npm - @rovela-ai/sdk - Versions diffs - 0.2.0 → 0.3.0 - Mend

@rovela-ai/sdk 0.2.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (178) hide show

package/dist/admin/api/accept-invite.d.ts +65 -0
package/dist/admin/api/accept-invite.d.ts.map +1 -0
package/dist/admin/api/accept-invite.js +115 -0
package/dist/admin/api/accept-invite.js.map +1 -0
package/dist/admin/api/categories.d.ts.map +1 -1
package/dist/admin/api/categories.js +21 -28
package/dist/admin/api/categories.js.map +1 -1
package/dist/admin/api/customers.d.ts.map +1 -1
package/dist/admin/api/customers.js +17 -25
package/dist/admin/api/customers.js.map +1 -1
package/dist/admin/api/forgot-password.d.ts +39 -0
package/dist/admin/api/forgot-password.d.ts.map +1 -0
package/dist/admin/api/forgot-password.js +66 -0
package/dist/admin/api/forgot-password.js.map +1 -0
package/dist/admin/api/index.d.ts +6 -0
package/dist/admin/api/index.d.ts.map +1 -1
package/dist/admin/api/index.js +9 -0
package/dist/admin/api/index.js.map +1 -1
package/dist/admin/api/me.d.ts +72 -0
package/dist/admin/api/me.d.ts.map +1 -0
package/dist/admin/api/me.js +177 -0
package/dist/admin/api/me.js.map +1 -0
package/dist/admin/api/orders.d.ts.map +1 -1
package/dist/admin/api/orders.js +21 -28
package/dist/admin/api/orders.js.map +1 -1
package/dist/admin/api/products.d.ts.map +1 -1
package/dist/admin/api/products.js +33 -37
package/dist/admin/api/products.js.map +1 -1
package/dist/admin/api/refund.d.ts.map +1 -1
package/dist/admin/api/refund.js +5 -7
package/dist/admin/api/refund.js.map +1 -1
package/dist/admin/api/reset-password.d.ts +49 -0
package/dist/admin/api/reset-password.d.ts.map +1 -0
package/dist/admin/api/reset-password.js +99 -0
package/dist/admin/api/reset-password.js.map +1 -0
package/dist/admin/api/return.d.ts.map +1 -1
package/dist/admin/api/return.js +9 -12
package/dist/admin/api/return.js.map +1 -1
package/dist/admin/api/settings.d.ts.map +1 -1
package/dist/admin/api/settings.js +9 -12
package/dist/admin/api/settings.js.map +1 -1
package/dist/admin/api/shipping.d.ts.map +1 -1
package/dist/admin/api/shipping.js +65 -61
package/dist/admin/api/shipping.js.map +1 -1
package/dist/admin/api/stats.d.ts.map +1 -1
package/dist/admin/api/stats.js +5 -7
package/dist/admin/api/stats.js.map +1 -1
package/dist/admin/api/stripe-status.d.ts.map +1 -1
package/dist/admin/api/stripe-status.js +5 -7
package/dist/admin/api/stripe-status.js.map +1 -1
package/dist/admin/api/tax-zones.d.ts.map +1 -1
package/dist/admin/api/tax-zones.js +21 -28
package/dist/admin/api/tax-zones.js.map +1 -1
package/dist/admin/api/users.d.ts +142 -0
package/dist/admin/api/users.d.ts.map +1 -0
package/dist/admin/api/users.js +356 -0
package/dist/admin/api/users.js.map +1 -0
package/dist/admin/components/AdminAcceptInviteForm.d.ts +3 -0
package/dist/admin/components/AdminAcceptInviteForm.d.ts.map +1 -0
package/dist/admin/components/AdminAcceptInviteForm.js +137 -0
package/dist/admin/components/AdminAcceptInviteForm.js.map +1 -0
package/dist/admin/components/AdminAccountPage.d.ts +10 -0
package/dist/admin/components/AdminAccountPage.d.ts.map +1 -0
package/dist/admin/components/AdminAccountPage.js +123 -0
package/dist/admin/components/AdminAccountPage.js.map +1 -0
package/dist/admin/components/AdminForgotPasswordForm.d.ts +8 -0
package/dist/admin/components/AdminForgotPasswordForm.d.ts.map +1 -0
package/dist/admin/components/AdminForgotPasswordForm.js +59 -0
package/dist/admin/components/AdminForgotPasswordForm.js.map +1 -0
package/dist/admin/components/AdminNav.d.ts.map +1 -1
package/dist/admin/components/AdminNav.js +39 -8
package/dist/admin/components/AdminNav.js.map +1 -1
package/dist/admin/components/AdminResetPasswordForm.d.ts +12 -0
package/dist/admin/components/AdminResetPasswordForm.d.ts.map +1 -0
package/dist/admin/components/AdminResetPasswordForm.js +134 -0
package/dist/admin/components/AdminResetPasswordForm.js.map +1 -0
package/dist/admin/components/AdminUserMenu.d.ts.map +1 -1
package/dist/admin/components/AdminUserMenu.js +2 -2
package/dist/admin/components/AdminUserMenu.js.map +1 -1
package/dist/admin/components/InviteUserDialog.d.ts +3 -0
package/dist/admin/components/InviteUserDialog.d.ts.map +1 -0
package/dist/admin/components/InviteUserDialog.js +127 -0
package/dist/admin/components/InviteUserDialog.js.map +1 -0
package/dist/admin/components/UsersTable.d.ts +3 -0
package/dist/admin/components/UsersTable.d.ts.map +1 -0
package/dist/admin/components/UsersTable.js +399 -0
package/dist/admin/components/UsersTable.js.map +1 -0
package/dist/admin/components/index.d.ts +9 -0
package/dist/admin/components/index.d.ts.map +1 -1
package/dist/admin/components/index.js +9 -0
package/dist/admin/components/index.js.map +1 -1
package/dist/admin/config.d.ts.map +1 -1
package/dist/admin/config.js +23 -1
package/dist/admin/config.js.map +1 -1
package/dist/admin/hooks/index.d.ts +4 -0
package/dist/admin/hooks/index.d.ts.map +1 -1
package/dist/admin/hooks/index.js +3 -0
package/dist/admin/hooks/index.js.map +1 -1
package/dist/admin/hooks/useAdminMe.d.ts +31 -0
package/dist/admin/hooks/useAdminMe.d.ts.map +1 -0
package/dist/admin/hooks/useAdminMe.js +103 -0
package/dist/admin/hooks/useAdminMe.js.map +1 -0
package/dist/admin/hooks/useAdminPermissions.d.ts +3 -0
package/dist/admin/hooks/useAdminPermissions.d.ts.map +1 -0
package/dist/admin/hooks/useAdminPermissions.js +51 -0
package/dist/admin/hooks/useAdminPermissions.js.map +1 -0
package/dist/admin/hooks/useAdminUsers.d.ts +3 -0
package/dist/admin/hooks/useAdminUsers.d.ts.map +1 -0
package/dist/admin/hooks/useAdminUsers.js +240 -0
package/dist/admin/hooks/useAdminUsers.js.map +1 -0
package/dist/admin/index.d.ts +4 -4
package/dist/admin/index.d.ts.map +1 -1
package/dist/admin/index.js +20 -2
package/dist/admin/index.js.map +1 -1
package/dist/admin/permissions.d.ts +92 -0
package/dist/admin/permissions.d.ts.map +1 -0
package/dist/admin/permissions.js +201 -0
package/dist/admin/permissions.js.map +1 -0
package/dist/admin/server/admin-invite.d.ts +122 -0
package/dist/admin/server/admin-invite.d.ts.map +1 -0
package/dist/admin/server/admin-invite.js +235 -0
package/dist/admin/server/admin-invite.js.map +1 -0
package/dist/admin/server/admin-password-reset.d.ts +87 -0
package/dist/admin/server/admin-password-reset.d.ts.map +1 -0
package/dist/admin/server/admin-password-reset.js +220 -0
package/dist/admin/server/admin-password-reset.js.map +1 -0
package/dist/admin/server/admin-self-service.d.ts +86 -0
package/dist/admin/server/admin-self-service.d.ts.map +1 -0
package/dist/admin/server/admin-self-service.js +188 -0
package/dist/admin/server/admin-self-service.js.map +1 -0
package/dist/admin/server/admin-service.d.ts.map +1 -1
package/dist/admin/server/admin-service.js +21 -2
package/dist/admin/server/admin-service.js.map +1 -1
package/dist/admin/server/admin-session.d.ts +126 -0
package/dist/admin/server/admin-session.d.ts.map +1 -0
package/dist/admin/server/admin-session.js +215 -0
package/dist/admin/server/admin-session.js.map +1 -0
package/dist/admin/server/index.d.ts +7 -0
package/dist/admin/server/index.d.ts.map +1 -1
package/dist/admin/server/index.js +20 -0
package/dist/admin/server/index.js.map +1 -1
package/dist/admin/server/user-management.d.ts +223 -0
package/dist/admin/server/user-management.d.ts.map +1 -0
package/dist/admin/server/user-management.js +846 -0
package/dist/admin/server/user-management.js.map +1 -0
package/dist/admin/types.d.ts +153 -2
package/dist/admin/types.d.ts.map +1 -1
package/dist/core/db/queries.d.ts +19 -13
package/dist/core/db/queries.d.ts.map +1 -1
package/dist/core/db/schema.d.ts +327 -9
package/dist/core/db/schema.d.ts.map +1 -1
package/dist/core/db/schema.js +80 -3
package/dist/core/db/schema.js.map +1 -1
package/dist/core/types.d.ts +19 -3
package/dist/core/types.d.ts.map +1 -1
package/dist/emails/index.d.ts +2 -2
package/dist/emails/index.d.ts.map +1 -1
package/dist/emails/index.js +3 -1
package/dist/emails/index.js.map +1 -1
package/dist/emails/send/admin-auth.d.ts +94 -0
package/dist/emails/send/admin-auth.d.ts.map +1 -0
package/dist/emails/send/admin-auth.js +118 -0
package/dist/emails/send/admin-auth.js.map +1 -0
package/dist/emails/send/index.d.ts +2 -0
package/dist/emails/send/index.d.ts.map +1 -1
package/dist/emails/send/index.js +4 -0
package/dist/emails/send/index.js.map +1 -1
package/dist/emails/templates/admin-invite.d.ts +40 -0
package/dist/emails/templates/admin-invite.d.ts.map +1 -0
package/dist/emails/templates/admin-invite.js +62 -0
package/dist/emails/templates/admin-invite.js.map +1 -0
package/dist/emails/templates/index.d.ts +1 -0
package/dist/emails/templates/index.d.ts.map +1 -1
package/dist/emails/templates/index.js +4 -0
package/dist/emails/templates/index.js.map +1 -1
package/dist/emails/types.d.ts +22 -1
package/dist/emails/types.d.ts.map +1 -1
package/package.json +21 -1

