@payez/next-mvp 3.3.0 → 3.5.0

package/dist/auth/providers/credentials.js

@@ -1,223 +1,223 @@
-"use strict";
-/**
- * Credentials Provider
- *
- * Handles email/password authentication via PayEz IDP.
- * Creates Redis session and returns minimal user object to NextAuth.
- *
- * FLOW:
- * 1. User submits email/password
- * 2. We call IDP /api/ExternalAuth/login
- * 3. IDP returns tokens if credentials valid
- * 4. We create Redis session with tokens
- * 5. Return user object with redisSessionId to NextAuth
- *
- * @version 1.0.0
- * @since auth-refactor-2026-01
- */
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.createCredentialsProvider = createCredentialsProvider;
-const credentials_1 = __importDefault(require("next-auth/providers/credentials"));
-const session_store_1 = require("../../lib/session-store");
-const idp_client_1 = require("../utils/idp-client");
-const token_utils_1 = require("../utils/token-utils");
-const auth_types_1 = require("../types/auth-types");
-// NOTE: Using any for sessionData until Phase 3 normalizes types
-// ============================================================================
-// CREDENTIALS PROVIDER
-// ============================================================================
-/**
- * Create the CredentialsProvider for NextAuth.
- *
- * This provider handles email/password login. The authorize function
- * is called when a user submits the login form.
- */
-function createCredentialsProvider() {
-    return (0, credentials_1.default)({
-        id: 'credentials',
-        name: 'Credentials',
-        credentials: {
-            email: { label: 'Email', type: 'email' },
-            password: { label: 'Password', type: 'password' },
-        },
-        authorize: authorizeCredentials,
-    });
-}
-/**
- * Authorize user with email/password.
- *
- * This is the core authentication function. It:
- * 1. Validates credentials with IDP
- * 2. Decodes the returned tokens
- * 3. Creates a Redis session
- * 4. Returns user info for NextAuth JWT
- *
- * @param credentials - Email and password from login form
- * @param req - The incoming request (for IP/UA forwarding)
- * @returns User object for NextAuth, or null/throws on failure
- */
-async function authorizeCredentials(credentials, req) {
-    // -------------------------------------------------------------------------
-    // Validate Input
-    // -------------------------------------------------------------------------
-    if (!credentials?.email || !credentials?.password) {
-        throw new Error('Email and password required');
-    }
-    const loginCredentials = {
-        email: credentials.email,
-        password: credentials.password,
-    };
-    // Extract client info for audit logging
-    const clientHeaders = extractClientHeaders(req);
-    // -------------------------------------------------------------------------
-    // Call IDP
-    // -------------------------------------------------------------------------
-    const loginResult = await (0, idp_client_1.idpLogin)(loginCredentials, clientHeaders);
-    if (!loginResult.success || !loginResult.result) {
-        // Build structured error for frontend
-        const errorResponse = buildAuthError(loginResult.error);
-        throw new Error(JSON.stringify(errorResponse));
-    }
-    const { access_token, refresh_token, user: idpUser } = loginResult.result;
-    // -------------------------------------------------------------------------
-    // Decode Token
-    // -------------------------------------------------------------------------
-    const decoded = (0, token_utils_1.decodeIdpAccessToken)(access_token);
-    if (!decoded) {
-        throw new Error('Failed to decode token');
-    }
-    // Extract kid from JWT header (CRITICAL: this is different from client_id in payload)
-    const bearerKeyId = (0, token_utils_1.extractKidFromToken)(access_token);
-    if (bearerKeyId) {
-        console.log('[CREDENTIALS] Extracted bearerKeyId (kid) from JWT header:', bearerKeyId);
-    }
-    else {
-        console.warn('[CREDENTIALS] No kid found in JWT header - token may be unsigned or malformed');
-    }
-    // Extract claims from token
-    const email = (0, token_utils_1.extractEmailFromToken)(decoded);
-    const roles = (0, token_utils_1.extractRolesFromToken)(decoded);
-    const amrClaims = (0, token_utils_1.extractAmrFromToken)(decoded);
