npm - @payez/next-mvp - Versions diffs - 3.0.0 - Mend

@payez/next-mvp 3.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (654) hide show

package/README.md +782 -0
package/dist/api/auth-handler.d.ts +67 -0
package/dist/api/auth-handler.js +397 -0
package/dist/api/index.d.ts +10 -0
package/dist/api/index.js +19 -0
package/dist/api-handlers/account/change-password.d.ts +9 -0
package/dist/api-handlers/account/change-password.js +112 -0
package/dist/api-handlers/account/masked-info.d.ts +2 -0
package/dist/api-handlers/account/masked-info.js +41 -0
package/dist/api-handlers/account/profile.d.ts +3 -0
package/dist/api-handlers/account/profile.js +63 -0
package/dist/api-handlers/account/recovery/initiate.d.ts +2 -0
package/dist/api-handlers/account/recovery/initiate.js +26 -0
package/dist/api-handlers/account/recovery/send-code.d.ts +2 -0
package/dist/api-handlers/account/recovery/send-code.js +28 -0
package/dist/api-handlers/account/recovery/verify-code.d.ts +2 -0
package/dist/api-handlers/account/recovery/verify-code.js +28 -0
package/dist/api-handlers/account/reset-password.d.ts +2 -0
package/dist/api-handlers/account/reset-password.js +26 -0
package/dist/api-handlers/account/send-code.d.ts +24 -0
package/dist/api-handlers/account/send-code.js +60 -0
package/dist/api-handlers/account/update-phone.d.ts +27 -0
package/dist/api-handlers/account/update-phone.js +64 -0
package/dist/api-handlers/account/validate-password.d.ts +17 -0
package/dist/api-handlers/account/validate-password.js +81 -0
package/dist/api-handlers/account/verify-email.d.ts +26 -0
package/dist/api-handlers/account/verify-email.js +106 -0
package/dist/api-handlers/account/verify-sms.d.ts +26 -0
package/dist/api-handlers/account/verify-sms.js +106 -0
package/dist/api-handlers/admin/analytics.d.ts +20 -0
package/dist/api-handlers/admin/analytics.js +379 -0
package/dist/api-handlers/admin/audit.d.ts +20 -0
package/dist/api-handlers/admin/audit.js +214 -0
package/dist/api-handlers/admin/index.d.ts +21 -0
package/dist/api-handlers/admin/index.js +41 -0
package/dist/api-handlers/admin/redis-sessions.d.ts +36 -0
package/dist/api-handlers/admin/redis-sessions.js +204 -0
package/dist/api-handlers/admin/sessions.d.ts +21 -0
package/dist/api-handlers/admin/sessions.js +284 -0
package/dist/api-handlers/admin/site-logs.d.ts +46 -0
package/dist/api-handlers/admin/site-logs.js +318 -0
package/dist/api-handlers/admin/users.d.ts +20 -0
package/dist/api-handlers/admin/users.js +222 -0
package/dist/api-handlers/admin/vibe-data.d.ts +80 -0
package/dist/api-handlers/admin/vibe-data.js +268 -0
package/dist/api-handlers/anon/preferences.d.ts +37 -0
package/dist/api-handlers/anon/preferences.js +96 -0
package/dist/api-handlers/auth/jwks.d.ts +2 -0
package/dist/api-handlers/auth/jwks.js +24 -0
package/dist/api-handlers/auth/login.d.ts +42 -0
package/dist/api-handlers/auth/login.js +178 -0
package/dist/api-handlers/auth/refresh.d.ts +74 -0
package/dist/api-handlers/auth/refresh.js +635 -0
package/dist/api-handlers/auth/signout.d.ts +37 -0
package/dist/api-handlers/auth/signout.js +187 -0
package/dist/api-handlers/auth/status.d.ts +8 -0
package/dist/api-handlers/auth/status.js +26 -0
package/dist/api-handlers/auth/update-session.d.ts +37 -0
package/dist/api-handlers/auth/update-session.js +95 -0
package/dist/api-handlers/auth/validate.d.ts +6 -0
package/dist/api-handlers/auth/validate.js +43 -0
package/dist/api-handlers/auth/verify-code.d.ts +43 -0
package/dist/api-handlers/auth/verify-code.js +94 -0
package/dist/api-handlers/session/refresh-viability.d.ts +14 -0
package/dist/api-handlers/session/refresh-viability.js +39 -0
package/dist/api-handlers/session/viability.d.ts +13 -0
package/dist/api-handlers/session/viability.js +146 -0
package/dist/api-handlers/test/force-expire.d.ts +23 -0
package/dist/api-handlers/test/force-expire.js +65 -0
package/dist/auth/auth-decision.d.ts +39 -0
package/dist/auth/auth-decision.js +182 -0
package/dist/auth/auth-options.d.ts +57 -0
package/dist/auth/auth-options.js +213 -0
package/dist/auth/callbacks/index.d.ts +6 -0
package/dist/auth/callbacks/index.js +12 -0
package/dist/auth/callbacks/jwt.d.ts +45 -0
package/dist/auth/callbacks/jwt.js +305 -0
package/dist/auth/callbacks/session.d.ts +60 -0
package/dist/auth/callbacks/session.js +170 -0
package/dist/auth/callbacks/signin.d.ts +23 -0
package/dist/auth/callbacks/signin.js +44 -0
package/dist/auth/events/index.d.ts +4 -0
package/dist/auth/events/index.js +8 -0
package/dist/auth/events/signout.d.ts +17 -0
package/dist/auth/events/signout.js +32 -0
package/dist/auth/providers/credentials.d.ts +32 -0
package/dist/auth/providers/credentials.js +223 -0
package/dist/auth/providers/index.d.ts +5 -0
package/dist/auth/providers/index.js +21 -0
package/dist/auth/providers/oauth.d.ts +26 -0
package/dist/auth/providers/oauth.js +105 -0
package/dist/auth/route-config.d.ts +66 -0
package/dist/auth/route-config.js +190 -0
package/dist/auth/types/auth-types.d.ts +417 -0
package/dist/auth/types/auth-types.js +53 -0
package/dist/auth/types/index.d.ts +6 -0
package/dist/auth/types/index.js +22 -0
package/dist/auth/unauthenticated-routes.d.ts +1 -0
package/dist/auth/unauthenticated-routes.js +19 -0
package/dist/auth/utils/idp-client.d.ts +94 -0
package/dist/auth/utils/idp-client.js +383 -0
package/dist/auth/utils/index.d.ts +5 -0
package/dist/auth/utils/index.js +21 -0
package/dist/auth/utils/token-utils.d.ts +84 -0
package/dist/auth/utils/token-utils.js +219 -0
package/dist/client/AuthContext.d.ts +19 -0
package/dist/client/AuthContext.js +112 -0
package/dist/client/fetch-with-auth.d.ts +11 -0
package/dist/client/fetch-with-auth.js +44 -0
package/dist/client/fetchWithSession.d.ts +3 -0
package/dist/client/fetchWithSession.js +24 -0
package/dist/client/index.d.ts +9 -0
package/dist/client/index.js +20 -0
package/dist/client/useAnonSession.d.ts +36 -0
package/dist/client/useAnonSession.js +99 -0
package/dist/components/SessionSync.d.ts +13 -0
package/dist/components/SessionSync.js +119 -0
package/dist/components/SignalRHealthCheck.d.ts +10 -0
package/dist/components/SignalRHealthCheck.js +97 -0
package/dist/components/account/UserAvatarMenu.d.ts +20 -0
package/dist/components/account/UserAvatarMenu.js +80 -0
package/dist/components/account/index.d.ts +7 -0
package/dist/components/account/index.js +10 -0
package/dist/components/admin/AlertSettingsTab.d.ts +48 -0
package/dist/components/admin/AlertSettingsTab.js +351 -0
package/dist/components/admin/AnalyticsTab.d.ts +22 -0
package/dist/components/admin/AnalyticsTab.js +167 -0
package/dist/components/admin/DataBrowserTab.d.ts +19 -0
package/dist/components/admin/DataBrowserTab.js +252 -0
package/dist/components/admin/LoggingSettingsTab.d.ts +73 -0
package/dist/components/admin/LoggingSettingsTab.js +339 -0
package/dist/components/admin/SessionsTab.d.ts +37 -0
package/dist/components/admin/SessionsTab.js +165 -0
package/dist/components/admin/StatsTab.d.ts +53 -0
package/dist/components/admin/StatsTab.js +161 -0
package/dist/components/admin/VibeAdminContext.d.ts +32 -0
package/dist/components/admin/VibeAdminContext.js +38 -0
package/dist/components/admin/VibeAdminLayout.d.ts +11 -0
package/dist/components/admin/VibeAdminLayout.js +69 -0
package/dist/components/admin/index.d.ts +29 -0
package/dist/components/admin/index.js +44 -0
package/dist/components/auth/FederatedAuthSection.d.ts +8 -0
package/dist/components/auth/FederatedAuthSection.js +45 -0
package/dist/components/auth/ModeAwareLoginPage.d.ts +10 -0
package/dist/components/auth/ModeAwareLoginPage.js +42 -0
package/dist/components/auth/ModeAwareSignupPage.d.ts +9 -0
package/dist/components/auth/ModeAwareSignupPage.js +78 -0
package/dist/components/auth/TraditionalAuthSection.d.ts +14 -0
package/dist/components/auth/TraditionalAuthSection.js +20 -0
package/dist/components/recovery/CompleteStep.d.ts +5 -0
package/dist/components/recovery/CompleteStep.js +8 -0
package/dist/components/recovery/InitiateRecoveryStep.d.ts +8 -0
package/dist/components/recovery/InitiateRecoveryStep.js +20 -0
package/dist/components/recovery/SelectMethodStep.d.ts +8 -0
package/dist/components/recovery/SelectMethodStep.js +8 -0
package/dist/components/recovery/SetPasswordStep.d.ts +6 -0
package/dist/components/recovery/SetPasswordStep.js +20 -0
package/dist/components/recovery/VerifyCodeStep.d.ts +10 -0
package/dist/components/recovery/VerifyCodeStep.js +24 -0
package/dist/components/reserved/ReservedRecoveryWarning.d.ts +38 -0
package/dist/components/reserved/ReservedRecoveryWarning.js +92 -0
package/dist/components/reserved/ReservedStatusBox.d.ts +30 -0
package/dist/components/reserved/ReservedStatusBox.js +71 -0
package/dist/components/ui/BetaBadge.d.ts +29 -0
package/dist/components/ui/BetaBadge.js +38 -0
package/dist/components/ui/Footer.d.ts +37 -0
package/dist/components/ui/Footer.js +41 -0
package/dist/config/env.d.ts +66 -0
package/dist/config/env.js +57 -0
package/dist/config/logger.d.ts +57 -0
package/dist/config/logger.js +73 -0
package/dist/config/logging-config.d.ts +30 -0
package/dist/config/logging-config.js +122 -0
package/dist/config/unauthenticated-routes.d.ts +17 -0
package/dist/config/unauthenticated-routes.js +24 -0
package/dist/config/vibe-log-transport.d.ts +79 -0
package/dist/config/vibe-log-transport.js +203 -0
package/dist/edge/internal-api-url.d.ts +53 -0
package/dist/edge/internal-api-url.js +63 -0
package/dist/edge/middleware.d.ts +14 -0
package/dist/edge/middleware.js +32 -0
package/dist/hooks/useAuth.d.ts +23 -0
package/dist/hooks/useAuth.js +81 -0
package/dist/hooks/useAuthSettings.d.ts +59 -0
package/dist/hooks/useAuthSettings.js +93 -0
package/dist/hooks/useAvailableProviders.d.ts +45 -0
package/dist/hooks/useAvailableProviders.js +108 -0
package/dist/hooks/usePasswordValidation.d.ts +27 -0
package/dist/hooks/usePasswordValidation.js +102 -0
package/dist/hooks/useProfile.d.ts +15 -0
package/dist/hooks/useProfile.js +59 -0
package/dist/hooks/usePublicAuthSettings.d.ts +56 -0
package/dist/hooks/usePublicAuthSettings.js +131 -0
package/dist/hooks/useSessionExpiration.d.ts +57 -0
package/dist/hooks/useSessionExpiration.js +72 -0
package/dist/hooks/useViabilitySession.d.ts +75 -0
package/dist/hooks/useViabilitySession.js +268 -0
package/dist/index.d.ts +12 -0
package/dist/index.js +54 -0
package/dist/lib/anon-session.d.ts +74 -0
package/dist/lib/anon-session.js +169 -0
package/dist/lib/api-handler.d.ts +123 -0
package/dist/lib/api-handler.js +478 -0
package/dist/lib/app-slug.d.ts +95 -0