package/dist/admin/server/admin-service.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"admin-service.js","sourceRoot":"","sources":["../../../src/admin/server/admin-service.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,EAAE,EAAE,MAAM,aAAa,CAAA;~~AAChC~~,OAAO,EAAE,KAAK,EAAE,MAAM,sBAAsB,CAAA;AAC5C,OAAO,KAAK,MAAM,MAAM,sBAAsB,CAAA;AAC9C,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,4BAA4B,CAAA;AAsBzE,gFAAgF;AAChF,uBAAuB;AACvB,gFAAgF;AAEhF;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,KAAa,EACb,QAAgB;IAEhB,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,sBAAsB;IACtB,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,EAAE;SACrB,MAAM,EAAE;SACR,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;SACxB,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,KAAK,EAAE,KAAK,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC;SAC/D,KAAK,CAAC,CAAC,CAAC,CAAA;IAEX,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,2BAA2B;YAClC,IAAI,EAAE,qBAAqB;SAC5B,CAAA;IACH,CAAC;IAED,kBAAkB;IAClB,MAAM,eAAe,GAAG,MAAM,cAAc,CAAC,QAAQ,EAAE,KAAK,CAAC,YAAY,CAAC,CAAA;IAC1E,IAAI,CAAC,eAAe,EAAE,CAAC;QACrB,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,2BAA2B;YAClC,IAAI,EAAE,qBAAqB;SAC5B,CAAA;IACH,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAA;AACjC,CAAC;AAED,gFAAgF;AAChF,aAAa;AACb,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,KAAa,EACb,QAAgB,EAChB,IAAY,EACZ,OAA0B,OAAO;IAEjC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,gBAAgB;IAChB,MAAM,YAAY,GAAG,MAAM,YAAY,CAAC,QAAQ,CAAC,CAAA;IAEjD,IAAI,CAAC;QACH,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,EAAE;aACrB,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC;aAC1B,MAAM,CAAC;YACN,KAAK,EAAE,KAAK,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE;YACjC,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE;YACjB,YAAY;YACZ,IAAI;SACL,CAAC;aACD,SAAS,EAAE,CAAA;QAEd,OAAO,EAAE,KAAK,EAAE,CAAA;IAClB,CAAC;IAAC,OAAO,KAAc,EAAE,CAAC;QACxB,wCAAwC;QACxC,MAAM,GAAG,GAAG,KAAqD,CAAA;QACjE,IAAI,GAAG,CAAC,IAAI,KAAK,OAAO,IAAI,GAAG,CAAC,KAAK,EAAE,IAAI,KAAK,OAAO,EAAE,CAAC;YACxD,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAA;QAC5D,CAAC;QACD,MAAM,KAAK,CAAA;IACb,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,OAAe;IAEf,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,EAAE;SACrB,MAAM,CAAC;QACN,EAAE,EAAE,MAAM,CAAC,WAAW,CAAC,EAAE;QACzB,KAAK,EAAE,MAAM,CAAC,WAAW,CAAC,KAAK;QAC/B,IAAI,EAAE,MAAM,CAAC,WAAW,CAAC,IAAI;QAC7B,IAAI,EAAE,MAAM,CAAC,WAAW,CAAC,IAAI;KAC9B,CAAC;SACD,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;SACxB,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;SACzC,KAAK,CAAC,CAAC,CAAC,CAAA;IAEX,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,IAAI,CAAA;IACb,CAAC;IAED,OAAO;QACL,EAAE,EAAE,KAAK,CAAC,EAAE;QACZ,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,IAAI,EAAE,KAAK,CAAC,IAAI;KACjB,CAAA;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,KAAa;IAEb,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,EAAE;SACrB,MAAM,EAAE;SACR,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;SACxB,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,KAAK,EAAE,KAAK,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC;SAC/D,KAAK,CAAC,CAAC,CAAC,CAAA;IAEX,OAAO,KAAK,IAAI,IAAI,CAAA;AACtB,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,OAAe;IAEf,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,EAAE;SACrB,MAAM,EAAE;SACR,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;SACxB,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;SACzC,KAAK,CAAC,CAAC,CAAC,CAAA;IAEX,OAAO,KAAK,IAAI,IAAI,CAAA;AACtB,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,OAAe,EACf,IAAuC;IAEvC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,MAAM,UAAU,GAAkC,EAAE,CAAA;IAEpD,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC5B,UAAU,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAA;IACpC,CAAC;IAED,IAAI,IAAI,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;QAC7B,UAAU,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAA;IACpD,CAAC;IAED,IAAI,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzC,0CAA0C;QAC1C,OAAO,aAAa,CAAC,OAAO,CAAC,CAAA;IAC/B,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,EAAE;SACrB,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC;SAC1B,GAAG,CAAC,UAAU,CAAC;SACf,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;SACzC,SAAS,EAAE,CAAA;IAEd,OAAO,KAAK,IAAI,IAAI,CAAA;AACtB,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,OAAe,EACf,WAAmB;IAEnB,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,MAAM,YAAY,GAAG,MAAM,YAAY,CAAC,WAAW,CAAC,CAAA;IAEpD,MAAM,EAAE;SACL,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC;SAC1B,GAAG,CAAC,~~EAAE,~~YAAY,EAAE,CAAC;~~SACrB~~,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC,CAAA;AAC9C,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,KAAa;IAClD,MAAM,KAAK,GAAG,MAAM,gBAAgB,CAAC,KAAK,CAAC,CAAA;IAC3C,OAAO,CAAC,CAAC,KAAK,CAAA;AAChB,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW;IAC/B,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,MAAM,MAAM,GAAG,MAAM,EAAE;SACpB,MAAM,CAAC,EAAE,EAAE,EAAE,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE,CAAC;SACrC,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,CAAA;IAE3B,OAAO,MAAM,CAAC,MAAM,CAAA;AACtB,CAAC"}
1	+ {"version":3,"file":"admin-service.js","sourceRoot":"","sources":["../../../src/admin/server/admin-service.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,EAAE,EAAE,GAAG,EAAE,MAAM,aAAa,CAAA;AACrC,OAAO,EAAE,KAAK,EAAE,MAAM,sBAAsB,CAAA;AAC5C,OAAO,KAAK,MAAM,MAAM,sBAAsB,CAAA;AAC9C,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,4BAA4B,CAAA;AAsBzE,gFAAgF;AAChF,uBAAuB;AACvB,gFAAgF;AAEhF;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,KAAa,EACb,QAAgB;IAEhB,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,sBAAsB;IACtB,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,EAAE;SACrB,MAAM,EAAE;SACR,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;SACxB,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,KAAK,EAAE,KAAK,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC;SAC/D,KAAK,CAAC,CAAC,CAAC,CAAA;IAEX,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,2BAA2B;YAClC,IAAI,EAAE,qBAAqB;SAC5B,CAAA;IACH,CAAC;IAED,qEAAqE;IACrE,yEAAyE;IACzE,wEAAwE;IACxE,mDAAmD;IACnD,MAAM,WAAW,GAAI,KAA6B,CAAC,MAAM,IAAI,QAAQ,CAAA;IACrE,IAAI,WAAW,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,YAAY,EAAE,CAAC;QACpD,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,2BAA2B;YAClC,IAAI,EAAE,qBAAqB;SAC5B,CAAA;IACH,CAAC;IAED,kBAAkB;IAClB,MAAM,eAAe,GAAG,MAAM,cAAc,CAAC,QAAQ,EAAE,KAAK,CAAC,YAAY,CAAC,CAAA;IAC1E,IAAI,CAAC,eAAe,EAAE,CAAC;QACrB,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,2BAA2B;YAClC,IAAI,EAAE,qBAAqB;SAC5B,CAAA;IACH,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAA;AACjC,CAAC;AAED,gFAAgF;AAChF,aAAa;AACb,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,KAAa,EACb,QAAgB,EAChB,IAAY,EACZ,OAA0B,OAAO;IAEjC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,gBAAgB;IAChB,MAAM,YAAY,GAAG,MAAM,YAAY,CAAC,QAAQ,CAAC,CAAA;IAEjD,IAAI,CAAC;QACH,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,EAAE;aACrB,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC;aAC1B,MAAM,CAAC;YACN,KAAK,EAAE,KAAK,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE;YACjC,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE;YACjB,YAAY;YACZ,IAAI;SACL,CAAC;aACD,SAAS,EAAE,CAAA;QAEd,OAAO,EAAE,KAAK,EAAE,CAAA;IAClB,CAAC;IAAC,OAAO,KAAc,EAAE,CAAC;QACxB,wCAAwC;QACxC,MAAM,GAAG,GAAG,KAAqD,CAAA;QACjE,IAAI,GAAG,CAAC,IAAI,KAAK,OAAO,IAAI,GAAG,CAAC,KAAK,EAAE,IAAI,KAAK,OAAO,EAAE,CAAC;YACxD,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAA;QAC5D,CAAC;QACD,MAAM,KAAK,CAAA;IACb,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,OAAe;IAEf,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,EAAE;SACrB,MAAM,CAAC;QACN,EAAE,EAAE,MAAM,CAAC,WAAW,CAAC,EAAE;QACzB,KAAK,EAAE,MAAM,CAAC,WAAW,CAAC,KAAK;QAC/B,IAAI,EAAE,MAAM,CAAC,WAAW,CAAC,IAAI;QAC7B,IAAI,EAAE,MAAM,CAAC,WAAW,CAAC,IAAI;KAC9B,CAAC;SACD,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;SACxB,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;SACzC,KAAK,CAAC,CAAC,CAAC,CAAA;IAEX,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,IAAI,CAAA;IACb,CAAC;IAED,OAAO;QACL,EAAE,EAAE,KAAK,CAAC,EAAE;QACZ,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,IAAI,EAAE,KAAK,CAAC,IAAI;KACjB,CAAA;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,KAAa;IAEb,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,EAAE;SACrB,MAAM,EAAE;SACR,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;SACxB,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,KAAK,EAAE,KAAK,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC;SAC/D,KAAK,CAAC,CAAC,CAAC,CAAA;IAEX,OAAO,KAAK,IAAI,IAAI,CAAA;AACtB,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,OAAe;IAEf,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,EAAE;SACrB,MAAM,EAAE;SACR,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;SACxB,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;SACzC,KAAK,CAAC,CAAC,CAAC,CAAA;IAEX,OAAO,KAAK,IAAI,IAAI,CAAA;AACtB,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,OAAe,EACf,IAAuC;IAEvC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,MAAM,UAAU,GAAkC,EAAE,CAAA;IAEpD,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC5B,UAAU,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAA;IACpC,CAAC;IAED,IAAI,IAAI,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;QAC7B,UAAU,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAA;IACpD,CAAC;IAED,IAAI,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzC,0CAA0C;QAC1C,OAAO,aAAa,CAAC,OAAO,CAAC,CAAA;IAC/B,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,EAAE;SACrB,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC;SAC1B,GAAG,CAAC,UAAU,CAAC;SACf,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;SACzC,SAAS,EAAE,CAAA;IAEd,OAAO,KAAK,IAAI,IAAI,CAAA;AACtB,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,OAAe,EACf,WAAmB;IAEnB,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,MAAM,YAAY,GAAG,MAAM,YAAY,CAAC,WAAW,CAAC,CAAA;IAEpD,sEAAsE;IACtE,qEAAqE;IACrE,mEAAmE;IACnE,uCAAuC;IACvC,MAAM,EAAE;SACL,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC;SAC1B,GAAG,CAAC;QACH,YAAY;QACZ,cAAc,EAAE,GAAG,CAAA,GAAG,MAAM,CAAC,WAAW,CAAC,cAAc,MAAM;KAC9D,CAAC;SACD,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC,CAAA;AAC9C,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,KAAa;IAClD,MAAM,KAAK,GAAG,MAAM,gBAAgB,CAAC,KAAK,CAAC,CAAA;IAC3C,OAAO,CAAC,CAAC,KAAK,CAAA;AAChB,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW;IAC/B,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,MAAM,MAAM,GAAG,MAAM,EAAE;SACpB,MAAM,CAAC,EAAE,EAAE,EAAE,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE,CAAC;SACrC,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,CAAA;IAE3B,OAAO,MAAM,CAAC,MAAM,CAAA;AACtB,CAAC"}