-    const acrLevel = decoded.acr || '1';
-    const userId = decoded.sub;
-    // Check if 2FA is complete based on ACR level
-    // ACR=1: Provisional token (requires 2FA)
-    // ACR=2: Full authentication (2FA complete)
-    const mfaVerified = acrLevel === '2';
-    // Decode refresh token expiry if available
-    let refreshTokenExpires;
-    try {
-        const refreshDecoded = (0, token_utils_1.decodeIdpAccessToken)(refresh_token);
-        if (refreshDecoded?.exp) {
-            refreshTokenExpires = (0, token_utils_1.expClaimToMs)(refreshDecoded.exp);
-        }
-    }
-    catch {
-        // Ignore - will use default expiry
-    }
-    // -------------------------------------------------------------------------
-    // Create Redis Session
-    // -------------------------------------------------------------------------
-    // Using normalized field names (session-store handles backward compatibility)
-    const sessionData = {
-        userId,
-        email,
-        roles,
-        // IDP tokens (normalized names)
-        idpAccessToken: access_token,
-        idpRefreshToken: refresh_token,
-        idpAccessTokenExpires: (0, token_utils_1.expClaimToMs)(decoded.exp),
-        idpRefreshTokenExpires: refreshTokenExpires,
-        decodedAccessToken: decoded,
-        // Bearer key ID from JWT header (NOT client_id from payload)
-        bearerKeyId,
-        // MFA state (normalized names)
-        mfaVerified,
-        authenticationMethods: amrClaims,
-        authenticationLevel: acrLevel,
-        // MFA timing info from token
-        mfaCompletedAt: decoded.mfa_time ? (0, token_utils_1.expClaimToMs)(decoded.mfa_time) : undefined,
-        mfaExpiresAt: decoded.mfa_expires ? (0, token_utils_1.expClaimToMs)(decoded.mfa_expires) : undefined,
-        mfaValidityHours: decoded.mfa_validity_hours,
-    };
-    // Determine MFA method from IDP user info
-    let mfaMethod;
-    if (idpUser?.isEmailConfirmed) {
-        mfaMethod = 'email';
-    }
-    else if (idpUser?.isSmsConfirmed) {
-        mfaMethod = 'sms';
-    }
-    if (mfaMethod) {
-        sessionData.mfaMethod = mfaMethod;
-    }
-    // Create the Redis session
-    const redisSessionId = await (0, session_store_1.createSession)(sessionData);
-    // -------------------------------------------------------------------------
-    // Return User Object for NextAuth
-    // -------------------------------------------------------------------------
-    // NextAuth requires 'id' field - we use userId from IDP
-    // The redisSessionId is passed through to the JWT callback
-    return {
-        id: userId,
-        email,
-        roles,
-        redisSessionId: (0, auth_types_1.toRedisSessionId)(redisSessionId),
-        mfaRequired: !mfaVerified,
-        mfaMethod,
-    };
-}
-// ============================================================================
-// HELPER FUNCTIONS
-// ============================================================================
-/**
- * Extract client headers from request for audit logging.
- */
-function extractClientHeaders(req) {
-    const headers = {};
-    // Extract client IP
-    const forwardedFor = req?.headers?.['x-forwarded-for'];
-    const realIp = req?.headers?.['x-real-ip'];
-    if (forwardedFor) {
-        const ip = Array.isArray(forwardedFor) ? forwardedFor[0] : forwardedFor.split(',')[0].trim();
-        headers.ip = ip;
-    }
-    else if (realIp) {
-        headers.ip = Array.isArray(realIp) ? realIp[0] : realIp;
-    }
-    // Extract User-Agent
-    const userAgent = req?.headers?.['user-agent'];
-    if (userAgent) {
-        headers.userAgent = Array.isArray(userAgent) ? userAgent[0] : userAgent;
-    }
-    return headers;
-}
-/**
- * Build structured error response for frontend.
- *
- * The frontend expects a specific error structure to display
- * appropriate messages and handle things like lockout.
- */
-function buildAuthError(error) {
-    if (!error) {
-        return {
-            success: false,
-            error: {
-                code: 'AUTH_ERROR',
-                message: 'Authentication failed',
-                details: {},
-            },
-        };
-    }
-    return {
-        success: false,
-        error: {
-            code: error.code || 'AUTH_ERROR',
-            message: error.message || 'Authentication failed',