package/dist/lib/app-slug.js +172 -0
package/dist/lib/demo-mode.d.ts +6 -0
package/dist/lib/demo-mode.js +16 -0
package/dist/lib/geolocation.d.ts +64 -0
package/dist/lib/geolocation.js +235 -0
package/dist/lib/idp-client-config.d.ts +75 -0
package/dist/lib/idp-client-config.js +351 -0
package/dist/lib/idp-fetch.d.ts +14 -0
package/dist/lib/idp-fetch.js +91 -0
package/dist/lib/internal-api.d.ts +87 -0
package/dist/lib/internal-api.js +122 -0
package/dist/lib/jwt-decode-client.d.ts +10 -0
package/dist/lib/jwt-decode-client.js +46 -0
package/dist/lib/jwt-decode.d.ts +48 -0
package/dist/lib/jwt-decode.js +57 -0
package/dist/lib/nextauth-secret.d.ts +10 -0
package/dist/lib/nextauth-secret.js +104 -0
package/dist/lib/rate-limit-service.d.ts +23 -0
package/dist/lib/rate-limit-service.js +6 -0
package/dist/lib/redis.d.ts +5 -0
package/dist/lib/redis.js +28 -0
package/dist/lib/refresh-token-validator.d.ts +13 -0
package/dist/lib/refresh-token-validator.js +117 -0
package/dist/lib/roles.d.ts +145 -0
package/dist/lib/roles.js +168 -0
package/dist/lib/secret-validation.d.ts +4 -0
package/dist/lib/secret-validation.js +14 -0
package/dist/lib/session-store.d.ts +166 -0
package/dist/lib/session-store.js +537 -0
package/dist/lib/session.d.ts +21 -0
package/dist/lib/session.js +26 -0
package/dist/lib/site-logger.d.ts +214 -0
package/dist/lib/site-logger.js +210 -0
package/dist/lib/standardized-client-api.d.ts +161 -0
package/dist/lib/standardized-client-api.js +786 -0
package/dist/lib/startup-init.d.ts +40 -0
package/dist/lib/startup-init.js +261 -0
package/dist/lib/test-aware-get-token.d.ts +2 -0
package/dist/lib/test-aware-get-token.js +81 -0
package/dist/lib/token-expiry.d.ts +14 -0
package/dist/lib/token-expiry.js +39 -0
package/dist/lib/token-lifecycle.d.ts +52 -0
package/dist/lib/token-lifecycle.js +398 -0
package/dist/lib/types/api-responses.d.ts +128 -0
package/dist/lib/types/api-responses.js +171 -0
package/dist/lib/user-agent-parser.d.ts +50 -0
package/dist/lib/user-agent-parser.js +220 -0
package/dist/logging/api/admin-analytics.d.ts +3 -0
package/dist/logging/api/admin-analytics.js +45 -0
package/dist/logging/api/audit-log.d.ts +3 -0
package/dist/logging/api/audit-log.js +52 -0
package/dist/logging/components/AdminAnalyticsLayout.d.ts +10 -0
package/dist/logging/components/AdminAnalyticsLayout.js +11 -0
package/dist/logging/components/AuditLogViewer.d.ts +7 -0
package/dist/logging/components/AuditLogViewer.js +51 -0
package/dist/logging/components/ErrorMetricsCard.d.ts +7 -0
package/dist/logging/components/ErrorMetricsCard.js +16 -0
package/dist/logging/components/HealthMetricsCard.d.ts +7 -0
package/dist/logging/components/HealthMetricsCard.js +19 -0
package/dist/logging/hooks/useAdminAnalytics.d.ts +24 -0
package/dist/logging/hooks/useAdminAnalytics.js +22 -0
package/dist/logging/hooks/useAuditLog.d.ts +6 -0
package/dist/logging/hooks/useAuditLog.js +25 -0
package/dist/logging/hooks/useErrorMetrics.d.ts +6 -0
package/dist/logging/hooks/useErrorMetrics.js +38 -0
package/dist/logging/hooks/useHealthMetrics.d.ts +6 -0
package/dist/logging/hooks/useHealthMetrics.js +41 -0
package/dist/logging/index.d.ts +11 -0
package/dist/logging/index.js +40 -0
package/dist/logging/types/analytics.d.ts +68 -0
package/dist/logging/types/analytics.js +3 -0
package/dist/logging/types/audit.d.ts +29 -0
package/dist/logging/types/audit.js +2 -0
package/dist/logging/types/index.d.ts +2 -0
package/dist/logging/types/index.js +19 -0
package/dist/middleware/auth-decision.d.ts +33 -0
package/dist/middleware/auth-decision.js +65 -0
package/dist/middleware/create-middleware.d.ts +100 -0
package/dist/middleware/create-middleware.js +445 -0
package/dist/middleware/rbac-check.d.ts +44 -0
package/dist/middleware/rbac-check.js +191 -0
package/dist/middleware/twofa-presets.d.ts +134 -0
package/dist/middleware/twofa-presets.js +175 -0
package/dist/models/DecodedAccessToken.d.ts +17 -0
package/dist/models/DecodedAccessToken.js +2 -0
package/dist/models/SessionModel.d.ts +122 -0
package/dist/models/SessionModel.js +136 -0
package/dist/pages/admin-login/page.d.ts +31 -0
package/dist/pages/admin-login/page.js +83 -0
package/dist/pages/admin-roles/RolesAdminPage.d.ts +15 -0
package/dist/pages/admin-roles/RolesAdminPage.js +78 -0
package/dist/pages/admin-roles/index.d.ts +8 -0
package/dist/pages/admin-roles/index.js +15 -0
package/dist/pages/admin-roles/modals.d.ts +72 -0
package/dist/pages/admin-roles/modals.js +154 -0
package/dist/pages/client-admin/ClientSiteAdminPage.d.ts +79 -0
package/dist/pages/client-admin/ClientSiteAdminPage.js +177 -0
package/dist/pages/client-admin/index.d.ts +32 -0
package/dist/pages/client-admin/index.js +37 -0
package/dist/pages/login/page.d.ts +22 -0
package/dist/pages/login/page.js +239 -0
package/dist/pages/profile/EnhancedProfilePage.d.ts +13 -0
package/dist/pages/profile/EnhancedProfilePage.js +150 -0
package/dist/pages/profile/index.d.ts +8 -0
package/dist/pages/profile/index.js +16 -0
package/dist/pages/profile/page.d.ts +19 -0
package/dist/pages/profile/page.js +47 -0
package/dist/pages/profile/profile-patch.d.ts +1 -0
package/dist/pages/profile/profile-patch.js +281 -0
package/dist/pages/recovery/page.d.ts +1 -0
package/dist/pages/recovery/page.js +142 -0
package/dist/pages/roles/MyRolesPage.d.ts +24 -0
package/dist/pages/roles/MyRolesPage.js +71 -0
package/dist/pages/roles/components.d.ts +63 -0
package/dist/pages/roles/components.js +108 -0
package/dist/pages/roles/index.d.ts +8 -0
package/dist/pages/roles/index.js +19 -0
package/dist/pages/security/EnhancedSecurityPage.d.ts +14 -0
package/dist/pages/security/EnhancedSecurityPage.js +248 -0
package/dist/pages/security/index.d.ts +8 -0
package/dist/pages/security/index.js +16 -0
package/dist/pages/security/page.d.ts +21 -0
package/dist/pages/security/page.js +212 -0
package/dist/pages/security/security-patch.d.ts +1 -0
package/dist/pages/security/security-patch.js +302 -0
package/dist/pages/settings/EnhancedSettingsPage.d.ts +46 -0
package/dist/pages/settings/EnhancedSettingsPage.js +231 -0
package/dist/pages/settings/index.d.ts +8 -0
package/dist/pages/settings/index.js +16 -0
package/dist/pages/settings/page.d.ts +7 -0
package/dist/pages/settings/page.js +26 -0
package/dist/pages/showcase/ShowcasePage.d.ts +13 -0
package/dist/pages/showcase/ShowcasePage.js +140 -0
package/dist/pages/showcase/index.d.ts +12 -0
package/dist/pages/showcase/index.js +17 -0
package/dist/pages/test-env/EmergencyLogoutPage.d.ts +14 -0
package/dist/pages/test-env/EmergencyLogoutPage.js +98 -0
package/dist/pages/test-env/JwtInspectPage.d.ts +14 -0
package/dist/pages/test-env/JwtInspectPage.js +114 -0
package/dist/pages/test-env/RefreshTokenPage.d.ts +15 -0
package/dist/pages/test-env/RefreshTokenPage.js +91 -0
package/dist/pages/test-env/TestEnvPage.d.ts +13 -0
package/dist/pages/test-env/TestEnvPage.js +49 -0
package/dist/pages/test-env/index.d.ts +24 -0
package/dist/pages/test-env/index.js +32 -0
package/dist/pages/verify-code/page.d.ts +30 -0
package/dist/pages/verify-code/page.js +408 -0
package/dist/routes/account/index.d.ts +28 -0
package/dist/routes/account/index.js +71 -0
package/dist/routes/account/masked-info.d.ts +33 -0
package/dist/routes/account/masked-info.js +39 -0
package/dist/routes/account/send-code.d.ts +37 -0
package/dist/routes/account/send-code.js +42 -0
package/dist/routes/account/update-phone.d.ts +13 -0
package/dist/routes/account/update-phone.js +17 -0
package/dist/routes/account/verify-email.d.ts +38 -0
package/dist/routes/account/verify-email.js +43 -0
package/dist/routes/account/verify-sms.d.ts +38 -0
package/dist/routes/account/verify-sms.js +43 -0
package/dist/routes/auth/index.d.ts +19 -0
package/dist/routes/auth/index.js +64 -0
package/dist/routes/auth/logout.d.ts +31 -0
package/dist/routes/auth/logout.js +113 -0
package/dist/routes/auth/nextauth.d.ts +19 -0
package/dist/routes/auth/nextauth.js +72 -0
package/dist/routes/auth/refresh.d.ts +30 -0
package/dist/routes/auth/refresh.js +51 -0
package/dist/routes/auth/session.d.ts +72 -0
package/dist/routes/auth/session.js +180 -0
package/dist/routes/auth/settings.d.ts +25 -0
package/dist/routes/auth/settings.js +55 -0
package/dist/routes/auth/viability.d.ts +52 -0
package/dist/routes/auth/viability.js +201 -0
package/dist/routes/index.d.ts +12 -0
package/dist/routes/index.js +54 -0
package/dist/routes/session/index.d.ts +6 -0
package/dist/routes/session/index.js +10 -0
package/dist/routes/session/refresh-viability.d.ts +16 -0
package/dist/routes/session/refresh-viability.js +20 -0
package/dist/services/signalrActivityService.d.ts +44 -0
package/dist/services/signalrActivityService.js +257 -0
package/dist/stores/authStore.d.ts +154 -0
package/dist/stores/authStore.js +1531 -0
package/dist/theme/ThemeProvider.d.ts +14 -0
package/dist/theme/ThemeProvider.js +28 -0
package/dist/theme/default.d.ts +8 -0
package/dist/theme/default.js +33 -0
package/dist/theme/index.d.ts +15 -0
package/dist/theme/index.js +25 -0
package/dist/theme/types.d.ts +56 -0
package/dist/theme/types.js +8 -0
package/dist/theme/useTheme.d.ts +60 -0
package/dist/theme/useTheme.js +63 -0
package/dist/theme/utils.d.ts +13 -0
package/dist/theme/utils.js +39 -0
package/dist/types/api.d.ts +134 -0
package/dist/types/api.js +44 -0
package/dist/types/auth.d.ts +19 -0
package/dist/types/auth.js +2 -0
package/dist/types/logging.d.ts +42 -0
package/dist/types/logging.js +2 -0
package/dist/types/recovery.d.ts +48 -0
package/dist/types/recovery.js +2 -0
package/dist/types/security.d.ts +1 -0
package/dist/types/security.js +2 -0
package/dist/utils/api.d.ts +85 -0
package/dist/utils/api.js +287 -0
package/dist/utils/circuitBreaker.d.ts +43 -0
package/dist/utils/circuitBreaker.js +91 -0
package/dist/utils/error-message.d.ts +1 -0
package/dist/utils/error-message.js +103 -0
package/dist/utils/layout/reservedSpace.d.ts +59 -0
package/dist/utils/layout/reservedSpace.js +102 -0
package/dist/utils/logout.d.ts +14 -0
package/dist/utils/logout.js +32 -0
package/dist/vibe/client.d.ts +261 -0
package/dist/vibe/client.js +445 -0
package/dist/vibe/errors.d.ts +83 -0
package/dist/vibe/errors.js +146 -0
package/dist/vibe/generic.d.ts +234 -0
package/dist/vibe/generic.js +369 -0
package/dist/vibe/hooks/index.d.ts +169 -0
package/dist/vibe/hooks/index.js +252 -0
package/dist/vibe/index.d.ts +23 -0
package/dist/vibe/index.js +67 -0
package/dist/vibe/sessions.d.ts +161 -0
package/dist/vibe/sessions.js +391 -0
package/dist/vibe/types.d.ts +353 -0
package/dist/vibe/types.js +315 -0
