),
+          eq(authMethods.providerId, normalizedEmail),
+          softDelete ? isNull(users.deletedAt) : void 0
+        )
+      ).limit(1);
+      if (!result) return null;
+      return toAdapterUser(result.user, result.authMethod);
+    },
+    async findUserByPhone(phone) {
+      const [result] = await db.select({
+        user: users,
+        authMethod: authMethods
+      }).from(authMethods).innerJoin(users, eq(authMethods.userId, users.id)).where(
+        and(
+          eq(authMethods.provider, "phone"),
+          eq(authMethods.providerId, phone),
+          softDelete ? isNull(users.deletedAt) : void 0
+        )
+      ).limit(1);
+      if (!result) return null;
+      return toAdapterUser(result.user, result.authMethod);
+    },
+    async updateUser(id, data) {
+      const updateData = {
+        updatedAt: /* @__PURE__ */ new Date()
+      };
+      if (data.name !== void 0) updateData["displayName"] = data.name;
+      if (data.avatar !== void 0) updateData["avatarUrl"] = data.avatar;
+      if (data.emailVerified !== void 0) updateData["emailVerified"] = data.emailVerified;
+      if (data.phoneVerified !== void 0) updateData["phoneVerified"] = data.phoneVerified;
+      if (data.twoFactorEnabled !== void 0) updateData["twoFactorEnabled"] = data.twoFactorEnabled;
+      if (data.status !== void 0) updateData["status"] = data.status;
+      const [user] = await db.update(users).set(updateData).where(eq(users.id, id)).returning();
+      const [authMethod] = await db.select().from(authMethods).where(eq(authMethods.userId, id)).limit(1);
+      return toAdapterUser(user, authMethod);
+    },
+    async deleteUser(id) {
+      if (softDelete) {
+        await db.update(users).set({ deletedAt: /* @__PURE__ */ new Date() }).where(eq(users.id, id));
+      } else {
+        await db.delete(users).where(eq(users.id, id));
+      }
+    },
+    // ============================================
+    // Session Operations
+    // ============================================
+    async createSession(input) {
+      const [session] = await db.insert(sessions).values({
+        userId: input.userId,
+        currentTenantId: input.tenantId,
+        expiresAt: input.expiresAt,
+        refreshExpiresAt: input.refreshExpiresAt,
+        deviceType: input.deviceType,
+        deviceName: input.deviceName,
+        userAgent: input.userAgent,
+        ipAddress: input.ipAddress,
+        status: "active",
+        csrfTokenHash: "",
+        lastActivityAt: /* @__PURE__ */ new Date()
+      }).returning();
+      return toAdapterSession(session);
+    },
+    async findSessionById(id) {
+      const [session] = await db.select().from(sessions).where(and(eq(sessions.id, id), eq(sessions.status, "active"))).limit(1);
+      if (!session) return null;
+      return toAdapterSession(session);
+    },
+    async findSessionsByUserId(userId) {
+      const result = await db.select().from(sessions).where(and(eq(sessions.userId, userId), eq(sessions.status, "active"))).orderBy(desc(sessions.lastActivityAt));
+      return result.map(toAdapterSession);
+    },
+    async updateSession(id, data) {
+      const updateData = {
+        updatedAt: /* @__PURE__ */ new Date()
+      };
+      if (data.tenantId !== void 0) updateData["currentTenantId"] = data.tenantId;
+      if (data.expiresAt !== void 0) updateData["expiresAt"] = data.expiresAt;
+      if (data.refreshExpiresAt !== void 0) updateData["refreshExpiresAt"] = data.refreshExpiresAt;
+      if (data.status !== void 0) updateData["status"] = data.status;
+      const [session] = await db.update(sessions).set(updateData).where(eq(sessions.id, id)).returning();
+      return toAdapterSession(session);
+    },
+    async deleteSession(id) {
+      await db.update(sessions).set({ status: "revoked", revokedAt: /* @__PURE__ */ new Date() }).where(eq(sessions.id, id));
+    },
+    async deleteSessionsByUserId(userId) {
+      await db.update(sessions).set({ status: "revoked", revokedAt: /* @__PURE__ */ new Date() }).where(eq(sessions.userId, userId));
+    },
+    // ============================================
+    // Auth Method Operations
+    // ============================================
+    async createAuthMethod(input) {
+      const [method] = await db.insert(authMethods).values({
+        userId: input.userId,
+        provider: input.provider,
+        providerId: input.providerId,
+        verified: input.verified ?? false,
+        metadata: input.metadata ?? {}
+      }).returning();
+      return toAdapterAuthMethod(method);
+    },
+    async findAuthMethod(provider, providerId) {
+      const [method] = await db.select().from(authMethods).where(
+        and(
+          eq(authMethods.provider, provider),
+          eq(authMethods.providerId, providerId),
+          softDelete ? isNull(authMethods.deletedAt) : void 0
+        )
+      ).limit(1);
+      if (!method) return null;
+      return toAdapterAuthMethod(method);
+    },
+    async findAuthMethodsByUserId(userId) {
+      const result = await db.select().from(authMethods).where(