-            details: error.details || {},
-        },
-    };
-}
+"use strict";
+/**
+ * Credentials Provider
+ *
+ * Handles email/password authentication via PayEz IDP.
+ * Creates Redis session and returns minimal user object to NextAuth.
+ *
+ * FLOW:
+ * 1. User submits email/password
+ * 2. We call IDP /api/ExternalAuth/login
+ * 3. IDP returns tokens if credentials valid
+ * 4. We create Redis session with tokens
+ * 5. Return user object with redisSessionId to NextAuth
+ *
+ * @version 1.0.0
+ * @since auth-refactor-2026-01
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createCredentialsProvider = createCredentialsProvider;
+const credentials_1 = __importDefault(require("next-auth/providers/credentials"));
+const session_store_1 = require("../../lib/session-store");
+const idp_client_1 = require("../utils/idp-client");
+const token_utils_1 = require("../utils/token-utils");
+const auth_types_1 = require("../types/auth-types");
+// NOTE: Using any for sessionData until Phase 3 normalizes types
+// ============================================================================
+// CREDENTIALS PROVIDER
+// ============================================================================
+/**
+ * Create the CredentialsProvider for NextAuth.
+ *
+ * This provider handles email/password login. The authorize function
+ * is called when a user submits the login form.
+ */
+function createCredentialsProvider() {
+    return (0, credentials_1.default)({
+        id: 'credentials',
+        name: 'Credentials',
+        credentials: {
+            email: { label: 'Email', type: 'email' },
+            password: { label: 'Password', type: 'password' },
+        },
+        authorize: authorizeCredentials,
+    });
+}
+/**
+ * Authorize user with email/password.
+ *
+ * This is the core authentication function. It:
+ * 1. Validates credentials with IDP
+ * 2. Decodes the returned tokens
+ * 3. Creates a Redis session
+ * 4. Returns user info for NextAuth JWT
+ *
+ * @param credentials - Email and password from login form
+ * @param req - The incoming request (for IP/UA forwarding)
+ * @returns User object for NextAuth, or null/throws on failure
+ */
+async function authorizeCredentials(credentials, req) {
+    // -------------------------------------------------------------------------
+    // Validate Input
+    // -------------------------------------------------------------------------
+    if (!credentials?.email || !credentials?.password) {
+        throw new Error('Email and password required');
+    }
+    const loginCredentials = {
+        email: credentials.email,
+        password: credentials.password,
+    };
+    // Extract client info for audit logging
+    const clientHeaders = extractClientHeaders(req);
+    // -------------------------------------------------------------------------
+    // Call IDP
+    // -------------------------------------------------------------------------
+    const loginResult = await (0, idp_client_1.idpLogin)(loginCredentials, clientHeaders);
+    if (!loginResult.success || !loginResult.result) {
+        // Build structured error for frontend
+        const errorResponse = buildAuthError(loginResult.error);
+        throw new Error(JSON.stringify(errorResponse));
+    }
+    const { access_token, refresh_token, user: idpUser } = loginResult.result;
+    // -------------------------------------------------------------------------
+    // Decode Token
+    // -------------------------------------------------------------------------
+    const decoded = (0, token_utils_1.decodeIdpAccessToken)(access_token);
+    if (!decoded) {
+        throw new Error('Failed to decode token');
+    }
+    // Extract kid from JWT header (CRITICAL: this is different from client_id in payload)
+    const bearerKeyId = (0, token_utils_1.extractKidFromToken)(access_token);
+    if (bearerKeyId) {
+        console.log('[CREDENTIALS] Extracted bearerKeyId (kid) from JWT header:', bearerKeyId);
+    }
+    else {
+        console.warn('[CREDENTIALS] No kid found in JWT header - token may be unsigned or malformed');
+    }
+    // Extract claims from token
+    const email = (0, token_utils_1.extractEmailFromToken)(decoded);
+    const roles = (0, token_utils_1.extractRolesFromToken)(decoded);
+    const amrClaims = (0, token_utils_1.extractAmrFromToken)(decoded);
+    const acrLevel = decoded.acr || '1';