package/dist/admin/server/admin-session.d.ts ADDED Viewed

@@ -0,0 +1,126 @@
+/**
+ * @rovela/sdk/admin/server/admin-session
+ *
+ * Centralized session + permission check for admin API routes.
+ *
+ * # Why this exists
+ *
+ * Before this module, every admin API handler had its own local copy of a
+ * `requireAdmin()` helper — ten copies across products, orders, customers,
+ * refund, return, settings, stats, stripe-status, categories, shipping, and
+ * tax-zones. They were subtly buggy (imported the CUSTOMER `createAuthOptions`
+ * instead of the admin one, accidentally working because NextAuth cookies
+ * overlap), and they had no way to express role-based permissions.
+ *
+ * This module replaces all ten with a single helper that:
+ *   1. Reads the NextAuth session from the correct admin config.
+ *   2. Fetches a fresh admin row from the DB and confirms `status = 'active'`
+ *      so that deactivated users are kicked out on their next request without
+ *      waiting for the JWT to expire.
+ *   3. Optionally checks a specific `Permission` from the permission matrix.
+ *   4. Optionally enforces a minimum role rank via `meetsMinRole`.
+ *   5. Ensures the runtime schema migration has run (once per process) so
+ *      stores on an older schema still work with the new SDK code paths.
+ *
+ * # Caching
+ *
+ * The DB status check is cached in-memory for 30 seconds per admin ID. This
+ * keeps the hot path fast (most admin routes already do a DB query for their
+ * actual work; one extra read would add ~10ms, and we want to avoid even
+ * that for back-to-back requests). Cache is invalidated via
+ * `invalidateAdminSession(adminId)` after any user-management operation that
+ * changes the admin's role or status, so the next request sees the new state
+ * without waiting for the 30-second TTL.
+ *
+ * # Schema assumptions
+ *
+ * This helper assumes the store's Neon database is already on the latest
+ * admin schema (v2). Schema is applied manually via Neon MCP once per store
+ * (master branch for new stores, per-branch for existing stores that want
+ * the feature). The helper tolerates missing fields gracefully: if the
+ * `status` column doesn't exist on an older store, it's read as undefined
+ * and defaulted to 'active' so existing owner sessions keep working.
+ *
+ * # Return contract
+ *
+ * `requireAdmin()` returns a discriminated union:
+ *   - `{ ok: true, admin }`  — caller proceeds
+ *   - `{ ok: false, response }` — caller returns `response` directly
+ *
+ * This pattern keeps the happy path terse at call sites:
+ *
+ * ```ts
+ * const guard = await requireAdmin({ permission: 'products.write' })
+ * if (!guard.ok) return guard.response
+ * const { admin } = guard
+ * // ...proceed with admin.id, admin.role, etc.
+ * ```
+ */
+import { NextResponse } from 'next/server';
+import { type Permission } from '../permissions';
+import type { AdminRole } from '../../core/types';
+import type { StoreAdmin } from '../../core/db/schema';
+import type { AdminApiError } from '../types';
+export interface RequireAdminOptions {
+    /** Require a specific permission from the permission matrix. */
+    permission?: Permission;
+    /** Require at least this role rank (e.g. 'administrator' means owner OR administrator). */
+    minRole?: AdminRole;
+}
+export type RequireAdminResult = {
+    ok: true;
+    admin: StoreAdmin;
+} | {
+    ok: false;
+    response: NextResponse<AdminApiError>;
+};
+/**
+ * Invalidate the session cache for a specific admin. Call this after any
+ * user-management operation that changes the admin's role or status, so the
+ * next request sees the new state without waiting for the 30s TTL.
+ *
+ * @example
+ * ```ts
+ * await deactivateAdmin(adminId)
+ * invalidateAdminSession(adminId)
+ * ```
+ */
+export declare function invalidateAdminSession(adminId: string): void;
+/**
+ * Clear the entire admin session cache. Exposed for tests; rarely needed in
+ * production since per-admin invalidation is sufficient.
+ * @internal
+ */
+export declare function __clearAdminSessionCache(): void;
+/**
+ * Authenticate + authorize the current request as an admin.
+ *
+ * Resolves with either `{ ok: true, admin }` (caller may proceed) or
+ * `{ ok: false, response }` (caller returns `response` to the client).
+ *
+ * Never throws — any internal error is converted to a 401/403/500 response
+ * that's safe to return directly.
+ *
+ * @example
+ * ```ts
+ * // List products (any authenticated admin with 'products.read')
+ * export async function GET(request: NextRequest) {
+ *   const guard = await requireAdmin({ permission: 'products.read' })
+ *   if (!guard.ok) return guard.response
+ *   const { admin } = guard
+ *   // ...proceed, admin.role is known, admin.status === 'active'
+ * }
+ * ```
+ *
+ * @example
+ * ```ts
+ * // Change a user's role (only owners)
+ * export async function PATCH(request: NextRequest) {
+ *   const guard = await requireAdmin({ permission: 'users.write' })
+ *   if (!guard.ok) return guard.response
+ *   // ...
+ * }
+ * ```
+ */
+export declare function requireAdmin(options?: RequireAdminOptions): Promise<RequireAdminResult>;
+//# sourceMappingURL=admin-session.d.ts.map

package/dist/admin/server/admin-session.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"admin-session.d.ts","sourceRoot":"","sources":["../../../src/admin/server/admin-session.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAyDG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAI1C,OAAO,EAGL,KAAK,UAAU,EAChB,MAAM,gBAAgB,CAAA;AACvB,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAA;AACjD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAA;AACtD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,UAAU,CAAA;AAM7C,MAAM,WAAW,mBAAmB;IAClC,gEAAgE;IAChE,UAAU,CAAC,EAAE,UAAU,CAAA;IACvB,2FAA2F;IAC3F,OAAO,CAAC,EAAE,SAAS,CAAA;CACpB;AAED,MAAM,MAAM,kBAAkB,GAC1B;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,KAAK,EAAE,UAAU,CAAA;CAAE,GAC/B;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,QAAQ,EAAE,YAAY,CAAC,aAAa,CAAC,CAAA;CAAE,CAAA;AA+BxD;;;;;;;;;;GAUG;AACH,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CAE5D;AAED;;;;GAIG;AACH,wBAAgB,wBAAwB,IAAI,IAAI,CAE/C;AAwBD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,wBAAsB,YAAY,CAChC,OAAO,GAAE,mBAAwB,GAChC,OAAO,CAAC,kBAAkB,CAAC,CA4E7B"}

