@rovela-ai/sdk 0.3.19 → 0.3.21

package/dist/admin/hooks/useAdminAuth.js

@@ -1,37 +1,41 @@
 'use client';
 /**
- * @rovela/sdk/admin/hooks/useAdminAuth
+ * @rovela-ai/sdk/admin/hooks/useAdminAuth
  *
  * Client-side admin authentication hook.
- * Separate from customer auth - uses 'admin-credentials' provider.
+ *
+ * Completely self-contained: does NOT use `next-auth/react` because that
+ * library reads from a module-global `__NEXTAUTH` object that can only
+ * point at one basePath at a time. We need the admin session to live at
+ * `/api/admin-auth/*` while the customer session keeps its default
+ * `/api/auth/*`, so admin auth talks to its own endpoint directly via
+ * `fetch()`.
+ *
+ * Public API matches the previous version: `{ admin, isAuthenticated,
+ * isLoading, isOwner, signIn, signOut }`. Existing callers
+ * (AdminLoginForm, AdminAcceptInviteForm, AdminResetPasswordForm) keep
+ * working without changes.
  */
 import { useCallback, useMemo } from 'react';
-import { useSession, signIn as nextAuthSignIn, signOut as nextAuthSignOut } from 'next-auth/react';
+import { useAdminSession } from './useAdminSession';
+// =============================================================================
+// Constants
 // =============================================================================
-// Hook Implementation
+const ADMIN_BASE_PATH = '/api/admin-auth';
+// =============================================================================
+// Hook
 // =============================================================================
 /**
  * Admin authentication hook for auth state and actions.
  *
- * @returns Admin auth state and methods
- *
  * @example
  * ```typescript
  * function AdminDashboard() {
- *   const {
- *     admin,
- *     isAuthenticated,
- *     isLoading,
- *     isOwner,
- *     signIn,
- *     signOut,
- *   } = useAdminAuth()
+ *   const { admin, isAuthenticated, isLoading, isOwner, signIn, signOut } =
+ *     useAdminAuth()
  *
  *   if (isLoading) return <div>Loading...</div>
- *
- *   if (!isAuthenticated) {
- *     return <AdminLoginForm />
- *   }
+ *   if (!isAuthenticated) return <AdminLoginForm />
  *
  *   return (
  *     <div>
@@ -44,60 +48,80 @@ import { useSession, signIn as nextAuthSignIn, signOut as nextAuthSignOut } from
  * ```
  */
 export function useAdminAuth() {
-    // Defensive handling: useSession() returns undefined if no SessionProvider
-    const sessionResult = useSession();
-    const session = sessionResult?.data ?? null;
-    const status = sessionResult?.status ?? 'loading';
-    const update = sessionResult?.update;
-    // Memoized admin data
+    const { data, status, update } = useAdminSession();
+    // Memoized admin data. `useAdminSession` already fetches from the admin
+    // endpoint, which sets `user.role` on every successful session — so we
+    // don't need to role-filter here. The absence of a role means the admin
+    // cookie was empty, which `useAdminSession` already represents as
+    // `unauthenticated`.
     const admin = useMemo(() => {
-        if (!session?.user)
+        if (!data?.user)
             return null;
-        // Cast to admin session type
-        const user = session.user;
-        // Verify this is an admin session (has role field)
-        if (!user.role)
+        // Narrow: admin JWT always carries a role; treat missing role as invalid.
+        if (!data.user.role)
             return null;
-        return user;
-    }, [session?.user]);
-    // Derived state
+        return data.user;
+    }, [data?.user]);
     const isLoading = status === 'loading';
     const isAuthenticated = status === 'authenticated' && !!admin;
     const isOwner = admin?.role === 'owner';
     /**
-     * Sign in with email and password.
-     * Uses 'admin-credentials' provider (separate from customer auth).
-     *
-     * IMPORTANT: After successful sign-in, this calls update() to refresh
-     * the session state. This is critical for iframe contexts where navigation
-     * happens before the session state updates, causing redirect loops.
