@payez/next-mvp 4.0.1 → 4.0.3

package/dist/lib/internal-api.js

@@ -0,0 +1,122 @@
+"use strict";
+/**
+ * Centralized internal API helper for the app to call ITSELF.
+ *
+ * IMPORTANT: All calls from the Next.js server to its own API routes MUST use
+ * these functions. Never use req.url, req.nextUrl.origin, or construct URLs
+ * from the incoming request.
+ *
+ * WHY HTTP IS REQUIRED (not optional):
+ * - This is the app calling its OWN backend within the same pod/container
+ * - NextAuth cookies are encrypted based on request protocol
+ * - TLS is terminated at ingress, so the pod receives HTTP internally
+ * - Using HTTPS here causes cookie decryption failures and 403 errors
+ * - This is NOT about "K8s traffic doesn't need TLS" - it's about
+ *   protocol consistency for cookie/session encryption
+ *
+ * Environment:
+ * - INTERNAL_API_URL: Required in production (e.g., http://service.namespace.svc.cluster.local:80)
+ * - Falls back to http://localhost:3200 in development only
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getInternalApiUrl = getInternalApiUrl;
+exports.internalFetch = internalFetch;
+exports.internalRefresh = internalRefresh;
+/**
+ * Get the internal API base URL for the app to call itself.
+ *
+ * @throws Error in production if INTERNAL_API_URL is not set
+ * @returns The base URL (no trailing slash)
+ */
+function getInternalApiUrl() {
+    const url = process.env.INTERNAL_API_URL;
+    if (url)
+        return url.replace(/\/$/, ''); // strip trailing slash
+    if (process.env.NODE_ENV !== 'production') {
+        return 'http://localhost:3200';
+    }
+    throw new Error('[INTERNAL_API_URL] FATAL: INTERNAL_API_URL environment variable is REQUIRED in production. ' +
+        'This is for the app to call ITSELF. MUST be HTTP (not HTTPS) due to cookie encryption. ' +
+        'Set to http://service.namespace.svc.cluster.local:80');
+}
+/**
+ * Make a fetch call to an internal API route (app calling itself).
+ *
+ * @param path - The API path (e.g., '/api/auth/refresh')
+ * @param options - Fetch options
+ * @returns The fetch result with parsed data
+ *
+ * @example
+ * ```ts
+ * // Simple GET
+ * const result = await internalFetch('/api/health');
+ *
+ * // POST with session
+ * const result = await internalFetch('/api/auth/refresh', {
+ *   method: 'POST',
+ *   cookie: req.headers.get('cookie') || '',
+ *   sessionToken: token.redisSessionId,
+ *   body: JSON.stringify({ refresh_token: refreshToken }),
+ * });
+ * ```
+ */
+async function internalFetch(path, options = {}) {
+    const { headers: extraHeaders = {}, cookie, sessionToken, requestId, parseJson = true, ...fetchOptions } = options;
+    const baseUrl = getInternalApiUrl();
+    const url = `${baseUrl}${path.startsWith('/') ? path : `/${path}`}`;
+    // Build headers
+    const headers = {
+        'Accept': 'application/json',
+        'Content-Type': 'application/json',
+        ...extraHeaders,
+    };
+    if (cookie) {
+        headers['Cookie'] = cookie;
+    }
+    if (sessionToken) {
+        headers['X-Session-Token'] = sessionToken;
+    }
+    if (requestId) {
+        headers['X-Request-Id'] = requestId;
+    }
+    const response = await fetch(url, {
+        ...fetchOptions,
+        headers,
+    });
+    let data = null;
+    if (parseJson) {
+        try {
+            data = await response.json();
+        }
+        catch {
+            data = null;
+        }
+    }
+    return {
+        ok: response.ok,
+        status: response.status,
+        statusText: response.statusText,
+        data,
+        response,
+    };
+}
+/**
+ * Trigger a token refresh via the internal API.
+ * This is a convenience wrapper for the common refresh pattern.
+ *
+ * @param cookie - The cookie header from the incoming request
+ * @param sessionToken - The session token
+ * @param refreshToken - Optional refresh token to include in body
+ * @param requestId - Optional request ID for tracing
+ * @returns Whether the refresh was successful
+ */
+async function internalRefresh(cookie, sessionToken, refreshToken, requestId) {
+    const result = await internalFetch('/api/auth/refresh', {
+        method: 'POST',
+        cookie,
+        sessionToken,
+        requestId,
+        body: refreshToken ? JSON.stringify({ refresh_token: refreshToken }) : undefined,
+    });
+    return { ok: result.ok, status: result.status };
+}

