@pureq/auth 0.2.0

package/dist/core/kit.js

@@ -0,0 +1,145 @@
+import { createReactAuthHooks, createAuthSessionStore, createVueAuthSessionComposable } from "../hooks";
+import { createAuth } from "./index";
+function mergeSessionStoreOptions(base, next) {
+    return {
+        ...(base ?? {}),
+        ...(next ?? {}),
+    };
+}
+function getSecurityPreset(mode) {
+    if (mode === "browser-spa") {
+        return {
+            bridge: {
+                secure: true,
+                httpOnly: false,
+                sameSite: "lax",
+            },
+            session: {
+                rotationPolicy: "preserve-refresh-token",
+                minRefreshIntervalMs: 5000,
+            },
+        };
+    }
+    if (mode === "edge") {
+        return {
+            bridge: {
+                secure: true,
+                httpOnly: true,
+                sameSite: "lax",
+            },
+            session: {
+                rotationPolicy: "require-refresh-token",
+                minRefreshIntervalMs: 8000,
+            },
+        };
+    }
+    return {
+        bridge: {
+            secure: true,
+            httpOnly: true,
+            sameSite: "lax",
+        },
+        session: {
+            rotationPolicy: "require-refresh-token",
+            minRefreshIntervalMs: 10000,
+        },
+    };
+}
+function reportPolicyOverride(onPolicyOverride, event) {
+    if (!onPolicyOverride) {
+        return;
+    }
+    void onPolicyOverride(event);
+}
+/**
+ * AuthKit alpha: one entrypoint that wires core auth and framework session integrations.
+ */
+export function createAuthKit(config = {}) {
+    const defaultSessionStore = config.sessionStore;
+    const mode = config.security?.mode ?? "ssr-bff";
+    const preset = getSecurityPreset(mode);
+    const bridge = {
+        ...(config.bridge ?? {}),
+        ...(config.bridge?.secure === undefined ? { secure: preset.bridge.secure } : {}),
+        ...(config.bridge?.httpOnly === undefined ? { httpOnly: preset.bridge.httpOnly } : {}),
+        ...(config.bridge?.sameSite === undefined ? { sameSite: preset.bridge.sameSite } : {}),
+    };
+    const session = {
+        ...(config.session ?? {}),
+        ...(config.session?.rotationPolicy === undefined ? { rotationPolicy: preset.session.rotationPolicy } : {}),
+        ...(config.session?.minRefreshIntervalMs === undefined
+            ? { minRefreshIntervalMs: preset.session.minRefreshIntervalMs }
+            : {}),
+    };
+    if (config.bridge?.secure !== undefined && config.bridge.secure !== preset.bridge.secure) {
+        reportPolicyOverride(config.security?.onPolicyOverride, {
+            key: "bridge.secure",
+            mode,
+            recommended: preset.bridge.secure,
+            actual: config.bridge.secure,
+        });
+    }
+    if (config.bridge?.httpOnly !== undefined && config.bridge.httpOnly !== preset.bridge.httpOnly) {
+        reportPolicyOverride(config.security?.onPolicyOverride, {
+            key: "bridge.httpOnly",
+            mode,
+            recommended: preset.bridge.httpOnly,
+            actual: config.bridge.httpOnly,
+        });
+    }
+    if (config.bridge?.sameSite !== undefined && config.bridge.sameSite !== preset.bridge.sameSite) {
+        reportPolicyOverride(config.security?.onPolicyOverride, {
+            key: "bridge.sameSite",
+            mode,
+            recommended: preset.bridge.sameSite,
+            actual: config.bridge.sameSite,
+        });
+    }
+    if (config.session?.rotationPolicy !== undefined && config.session.rotationPolicy !== preset.session.rotationPolicy) {
+        reportPolicyOverride(config.security?.onPolicyOverride, {
+            key: "session.rotationPolicy",
+            mode,
+            recommended: preset.session.rotationPolicy,
+            actual: config.session.rotationPolicy,
+        });
+    }
+    if (config.session?.minRefreshIntervalMs !== undefined &&
+        config.session.minRefreshIntervalMs !== preset.session.minRefreshIntervalMs) {
+        reportPolicyOverride(config.security?.onPolicyOverride, {
+            key: "session.minRefreshIntervalMs",
+            mode,
+            recommended: preset.session.minRefreshIntervalMs,
+            actual: config.session.minRefreshIntervalMs,
+        });
+    }
+    const auth = createAuth({
+        ...(config.providers !== undefined ? { providers: config.providers } : {}),
+        ...(config.adapter !== undefined ? { adapter: config.adapter } : {}),
+        ...(config.callbacks !== undefined ? { callbacks: config.callbacks } : {}),
+        ...(config.secret !== undefined ? { secret: config.secret } : {}),
+        session,
+        ...(config.storage !== undefined ? { storage: config.storage } : {}),
+        bridge,
+        ...(config.debug !== undefined ? { debug: config.debug } : {}),
+        ...(config.allowDangerousAccountLinking !== undefined
+            ? { allowDangerousAccountLinking: config.allowDangerousAccountLinking }
+            : {}),
+    });
+    const createSessionStore = (options) => {
+        return createAuthSessionStore(auth.session, mergeSessionStoreOptions(defaultSessionStore, options));
+    };
+    return {
+        auth,
+        handlers: auth.handlers,
+        createSessionStore,
+        createReactHooks(useSyncExternalStore, options) {
+            const sessionStore = createSessionStore(options);
+            return createReactAuthHooks(sessionStore, useSyncExternalStore);
+        },
+        createVueSessionComposable(runtime, options) {
+            const sessionStore = createSessionStore(options);
+            return createVueAuthSessionComposable(sessionStore, runtime);
+        },
+    };
+}
+//# sourceMappingURL=kit.js.map