package/package.json +855 -0
package/scripts/check-internal-url-usage.sh +73 -0
package/scripts/dev-broker.ps1 +35 -0
package/scripts/dev-local.ps1 +45 -0
package/src/api/auth-handler.ts +550 -0
package/src/api/index.ts +18 -0
package/src/api-handlers/account/change-password.ts +145 -0
package/src/api-handlers/account/masked-info.ts +45 -0
package/src/api-handlers/account/profile.ts +80 -0
package/src/api-handlers/account/recovery/initiate.ts +23 -0
package/src/api-handlers/account/recovery/send-code.ts +25 -0
package/src/api-handlers/account/recovery/verify-code.ts +25 -0
package/src/api-handlers/account/reset-password.ts +23 -0
package/src/api-handlers/account/send-code.ts +76 -0
package/src/api-handlers/account/update-phone.ts +79 -0
package/src/api-handlers/account/validate-password.ts +118 -0
package/src/api-handlers/account/verify-email.ts +125 -0
package/src/api-handlers/account/verify-sms.ts +125 -0
package/src/api-handlers/admin/analytics.ts +445 -0
package/src/api-handlers/admin/audit.ts +225 -0
package/src/api-handlers/admin/index.ts +59 -0
package/src/api-handlers/admin/redis-sessions.ts +253 -0
package/src/api-handlers/admin/sessions.ts +320 -0
package/src/api-handlers/admin/site-logs.ts +367 -0
package/src/api-handlers/admin/users.ts +244 -0
package/src/api-handlers/admin/vibe-data.ts +326 -0
package/src/api-handlers/anon/preferences.ts +123 -0
package/src/api-handlers/auth/jwks.ts +20 -0
package/src/api-handlers/auth/login.ts +240 -0
package/src/api-handlers/auth/refresh.ts +687 -0
package/src/api-handlers/auth/signout.ts +212 -0
package/src/api-handlers/auth/status.ts +23 -0
package/src/api-handlers/auth/update-session.ts +125 -0
package/src/api-handlers/auth/validate.ts +44 -0
package/src/api-handlers/auth/verify-code.ts +129 -0
package/src/api-handlers/session/refresh-viability.ts +36 -0
package/src/api-handlers/session/viability.ts +166 -0
package/src/api-handlers/test/force-expire.ts +67 -0
package/src/auth/auth-decision.ts +230 -0
package/src/auth/auth-options.ts +237 -0
package/src/auth/callbacks/index.ts +7 -0
package/src/auth/callbacks/jwt.ts +382 -0
package/src/auth/callbacks/session.ts +243 -0
package/src/auth/callbacks/signin.ts +56 -0
package/src/auth/events/index.ts +5 -0
package/src/auth/events/signout.ts +33 -0
package/src/auth/providers/credentials.ts +256 -0
package/src/auth/providers/index.ts +6 -0
package/src/auth/providers/oauth.ts +114 -0
package/src/auth/route-config.ts +220 -0
package/src/auth/types/auth-types.ts +555 -0
package/src/auth/types/index.ts +7 -0
package/src/auth/unauthenticated-routes.ts +3 -0
package/src/auth/utils/idp-client.ts +444 -0
package/src/auth/utils/index.ts +6 -0
package/src/auth/utils/token-utils.ts +244 -0
package/src/client/AuthContext.tsx +140 -0
package/src/client/fetch-with-auth.ts +48 -0
package/src/client/fetchWithSession.ts +21 -0
package/src/client/index.ts +13 -0
package/src/client/useAnonSession.ts +131 -0
package/src/components/SessionSync.tsx +137 -0
package/src/components/SignalRHealthCheck.tsx +131 -0
package/src/components/account/UserAvatarMenu.tsx +217 -0
package/src/components/account/index.ts +8 -0
package/src/components/admin/AlertSettingsTab.tsx +728 -0
package/src/components/admin/AnalyticsTab.tsx +703 -0
package/src/components/admin/DataBrowserTab.tsx +505 -0
package/src/components/admin/LoggingSettingsTab.tsx +665 -0
package/src/components/admin/SessionsTab.tsx +414 -0
package/src/components/admin/StatsTab.tsx +379 -0
package/src/components/admin/VibeAdminContext.tsx +87 -0
package/src/components/admin/VibeAdminLayout.tsx +185 -0
package/src/components/admin/index.ts +59 -0
package/src/components/auth/FederatedAuthSection.tsx +95 -0
package/src/components/auth/ModeAwareLoginPage.tsx +135 -0
package/src/components/auth/ModeAwareSignupPage.tsx +267 -0
package/src/components/auth/TraditionalAuthSection.tsx +99 -0
package/src/components/recovery/CompleteStep.tsx +36 -0
package/src/components/recovery/InitiateRecoveryStep.tsx +68 -0
package/src/components/recovery/SelectMethodStep.tsx +73 -0
package/src/components/recovery/SetPasswordStep.tsx +97 -0
package/src/components/recovery/VerifyCodeStep.tsx +90 -0
package/src/components/reserved/ReservedRecoveryWarning.tsx +160 -0
package/src/components/reserved/ReservedStatusBox.tsx +118 -0
package/src/components/ui/BetaBadge.tsx +58 -0
package/src/components/ui/Footer.tsx +93 -0
package/src/config/env.ts +57 -0
package/src/config/logger.ts +62 -0
package/src/config/logging-config.ts +82 -0
package/src/config/unauthenticated-routes.ts +19 -0
package/src/config/vibe-log-transport.ts +250 -0
package/src/edge/internal-api-url.ts +65 -0
package/src/edge/middleware.ts +42 -0
package/src/hooks/useAuth.ts +115 -0
package/src/hooks/useAuthSettings.ts +97 -0
package/src/hooks/useAvailableProviders.ts +118 -0
package/src/hooks/usePasswordValidation.ts +127 -0
package/src/hooks/useProfile.ts +75 -0
package/src/hooks/usePublicAuthSettings.ts +149 -0
package/src/hooks/useSessionExpiration.ts +102 -0
package/src/hooks/useViabilitySession.ts +335 -0
package/src/index.ts +63 -0
package/src/lib/anon-session.ts +213 -0
package/src/lib/api-handler.ts +625 -0
package/src/lib/app-slug.ts +178 -0
package/src/lib/demo-mode.ts +13 -0
package/src/lib/geolocation.ts +265 -0
package/src/lib/idp-client-config.ts +442 -0
package/src/lib/idp-fetch.ts +101 -0
package/src/lib/internal-api.ts +171 -0
package/src/lib/jwt-decode-client.ts +45 -0
package/src/lib/jwt-decode.ts +83 -0
package/src/lib/nextauth-secret.ts +126 -0
package/src/lib/rate-limit-service.ts +9 -0
package/src/lib/redis.ts +27 -0
package/src/lib/refresh-token-validator.ts +64 -0
package/src/lib/roles.ts +177 -0
package/src/lib/secret-validation.ts +8 -0
package/src/lib/session-store.ts +637 -0
package/src/lib/session.ts +34 -0
package/src/lib/site-logger.ts +245 -0
package/src/lib/standardized-client-api.ts +896 -0
package/src/lib/startup-init.ts +247 -0
package/src/lib/test-aware-get-token.ts +30 -0
package/src/lib/token-expiry.ts +40 -0
package/src/lib/token-lifecycle.ts +477 -0
package/src/lib/types/api-responses.ts +336 -0
package/src/lib/user-agent-parser.ts +252 -0
package/src/logging/api/admin-analytics.ts +51 -0
package/src/logging/api/audit-log.ts +53 -0
package/src/logging/components/AdminAnalyticsLayout.tsx +49 -0
package/src/logging/components/AuditLogViewer.tsx +125 -0
package/src/logging/components/ErrorMetricsCard.tsx +98 -0
package/src/logging/components/HealthMetricsCard.tsx +70 -0
package/src/logging/hooks/useAdminAnalytics.ts +22 -0
package/src/logging/hooks/useAuditLog.ts +24 -0
package/src/logging/hooks/useErrorMetrics.ts +40 -0
package/src/logging/hooks/useHealthMetrics.ts +44 -0
package/src/logging/index.ts +18 -0
package/src/logging/types/analytics.ts +81 -0
package/src/logging/types/audit.ts +31 -0
package/src/logging/types/index.ts +3 -0
package/src/middleware/auth-decision.ts +43 -0
package/src/middleware/create-middleware.ts +626 -0
package/src/middleware/rbac-check.ts +244 -0
package/src/middleware/twofa-presets.ts +224 -0
package/src/models/DecodedAccessToken.ts +17 -0
package/src/models/SessionModel.ts +258 -0
package/src/pages/admin-login/page.tsx +229 -0
package/src/pages/admin-roles/RolesAdminPage.tsx +357 -0
package/src/pages/admin-roles/index.ts +9 -0
package/src/pages/admin-roles/modals.tsx +469 -0
package/src/pages/client-admin/ClientSiteAdminPage.tsx +380 -0
package/src/pages/client-admin/index.ts +33 -0
package/src/pages/login/page.tsx +463 -0
package/src/pages/profile/EnhancedProfilePage.tsx +479 -0
package/src/pages/profile/index.ts +9 -0
package/src/pages/profile/page.tsx +166 -0
package/src/pages/recovery/page.tsx +234 -0
package/src/pages/roles/MyRolesPage.tsx +211 -0
package/src/pages/roles/components.tsx +294 -0
package/src/pages/roles/index.ts +17 -0
package/src/pages/security/EnhancedSecurityPage.tsx +574 -0
package/src/pages/security/index.ts +9 -0
package/src/pages/security/page.tsx +507 -0
package/src/pages/settings/EnhancedSettingsPage.tsx +642 -0
package/src/pages/settings/index.ts +9 -0
package/src/pages/settings/page.tsx +47 -0
package/src/pages/showcase/ShowcasePage.tsx +530 -0
package/src/pages/showcase/index.ts +13 -0
package/src/pages/test-env/EmergencyLogoutPage.tsx +179 -0
package/src/pages/test-env/JwtInspectPage.tsx +418 -0
package/src/pages/test-env/RefreshTokenPage.tsx +155 -0
package/src/pages/test-env/TestEnvPage.tsx +116 -0
package/src/pages/test-env/index.ts +25 -0
package/src/pages/verify-code/page.tsx +648 -0
package/src/routes/account/index.ts +32 -0
package/src/routes/account/masked-info.ts +37 -0
package/src/routes/account/send-code.ts +40 -0
package/src/routes/account/update-phone.ts +13 -0
package/src/routes/account/verify-email.ts +41 -0
package/src/routes/account/verify-sms.ts +41 -0
package/src/routes/auth/index.ts +23 -0
package/src/routes/auth/logout.ts +127 -0
package/src/routes/auth/nextauth.ts +71 -0
package/src/routes/auth/refresh.ts +54 -0
package/src/routes/auth/session.ts +193 -0
package/src/routes/auth/settings.ts +75 -0
package/src/routes/auth/viability.ts +220 -0
package/src/routes/index.ts +18 -0
package/src/routes/session/index.ts +7 -0
package/src/routes/session/refresh-viability.ts +17 -0
package/src/services/signalrActivityService.ts +258 -0
package/src/stores/authStore.ts +1904 -0
package/src/templates/instrumentation.ts +41 -0
package/src/theme/ThemeProvider.tsx +39 -0
package/src/theme/default.ts +33 -0
package/src/theme/index.ts +31 -0
package/src/theme/types.ts +69 -0
package/src/theme/useTheme.ts +57 -0
package/src/theme/utils.ts +40 -0
package/src/types/api.ts +13 -0
package/src/types/auth.d.ts +15 -0
package/src/types/auth.ts +22 -0
package/src/types/logging.ts +11 -0
package/src/types/next-auth.d.ts +15 -0
package/src/types/recovery.ts +54 -0
package/src/types/security.ts +1 -0
package/src/utils/api.ts +353 -0
package/src/utils/circuitBreaker.ts +40 -0
package/src/utils/error-message.ts +108 -0
package/src/utils/layout/reservedSpace.ts +124 -0
package/src/utils/logout.ts +30 -0
package/src/vibe/client.ts +590 -0
package/src/vibe/errors.ts +185 -0
package/src/vibe/generic.ts +429 -0
package/src/vibe/hooks/index.ts +367 -0
package/src/vibe/index.ts +121 -0
package/src/vibe/sessions.ts +551 -0
package/src/vibe/types.ts +577 -0

package/src/stores/authStore.ts ADDED Viewed

@@ -0,0 +1,1904 @@
+/**
+ * 🚀 CENTRALIZED AUTH STORE - THE SINGLE SOURCE OF TRUTH
+ *
+ * This Zustand store replaces ALL scattered useState patterns for auth-related state.