package/dist/lib/jwt-decode-client.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Client-safe JWT decode (no Node.js dependencies)
+ * This is a lightweight version for browser usage
+ */
+/**
+ * Simple JWT decode for client-side use (no signature verification)
+ * @param token - JWT token string
+ * @returns Decoded payload or null if invalid
+ */
+export declare function jwtDecode<T = any>(token: string): T | null;

package/dist/lib/jwt-decode-client.js

@@ -0,0 +1,46 @@
+"use strict";
+/**
+ * Client-safe JWT decode (no Node.js dependencies)
+ * This is a lightweight version for browser usage
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.jwtDecode = jwtDecode;
+// Decode base64url
+function base64urlDecode(base64url) {
+    try {
+        // Convert base64url to base64
+        let base64 = base64url.replace(/-/g, '+').replace(/_/g, '/');
+        // Add padding if needed
+        while (base64.length % 4) {
+            base64 += '=';
+        }
+        return atob(base64);
+    }
+    catch (e) {
+        throw new Error('Invalid base64url encoding');
+    }
+}
+/**
+ * Simple JWT decode for client-side use (no signature verification)
+ * @param token - JWT token string
+ * @returns Decoded payload or null if invalid
+ */
+function jwtDecode(token) {
+    if (!token)
+        return null;
+    try {
+        const parts = token.split('.');
+        if (parts.length < 2) {
+            console.error('[JWT] Invalid token format');
+            return null;
+        }
+        const payload = parts[1];
+        const decoded = base64urlDecode(payload);
+        const parsedPayload = JSON.parse(decoded);
+        return parsedPayload;
+    }
+    catch (e) {
+        console.error('[JWT] Decode failed:', e instanceof Error ? e.message : 'Unknown error');
+        return null;
+    }
+}

package/dist/lib/jwt-decode.d.ts

@@ -0,0 +1,48 @@
+export interface JwtPayload {
+    iss?: string;
+    sub?: string;
+    aud?: string[] | string;
+    exp?: number;
+    nbf?: number;
+    iat?: number;
+    jti?: string;
+}
+/**
+ * JWT Header structure.
+ * Contains metadata about the token including the signing key ID.
+ */
+export interface JwtHeader {
+    /** Algorithm used to sign the token (e.g., 'RS256', 'HS256') */
+    alg: string;
+    /** Token type (typically 'JWT') */
+    typ?: string;
+    /** Key ID - identifies which key was used to sign this token */
+    kid?: string;
+    /** Content type */
+    cty?: string;
+}
+/**
+ * Decode JWT payload (standard claims).
+ * This is a thin wrapper around jwt-decode library.
+ */
+export declare function jwtDecode<T = JwtPayload>(token: string): T;
+/**
+ * Decode JWT header to extract kid, alg, and other header claims.
+ *
+ * The JWT header contains critical information:
+ * - kid: Key ID used to sign the token (needed for key governance)
+ * - alg: Algorithm used for signing
+ * - typ: Token type
+ *
+ * @param token - The JWT token string
+ * @returns Decoded header or null if decoding fails
+ */
+export declare function decodeJwtHeader(token: string): JwtHeader | null;
+/**
+ * Extract just the kid (Key ID) from a JWT token.
+ * Convenience function for when you only need the key ID.
+ *
+ * @param token - The JWT token string
+ * @returns The kid value or undefined if not present/decodable
+ */
+export declare function extractKidFromToken(token: string): string | undefined;