+        and(eq(authMethods.userId, userId), softDelete ? isNull(authMethods.deletedAt) : void 0)
+      );
+      return result.map(toAdapterAuthMethod);
+    },
+    async deleteAuthMethod(id) {
+      if (softDelete) {
+        await db.update(authMethods).set({ deletedAt: /* @__PURE__ */ new Date() }).where(eq(authMethods.id, id));
+      } else {
+        await db.delete(authMethods).where(eq(authMethods.id, id));
+      }
+    },
+    // ============================================
+    // Tenant Operations (Optional)
+    // ============================================
+    async findTenantById(id) {
+      if (!tenants) return null;
+      const [tenant] = await db.select().from(tenants).where(and(eq(tenants.id, id), softDelete ? isNull(tenants.deletedAt) : void 0)).limit(1);
+      if (!tenant) return null;
+      return toAdapterTenant(tenant);
+    },
+    async findTenantBySlug(slug) {
+      if (!tenants) return null;
+      const [tenant] = await db.select().from(tenants).where(and(eq(tenants.slug, slug), softDelete ? isNull(tenants.deletedAt) : void 0)).limit(1);
+      if (!tenant) return null;
+      return toAdapterTenant(tenant);
+    },
+    // ============================================
+    // Membership Operations (Optional)
+    // ============================================
+    async findMembership(userId, tenantId) {
+      if (!tenantMemberships) return null;
+      const [membership] = await db.select().from(tenantMemberships).where(
+        and(
+          eq(tenantMemberships.userId, userId),
+          eq(tenantMemberships.tenantId, tenantId),
+          softDelete ? isNull(tenantMemberships.deletedAt) : void 0
+        )
+      ).limit(1);
+      if (!membership) return null;
+      let roleName;
+      if (roles && membership.roleId) {
+        const [role] = await db.select().from(roles).where(eq(roles.id, membership.roleId)).limit(1);
+        roleName = role?.name;
+      }
+      return toAdapterMembership(membership, roleName);
+    },
+    async findMembershipsByUserId(userId) {
+      if (!tenantMemberships) return [];
+      const result = await db.select().from(tenantMemberships).where(
+        and(
+          eq(tenantMemberships.userId, userId),
+          eq(tenantMemberships.status, "active"),
+          softDelete ? isNull(tenantMemberships.deletedAt) : void 0
+        )
+      );
+      const membershipsWithRoles = await Promise.all(
+        result.map(async (membership) => {
+          let roleName;
+          if (roles && membership.roleId) {
+            const [role] = await db.select().from(roles).where(eq(roles.id, membership.roleId)).limit(1);
+            roleName = role?.name;
+          }
+          return toAdapterMembership(membership, roleName);
+        })
+      );
+      return membershipsWithRoles;
+    },
+    async createMembership(input) {
+      if (!tenantMemberships) {
+        throw new Error("Tenant memberships table not configured");
+      }
+      let roleId;
+      if (roles && input.role) {
+        const [role] = await db.select().from(roles).where(eq(roles.name, input.role)).limit(1);
+        roleId = role?.id;
+      }
+      const [membership] = await db.insert(tenantMemberships).values({
+        userId: input.userId,
+        tenantId: input.tenantId,
+        roleId: roleId ?? null,
+        status: "active",
+        permissions: input.permissions ? Object.fromEntries(input.permissions.map((p) => [p, true])) : {},
+        accessLevel: "full",
+        resourceRestrictions: {},
+        joinedAt: /* @__PURE__ */ new Date()
+      }).returning();
+      return toAdapterMembership(membership, input.role);
+    },
+    async updateMembership(id, data) {
+      if (!tenantMemberships) {
+        throw new Error("Tenant memberships table not configured");
+      }
+      const updateData = {
+        updatedAt: /* @__PURE__ */ new Date()
+      };
+      if (data.role !== void 0 && roles) {
+        const [role] = await db.select().from(roles).where(eq(roles.name, data.role)).limit(1);
+        updateData["roleId"] = role?.id ?? null;
+      }
+      if (data.status !== void 0) updateData["status"] = data.status;
+      if (data.permissions !== void 0) {
+        updateData["permissions"] = Object.fromEntries(data.permissions.map((p) => [p, true]));
+      }
+      const [membership] = await db.update(tenantMemberships).set(updateData).where(eq(tenantMemberships.id, id)).returning();
+      let roleName;
+      if (roles && membership.roleId) {
+        const [role] = await db.select().from(roles).where(eq(roles.id, membership.roleId)).limit(1);
+        roleName = role?.name;
+      }
+      return toAdapterMembership(membership, roleName);
+    },
+    async deleteMembership(id) {
+      if (!tenantMemberships) return;
+      if (softDelete) {
+        await db.update(tenantMemberships).set({ deletedAt: /* @__PURE__ */ new Date(), status: "inactive" }).where(eq(tenantMemberships.id, id));
+      } else {
+        await db.delete(tenantMemberships).where(eq(tenantMemberships.id, id));
+      }
+    }