package/dist/core/kit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"kit.js","sourceRoot":"","sources":["../../src/core/kit.ts"],"names":[],"mappings":"AAWA,OAAO,EAAE,oBAAoB,EAAE,sBAAsB,EAAE,8BAA8B,EAAE,MAAM,UAAU,CAAC;AACxG,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAErC,SAAS,wBAAwB,CAC/B,IAAyC,EACzC,IAAyC;IAEzC,OAAO;QACL,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC;QACf,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC;KAChB,CAAC;AACJ,CAAC;AAcD,SAAS,iBAAiB,CAAC,IAAwB;IACjD,IAAI,IAAI,KAAK,aAAa,EAAE,CAAC;QAC3B,OAAO;YACL,MAAM,EAAE;gBACN,MAAM,EAAE,IAAI;gBACZ,QAAQ,EAAE,KAAK;gBACf,QAAQ,EAAE,KAAK;aAChB;YACD,OAAO,EAAE;gBACP,cAAc,EAAE,wBAAwB;gBACxC,oBAAoB,EAAE,IAAK;aAC5B;SACF,CAAC;IACJ,CAAC;IAED,IAAI,IAAI,KAAK,MAAM,EAAE,CAAC;QACpB,OAAO;YACL,MAAM,EAAE;gBACN,MAAM,EAAE,IAAI;gBACZ,QAAQ,EAAE,IAAI;gBACd,QAAQ,EAAE,KAAK;aAChB;YACD,OAAO,EAAE;gBACP,cAAc,EAAE,uBAAuB;gBACvC,oBAAoB,EAAE,IAAK;aAC5B;SACF,CAAC;IACJ,CAAC;IAED,OAAO;QACL,MAAM,EAAE;YACN,MAAM,EAAE,IAAI;YACZ,QAAQ,EAAE,IAAI;YACd,QAAQ,EAAE,KAAK;SAChB;QACD,OAAO,EAAE;YACP,cAAc,EAAE,uBAAuB;YACvC,oBAAoB,EAAE,KAAM;SAC7B;KACF,CAAC;AACJ,CAAC;AAED,SAAS,oBAAoB,CAC3B,gBAA2F,EAC3F,KAAiC;IAEjC,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACtB,OAAO;IACT,CAAC;IACD,KAAK,gBAAgB,CAAC,KAAK,CAAC,CAAC;AAC/B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,SAAwB,EAAE;IACtD,MAAM,mBAAmB,GAAG,MAAM,CAAC,YAAY,CAAC;IAChD,MAAM,IAAI,GAAG,MAAM,CAAC,QAAQ,EAAE,IAAI,IAAI,SAAS,CAAC;IAChD,MAAM,MAAM,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC;IAEvC,MAAM,MAAM,GAAG;QACb,GAAG,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC;QACxB,GAAG,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAChF,GAAG,CAAC,MAAM,CAAC,MAAM,EAAE,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,MAAM,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACtF,GAAG,CAAC,MAAM,CAAC,MAAM,EAAE,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,MAAM,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACvF,CAAC;IAEF,MAAM,OAAO,GAAG;QACd,GAAG,CAAC,MAAM,CAAC,OAAO,IAAI,EAAE,CAAC;QACzB,GAAG,CAAC,MAAM,CAAC,OAAO,EAAE,cAAc,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,cAAc,EAAE,MAAM,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC1G,GAAG,CAAC,MAAM,CAAC,OAAO,EAAE,oBAAoB,KAAK,SAAS;YACpD,CAAC,CAAC,EAAE,oBAAoB,EAAE,MAAM,CAAC,OAAO,CAAC,oBAAoB,EAAE;YAC/D,CAAC,CAAC,EAAE,CAAC;KACR,CAAC;IAEF,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,KAAK,SAAS,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,KAAK,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QACzF,oBAAoB,CAAC,MAAM,CAAC,QAAQ,EAAE,gBAAgB,EAAE;YACtD,GAAG,EAAE,eAAe;YACpB,IAAI;YACJ,WAAW,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM;YACjC,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM;SAC7B,CAAC,CAAC;IACL,CAAC;IACD,IAAI,MAAM,CAAC,MAAM,EAAE,QAAQ,KAAK,SAAS,IAAI,MAAM,CAAC,MAAM,CAAC,QAAQ,KAAK,MAAM,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;QAC/F,oBAAoB,CAAC,MAAM,CAAC,QAAQ,EAAE,gBAAgB,EAAE;YACtD,GAAG,EAAE,iBAAiB;YACtB,IAAI;YACJ,WAAW,EAAE,MAAM,CAAC,MAAM,CAAC,QAAQ;YACnC,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,QAAQ;SAC/B,CAAC,CAAC;IACL,CAAC;IACD,IAAI,MAAM,CAAC,MAAM,EAAE,QAAQ,KAAK,SAAS,IAAI,MAAM,CAAC,MAAM,CAAC,QAAQ,KAAK,MAAM,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;QAC/F,oBAAoB,CAAC,MAAM,CAAC,QAAQ,EAAE,gBAAgB,EAAE;YACtD,GAAG,EAAE,iBAAiB;YACtB,IAAI;YACJ,WAAW,EAAE,MAAM,CAAC,MAAM,CAAC,QAAQ;YACnC,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,QAAQ;SAC/B,CAAC,CAAC;IACL,CAAC;IACD,IAAI,MAAM,CAAC,OAAO,EAAE,cAAc,KAAK,SAAS,IAAI,MAAM,CAAC,OAAO,CAAC,cAAc,KAAK,MAAM,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC;QACpH,oBAAoB,CAAC,MAAM,CAAC,QAAQ,EAAE,gBAAgB,EAAE;YACtD,GAAG,EAAE,wBAAwB;YAC7B,IAAI;YACJ,WAAW,EAAE,MAAM,CAAC,OAAO,CAAC,cAAc;YAC1C,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC,cAAc;SACtC,CAAC,CAAC;IACL,CAAC;IACD,IACE,MAAM,CAAC,OAAO,EAAE,oBAAoB,KAAK,SAAS;QAClD,MAAM,CAAC,OAAO,CAAC,oBAAoB,KAAK,MAAM,CAAC,OAAO,CAAC,oBAAoB,EAC3E,CAAC;QACD,oBAAoB,CAAC,MAAM,CAAC,QAAQ,EAAE,gBAAgB,EAAE;YACtD,GAAG,EAAE,8BAA8B;YACnC,IAAI;YACJ,WAAW,EAAE,MAAM,CAAC,OAAO,CAAC,oBAAoB;YAChD,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC,oBAAoB;SAC5C,CAAC,CAAC;IACL,CAAC;IAED,MAAM,IAAI,GAAG,UAAU,CAAC;QACtB,GAAG,CAAC,MAAM,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC1E,GAAG,CAAC,MAAM,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACpE,GAAG,CAAC,MAAM,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC1E,GAAG,CAAC,MAAM,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACjE,OAAO;QACP,GAAG,CAAC,MAAM,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACpE,MAAM;QACN,GAAG,CAAC,MAAM,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC9D,GAAG,CAAC,MAAM,CAAC,4BAA4B,KAAK,SAAS;YACnD,CAAC,CAAC,EAAE,4BAA4B,EAAE,MAAM,CAAC,4BAA4B,EAAE;YACvE,CAAC,CAAC,EAAE,CAAC;KACR,CAAC,CAAC;IAEH,MAAM,kBAAkB,GAAG,CAAC,OAAiC,EAAoB,EAAE;QACjF,OAAO,sBAAsB,CAAC,IAAI,CAAC,OAAO,EAAE,wBAAwB,CAAC,mBAAmB,EAAE,OAAO,CAAC,CAAC,CAAC;IACtG,CAAC,CAAC;IAEF,OAAO;QACL,IAAI;QACJ,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,kBAAkB;QAClB,gBAAgB,CAAC,oBAA+C,EAAE,OAAiC;YACjG,MAAM,YAAY,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;YACjD,OAAO,oBAAoB,CAAC,YAAY,EAAE,oBAAoB,CAAC,CAAC;QAClE,CAAC;QACD,0BAA0B,CAAC,OAA2B,EAAE,OAAiC;YACvF,MAAM,YAAY,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;YACjD,OAAO,8BAA8B,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;QAC/D,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/core/starter.d.ts

