@react-vault/core 0.1.0

package/LICENSE

@@ -0,0 +1,12 @@
+Copyright (c) 2026 Rsense. All rights reserved.
+
+This software and associated documentation files (the "Software") are the
+proprietary property of Rsense and are licensed for internal use only by
+employees, contractors, and authorised partners of Rsense.
+
+No part of the Software may be redistributed, sublicensed, sold, or otherwise
+made available to third parties without prior written consent from Rsense.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.

package/README.md

@@ -0,0 +1,41 @@
+# @react-vault/core
+
+Framework-agnostic BFSI security primitives. The "core" package every BFSI React project depends on.
+
+```ts
+import { aesgcm } from '@react-vault/core/encryption';
+import { maskPan, isValidPan } from '@react-vault/core/pii';
+import { AuditClient, generateEventId } from '@react-vault/core/audit';
+import { createAxios, ApiError } from '@react-vault/core/http';
+import { TokenManager, IdleTimer, CrossTabSync } from '@react-vault/core/auth';
+import { put, get } from '@react-vault/core/storage';
+import { generateCspNonce, buildCsp, toSafeView } from '@react-vault/core/compliance';
+```
+
+## Modules
+
+- **`encryption`** — Web Crypto wrappers: AES-GCM 256, RSA-OAEP, PBKDF2, envelope encryption
+- **`pii`** — Maskers (PAN, Aadhaar, account#, mobile, email, name, address, DOB) + validators (Verhoeff for Aadhaar) + regex patterns
+- **`audit`** — Batched audit log client with PII scrubber, page-unload beacon, sessionStorage retry
+- **`http`** — Configurable axios factory with composable interceptors (auth header, snake↔camel, idempotency key, error mapping)
+- **`auth`** — `TokenManager` with refresh race protection, `IdleTimer`, `CrossTabSync` (BroadcastChannel)
+- **`storage`** — Tiered: transient (memory), session (sessionStorage), persistent (encrypted IndexedDB — v0.2)
+- **`compliance`** — CSP nonce + builder, safe-error envelope mapping `ApiError` → user-facing view
+
+## Conventions
+
+- **No React dependency.** This is the core. UI lives in `@react-vault/ui`.
+- **All public APIs are typed.** No `any`.
+- **Errors are typed (`ApiError`).** App code matches on `kind`, not strings.
+- **PII never logged.** All logging paths route through the scrubber.
+- **Tokens never in localStorage.** `TokenManager` keeps them in memory.
+
+## Run
+
+```bash
+pnpm test            # vitest run
+pnpm test:watch      # vitest watch
+pnpm typecheck       # tsc --noEmit
+pnpm build           # tsc → dist/
+pnpm lint            # eslint
+```

package/dist/audit/auditClient.d.ts

@@ -0,0 +1,40 @@
+/**
+ * Audit client. Buffers events and POSTs them in batches.
+ *
+ * Survival rules:
+ *   - On failure, retry once with exponential backoff
+ *   - On second failure, store in sessionStorage and retry next flush
+ *   - On page unload, flush via sendBeacon (best-effort)
+ */
+import type { AuditEvent, AuditClientConfig } from './types.js';
+export declare class AuditClient {
+    private readonly config;
+    private queue;
+    private timer;
+    private inflight;
+    constructor(config: AuditClientConfig);
+    /**
+     * Record an event. Scrubs metadata for PII before queueing.
+     */
+    record(event: AuditEvent): void;
+    /**
+     * Force-flush the queue. Returns when done.
+     */
+    flush(): Promise<void>;
+    private scheduleFlush;
+    private clearTimer;
+    private send;
+    private flushBeacon;
+    private persistToStorage;
+    private restoreFromStorage;
+}
+/**
+ * Generate a UUID v4. Used for event_id.
+ */
+export declare function generateEventId(): string;
+/**
+ * Convenience: generate a short error reference code shown to users in toasts.
+ * E.g. `ERR-A7K2`. Use to correlate UI error to full log entry.
+ */
+export declare function generateErrorRef(): string;
+//# sourceMappingURL=auditClient.d.ts.map

package/dist/audit/auditClient.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auditClient.d.ts","sourceRoot":"","sources":["../../src/audit/auditClient.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,OAAO,KAAK,EAAE,UAAU,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAOhE,qBAAa,WAAW;IAKV,OAAO,CAAC,QAAQ,CAAC,MAAM;IAJnC,OAAO,CAAC,KAAK,CAAoB;IACjC,OAAO,CAAC,KAAK,CAA8C;IAC3D,OAAO,CAAC,QAAQ,CAAS;gBAEI,MAAM,EAAE,iBAAiB;IAQtD;;OAEG;IACH,MAAM,CAAC,KAAK,EAAE,UAAU,GAAG,IAAI;IAoB/B;;OAEG;IACG,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAsB5B,OAAO,CAAC,aAAa;IASrB,OAAO,CAAC,UAAU;YAOJ,IAAI;IAalB,OAAO,CAAC,WAAW;IAgBnB,OAAO,CAAC,gBAAgB;IAaxB,OAAO,CAAC,kBAAkB;CAe3B;AAED;;GAEG;AACH,wBAAgB,eAAe,IAAI,MAAM,CAexC;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,MAAM,CAWzC"}