+ * No more prop drilling, no more duplicate loading states, no more auth chaos.
+ *
+ * Features:
+ * - Centralized session, token, and user state
+ * - Built-in API calling with auto token refresh
+ * - Loading state management for all async operations
+ * - Type-safe throughout
+ * - Integrates seamlessly with existing NextAuth
+ */
+import { create } from 'zustand';
+import { devtools } from 'zustand/middleware';
+import { signOut } from 'next-auth/react';
+import { AppSession, isValidSession, sanitizeSession } from '../lib/session';
+import { authLogger } from '../config/logger';
+import { ENV_CONFIG } from '../config/env';
+import { HubConnectionBuilder, HubConnection, HubConnectionState } from '@microsoft/signalr';
+import { signalRActivityService } from '../services/signalrActivityService';
+import {
+  getSessionCookieName,
+  getSecureSessionCookieName,
+  getCsrfCookieName,
+  getSecureCsrfCookieName
+} from '../lib/app-slug';
+// ===============================
+// INTERFACES & TYPES
+// ===============================
+export interface User {
+  id: string;
+  email: string;
+  roles: string[];
+  twoFactorSessionVerified: boolean;
+  requiresTwoFactor: boolean;
+  twoFactorMethod?: string;
+  authenticationMethods?: string[];
+  authenticationLevel?: string;
+  // Administrative States (from user_state_management.md)
+  isApproved: boolean;
+  isSuspended: boolean;
+  lockoutEnabled: boolean;
+  lockoutEnd?: Date | null;
+  // Suspension Metadata
+  pausedAt?: Date | null;
+  pausedBy?: string | null;
+  suspensionReason?: string | null;
+}
+// SignalR Event Types
+export interface UserStateChangeEvent {
+  userId: string;
+  action: 'APPROVE' | 'DISAPPROVE' | 'PAUSE' | 'RESUME' | 'HALT' | 'UNLOCK';
+  newState: {
+    isApproved?: boolean;
+    isSuspended?: boolean;
+    lockoutEnabled?: boolean;
+    lockoutEnd?: string | null;
+    pausedAt?: string | null;
+    pausedBy?: string | null;
+    suspensionReason?: string | null;
+  };
+  reason?: string;
+  changedBy: string;
+  timestamp: string;
+}
+export interface SecurityNotificationEvent {
+  type: 'USER_LOCKOUT' | 'IP_THROTTLE' | 'BRUTE_FORCE' | 'DISTRIBUTED_ATTACK';
+  userId?: string;
+  ipAddress?: string;
+  message: string;
+  severity: 'LOW' | 'MEDIUM' | 'HIGH' | 'CRITICAL';
+  timestamp: string;
+}
+export interface AuthState {
+  // Core Auth State
+  session: AppSession | null;
+  user: User | null;
+  accessToken: string | null;
+  refreshToken: string | null;
+  isAuthenticated: boolean;
+  isInitialized: boolean;
+  // Loading States (replaces useState hell)
+  isLoading: boolean;
+  isRefreshingToken: boolean;
+  // Data Loading States
+  isLoadingUserStats: boolean;
+  isLoadingClients: boolean;
+  isLoadingRoles: boolean;
+  isLoadingUsers: boolean;
+  isLoadingUserDetails: Record<string, boolean>;
+  isLoadingRoleCategories: boolean;
+  isLoadingUserAssignments: Record<string, boolean>;
+  isLoadingClientAuthorizations: Record<string, boolean>;
+  // Error States
+  error: string | null;
+  tokenError: string | null;
+  // Cached Data (eliminates redundant API calls)
+  userStats: any | null;
+  clients: any[] | null;
+  roles: any[] | null;
+  users: any[] | null;
+  userDetails: Record<string, any>;
+  userAssignments: Record<string, any>;
+  roleCategories: any[] | null;
+  clientAuthorizations: Record<string, any[] | undefined>;
+  // Cache timestamps
+  userStatsLastFetch: number | null;
+  clientsLastFetch: number | null;
+  rolesLastFetch: number | null;
+  usersLastFetch: number | null;
+  roleCategoriesLastFetch: number | null;
+  // Real-time SignalR Connection
+  signalrConnection: HubConnection | null;
+  signalrConnectionState: HubConnectionState;
+  isConnectedToSignalR: boolean;
+}
+export interface AuthActions {
+  // Session Management
+  setSession: (session: AppSession | null) => void;
+  clearSession: () => void;
+  refreshSession: () => Promise<void>;
+  refreshTokens: () => Promise<void>;
+  rehydrateSessionAfterRefresh: () => Promise<void>;
+  // Authentication Actions
+  signIn: (credentials: { email: string; password: string }) => Promise<boolean>;
+  signOut: () => Promise<void>;
+  forceLogoutAndRedirect: (reason: string) => Promise<void>;
+  // API Actions with Built-in Token Management
+  apiCall: <T = any>(url: string, options?: RequestInit, maxRetries?: number) => Promise<T>;
+  makeApiCall: <T = any>(url: string, options?: RequestInit, attempt?: number) => Promise<T>;
+  // Data Fetching Actions (replaces useEffect + useState patterns)
+  fetchUserStats: (force?: boolean) => Promise<void>;
+  fetchClients: (force?: boolean) => Promise<void>;
+  fetchRoles: (force?: boolean) => Promise<void>;
+  fetchUsers: (params?: any, force?: boolean) => Promise<void>;
+  fetchUserDetails: (userId: string, force?: boolean) => Promise<void>;
+  fetchUserClientAuthorizations: (userId: string, force?: boolean) => Promise<void>;
+  fetchUserRoleAssignments: (userId: string, force?: boolean) => Promise<void>;
+  fetchRoleCategories: (force?: boolean) => Promise<void>;
+  // CRUD Operations (replaces direct API calls)
+  createUser: (userData: any) => Promise<any>;
+  updateUser: (userId: string, updates: any) => Promise<any>;
+  deleteUser: (userId: string) => Promise<void>;
+  createRole: (roleData: any) => Promise<any>;
+  updateRole: (roleId: string, updates: any) => Promise<any>;
+  deleteRole: (roleId: string) => Promise<void>;
+  assignUserToRole: (userId: string, roleId: string) => Promise<void>;
+  removeUserFromRole: (userId: string, roleId: string) => Promise<void>;
+  assignUserToClient: (userId: string, clientId: string) => Promise<void>;
+  removeUserFromClient: (userId: string, clientId: string) => Promise<void>;
+  // Utility Actions
+  hasRole: (role: string) => boolean;
+  hasAnyRole: (roles: string[]) => boolean;
+  hasAllRoles: (roles: string[]) => boolean;
+  isFullyAuthenticated: () => boolean;
+  // Error Management
+  setError: (error: string | null) => void;
+  clearError: () => void;
+  // Admin User State Management Actions
+  approveUser: (userId: string, reason?: string) => Promise<void>;
+  disapproveUser: (userId: string, reason?: string) => Promise<void>;
+  pauseUser: (userId: string, reason?: string) => Promise<void>;
+  resumeUser: (userId: string) => Promise<void>;
+  haltUser: (userId: string, reason?: string) => Promise<void>;
+  unlockUser: (userId: string) => Promise<void>;
+  // User State Utilities
+  canUserAccess: () => boolean;
+  getUserStateDisplay: () => string;
+  isUserLocked: () => boolean;
+  // Real-time SignalR Management
+  initializeSignalR: () => Promise<void>;
+  disconnectSignalR: () => Promise<void>;
+  handleUserStateChanged: (data: UserStateChangeEvent) => void;
+}
+export type AuthStore = AuthState & AuthActions;
+// ===============================
+// CACHE CONFIGURATION
+// ===============================
+const CACHE_DURATION = {
+  USER_STATS: 5 * 60 * 1000,     // 5 minutes
+  CLIENTS: 10 * 60 * 1000,       // 10 minutes
+  ROLES: 15 * 60 * 1000,         // 15 minutes
+  USERS: 5 * 60 * 1000,          // 5 minutes (dynamic data)
+  USER_DETAILS: 2 * 60 * 1000,   // 2 minutes (detailed data)
+  ROLE_CATEGORIES: 30 * 60 * 1000, // 30 minutes (stable data)
+  USER_ASSIGNMENTS: 2 * 60 * 1000, // 2 minutes (assignment data changes frequently)
+};
+// ===============================
+// ZUSTAND STORE IMPLEMENTATION
+// ===============================
+export const useAuthStore = create<AuthStore>()(
+  devtools(
+    (set, get) => ({
+      // ===============================
+      // INITIAL STATE
+      // ===============================
+      session: null,
+      user: null,
+      accessToken: null,
+      refreshToken: null,
+      isAuthenticated: false,
+      isInitialized: false,
+      // Loading States
+      isLoading: true,
+      isRefreshingToken: false,
+      isLoadingUserStats: false,
+      isLoadingClients: false,
+      isLoadingRoles: false,
+      isLoadingUsers: false,
+      isLoadingUserDetails: {},
+      isLoadingRoleCategories: false,
+      isLoadingUserAssignments: {},
+      isLoadingClientAuthorizations: {},
+      // Error States
+      error: null,
+      tokenError: null,
+      // Cached Data
+      userStats: null,
+      clients: null,
+      roles: null,
+      users: null,
+      userDetails: {},
+      userAssignments: {},
+      roleCategories: null,
+      clientAuthorizations: {},
+      // Cache Timestamps
+      userStatsLastFetch: null,
+      clientsLastFetch: null,
+      rolesLastFetch: null,
+      usersLastFetch: null,
+      roleCategoriesLastFetch: null,
+      // SignalR Connection State
+      signalrConnection: null,
+      signalrConnectionState: HubConnectionState.Disconnected,
+      isConnectedToSignalR: false,
+      // ===============================
+      // SESSION MANAGEMENT ACTIONS
+      // ===============================
+      setSession: (session: AppSession | null) => {
+        // CRITICAL FIX: Validate and sanitize the session before setting it
+        // This prevents storing sessions with empty user IDs or other invalid data
+        const cleanSession = sanitizeSession(session);
+        if (!cleanSession) {
+          // Session is invalid (empty userId, empty email, or missing accessToken)
+          authLogger.warn('[AuthStore] Rejecting invalid session', {
+            hasSession: false,
+            reason: 'invalid_or_partial_session',
+            hasIncomingSession: !!session,
+            incomingUserId: session?.user?.id || '(empty)',
+            incomingUserEmail: session?.user?.email || '(empty)',
+            hasAccessToken: !!session?.accessToken
+          });
+          // Clear the session state completely
+          set({
+            session: null,
+            user: null,
+            accessToken: null,
+            refreshToken: null,
+            isAuthenticated: false,
+            isInitialized: true,
+            isLoading: false,
+            error: 'Invalid session data',
+          });
+          return;
+        }
+        // Session is valid - proceed with setting it
+        authLogger.info('[AuthStore] Setting valid session:', {
+          hasSession: true,
+          userId: cleanSession.user?.id,
+          userEmail: cleanSession.user?.email
+        });
+        const user: User = {
+          id: cleanSession.user?.id || '',
+          email: cleanSession.user?.email || '',
+          roles: Array.isArray((cleanSession.user as any)?.roles) ? (cleanSession.user as any).roles : [],
+          twoFactorSessionVerified: (cleanSession.user as any)?.twoFactorSessionVerified || false,
+          requiresTwoFactor: (cleanSession.user as any)?.requiresTwoFactor || false,
+          twoFactorMethod: (cleanSession.user as any)?.twoFactorMethod,
+          authenticationMethods: (cleanSession.user as any).authenticationMethods,
+          authenticationLevel: (cleanSession.user as any).authenticationLevel,
+          // Administrative States (with safe defaults)
+          isApproved: (cleanSession.user as any).isApproved ?? true,
+          isSuspended: (cleanSession.user as any).isSuspended ?? false,
+          lockoutEnabled: (cleanSession.user as any).lockoutEnabled ?? false,
+          lockoutEnd: (cleanSession.user as any).lockoutEnd ? new Date((cleanSession.user as any).lockoutEnd) : null,
+          // Suspension Metadata
+          pausedAt: (cleanSession.user as any).pausedAt ? new Date((cleanSession.user as any).pausedAt) : null,
+          pausedBy: (cleanSession.user as any).pausedBy || null,
+          suspensionReason: (cleanSession.user as any).suspensionReason || null,
+        };
+        set({
+          session: cleanSession,
+          user,
+          accessToken: cleanSession.accessToken || null,
+          refreshToken: cleanSession.refreshToken || null,
+          // FIXED: Use strict validation - both accessToken AND user.id must be non-empty
+          isAuthenticated: true, // Already validated by sanitizeSession
+          isInitialized: true,
+          isLoading: false,
+          error: cleanSession.error || null,
+        });
+        // Auto-initialize SignalR for authenticated users
+        // Use a longer delay and add error handling to prevent login blocking
+        setTimeout(async () => {
+          try {
+            await get().initializeSignalR();
+          } catch (error) {
+            // Don't let SignalR initialization errors block the login process
+            authLogger.warn('[AuthStore] SignalR initialization failed (non-blocking):', error);
+          }
+        }, 500); // Longer delay to ensure login flow completes first
+      },
+      clearSession: () => {
+        authLogger.debug('[AuthStore] Clearing session');
+        // Disconnect SignalR before clearing session
+        get().disconnectSignalR();
+        set({
+          session: null,
+          user: null,
+          accessToken: null,
+          refreshToken: null,
+          isAuthenticated: false,
+          error: null,
+          tokenError: null,
+          // Keep cache data but clear sensitive auth data
+        });
+      },
+      refreshSession: async () => {
+        const state = get();
+        if (!state.session?.sessionToken || !state.user?.id || state.isRefreshingToken) {
+          return;
+        }
+        set({ isRefreshingToken: true, tokenError: null });
+        try {
+          // Call refresh endpoint directly (no middleware chaos)
+          const stateBefore = get();
+          const refreshResponse = await fetch('/api/auth/refresh', {
+            method: 'POST',
+            headers: {
+              'Content-Type': 'application/json',
+              'X-Session-Token': stateBefore.session?.sessionToken || '',
+              'X-Request-Source': 'authStore.refreshSession'
+            },
+            credentials: 'include'
+          });
+          if (!refreshResponse.ok) {
+            const refreshError = await refreshResponse.json().catch(() => ({ message: 'Token refresh failed' }));
+            throw new Error(refreshError.message || 'Token refresh failed');
+          }
+          // TODO: Get updated session from Redis after successful refresh (temp disabled for client build)
+          // For now, assume refresh was successful
+          // TODO: Update session with new tokens from Redis (temp disabled)
+          // For now, assume session tokens are already updated by the refresh endpoint
+          authLogger.info('[AuthStore] Token refresh successful via direct /api/session/refresh');
+        } catch (error) {
+          const errorMessage = error instanceof Error ? error.message : 'Token refresh failed';