+     * Sign in an admin by POSTing credentials to the admin NextAuth
+     * endpoint. Mimics what `next-auth/react` `signIn()` does internally,
+     * but targets `/api/admin-auth` instead of the default `/api/auth`.
      */
     const signIn = useCallback(async (options) => {
         const { email, password, redirectTo, rememberMe = false } = options;
         try {
-            const result = await nextAuthSignIn('admin-credentials', {
+            // 1. CSRF token from the admin endpoint
+            const csrfRes = await fetch(`${ADMIN_BASE_PATH}/csrf`, {
+                credentials: 'include',
+                headers: { Accept: 'application/json' },
+            });
+            if (!csrfRes.ok) {
+                return {
+                    success: false,
+                    error: 'Could not initialize sign-in. Please try again.',
+                };
+            }
+            const { csrfToken } = (await csrfRes.json());
+            // 2. POST credentials. `json: 'true'` tells NextAuth to return
+            //    JSON instead of a 302 redirect.
+            const body = new URLSearchParams({
                 email,
                 password,
-                // NextAuth credentials are always stringified — the provider's
-                // authorize() compares `credentials.rememberMe === 'true'`.
-                rememberMe: rememberMe.toString(),
-                redirect: false,
+                rememberMe: rememberMe ? 'true' : 'false',
+                csrfToken,
                 callbackUrl: redirectTo || '/admin',
+                json: 'true',
             });
-            if (result?.error) {
-                // Parse error from NextAuth
+            const res = await fetch(`${ADMIN_BASE_PATH}/callback/admin-credentials`, {
+                method: 'POST',
+                credentials: 'include',
+                headers: {
+                    'Content-Type': 'application/x-www-form-urlencoded',
+                    Accept: 'application/json',
+                },
+                body: body.toString(),
+            });
+            // NextAuth returns { url } on success; { error } or { url: ?error= } on failure.
+            const parsed = await res.json().catch(() => null);
+            const payload = parsed;
+            const errorStr = payload?.error;
+            const url = payload?.url;
+            const hasError = !!errorStr || (!!url && typeof url === 'string' && url.includes('error='));
+            if (hasError) {
+                const msg = errorStr || 'Invalid email or password';
                 return {
                     success: false,
-                    error: result.error.includes('Invalid')
+                    error: msg.includes('Invalid') || msg === 'CredentialsSignin'
                         ? 'Invalid email or password'
-                        : result.error,
+                        : msg,
                 };
             }
-            // CRITICAL: Trigger session update before returning success
-            // Without this, components checking useSession() may see stale state
-            if (update) {
-                await update();
-            }
+            // Re-fetch the admin session so any useAdminSession consumer sees
+            // the new state immediately (mirrors NextAuth's update() semantic).
+            await update();
             return { success: true };
         }
         catch (error) {
@@ -109,11 +133,42 @@ export function useAdminAuth() {
         }
     }, [update]);
     /**
-     * Sign out the current admin.
+     * Sign out the current admin by POSTing to the admin NextAuth endpoint.
      */
     const signOut = useCallback(async () => {
-        await nextAuthSignOut({ redirect: false });
-    }, []);
+        try {
+            const csrfRes = await fetch(`${ADMIN_BASE_PATH}/csrf`, {
+                credentials: 'include',
+                headers: { Accept: 'application/json' },
+            });
+            if (!csrfRes.ok) {
+                // Session stays; nothing we can do from the client without CSRF.
+                return;
+            }
+            const { csrfToken } = (await csrfRes.json());
+            await fetch(`${ADMIN_BASE_PATH}/signout`, {
+                method: 'POST',
+                credentials: 'include',
+                headers: {
+                    'Content-Type': 'application/x-www-form-urlencoded',
+                    Accept: 'application/json',
+                },
+                body: new URLSearchParams({
+                    csrfToken,
+                    callbackUrl: '/admin/login',
+                    json: 'true',
+                }).toString(),
+            });
+        }
+        catch (error) {
+            console.error('[useAdminAuth] Sign out error:', error);
+        }
+        finally {
+            // Always refresh local state. If the cookie was cleared, status
+            // flips to 'unauthenticated'.