package/dist/audit/auditClient.js

@@ -0,0 +1,180 @@
+import { scrub } from './scrubber.js';
+const DEFAULT_BATCH_SIZE = 20;
+const DEFAULT_FLUSH_MS = 5_000;
+const STORAGE_KEY = '__bfsi_audit_pending__';
+export class AuditClient {
+    config;
+    queue = [];
+    timer = null;
+    inflight = false;
+    constructor(config) {
+        this.config = config;
+        this.restoreFromStorage();
+        if (typeof window !== 'undefined') {
+            window.addEventListener('pagehide', () => this.flushBeacon());
+            window.addEventListener('beforeunload', () => this.flushBeacon());
+        }
+    }
+    /**
+     * Record an event. Scrubs metadata for PII before queueing.
+     */
+    record(event) {
+        const scrubbed = {
+            ...event,
+            metadata: event.metadata
+                ? scrub(event.metadata, { additionalPatterns: this.config.additionalScrubPatterns })
+                : undefined,
+        };
+        this.queue.push(scrubbed);
+        const batchSize = this.config.batchSize ?? DEFAULT_BATCH_SIZE;
+        if (this.queue.length >= batchSize) {
+            void this.flush();
+        }
+        else {
+            this.scheduleFlush();
+        }
+    }
+    /**
+     * Force-flush the queue. Returns when done.
+     */
+    async flush() {
+        if (this.inflight || this.queue.length === 0)
+            return;
+        this.inflight = true;
+        this.clearTimer();
+        const batch = this.queue.splice(0);
+        try {
+            await this.send(batch);
+        }
+        catch (err) {
+            // Re-queue on failure
+            this.queue.unshift(...batch);
+            this.persistToStorage();
+            try {
+                this.config.onError?.(err, batch);
+            }
+            catch {
+                // swallow — onError must not throw further
+            }
+        }
+        finally {
+            this.inflight = false;
+        }
+    }
+    scheduleFlush() {
+        if (this.timer)
+            return;
+        const intervalMs = this.config.flushIntervalMs ?? DEFAULT_FLUSH_MS;
+        this.timer = setTimeout(() => {
+            this.timer = null;
+            void this.flush();
+        }, intervalMs);
+    }
+    clearTimer() {
+        if (this.timer) {
+            clearTimeout(this.timer);
+            this.timer = null;
+        }
+    }
+    async send(batch) {
+        const fetcher = this.config.fetchImpl ?? fetch;
+        const response = await fetcher(this.config.endpoint, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ events: batch }),
+        });
+        if (!response.ok) {
+            throw new Error(`audit endpoint returned ${response.status}`);
+        }
+        this.persistToStorage();
+    }
+    flushBeacon() {
+        if (this.queue.length === 0)
+            return;
+        if (typeof navigator === 'undefined' || typeof navigator.sendBeacon !== 'function') {
+            this.persistToStorage();
+            return;
+        }
+        const blob = new Blob([JSON.stringify({ events: this.queue })], {
+            type: 'application/json',
+        });
+        const sent = navigator.sendBeacon(this.config.endpoint, blob);
+        if (sent) {
+            this.queue = [];
+            this.persistToStorage();
+        }
+    }
+    persistToStorage() {
+        if (typeof sessionStorage === 'undefined')
+            return;
+        try {
+            if (this.queue.length === 0) {
+                sessionStorage.removeItem(STORAGE_KEY);
+            }
+            else {
+                sessionStorage.setItem(STORAGE_KEY, JSON.stringify(this.queue));
+            }
+        }
+        catch {
+            // sessionStorage may be unavailable (privacy mode); fail silent
+        }
+    }
+    restoreFromStorage() {
+        if (typeof sessionStorage === 'undefined')
+            return;
+        try {
+            const raw = sessionStorage.getItem(STORAGE_KEY);
+            if (raw) {
+                const parsed = JSON.parse(raw);
+                if (Array.isArray(parsed)) {
+                    this.queue.unshift(...parsed);
+                    sessionStorage.removeItem(STORAGE_KEY);
+                }
+            }
+        }
+        catch {
+            // ignore corrupt state
+        }
+    }
+}
+/**
+ * Generate a UUID v4. Used for event_id.
+ */
+export function generateEventId() {
+    if (typeof crypto !== 'undefined' && typeof crypto.randomUUID === 'function') {
+        return crypto.randomUUID();
+    }
+    // Fallback: not as strong, but works in environments without randomUUID
+    const bytes = new Uint8Array(16);
+    if (typeof crypto !== 'undefined' && crypto.getRandomValues) {
+        crypto.getRandomValues(bytes);
+    }
+    else {
+        for (let i = 0; i < 16; i++)
+            bytes[i] = Math.floor(Math.random() * 256);
+    }
+    bytes[6] = ((bytes[6] ?? 0) & 0x0f) | 0x40;
+    bytes[8] = ((bytes[8] ?? 0) & 0x3f) | 0x80;
+    const hex = Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
+    return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20)}`;
+}
+/**
+ * Convenience: generate a short error reference code shown to users in toasts.
+ * E.g. `ERR-A7K2`. Use to correlate UI error to full log entry.
+ */
+export function generateErrorRef() {
+    const chars = 'ABCDEFGHIJKLMNPQRSTUVWXYZ123456789'; // no 0/O confusion
+    let out = 'ERR-';
+    const bytes = new Uint8Array(4);
+    if (typeof crypto !== 'undefined' && crypto.getRandomValues) {
+        crypto.getRandomValues(bytes);
+    }
+    else {
+        for (let i = 0; i < 4; i++)
+            bytes[i] = Math.floor(Math.random() * 256);
+    }
+    for (let i = 0; i < 4; i++)
+        out += chars[bytes[i] % chars.length];
+    return out;
+}
+//# sourceMappingURL=auditClient.js.map