+          authLogger.error('[AuthStore] Token refresh failed:', error);
+          set({
+            tokenError: errorMessage,
+            isAuthenticated: false,
+          });
+          // If refresh fails, sign out
+          await get().signOut();
+        } finally {
+          set({ isRefreshingToken: false });
+        }
+      },
+      // ===============================
+      // AUTHENTICATION ACTIONS
+      // ===============================
+      signIn: async (credentials: { email: string; password: string }) => {
+        set({ isLoading: true, error: null });
+        try {
+          // Use NextAuth signIn - this will trigger our auth callbacks
+          const { signIn } = await import('next-auth/react');
+          const result = await signIn('credentials', {
+            ...credentials,
+            redirect: false,
+          });
+          if (result?.ok) {
+            authLogger.info('[AuthStore] Sign in successful');
+            return true;
+          } else {
+            const errorMessage = result?.error || 'Sign in failed';
+            set({ error: errorMessage, isLoading: false });
+            return false;
+          }
+        } catch (error) {
+          const errorMessage = error instanceof Error ? error.message : 'Sign in failed';
+          authLogger.error('[AuthStore] Sign in error:', error);
+          set({ error: errorMessage, isLoading: false });
+          return false;
+        }
+      },
+      signOut: async () => {
+        authLogger.info('[AuthStore] Starting sign out process');
+        // Clear local state immediately
+        get().clearSession();
+        // Clear cached data
+        set({
+          userStats: null,
+          clients: null,
+          roles: null,
+          userStatsLastFetch: null,
+          clientsLastFetch: null,
+          rolesLastFetch: null,
+        });
+        try {
+          // Use NextAuth signOut
+          await signOut({ redirect: false });
+          authLogger.info('[AuthStore] Sign out completed');
+        } catch (error) {
+          authLogger.error('[AuthStore] Sign out error:', error);
+          // Even if signOut fails, we've cleared local state
+        }
+      },
+      forceLogoutAndRedirect: async (reason: string) => {
+        const state = get();
+        // AGGRESSIVE LOGGING TO TRACK EXECUTION
+        console.error('🚨 FORCE LOGOUT INITIATED 🚨', {
+          reason,
+          userId: state.user?.id,
+          sessionToken: state.session?.sessionToken,
+          timestamp: new Date().toISOString()
+        });
+        authLogger.error('[AuthStore] Force logout initiated', {
+          reason,
+          userId: state.user?.id,
+          sessionToken: state.session?.sessionToken
+        });
+        try {
+          // TODO: Step 1: Mark session as force-invalidated in Redis (temp disabled for client build)
+          // Step 2: Clear local state immediately
+          get().clearSession();
+          // Step 3: Clear all cached data
+          set({
+            userStats: null,
+            clients: null,
+            roles: null,
+            userStatsLastFetch: null,
+            clientsLastFetch: null,
+            rolesLastFetch: null,
+          });
+          // Step 4: Clear session cache (temp disabled for client build)
+          // TODO: Re-enable when session-cache module is available
+          // const { SessionCache } = await import('@/lib/session-cache');
+          // SessionCache.clearCache();
+          // SessionCache.clearServerSessionData();
+          // Step 5: AGGRESSIVELY clear NextAuth cookies immediately before signOut (app-slug prefixed)
+          if (typeof document !== 'undefined') {
+            const cookiesToClear = [
+              getSessionCookieName(),
+              getSecureSessionCookieName(),
+              getCsrfCookieName(),
+              getSecureCsrfCookieName()
+            ];
+            authLogger.info('[AuthStore] Aggressively clearing NextAuth cookies immediately');
+            cookiesToClear.forEach(cookieName => {
+              try {
+                const expiredDate = 'Thu, 01 Jan 1970 00:00:00 GMT';
+                const clearPatterns = [
+                  `${cookieName}=; expires=${expiredDate}; path=/`,
+                  `${cookieName}=; expires=${expiredDate}; path=/; domain=${window.location.hostname}`,
+                  `${cookieName}=; expires=${expiredDate}; path=/; domain=.${window.location.hostname}`,
+                ];
+                if (window.location.protocol === 'https:') {
+                  clearPatterns.push(
+                    `${cookieName}=; expires=${expiredDate}; path=/; secure`,
+                    `${cookieName}=; expires=${expiredDate}; path=/; domain=${window.location.hostname}; secure`,
+                    `${cookieName}=; expires=${expiredDate}; path=/; domain=.${window.location.hostname}; secure`
+                  );
+                }
+                clearPatterns.forEach(pattern => {
+                  document.cookie = pattern;
+                });
+              } catch (cookieError) {
+                authLogger.warn(`Failed to clear cookie ${cookieName}:`, cookieError);
+              }
+            });
+          }
+          // Step 6: Force NextAuth signOut (this should clear the session cookie)
+          const { signOut } = await import('next-auth/react');
+          await signOut({ redirect: false });
+          authLogger.info('[AuthStore] Force logout completed, redirecting to login');
+          // Step 7: Longer delay to ensure everything is processed
+          await new Promise(resolve => setTimeout(resolve, 1000));
+          // Step 8: Force redirect with cache busting - use window.location.href for immediate effect
+          const loginUrl = `/account-auth/login?error=SessionExpired&reason=${reason}&t=${Date.now()}`;
+          authLogger.info('[AuthStore] Redirecting to login:', loginUrl);
+          // Double redirect approach to ensure it works
+          window.location.replace(loginUrl);
+          window.location.href = loginUrl;
+        } catch (error) {
+          authLogger.error('[AuthStore] Error during force logout:', error);
+          // Fallback: still redirect even if cleanup fails
+          const loginUrl = `/account-auth/login?error=ForceLogoutError&reason=${reason}&t=${Date.now()}`;
+          window.location.replace(loginUrl);
+        }
+      },
+      // ===============================
+      // API CALLING WITH AUTO TOKEN REFRESH
+      // ===============================
+      // Single centralized refresh method with coordinated server-side coordination
+      refreshTokens: async (): Promise<void> => {
+        const state = get();
+        // If already refreshing, wait for it to complete
+        if (state.isRefreshingToken) {
+          authLogger.info('[AuthStore] Client-side token refresh already in progress, waiting for completion');
+          // Wait for the refresh to complete by polling the flag
+          const maxWaitMs = 15000; // 15 seconds max wait
+          const startTime = Date.now();
+          while (get().isRefreshingToken && (Date.now() - startTime) < maxWaitMs) {
+            await new Promise(resolve => setTimeout(resolve, 100));
+          }
+          // Check if refresh was successful by verifying we still have a valid session
+          const updatedState = get();
+          if (updatedState.isRefreshingToken) {
+            authLogger.warn('[AuthStore] Client-side token refresh timed out');
+            throw new Error('Token refresh timed out - another refresh operation is stuck');
+          }
+          if (!updatedState.isAuthenticated || !updatedState.session) {
+            authLogger.error('[AuthStore] Token refresh failed - session invalid after refresh');
+            throw new Error('Token refresh failed - session invalid after refresh');
+          }
+          authLogger.info('[AuthStore] Token refresh completed by another caller');
+          return;
+        }
+        // Set refreshing flag for client-side coordination
+        set({ isRefreshingToken: true });
+        authLogger.info('[AuthStore] Starting coordinated token refresh');
+        try {
+          // COORDINATED REFRESH: The server now handles distributed locking
+          // We just need to make the refresh call and let the server coordinate
+          // Resolve session token for header
+          const resolveSessionTokenForHeader = async (): Promise<string | undefined> => {
+            let token = get().session?.sessionToken as string | undefined;
+            if (token) return token;
+            try {
+              const { getSession } = await import('next-auth/react');
+              for (let attempt = 1; attempt <= 3 && !token; attempt++) {
+                const s: any = await getSession();
+                token = s?.sessionToken;
+                if (!token) {
+                  await new Promise(r => setTimeout(r, 150));
+                }
+              }
+            } catch {
+              authLogger.warn('[AuthStore] Failed to resolve session token from NextAuth during refresh');
+            }
+            return token;
+          };
+          const sessionTokenHeader = await resolveSessionTokenForHeader();
+          const refreshResponse = await fetch('/api/auth/refresh', {
+            method: 'POST',
+            headers: {
+              'Content-Type': 'application/json',
+              'X-Client-Refresh': 'true',
+              'X-Request-Source': 'authStore',
+              ...(sessionTokenHeader ? { 'X-Session-Token': sessionTokenHeader } : {})
+            },
+            credentials: 'include'
+          });
+          if (!refreshResponse.ok) {
+            if (refreshResponse.status === 429 || refreshResponse.status === 409) {
+              const retryAfter = refreshResponse.headers.get('Retry-After');
+              const waitMs = retryAfter ? parseInt(retryAfter) * 1000 : 2000;
+              authLogger.info('[AuthStore] Server coordinated refresh in progress, waiting and retrying', {
+                status: refreshResponse.status,
+                retryAfterMs: waitMs
+              });
+              await new Promise(resolve => setTimeout(resolve, Math.min(waitMs, 5000)));
+              await get().rehydrateSessionAfterRefresh();
+              authLogger.info('[AuthStore] Successfully coordinated with server-side refresh');
+              return;
+            }
+            const refreshError = await refreshResponse.json().catch(() => ({ message: 'Token refresh failed' }));
+            authLogger.error('[AuthStore] Token refresh failed:', refreshError);
+            set({
+              session: null,
+              accessToken: null,
+              refreshToken: null,
+              isAuthenticated: false,
+              user: null
+            });
+            await get().forceLogoutAndRedirect('TokenRefreshFailed');
+            throw new Error(`Token refresh failed: ${refreshError.message}`);
+          }
+          authLogger.info('[AuthStore] Coordinated token refresh successful on backend, rehydrating session');
+          await get().rehydrateSessionAfterRefresh();
+        } catch (error) {
+          authLogger.error('[AuthStore] Coordinated token refresh exception:', error);
+          const errorMessage = error instanceof Error ? error.message : String(error);
+          const isCoordinationError = errorMessage.includes('coordination') ||
+                                      errorMessage.includes('timeout') ||
+                                      errorMessage.includes('another refresh');
+          if (!isCoordinationError) {
+            set({
+              session: null,
+              accessToken: null,
+              refreshToken: null,
+              isAuthenticated: false,
+              user: null
+            });
+            await get().forceLogoutAndRedirect('TokenRefreshException');
+          }
+          throw error;
+        } finally {
+          set({ isRefreshingToken: false });
+        }
+      },
+      // Atomic session rehydration after token refresh
+      // This ensures the authStore gets the fresh tokens from the session store
+      rehydrateSessionAfterRefresh: async (): Promise<void> => {
+        const maxRetries = 3;
+        const retryDelay = 500; // 500ms between retries
+        authLogger.info('[AuthStore] Starting session rehydration after token refresh');
+        for (let attempt = 1; attempt <= maxRetries; attempt++) {
+          try {
+            // Force NextAuth to reload the session from the session store
+            // This triggers the JWT callback which reads fresh data from Redis
+            const { getSession } = await import('next-auth/react');
+            authLogger.debug(`[AuthStore] Rehydration attempt ${attempt}/${maxRetries}`);
+            // Force session refresh - this calls NextAuth's session endpoint
+            // which triggers JWT callback to read fresh tokens from Redis
+            const freshSession = await getSession();
+            if (!freshSession) {
+              throw new Error('No session returned from NextAuth after refresh');
+            }
+            if (!freshSession.accessToken) {
+              throw new Error('Fresh session missing access token');
+            }
+            // Verify the token is actually fresh (not expired)
+            try {
+              const { jwtDecode } = await import('@/lib/jwt-decode');
+              const decoded = jwtDecode(freshSession.accessToken);
+              if (!decoded?.exp) {
+                throw new Error('Fresh token missing expiration claim');
+              }
+              const tokenExpiry = decoded.exp * 1000;
+              const now = Date.now();
+              const timeUntilExpiry = tokenExpiry - now;
+              // Token should be fresh (not expiring in next 5 minutes)
+              if (timeUntilExpiry < (5 * 60 * 1000)) {
+                throw new Error(`Fresh token still expires soon: ${timeUntilExpiry}ms`);
+              }
+              authLogger.info('[AuthStore] Session rehydration successful', {
+                attempt,
+                tokenExpiresAt: new Date(tokenExpiry).toISOString(),
+                timeUntilExpiry: `${Math.round(timeUntilExpiry / 1000)}s`,
+                subject: decoded.sub
+              });
+              // Update the authStore with the fresh session atomically
+              get().setSession(freshSession);
+              authLogger.info('[AuthStore] AuthStore updated with fresh tokens');
+              return; // Success!