+            await update();
+        }
+    }, [update]);
     return {
         // State
         admin,

package/dist/admin/hooks/useAdminAuth.js.map

@@ -1 +1 @@
-{"version":3,"file":"useAdminAuth.js","sourceRoot":"","sources":["../../../src/admin/hooks/useAdminAuth.ts"],"names":[],"mappings":"AAAA,YAAY,CAAA;AAEZ;;;;;GAKG;AAEH,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE,MAAM,OAAO,CAAA;AAC5C,OAAO,EAAE,UAAU,EAAE,MAAM,IAAI,cAAc,EAAE,OAAO,IAAI,eAAe,EAAE,MAAM,iBAAiB,CAAA;AAQlG,gFAAgF;AAChF,sBAAsB;AACtB,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AACH,MAAM,UAAU,YAAY;IAC1B,2EAA2E;IAC3E,MAAM,aAAa,GAAG,UAAU,EAAE,CAAA;IAClC,MAAM,OAAO,GAAG,aAAa,EAAE,IAAI,IAAI,IAAI,CAAA;IAC3C,MAAM,MAAM,GAAG,aAAa,EAAE,MAAM,IAAI,SAAS,CAAA;IACjD,MAAM,MAAM,GAAG,aAAa,EAAE,MAAM,CAAA;IAEpC,sBAAsB;IACtB,MAAM,KAAK,GAAG,OAAO,CAAC,GAAwB,EAAE;QAC9C,IAAI,CAAC,OAAO,EAAE,IAAI;YAAE,OAAO,IAAI,CAAA;QAC/B,6BAA6B;QAC7B,MAAM,IAAI,GAAG,OAAO,CAAC,IAA+B,CAAA;QACpD,mDAAmD;QACnD,IAAI,CAAC,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAA;QAC3B,OAAO,IAAI,CAAA;IACb,CAAC,EAAE,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC,CAAA;IAEnB,gBAAgB;IAChB,MAAM,SAAS,GAAG,MAAM,KAAK,SAAS,CAAA;IACtC,MAAM,eAAe,GAAG,MAAM,KAAK,eAAe,IAAI,CAAC,CAAC,KAAK,CAAA;IAC7D,MAAM,OAAO,GAAG,KAAK,EAAE,IAAI,KAAK,OAAO,CAAA;IAEvC;;;;;;;OAOG;IACH,MAAM,MAAM,GAAG,WAAW,CAAC,KAAK,EAAE,OAA2B,EAA8B,EAAE;QAC3F,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,GAAG,KAAK,EAAE,GAAG,OAAO,CAAA;QAEnE,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,mBAAmB,EAAE;gBACvD,KAAK;gBACL,QAAQ;gBACR,+DAA+D;gBAC/D,4DAA4D;gBAC5D,UAAU,EAAE,UAAU,CAAC,QAAQ,EAAE;gBACjC,QAAQ,EAAE,KAAK;gBACf,WAAW,EAAE,UAAU,IAAI,QAAQ;aACpC,CAAC,CAAA;YAEF,IAAI,MAAM,EAAE,KAAK,EAAE,CAAC;gBAClB,4BAA4B;gBAC5B,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC;wBACrC,CAAC,CAAC,2BAA2B;wBAC7B,CAAC,CAAC,MAAM,CAAC,KAAK;iBACjB,CAAA;YACH,CAAC;YAED,4DAA4D;YAC5D,qEAAqE;YACrE,IAAI,MAAM,EAAE,CAAC;gBACX,MAAM,MAAM,EAAE,CAAA;YAChB,CAAC;YAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAA;QAC1B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,+BAA+B,EAAE,KAAK,CAAC,CAAA;YACrD,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,qDAAqD;aAC7D,CAAA;QACH,CAAC;IACH,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC,CAAA;IAEZ;;OAEG;IACH,MAAM,OAAO,GAAG,WAAW,CAAC,KAAK,IAAmB,EAAE;QACpD,MAAM,eAAe,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,CAAA;IAC5C,CAAC,EAAE,EAAE,CAAC,CAAA;IAEN,OAAO;QACL,QAAQ;QACR,KAAK;QACL,eAAe;QACf,SAAS;QACT,OAAO;QAEP,UAAU;QACV,MAAM;QACN,OAAO;KACR,CAAA;AACH,CAAC"}