package/dist/lib/jwt-decode.js

@@ -0,0 +1,57 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.jwtDecode = jwtDecode;
+exports.decodeJwtHeader = decodeJwtHeader;
+exports.extractKidFromToken = extractKidFromToken;
+const jwt_decode_1 = require("jwt-decode");
+/**
+ * Decode JWT payload (standard claims).
+ * This is a thin wrapper around jwt-decode library.
+ */
+function jwtDecode(token) {
+    return (0, jwt_decode_1.jwtDecode)(token);
+}
+/**
+ * Decode JWT header to extract kid, alg, and other header claims.
+ *
+ * The JWT header contains critical information:
+ * - kid: Key ID used to sign the token (needed for key governance)
+ * - alg: Algorithm used for signing
+ * - typ: Token type
+ *
+ * @param token - The JWT token string
+ * @returns Decoded header or null if decoding fails
+ */
+function decodeJwtHeader(token) {
+    try {
+        if (!token || typeof token !== 'string') {
+            return null;
+        }
+        const parts = token.split('.');
+        if (parts.length !== 3) {
+            console.warn('[JWT_DECODE] Invalid JWT structure - expected 3 parts, got', parts.length);
+            return null;
+        }
+        // Decode base64url header (part 0)
+        const headerB64 = parts[0].replace(/-/g, '+').replace(/_/g, '/');
+        const headerJson = typeof atob !== 'undefined'
+            ? atob(headerB64)
+            : Buffer.from(headerB64, 'base64').toString('utf-8');
+        return JSON.parse(headerJson);
+    }
+    catch (error) {
+        console.error('[JWT_DECODE] Failed to decode JWT header:', error);
+        return null;
+    }
+}
+/**
+ * Extract just the kid (Key ID) from a JWT token.
+ * Convenience function for when you only need the key ID.
+ *
+ * @param token - The JWT token string
+ * @returns The kid value or undefined if not present/decodable
+ */
+function extractKidFromToken(token) {
+    const header = decodeJwtHeader(token);
+    return header?.kid;
+}

package/dist/lib/rate-limit-service.d.ts

@@ -0,0 +1,23 @@
+export interface RateLimitRule {
+    endpoint: string;
+    period: string;
+    limit: number;
+}
+export interface RateLimitResult {
+    isAllowed: boolean;
+    requestCount: number;
+    limit: number;
+    retryAfterSeconds?: number;
+    failedAttempts?: number;
+}
+export declare function createPayEzRateLimitResponse(retryAfterSeconds: number, remainingAttempts?: number): {
+    success: boolean;
+    message: string;
+    user_info: null;
+    errors: {
+        code: string;
+        message: string;
+        resolution: string;
+        remainingAttempts: number;
+    }[];
+};

package/dist/lib/rate-limit-service.js

@@ -0,0 +1,6 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createPayEzRateLimitResponse = createPayEzRateLimitResponse;
+function createPayEzRateLimitResponse(retryAfterSeconds, remainingAttempts = 0) {
+    return { success: false, message: 'Too many failed attempts', user_info: null, errors: [{ code: 'RateLimitExceeded', message: 'Too many failed authentication attempts', resolution: `Please try again in ${retryAfterSeconds} seconds`, remainingAttempts }] };
+}

package/dist/lib/redis.d.ts

@@ -0,0 +1,5 @@
+import Redis from 'ioredis';
+export declare function getRedis(): Redis;
+declare const redis: Redis;
+export { redis };
+export default redis;

package/dist/lib/redis.js

@@ -0,0 +1,28 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.redis = void 0;
+exports.getRedis = getRedis;
+// E:\Repos\PayEz-Next-MVP\packages\next-mvp\src\lib\redis.ts
+const ioredis_1 = __importDefault(require("ioredis"));
+let client = null;
+function createClient() {
+    const url = process.env.REDIS_URL;
+    if (url && url.trim() !== '') {
+        // Use a standard configuration for better Docker compatibility
+        return new ioredis_1.default(url);
+    }
+    // No REDIS_URL set, create a client that will fail fast.
+    return new ioredis_1.default({ lazyConnect: true });
+}
+function getRedis() {
+    if (!client) {
+        client = createClient();
+    }
+    return client;
+}
+const redis = getRedis();
+exports.redis = redis;
+exports.default = redis;