package/dist/audit/auditClient.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auditClient.js","sourceRoot":"","sources":["../../src/audit/auditClient.ts"],"names":[],"mappings":"AASA,OAAO,EAAE,KAAK,EAAE,MAAM,eAAe,CAAC;AAEtC,MAAM,kBAAkB,GAAG,EAAE,CAAC;AAC9B,MAAM,gBAAgB,GAAG,KAAK,CAAC;AAC/B,MAAM,WAAW,GAAG,wBAAwB,CAAC;AAE7C,MAAM,OAAO,WAAW;IAKO;IAJrB,KAAK,GAAiB,EAAE,CAAC;IACzB,KAAK,GAAyC,IAAI,CAAC;IACnD,QAAQ,GAAG,KAAK,CAAC;IAEzB,YAA6B,MAAyB;QAAzB,WAAM,GAAN,MAAM,CAAmB;QACpD,IAAI,CAAC,kBAAkB,EAAE,CAAC;QAC1B,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;YAClC,MAAM,CAAC,gBAAgB,CAAC,UAAU,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;YAC9D,MAAM,CAAC,gBAAgB,CAAC,cAAc,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;QACpE,CAAC;IACH,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,KAAiB;QACtB,MAAM,QAAQ,GAAe;YAC3B,GAAG,KAAK;YACR,QAAQ,EAAE,KAAK,CAAC,QAAQ;gBACtB,CAAC,CAAE,KAAK,CAAC,KAAK,CAAC,QAAQ,EAAE,EAAE,kBAAkB,EAAE,IAAI,CAAC,MAAM,CAAC,uBAAuB,EAAE,CAGhF;gBACJ,CAAC,CAAC,SAAS;SACd,CAAC;QACF,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAE1B,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,SAAS,IAAI,kBAAkB,CAAC;QAC9D,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,IAAI,SAAS,EAAE,CAAC;YACnC,KAAK,IAAI,CAAC,KAAK,EAAE,CAAC;QACpB,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,aAAa,EAAE,CAAC;QACvB,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,KAAK;QACT,IAAI,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO;QACrD,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC;QACrB,IAAI,CAAC,UAAU,EAAE,CAAC;QAElB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QACnC,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACzB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,sBAAsB;YACtB,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,KAAK,CAAC,CAAC;YAC7B,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACxB,IAAI,CAAC;gBACH,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;YACpC,CAAC;YAAC,MAAM,CAAC;gBACP,2CAA2C;YAC7C,CAAC;QACH,CAAC;gBAAS,CAAC;YACT,IAAI,CAAC,QAAQ,GAAG,KAAK,CAAC;QACxB,CAAC;IACH,CAAC;IAEO,aAAa;QACnB,IAAI,IAAI,CAAC,KAAK;YAAE,OAAO;QACvB,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,eAAe,IAAI,gBAAgB,CAAC;QACnE,IAAI,CAAC,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;YAC3B,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;YAClB,KAAK,IAAI,CAAC,KAAK,EAAE,CAAC;QACpB,CAAC,EAAE,UAAU,CAAC,CAAC;IACjB,CAAC;IAEO,UAAU;QAChB,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACzB,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;QACpB,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,IAAI,CAAC,KAAmB;QACpC,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,SAAS,IAAI,KAAK,CAAC;QAC/C,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE;YACnD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;SACxC,CAAC,CAAC;QACH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,2BAA2B,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QAChE,CAAC;QACD,IAAI,CAAC,gBAAgB,EAAE,CAAC;IAC1B,CAAC;IAEO,WAAW;QACjB,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO;QACpC,IAAI,OAAO,SAAS,KAAK,WAAW,IAAI,OAAO,SAAS,CAAC,UAAU,KAAK,UAAU,EAAE,CAAC;YACnF,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACxB,OAAO;QACT,CAAC;QACD,MAAM,IAAI,GAAG,IAAI,IAAI,