+    const userId = decoded.sub;
+    // Check if 2FA is complete based on ACR level
+    // ACR=1: Provisional token (requires 2FA)
+    // ACR=2: Full authentication (2FA complete)
+    const mfaVerified = acrLevel === '2';
+    // Decode refresh token expiry if available
+    let refreshTokenExpires;
+    try {
+        const refreshDecoded = (0, token_utils_1.decodeIdpAccessToken)(refresh_token);
+        if (refreshDecoded?.exp) {
+            refreshTokenExpires = (0, token_utils_1.expClaimToMs)(refreshDecoded.exp);
+        }
+    }
+    catch {
+        // Ignore - will use default expiry
+    }
+    // -------------------------------------------------------------------------
+    // Create Redis Session
+    // -------------------------------------------------------------------------
+    // Using normalized field names (session-store handles backward compatibility)
+    const sessionData = {
+        userId,
+        email,
+        roles,
+        // IDP tokens (normalized names)
+        idpAccessToken: access_token,
+        idpRefreshToken: refresh_token,
+        idpAccessTokenExpires: (0, token_utils_1.expClaimToMs)(decoded.exp),
+        idpRefreshTokenExpires: refreshTokenExpires,
+        decodedAccessToken: decoded,
+        // Bearer key ID from JWT header (NOT client_id from payload)
+        bearerKeyId,
+        // MFA state (normalized names)
+        mfaVerified,
+        authenticationMethods: amrClaims,
+        authenticationLevel: acrLevel,
+        // MFA timing info from token
+        mfaCompletedAt: decoded.mfa_time ? (0, token_utils_1.expClaimToMs)(decoded.mfa_time) : undefined,
+        mfaExpiresAt: decoded.mfa_expires ? (0, token_utils_1.expClaimToMs)(decoded.mfa_expires) : undefined,
+        mfaValidityHours: decoded.mfa_validity_hours,
+    };
+    // Determine MFA method from IDP user info
+    let mfaMethod;
+    if (idpUser?.isEmailConfirmed) {
+        mfaMethod = 'email';
+    }
+    else if (idpUser?.isSmsConfirmed) {
+        mfaMethod = 'sms';
+    }
+    if (mfaMethod) {
+        sessionData.mfaMethod = mfaMethod;
+    }
+    // Create the Redis session
+    const redisSessionId = await (0, session_store_1.createSession)(sessionData);
+    // -------------------------------------------------------------------------
+    // Return User Object for NextAuth
+    // -------------------------------------------------------------------------
+    // NextAuth requires 'id' field - we use userId from IDP
+    // The redisSessionId is passed through to the JWT callback
+    return {
+        id: userId,
+        email,
+        roles,
+        redisSessionId: (0, auth_types_1.toRedisSessionId)(redisSessionId),
+        mfaRequired: !mfaVerified,
+        mfaMethod,
+    };
+}
+// ============================================================================
+// HELPER FUNCTIONS
+// ============================================================================
+/**
+ * Extract client headers from request for audit logging.
+ */
+function extractClientHeaders(req) {
+    const headers = {};
+    // Extract client IP
+    const forwardedFor = req?.headers?.['x-forwarded-for'];
+    const realIp = req?.headers?.['x-real-ip'];
+    if (forwardedFor) {
+        const ip = Array.isArray(forwardedFor) ? forwardedFor[0] : forwardedFor.split(',')[0].trim();
+        headers.ip = ip;
+    }
+    else if (realIp) {
+        headers.ip = Array.isArray(realIp) ? realIp[0] : realIp;
+    }
+    // Extract User-Agent
+    const userAgent = req?.headers?.['user-agent'];
+    if (userAgent) {
+        headers.userAgent = Array.isArray(userAgent) ? userAgent[0] : userAgent;
+    }
+    return headers;
+}
+/**
+ * Build structured error response for frontend.
+ *
+ * The frontend expects a specific error structure to display
+ * appropriate messages and handle things like lockout.
+ */
+function buildAuthError(error) {
+    if (!error) {
+        return {
+            success: false,
+            error: {
+                code: 'AUTH_ERROR',
+                message: 'Authentication failed',
+                details: {},
+            },
+        };
+    }
+    return {
+        success: false,
+        error: {
+            code: error.code || 'AUTH_ERROR',
+            message: error.message || 'Authentication failed',
+            details: error.details || {},
+        },
+    };
+}