package/dist/admin/server/admin-session.js ADDED Viewed

@@ -0,0 +1,215 @@
+/**
+ * @rovela/sdk/admin/server/admin-session
+ *
+ * Centralized session + permission check for admin API routes.
+ *
+ * # Why this exists
+ *
+ * Before this module, every admin API handler had its own local copy of a
+ * `requireAdmin()` helper — ten copies across products, orders, customers,
+ * refund, return, settings, stats, stripe-status, categories, shipping, and
+ * tax-zones. They were subtly buggy (imported the CUSTOMER `createAuthOptions`
+ * instead of the admin one, accidentally working because NextAuth cookies
+ * overlap), and they had no way to express role-based permissions.
+ *
+ * This module replaces all ten with a single helper that:
+ *   1. Reads the NextAuth session from the correct admin config.
+ *   2. Fetches a fresh admin row from the DB and confirms `status = 'active'`
+ *      so that deactivated users are kicked out on their next request without
+ *      waiting for the JWT to expire.
+ *   3. Optionally checks a specific `Permission` from the permission matrix.
+ *   4. Optionally enforces a minimum role rank via `meetsMinRole`.
+ *   5. Ensures the runtime schema migration has run (once per process) so
+ *      stores on an older schema still work with the new SDK code paths.
+ *
+ * # Caching
+ *
+ * The DB status check is cached in-memory for 30 seconds per admin ID. This
+ * keeps the hot path fast (most admin routes already do a DB query for their
+ * actual work; one extra read would add ~10ms, and we want to avoid even
+ * that for back-to-back requests). Cache is invalidated via
+ * `invalidateAdminSession(adminId)` after any user-management operation that
+ * changes the admin's role or status, so the next request sees the new state
+ * without waiting for the 30-second TTL.
+ *
+ * # Schema assumptions
+ *
+ * This helper assumes the store's Neon database is already on the latest
+ * admin schema (v2). Schema is applied manually via Neon MCP once per store
+ * (master branch for new stores, per-branch for existing stores that want
+ * the feature). The helper tolerates missing fields gracefully: if the
+ * `status` column doesn't exist on an older store, it's read as undefined
+ * and defaulted to 'active' so existing owner sessions keep working.
+ *
+ * # Return contract
+ *
+ * `requireAdmin()` returns a discriminated union:
+ *   - `{ ok: true, admin }`  — caller proceeds
+ *   - `{ ok: false, response }` — caller returns `response` directly
+ *
+ * This pattern keeps the happy path terse at call sites:
+ *
+ * ```ts
+ * const guard = await requireAdmin({ permission: 'products.write' })
+ * if (!guard.ok) return guard.response
+ * const { admin } = guard
+ * // ...proceed with admin.id, admin.role, etc.
+ * ```
+ */
+import { NextResponse } from 'next/server';
+import { getServerSession } from 'next-auth';
+import { createAdminAuthOptions } from '../config';
+import { findAdminById } from './admin-service';
+import { hasPermission, meetsMinRole, } from '../permissions';
+const STATUS_CACHE_TTL_MS = 30 * 1000;
+const statusCache = new Map();
+function getCachedAdmin(adminId) {
+    const entry = statusCache.get(adminId);
+    if (!entry)
+        return null;
+    if (Date.now() > entry.expiresAt) {
+        statusCache.delete(adminId);
+        return null;
+    }
+    return entry.admin;
+}
+function setCachedAdmin(adminId, admin) {
+    statusCache.set(adminId, {
+        admin,
+        expiresAt: Date.now() + STATUS_CACHE_TTL_MS,
+    });
+}
+/**
+ * Invalidate the session cache for a specific admin. Call this after any
+ * user-management operation that changes the admin's role or status, so the
+ * next request sees the new state without waiting for the 30s TTL.
+ *
+ * @example
+ * ```ts
+ * await deactivateAdmin(adminId)
+ * invalidateAdminSession(adminId)
+ * ```
+ */
+export function invalidateAdminSession(adminId) {
+    statusCache.delete(adminId);
+}
+/**
+ * Clear the entire admin session cache. Exposed for tests; rarely needed in
+ * production since per-admin invalidation is sufficient.
+ * @internal
+ */
+export function __clearAdminSessionCache() {
+    statusCache.clear();
+}
+// =============================================================================
+// Response helpers
+// =============================================================================
+function unauthorized() {
+    return NextResponse.json({ error: 'Unauthorized', code: 'UNAUTHORIZED' }, { status: 401 });
+}
+function forbidden() {
+    return NextResponse.json({ error: 'Forbidden', code: 'FORBIDDEN' }, { status: 403 });
+}
+// =============================================================================
+// Main helper
+// =============================================================================
+/**
+ * Authenticate + authorize the current request as an admin.
+ *
+ * Resolves with either `{ ok: true, admin }` (caller may proceed) or
+ * `{ ok: false, response }` (caller returns `response` to the client).
+ *
+ * Never throws — any internal error is converted to a 401/403/500 response
+ * that's safe to return directly.
+ *
+ * @example
+ * ```ts
+ * // List products (any authenticated admin with 'products.read')
+ * export async function GET(request: NextRequest) {
+ *   const guard = await requireAdmin({ permission: 'products.read' })
+ *   if (!guard.ok) return guard.response
+ *   const { admin } = guard
+ *   // ...proceed, admin.role is known, admin.status === 'active'
+ * }
+ * ```
+ *
+ * @example
+ * ```ts
+ * // Change a user's role (only owners)
+ * export async function PATCH(request: NextRequest) {
+ *   const guard = await requireAdmin({ permission: 'users.write' })
+ *   if (!guard.ok) return guard.response
+ *   // ...
+ * }
+ * ```
+ */
+export async function requireAdmin(options = {}) {
+    // 1. NextAuth session — MUST use the admin auth options. The old duplicated
+    // helpers accidentally imported the CUSTOMER auth config and it worked
+    // because NextAuth cookies happened to overlap. Fixed here.
+    // The `as unknown as` dance is unavoidable: getServerSession's overloaded
+    // return type infers to `{}` in this generic context, and our session user
+    // carries a custom `role` field we need to read.
+    let rawSession;
+    try {
+        rawSession = await getServerSession(createAdminAuthOptions());
+    }
+    catch (err) {
+        console.error('[requireAdmin] Failed to read session:', err);
+        return { ok: false, response: unauthorized() };