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,EAAE;YAC9D,IAAI,EAAE,kBAAkB;SACzB,CAAC,CAAC;QACH,MAAM,IAAI,GAAG,SAAS,CAAC,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QAC9D,IAAI,IAAI,EAAE,CAAC;YACT,IAAI,CAAC,KAAK,GAAG,EAAE,CAAC;YAChB,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAC1B,CAAC;IACH,CAAC;IAEO,gBAAgB;QACtB,IAAI,OAAO,cAAc,KAAK,WAAW;YAAE,OAAO;QAClD,IAAI,CAAC;YACH,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC5B,cAAc,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC;YACzC,CAAC;iBAAM,CAAC;gBACN,cAAc,CAAC,OAAO,CAAC,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;YAClE,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,gEAAgE;QAClE,CAAC;IACH,CAAC;IAEO,kBAAkB;QACxB,IAAI,OAAO,cAAc,KAAK,WAAW;YAAE,OAAO;QAClD,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,cAAc,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;YAChD,IAAI,GAAG,EAAE,CAAC;gBACR,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAiB,CAAC;gBAC/C,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;oBAC1B,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,MAAM,CAAC,CAAC;oBAC9B,cAAc,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC;gBACzC,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,uBAAuB;QACzB,CAAC;IACH,CAAC;CACF;AAED;;GAEG;AACH,MAAM,UAAU,eAAe;IAC7B,IAAI,OAAO,MAAM,KAAK,WAAW,IAAI,OAAO,MAAM,CAAC,UAAU,KAAK,UAAU,EAAE,CAAC;QAC7E,OAAO,MAAM,CAAC,UAAU,EAAE,CAAC;IAC7B,CAAC;IACD,wEAAwE;IACxE,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IACjC,IAAI,OAAO,MAAM,KAAK,WAAW,IAAI,MAAM,CAAC,eAAe,EAAE,CAAC;QAC5D,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;IAChC,CAAC;SAAM,CAAC;QACN,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE;YAAE,KAAK,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,GAAG,CAAC,CAAC;IAC1E,CAAC;IACD,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC;IAC3C,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC;IAC3C,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC/E,OAAO,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,CAAC;AAC7G,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB;IAC9B,MAAM,KAAK,GAAG,oCAAoC,CAAC,CAAC,mBAAmB;IACvE,IAAI,GAAG,GAAG,MAAM,CAAC;IACjB,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC;IAChC,IAAI,OAAO,MAAM,KAAK,WAAW,IAAI,MAAM,CAAC,eAAe,EAAE,CAAC;QAC5D,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;IAChC,CAAC;SAAM,CAAC;QACN,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE;YAAE,KAAK,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,GAAG,CAAC,CAAC;IACzE,CAAC;IACD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE;QAAE,GAAG,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC,CAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;IACnE,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/audit/index.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Audit logging — batched, PII-scrubbed audit events for BFSI compliance.
+ *
+ * Required for RBI Annexure I §8, SOC2 CC7.3, PCI-DSS req 10.
+ */
+export * from './auditClient.js';
+export * from './scrubber.js';
+export * from './types.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/audit/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/audit/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,cAAc,kBAAkB,CAAC;AACjC,cAAc,eAAe,CAAC;AAC9B,cAAc,YAAY,CAAC"}