@@ -0,0 +1,28 @@
+import type { AuthFrameworkContext, AuthFrameworkContextOptions, AuthKit, AuthKitConfig, AuthRequestAdapter, AuthRouteHandlerRecipe, AuthServerActionRecipe, AuthSessionStore, AuthSessionStoreOptions, ReactAuthHooks, ReactUseSyncExternalStore, VueAuthSessionComposable, VueRuntimeBindings } from "../shared";
+import type { AdapterReadinessReport } from "../adapter";
+export interface AuthStarterConfig extends AuthKitConfig, AuthFrameworkContextOptions {
+    readonly sessionStore?: AuthSessionStoreOptions;
+    readonly adapterReadiness?: {
+        readonly deployment?: "development" | "production";
+        readonly requireEmailProviderSupport?: boolean;
+        readonly failOnNeedsAttention?: boolean;
+        readonly onReport?: (report: AdapterReadinessReport) => void;
+    };
+}
+export interface AuthStarter {
+    readonly kit: AuthKit;
+    readonly request: AuthRequestAdapter;
+    readonly context: AuthFrameworkContext;
+    readonly route: AuthRouteHandlerRecipe;
+    readonly action: AuthServerActionRecipe;
+    readonly adapterReadiness?: AdapterReadinessReport;
+    createSessionStore(options?: AuthSessionStoreOptions): AuthSessionStore;
+    createReactHooks(useSyncExternalStore: ReactUseSyncExternalStore, options?: AuthSessionStoreOptions): ReactAuthHooks;
+    createVueSessionComposable(runtime: VueRuntimeBindings, options?: AuthSessionStoreOptions): () => VueAuthSessionComposable;
+}
+/**
+ * Convenience starter for the smallest supported end-to-end auth setup.
+ * It keeps the golden path in one place without hiding the lower-level primitives.
+ */
+export declare function createAuthStarter(config?: AuthStarterConfig): Promise<AuthStarter>;
+//# sourceMappingURL=starter.d.ts.map

package/dist/core/starter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"starter.d.ts","sourceRoot":"","sources":["../../src/core/starter.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,oBAAoB,EACpB,2BAA2B,EAC3B,OAAO,EACP,aAAa,EACb,kBAAkB,EAClB,sBAAsB,EACtB,sBAAsB,EACtB,gBAAgB,EAChB,uBAAuB,EACvB,cAAc,EACd,yBAAyB,EACzB,wBAAwB,EACxB,kBAAkB,EACnB,MAAM,WAAW,CAAC;AAEnB,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,YAAY,CAAC;AAkBzD,MAAM,WAAW,iBAAkB,SAAQ,aAAa,EAAE,2BAA2B;IACnF,QAAQ,CAAC,YAAY,CAAC,EAAE,uBAAuB,CAAC;IAChD,QAAQ,CAAC,gBAAgB,CAAC,EAAE;QAC1B,QAAQ,CAAC,UAAU,CAAC,EAAE,aAAa,GAAG,YAAY,CAAC;QACnD,QAAQ,CAAC,2BAA2B,CAAC,EAAE,OAAO,CAAC;QAC/C,QAAQ,CAAC,oBAAoB,CAAC,EAAE,OAAO,CAAC;QACxC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,sBAAsB,KAAK,IAAI,CAAC;KAC9D,CAAC;CACH;AAED,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,GAAG,EAAE,OAAO,CAAC;IACtB,QAAQ,CAAC,OAAO,EAAE,kBAAkB,CAAC;IACrC,QAAQ,CAAC,OAAO,EAAE,oBAAoB,CAAC;IACvC,QAAQ,CAAC,KAAK,EAAE,sBAAsB,CAAC;IACvC,QAAQ,CAAC,MAAM,EAAE,sBAAsB,CAAC;IACxC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,sBAAsB,CAAC;IACnD,kBAAkB,CAAC,OAAO,CAAC,EAAE,uBAAuB,GAAG,gBAAgB,CAAC;IACxE,gBAAgB,CAAC,oBAAoB,EAAE,yBAAyB,EAAE,OAAO,CAAC,EAAE,uBAAuB,GAAG,cAAc,CAAC;IACrH,0BAA0B,CAAC,OAAO,EAAE,kBAAkB,EAAE,OAAO,CAAC,EAAE,uBAAuB,GAAG,MAAM,wBAAwB,CAAC;CAC5H;AAED;;;GAGG;AACH,wBAAsB,iBAAiB,CAAC,MAAM,GAAE,iBAAsB,GAAG,OAAO,CAAC,WAAW,CAAC,CA6D5F"}

package/dist/core/starter.js

@@ -0,0 +1,67 @@
+import { assessAdapterReadiness } from "../adapter";
+import { createAuthRequestAdapter } from "../adapters";
+import { createAuthFrameworkContext } from "../framework";
+import { createAuthRouteHandlerRecipe, createAuthServerActionRecipe } from "../framework/recipes";
+import { createAuthError } from "../shared";
+import { authMemoryStore } from "../storage";
+import { createAuthKit } from "./kit";
+function mergeSessionStoreOptions(base, next) {
+    return {
+        ...(base ?? {}),
+        ...(next ?? {}),
+    };
+}
+/**
+ * Convenience starter for the smallest supported end-to-end auth setup.
+ * It keeps the golden path in one place without hiding the lower-level primitives.
+ */
+export async function createAuthStarter(config = {}) {
+    const sharedStorage = config.storage ?? authMemoryStore();
+    const starterConfig = {
+        ...config,
+        storage: sharedStorage,
+    };
+    const kit = createAuthKit(starterConfig);
+    const request = createAuthRequestAdapter(starterConfig);
+    const context = await createAuthFrameworkContext(starterConfig);
+    const route = createAuthRouteHandlerRecipe(context);
+    const action = createAuthServerActionRecipe(context);
+    const defaultSessionStore = config.sessionStore;
+    let adapterReadiness;
+    if (starterConfig.adapter) {
+        adapterReadiness = assessAdapterReadiness(starterConfig.adapter, {
+            ...(starterConfig.adapterReadiness?.deployment !== undefined
+                ? { deployment: starterConfig.adapterReadiness.deployment }
+                : {}),
+            ...(starterConfig.adapterReadiness?.requireEmailProviderSupport !== undefined
+                ? { requireEmailProviderSupport: starterConfig.adapterReadiness.requireEmailProviderSupport }
+                : {}),
+        });
+        starterConfig.adapterReadiness?.onReport?.(adapterReadiness);
+        if (adapterReadiness.status === "blocked") {
+            throw createAuthError("PUREQ_ADAPTER_NOT_READY", `pureq: adapter is blocked for starter (${adapterReadiness.blockers.join("; ")})`);
+        }
+        if (adapterReadiness.status === "needs-attention" && starterConfig.adapterReadiness?.failOnNeedsAttention) {
+            throw createAuthError("PUREQ_ADAPTER_NEEDS_ATTENTION", `pureq: adapter needs attention for starter (${adapterReadiness.warnings.join("; ")})`);
+        }
+    }
+    const createSessionStore = (options) => {
+        return kit.createSessionStore(mergeSessionStoreOptions(defaultSessionStore, options));
+    };
+    return {
+        kit,
+        request,
+        context,
+        route,
+        action,
+        ...(adapterReadiness !== undefined ? { adapterReadiness } : {}),
+        createSessionStore,
+        createReactHooks(useSyncExternalStore, options) {
+            return kit.createReactHooks(useSyncExternalStore, mergeSessionStoreOptions(defaultSessionStore, options));
+        },
+        createVueSessionComposable(runtime, options) {
+            return kit.createVueSessionComposable(runtime, mergeSessionStoreOptions(defaultSessionStore, options));
+        },
+    };
+}
+//# sourceMappingURL=starter.js.map