+  };
+}
+
+// src/services/email/resend-provider.ts
+var ResendEmailProvider = class {
+  apiKey;
+  fromEmail;
+  fromName;
+  baseUrl;
+  constructor(config) {
+    this.apiKey = config.apiKey;
+    this.fromEmail = config.fromEmail ?? "noreply@example.com";
+    this.fromName = config.fromName ?? "App";
+    this.baseUrl = config.baseUrl ?? "https://api.resend.com";
+  }
+  /**
+   * Send email via Resend API
+   */
+  async sendEmail(options) {
+    const from = options.from ?? `${this.fromName} <${this.fromEmail}>`;
+    try {
+      const response = await fetch(`${this.baseUrl}/emails`, {
+        method: "POST",
+        headers: {
+          "Authorization": `Bearer ${this.apiKey}`,
+          "Content-Type": "application/json"
+        },
+        body: JSON.stringify({
+          from,
+          to: [options.to],
+          subject: options.subject,
+          html: options.html,
+          text: options.text,
+          reply_to: options.replyTo,
+          cc: options.cc,
+          bcc: options.bcc,
+          headers: options.headers,
+          attachments: options.attachments?.map((a) => ({
+            filename: a.filename,
+            content: typeof a.content === "string" ? a.content : a.content.toString("base64"),
+            content_type: a.contentType
+          }))
+        })
+      });
+      if (!response.ok) {
+        const errorData = await response.json().catch(() => ({}));
+        return {
+          success: false,
+          error: errorData["message"] ?? `HTTP ${response.status}: ${response.statusText}`
+        };
+      }
+      const data = await response.json();
+      return {
+        success: true,
+        messageId: data["id"]
+      };
+    } catch (error) {
+      return {
+        success: false,
+        error: error instanceof Error ? error.message : "Unknown error"
+      };
+    }
+  }
+};
+function createResendProvider(config) {
+  return new ResendEmailProvider(config);
+}
+
+// src/services/email/templates/otp.ts
+function generateOTPEmailHTML(options) {
+  const { code, expiresInMinutes, userName, appName } = options;
+  const greeting = userName ? `Hi ${userName}` : "Hello";
+  return `
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Your Verification Code</title>
+</head>
+<body style="margin: 0; padding: 0; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif; background-color: #f8fafc;">
+  <div style="max-width: 600px; margin: 0 auto; padding: 20px;">
+    <div style="background: white; border-radius: 12px; box-shadow: 0 4px 6px rgba(0, 0, 0, 0.07); overflow: hidden;">
+      <!-- Header -->
+      <div style="background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); color: white; text-align: center; padding: 40px 20px;">
+        <h1 style="margin: 0; font-size: 24px; font-weight: 600;">${appName}</h1>
+        <p style="margin: 10px 0 0; opacity: 0.9;">Verification Code</p>
+      </div>
+
+      <!-- Content -->
+      <div style="padding: 40px 30px;">
+        <p style="font-size: 16px; margin-bottom: 20px;">${greeting},</p>
+        <p style="color: #4a5568;">Use the following code to verify your identity:</p>
+
+        <!-- Code Box -->
+        <div style="text-align: center; margin: 30px 0;">
+          <div style="background: linear-gradient(135deg, #f8fafc 0%, #e2e8f0 100%); border: 2px dashed #cbd5e0; border-radius: 12px; padding: 25px; display: inline-block;">
+            <span style="font-size: 36px; font-weight: 700; color: #4c51bf; letter-spacing: 8px; font-family: 'Monaco', 'Menlo', monospace;">
+              ${code}
+            </span>
+          </div>
+        </div>
+
+        <!-- Expiry Warning -->
+        <div style="background: #fef7e0; border: 1px solid #f6e05e; border-radius: 8px; padding: 12px; margin: 20px 0; color: #744210; text-align: center; font-weight: 500;">
+          \u23F1\uFE0F This code expires in ${expiresInMinutes} minutes
+        </div>
+
+        <!-- Security Notice -->
+        <div style="background: #fed7d7; border: 1px solid #fc8181; border-radius: 8px; padding: 12px; margin: 20px 0; color: #c53030; font-size: 14px;">
+          \u{1F512} Never share this code with anyone. ${appName} will never ask for your code.
+        </div>
+
+        <p style="color: #718096; font-size: 14px; margin-top: 30px;">
+          If you didn't request this code, you can safely ignore this email.
+        </p>
+      </div>
+
+      <!-- Footer -->
+      <div style="background: #f7fafc; padding: 20px 30px; text-align: center; border-top: 1px solid #e2e8f0;">
+        <p style="color: #a0aec0; font-size: 12px; margin: 0;">
+          &copy; ${(/* @__PURE__ */ new Date()).getFullYear()} ${appName}. All rights reserved.
+        </p>
+      </div>
+    </div>
+  </div>
+</body>
+</html>
+`;
+}
+function generateOTPEmailText(options) {
+  const { code, expiresInMinutes, userName, appName } = options;
+  const greeting = userName ? `Hi ${userName}` : "Hello";
+  return `${greeting},
+
+Your ${appName} verification code is: ${code}
+
+This code expires in ${expiresInMinutes} minutes.