+            } catch (tokenError) {
+              throw new Error(`Token validation failed: ${tokenError instanceof Error ? tokenError.message : String(tokenError)}`);
+            }
+          } catch (error) {
+            const errorMessage = error instanceof Error ? error.message : String(error);
+            authLogger.warn(`[AuthStore] Rehydration attempt ${attempt} failed:`, errorMessage);
+            // If this is the last attempt, throw the error
+            if (attempt === maxRetries) {
+              authLogger.error('[AuthStore] Session rehydration failed after all retries');
+              throw new Error(`Session rehydration failed after ${maxRetries} attempts: ${errorMessage}`);
+            }
+            // Wait before retrying
+            authLogger.debug(`[AuthStore] Waiting ${retryDelay}ms before retry ${attempt + 1}`);
+            await new Promise(resolve => setTimeout(resolve, retryDelay));
+          }
+        }
+      },
+      apiCall: async <T = any>(url: string, options: RequestInit = {}, maxRetries = 3): Promise<T> => {
+        // UNIVERSAL RETRY WRAPPER: Handle 503 retries at the store level
+        for (let attempt = 1; attempt <= maxRetries; attempt++) {
+          try {
+            return await get().makeApiCall<T>(url, options, attempt);
+          } catch (error: any) {
+            const isRetryableError = error.isRetryable || error.message?.includes('Token refresh in progress');
+            if (isRetryableError && attempt < maxRetries) {
+              const retryAfter = error.retryAfter || 1;
+              authLogger.info(`[AuthStore] API call attempt ${attempt} failed with retryable error, retrying in ${retryAfter}s`, {
+                url,
+                error: error.message,
+                attempt,
+                maxRetries
+              });
+              await new Promise(resolve => setTimeout(resolve, retryAfter * 1000));
+              continue;
+            }
+            // Not retryable or max attempts reached
+            throw error;
+          }
+        }
+        // This should never be reached but TypeScript needs it
+        throw new Error('API call failed after all retry attempts');
+      },
+      makeApiCall: async <T = any>(url: string, options: RequestInit = {}, attempt = 1): Promise<T> => {
+        const state = get();
+        // COORDINATED AUTH: Check authentication and refresh coordination
+        if (!state.isAuthenticated || !state.session?.sessionToken || !state.user?.id) {
+          throw new Error('Not authenticated');
+        }
+        // COORDINATED REFRESH: Check if token refresh is in progress
+        if (state.isRefreshingToken) {
+          authLogger.info('[AuthStore] API call detected refresh in progress, waiting for completion', { url, attempt });
+          // Wait for refresh to complete before making API call
+          const maxWaitMs = 10000; // 10 seconds max wait
+          const startTime = Date.now();
+          while (get().isRefreshingToken && (Date.now() - startTime) < maxWaitMs) {
+            await new Promise(resolve => setTimeout(resolve, 100));
+          }
+          const updatedState = get();
+          if (updatedState.isRefreshingToken) {
+            authLogger.warn('[AuthStore] API call timed out waiting for refresh', { url, attempt });
+            throw new Error('Request failed - token refresh in progress');
+          }
+          if (!updatedState.isAuthenticated || !updatedState.session) {
+            authLogger.error('[AuthStore] Session lost during refresh wait', { url, attempt });
+            throw new Error('Authentication lost during token refresh');
+          }
+          authLogger.info('[AuthStore] API call proceeding after refresh completion', { url, attempt });
+        }
+        // COORDINATED API CALL: Make API call using NextAuth session cookies
+        // Server-side handlers will coordinate any needed token refresh
+        const response = await fetch(url, {
+          ...options,
+          credentials: 'include', // Ensure session cookies are sent
+          headers: {
+            'Content-Type': 'application/json',
+            'X-Client-Call': 'true', // Indicate this is a client-initiated call
+            'X-Request-Source': 'authStore',
+            ...options.headers,
+          },
+        });
+        if (!response.ok) {
+          // COORDINATED ERROR HANDLING: Handle various coordination scenarios
+          if (response.status === 401) {
+            authLogger.info('[AuthStore] Received 401, attempting coordinated refresh and retry', { url, attempt });
+            // If not currently refreshing and we haven't retried yet, attempt refresh then retry once
+            if (!get().isRefreshingToken && (attempt ?? 1) < 2) {
+              try {
+                await get().refreshTokens();
+                authLogger.info('[AuthStore] Refresh complete, retrying API call once', { url, nextAttempt: (attempt ?? 1) + 1 });
+                return await get().makeApiCall<T>(url, options, (attempt ?? 1) + 1);
+              } catch (refreshError) {
+                authLogger.error('[AuthStore] Refresh attempt failed after 401', refreshError);
+                // fall through to force logout below
+              }
+            } else if (get().isRefreshingToken) {
+              authLogger.info('[AuthStore] 401 received during in-progress refresh - treating as coordination issue');
+            }
+            // If we reach here, refresh was not attempted or failed; force logout
+            await get().forceLogoutAndRedirect('ApiCall401');
+            throw new Error('Authentication failed');
+          }
+          // Handle server coordination responses
+          if (response.status === 503) {
+            const retryAfter = response.headers.get('Retry-After');
+            authLogger.info('[AuthStore] Received 503 (service unavailable), likely token refresh in progress', {
+              url,
+              retryAfter
+            });
+            // This is a retryable condition - let the calling code handle retries
+            const error = new Error('Token refresh in progress');
+            (error as any).retryAfter = parseInt(retryAfter || '1', 10);
+            (error as any).isRetryable = true;
+            throw error;
+          }
+          if (response.status === 429) {
+            const retryAfter = response.headers.get('Retry-After');
+            authLogger.info('[AuthStore] Received 429 (rate limit/coordination), server busy', {
+              url,
+              retryAfter
+            });
+            throw new Error(`Server busy - retry after ${retryAfter || '1'} second(s)`);
+          }
+          if (response.status === 409) {
+            // Distinguish business conflict (e.g., duplicate email/username) from refresh coordination
+            let body: any = null;
+            try {
+              body = await response.clone().json();
+            } catch {}
+            const code = body?.error?.code || body?.code;
+            const message: string | undefined = body?.error?.message || body?.message;
+            const msgLower = typeof message === 'string' ? message.toLowerCase() : '';
+            // PayEz-standard conflicts we want to surface to the UI
+            if (
+              code === 'RESOURCE_CONFLICT' ||
+              code === 'USERNAME_ALREADY_EXISTS' ||
+              code === 'EMAIL_ALREADY_EXISTS' ||
+              (msgLower.includes('duplicate') || msgLower.includes('already taken'))
+            ) {
+              const err = new Error(message || 'Resource conflict');
+              (err as any).status = 409;
+              (err as any).data = body;
+              throw err;
+            }
+            // Otherwise treat as coordination conflict (e.g., refresh lock)
+            authLogger.info('[AuthStore] Received 409 (conflict) without recognizable business code; treating as refresh coordination issue', { url });
+            const err = new Error('Request conflict - token refresh in progress on server');
+            (err as any).status = 409;
+            (err as any).data = body;
+            throw err;
+          }
+          // Handle other HTTP errors: throw an error with details
+          const errorData = await response.json().catch(() => ({}));
+          const errorMessage = errorData.message || errorData.error || response.statusText || 'Request failed';
+          const error = new Error(errorMessage);
+          (error as any).status = response.status;
+          (error as any).data = errorData;
+          throw error;
+        }
+        return await response.json();
+      },
+      // ===============================
+      // DATA FETCHING ACTIONS
+      // ===============================
+      fetchUserStats: async (force = false) => {
+        const state = get();
+        const now = Date.now();
+        // Check cache unless forced
+        if (!force && state.userStats && state.userStatsLastFetch) {
+          const age = now - state.userStatsLastFetch;
+          if (age < CACHE_DURATION.USER_STATS) {
+            authLogger.debug('[AuthStore] Using cached user stats');
+            return;
+          }
+        }
+        set({ isLoadingUserStats: true });
+        try {
+          const data = await get().apiCall('/api/activity/user-stats');
+          set({
+            userStats: data.data || data,
+            userStatsLastFetch: now,
+            isLoadingUserStats: false,
+          });
+          authLogger.debug('[AuthStore] User stats fetched successfully');
+        } catch (error) {
+          const errorMessage = error instanceof Error ? error.message : String(error);
+          // Don't log errors if we're already signed out (forced logout scenario)
+          if (!errorMessage.includes('Session expired') && !errorMessage.includes('Authentication failed')) {
+            authLogger.error('[AuthStore] Failed to fetch user stats:', error);
+          }
+          set({ isLoadingUserStats: false });
+          // Don't throw if we're in a forced logout scenario
+          if (!errorMessage.includes('Session expired') && !errorMessage.includes('Authentication failed')) {
+            throw error;
+          }
+        }
+      },
+      fetchClients: async (force = false) => {
+        const state = get();
+        const now = Date.now();
+        // Check cache unless forced
+        if (!force && state.clients && state.clientsLastFetch) {
+          const age = now - state.clientsLastFetch;
+          if (age < CACHE_DURATION.CLIENTS) {
+            authLogger.debug('[AuthStore] Using cached clients');
+            return;
+          }
+        }
+        set({ isLoadingClients: true });
+        try {
+          const data = await get().apiCall('/api/admin/clients');
+          // API returns pure array - no envelope
+          set({
+            clients: Array.isArray(data) ? data : [],
+            clientsLastFetch: now,
+            isLoadingClients: false,
+          });
+          authLogger.debug('[AuthStore] Clients fetched successfully');
+        } catch (error) {
+          const errorMessage = error instanceof Error ? error.message : String(error);
+          // Don't log errors if we're already signed out (forced logout scenario)
+          if (!errorMessage.includes('Session expired') && !errorMessage.includes('Authentication failed')) {
+            authLogger.error('[AuthStore] Failed to fetch clients:', error);
+          }
+          set({ isLoadingClients: false });
+          // Don't throw if we're in a forced logout scenario
+          if (!errorMessage.includes('Session expired') && !errorMessage.includes('Authentication failed')) {
+            throw error;
+          }
+        }
+      },
+      fetchRoles: async (force = false) => {
+        const state = get();
+        const now = Date.now();
+        // Check cache unless forced
+        if (!force && state.roles && state.rolesLastFetch) {
+          const age = now - state.rolesLastFetch;
+          if (age < CACHE_DURATION.ROLES) {
+            authLogger.debug('[AuthStore] Using cached roles');
+            return;
+          }
+        }
+        set({ isLoadingRoles: true });
+        try {
+          const data = await get().apiCall('/api/admin/roles');
+          // API returns pure array - no envelope
+          set({
+            roles: Array.isArray(data) ? data : [],
+            rolesLastFetch: now,
+            isLoadingRoles: false,
+          });
+          authLogger.debug('[AuthStore] Roles fetched successfully');
+        } catch (error) {
+          const errorMessage = error instanceof Error ? error.message : String(error);
+          // Don't log errors if we're already signed out (forced logout scenario)
+          if (!errorMessage.includes('Session expired') && !errorMessage.includes('Authentication failed')) {
+            authLogger.error('[AuthStore] Failed to fetch roles:', error);
+          }
+          set({ isLoadingRoles: false });
+          // Don't throw if we're in a forced logout scenario
+          if (!errorMessage.includes('Session expired') && !errorMessage.includes('Authentication failed')) {
+            throw error;
+          }
+        }
+      },
+      fetchUsers: async (params: any = {}, force = false) => {
+        const state = get();
+        const now = Date.now();
+        // Check cache unless forced (users data changes frequently, shorter cache)
+        if (!force && state.users && state.usersLastFetch) {
+          const age = now - state.usersLastFetch;
+          if (age < CACHE_DURATION.USERS) {
+            authLogger.debug('[AuthStore] Using cached users');
+            return;
+          }
+        }
+        set({ isLoadingUsers: true });