+{"version":3,"file":"useAdminAuth.js","sourceRoot":"","sources":["../../../src/admin/hooks/useAdminAuth.ts"],"names":[],"mappings":"AAAA,YAAY,CAAA;AAEZ;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE,MAAM,OAAO,CAAA;AAC5C,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AAQnD,gFAAgF;AAChF,YAAY;AACZ,gFAAgF;AAEhF,MAAM,eAAe,GAAG,iBAAiB,CAAA;AAEzC,gFAAgF;AAChF,OAAO;AACP,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,UAAU,YAAY;IAC1B,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,eAAe,EAAE,CAAA;IAElD,wEAAwE;IACxE,uEAAuE;IACvE,wEAAwE;IACxE,kEAAkE;IAClE,qBAAqB;IACrB,MAAM,KAAK,GAAG,OAAO,CAAC,GAAwB,EAAE;QAC9C,IAAI,CAAC,IAAI,EAAE,IAAI;YAAE,OAAO,IAAI,CAAA;QAC5B,0EAA0E;QAC1E,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAA;QAChC,OAAO,IAAI,CAAC,IAA+B,CAAA;IAC7C,CAAC,EAAE,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAA;IAEhB,MAAM,SAAS,GAAG,MAAM,KAAK,SAAS,CAAA;IACtC,MAAM,eAAe,GAAG,MAAM,KAAK,eAAe,IAAI,CAAC,CAAC,KAAK,CAAA;IAC7D,MAAM,OAAO,GAAG,KAAK,EAAE,IAAI,KAAK,OAAO,CAAA;IAEvC;;;;OAIG;IACH,MAAM,MAAM,GAAG,WAAW,CACxB,KAAK,EAAE,OAA2B,EAA8B,EAAE;QAChE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,GAAG,KAAK,EAAE,GAAG,OAAO,CAAA;QAEnE,IAAI,CAAC;YACH,wCAAwC;YACxC,MAAM,OAAO,GAAG,MAAM,KAAK,CAAC,GAAG,eAAe,OAAO,EAAE;gBACrD,WAAW,EAAE,SAAS;gBACtB,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;aACxC,CAAC,CAAA;YACF,IAAI,CAAC,OAAO,CAAC,EAAE,EAAE,CAAC;gBAChB,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,iDAAiD;iBACzD,CAAA;YACH,CAAC;YACD,MAAM,EAAE,SAAS,EAAE,GAAG,CAAC,MAAM,OAAO,CAAC,IAAI,EAAE,CAA0B,CAAA;YAErE,+DAA+D;YAC/D,qCAAqC;YACrC,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;gBAC/B,KAAK;gBACL,QAAQ;gBACR,UAAU,EAAE,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO;gBACzC,SAAS;gBACT,WAAW,EAAE,UAAU,IAAI,QAAQ;gBACnC,IAAI,EAAE,MAAM;aACb,CAAC,CAAA;YAEF,MAAM,GAAG,GAAG,MAAM,KAAK,CACrB,GAAG,eAAe,6BAA6B,EAC/C;gBACE,MAAM,EAAE,MAAM;gBACd,WAAW,EAAE,SAAS;gBACtB,OAAO,EAAE;oBACP,cAAc,EAAE,mCAAmC;oBACnD,MAAM,EAAE,kBAAkB;iBAC3B;gBACD,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;aACtB,CACF,CAAA;YAED,iFAAiF;YACjF,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAA;YACjD,MAAM,OAAO,GAAG,MAAiD,CAAA;YACjE,MAAM,QAAQ,GAAG,OAAO,EAAE,KAAK,CAAA;YAC/B,MAAM,GAAG,GAAG,OAAO,EAAE,GAAG,CAAA;YACxB,MAAM,QAAQ,GACZ,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAA;YAE5E,IAAI,QAAQ,EAAE,CAAC;gBACb,MAAM,GAAG,GAAG,QAAQ,IAAI,2BAA2B,CAAA;gBACnD,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,GAAG,KAAK,mBAAmB;wBAC3D,CAAC,CAAC,2BAA2B;wBAC7B,CAAC,CAAC,GAAG;iBACR,CAAA;YACH,CAAC;YAED,kEAAkE;YAClE,oEAAoE;YACpE,MAAM,MAAM,EAAE,CAAA;YAEd,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAA;QAC1B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,+BAA+B,EAAE,KAAK,CAAC,CAAA;YACrD,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,qDAAqD;aAC7D,CAAA;QACH,CAAC;IACH,CAAC,EACD,CAAC,MAAM,CAAC,CACT,CAAA;IAED;;OAEG;IACH,MAAM,OAAO,GAAG,WAAW,CAAC,KAAK,IAAmB,EAAE;QACpD,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,KAAK,CAAC,GAAG,eAAe,OAAO,EAAE;gBACrD,WAAW,EAAE,SAAS;gBACtB,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;aACxC,CAAC,CAAA;YACF,IAAI,CAAC,OAAO,CAAC,EAAE,EAAE,CAAC;gBAChB,iEAAiE;gBACjE,OAAM;YACR,CAAC;YACD,MAAM,EAAE,SAAS,EAAE,GAAG,CAAC,MAAM,OAAO,CAAC,IAAI,EAAE,CAA0B,CAAA;YAErE,MAAM,KAAK,CAAC,GAAG,eAAe,UAAU,EAAE;gBACxC,MAAM,EAAE,MAAM;gBACd,WAAW,EAAE,SAAS;gBACtB,OAAO,EAAE;oBACP,cAAc,EAAE,mCAAmC;oBACnD,MAAM,EAAE,kBAAkB;iBAC3B;gBACD,IAAI,EAAE,IAAI,eAAe,CAAC;oBACxB,SAAS;oBACT,WAAW,EAAE,cAAc;oBAC3B,IAAI,EAAE,MAAM;iBACb,CAAC,CAAC,QAAQ,EAAE;aACd,CAAC,CAAA;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,gCAAgC,EAAE,KAAK,CAAC,CAAA;QACxD,CAAC;gBAAS,CAAC;YACT,gEAAgE;YAChE,8BAA8B;YAC9B,MAAM,MAAM,EAAE,CAAA;QAChB,CAAC;IACH,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC,CAAA;IAEZ,OAAO;QACL,QAAQ;QACR,KAAK;QACL,eAAe;QACf,SAAS;QACT,OAAO;QAEP,UAAU;QACV,MAAM;QACN,OAAO;KACR,CAAA;AACH,CAAC"}

package/dist/admin/hooks/useAdminSession.d.ts

@@ -0,0 +1,23 @@
+export type AdminSessionStatus = 'loading' | 'authenticated' | 'unauthenticated';
+/**
+ * Shape returned by `/api/admin-auth/session` when an admin is signed in.
+ * This mirrors the session.user shape the admin JWT session callback writes.