+    }
+    const sessionUser = rawSession?.user;
+    if (!sessionUser?.id) {
+        return { ok: false, response: unauthorized() };
+    }
+    // 2. Fresh DB status check (cached 30s per admin).
+    let admin = getCachedAdmin(sessionUser.id);
+    if (!admin) {
+        try {
+            const fetched = await findAdminById(sessionUser.id);
+            if (!fetched) {
+                return { ok: false, response: unauthorized() };
+            }
+            admin = fetched;
+            setCachedAdmin(sessionUser.id, admin);
+        }
+        catch (err) {
+            console.error('[requireAdmin] Failed to fetch admin row:', err);
+            return { ok: false, response: unauthorized() };
+        }
+    }
+    // 3. Status must be 'active'. 'invited' admins cannot use the dashboard
+    // until they accept their invite; 'deactivated' admins are blocked entirely.
+    // The `status` column may not exist on stores running an older schema — in
+    // that case the field is undefined and we treat it as 'active' (backward
+    // compatible for stores that haven't run the v2 migration yet).
+    const status = admin.status ?? 'active';
+    if (status !== 'active') {
+        return { ok: false, response: unauthorized() };
+    }
+    // 4. Session version check (Phase 4). Compare the JWT's embedded
+    // `sessionVersion` to the DB row's current version. On any mismatch,
+    // treat as forced logout.
+    //
+    // Backward compatibility: JWTs issued before Phase 4 have no
+    // sessionVersion claim (→ undefined → 0), and all DB rows start at 0
+    // after the migration, so pre-Phase-4 sessions match cleanly. The
+    // first password change for any admin bumps the DB version to 1;
+    // their old JWTs fail the match on the next request and get kicked
+    // out — which is exactly what we want.
+    const jwtVersion = sessionUser.sessionVersion ?? 0;
+    const dbVersion = admin.sessionVersion ?? 0;
+    if (jwtVersion !== dbVersion) {
+        return { ok: false, response: unauthorized() };
+    }
+    // 5. Permission check (if requested).
+    if (options.permission && !hasPermission(admin.role, options.permission)) {
+        return { ok: false, response: forbidden() };
+    }
+    // 6. Min-role check (if requested).
+    if (options.minRole && !meetsMinRole(admin.role, options.minRole)) {
+        return { ok: false, response: forbidden() };
+    }
+    return { ok: true, admin };
+}
+//# sourceMappingURL=admin-session.js.map

package/dist/admin/server/admin-session.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"admin-session.js","sourceRoot":"","sources":["../../../src/admin/server/admin-session.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAyDG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAC1C,OAAO,EAAE,gBAAgB,EAAE,MAAM,WAAW,CAAA;AAC5C,OAAO,EAAE,sBAAsB,EAAE,MAAM,WAAW,CAAA;AAClD,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAA;AAC/C,OAAO,EACL,aAAa,EACb,YAAY,GAEb,MAAM,gBAAgB,CAAA;AA6BvB,MAAM,mBAAmB,GAAG,EAAE,GAAG,IAAI,CAAA;AACrC,MAAM,WAAW,GAAG,IAAI,GAAG,EAA4B,CAAA;AAEvD,SAAS,cAAc,CAAC,OAAe;IACrC,MAAM,KAAK,GAAG,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;IACtC,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAA;IACvB,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,SAAS,EAAE,CAAC;QACjC,WAAW,CAAC,MAAM,CAAC,OAAO,CAAC,CAAA;QAC3B,OAAO,IAAI,CAAA;IACb,CAAC;IACD,OAAO,KAAK,CAAC,KAAK,CAAA;AACpB,CAAC;AAED,SAAS,cAAc,CAAC,OAAe,EAAE,KAAiB;IACxD,WAAW,CAAC,GAAG,CAAC,OAAO,EAAE;QACvB,KAAK;QACL,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,mBAAmB;KAC5C,CAAC,CAAA;AACJ,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,sBAAsB,CAAC,OAAe;IACpD,WAAW,CAAC,MAAM,CAAC,OAAO,CAAC,CAAA;AAC7B,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,wBAAwB;IACtC,WAAW,CAAC,KAAK,EAAE,CAAA;AACrB,CAAC;AAED,gFAAgF;AAChF,mBAAmB;AACnB,gFAAgF;AAEhF,SAAS,YAAY;IACnB,OAAO,YAAY,CAAC,IAAI,CACtB,EAAE,KAAK,EAAE,cAAc,EAAE,IAAI,EAAE,cAAc,EAAE,EAC/C,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CAAA;AACH,CAAC;AAED,SAAS,SAAS;IAChB,OAAO,YAAY,CAAC,IAAI,CACtB,EAAE,KAAK,EAAE,WAAW,EAAE,IAAI,EAAE,WAAW,EAAE,EACzC,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CAAA;AACH,CAAC;AAED,gFAAgF;AAChF,cAAc;AACd,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,UAA+B,EAAE;IAEjC,4EAA4E;IAC5E,uEAAuE;IACvE,4DAA4D;IAC5D,0EAA0E;IAC1E,2EAA2E;IAC3E,iDAAiD;IACjD,IAAI,UAAmB,CAAA;IACvB,IAAI,CAAC;QACH,UAAU,GAAG,MAAM,gBAAgB,CAAC,sBAAsB,EAAE,CAAC,CAAA;IAC/D,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,wCAAwC,EAAE,GAAG,CAAC,CAAA;QAC5D,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,YAAY,EAAE,EAAE,CAAA;IAChD,CAAC;IAED,MAAM,WAAW,GAAI,UAEZ,EAAE,IAAI,CAAA;IACf,IAAI,CAAC,WAAW,EAAE,EAAE,EAAE,CAAC;QACrB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,YAAY,EAAE,EAAE,CAAA;IAChD,CAAC;IAED,mDAAmD;IACnD,IAAI,KAAK,GAAG,cAAc,CAAC,WAAW,CAAC,EAAE,CAAC,CAAA;IAC1C,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,aAAa,CAAC,WAAW,CAAC,EAAE,CAAC,CAAA;YACnD,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,YAAY,EAAE,EAAE,CAAA;YAChD,CAAC;YACD,KAAK,GAAG,OAAgC,CAAA;YACxC,cAAc,CAAC,WAAW,CAAC,EAAE,EAAE,KAAK,CAAC,CAAA;QACvC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,KAAK,CAAC,2CAA2C,EAAE,GAAG,CAAC,CAAA;YAC/D,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,YAAY,EAAE,EAAE,CAAA;QAChD,CAAC;IACH,CAAC;IAED,wEAAwE;IACxE,6EAA6E;IAC7E,2EAA2E;IAC3E,yEAAyE;IACzE,gEAAgE;IAChE,MAAM,MAAM,GAAI,KAAwC,CAAC,MAAM,IAAI,QAAQ,CAAA;IAC3E,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;QACxB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,YAAY,EAAE,EAAE,CAAA;IAChD,CAAC;IAED,iEAAiE;IACjE,qEAAqE;IACrE,0BAA0B;IAC1B,EAAE;IACF,6DAA6D;IAC7D,qEAAqE;IACrE,kEAAkE;IAClE,iEAAiE;IACjE,mEAAmE;IACnE,uCAAuC;IACvC,MAAM,UAAU,GAAG,WAAW,CAAC,cAAc,IAAI,CAAC,CAAA;IAClD,MAAM,SAAS,GACZ,KAAgD,CAAC,cAAc,IAAI,CAAC,CAAA;IACvE,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;QAC7B,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,YAAY,EAAE,EAAE,CAAA;IAChD,CAAC;IAED,sCAAsC;IACtC,IAAI,OAAO,CAAC,UAAU,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,IAAI,EAAE,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;QACzE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,SAAS,EAAE,EAAE,CAAA;IAC7C,CAAC;IAED,oCAAoC;IACpC,IAAI,OAAO,CAAC,OAAO,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,IAAI,EAAE,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QAClE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,SAAS,EAAE,EAAE,CAAA;IAC7C,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAA;AAC5B,CAAC"}