package/dist/core/starter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"starter.js","sourceRoot":"","sources":["../../src/core/starter.ts"],"names":[],"mappings":"AAeA,OAAO,EAAE,sBAAsB,EAAE,MAAM,YAAY,CAAC;AAEpD,OAAO,EAAE,wBAAwB,EAAE,MAAM,aAAa,CAAC;AACvD,OAAO,EAAE,0BAA0B,EAAE,MAAM,cAAc,CAAC;AAC1D,OAAO,EAAE,4BAA4B,EAAE,4BAA4B,EAAE,MAAM,sBAAsB,CAAC;AAClG,OAAO,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAC5C,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAAE,aAAa,EAAE,MAAM,OAAO,CAAC;AAEtC,SAAS,wBAAwB,CAC/B,IAAyC,EACzC,IAAyC;IAEzC,OAAO;QACL,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC;QACf,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC;KAChB,CAAC;AACJ,CAAC;AAwBD;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,SAA4B,EAAE;IACpE,MAAM,aAAa,GAAG,MAAM,CAAC,OAAO,IAAI,eAAe,EAAE,CAAC;IAC1D,MAAM,aAAa,GAAsB;QACvC,GAAG,MAAM;QACT,OAAO,EAAE,aAAa;KACvB,CAAC;IAEF,MAAM,GAAG,GAAG,aAAa,CAAC,aAAa,CAAC,CAAC;IACzC,MAAM,OAAO,GAAG,wBAAwB,CAAC,aAAa,CAAC,CAAC;IACxD,MAAM,OAAO,GAAG,MAAM,0BAA0B,CAAC,aAAa,CAAC,CAAC;IAChE,MAAM,KAAK,GAAG,4BAA4B,CAAC,OAAO,CAAC,CAAC;IACpD,MAAM,MAAM,GAAG,4BAA4B,CAAC,OAAO,CAAC,CAAC;IACrD,MAAM,mBAAmB,GAAG,MAAM,CAAC,YAAY,CAAC;IAChD,IAAI,gBAAoD,CAAC;IAEzD,IAAI,aAAa,CAAC,OAAO,EAAE,CAAC;QAC1B,gBAAgB,GAAG,sBAAsB,CAAC,aAAa,CAAC,OAAO,EAAE;YAC/D,GAAG,CAAC,aAAa,CAAC,gBAAgB,EAAE,UAAU,KAAK,SAAS;gBAC1D,CAAC,CAAC,EAAE,UAAU,EAAE,aAAa,CAAC,gBAAgB,CAAC,UAAU,EAAE;gBAC3D,CAAC,CAAC,EAAE,CAAC;YACP,GAAG,CAAC,aAAa,CAAC,gBAAgB,EAAE,2BAA2B,KAAK,SAAS;gBAC3E,CAAC,CAAC,EAAE,2BAA2B,EAAE,aAAa,CAAC,gBAAgB,CAAC,2BAA2B,EAAE;gBAC7F,CAAC,CAAC,EAAE,CAAC;SACR,CAAC,CAAC;QAEH,aAAa,CAAC,gBAAgB,EAAE,QAAQ,EAAE,CAAC,gBAAgB,CAAC,CAAC;QAE7D,IAAI,gBAAgB,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YAC1C,MAAM,eAAe,CACnB,yBAAyB,EACzB,0CAA0C,gBAAgB,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAClF,CAAC;QACJ,CAAC;QAED,IAAI,gBAAgB,CAAC,MAAM,KAAK,iBAAiB,IAAI,aAAa,CAAC,gBAAgB,EAAE,oBAAoB,EAAE,CAAC;YAC1G,MAAM,eAAe,CACnB,+BAA+B,EAC/B,+CAA+C,gBAAgB,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CACvF,CAAC;QACJ,CAAC;IACH,CAAC;IAED,MAAM,kBAAkB,GAAG,CAAC,OAAiC,EAAoB,EAAE;QACjF,OAAO,GAAG,CAAC,kBAAkB,CAAC,wBAAwB,CAAC,mBAAmB,EAAE,OAAO,CAAC,CAAC,CAAC;IACxF,CAAC,CAAC;IAEF,OAAO;QACL,GAAG;QACH,OAAO;QACP,OAAO;QACP,KAAK;QACL,MAAM;QACN,GAAG,CAAC,gBAAgB,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,gBAAgB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC/D,kBAAkB;QAClB,gBAAgB,CAAC,oBAA+C,EAAE,OAAiC;YACjG,OAAO,GAAG,CAAC,gBAAgB,CAAC,oBAAoB,EAAE,wBAAwB,CAAC,mBAAmB,EAAE,OAAO,CAAC,CAAC,CAAC;QAC5G,CAAC;QACD,0BAA0B,CAAC,OAA2B,EAAE,OAAiC;YACvF,OAAO,GAAG,CAAC,0BAA0B,CAAC,OAAO,EAAE,wBAAwB,CAAC,mBAAmB,EAAE,OAAO,CAAC,CAAC,CAAC;QACzG,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/csrf/index.d.ts