+
+Never share this code with anyone. ${appName} will never ask for your code.
+
+If you didn't request this code, you can safely ignore this email.
+
+- The ${appName} Team`;
+}
+
+// src/services/email/templates/verification.ts
+function generateVerificationEmailHTML(options) {
+  const { verificationUrl, userName, expiresInHours, appName } = options;
+  const greeting = userName ? `Hi ${userName}` : "Hello";
+  return `
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Verify Your Email</title>
+</head>
+<body style="margin: 0; padding: 0; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif; background-color: #f8fafc;">
+  <div style="max-width: 600px; margin: 0 auto; padding: 20px;">
+    <div style="background: white; border-radius: 12px; box-shadow: 0 4px 6px rgba(0, 0, 0, 0.07); overflow: hidden;">
+      <!-- Header -->
+      <div style="background: linear-gradient(135deg, #10b981 0%, #059669 100%); color: white; text-align: center; padding: 40px 20px;">
+        <h1 style="margin: 0; font-size: 24px; font-weight: 600;">${appName}</h1>
+        <p style="margin: 10px 0 0; opacity: 0.9;">Email Verification</p>
+      </div>
+
+      <!-- Content -->
+      <div style="padding: 40px 30px;">
+        <p style="font-size: 16px; margin-bottom: 20px;">${greeting},</p>
+        <p style="color: #4a5568;">Please verify your email address by clicking the button below:</p>
+
+        <!-- Button -->
+        <div style="text-align: center; margin: 30px 0;">
+          <a href="${verificationUrl}" style="display: inline-block; padding: 14px 32px; background: linear-gradient(135deg, #10b981 0%, #059669 100%); color: white; text-decoration: none; border-radius: 8px; font-weight: 600; font-size: 16px;">
+            Verify Email Address
+          </a>
+        </div>
+
+        <!-- Expiry Notice -->
+        <div style="background: #fef7e0; border: 1px solid #f6e05e; border-radius: 8px; padding: 12px; margin: 20px 0; color: #744210; text-align: center;">
+          \u23F1\uFE0F This link expires in ${expiresInHours} hour${expiresInHours > 1 ? "s" : ""}
+        </div>
+
+        <!-- Alternative Link -->
+        <p style="color: #718096; font-size: 14px; margin-top: 20px;">
+          If the button doesn't work, copy and paste this link into your browser:
+        </p>
+        <p style="background: #f7fafc; padding: 12px; border-radius: 6px; word-break: break-all; font-size: 12px; color: #4a5568;">
+          ${verificationUrl}
+        </p>
+
+        <p style="color: #718096; font-size: 14px; margin-top: 30px;">
+          If you didn't create an account, you can safely ignore this email.
+        </p>
+      </div>
+
+      <!-- Footer -->
+      <div style="background: #f7fafc; padding: 20px 30px; text-align: center; border-top: 1px solid #e2e8f0;">
+        <p style="color: #a0aec0; font-size: 12px; margin: 0;">
+          &copy; ${(/* @__PURE__ */ new Date()).getFullYear()} ${appName}. All rights reserved.
+        </p>
+      </div>
+    </div>
+  </div>
+</body>
+</html>
+`;
+}
+function generateVerificationEmailText(options) {
+  const { verificationUrl, userName, expiresInHours, appName } = options;
+  const greeting = userName ? `Hi ${userName}` : "Hello";
+  return `${greeting},
+
+Please verify your email address by clicking the link below:
+
+${verificationUrl}
+
+This link expires in ${expiresInHours} hour${expiresInHours > 1 ? "s" : ""}.
+
+If you didn't create an account, you can safely ignore this email.
+
+- The ${appName} Team`;
+}
+
+// src/services/email/templates/magic-link.ts
+function generateMagicLinkEmailHTML(options) {
+  const { magicLinkUrl, expiresInMinutes, userName, appName } = options;
+  const greeting = userName ? `Hi ${userName}` : "Hello";
+  return `
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Sign in to ${appName}</title>
+</head>
+<body style="margin: 0; padding: 0; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif; background-color: #f8fafc;">
+  <div style="max-width: 600px; margin: 0 auto; padding: 20px;">
+    <div style="background: white; border-radius: 12px; box-shadow: 0 4px 6px rgba(0, 0, 0, 0.07); overflow: hidden;">
+      <!-- Header -->
+      <div style="background: linear-gradient(135deg, #4f46e5 0%, #7c3aed 100%); color: white; text-align: center; padding: 40px 20px;">
+        <h1 style="margin: 0; font-size: 24px; font-weight: 600;">${appName}</h1>
+        <p style="margin: 10px 0 0; opacity: 0.9;">Sign In Link</p>
+      </div>
+
+      <!-- Content -->
+      <div style="padding: 40px 30px;">
+        <p style="font-size: 16px; margin-bottom: 20px;">${greeting},</p>
+        <p style="color: #4a5568;">Click the button below to sign in to your account:</p>
+
+        <!-- Button -->
+        <div style="text-align: center; margin: 30px 0;">
+          <a href="${magicLinkUrl}" style="display: inline-block; padding: 14px 32px; background: linear-gradient(135deg, #4f46e5 0%, #7c3aed 100%); color: white; text-decoration: none; border-radius: 8px; font-weight: 600; font-size: 16px;">
+            Sign In to ${appName}
+          </a>
+        </div>
+
+        <!-- Expiry Notice -->
+        <div style="background: #fef7e0; border: 1px solid #f6e05e; border-radius: 8px; padding: 12px; margin: 20px 0; color: #744210; text-align: center;">
+          \u23F1\uFE0F This link expires in ${expiresInMinutes} minutes
+        </div>
+
+        <!-- Security Notice -->
+        <div style="background: #e0e7ff; border: 1px solid #818cf8; border-radius: 8px; padding: 12px; margin: 20px 0; color: #3730a3; font-size: 14px;">
+          \u{1F512} This is a single-use link. After you click it, you'll be signed in automatically.