package/dist/lib/refresh-token-validator.d.ts

@@ -0,0 +1,13 @@
+export declare function isRefreshTokenValid(token: string): boolean;
+export declare function isRefreshTokenExpiring(token: string, bufferMinutes?: number): boolean;
+export declare function getRefreshTokenExpiration(token: string): number | null;
+export declare function getRefreshTokenTimeRemaining(token: string): number | null;
+export interface RefreshViabilityCheck {
+    canRefresh: boolean;
+    reason: 'valid_refresh_token' | 'no_refresh_token' | 'refresh_token_expired' | 'session_missing';
+    timeRemaining?: number;
+    expiresAt?: string;
+    accessTokenExpired?: boolean;
+    accessTokenTimeRemaining?: number;
+}
+export declare function checkRefreshViability(sessionData: any): RefreshViabilityCheck;

package/dist/lib/refresh-token-validator.js

@@ -0,0 +1,117 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isRefreshTokenValid = isRefreshTokenValid;
+exports.isRefreshTokenExpiring = isRefreshTokenExpiring;
+exports.getRefreshTokenExpiration = getRefreshTokenExpiration;
+exports.getRefreshTokenTimeRemaining = getRefreshTokenTimeRemaining;
+exports.checkRefreshViability = checkRefreshViability;
+const jwt_decode_1 = require("./jwt-decode");
+const logger_1 = require("../config/logger");
+function isRefreshTokenValid(token) {
+    if (!token)
+        return false;
+    try {
+        const decoded = (0, jwt_decode_1.jwtDecode)(token);
+        if (!decoded)
+            return false;
+        const now = Math.floor(Date.now() / 1000);
+        if (decoded.exp < now)
+            return false;
+        if (decoded.token_type !== 'refresh_token')
+            return false;
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+function isRefreshTokenExpiring(token, bufferMinutes = 60) {
+    if (!token)
+        return true;
+    try {
+        const decoded = (0, jwt_decode_1.jwtDecode)(token);
+        if (!decoded?.exp)
+            return true;
+        const now = Math.floor(Date.now() / 1000);
+        const buffer = bufferMinutes * 60;
+        return decoded.exp <= (now + buffer);
+    }
+    catch {
+        return true;
+    }
+}
+function getRefreshTokenExpiration(token) {
+    if (!token)
+        return null;
+    try {
+        const decoded = (0, jwt_decode_1.jwtDecode)(token);
+        if (!decoded?.exp)
+            return null;
+        return decoded.exp * 1000;
+    }
+    catch {
+        return null;
+    }
+}
+function getRefreshTokenTimeRemaining(token) {
+    if (!token)
+        return null;
+    try {
+        const decoded = (0, jwt_decode_1.jwtDecode)(token);
+        if (!decoded?.exp)
+            return null;
+        const now = Math.floor(Date.now() / 1000);
+        const timeRemaining = decoded.exp - now;
+        return timeRemaining > 0 ? timeRemaining : null;
+    }
+    catch {
+        return null;
+    }
+}
+function checkRefreshViability(sessionData) {
+    if (!sessionData)
+        return { canRefresh: false, reason: 'session_missing' };
+    let accessTokenExpired = false;
+    let accessTokenTimeRemaining;
+    if (sessionData.idpAccessTokenExpires) {
+        const now = Date.now();
+        let expiresAtMs = sessionData.idpAccessTokenExpires;
+        if (typeof expiresAtMs === 'string')
+            expiresAtMs = parseInt(expiresAtMs, 10);
+        if (expiresAtMs < 1000000000000)
+            expiresAtMs = expiresAtMs * 1000;
+        accessTokenTimeRemaining = Math.floor((expiresAtMs - now) / 1000);
+        const bufferSec = 5 * 60; // 5 minutes pre-expiry buffer
+        accessTokenExpired = accessTokenTimeRemaining <= bufferSec;
+        logger_1.tokenRefreshLogger.debug('[REFRESH_VIABILITY] Access token expiration check', { now, expiresAtMs, accessTokenTimeRemaining, bufferSec, accessTokenExpired });
+    }
+    if (!sessionData.idpRefreshToken)
+        return { canRefresh: false, reason: 'no_refresh_token', accessTokenExpired, accessTokenTimeRemaining };
+    if (sessionData.idpRefreshTokenExpires) {
+        let refreshExpMs = sessionData.idpRefreshTokenExpires;
+        if (typeof refreshExpMs === 'string')
+            refreshExpMs = parseInt(refreshExpMs, 10);
+        if (refreshExpMs < 1000000000000)
+            refreshExpMs = refreshExpMs * 1000;
+        const nowMs = Date.now();
+        const timeRemainingSec = Math.floor((refreshExpMs - nowMs) / 1000);
+        if (timeRemainingSec <= 0)
+            return { canRefresh: false, reason: 'refresh_token_expired', accessTokenExpired, accessTokenTimeRemaining };
+        return { canRefresh: true, reason: 'valid_refresh_token', timeRemaining: timeRemainingSec, expiresAt: new Date(refreshExpMs).toISOString(), accessTokenExpired, accessTokenTimeRemaining };
+    }
+    try {
+        const decoded = (0, jwt_decode_1.jwtDecode)(sessionData.idpRefreshToken);
+        const nowSec = Math.floor(Date.now() / 1000);
+        if (!decoded?.exp || decoded.token_type !== 'refresh_token')
+            return { canRefresh: false, reason: 'refresh_token_expired', accessTokenExpired, accessTokenTimeRemaining };
+        const timeRemaining = decoded.exp - nowSec;
+        if (timeRemaining <= 0)
+            return { canRefresh: false, reason: 'refresh_token_expired', accessTokenExpired, accessTokenTimeRemaining };
+        const expiresAtIso = new Date(decoded.exp * 1000).toISOString();
+        return { canRefresh: true, reason: 'valid_refresh_token', timeRemaining, expiresAt: expiresAtIso, accessTokenExpired, accessTokenTimeRemaining };
+    }
+    catch (error) {
+        logger_1.tokenRefreshLogger.debug('[REFRESH_VIABILITY] Failed to decode refresh token for viability', { error: error instanceof Error ? error.message : String(error) });
+        return { canRefresh: false, reason: 'refresh_token_expired', accessTokenExpired, accessTokenTimeRemaining };
+    }
+}