package/dist/components/account/UserAvatarMenu.js

@@ -44,7 +44,11 @@ function UserAvatarMenu({ basePath = '', showProfile = true, showSettings = true
     if (!session?.user) {
         return null;
     }
-    const userInitial = session.user.email?.charAt(0).toUpperCase() || 'U';
+    // Derive display initial from name or email — ignore anon/internal IDs
+    const userName = session.user?.name;
+    const userEmail = session.user.email;
+    const displaySource = userName || userEmail;
+    const userInitial = displaySource?.charAt(0).toUpperCase() || '?';
     const handleNavigation = (path) => {
         setIsOpen(false);
         router.push(path);
@@ -69,7 +73,7 @@ function UserAvatarMenu({ basePath = '', showProfile = true, showSettings = true
             router.push(item.href);
         }
     };
-    return ((0, jsx_runtime_1.jsxs)("div", { ref: menuRef, className: "relative", children: [(0, jsx_runtime_1.jsx)("button", { onClick: () => setIsOpen(!isOpen), className: "flex items-center justify-center h-10 w-10 rounded-full bg-[#349AD5] text-white font-semibold text-lg hover:bg-[#2980b9] transition-colors focus:outline-none focus:ring-2 focus:ring-[#349AD5] focus:ring-offset-2 dark:focus:ring-offset-slate-900", "aria-label": "User menu", "aria-expanded": isOpen, "aria-haspopup": "true", children: userInitial }), isOpen && ((0, jsx_runtime_1.jsxs)("div", { className: "absolute right-0 mt-2 w-56 rounded-md shadow-lg z-50\r\n            bg-white dark:bg-slate-900\r\n            border border-gray-200 dark:border-slate-700", role: "menu", "aria-orientation": "vertical", children: [(0, jsx_runtime_1.jsx)("div", { className: "px-4 py-3 border-b border-gray-200 dark:border-slate-700", children: (0, jsx_runtime_1.jsx)("p", { className: "text-sm text-gray-500 dark:text-slate-400 truncate", children: session.user.email }) }), (0, jsx_runtime_1.jsxs)("div", { className: "py-1", children: [showProfile && ((0, jsx_runtime_1.jsx)(MenuItem, { icon: (0, jsx_runtime_1.jsx)(lucide_react_1.User, { className: "h-4 w-4" }), label: "Profile", onClick: () => handleNavigation(`${basePath}/profile`) })), showSettings && ((0, jsx_runtime_1.jsx)(MenuItem, { icon: (0, jsx_runtime_1.jsx)(lucide_react_1.Settings, { className: "h-4 w-4" }), label: "Settings", onClick: () => handleNavigation(`${basePath}/settings`) })), showSecurity && ((0, jsx_runtime_1.jsx)(MenuItem, { icon: (0, jsx_runtime_1.jsx)(lucide_react_1.Shield, { className: "h-4 w-4" }), label: "Security", onClick: () => handleNavigation(`${basePath}/security`) })), customItems?.map((item, index) => ((0, jsx_runtime_1.jsx)(MenuItem, { icon: item.icon, label: item.label, onClick: () => handleItemClick(item) }, index)))] }), (0, jsx_runtime_1.jsx)("div", { className: "border-t border-gray-200 dark:border-slate-700 py-1", children: (0, jsx_runtime_1.jsx)(MenuItem, { icon: (0, jsx_runtime_1.jsx)(lucide_react_1.LogOut, { className: "h-4 w-4" }), label: "Sign Out", onClick: handleSignOut, variant: "danger" }) })] }))] }));
+    return ((0, jsx_runtime_1.jsxs)("div", { ref: menuRef, className: "relative", children: [(0, jsx_runtime_1.jsx)("button", { onClick: () => setIsOpen(!isOpen), className: "flex items-center justify-center h-10 w-10 rounded-full bg-[#349AD5] text-white font-semibold text-lg hover:bg-[#2980b9] transition-colors focus:outline-none focus:ring-2 focus:ring-[#349AD5] focus:ring-offset-2 dark:focus:ring-offset-slate-900", "aria-label": "User menu", "aria-expanded": isOpen, "aria-haspopup": "true", children: userInitial }), isOpen && ((0, jsx_runtime_1.jsxs)("div", { className: "absolute right-0 mt-2 w-56 rounded-md shadow-lg z-50\r\n            bg-white dark:bg-slate-900\r\n            border border-gray-200 dark:border-slate-700", role: "menu", "aria-orientation": "vertical", children: [(0, jsx_runtime_1.jsxs)("div", { className: "px-4 py-3 border-b border-gray-200 dark:border-slate-700", children: [userName && ((0, jsx_runtime_1.jsx)("p", { className: "text-sm font-medium text-gray-700 dark:text-slate-200 truncate", children: userName })), userEmail && ((0, jsx_runtime_1.jsx)("p", { className: "text-sm text-gray-500 dark:text-slate-400 truncate", children: userEmail })), !userName && !userEmail && ((0, jsx_runtime_1.jsx)("p", { className: "text-sm text-gray-500 dark:text-slate-400", children: "Signed in" }))] }), (0, jsx_runtime_1.jsxs)("div", { className: "py-1", children: [showProfile && ((0, jsx_runtime_1.jsx)(MenuItem, { icon: (0, jsx_runtime_1.jsx)(lucide_react_1.User, { className: "h-4 w-4" }), label: "Profile", onClick: () => handleNavigation(`${basePath}/profile`) })), showSettings && ((0, jsx_runtime_1.jsx)(MenuItem, { icon: (0, jsx_runtime_1.jsx)(lucide_react_1.Settings, { className: "h-4 w-4" }), label: "Settings", onClick: () => handleNavigation(`${basePath}/settings`) })), showSecurity && ((0, jsx_runtime_1.jsx)(MenuItem, { icon: (0, jsx_runtime_1.jsx)(lucide_react_1.Shield, { className: "h-4 w-4" }), label: "Security", onClick: () => handleNavigation(`${basePath}/security`) })), customItems?.map((item, index) => ((0, jsx_runtime_1.jsx)(MenuItem, { icon: item.icon, label: item.label, onClick: () => handleItemClick(item) }, index)))] }), (0, jsx_runtime_1.jsx)("div", { className: "border-t border-gray-200 dark:border-slate-700 py-1", children: (0, jsx_runtime_1.jsx)(MenuItem, { icon: (0, jsx_runtime_1.jsx)(lucide_react_1.LogOut, { className: "h-4 w-4" }), label: "Sign Out", onClick: handleSignOut, variant: "danger" }) })] }))] }));
 }
 function MenuItem({ icon, label, onClick, variant = 'default' }) {
     const baseClasses = "flex items-center w-full px-4 py-2 text-sm cursor-pointer transition-colors";