package/dist/audit/index.js

@@ -0,0 +1,9 @@
+/**
+ * Audit logging — batched, PII-scrubbed audit events for BFSI compliance.
+ *
+ * Required for RBI Annexure I §8, SOC2 CC7.3, PCI-DSS req 10.
+ */
+export * from './auditClient.js';
+export * from './scrubber.js';
+export * from './types.js';
+//# sourceMappingURL=index.js.map

package/dist/audit/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/audit/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,cAAc,kBAAkB,CAAC;AACjC,cAAc,eAAe,CAAC;AAC9B,cAAc,YAAY,CAAC"}

package/dist/audit/scrubber.d.ts

@@ -0,0 +1,27 @@
+/**
+ * PII scrubber for audit log payloads.
+ *
+ * Walks an object recursively, replacing values that look like PII with
+ * sentinel tokens. Preserves shape so debugging is still possible.
+ *
+ * RULES OF SCRUBBING:
+ *   - Default to over-redaction; humans can recover from "too little info"
+ *     more cheaply than from "leaked PAN in audit log".
+ *   - Key-name signal trumps value pattern. `pan: "FOO"` is scrubbed even if
+ *     the value doesn't match PAN shape.
+ *   - Values matching strong patterns (PAN, Aadhaar) are scrubbed regardless
+ *     of key name.
+ */
+export interface ScrubOptions {
+    /** Extra patterns to scrub. */
+    additionalPatterns?: RegExp[];
+    /** Maximum depth to recurse. Prevents pathological inputs. Default 10. */
+    maxDepth?: number;
+}
+export declare function scrub(value: unknown, opts?: ScrubOptions): unknown;
+/**
+ * Hash a value with SHA-256 for tamper-detection metadata.
+ * Returns hex. Use for `request_hash` — does NOT reverse the input.
+ */
+export declare function hashRequest(input: unknown): Promise<string>;
+//# sourceMappingURL=scrubber.d.ts.map

package/dist/audit/scrubber.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scrubber.d.ts","sourceRoot":"","sources":["../../src/audit/scrubber.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAsCH,MAAM,WAAW,YAAY;IAC3B,+BAA+B;IAC/B,kBAAkB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC9B,0EAA0E;IAC1E,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,wBAAgB,KAAK,CAAC,KAAK,EAAE,OAAO,EAAE,IAAI,GAAE,YAAiB,GAAG,OAAO,CAItE;AAwCD;;;GAGG;AACH,wBAAsB,WAAW,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAOjE"}

package/dist/audit/scrubber.js

@@ -0,0 +1,111 @@
+/**
+ * PII scrubber for audit log payloads.
+ *
+ * Walks an object recursively, replacing values that look like PII with
+ * sentinel tokens. Preserves shape so debugging is still possible.
+ *
+ * RULES OF SCRUBBING:
+ *   - Default to over-redaction; humans can recover from "too little info"
+ *     more cheaply than from "leaked PAN in audit log".
+ *   - Key-name signal trumps value pattern. `pan: "FOO"` is scrubbed even if
+ *     the value doesn't match PAN shape.
+ *   - Values matching strong patterns (PAN, Aadhaar) are scrubbed regardless
+ *     of key name.
+ */
+const SENSITIVE_KEY_PATTERNS = [
+    /^pan$/i,
+    /^aadhaar$/i,
+    /^aadhar$/i,
+    /^account(_?number)?$/i,
+    /^card(_?number)?$/i,
+    /^(cvv|cvc)$/i,
+    /^otp$/i,
+    /^(password|passwd)$/i,
+    /^secret$/i,
+    /^token$/i,
+    /^api(_?key)?$/i,
+    /^(mobile|phone)$/i,
+    /^email$/i,
+    /^(dob|date_of_birth)$/i,
+    /^(first_?name|last_?name|full_?name|name)$/i,
+    /^address$/i,
+    /^ifsc$/i,
+    /^upi(_?(id|vpa))?$/i,
+    /^passport$/i,
+    /^auth/i,
+];
+const VALUE_PATTERNS = [
+    /[A-Z]{5}\d{4}[A-Z]/, // PAN
+    /\b\d{12}\b/, // Aadhaar
+    /-----BEGIN [A-Z ]*PRIVATE KEY-----/,
+    /AKIA[0-9A-Z]{16}/, // AWS access key
+    /sk-(live|test)_[A-Za-z0-9]{20,}/, // Stripe
+    /sk-ant-[A-Za-z0-9_-]{32,}/, // Anthropic
+    /ghp_[A-Za-z0-9]{36}/, // GitHub
+    /AIza[0-9A-Za-z_-]{35}/, // Google
+];
+const REDACTED = '<scrubbed>';
+export function scrub(value, opts = {}) {
+    const maxDepth = opts.maxDepth ?? 10;
+    const extraPatterns = opts.additionalPatterns ?? [];
+    return walk(value, 0, maxDepth, extraPatterns);
+}
+function walk(value, depth, maxDepth, extra) {
+    if (depth > maxDepth) {
+        return REDACTED;
+    }
+    if (value === null || value === undefined) {
+        return value;
+    }
+    if (typeof value === 'string') {
+        return scrubString(value, extra);
+    }
+    if (typeof value === 'number' || typeof value === 'boolean' || typeof value === 'bigint') {
+        return value;
+    }
+    if (Array.isArray(value)) {
+        return value.map((v) => walk(v, depth + 1, maxDepth, extra));
+    }
+    if (typeof value === 'object') {
+        const out = {};
+        for (const [k, v] of Object.entries(value)) {
+            if (isSensitiveKey(k)) {
+                out[k] = v === null || v === undefined ? v : REDACTED;
+            }
+            else {
+                out[k] = walk(v, depth + 1, maxDepth, extra);
+            }
+        }
+        return out;
+    }
+    return REDACTED;
+}
+function isSensitiveKey(key) {
+    return SENSITIVE_KEY_PATTERNS.some((p) => p.test(key));
+}
+function scrubString(value, extra) {
+    for (const p of VALUE_PATTERNS) {
+        if (p.test(value)) {
+            return REDACTED;
+        }
+    }
+    for (const p of extra) {
+        if (p.test(value)) {
+            return REDACTED;
+        }
+    }
+    return value;
+}
+/**
+ * Hash a value with SHA-256 for tamper-detection metadata.
+ * Returns hex. Use for `request_hash` — does NOT reverse the input.
+ */
+export async function hashRequest(input) {
+    const json = JSON.stringify(input);
+    const bytes = new TextEncoder().encode(json);
+    const digest = new Uint8Array(await crypto.subtle.digest('SHA-256', bytes));
+    return Array.from(digest)
+        .map((b) => b.toString(16).padStart(2, '0'))
+        .join('');
+}
+//# sourceMappingURL=scrubber.js.map