package/dist/lib/roles.d.ts

@@ -0,0 +1,145 @@
+/**
+ * Vibe Role Constants and Utilities
+ *
+ * Centralized role definitions for consistent authorization across the stack.
+ *
+ * @version 1.0
+ */
+/**
+ * Global platform roles (IDP-level)
+ * These roles are managed at the IDP and grant cross-client access.
+ */
+export declare const GlobalRoles: {
+    /** Platform super admin - full access to everything */
+    readonly PAYEZ_ADMIN: "payez_admin";
+    /** IDP client admin - manages IDP client configuration */
+    readonly IDP_CLIENT_ADMIN: "idp_client_admin";
+    /** Vibe platform admin - manages Vibe infrastructure globally */
+    readonly VIBE_APP_ADMIN: "vibe_app_admin";
+    /** Vibe client admin - manages Vibe for a specific tenant */
+    readonly VIBE_CLIENT_ADMIN: "vibe_client_admin";
+    /** Vibe agents user - AI agents operating via CLI/automation */
+    readonly VIBE_AGENTS_USER: "vibe_agents_user";
+};
+/**
+ * Application-level roles (per-client)
+ * These roles are scoped to a specific client/tenant.
+ */
+export declare const AppRoles: {
+    /** Standard authenticated user */
+    readonly VIBE_APP_USER: "vibe_app_user";
+};
+/**
+ * All Vibe roles combined
+ */
+export declare const VibeRoles: {
+    /** Standard authenticated user */
+    readonly VIBE_APP_USER: "vibe_app_user";
+    /** Platform super admin - full access to everything */
+    readonly PAYEZ_ADMIN: "payez_admin";
+    /** IDP client admin - manages IDP client configuration */
+    readonly IDP_CLIENT_ADMIN: "idp_client_admin";
+    /** Vibe platform admin - manages Vibe infrastructure globally */
+    readonly VIBE_APP_ADMIN: "vibe_app_admin";
+    /** Vibe client admin - manages Vibe for a specific tenant */
+    readonly VIBE_CLIENT_ADMIN: "vibe_client_admin";
+    /** Vibe agents user - AI agents operating via CLI/automation */
+    readonly VIBE_AGENTS_USER: "vibe_agents_user";
+};
+/**
+ * Roles that grant admin access to the /admin section.
+ * Any of these roles allows access to admin pages.
+ */
+export declare const ADMIN_ROLES: readonly string[];
+/**
+ * Roles that grant platform-wide admin access (not client-scoped).
+ * These can access/modify any client's data.
+ */
+export declare const PLATFORM_ADMIN_ROLES: readonly string[];
+/**
+ * Roles that grant client-scoped admin access.
+ * These can only access their own client's data.
+ */
+export declare const CLIENT_ADMIN_ROLES: readonly string[];
+/**
+ * Check if user has a specific role
+ */
+export declare function hasRole(userRoles: string[] | undefined, role: string): boolean;
+/**
+ * Check if user has any of the specified roles
+ */
+export declare function hasAnyRole(userRoles: string[] | undefined, roles: readonly string[]): boolean;
+/**
+ * Check if user has all of the specified roles
+ */
+export declare function hasAllRoles(userRoles: string[] | undefined, roles: readonly string[]): boolean;
+/**
+ * Check if user has admin access (any admin role)