package/dist/config/vibe-log-transport.d.ts

@@ -10,8 +10,10 @@
  * - Redis buffering with 1-week TTL
  * - Graceful degradation on failure
  */
-import Transport from 'winston-transport';
-export interface VibeLogTransportOptions extends Transport.TransportStreamOptions {
+declare let TransportBase: any;
+export interface VibeLogTransportOptions {
+    /** Winston transport level */
+    level?: string;
     /** Redis URL (optional, uses REDIS_URL env var by default) */
     redisUrl?: string;
     /** Vibe client ID (for log metadata) */
@@ -30,7 +32,7 @@ export interface VibeLogTransportOptions extends Transport.TransportStreamOption
 /**
  * Winston transport that buffers logs to Redis for Vibe drain processing
  */
-export declare class VibeLogTransport extends Transport {
+export declare class VibeLogTransport extends TransportBase {
     private vibeClientId;
     private appSlug;
     private minLevelNum;

package/dist/config/vibe-log-transport.js

@@ -11,14 +11,23 @@
  * - Redis buffering with 1-week TTL
  * - Graceful degradation on failure
  */
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.VibeLogTransport = void 0;
 exports.createVibeLogTransport = createVibeLogTransport;
-const winston_transport_1 = __importDefault(require("winston-transport"));
 const redis_1 = require("../lib/redis");
+// Dynamic import — winston is a peerDependency and may not be installed.
+// We resolve the base class lazily so builds don't break without it.
+let TransportBase;
+try {
+    TransportBase = require('winston-transport');
+}
+catch {
+    // Fallback: minimal base class for when winston is not installed
+    TransportBase = class {
+        constructor(_opts) { }
+        emit(_event, _info) { }
+    };
+}
 /** Redis key for pending log entries */
 const REDIS_LOG_KEY = 'vibe:logs:pending';
 /** TTL in seconds: 1 week */
@@ -33,7 +42,7 @@ const LEVEL_ORDER = {
 /**
  * Winston transport that buffers logs to Redis for Vibe drain processing
  */
-class VibeLogTransport extends winston_transport_1.default {
+class VibeLogTransport extends TransportBase {
     vibeClientId;
     appSlug;
     minLevelNum;

package/dist/lib/session-store.d.ts

@@ -34,6 +34,10 @@ export declare function createSession(data: SessionData): Promise<string>;
  * @returns The session data, or null if not found.
  */
 export declare function getSession(sessionToken: string): Promise<SessionData | null>;
+/**
+ * Refresh session TTL without reading/writing data (sliding window expiry).
+ */
+export declare function touchSession(token: string): Promise<void>;
 /**
  * Retrieves a session along with a version identifier for optimistic locking.
  * @param sessionToken The session token to look up.