+ */
+export interface AdminSessionPayload {
+    user: {
+        id: string;
+        email: string;
+        name: string;
+        role: 'owner' | 'admin' | 'administrator' | 'manager' | 'user';
+        sessionVersion?: number;
+    };
+    expires?: string;
+}
+export interface UseAdminSessionReturn {
+    data: AdminSessionPayload | null;
+    status: AdminSessionStatus;
+    /** Re-fetch the session from the server. Returns the new session (or null). */
+    update: () => Promise<AdminSessionPayload | null>;
+}
+export declare function useAdminSession(): UseAdminSessionReturn;
+//# sourceMappingURL=useAdminSession.d.ts.map

package/dist/admin/hooks/useAdminSession.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"useAdminSession.d.ts","sourceRoot":"","sources":["../../../src/admin/hooks/useAdminSession.ts"],"names":[],"mappings":"AAoDA,MAAM,MAAM,kBAAkB,GAAG,SAAS,GAAG,eAAe,GAAG,iBAAiB,CAAA;AAEhF;;;GAGG;AACH,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE;QACJ,EAAE,EAAE,MAAM,CAAA;QACV,KAAK,EAAE,MAAM,CAAA;QACb,IAAI,EAAE,MAAM,CAAA;QACZ,IAAI,EAAE,OAAO,GAAG,OAAO,GAAG,eAAe,GAAG,SAAS,GAAG,MAAM,CAAA;QAC9D,cAAc,CAAC,EAAE,MAAM,CAAA;KACxB,CAAA;IACD,OAAO,CAAC,EAAE,MAAM,CAAA;CACjB;AAED,MAAM,WAAW,qBAAqB;IACpC,IAAI,EAAE,mBAAmB,GAAG,IAAI,CAAA;IAChC,MAAM,EAAE,kBAAkB,CAAA;IAC1B,+EAA+E;IAC/E,MAAM,EAAE,MAAM,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAAC,CAAA;CAClD;AAYD,wBAAgB,eAAe,IAAI,qBAAqB,CAiEvD"}

package/dist/admin/hooks/useAdminSession.js

@@ -0,0 +1,117 @@
+'use client';
+/**
+ * @rovela-ai/sdk/admin/hooks/useAdminSession
+ *
+ * Self-contained admin session hook — completely independent from the
+ * `next-auth/react` `<SessionProvider>` tree.
+ *
+ * # Why it exists
+ *
+ * Customer auth (`useSession` from `next-auth/react`) and admin auth both
+ * run on the same page domain but live in separate cookie jars (customer
+ * cookie vs admin cookie). NextAuth v4's client-side `useSession()`
+ * reads from a module-global `__NEXTAUTH` object whose `basePath` can be
+ * only one value at a time — making it impossible to have TWO live
+ * `<SessionProvider basePath>` trees reliably.
+ *
+ * The solution: admin pages don't need `<SessionProvider>` at all. This
+ * hook fetches `/api/admin-auth/session` directly, matching the shape of
+ * NextAuth's `useSession()` return value so `useAdminAuth` (and other
+ * consumers like `AdminBarBanner`) can use it as a drop-in replacement.
+ *
+ * The customer `<SessionProvider>` at the storefront root keeps reading
+ * the customer cookie as normal — the two systems don't touch each other.
+ *
+ * # Return contract
+ *
+ * ```ts
+ * const { data, status, update } = useAdminSession()
+ * // status: 'loading' | 'authenticated' | 'unauthenticated'
+ * // data:   AdminSessionPayload | null
+ * // update(): re-fetches from the server
+ * ```
+ *
+ * # Polling
+ *
+ * Re-fetches on:
+ *   - Mount
+ *   - Window focus (matches NextAuth default `refetchOnWindowFocus`)
+ *   - `update()` imperative call (after sign-in/out)
+ *
+ * No interval polling — the admin UI doesn't need real-time session
+ * refresh beyond what focus/mount already provide, and polling costs
+ * a fetch per tab every N seconds across the whole fleet.