+        try {
+          // Always use POST for /api/admin/users with appropriate payload
+          const url = `/api/admin/users`;
+          // Build proper UserGridRequest with all required fields
+          const gridParams = {
+            page_number: params.page || 1,
+            page_size: params.pageSize || 25,
+            search: "",
+            search_field: "",
+            sort_field: "",
+            sort_order: "",
+            status: null,
+            merchant_id: "",
+            client_assignment_status: null
+          };
+          const options = { method: 'POST', body: JSON.stringify(gridParams) };
+          const data = await get().apiCall(url, options);
+          // API returns pure array - no envelope
+          const users = Array.isArray(data) ? data : [];
+          set({
+            users: Array.isArray(users) ? users : [],
+            usersLastFetch: now,
+            isLoadingUsers: false,
+          });
+          authLogger.debug('[AuthStore] Users fetched successfully');
+        } catch (error) {
+          const errorMessage = error instanceof Error ? error.message : String(error);
+          authLogger.error('[AuthStore] Failed to fetch users:', error);
+          set({ isLoadingUsers: false });
+          if (!errorMessage.includes('Session expired') && !errorMessage.includes('Authentication failed')) {
+            throw error;
+          }
+        }
+      },
+      fetchUserDetails: async (userId: string, force = false) => {
+        const state = get();
+        const now = Date.now();
+        // Check cache unless forced
+        const cacheKey = `user_${userId}`;
+        const lastFetch = state.userDetails[`${cacheKey}_lastFetch`];
+        if (!force && state.userDetails[userId] && lastFetch) {
+          const age = now - lastFetch;
+          if (age < CACHE_DURATION.USER_DETAILS) {
+            authLogger.debug(`[AuthStore] Using cached user details for ${userId}`);
+            return;
+          }
+        }
+        set({
+          isLoadingUserDetails: { ...state.isLoadingUserDetails, [userId]: true }
+        });
+        try {
+          const data = await get().apiCall(`/api/admin/users/${userId}`);
+          set({
+            userDetails: {
+              ...state.userDetails,
+              [userId]: data.data || data,
+              [`${cacheKey}_lastFetch`]: now
+            },
+            isLoadingUserDetails: { ...state.isLoadingUserDetails, [userId]: false }
+          });
+          authLogger.debug(`[AuthStore] User details fetched for ${userId}`);
+        } catch (error) {
+          const errorMessage = error instanceof Error ? error.message : String(error);
+          authLogger.error(`[AuthStore] Failed to fetch user details for ${userId}:`, error);
+          set({
+            isLoadingUserDetails: { ...state.isLoadingUserDetails, [userId]: false }
+          });
+          if (!errorMessage.includes('Session expired') && !errorMessage.includes('Authentication failed')) {
+            throw error;
+          }
+        }
+      },
+      fetchUserClientAuthorizations: async (userId: string, force = false) => {
+        const state = get();
+        const now = Date.now();
+        const cacheKey = `auth_${userId}`;
+        // Check if already loading
+        if (state.isLoadingClientAuthorizations[userId]) {
+          return;
+        }
+        // Check cache unless forced
+        if (!force && state.clientAuthorizations[userId]) {
+          authLogger.debug(`[AuthStore] Using cached client authorizations for ${userId}`);
+          return;
+        }
+        set({
+          isLoadingClientAuthorizations: { ...state.isLoadingClientAuthorizations, [userId]: true }
+        });
+        try {
+          const data = await get().apiCall(`/api/admin/users/client-authorizations?user_id=${userId}`);
+          // Handle various response formats
+          let authorizations: any[] = [];
+          if (data.data) {
+            authorizations = data.data.authorizations || data.data || [];
+          } else {
+            authorizations = data.authorizations || data || [];
+          }
+          set({
+            clientAuthorizations: {
+              ...state.clientAuthorizations,
+              [userId]: Array.isArray(authorizations) ? authorizations : []
+            },
+            isLoadingClientAuthorizations: { ...state.isLoadingClientAuthorizations, [userId]: false }
+          });
+          authLogger.debug(`[AuthStore] Client authorizations fetched for ${userId}`);
+        } catch (error) {
+          const errorMessage = error instanceof Error ? error.message : String(error);
+          authLogger.error(`[AuthStore] Failed to fetch client authorizations for ${userId}:`, error);
+          set({
+            clientAuthorizations: {
+              ...state.clientAuthorizations,
+              [userId]: []
+            },
+            isLoadingClientAuthorizations: { ...state.isLoadingClientAuthorizations, [userId]: false }
+          });
+          if (!errorMessage.includes('Session expired') && !errorMessage.includes('Authentication failed')) {
+            throw error;
+          }
+        }
+      },
+      fetchUserRoleAssignments: async (userId: string, force = false) => {
+        const state = get();
+        const cacheKey = `assignments_${userId}`;
+        if (state.isLoadingUserAssignments[userId]) {
+          return;
+        }
+        if (!force && state.userAssignments[userId]) {
+          authLogger.debug(`[AuthStore] Using cached role assignments for ${userId}`);
+          return;
+        }
+        set({
+          isLoadingUserAssignments: { ...state.isLoadingUserAssignments, [userId]: true }
+        });
+        try {
+          const data = await get().apiCall(`/api/admin/users/role-assignments?user_id=${userId}`);
+          let assignments: any[] = [];
+          if (data.data) {
+            assignments = data.data.assignments || data.data || [];
+          } else {
+            assignments = data.assignments || data || [];
+          }
+          set({
+            userAssignments: {
+              ...state.userAssignments,
+              [userId]: Array.isArray(assignments) ? assignments : []
+            },
+            isLoadingUserAssignments: { ...state.isLoadingUserAssignments, [userId]: false }
+          });
+          authLogger.debug(`[AuthStore] Role assignments fetched for ${userId}`);
+        } catch (error) {
+          const errorMessage = error instanceof Error ? error.message : String(error);
+          authLogger.error(`[AuthStore] Failed to fetch role assignments for ${userId}:`, error);
+          set({
+            userAssignments: {
+              ...state.userAssignments,
+              [userId]: []
+            },
+            isLoadingUserAssignments: { ...state.isLoadingUserAssignments, [userId]: false }
+          });
+          if (!errorMessage.includes('Session expired') && !errorMessage.includes('Authentication failed')) {
+            throw error;
+          }
+        }
+      },
+      fetchRoleCategories: async (force = false) => {
+        const state = get();
+        const now = Date.now();
+        // Check cache unless forced (role categories are fairly stable)
+        if (!force && state.roleCategories && state.roleCategoriesLastFetch) {
+          const age = now - state.roleCategoriesLastFetch;
+          if (age < CACHE_DURATION.ROLE_CATEGORIES) {
+            authLogger.debug('[AuthStore] Using cached role categories');
+            return;
+          }
+        }
+        set({ isLoadingRoleCategories: true });
+        try {
+          const data = await get().apiCall('/api/admin/roles/categories');
+          set({
+            roleCategories: Array.isArray(data) ? data : (data.data || []),
+            roleCategoriesLastFetch: now,
+            isLoadingRoleCategories: false,
+          });
+          authLogger.debug('[AuthStore] Role categories fetched successfully');
+        } catch (error) {
+          const errorMessage = error instanceof Error ? error.message : String(error);
+          authLogger.error('[AuthStore] Failed to fetch role categories:', error);
+          set({ isLoadingRoleCategories: false });
+          if (!errorMessage.includes('Session expired') && !errorMessage.includes('Authentication failed')) {
+            throw error;
+          }
+        }
+      },
+      // ===============================
+      // CRUD OPERATIONS
+      // ===============================
+      createUser: async (userData: any) => {
+        try {
+          const result = await get().apiCall('/api/admin/users', {
+            method: 'POST',
+            body: JSON.stringify(userData)
+          });
+          // Invalidate users cache to force refresh
+          set({ usersLastFetch: null });
+          authLogger.info('[AuthStore] User created successfully');
+          return result;
+        } catch (error) {
+          authLogger.error('[AuthStore] Failed to create user:', error);
+          throw error;
+        }
+      },
+      updateUser: async (userId: string, updates: any) => {
+        try {
+          const result = await get().apiCall(`/api/admin/users/${userId}`, {
+            method: 'PUT',
+            body: JSON.stringify(updates)
+          });
+          // Invalidate relevant caches
+          const state = get();
+          set({
+            usersLastFetch: null,
+            userDetails: {
+              ...state.userDetails,
+              [userId]: undefined // Force refresh of this user's details
+            }
+          });
+          authLogger.info(`[AuthStore] User ${userId} updated successfully`);
+          return result;
+        } catch (error) {
+          authLogger.error(`[AuthStore] Failed to update user ${userId}:`, error);
+          throw error;
+        }
+      },
+      deleteUser: async (userId: string) => {
+        try {
+          await get().apiCall(`/api/admin/users/${userId}`, {
+            method: 'DELETE'
+          });
+          // Clean up all related data for this user
+          const state = get();
+          const newUserDetails = { ...state.userDetails };
+          const newUserAssignments = { ...state.userAssignments };
+          const newClientAuthorizations = { ...state.clientAuthorizations };
+          delete newUserDetails[userId];
+          delete newUserAssignments[userId];
+          delete newClientAuthorizations[userId];
+          set({
+            usersLastFetch: null, // Force refresh
+            userDetails: newUserDetails,
+            userAssignments: newUserAssignments,
+            clientAuthorizations: newClientAuthorizations
+          });
+          authLogger.info(`[AuthStore] User ${userId} deleted successfully`);
+        } catch (error) {
+          authLogger.error(`[AuthStore] Failed to delete user ${userId}:`, error);
+          throw error;
+        }
+      },
+      createRole: async (roleData: any) => {
+        try {
+          const result = await get().apiCall('/api/admin/roles', {
+            method: 'POST',
+            body: JSON.stringify(roleData)
+          });
+          // Invalidate roles cache
+          set({ rolesLastFetch: null });
+          authLogger.info('[AuthStore] Role created successfully');
+          return result;
+        } catch (error) {
+          authLogger.error('[AuthStore] Failed to create role:', error);
+          throw error;
+        }
+      },
+      updateRole: async (roleId: string, updates: any) => {
+        try {
+          const result = await get().apiCall(`/api/admin/roles/${roleId}`, {
+            method: 'PUT',
+            body: JSON.stringify(updates)
+          });
+          set({ rolesLastFetch: null });
+          authLogger.info(`[AuthStore] Role ${roleId} updated successfully`);
+          return result;
+        } catch (error) {
+          authLogger.error(`[AuthStore] Failed to update role ${roleId}:`, error);
+          throw error;
+        }
+      },
+      deleteRole: async (roleId: string) => {
+        try {
+          await get().apiCall(`/api/admin/roles/${roleId}`, {
+            method: 'DELETE'
+          });
+          set({ rolesLastFetch: null });
+          authLogger.info(`[AuthStore] Role ${roleId} deleted successfully`);
+        } catch (error) {
+          authLogger.error(`[AuthStore] Failed to delete role ${roleId}:`, error);
+          throw error;
+        }
+      },
+      assignUserToRole: async (userId: string, roleId: string) => {
+        try {
+          await get().apiCall('/api/admin/users/assign-role', {
+            method: 'POST',
+            body: JSON.stringify({ userId, roleId })
+          });
+          // Invalidate user assignments cache
+          const state = get();
+          set({
+            userAssignments: {
+              ...state.userAssignments,
+              [userId]: undefined // Force refresh
+            },
+            usersLastFetch: null // Also refresh users list
+          });
+          authLogger.info(`[AuthStore] User ${userId} assigned to role ${roleId}`);
+        } catch (error) {
+          authLogger.error(`[AuthStore] Failed to assign user ${userId} to role ${roleId}:`, error);
+          throw error;
+        }
+      },
+      removeUserFromRole: async (userId: string, roleId: string) => {
+        try {
+          await get().apiCall('/api/admin/users/remove-role', {
+            method: 'POST',
+            body: JSON.stringify({ userId, roleId })
+          });
+          // Invalidate user assignments cache
+          const state = get();
+          set({
+            userAssignments: {
+              ...state.userAssignments,
+              [userId]: undefined // Force refresh
+            },