+        </div>
+
+        <!-- Alternative Link -->
+        <p style="color: #718096; font-size: 14px; margin-top: 20px;">
+          If the button doesn't work, copy and paste this link into your browser:
+        </p>
+        <p style="background: #f7fafc; padding: 12px; border-radius: 6px; word-break: break-all; font-size: 12px; color: #4a5568;">
+          ${magicLinkUrl}
+        </p>
+
+        <p style="color: #718096; font-size: 14px; margin-top: 30px;">
+          If you didn't request this sign-in link, you can safely ignore this email.
+        </p>
+      </div>
+
+      <!-- Footer -->
+      <div style="background: #f7fafc; padding: 20px 30px; text-align: center; border-top: 1px solid #e2e8f0;">
+        <p style="color: #a0aec0; font-size: 12px; margin: 0;">
+          &copy; ${(/* @__PURE__ */ new Date()).getFullYear()} ${appName}. All rights reserved.
+        </p>
+      </div>
+    </div>
+  </div>
+</body>
+</html>
+`;
+}
+function generateMagicLinkEmailText(options) {
+  const { magicLinkUrl, expiresInMinutes, userName, appName } = options;
+  const greeting = userName ? `Hi ${userName}` : "Hello";
+  return `${greeting},
+
+Click the link below to sign in to your ${appName} account:
+
+${magicLinkUrl}
+
+This link expires in ${expiresInMinutes} minutes.
+
+This is a single-use link. After you click it, you'll be signed in automatically.
+
+If you didn't request this sign-in link, you can safely ignore this email.
+
+- The ${appName} Team`;
+}
+
+// src/services/email/index.ts
+var EmailService = class {
+  provider;
+  fromEmail;
+  fromName;
+  devMode;
+  constructor(config) {
+    this.devMode = config.devMode ?? process.env["NODE_ENV"] !== "production";
+    this.fromEmail = config.fromEmail ?? process.env["EMAIL_FROM_ADDRESS"] ?? "noreply@example.com";
+    this.fromName = config.fromName ?? process.env["EMAIL_FROM_NAME"] ?? "App";
+    if (config.provider) {
+      this.provider = config.provider;
+    } else {
+      const apiKey = config.apiKey ?? process.env["RESEND_API_KEY"] ?? process.env["EMAIL_API_KEY"];
+      if (!apiKey) {
+        throw new Error("Email API key is required (RESEND_API_KEY or EMAIL_API_KEY)");
+      }
+      this.provider = new ResendEmailProvider({
+        apiKey,
+        fromEmail: this.fromEmail,
+        fromName: this.fromName
+      });
+    }
+  }
+  /**
+   * Send email
+   */
+  async sendEmail(options) {
+    if (this.devMode) {
+      console.log("\u{1F4E7} EMAIL (Development Mode):");
+      console.log("To:", options.to);
+      console.log("Subject:", options.subject);
+      console.log("From:", options.from ?? `${this.fromName} <${this.fromEmail}>`);
+      console.log("Content:", options.html?.substring(0, 200) ?? options.text?.substring(0, 200));
+      console.log("\u2500".repeat(50));
+      return { success: true, messageId: "dev-mode-" + Date.now() };
+    }
+    return this.provider.sendEmail(options);
+  }
+  /**
+   * Send OTP verification email
+   */
+  async sendOTPEmail(options) {
+    const { email, code, expiresInMinutes = 10, userName, appName = this.fromName } = options;
+    return this.sendEmail({
+      to: email,
+      subject: `Your ${appName} Verification Code`,
+      html: generateOTPEmailHTML({ code, expiresInMinutes, userName, appName }),
+      text: generateOTPEmailText({ code, expiresInMinutes, userName, appName })
+    });
+  }
+  /**
+   * Send email verification email
+   */
+  async sendVerificationEmail(options) {
+    const { email, verificationUrl, userName, expiresInHours = 24, appName = this.fromName } = options;
+    return this.sendEmail({
+      to: email,
+      subject: `Verify your ${appName} email`,
+      html: generateVerificationEmailHTML({ verificationUrl, userName, expiresInHours, appName }),
+      text: generateVerificationEmailText({ verificationUrl, userName, expiresInHours, appName })
+    });
+  }
+  /**
+   * Send magic link email
+   */
+  async sendMagicLinkEmail(options) {
+    const { email, magicLinkUrl, expiresInMinutes = 15, userName, appName = this.fromName } = options;
+    return this.sendEmail({
+      to: email,
+      subject: `Sign in to ${appName}`,