@@ -0,0 +1,7 @@
+import type { Middleware } from "@pureq/pureq";
+import type { AuthCsrfOptions, AuthCsrfProtection } from "../shared";
+/** Create a CSRF protection handler with HMAC-based safe comparison. */
+export declare function createAuthCsrfProtection(options: AuthCsrfOptions): AuthCsrfProtection;
+/** Shorthand: create CSRF middleware directly. */
+export declare function withCsrfProtection(options: AuthCsrfOptions): Middleware;
+//# sourceMappingURL=index.d.ts.map

package/dist/csrf/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/csrf/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAiB,MAAM,cAAc,CAAC;AAG9D,OAAO,KAAK,EAAE,eAAe,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAC;AA2ErE,wEAAwE;AACxE,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,eAAe,GAAG,kBAAkB,CAuErF;AAED,kDAAkD;AAClD,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,eAAe,GAAG,UAAU,CAEvE"}

package/dist/csrf/index.js

@@ -0,0 +1,126 @@
+import { markPolicyMiddleware } from "@pureq/pureq";
+import { generateSecureId } from "@pureq/pureq";
+import { createAuthError } from "../shared";
+const DEFAULT_SAFE_METHODS = ["GET", "HEAD", "OPTIONS"];
+const MAX_CSRF_TOKEN_LENGTH = 2048;
+function getHeader(headers, name) {
+    if (!headers) {
+        return null;
+    }
+    const normalized = name.toLowerCase();
+    for (const [key, value] of Object.entries(headers)) {
+        if (key.toLowerCase() === normalized) {
+            return typeof value === "string" ? value : null;
+        }
+    }
+    return null;
+}
+function toUrl(url) {
+    try {
+        return new URL(url);
+    }
+    catch {
+        return new URL(url, "http://localhost");
+    }
+}
+function getRequestToken(req, options) {
+    if (options.headerName) {
+        const headerValue = getHeader(req.headers, options.headerName);
+        if (headerValue) {
+            return headerValue;
+        }
+    }
+    if (options.queryParamName) {
+        const parsed = toUrl(req.url);
+        const queryValue = parsed.searchParams.get(options.queryParamName);
+        if (queryValue) {
+            return queryValue;
+        }
+    }
+    return null;
+}
+/**
+ * SEC-H8: HMAC-based constant-time token comparison.
+ * Instead of comparing tokens directly, we HMAC both with a random key
+ * and compare the digests. This defeats timing side-channels regardless of
+ * JIT optimization behavior.
+ */
+async function hmacTokenEquals(candidate, expected, hmacKey) {
+    const encoder = new TextEncoder();
+    const [candidateDigest, expectedDigest] = await Promise.all([
+        crypto.subtle.sign("HMAC", hmacKey, encoder.encode(candidate)),
+        crypto.subtle.sign("HMAC", hmacKey, encoder.encode(expected)),
+    ]);
+    const a = new Uint8Array(candidateDigest);
+    const b = new Uint8Array(expectedDigest);
+    if (a.length !== b.length) {
+        return false;
+    }
+    let diff = 0;
+    for (let i = 0; i < a.length; i++) {
+        diff |= a[i] ^ b[i];
+    }
+    return diff === 0;
+}
+/** Create a CSRF protection handler with HMAC-based safe comparison. */
+export function createAuthCsrfProtection(options) {
+    if (typeof options.expectedToken !== "function") {
+        throw new Error("pureq: CSRF protection requires an expectedToken provider");
+    }
+    const headerName = options.headerName ?? "x-csrf-token";
+    const queryParamName = options.queryParamName ?? "csrfToken";
+    const safeMethods = options.safeMethods ?? DEFAULT_SAFE_METHODS;
+    // Generate a per-instance HMAC key for constant-time comparison
+    const hmacKeyPromise = crypto.subtle.generateKey({ name: "HMAC", hash: "SHA-256" }, false, ["sign"]);
+    const issueToken = async () => {
+        const token = options.tokenFactory ? await options.tokenFactory() : generateSecureId("csrf");
+        if (!token.trim()) {
+            throw createAuthError("PUREQ_AUTH_CSRF_INVALID_TOKEN", "pureq: CSRF token factory returned an empty token");
+        }
+        return token;
+    };
+    const verify = async (req) => {
+        if (safeMethods.includes(req.method)) {
+            return true;
+        }
+        const expected = await options.expectedToken();
+        if (!expected) {
+            return false;
+        }
+        if (expected.length > MAX_CSRF_TOKEN_LENGTH) {
+            return false;
+        }
+        const candidate = getRequestToken(req, { headerName, queryParamName });
+        if (candidate === null || candidate.length > MAX_CSRF_TOKEN_LENGTH) {
+            return false;
+        }
+        const hmacKey = await hmacKeyPromise;
+        return hmacTokenEquals(candidate, expected, hmacKey);
+    };
+    const middleware = () => {
+        const policy = async (req, next) => {
+            const verified = await verify(req);
+            if (!verified) {
+                throw createAuthError("PUREQ_AUTH_CSRF_FAILED", "pureq: CSRF validation failed", {
+                    details: {
+                        method: req.method,
+                        headerName,
+                        queryParamName,
+                    },
+                });
+            }
+            return next(req);
+        };
+        return markPolicyMiddleware(policy, { name: "csrfProtection", kind: "auth" });
+    };
+    return {
+        issueToken,
+        verify,
+        middleware,
+    };
+}
+/** Shorthand: create CSRF middleware directly. */
+export function withCsrfProtection(options) {
+    return createAuthCsrfProtection(options).middleware();
+}
+//# sourceMappingURL=index.js.map