package/dist/audit/scrubber.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scrubber.js","sourceRoot":"","sources":["../../src/audit/scrubber.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,MAAM,sBAAsB,GAAG;IAC7B,QAAQ;IACR,YAAY;IACZ,WAAW;IACX,uBAAuB;IACvB,oBAAoB;IACpB,cAAc;IACd,QAAQ;IACR,sBAAsB;IACtB,WAAW;IACX,UAAU;IACV,gBAAgB;IAChB,mBAAmB;IACnB,UAAU;IACV,wBAAwB;IACxB,6CAA6C;IAC7C,YAAY;IACZ,SAAS;IACT,qBAAqB;IACrB,aAAa;IACb,QAAQ;CACT,CAAC;AAEF,MAAM,cAAc,GAAG;IACrB,oBAAoB,EAAE,MAAM;IAC5B,YAAY,EAAE,UAAU;IACxB,oCAAoC;IACpC,kBAAkB,EAAE,iBAAiB;IACrC,iCAAiC,EAAE,SAAS;IAC5C,2BAA2B,EAAE,YAAY;IACzC,qBAAqB,EAAE,SAAS;IAChC,uBAAuB,EAAE,SAAS;CACnC,CAAC;AAEF,MAAM,QAAQ,GAAG,YAAY,CAAC;AAS9B,MAAM,UAAU,KAAK,CAAC,KAAc,EAAE,OAAqB,EAAE;IAC3D,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;IACrC,MAAM,aAAa,GAAG,IAAI,CAAC,kBAAkB,IAAI,EAAE,CAAC;IACpD,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC,EAAE,QAAQ,EAAE,aAAa,CAAC,CAAC;AACjD,CAAC;AAED,SAAS,IAAI,CAAC,KAAc,EAAE,KAAa,EAAE,QAAgB,EAAE,KAAe;IAC5E,IAAI,KAAK,GAAG,QAAQ,EAAE,CAAC;QAAA,OAAO,QAAQ,CAAC;IAAA,CAAC;IACxC,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;QAAA,OAAO,KAAK,CAAC;IAAA,CAAC;IAC1D,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAAA,OAAO,WAAW,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IAAA,CAAC;IAClE,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,OAAO,KAAK,KAAK,SAAS,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACzF,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,EAAE,KAAK,GAAG,CAAC,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC;IAC/D,CAAC;IACD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,MAAM,GAAG,GAA4B,EAAE,CAAC;QACxC,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YAC3C,IAAI,cAAc,CAAC,CAAC,CAAC,EAAE,CAAC;gBACtB,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC;YACxD,CAAC;iBAAM,CAAC;gBACN,GAAG,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC,EAAE,KAAK,GAAG,CAAC,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC;YAC/C,CAAC;QACH,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,cAAc,CAAC,GAAW;IACjC,OAAO,sBAAsB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AACzD,CAAC;AAED,SAAS,WAAW,CAAC,KAAa,EAAE,KAAe;IACjD,KAAK,MAAM,CAAC,IAAI,cAAc,EAAE,CAAC;QAC/B,IAAI,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YAAA,OAAO,QAAQ,CAAC;QAAA,CAAC;IACvC,CAAC;IACD,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;QACtB,IAAI,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YAAA,OAAO,QAAQ,CAAC;QAAA,CAAC;IACvC,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,KAAc;IAC9C,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IACnC,MAAM,KAAK,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAC7C,MAAM,MAAM,GAAG,IAAI,UAAU,CAAC,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC,CAAC;IAC5E,OAAO,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC;SACtB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;SAC3C,IAAI,CAAC,EAAE,CAAC,CAAC;AACd,CAAC"}