+ */
+import { useCallback, useEffect, useRef, useState } from 'react';
+// =============================================================================
+// Constants
+// =============================================================================
+const ADMIN_SESSION_URL = '/api/admin-auth/session';
+// =============================================================================
+// Hook
+// =============================================================================
+export function useAdminSession() {
+    const [data, setData] = useState(null);
+    const [status, setStatus] = useState('loading');
+    const mountedRef = useRef(true);
+    const fetchSession = useCallback(async () => {
+        try {
+            const res = await fetch(ADMIN_SESSION_URL, {
+                credentials: 'include',
+                headers: { Accept: 'application/json' },
+            });
+            if (!res.ok) {
+                if (!mountedRef.current)
+                    return null;
+                setData(null);
+                setStatus('unauthenticated');
+                return null;
+            }
+            const json = (await res.json());
+            const hasUser = !!(json && json.user?.id);
+            if (!mountedRef.current)
+                return hasUser ? json : null;
+            if (hasUser) {
+                const payload = json;
+                setData(payload);
+                setStatus('authenticated');
+                return payload;
+            }
+            setData(null);
+            setStatus('unauthenticated');
+            return null;
+        }
+        catch {
+            if (!mountedRef.current)
+                return null;
+            setData(null);
+            setStatus('unauthenticated');
+            return null;
+        }
+    }, []);
+    // Initial fetch on mount + refetch on window focus
+    useEffect(() => {
+        mountedRef.current = true;
+        void fetchSession();
+        const onFocus = () => {
+            // Don't thrash: only re-fetch if we're already authenticated or known
+            // unauthenticated. Skip during a still-loading initial fetch.
+            if (mountedRef.current && status !== 'loading') {
+                void fetchSession();
+            }
+        };
+        window.addEventListener('focus', onFocus);
+        return () => {
+            mountedRef.current = false;
+            window.removeEventListener('focus', onFocus);
+        };
+        // Intentionally only depend on fetchSession: we want focus behavior
+        // to reflect the *current* session state without re-subscribing.
+        // eslint-disable-next-line react-hooks/exhaustive-deps
+    }, [fetchSession]);
+    const update = useCallback(async () => {
+        return fetchSession();
+    }, [fetchSession]);
+    return { data, status, update };
+}
+//# sourceMappingURL=useAdminSession.js.map

package/dist/admin/hooks/useAdminSession.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"useAdminSession.js","sourceRoot":"","sources":["../../../src/admin/hooks/useAdminSession.ts"],"names":[],"mappings":"AAAA,YAAY,CAAA;AAEZ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA0CG;AAEH,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,OAAO,CAAA;AA8BhE,gFAAgF;AAChF,YAAY;AACZ,gFAAgF;AAEhF,MAAM,iBAAiB,GAAG,yBAAyB,CAAA;AAEnD,gFAAgF;AAChF,OAAO;AACP,gFAAgF;AAEhF,MAAM,UAAU,eAAe;IAC7B,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,GAAG,QAAQ,CAA6B,IAAI,CAAC,CAAA;IAClE,MAAM,CAAC,MAAM,EAAE,SAAS,CAAC,GAAG