+      html: generateMagicLinkEmailHTML({ magicLinkUrl, expiresInMinutes, userName, appName }),
+      text: generateMagicLinkEmailText({ magicLinkUrl, expiresInMinutes, userName, appName })
+    });
+  }
+  /**
+   * Send welcome email
+   */
+  async sendWelcomeEmail(options) {
+    const { email, userName, appName = this.fromName, loginUrl } = options;
+    const greeting = userName ? `Hi ${userName}` : "Welcome";
+    return this.sendEmail({
+      to: email,
+      subject: `Welcome to ${appName}!`,
+      html: `
+        <div style="font-family: sans-serif; max-width: 600px; margin: 0 auto;">
+          <h1>${greeting},</h1>
+          <p>Thank you for joining ${appName}!</p>
+          <p>We're excited to have you on board.</p>
+          ${loginUrl ? `<p><a href="${loginUrl}" style="display: inline-block; padding: 12px 24px; background: #4F46E5; color: white; text-decoration: none; border-radius: 6px;">Get Started</a></p>` : ""}
+          <p>Best regards,<br>The ${appName} Team</p>
+        </div>
+      `,
+      text: `${greeting},
+
+Thank you for joining ${appName}!
+
+We're excited to have you on board.
+
+${loginUrl ? `Get Started: ${loginUrl}
+
+` : ""}Best regards,
+The ${appName} Team`
+    });
+  }
+  /**
+   * Send password reset email
+   */
+  async sendPasswordResetEmail(options) {
+    const { email, resetUrl, expiresInHours = 1, userName, appName = this.fromName } = options;
+    const greeting = userName ? `Hi ${userName}` : "Hello";
+    return this.sendEmail({
+      to: email,
+      subject: `Reset your ${appName} password`,
+      html: `
+        <div style="font-family: sans-serif; max-width: 600px; margin: 0 auto;">
+          <h1>${greeting},</h1>
+          <p>We received a request to reset your password.</p>
+          <p>Click the button below to reset it. This link expires in ${expiresInHours} hour${expiresInHours > 1 ? "s" : ""}.</p>
+          <p><a href="${resetUrl}" style="display: inline-block; padding: 12px 24px; background: #4F46E5; color: white; text-decoration: none; border-radius: 6px;">Reset Password</a></p>
+          <p style="color: #666; font-size: 14px;">If you didn't request this, you can safely ignore this email.</p>
+          <p>Best regards,<br>The ${appName} Team</p>
+        </div>
+      `,
+      text: `${greeting},
+
+We received a request to reset your password.
+
+Click the link below to reset it. This link expires in ${expiresInHours} hour${expiresInHours > 1 ? "s" : ""}.
+
+${resetUrl}
+
+If you didn't request this, you can safely ignore this email.
+
+Best regards,
+The ${appName} Team`
+    });
+  }
+  /**
+   * Send invitation email
+   */
+  async sendInvitationEmail(options) {
+    const {
+      email,
+      invitationUrl,
+      inviterName,
+      organizationName,
+      roleName,
+      expiresInDays = 7,
+      appName = this.fromName
+    } = options;
+    const roleText = roleName ? ` as a ${roleName}` : "";
+    return this.sendEmail({
+      to: email,
+      subject: `You're invited to join ${organizationName} on ${appName}`,
+      html: `
+        <div style="font-family: sans-serif; max-width: 600px; margin: 0 auto;">
+          <h1>You're Invited!</h1>
+          <p>${inviterName} has invited you to join <strong>${organizationName}</strong>${roleText}.</p>
+          <p>Click the button below to accept the invitation. This link expires in ${expiresInDays} day${expiresInDays > 1 ? "s" : ""}.</p>
+          <p><a href="${invitationUrl}" style="display: inline-block; padding: 12px 24px; background: #4F46E5; color: white; text-decoration: none; border-radius: 6px;">Accept Invitation</a></p>
+          <p style="color: #666; font-size: 14px;">If you don't want to join, you can safely ignore this email.</p>
+          <p>Best regards,<br>The ${appName} Team</p>
+        </div>
+      `,
+      text: `You're Invited!
+
+${inviterName} has invited you to join ${organizationName}${roleText}.
+
+Click the link below to accept the invitation. This link expires in ${expiresInDays} day${expiresInDays > 1 ? "s" : ""}.
+
+${invitationUrl}
+
+If you don't want to join, you can safely ignore this email.