package/dist/audit/types.d.ts

@@ -0,0 +1,42 @@
+/**
+ * Audit event shape. Matches the backend `POST /api/audit` contract.
+ */
+export interface AuditEvent {
+    /** Client-generated UUID v4. Backend re-stamps if needed for legal record. */
+    event_id: string;
+    /** Dot-separated convention: <feature>.<entity>.<action> */
+    event_name: string;
+    /** Who did it. From session. */
+    actor_id: string;
+    /** Session correlation. */
+    actor_session_id?: string;
+    /** Type of resource the action targets. */
+    target_type?: string;
+    /** Resource ID. */
+    target_id?: string;
+    /** ISO 8601. Client clock; backend re-stamps. */
+    timestamp: string;
+    /** Outcome of the action. */
+    outcome: 'success' | 'failure' | 'pending';
+    /** SHA-256 of the request body (for tamper detection). */
+    request_hash?: string;
+    /** Non-PII context. User agent, viewport, feature flag state, etc. */
+    client_metadata?: Record<string, unknown>;
+    /** Free-form metadata. Will be scrubbed for PII before send. */
+    metadata?: Record<string, unknown>;
+}
+export interface AuditClientConfig {
+    /** Endpoint to POST events to. */
+    endpoint: string;
+    /** Max events to batch before sending. Default 20. */
+    batchSize?: number;
+    /** Max ms between flushes regardless of batch size. Default 5000. */
+    flushIntervalMs?: number;
+    /** Custom fetch (e.g. authenticated fetch). Default `fetch`. */
+    fetchImpl?: typeof fetch;
+    /** Called on send failure. Useful for surfacing to error monitoring. */
+    onError?: (err: unknown, batch: AuditEvent[]) => void;
+    /** Additional PII patterns to scrub (beyond defaults). */
+    additionalScrubPatterns?: RegExp[];
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/audit/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/audit/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,8EAA8E;IAC9E,QAAQ,EAAE,MAAM,CAAC;IACjB,4DAA4D;IAC5D,UAAU,EAAE,MAAM,CAAC;IACnB,gCAAgC;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,2BAA2B;IAC3B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,2CAA2C;IAC3C,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,mBAAmB;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,iDAAiD;IACjD,SAAS,EAAE,MAAM,CAAC;IAClB,6BAA6B;IAC7B,OAAO,EAAE,SAAS,GAAG,SAAS,GAAG,SAAS,CAAC;IAC3C,0DAA0D;IAC1D,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,sEAAsE;IACtE,eAAe,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC1C,gEAAgE;IAChE,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC;AAED,MAAM,WAAW,iBAAiB;IAChC,kCAAkC;IAClC,QAAQ,EAAE,MAAM,CAAC;IACjB,sDAAsD;IACtD,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,qEAAqE;IACrE,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,gEAAgE;IAChE,SAAS,CAAC,EAAE,OAAO,KAAK,CAAC;IACzB,wEAAwE;IACxE,OAAO,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,KAAK,IAAI,CAAC;IACtD,0DAA0D;IAC1D,uBAAuB,CAAC,EAAE,MAAM,EAAE,CAAC;CACpC"}

package/dist/audit/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/audit/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/audit/types.ts"],"names":[],"mappings":""}

package/dist/auth/crossTabSync.d.ts

@@ -0,0 +1,15 @@
+export type AuthBroadcast = {
+    type: 'logout';
+    reason: 'user' | 'idle' | 'expired' | 'forced';
+} | {
+    type: 'login';
+};
+export declare class CrossTabSync {
+    private readonly onMessage;
+    private channel;
+    constructor(onMessage: (msg: AuthBroadcast) => void);
+    start(): void;
+    stop(): void;
+    broadcast(msg: AuthBroadcast): void;
+}
+//# sourceMappingURL=crossTabSync.d.ts.map

package/dist/auth/crossTabSync.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crossTabSync.d.ts","sourceRoot":"","sources":["../../src/auth/crossTabSync.ts"],"names":[],"mappings":"AAQA,MAAM,MAAM,aAAa,GACrB;IAAE,IAAI,EAAE,QAAQ,CAAC;IAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,GAAG,QAAQ,CAAA;CAAE,GAClE;IAAE,IAAI,EAAE,OAAO,CAAA;CAAE,CAAC;AAEtB,qBAAa,YAAY;IAIrB,OAAO,CAAC,QAAQ,CAAC,SAAS;IAH5B,OAAO,CAAC,OAAO,CAAiC;gBAG7B,SAAS,EAAE,CAAC,GAAG,EAAE,aAAa,KAAK,IAAI;IAG1D,KAAK,IAAI,IAAI;IAQb,IAAI,IAAI,IAAI;IAKZ,SAAS,CAAC,GAAG,EAAE,aAAa,GAAG,IAAI;CAGpC"}