package/dist/admin/server/index.d.ts CHANGED Viewed

@@ -5,4 +5,11 @@
  * Re-exports from admin-service for cleaner imports.
  */
 export { authenticateAdmin, createAdmin, findAdminForSession, findAdminByEmail, findAdminById, updateAdmin, updateAdminPassword, adminEmailExists, countAdmins, type CreateAdminResult, type AuthenticateAdminResult, type AuthenticateAdminError, } from './admin-service';
+export { requestAdminPasswordReset, validateAdminResetToken, resetAdminPassword, deleteAdminPasswordResetTokens, cleanupExpiredAdminResetTokens, } from './admin-password-reset';
+export { listAdmins, countActiveOwners, deactivateAdmin, reactivateAdmin, hardDeleteAdmin, statusCodeFor, inviteAdmin, resendAdminInvite, cancelAdminInvite, changeAdminRole, } from './user-management';
+export type { Actor, AdminListOptions, UserManagementError, UserManagementResult, InviteAdminRequest, InviteAdminSuccess, InviteAdminResult, ResendInviteSuccess, ResendInviteResult, } from './user-management';
+export { validateInviteToken, acceptAdminInvite, deleteAdminInviteTokens, cleanupExpiredInviteTokens, createInviteToken, INVITE_EXPIRY_HOURS, } from './admin-invite';
+export type { AdminInviteSnapshot, ValidateInviteResult, AcceptInviteResult, } from './admin-invite';
+export { changeOwnPassword, updateOwnProfile, } from './admin-self-service';
+export type { SelfServiceError, ChangeOwnPasswordResult, UpdateOwnProfileResult, } from './admin-self-service';
 //# sourceMappingURL=index.d.ts.map

package/dist/admin/server/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/admin/server/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAMH,OAAO,EAEL,iBAAiB,EAEjB,WAAW,EACX,mBAAmB,EACnB,gBAAgB,EAChB,aAAa,EACb,WAAW,EACX,mBAAmB,EACnB,gBAAgB,EAChB,WAAW,EAEX,KAAK,iBAAiB,EACtB,KAAK,uBAAuB,EAC5B,KAAK,sBAAsB,GAC5B,MAAM,iBAAiB,CAAA"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/admin/server/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAMH,OAAO,EAEL,iBAAiB,EAEjB,WAAW,EACX,mBAAmB,EACnB,gBAAgB,EAChB,aAAa,EACb,WAAW,EACX,mBAAmB,EACnB,gBAAgB,EAChB,WAAW,EAEX,KAAK,iBAAiB,EACtB,KAAK,uBAAuB,EAC5B,KAAK,sBAAsB,GAC5B,MAAM,iBAAiB,CAAA;AAMxB,OAAO,EACL,yBAAyB,EACzB,uBAAuB,EACvB,kBAAkB,EAClB,8BAA8B,EAC9B,8BAA8B,GAC/B,MAAM,wBAAwB,CAAA;AAM/B,OAAO,EAEL,UAAU,EACV,iBAAiB,EACjB,eAAe,EACf,eAAe,EACf,eAAe,EACf,aAAa,EAEb,WAAW,EACX,iBAAiB,EACjB,iBAAiB,EACjB,eAAe,GAChB,MAAM,mBAAmB,CAAA;AAE1B,YAAY,EACV,KAAK,EACL,gBAAgB,EAChB,mBAAmB,EACnB,oBAAoB,EAEpB,kBAAkB,EAClB,kBAAkB,EAClB,iBAAiB,EACjB,mBAAmB,EACnB,kBAAkB,GACnB,MAAM,mBAAmB,CAAA;AAM1B,OAAO,EACL,mBAAmB,EACnB,iBAAiB,EACjB,uBAAuB,EACvB,0BAA0B,EAC1B,iBAAiB,EACjB,mBAAmB,GACpB,MAAM,gBAAgB,CAAA;AAEvB,YAAY,EACV,mBAAmB,EACnB,oBAAoB,EACpB,kBAAkB,GACnB,MAAM,gBAAgB,CAAA;AAMvB,OAAO,EACL,iBAAiB,EACjB,gBAAgB,GACjB,MAAM,sBAAsB,CAAA;AAE7B,YAAY,EACV,gBAAgB,EAChB,uBAAuB,EACvB,sBAAsB,GACvB,MAAM,sBAAsB,CAAA"}

package/dist/admin/server/index.js CHANGED Viewed

@@ -12,4 +12,24 @@ export {
 authenticateAdmin,
 // CRUD
 createAdmin, findAdminForSession, findAdminByEmail, findAdminById, updateAdmin, updateAdminPassword, adminEmailExists, countAdmins, } from './admin-service';
+// =============================================================================
+// Admin Password Reset Service
+// =============================================================================
+export { requestAdminPasswordReset, validateAdminResetToken, resetAdminPassword, deleteAdminPasswordResetTokens, cleanupExpiredAdminResetTokens, } from './admin-password-reset';
+// =============================================================================
+// User Management (Phase 2 + Phase 3)
+// =============================================================================
+export {
+// Phase 2
+listAdmins, countActiveOwners, deactivateAdmin, reactivateAdmin, hardDeleteAdmin, statusCodeFor,
+// Phase 3
+inviteAdmin, resendAdminInvite, cancelAdminInvite, changeAdminRole, } from './user-management';
+// =============================================================================
+// Admin Invite Token Service (Phase 3)
+// =============================================================================
+export { validateInviteToken, acceptAdminInvite, deleteAdminInviteTokens, cleanupExpiredInviteTokens, createInviteToken, INVITE_EXPIRY_HOURS, } from './admin-invite';
+// =============================================================================
+// Self-Service (Phase 4)
+// =============================================================================
+export { changeOwnPassword, updateOwnProfile, } from './admin-self-service';
 //# sourceMappingURL=index.js.map