+
+Best regards,
+The ${appName} Team`
+    });
+  }
+};
+function createEmailService(config) {
+  return new EmailService(config);
+}
+
+// src/services/sms/netgsm-provider.ts
+var NetGSMProvider = class {
+  config;
+  constructor(config) {
+    this.config = {
+      apiUrl: "https://api.netgsm.com.tr/sms/send/otp",
+      ...config
+    };
+  }
+  /**
+   * Send SMS via NetGSM API
+   */
+  async sendSMS(options) {
+    try {
+      const xmlData = `<?xml version='1.0' encoding='iso-8859-9'?>
+<mainbody>
+  <header>
+    <usercode>${this.escapeXml(this.config.username)}</usercode>
+    <password>${this.escapeXml(this.config.password)}</password>
+    <msgheader>${this.escapeXml(options.from ?? this.config.header)}</msgheader>
+    <encoding>TR</encoding>
+  </header>
+  <body>
+    <msg><![CDATA[${options.message}]]></msg>
+    <no>${this.sanitizePhoneNumber(options.to)}</no>
+  </body>
+</mainbody>`;
+      const response = await fetch(this.config.apiUrl, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/xml"
+        },
+        body: xmlData
+      });
+      if (!response.ok) {
+        return {
+          success: false,
+          error: `HTTP ${response.status}: ${response.statusText}`
+        };
+      }
+      const responseText = await response.text();
+      const result = this.parseResponse(responseText);
+      if (result.success) {
+        return {
+          success: true,
+          messageId: result.code
+        };
+      }
+      return {
+        success: false,
+        error: `NetGSM error code: ${result.code} - ${this.getErrorMessage(result.code ?? "")}`
+      };
+    } catch (error) {
+      return {
+        success: false,
+        error: error instanceof Error ? error.message : "Unknown error"
+      };
+    }
+  }
+  /**
+   * Parse NetGSM XML response
+   */
+  parseResponse(xml) {
+    try {
+      const codeMatch = xml.match(/<code>(.*?)<\/code>/);
+      if (!codeMatch) {
+        const trimmed = xml.trim();
+        if (trimmed.length < 20 && /^\d+$/.test(trimmed)) {
+          if (trimmed === "00" || trimmed === "0") {
+            return { success: true, code: trimmed };
+          }
+          return { success: false, code: trimmed };
+        }
+        return { success: false };
+      }
+      const code = codeMatch[1].trim();
+      if (code === "00" || code === "0" || code.length > 10) {
+        return { success: true, code };
+      }
+      return { success: false, code };
+    } catch {
+      return { success: false };
+    }
+  }
+  /**
+   * Get human-readable error message
+   */
+  getErrorMessage(code) {
+    const errors = {
+      "20": "Message text is missing",
+      "30": "Invalid credentials",
+      "40": "Sender ID not approved",
+      "50": "Invalid recipient number",
+      "51": "Duplicate recipient",
+      "60": "OTP sending blocked",
+      "70": "Incorrect parameter format",
+      "80": "Query limit exceeded",
+      "85": "Same content sent too frequently"
+    };
+    return errors[code] ?? "Unknown error";
+  }
+  /**
+   * Escape XML special characters
+   */
+  escapeXml(unsafe) {
+    return unsafe.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&apos;");
+  }
+  /**
+   * Sanitize phone number
+   */
+  sanitizePhoneNumber(phone) {
+    let cleaned = phone.replace(/[\s\-\(\)]/g, "");
+    if (cleaned.startsWith("+")) {
+      cleaned = cleaned.substring(1);
+    }
+    if (cleaned.startsWith("5") && cleaned.length === 10) {
+      cleaned = "90" + cleaned;
+    }
+    return cleaned;
+  }
+};
+function createNetGSMProvider(config) {
+  return new NetGSMProvider(config);
+}
+
+// src/services/sms/index.ts
+var SMSService = class {
+  provider;
+  senderId;
+  devMode;
+  constructor(config) {
+    this.devMode = config.devMode ?? process.env["NODE_ENV"] !== "production";
+    this.senderId = config.senderId ?? process.env["SMS_SENDER_ID"] ?? "App";
+    this.provider = config.provider ?? null;
+  }
+  /**
+   * Send SMS
+   */
+  async sendSMS(options) {
+    if (this.devMode) {
+      console.log("\u{1F4F1} SMS (Development Mode):");
+      console.log("To:", options.to);
+      console.log("From:", options.from ?? this.senderId);
+      console.log("Message:", options.message);
+      console.log("\u2500".repeat(50));
+      return { success: true, messageId: "dev-mode-" + Date.now() };
+    }
+    if (!this.provider) {
+      return { success: false, error: "SMS provider not configured" };
+    }
+    return this.provider.sendSMS({
+      ...options,
+      from: options.from ?? this.senderId
+    });
+  }
+  /**
+   * Send OTP SMS
+   */
+  async sendOTPSMS(options) {
+    const { phone, code, expiresInMinutes = 10, appName = this.senderId } = options;
+    const message = `Your ${appName} verification code is: ${code}. Valid for ${expiresInMinutes} minutes.`;
+    return this.sendSMS({
+      to: phone,
+      message
+    });
+  }
+};
+function createSMSService(config) {
+  return new SMSService(config);
+}
+
+// src/services/email-verification/index.ts