package/dist/csrf/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/csrf/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAC;AACpD,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAEhD,OAAO,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAE5C,MAAM,oBAAoB,GAAuC,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;AAC5F,MAAM,qBAAqB,GAAG,IAAI,CAAC;AAEnC,SAAS,SAAS,CAAC,OAAiC,EAAE,IAAY;IAChE,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,UAAU,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;IACtC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QACnD,IAAI,GAAG,CAAC,WAAW,EAAE,KAAK,UAAU,EAAE,CAAC;YACrC,OAAO,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC;QAClD,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,KAAK,CAAC,GAAW;IACxB,IAAI,CAAC;QACH,OAAO,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;IACtB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,GAAG,CAAC,GAAG,EAAE,kBAAkB,CAAC,CAAC;IAC1C,CAAC;AACH,CAAC;AAED,SAAS,eAAe,CAAC,GAA4B,EAAE,OAA+D;IACpH,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;QACvB,MAAM,WAAW,GAAG,SAAS,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;QAC/D,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,WAAW,CAAC;QACrB,CAAC;IACH,CAAC;IAED,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;QAC3B,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAC9B,MAAM,UAAU,GAAG,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;QACnE,IAAI,UAAU,EAAE,CAAC;YACf,OAAO,UAAU,CAAC;QACpB,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;GAKG;AACH,KAAK,UAAU,eAAe,CAAC,SAAiB,EAAE,QAAgB,EAAE,OAAkB;IACpF,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,CAAC,eAAe,EAAE,cAAc,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QAC1D,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAC9D,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;KAC9D,CAAC,CAAC;IAEH,MAAM,CAAC,GAAG,IAAI,UAAU,CAAC,eAAe,CAAC,CAAC;IAC1C,MAAM,CAAC,GAAG,IAAI,UAAU,CAAC,cAAc,CAAC,CAAC;IAEzC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM,EAAE,CAAC;QAC1B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAClC,IAAI,IAAI,CAAC,CAAC,CAAC,CAAE,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC;IACxB,CAAC;IACD,OAAO,IAAI,KAAK,CAAC,CAAC;AACpB,CAAC;AAED,wEAAwE;AACxE,MAAM,UAAU,wBAAwB,CAAC,OAAwB;IAC/D,IAAI,OAAO,OAAO,CAAC,aAAa,KAAK,UAAU,EAAE,CAAC;QAChD,MAAM,IAAI,KAAK,CAAC,2DAA2D,CAAC,CAAC;IAC/E,CAAC;IAED,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,cAAc,CAAC;IACxD,MAAM,cAAc,GAAG,OAAO,CAAC,cAAc,IAAI,WAAW,CAAC;IAC7D,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,oBAAoB,CAAC;IAEhE,gEAAgE;IAChE,MAAM,cAAc,GAAG,MAAM,CAAC,MAAM,CAAC,WAAW,CAC9C,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,EACjC,KAAK,EACL,CAAC,MAAM,CAAC,CACT,CAAC;IAEF,MAAM,UAAU,GAAG,KAAK,IAAqB,EAAE;QAC7C,MAAM,KAAK,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC,MAAM,OAAO,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC;QAC7F,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,EAAE,CAAC;YAClB,MAAM,eAAe,CAAC,+BAA+B,EAAE,mDAAmD,CAAC,CAAC;QAC9G,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;IAEF,MAAM,MAAM,GAAG,KAAK,EAAE,GAA4B,EAAoB,EAAE;QACtE,IAAI,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;YACrC,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,aAAa,EAAE,CAAC;QAC/C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,QAAQ,CAAC,MAAM,GAAG,qBAAqB,EAAE,CAAC;YAC5C,OAAO,KAAK,CAAC;QACf,CAAC;QAED,MAAM,SAAS,GAAG,eAAe,CAAC,GAAG,EAAE,EAAE,UAAU,EAAE,cAAc,EAAE,CAAC,CAAC;QACvE,IAAI,SAAS,KAAK,IAAI,IAAI,SAAS,CAAC,MAAM,GAAG,qBAAqB,EAAE,CAAC;YACnE,OAAO,KAAK,CAAC;QACf,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,cAAc,CAAC;QACrC,OAAO,eAAe,CAAC,SAAS,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;IACvD,CAAC,CAAC;IAEF,MAAM,UAAU,GAAG,GAAe,EAAE;QAClC,MAAM,MAAM,GAAe,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;YAC7C,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,GAAG,CAAC,CAAC;YACnC,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,MAAM,eAAe,CAAC,wBAAwB,EAAE,+BAA+B,EAAE;oBAC/E,OAAO,EAAE;wBACP,MAAM,EAAE,GAAG,CAAC,MAAM;wBAClB,UAAU;wBACV,cAAc;qBACf;iBACF,CAAC,CAAC;YACL,CAAC;YAED,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC;QACnB,CAAC,CAAC;QAEF,OAAO,oBAAoB,CAAC,MAAM,EAAE,EAAE,IAAI,EAAE,gBAAgB,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;IAChF,CAAC,CAAC;IAEF,OAAO;QACL,UAAU;QACV,MAAM;QACN,UAAU;KACX,CAAC;AACJ,CAAC;AAED,kDAAkD;AAClD,MAAM,UAAU,kBAAkB,CAAC,OAAwB;IACzD,OAAO,wBAAwB,CAAC,OAAO,CAAC,CAAC,UAAU,EAAE,CAAC;AACxD,CAAC"}

package/dist/debug/index.d.ts

@@ -0,0 +1,8 @@
+import type { AuthDebugLogger } from "../shared";
+/**
+ * FEAT-L1: Debug logger for auth operations.
+ * When enabled, logs all middleware, session, and OIDC operations.
+ */
+export declare function createAuthDebugLogger(enabled?: boolean, logger?: Pick<Console, "log" | "warn" | "error">): AuthDebugLogger;
+export type { AuthDebugLogger } from "../shared";
+//# sourceMappingURL=index.d.ts.map

package/dist/debug/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/debug/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAEjD;;;GAGG;AACH,wBAAgB,qBAAqB,CACnC,OAAO,UAAQ,EACf,MAAM,GAAE,IAAI,CAAC,OAAO,EAAE,KAAK,GAAG,MAAM,GAAG,OAAO,CAAW,GACxD,eAAe,CAcjB;AAED,YAAY,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC"}

package/dist/debug/index.js

@@ -0,0 +1,21 @@
+/**
+ * FEAT-L1: Debug logger for auth operations.
+ * When enabled, logs all middleware, session, and OIDC operations.
+ */
+export function createAuthDebugLogger(enabled = false, logger = console) {
+    return {
+        enabled,
+        log(category, message, data) {
+            if (!enabled) {
+                return;
+            }
+            if (data !== undefined) {
+                logger.log(`[pureq/auth/${category}]`, message, data);
+            }
+            else {
+                logger.log(`[pureq/auth/${category}]`, message);
+            }
+        },
+    };
+}
+//# sourceMappingURL=index.js.map

package/dist/debug/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/debug/index.ts"],"names":[],"mappings":"AAEA;;;GAGG;AACH,MAAM,UAAU,qBAAqB,CACnC,OAAO,GAAG,KAAK,EACf,SAAkD,OAAO;IAEzD,OAAO;QACL,OAAO;QACP,GAAG,CAAC,QAAgB,EAAE,OAAe,EAAE,IAAc;YACnD,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO;YACT,CAAC;YACD,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;gBACvB,MAAM,CAAC,GAAG,CAAC,eAAe,QAAQ,GAAG,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;YACxD,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,GAAG,CAAC,eAAe,QAAQ,GAAG,EAAE,OAAO,CAAC,CAAC;YAClD,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/encryption/index.d.ts