package/dist/admin/server/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/admin/server/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,gFAAgF;AAChF,gBAAgB;AAChB,gFAAgF;AAEhF,OAAO;AACL,iBAAiB;AACjB,iBAAiB;AACjB,OAAO;AACP,WAAW,EACX,mBAAmB,EACnB,gBAAgB,EAChB,aAAa,EACb,WAAW,EACX,mBAAmB,EACnB,gBAAgB,EAChB,WAAW,GAKZ,MAAM,iBAAiB,CAAA"}
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/admin/server/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,gFAAgF;AAChF,gBAAgB;AAChB,gFAAgF;AAEhF,OAAO;AACL,iBAAiB;AACjB,iBAAiB;AACjB,OAAO;AACP,WAAW,EACX,mBAAmB,EACnB,gBAAgB,EAChB,aAAa,EACb,WAAW,EACX,mBAAmB,EACnB,gBAAgB,EAChB,WAAW,GAKZ,MAAM,iBAAiB,CAAA;AAExB,gFAAgF;AAChF,+BAA+B;AAC/B,gFAAgF;AAEhF,OAAO,EACL,yBAAyB,EACzB,uBAAuB,EACvB,kBAAkB,EAClB,8BAA8B,EAC9B,8BAA8B,GAC/B,MAAM,wBAAwB,CAAA;AAE/B,gFAAgF;AAChF,sCAAsC;AACtC,gFAAgF;AAEhF,OAAO;AACL,UAAU;AACV,UAAU,EACV,iBAAiB,EACjB,eAAe,EACf,eAAe,EACf,eAAe,EACf,aAAa;AACb,UAAU;AACV,WAAW,EACX,iBAAiB,EACjB,iBAAiB,EACjB,eAAe,GAChB,MAAM,mBAAmB,CAAA;AAe1B,gFAAgF;AAChF,uCAAuC;AACvC,gFAAgF;AAEhF,OAAO,EACL,mBAAmB,EACnB,iBAAiB,EACjB,uBAAuB,EACvB,0BAA0B,EAC1B,iBAAiB,EACjB,mBAAmB,GACpB,MAAM,gBAAgB,CAAA;AAQvB,gFAAgF;AAChF,yBAAyB;AACzB,gFAAgF;AAEhF,OAAO,EACL,iBAAiB,EACjB,gBAAgB,GACjB,MAAM,sBAAsB,CAAA"}

package/dist/admin/server/user-management.d.ts ADDED Viewed

@@ -0,0 +1,223 @@
+/**
+ * @rovela/sdk/admin/server/user-management
+ *
+ * User lifecycle management for store admins — list, deactivate, reactivate,
+ * and hard-delete operations, with all invariants enforced at the service
+ * layer so every future caller inherits them automatically.
+ *
+ * # Invariants (enforced in every mutation)
+ *
+ *   1. Self-protection: actor cannot act on themselves via these helpers.
+ *      Self-service flows (password change, profile update) go through
+ *      dedicated `/api/admin/me/*` endpoints (Phase 4).
+ *
+ *   2. Last-owner protection: there must ALWAYS be at least one admin with
+ *      role='owner' AND status='active'. Deactivating, demoting, or deleting
+ *      the last active owner is rejected. This is enforced via an atomic
+ *      conditional UPDATE (or a pre-check for hard delete), not a
+ *      check-then-act pattern — no TOCTOU race window.
+ *
+ *   3. Lateral-escalation protection: administrators can only touch managers
+ *      and users. They cannot modify owners or other administrators.
+ *      Enforced via `canManageUser(actor, target)` from `permissions.ts`.
+ *
+ *   4. Hard delete requires prior deactivation: you cannot DELETE an admin
+ *      whose status is 'active' or 'invited'. Must call `deactivateAdmin`
+ *      first. This creates a two-step safety rail for irreversible actions.
+ *
+ *   5. Audit trail on deactivate: `deactivated_at` and `deactivated_by` are
+ *      populated from the service layer. Reactivate clears them.
+ *
+ *   6. Reactivate only applies to 'deactivated' admins, not 'invited'.
+ *      Invited admins must accept their invite (Phase 3) to become active.
+ *
+ * # Session cache invalidation
+ *
+ * Every mutation ends with `invalidateAdminSession(targetId)` so the 30-second
+ * per-admin status cache in `requireAdmin()` sees the new state on the very
+ * next request. Without this call, a deactivated admin could continue making
+ * authenticated requests for up to 30 seconds.
+ *
+ * # This module never throws on invariant failures — it returns a typed
+ * discriminated union `{ ok: true }` or `{ ok: false, error: {...} }`.
+ * Unexpected runtime errors (DB connectivity, etc.) still throw and bubble
+ * up to the API route's try/catch.
+ */
+import type { AdminRole } from '../../core/types';
+import type { StoreAdmin } from '../../core/db/schema';
+export interface AdminListOptions {
+    /** Case-insensitive substring match against name OR email. */
+    search?: string;
+    /** Filter by status. 'all' (default) returns every admin regardless of status. */
+    status?: 'all' | 'active' | 'invited' | 'deactivated';
+    /** Filter by role. 'all' (default) returns every admin regardless of role. */
+    role?: 'all' | AdminRole;
+    /** Max rows to return. Clamped to 1..100 at the API layer. */
+    limit?: number;
+    /** Offset for pagination (0-indexed). */
+    offset?: number;
+}
+export interface UserManagementError {
+    code: 'NOT_FOUND' | 'FORBIDDEN' | 'SELF_ACTION_FORBIDDEN' | 'LAST_OWNER_PROTECTED' | 'MUST_DEACTIVATE_FIRST' | 'INVALID_STATE' | 'VALIDATION_ERROR' | 'EMAIL_ALREADY_EXISTS' | 'EMAIL_ALREADY_INVITED' | 'EMAIL_DEACTIVATED_EXISTS';
+    message: string;
+}
+export type UserManagementResult = {
+    ok: true;
+} | {
+    ok: false;
+    error: UserManagementError;
+};
+export interface Actor {
+    id: string;
+    role: AdminRole;
+}
+/**
+ * List admins with filters and pagination.
+ *
+ * Returns the raw `StoreAdmin` rows — the caller is responsible for stripping
+ * sensitive fields (`passwordHash`) before serializing to JSON. The API
+ * handler does this mapping.
+ */
+export declare function listAdmins(opts?: AdminListOptions): Promise<{
+    admins: StoreAdmin[];
+    total: number;
+}>;
+/**
+ * Count admins with role='owner' and status='active'.
+ *
+ * The single source of truth for the last-owner invariant. Always queried
+ * fresh — it's a one-row COUNT, trivially fast, and caching would introduce
+ * staleness risk for a safety-critical check.
+ */
+export declare function countActiveOwners(): Promise<number>;
+/**
+ * Soft-delete an admin: set status='deactivated' and stamp audit fields.
+ *
+ * Rejects on any invariant violation. Never throws on business errors;
+ * returns a typed result the caller can branch on.
+ *
+ * Uses an atomic conditional UPDATE to enforce the last-owner invariant —
+ * no check-then-act race window. If another request deactivates the second-
+ * to-last owner between our check and our update, our UPDATE's WHERE clause
+ * will match zero rows and we return LAST_OWNER_PROTECTED.
+ */
+export declare function deactivateAdmin(actor: Actor, targetId: string): Promise<UserManagementResult>;
+/**
+ * Reactivate a previously-deactivated admin: set status='active', clear
+ * audit fields. Does NOT apply to 'invited' admins — they must accept
+ * their invite (Phase 3) to become active.
+ */
+export declare function reactivateAdmin(actor: Actor, targetId: string): Promise<UserManagementResult>;
+/**
+ * Permanently delete an admin row. Cascades to `admin_password_reset_tokens`
+ * and `admin_invite_tokens` via the `ON DELETE CASCADE` foreign keys defined
+ * in the Phase 0 schema.
+ *
+ * Requires the target to already be 'deactivated' — this is a two-step
+ * irreversible action. The API route additionally gates on `users.delete`
+ * permission (owner-only), but we re-check here for defense-in-depth.
+ *
+ * Dangling `deactivated_by` / `created_by` references on other admin rows
+ * are intentionally left as dangling UUIDs. The UI renders them as
+ * "Unknown user". Phase 4 may revisit.
+ */
+export declare function hardDeleteAdmin(actor: Actor, targetId: string): Promise<UserManagementResult>;
+/**
+ * Map a `UserManagementError.code` to the HTTP status the API handler
+ * should respond with. Exported so both the API handlers and any future
+ * caller use the same mapping.
+ */
+export declare function statusCodeFor(code: UserManagementError['code']): number;
+export interface InviteAdminRequest {
+    email: string;
+    name: string;
+    role: AdminRole;
+}
+export interface InviteAdminSuccess {
+    ok: true;
+    adminId: string;
+    token: string;
+    inviteUrl: string;
+}
+export type InviteAdminResult = InviteAdminSuccess | {
+    ok: false;
+    error: UserManagementError;
+};
+/**
+ * Invite a new admin to manage the store.
+ *
+ * Creates a `store_admins` row in `invited` status with no password,
+ * issues an invite token (72h expiry), and sends the invite email. The
+ * caller receives both the token AND the fully-qualified invite URL — so
+ * if email delivery fails, the UI can show a "copy link manually"
+ * fallback instead of silently losing the invite.
+ *
+ * # Invariants (in order)
+ *
+ *   1. `canManageUser(actor, {role})` — actor can grant the requested role.
+ *      Administrators cannot invite owners or other administrators.
+ *   2. Valid email format + name length ≥ 2.
+ *   3. Email uniqueness — rejects with a distinct error code depending on
+ *      the existing row's status (active / invited / deactivated) so the
+ *      UI can show actionable messages.
+ *   4. Legal role: must be one of 'owner' | 'administrator' | 'manager' | 'user'.
+ *      The legacy 'admin' value is never chosen by the caller here — new
+ *      invites always use the canonical names.
+ *
+ * Email send failures are logged but NOT propagated — the invite row +
+ * token are already persisted, the caller gets the URL, and the UI
+ * handles fallback display.
+ */
+export declare function inviteAdmin(actor: Actor, request: InviteAdminRequest): Promise<InviteAdminResult>;
+export interface ResendInviteSuccess {
+    ok: true;
+    token: string;
+    inviteUrl: string;
+}
+export type ResendInviteResult = ResendInviteSuccess | {
+    ok: false;
+    error: UserManagementError;
+};
+/**
+ * Resend an invite to an admin who is still in `invited` status.
+ *
+ * Generates a fresh token (invalidating any previous ones) and resends
+ * the email. Preserves the single-active-token policy — older tokens
+ * are deleted before the new one is created.
+ */
+export declare function resendAdminInvite(actor: Actor, targetId: string): Promise<ResendInviteResult>;
+/**
+ * Cancel a pending invite. Hard-deletes the `store_admins` row — which
+ * cascades via FK to delete all `admin_invite_tokens` rows for that
+ * admin. Only valid for `invited` status (not `active` / `deactivated`).
+ *
+ * Uses `users.write` permission (administrators + owners), unlike the
+ * DELETE endpoint which is owner-only. Canceling an invite for a manager
+ * or user is a normal administrator action, not a destructive one.
+ */
+export declare function cancelAdminInvite(actor: Actor, targetId: string): Promise<UserManagementResult>;
+/**
+ * Change an admin's role.
+ *
+ * Invariants (in strict order):
+ *
+ *   1. Target exists (→ NOT_FOUND).
+ *   2. Self-protection — actor cannot change their own role (→
+ *      SELF_ACTION_FORBIDDEN). A solo owner needing to demote themselves
+ *      must either invite another owner first, or use a future Phase 4
+ *      emergency-reset flow.
+ *   3. canManageUser at CURRENT role — actor must be allowed to manage
+ *      the target at their current role (administrator cannot touch
+ *      owners or other administrators).
+ *   4. canManageUser at NEW role — actor must be allowed to grant the
+ *      new role (administrator cannot promote to administrator/owner).
+ *   5. No-op fast path — if newRole === current role, return success
+ *      without touching the DB.
+ *   6. Last-owner protection — if target is currently 'owner' and the
+ *      new role is not 'owner', require `countActiveOwners() > 1`.
+ *      Enforced atomically via a conditional UPDATE so there's no
+ *      check-then-act race window.
+ *   7. Update; invalidate session cache.
+ */
+export declare function changeAdminRole(actor: Actor, targetId: string, newRole: AdminRole): Promise<UserManagementResult>;
+//# sourceMappingURL=user-management.d.ts.map