+var EmailVerificationService = class {
+  storage;
+  config;
+  constructor(storage, config) {
+    this.storage = storage;
+    this.config = {
+      callbackPath: "/auth/verify-email",
+      expiresIn: 86400,
+      // 24 hours
+      tokenLength: 32,
+      ...config
+    };
+  }
+  /**
+   * Create verification token for an email
+   */
+  async createVerificationToken(email, options) {
+    const normalizedEmail = email.toLowerCase().trim();
+    const token = await generateRandomHex(this.config.tokenLength);
+    const tokenHash = await sha256Hex(token);
+    const expiresAt = new Date(Date.now() + this.config.expiresIn * 1e3);
+    await this.deleteTokensByEmail(normalizedEmail);
+    const tokenData = {
+      email: normalizedEmail,
+      tokenHash,
+      expiresAt: expiresAt.toISOString(),
+      createdBy: options?.createdBy
+    };
+    await this.storage.set(`email-verify:hash:${tokenHash}`, tokenData, this.config.expiresIn);
+    await this.storage.set(`email-verify:email:${normalizedEmail}`, tokenHash, this.config.expiresIn);
+    const params = new URLSearchParams({ token });
+    const verificationUrl = `${this.config.baseUrl}${this.config.callbackPath}?${params}`;
+    return {
+      success: true,
+      token,
+      verificationUrl,
+      expiresAt
+    };
+  }
+  /**
+   * Verify an email token
+   */
+  async verifyToken(token) {
+    const tokenHash = await sha256Hex(token);
+    const tokenData = await this.storage.get(`email-verify:hash:${tokenHash}`);
+    if (!tokenData) {
+      return { success: false, error: "Invalid or expired verification token" };
+    }
+    if (tokenData.usedAt) {
+      return { success: false, error: "Verification token already used" };
+    }
+    if (new Date(tokenData.expiresAt) < /* @__PURE__ */ new Date()) {
+      await this.deleteToken(tokenHash);
+      return { success: false, error: "Verification token expired" };
+    }
+    tokenData.usedAt = (/* @__PURE__ */ new Date()).toISOString();
+    await this.storage.set(`email-verify:hash:${tokenHash}`, tokenData, 300);
+    await this.storage.delete(`email-verify:email:${tokenData.email}`);
+    return {
+      success: true,
+      email: tokenData.email
+    };
+  }
+  /**
+   * Check verification status for an email
+   */
+  async getStatus(email) {
+    const normalizedEmail = email.toLowerCase().trim();
+    const tokenHash = await this.storage.get(`email-verify:email:${normalizedEmail}`);
+    if (tokenHash) {
+      const tokenData = await this.storage.get(`email-verify:hash:${tokenHash}`);
+      if (tokenData && !tokenData.usedAt) {
+        return {
+          email: normalizedEmail,
+          verified: false,
+          pendingVerification: true,
+          expiresAt: new Date(tokenData.expiresAt)
+        };
+      }
+    }
+    return {
+      email: normalizedEmail,
+      verified: false,
+      pendingVerification: false
+    };
+  }
+  /**
+   * Resend verification email
+   * Returns a new token for the same email
+   */
+  async resendVerification(email, options) {
+    return this.createVerificationToken(email, options);
+  }
+  /**
+   * Cancel pending verification
+   */
+  async cancelVerification(email) {
+    const normalizedEmail = email.toLowerCase().trim();
+    await this.deleteTokensByEmail(normalizedEmail);
+  }
+  /**
+   * Delete token by hash
+   */
+  async deleteToken(tokenHash) {
+    const tokenData = await this.storage.get(`email-verify:hash:${tokenHash}`);
+    if (tokenData) {
+      await this.storage.delete(`email-verify:email:${tokenData.email}`);
+    }
+    await this.storage.delete(`email-verify:hash:${tokenHash}`);
+  }
+  /**
+   * Delete all tokens for an email
+   */
+  async deleteTokensByEmail(email) {
+    const tokenHash = await this.storage.get(`email-verify:email:${email}`);
+    if (tokenHash) {
+      await this.storage.delete(`email-verify:hash:${tokenHash}`);
+    }
+    await this.storage.delete(`email-verify:email:${email}`);
+  }
+};
+function createEmailVerificationService(storage, config) {
+  return new EmailVerificationService(storage, config);
+}
+
+// src/index.ts
+function createAuth(config) {
+  return createAuthEngine(config);
+}
+
+export { AppleProvider, EmailService, EmailVerificationService, GitHubProvider, GoogleProvider, InvitationService, MagicLinkProvider, MicrosoftProvider, MultiStrategyTenantResolver, NetGSMProvider, OAuthManager, ParsAuthEngine, PasswordProvider, ResendEmailProvider, SMSService, TOTPProvider, TenantManager, TenantResolver, WebAuthnProvider, createAuth, createDrizzleAdapter, createEmailService, createEmailVerificationService, createInvitationService, createMagicLinkProvider, createMultiStrategyResolver, createNetGSMProvider, createOAuthManager, createPasswordProvider, createResendProvider, createSMSService, createTOTPProvider, createTenantManager, createTenantResolver, createWebAuthnProvider, defaultConfig, generatePKCE, generateState, mergeConfig, validateConfig };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map