+            usersLastFetch: null // Also refresh users list
+          });
+          authLogger.info(`[AuthStore] User ${userId} removed from role ${roleId}`);
+        } catch (error) {
+          authLogger.error(`[AuthStore] Failed to remove user ${userId} from role ${roleId}:`, error);
+          throw error;
+        }
+      },
+      assignUserToClient: async (userId: string, clientId: string) => {
+        try {
+          await get().apiCall('/api/admin/users/assign-client', {
+            method: 'POST',
+            body: JSON.stringify({ userId, clientId })
+          });
+          // Invalidate user client authorizations cache
+          const state = get();
+          set({
+            clientAuthorizations: {
+              ...state.clientAuthorizations,
+              [userId]: undefined // Force refresh
+            },
+            usersLastFetch: null
+          });
+          authLogger.info(`[AuthStore] User ${userId} assigned to client ${clientId}`);
+        } catch (error) {
+          authLogger.error(`[AuthStore] Failed to assign user ${userId} to client ${clientId}:`, error);
+          throw error;
+        }
+      },
+      removeUserFromClient: async (userId: string, clientId: string) => {
+        try {
+          await get().apiCall('/api/admin/users/remove-client', {
+            method: 'POST',
+            body: JSON.stringify({ userId, clientId })
+          });
+          // Invalidate user client authorizations cache
+          const state = get();
+          set({
+            clientAuthorizations: {
+              ...state.clientAuthorizations,
+              [userId]: undefined // Force refresh
+            },
+            usersLastFetch: null
+          });
+          authLogger.info(`[AuthStore] User ${userId} removed from client ${clientId}`);
+        } catch (error) {
+          authLogger.error(`[AuthStore] Failed to remove user ${userId} from client ${clientId}:`, error);
+          throw error;
+        }
+      },
+      // ===============================
+      // UTILITY ACTIONS
+      // ===============================
+      hasRole: (role: string) => {
+        const state = get();
+        return state.user?.roles?.includes(role) || false;
+      },
+      hasAnyRole: (roles: string[]) => {
+        const state = get();
+        if (!state.user?.roles) return false;
+        return roles.some(role => state.user!.roles.includes(role));
+      },
+      hasAllRoles: (roles: string[]) => {
+        const state = get();
+        if (!state.user?.roles) return false;
+        return roles.every(role => state.user!.roles.includes(role));
+      },
+      isFullyAuthenticated: () => {
+        const state = get();
+        return state.isAuthenticated &&
+               (!state.user?.requiresTwoFactor || state.user.twoFactorSessionVerified);
+      },
+      // ===============================
+      // ERROR MANAGEMENT
+      // ===============================
+      setError: (error: string | null) => {
+        set({ error });
+      },
+      clearError: () => {
+        set({ error: null, tokenError: null });
+      },
+      // ===============================
+      // ADMIN USER STATE MANAGEMENT ACTIONS
+      // ===============================
+      approveUser: async (userId: string, reason?: string) => {
+        try {
+          await get().apiCall('/api/Admin/users/toggle-approval', {
+            method: 'POST',
+            body: JSON.stringify({
+              user_id: parseInt(userId),
+              is_approved: true,
+              reason: reason || 'Administrative approval'
+            })
+          });
+          authLogger.info('[AuthStore] User approved:', { userId, reason });
+          // The backend should broadcast the SignalR event, but we could also
+          // optimistically update local state here if needed
+        } catch (error) {
+          authLogger.error('[AuthStore] Failed to approve user:', error);
+          throw error;
+        }
+      },
+      disapproveUser: async (userId: string, reason?: string) => {
+        try {
+          await get().apiCall('/api/Admin/users/toggle-approval', {
+            method: 'POST',
+            body: JSON.stringify({
+              user_id: parseInt(userId),
+              is_approved: false,
+              reason: reason || 'Administrative disapproval'
+            })
+          });
+          authLogger.info('[AuthStore] User disapproved:', { userId, reason });
+        } catch (error) {
+          authLogger.error('[AuthStore] Failed to disapprove user:', error);
+          throw error;
+        }
+      },
+      pauseUser: async (userId: string, reason?: string) => {
+        try {
+          await get().apiCall('/api/Admin/users/pause', {
+            method: 'POST',
+            body: JSON.stringify({
+              user_id: parseInt(userId),
+              reason: reason || 'Administrative suspension'
+            })
+          });
+          authLogger.info('[AuthStore] User paused:', { userId, reason });
+        } catch (error) {
+          authLogger.error('[AuthStore] Failed to pause user:', error);
+          throw error;
+        }
+      },
+      resumeUser: async (userId: string) => {
+        try {
+          await get().apiCall('/api/Admin/users/resume', {
+            method: 'POST',
+            body: JSON.stringify({
+              user_id: parseInt(userId)
+            })
+          });
+          authLogger.info('[AuthStore] User resumed:', { userId });
+        } catch (error) {
+          authLogger.error('[AuthStore] Failed to resume user:', error);
+          throw error;
+        }
+      },
+      haltUser: async (userId: string, reason?: string) => {
+        try {
+          await get().apiCall('/api/Admin/users/halt', {
+            method: 'POST',
+            body: JSON.stringify({
+              user_id: parseInt(userId),
+              reason: reason || 'Security lockout'
+            })
+          });
+          authLogger.info('[AuthStore] User halted:', { userId, reason });
+        } catch (error) {
+          authLogger.error('[AuthStore] Failed to halt user:', error);
+          throw error;
+        }
+      },
+      unlockUser: async (userId: string) => {
+        try {
+          await get().apiCall('/api/Admin/users/unlock', {
+            method: 'POST',
+            body: JSON.stringify({
+              user_id: parseInt(userId)
+            })
+          });
+          authLogger.info('[AuthStore] User unlocked:', { userId });
+        } catch (error) {
+          authLogger.error('[AuthStore] Failed to unlock user:', error);
+          throw error;
+        }
+      },
+      // ===============================
+      // USER STATE UTILITY FUNCTIONS
+      // ===============================
+      canUserAccess: () => {
+        const state = get();
+        if (!state.user) return false;
+        // State priority: LOCKOUT > SUSPENSION > APPROVAL
+        if (state.user.lockoutEnabled) {
+          // Check if lockout has expired
+          if (state.user.lockoutEnd && new Date() > state.user.lockoutEnd) {
+            return true; // Lockout expired
+          }
+          return false; // Still locked
+        }
+        if (state.user.isSuspended) {
+          return false; // Suspended
+        }
+        return state.user.isApproved; // Must be approved
+      },
+      getUserStateDisplay: () => {
+        const state = get();
+        if (!state.user) return 'Unknown';
+        // State priority: LOCKOUT > SUSPENSION > APPROVAL
+        if (state.user.lockoutEnabled) {
+          if (state.user.lockoutEnd && new Date() > state.user.lockoutEnd) {
+            return 'Lockout Expired';
+          }
+          return 'Locked Out';
+        }
+        if (state.user.isSuspended) {
+          return 'Suspended';
+        }
+        return state.user.isApproved ? 'Approved' : 'Unapproved';
+      },
+      isUserLocked: () => {
+        const state = get();
+        if (!state.user) return false;
+        if (!state.user.lockoutEnabled) return false;
+        // Check if lockout has expired
+        if (state.user.lockoutEnd && new Date() > state.user.lockoutEnd) {
+          return false; // Lockout expired
+        }
+        return true; // Still locked
+      },
+      // ===============================
+      // REAL-TIME SIGNALR MANAGEMENT
+      // ===============================
+  initializeSignalR: async () => {
+    const state = get();
+    // Don't initialize if already connected or not authenticated
+    if (state.signalrConnection || !state.isAuthenticated || !state.accessToken) {
+      authLogger.debug('[AuthStore] Skipping SignalR - already connected or not authenticated');
+      return;
+    }
+    // Check if user has admin role for ActivityHub access
+    const hasAdminRole = state.user?.roles?.includes('payez_admin') || false;
+    if (!hasAdminRole) {
+      authLogger.info('[AuthStore] Skipping SignalR - user lacks admin role for ActivityHub');
+      return;
+    }
+    authLogger.info('[AuthStore] Initializing SignalR connection');
+    try {
+      // Use the existing signalRActivityService instead of creating a duplicate connection
+      // to the same health hub - this avoids connection errors flooding the console
+      // Start the health service if not already running (with timeout)
+      const idpBaseUrl = process.env.IDP_URL;
+      if (!idpBaseUrl) {
+        throw new Error('[IDP_URL] FATAL: IDP_URL environment variable is REQUIRED.');
+      }
+      const startPromise = signalRActivityService.start(idpBaseUrl);
+      const timeoutPromise = new Promise((_, reject) =>
+        setTimeout(() => reject(new Error('SignalR start timeout')), 5000)
+      );
+      await Promise.race([startPromise, timeoutPromise]);
+      // Subscribe to health status changes from the dedicated health service
+      const unsubscribe = signalRActivityService.subscribe((status) => {
+        // Map health service status to our connection state
+        const connectionState = status.isHealthy ?
+          HubConnectionState.Connected :
+          status.message.includes('reconnecting') ?
+            HubConnectionState.Reconnecting :
+            HubConnectionState.Disconnected;
+        authLogger.info('[AuthStore] Health status update:', {
+          isHealthy: status.isHealthy,
+          message: status.message,
+          connectionState
+        });
+        set({
+          signalrConnectionState: connectionState,
+          isConnectedToSignalR: status.isHealthy
+        });
+      });
+      // Store the unsubscribe function for cleanup
+      set({
+        signalrConnection: {
+          // Minimal connection-like interface that does nothing on stop()
+          // This allows existing code to still call connection.stop() without errors
+          stop: async () => {
+            unsubscribe();
+            authLogger.info('[AuthStore] Unsubscribed from health service');
+          }
+        } as any,
+        signalrConnectionState: signalRActivityService.getCurrentStatus().isHealthy ?
+          HubConnectionState.Connected : HubConnectionState.Disconnected,
+        isConnectedToSignalR: signalRActivityService.getCurrentStatus().isHealthy
+      });
+      authLogger.info('[AuthStore] SignalR connection established via health service');
+    } catch (error) {
+      // Don't let SignalR errors propagate up and potentially break login flow
+      const errorMessage = error instanceof Error ? error.message : String(error);
+      // Only log as error if it's not a timeout or expected connection failure
+      if (errorMessage.includes('timeout') || errorMessage.includes('unavailable')) {
+        authLogger.info('[AuthStore] SignalR connection not available (expected in some environments):', errorMessage);
+      } else {
+        authLogger.error('[AuthStore] SignalR connection failed:', error);
+      }
+      set({
+        signalrConnectionState: HubConnectionState.Disconnected,
+        isConnectedToSignalR: false
+      });
+    }
+      },
+      disconnectSignalR: async () => {
+        const state = get();
+        if (state.signalrConnection) {
+          authLogger.info('[AuthStore] Disconnecting SignalR');
+          try {
+            await state.signalrConnection.stop();
+          } catch (error) {
+            authLogger.error('[AuthStore] Error disconnecting SignalR:', error);
+          }
+          set({
+            signalrConnection: null,
+            signalrConnectionState: HubConnectionState.Disconnected,
+            isConnectedToSignalR: false
+          });
+        }
+      },
+      handleUserStateChanged: (data: UserStateChangeEvent) => {
+        // This method was designed for UserStateChanged events that don't exist in current backend
+        // Keeping for future reference or if we implement proper user state change events
+        const state = get();
+        // If this event is about the current user, update their state
+        if (data.userId === state.user?.id && state.session) {
+          authLogger.info('[AuthStore] Updating current user state from SignalR:', data);
+          // ... user state update logic would go here
+        }
+      },
+    }),
+    {
+      name: 'auth-store',
+    }
+  )
+);
+// ===============================
+// STORE INITIALIZATION HELPER
+// ===============================
+/**
+ * Initialize the auth store with a session (typically called in layout)
+ */
+export const initializeAuthStore = (session: AppSession | null) => {
+  const store = useAuthStore.getState();
+  if (!store.isInitialized) {
+    authLogger.debug('[AuthStore] Initializing with session:', { hasSession: !!session });
+    store.setSession(session);
+  }
+};
+export default useAuthStore;