package/dist/auth/crossTabSync.js

@@ -0,0 +1,30 @@
+/**
+ * Cross-tab logout sync via BroadcastChannel.
+ *
+ * Use case: user logs out in one tab → all other tabs follow.
+ * Falls back gracefully when BroadcastChannel is unavailable.
+ */
+const CHANNEL_NAME = 'bfsi-auth';
+export class CrossTabSync {
+    onMessage;
+    channel = null;
+    constructor(onMessage) {
+        this.onMessage = onMessage;
+    }
+    start() {
+        if (typeof BroadcastChannel === 'undefined')
+            return;
+        this.channel = new BroadcastChannel(CHANNEL_NAME);
+        this.channel.addEventListener('message', (ev) => {
+            this.onMessage(ev.data);
+        });
+    }
+    stop() {
+        this.channel?.close();
+        this.channel = null;
+    }
+    broadcast(msg) {
+        this.channel?.postMessage(msg);
+    }
+}
+//# sourceMappingURL=crossTabSync.js.map

package/dist/auth/crossTabSync.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crossTabSync.js","sourceRoot":"","sources":["../../src/auth/crossTabSync.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,MAAM,YAAY,GAAG,WAAW,CAAC;AAMjC,MAAM,OAAO,YAAY;IAIJ;IAHX,OAAO,GAA4B,IAAI,CAAC;IAEhD,YACmB,SAAuC;QAAvC,cAAS,GAAT,SAAS,CAA8B;IACvD,CAAC;IAEJ,KAAK;QACH,IAAI,OAAO,gBAAgB,KAAK,WAAW;YAAE,OAAO;QACpD,IAAI,CAAC,OAAO,GAAG,IAAI,gBAAgB,CAAC,YAAY,CAAC,CAAC;QAClD,IAAI,CAAC,OAAO,CAAC,gBAAgB,CAAC,SAAS,EAAE,CAAC,EAA+B,EAAE,EAAE;YAC3E,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC;QAC1B,CAAC,CAAC,CAAC;IACL,CAAC;IAED,IAAI;QACF,IAAI,CAAC,OAAO,EAAE,KAAK,EAAE,CAAC;QACtB,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC;IACtB,CAAC;IAED,SAAS,CAAC,GAAkB;QAC1B,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,GAAG,CAAC,CAAC;IACjC,CAAC;CACF"}

package/dist/auth/idleTimer.d.ts

@@ -0,0 +1,34 @@
+/**
+ * Idle timer. Calls back when no user activity for `idleMs`.
+ *
+ * Listens to: mousemove, keydown, touchstart, scroll, focus.
+ * Use to auto-logout after inactivity (RBI Annexure I §6.2).
+ */
+export interface IdleTimerConfig {
+    /** Milliseconds of inactivity before onIdle fires. */
+    idleMs: number;
+    /** Called when idle threshold is crossed. */
+    onIdle: () => void;
+    /** Called on activity AFTER idle (resumed). Optional. */
+    onResume?: () => void;
+    /** Custom events to listen to. Default is the activity set above. */
+    events?: readonly string[];
+}
+export declare class IdleTimer {
+    private readonly config;
+    private timer;
+    private isIdle;
+    private readonly handler;
+    private readonly events;
+    constructor(config: IdleTimerConfig);
+    start(): void;
+    stop(): void;
+    /**
+     * Manually report activity. Useful for events outside the default set
+     * (e.g. API success indicating server-side activity).
+     */
+    reportActivity(): void;
+    private onActivity;
+    private resetTimer;
+}
+//# sourceMappingURL=idleTimer.d.ts.map

package/dist/auth/idleTimer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"idleTimer.d.ts","sourceRoot":"","sources":["../../src/auth/idleTimer.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,MAAM,WAAW,eAAe;IAC9B,sDAAsD;IACtD,MAAM,EAAE,MAAM,CAAC;IACf,6CAA6C;IAC7C,MAAM,EAAE,MAAM,IAAI,CAAC;IACnB,yDAAyD;IACzD,QAAQ,CAAC,EAAE,MAAM,IAAI,CAAC;IACtB,qEAAqE;IACrE,MAAM,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CAC5B;AAID,qBAAa,SAAS;IAMR,OAAO,CAAC,QAAQ,CAAC,MAAM;IALnC,OAAO,CAAC,KAAK,CAA8C;IAC3D,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAa;IACrC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAoB;gBAEd,MAAM,EAAE,eAAe;IAKpD,KAAK,IAAI,IAAI;IAQb,IAAI,IAAI,IAAI;IASZ;;;OAGG;IACH,cAAc,IAAI,IAAI;IAItB,OAAO,CAAC,UAAU;IAQlB,OAAO,CAAC,UAAU;CAOnB"}