+ */
+export declare function isAdmin(userRoles: string[] | undefined): boolean;
+/**
+ * Check if user has platform-wide admin access
+ */
+export declare function isPlatformAdmin(userRoles: string[] | undefined): boolean;
+/**
+ * Check if user is a client-scoped admin (not platform admin)
+ */
+export declare function isClientAdmin(userRoles: string[] | undefined): boolean;
+/**
+ * Role hierarchy (higher index = more access)
+ *
+ * payez_admin (4) - IDP super admin, can do anything
+ * vibe_app_admin (3) - Platform admin, manages Vibe globally
+ * vibe_client_admin (2) - Client admin, manages their own tenant
+ * idp_client_admin (2) - IDP client admin, manages IDP config
+ * vibe_app_user (1) - Regular authenticated user
+ * (anonymous) (0) - No authentication
+ */
+export declare const ROLE_HIERARCHY: Record<string, number>;
+/**
+ * Get the highest role level for a user
+ */
+export declare function getHighestRoleLevel(userRoles: string[] | undefined): number;
+declare const _default: {
+    VibeRoles: {
+        /** Standard authenticated user */
+        readonly VIBE_APP_USER: "vibe_app_user";
+        /** Platform super admin - full access to everything */
+        readonly PAYEZ_ADMIN: "payez_admin";
+        /** IDP client admin - manages IDP client configuration */
+        readonly IDP_CLIENT_ADMIN: "idp_client_admin";
+        /** Vibe platform admin - manages Vibe infrastructure globally */
+        readonly VIBE_APP_ADMIN: "vibe_app_admin";
+        /** Vibe client admin - manages Vibe for a specific tenant */
+        readonly VIBE_CLIENT_ADMIN: "vibe_client_admin";
+        /** Vibe agents user - AI agents operating via CLI/automation */
+        readonly VIBE_AGENTS_USER: "vibe_agents_user";
+    };
+    GlobalRoles: {
+        /** Platform super admin - full access to everything */
+        readonly PAYEZ_ADMIN: "payez_admin";
+        /** IDP client admin - manages IDP client configuration */
+        readonly IDP_CLIENT_ADMIN: "idp_client_admin";
+        /** Vibe platform admin - manages Vibe infrastructure globally */
+        readonly VIBE_APP_ADMIN: "vibe_app_admin";
+        /** Vibe client admin - manages Vibe for a specific tenant */
+        readonly VIBE_CLIENT_ADMIN: "vibe_client_admin";
+        /** Vibe agents user - AI agents operating via CLI/automation */
+        readonly VIBE_AGENTS_USER: "vibe_agents_user";
+    };
+    AppRoles: {
+        /** Standard authenticated user */
+        readonly VIBE_APP_USER: "vibe_app_user";
+    };
+    ADMIN_ROLES: readonly string[];
+    PLATFORM_ADMIN_ROLES: readonly string[];
+    CLIENT_ADMIN_ROLES: readonly string[];
+    hasRole: typeof hasRole;
+    hasAnyRole: typeof hasAnyRole;
+    hasAllRoles: typeof hasAllRoles;
+    isAdmin: typeof isAdmin;
+    isPlatformAdmin: typeof isPlatformAdmin;
+    isClientAdmin: typeof isClientAdmin;
+    getHighestRoleLevel: typeof getHighestRoleLevel;
+};
+export default _default;