@@ -0,0 +1,8 @@
+import type { AuthEncryption } from "../shared";
+/**
+ * FEAT-H7: AES-256-GCM encryption using Web Crypto API.
+ * Zero dependencies. Works in browsers, Node.js, Cloudflare Workers, Deno.
+ */
+export declare function createAuthEncryption(secret: string): AuthEncryption;
+export type { AuthEncryption } from "../shared";
+//# sourceMappingURL=index.d.ts.map

package/dist/encryption/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/encryption/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAEhD;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,MAAM,GAAG,cAAc,CAqEnE;AAED,YAAY,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC"}

package/dist/encryption/index.js

@@ -0,0 +1,43 @@
+/**
+ * FEAT-H7: AES-256-GCM encryption using Web Crypto API.
+ * Zero dependencies. Works in browsers, Node.js, Cloudflare Workers, Deno.
+ */
+export function createAuthEncryption(secret) {
+    const encoder = new TextEncoder();
+    const decoder = new TextDecoder();
+    let cachedKey = null;
+    const deriveKey = async () => {
+        if (cachedKey) {
+            return cachedKey;
+        }
+        const keyMaterial = await crypto.subtle.importKey("raw", encoder.encode(secret), { name: "PBKDF2" }, false, ["deriveKey"]);
+        cachedKey = await crypto.subtle.deriveKey({
+            name: "PBKDF2",
+            salt: encoder.encode("pureq-auth-encryption-v1"),
+            iterations: 100000,
+            hash: "SHA-256",
+        }, keyMaterial, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
+        return cachedKey;
+    };
+    return {
+        async encrypt(payload) {
+            const key = await deriveKey();
+            const iv = crypto.getRandomValues(new Uint8Array(12));
+            const plaintext = encoder.encode(JSON.stringify(payload));
+            const ciphertext = await crypto.subtle.encrypt({ name: "AES-GCM", iv }, key, plaintext);
+            const combined = new Uint8Array(iv.length + new Uint8Array(ciphertext).length);
+            combined.set(iv);
+            combined.set(new Uint8Array(ciphertext), iv.length);
+            return btoa(String.fromCharCode(...combined));
+        },
+        async decrypt(token) {
+            const key = await deriveKey();
+            const combined = Uint8Array.from(atob(token), (c) => c.charCodeAt(0));
+            const iv = combined.slice(0, 12);
+            const ciphertext = combined.slice(12);
+            const plaintext = await crypto.subtle.decrypt({ name: "AES-GCM", iv }, key, ciphertext);
+            return JSON.parse(decoder.decode(plaintext));
+        },
+    };
+}
+//# sourceMappingURL=index.js.map

package/dist/encryption/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/encryption/index.ts"],"names":[],"mappings":"AAEA;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAAC,MAAc;IACjD,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAElC,IAAI,SAAS,GAAqB,IAAI,CAAC;IAEvC,MAAM,SAAS,GAAG,KAAK,IAAwB,EAAE;QAC/C,IAAI,SAAS,EAAE,CAAC;YACd,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAC/C,KAAK,EACL,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,EACtB,EAAE,IAAI,EAAE,QAAQ,EAAE,EAClB,KAAK,EACL,CAAC,WAAW,CAAC,CACd,CAAC;QAEF,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC;YACE,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,OAAO,CAAC,MAAM,CAAC,0BAA0B,CAAC;YAChD,UAAU,EAAE,MAAO;YACnB,IAAI,EAAE,SAAS;SAChB,EACD,WAAW,EACX,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,EAChC,KAAK,EACL,CAAC,SAAS,EAAE,SAAS,CAAC,CACvB,CAAC;QAEF,OAAO,SAAS,CAAC;IACnB,CAAC,CAAC;IAEF,OAAO;QACL,KAAK,CAAC,OAAO,CAAC,OAAgB;YAC5B,MAAM,GAAG,GAAG,MAAM,SAAS,EAAE,CAAC;YAC9B,MAAM,EAAE,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC;YACtD,MAAM,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC;YAE1D,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAC5C,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,EACvB,GAAG,EACH,SAAS,CACV,CAAC;YAEF,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,MAAM,GAAG,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC,MAAM,CAAC,CAAC;YAC/E,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YACjB,QAAQ,CAAC,GAAG,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC;YAEpD,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,GAAG,QAAQ,CAAC,CAAC,CAAC;QAChD,CAAC;QAED,KAAK,CAAC,OAAO,CAAc,KAAa;YACtC,MAAM,GAAG,GAAG,MAAM,SAAS,EAAE,CAAC;YAC9B,MAAM,QAAQ,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;YACtE,MAAM,EAAE,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACjC,MAAM,UAAU,GAAG,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YAEtC,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAC3C,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,EACvB,GAAG,EACH,UAAU,CACX,CAAC;YAEF,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAM,CAAC;QACpD,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/events/index.d.ts

@@ -0,0 +1,22 @@
+import type { AuthSessionEvent, AuthSessionEventListener } from "../shared";
+type AuthSessionTypedEvent<T extends AuthSessionEvent["type"]> = AuthSessionEvent & {
+    readonly type: T;
+};
+export interface AuthEventAdapterOptions {
+    readonly onEvent?: AuthSessionEventListener;
+    readonly onTokensUpdated?: (event: AuthSessionTypedEvent<"tokens-updated">) => void | Promise<void>;
+    readonly onTokensCleared?: (event: AuthSessionTypedEvent<"tokens-cleared">) => void | Promise<void>;
+    readonly onSessionRefreshed?: (event: AuthSessionTypedEvent<"session-refreshed">) => void | Promise<void>;
+    readonly onSessionRefreshFailed?: (event: AuthSessionTypedEvent<"session-refresh-failed">) => void | Promise<void>;
+    readonly onSessionLogout?: (event: AuthSessionTypedEvent<"session-logout">) => void | Promise<void>;
+    readonly onSessionRegenerated?: (event: AuthSessionTypedEvent<"session-regenerated">) => void | Promise<void>;
+    readonly onError?: (error: Error, event: AuthSessionEvent) => void | Promise<void>;
+}
+export interface AuthEventAdapter {
+    readonly listener: AuthSessionEventListener;
+    dispatch(event: AuthSessionEvent): Promise<void>;
+}
+export declare function createAuthEventAdapter(options?: AuthEventAdapterOptions): AuthEventAdapter;
+export declare function composeAuthEventListeners(...listeners: readonly AuthSessionEventListener[]): AuthSessionEventListener;
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/events/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/events/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,wBAAwB,EAAE,MAAM,WAAW,CAAC;AAE5E,KAAK,qBAAqB,CAAC,CAAC,SAAS,gBAAgB,CAAC,MAAM,CAAC,IAAI,gBAAgB,GAAG;IAClF,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;CAClB,CAAC;AAEF,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,OAAO,CAAC,EAAE,wBAAwB,CAAC;IAC5C,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC,KAAK,EAAE,qBAAqB,CAAC,gBAAgB,CAAC,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACpG,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC,KAAK,EAAE,qBAAqB,CAAC,gBAAgB,CAAC,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACpG,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC,KAAK,EAAE,qBAAqB,CAAC,mBAAmB,CAAC,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1G,QAAQ,CAAC,sBAAsB,CAAC,EAAE,CAAC,KAAK,EAAE,qBAAqB,CAAC,wBAAwB,CAAC,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACnH,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC,KAAK,EAAE,qBAAqB,CAAC,gBAAgB,CAAC,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACpG,QAAQ,CAAC,oBAAoB,CAAC,EAAE,CAAC,KAAK,EAAE,qBAAqB,CAAC,qBAAqB,CAAC,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC9G,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,gBAAgB,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACpF;AAED,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,QAAQ,EAAE,wBAAwB,CAAC;IAC5C,QAAQ,CAAC,KAAK,EAAE,gBAAgB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAClD;AAwBD,wBAAgB,sBAAsB,CAAC,OAAO,GAAE,uBAA4B,GAAG,gBAAgB,CAsD9F;AAED,wBAAgB,yBAAyB,CAAC,GAAG,SAAS,EAAE,SAAS,wBAAwB,EAAE,GAAG,wBAAwB,CAMrH"}