package/dist/lib/session-store.js

@@ -15,6 +15,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.generateSessionToken = generateSessionToken;
 exports.createSession = createSession;
 exports.getSession = getSession;
+exports.touchSession = touchSession;
 exports.getSessionWithVersion = getSessionWithVersion;
 exports.isAccessTokenFresh = isAccessTokenFresh;
 exports.deleteSession = deleteSession;
@@ -95,6 +96,13 @@ async function getSession(sessionToken) {
         return null;
     }
 }
+/**
+ * Refresh session TTL without reading/writing data (sliding window expiry).
+ */
+async function touchSession(token) {
+    const key = getSessionKey(token);
+    await redis_1.default.expire(key, SESSION_TTL);
+}
 /**
  * Retrieves a session along with a version identifier for optimistic locking.
  * @param sessionToken The session token to look up.

package/dist/pages/coming-soon/page.d.ts

@@ -0,0 +1,8 @@
+import React from 'react';
+interface ComingSoonPageProps {
+    homeUrl?: string;
+    /** Override logo — pass a React node (e.g. inline SVG or themed <img>) */
+    logo?: React.ReactNode;
+}
+export default function ComingSoonPage(props: ComingSoonPageProps): import("react/jsx-runtime").JSX.Element;
+export {};

package/dist/pages/coming-soon/page.js

@@ -0,0 +1,28 @@
+"use strict";
+'use client';
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.default = ComingSoonPage;
+const jsx_runtime_1 = require("react/jsx-runtime");
+const react_1 = require("react");
+const link_1 = __importDefault(require("next/link"));
+const useTheme_1 = require("../../theme/useTheme");
+function ComingSoonContent({ homeUrl = '/', logo }) {
+    const branding = (0, useTheme_1.useBranding)();
+    const colors = (0, useTheme_1.useColors)();
+    const fallbackLogo = branding.logo?.dark || branding.logo?.light;
+    const logoAlt = branding.logo?.alt || branding.appName || 'App Logo';
+    const logoHeight = branding.logo?.height || 48;
+    return ((0, jsx_runtime_1.jsx)("div", { className: "min-h-screen flex items-center justify-center p-4", children: (0, jsx_runtime_1.jsxs)("div", { className: "max-w-md w-full text-center rounded-xl p-8 shadow-lg border", style: {
+                backgroundColor: 'var(--bg-card, #ffffff)',
+                borderColor: 'var(--border-default, #e5e7eb)',
+            }, children: [(0, jsx_runtime_1.jsx)("div", { className: "mb-6 flex justify-center", children: logo || (fallbackLogo && ((0, jsx_runtime_1.jsx)("img", { src: fallbackLogo, alt: logoAlt, style: { height: logoHeight } }))) }), (0, jsx_runtime_1.jsx)("h1", { className: "text-2xl font-bold mb-2", style: { color: 'var(--text-primary, #111827)' }, children: branding.appName || 'Our App' }), (0, jsx_runtime_1.jsx)("span", { className: "inline-flex items-center px-3 py-1 text-xs font-medium rounded-full lowercase tracking-wide border mb-4", style: {
+                        borderColor: colors.primary || '#3b82f6',
+                        color: colors.primary || '#3b82f6',
+                    }, children: "coming soon" }), (0, jsx_runtime_1.jsx)("p", { className: "mb-6", style: { color: 'var(--text-secondary, #6b7280)' }, children: "We're currently in beta and access is limited to approved users. Check back soon \u2014 we're working hard to open the doors!" }), (0, jsx_runtime_1.jsx)(link_1.default, { href: homeUrl, className: "inline-block w-full font-medium py-3 px-4 rounded-lg transition-colors text-white", style: { backgroundColor: colors.primary || '#3b82f6' }, children: "Go to Home" })] }) }));
+}
+function ComingSoonPage(props) {
+    return ((0, jsx_runtime_1.jsx)(react_1.Suspense, { children: (0, jsx_runtime_1.jsx)(ComingSoonContent, { ...props }) }));
+}