package/dist/admin/server/user-management.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"user-management.d.ts","sourceRoot":"","sources":["../../../src/admin/server/user-management.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4CG;AAMH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAA;AACjD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAA;AAetD,MAAM,WAAW,gBAAgB;IAC/B,8DAA8D;IAC9D,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,kFAAkF;IAClF,MAAM,CAAC,EAAE,KAAK,GAAG,QAAQ,GAAG,SAAS,GAAG,aAAa,CAAA;IACrD,8EAA8E;IAC9E,IAAI,CAAC,EAAE,KAAK,GAAG,SAAS,CAAA;IACxB,8DAA8D;IAC9D,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,yCAAyC;IACzC,MAAM,CAAC,EAAE,MAAM,CAAA;CAChB;AAED,MAAM,WAAW,mBAAmB;IAClC,IAAI,EACA,WAAW,GACX,WAAW,GACX,uBAAuB,GACvB,sBAAsB,GACtB,uBAAuB,GACvB,eAAe,GAEf,kBAAkB,GAClB,sBAAsB,GACtB,uBAAuB,GACvB,0BAA0B,CAAA;IAC9B,OAAO,EAAE,MAAM,CAAA;CAChB;AAED,MAAM,MAAM,oBAAoB,GAC5B;IAAE,EAAE,EAAE,IAAI,CAAA;CAAE,GACZ;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,mBAAmB,CAAA;CAAE,CAAA;AAE7C,MAAM,WAAW,KAAK;IACpB,EAAE,EAAE,MAAM,CAAA;IACV,IAAI,EAAE,SAAS,CAAA;CAChB;AAMD;;;;;;GAMG;AACH,wBAAsB,UAAU,CAAC,IAAI,GAAE,gBAAqB,GAAG,OAAO,CAAC;IACrE,MAAM,EAAE,UAAU,EAAE,CAAA;IACpB,KAAK,EAAE,MAAM,CAAA;CACd,CAAC,CA0DD;AAMD;;;;;;GAMG;AACH,wBAAsB,iBAAiB,IAAI,OAAO,CAAC,MAAM,CAAC,CAYzD;AAMD;;;;;;;;;;GAUG;AACH,wBAAsB,eAAe,CACnC,KAAK,EAAE,KAAK,EACZ,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,oBAAoB,CAAC,CAmH/B;AAMD;;;;GAIG;AACH,wBAAsB,eAAe,CACnC,KAAK,EAAE,KAAK,EACZ,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,oBAAoB,CAAC,CAqE/B;AAMD;;;;;;;;;;;;GAYG;AACH,wBAAsB,eAAe,CACnC,KAAK,EAAE,KAAK,EACZ,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,oBAAoB,CAAC,CAgG/B;AAMD;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE,mBAAmB,CAAC,MAAM,CAAC,GAAG,MAAM,CAqBvE;AAMD,MAAM,WAAW,kBAAkB;IACjC,KAAK,EAAE,MAAM,CAAA;IACb,IAAI,EAAE,MAAM,CAAA;IACZ,IAAI,EAAE,SAAS,CAAA;CAChB;AAED,MAAM,WAAW,kBAAkB;IACjC,EAAE,EAAE,IAAI,CAAA;IACR,OAAO,EAAE,MAAM,CAAA;IACf,KAAK,EAAE,MAAM,CAAA;IACb,SAAS,EAAE,MAAM,CAAA;CAClB;AAED,MAAM,MAAM,iBAAiB,GACzB,kBAAkB,GAClB;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,mBAAmB,CAAA;CAAE,CAAA;AAE7C;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAsB,WAAW,CAC/B,KAAK,EAAE,KAAK,EACZ,OAAO,EAAE,kBAAkB,GAC1B,OAAO,CAAC,iBAAiB,CAAC,CA2J5B;AAMD,MAAM,WAAW,mBAAmB;IAClC,EAAE,EAAE,IAAI,CAAA;IACR,KAAK,EAAE,MAAM,CAAA;IACb,SAAS,EAAE,MAAM,CAAA;CAClB;AAED,MAAM,MAAM,kBAAkB,GAC1B,mBAAmB,GACnB;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,mBAAmB,CAAA;CAAE,CAAA;AAE7C;;;;;;GAMG;AACH,wBAAsB,iBAAiB,CACrC,KAAK,EAAE,KAAK,EACZ,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,kBAAkB,CAAC,CA8D7B;AAMD;;;;;;;;GAQG;AACH,wBAAsB,iBAAiB,CACrC,KAAK,EAAE,KAAK,EACZ,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,oBAAoB,CAAC,CAgE/B;AAMD;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAsB,eAAe,CACnC,KAAK,EAAE,KAAK,EACZ,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,SAAS,GACjB,OAAO,CAAC,oBAAoB,CAAC,CAsH/B"}