package/dist/events/index.js

@@ -0,0 +1,53 @@
+async function runSafely(handler, event, onError) {
+    if (!handler) {
+        return;
+    }
+    try {
+        await handler(event);
+    }
+    catch (error) {
+        const normalized = error instanceof Error ? error : new Error(String(error));
+        if (onError) {
+            await onError(normalized, event);
+            return;
+        }
+        throw normalized;
+    }
+}
+export function createAuthEventAdapter(options = {}) {
+    const dispatch = async (event) => {
+        await options.onEvent?.(event);
+        switch (event.type) {
+            case "tokens-updated":
+                await runSafely(options.onTokensUpdated, event, options.onError);
+                break;
+            case "tokens-cleared":
+                await runSafely(options.onTokensCleared, event, options.onError);
+                break;
+            case "session-refreshed":
+                await runSafely(options.onSessionRefreshed, event, options.onError);
+                break;
+            case "session-refresh-failed":
+                await runSafely(options.onSessionRefreshFailed, event, options.onError);
+                break;
+            case "session-logout":
+                await runSafely(options.onSessionLogout, event, options.onError);
+                break;
+            case "session-regenerated":
+                await runSafely(options.onSessionRegenerated, event, options.onError);
+                break;
+        }
+    };
+    return {
+        listener: dispatch,
+        dispatch,
+    };
+}
+export function composeAuthEventListeners(...listeners) {
+    return async (event) => {
+        for (const listener of listeners) {
+            await listener(event);
+        }
+    };
+}
+//# sourceMappingURL=index.js.map

package/dist/events/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/events/index.ts"],"names":[],"mappings":"AAsBA,KAAK,UAAU,SAAS,CACtB,OAAgF,EAChF,KAA+B,EAC/B,OAAsF;IAEtF,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO;IACT,CAAC;IAED,IAAI,CAAC;QACH,MAAM,OAAO,CAAC,KAAK,CAAC,CAAC;IACvB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,UAAU,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;QAC7E,IAAI,OAAO,EAAE,CAAC;YACZ,MAAM,OAAO,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;YACjC,OAAO;QACT,CAAC;QAED,MAAM,UAAU,CAAC;IACnB,CAAC;AACH,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,UAAmC,EAAE;IAC1E,MAAM,QAAQ,GAAG,KAAK,EAAE,KAAuB,EAAiB,EAAE;QAChE,MAAM,OAAO,CAAC,OAAO,EAAE,CAAC,KAAK,CAAC,CAAC;QAE/B,QAAQ,KAAK,CAAC,IAAI,EAAE,CAAC;YACnB,KAAK,gBAAgB;gBACnB,MAAM,SAAS,CACb,OAAO,CAAC,eAAe,EACvB,KAAgD,EAChD,OAAO,CAAC,OAAO,CAChB,CAAC;gBACF,MAAM;YACR,KAAK,gBAAgB;gBACnB,MAAM,SAAS,CACb,OAAO,CAAC,eAAe,EACvB,KAAgD,EAChD,OAAO,CAAC,OAAO,CAChB,CAAC;gBACF,MAAM;YACR,KAAK,mBAAmB;gBACtB,MAAM,SAAS,CACb,OAAO,CAAC,kBAAkB,EAC1B,KAAmD,EACnD,OAAO,CAAC,OAAO,CAChB,CAAC;gBACF,MAAM;YACR,KAAK,wBAAwB;gBAC3B,MAAM,SAAS,CACb,OAAO,CAAC,sBAAsB,EAC9B,KAAwD,EACxD,OAAO,CAAC,OAAO,CAChB,CAAC;gBACF,MAAM;YACR,KAAK,gBAAgB;gBACnB,MAAM,SAAS,CACb,OAAO,CAAC,eAAe,EACvB,KAAgD,EAChD,OAAO,CAAC,OAAO,CAChB,CAAC;gBACF,MAAM;YACR,KAAK,qBAAqB;gBACxB,MAAM,SAAS,CACb,OAAO,CAAC,oBAAoB,EAC5B,KAAqD,EACrD,OAAO,CAAC,OAAO,CAChB,CAAC;gBACF,MAAM;QACV,CAAC;IACH,CAAC,CAAC;IAEF,OAAO;QACL,QAAQ,EAAE,QAAQ;QAClB,QAAQ;KACT,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,yBAAyB,CAAC,GAAG,SAA8C;IACzF,OAAO,KAAK,EAAE,KAAK,EAAE,EAAE;QACrB,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;YACjC,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC;QACxB,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}

package/dist/framework/index.d.ts

@@ -0,0 +1,10 @@
+import type { AuthFrameworkContext, AuthFrameworkContextOptions } from "../shared";
+export { createAuthRouteHandlerRecipe, createAuthServerActionRecipe, mapAuthErrorToHttp } from "./recipes";
+export { createExpressAuthKitPack, createFastifyAuthKitPack, createNextAuthKitPack, createReactAuthKitBootstrapPack, } from "./packs";
+/**
+ * Create a framework context that bootstraps auth from a request.
+ * ARCH-3: Catches bootstrap errors and falls back to empty session.
+ */
+export declare function createAuthFrameworkContext(options?: AuthFrameworkContextOptions): Promise<AuthFrameworkContext>;
+export type { AuthFrameworkContext, AuthFrameworkContextOptions } from "../shared";
+//# sourceMappingURL=index.d.ts.map

package/dist/framework/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/framework/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,oBAAoB,EACpB,2BAA2B,EAI5B,MAAM,WAAW,CAAC;AAEnB,OAAO,EAAE,4BAA4B,EAAE,4BAA4B,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAC;AAC3G,OAAO,EACL,wBAAwB,EACxB,wBAAwB,EACxB,qBAAqB,EACrB,+BAA+B,GAChC,MAAM,SAAS,CAAC;AAkBjB;;;GAGG;AACH,wBAAsB,0BAA0B,CAC9C,OAAO,GAAE,2BAAgC,GACxC,OAAO,CAAC,oBAAoB,CAAC,CAyD/B;AAED,YAAY,EAAE,oBAAoB,EAAE,2BAA2B,EAAE,MAAM,WAAW,CAAC"}