,QAAQ,CAAqB,SAAS,CAAC,CAAA;IACnE,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,CAAA;IAE/B,MAAM,YAAY,GAAG,WAAW,CAAC,KAAK,IAAyC,EAAE;QAC/E,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,iBAAiB,EAAE;gBACzC,WAAW,EAAE,SAAS;gBACtB,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;aACxC,CAAC,CAAA;YACF,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,IAAI,CAAC,UAAU,CAAC,OAAO;oBAAE,OAAO,IAAI,CAAA;gBACpC,OAAO,CAAC,IAAI,CAAC,CAAA;gBACb,SAAS,CAAC,iBAAiB,CAAC,CAAA;gBAC5B,OAAO,IAAI,CAAA;YACb,CAAC;YACD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAgD,CAAA;YAC9E,MAAM,OAAO,GAAG,CAAC,CAAC,CAAC,IAAI,IAAK,IAA4B,CAAC,IAAI,EAAE,EAAE,CAAC,CAAA;YAClE,IAAI,CAAC,UAAU,CAAC,OAAO;gBAAE,OAAO,OAAO,CAAC,CAAC,CAAE,IAA4B,CAAC,CAAC,CAAC,IAAI,CAAA;YAC9E,IAAI,OAAO,EAAE,CAAC;gBACZ,MAAM,OAAO,GAAG,IAA2B,CAAA;gBAC3C,OAAO,CAAC,OAAO,CAAC,CAAA;gBAChB,SAAS,CAAC,eAAe,CAAC,CAAA;gBAC1B,OAAO,OAAO,CAAA;YAChB,CAAC;YACD,OAAO,CAAC,IAAI,CAAC,CAAA;YACb,SAAS,CAAC,iBAAiB,CAAC,CAAA;YAC5B,OAAO,IAAI,CAAA;QACb,CAAC;QAAC,MAAM,CAAC;YACP,IAAI,CAAC,UAAU,CAAC,OAAO;gBAAE,OAAO,IAAI,CAAA;YACpC,OAAO,CAAC,IAAI,CAAC,CAAA;YACb,SAAS,CAAC,iBAAiB,CAAC,CAAA;YAC5B,OAAO,IAAI,CAAA;QACb,CAAC;IACH,CAAC,EAAE,EAAE,CAAC,CAAA;IAEN,mDAAmD;IACnD,SAAS,CAAC,GAAG,EAAE;QACb,UAAU,CAAC,OAAO,GAAG,IAAI,CAAA;QACzB,KAAK,YAAY,EAAE,CAAA;QAEnB,MAAM,OAAO,GAAG,GAAG,EAAE;YACnB,sEAAsE;YACtE,8DAA8D;YAC9D,IAAI,UAAU,CAAC,OAAO,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;gBAC/C,KAAK,YAAY,EAAE,CAAA;YACrB,CAAC;QACH,CAAC,CAAA;QACD,MAAM,CAAC,gBAAgB,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;QAEzC,OAAO,GAAG,EAAE;YACV,UAAU,CAAC,OAAO,GAAG,KAAK,CAAA;YAC1B,MAAM,CAAC,mBAAmB,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;QAC9C,CAAC,CAAA;QACD,oEAAoE;QACpE,iEAAiE;QACjE,uDAAuD;IACzD,CAAC,EAAE,CAAC,YAAY,CAAC,CAAC,CAAA;IAElB,MAAM,MAAM,GAAG,WAAW,CAAC,KAAK,IAAI,EAAE;QACpC,OAAO,YAAY,EAAE,CAAA;IACvB,CAAC,EAAE,CAAC,YAAY,CAAC,CAAC,CAAA;IAElB,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,CAAA;AACjC,CAAC"}

package/dist/admin/index.d.ts

@@ -58,7 +58,8 @@ export type { OrderStatus, ProductStatus, AdminRole, Order, OrderItem, Product,
 export { createAdminAuthOptions, adminAuthConfig, adminAuthHandlers, createAdminNextAuthHandler, getAdminSession, } from './config';
 export { authenticateAdmin, createAdmin, updateAdminPassword, findAdminForSession, findAdminByEmail, findAdminById, updateAdmin, adminEmailExists, countAdmins, requestAdminPasswordReset, validateAdminResetToken, resetAdminPassword, deleteAdminPasswordResetTokens, cleanupExpiredAdminResetTokens, listAdmins, countActiveOwners, deactivateAdmin, reactivateAdmin, hardDeleteAdmin, inviteAdmin, resendAdminInvite, cancelAdminInvite, changeAdminRole, validateInviteToken, acceptAdminInvite, deleteAdminInviteTokens, cleanupExpiredInviteTokens, changeOwnPassword, updateOwnProfile, requireAdmin, invalidateAdminSession, } from './server';
 export { createAdminAuthHandlers, getProducts, createProduct, getProduct, updateProduct, deleteProduct, addVariant, updateVariantHandler, deleteVariantHandler, getOrders, getOrder, updateOrder, processRefund, getStats, getCategories, createCategory, getCategory, updateCategory, deleteCategory, getCustomers, getCustomer, setupAdmin, checkAdminExists, getSettings, updateSettings, getStripeStatus, getShippingCarriers, createShippingCarrier, getShippingCarrier, updateShippingCarrier, deleteShippingCarrier, getShippingZones, createShippingZone, getShippingZone, updateShippingZone, deleteShippingZone, createShippingRate, updateShippingRate, deleteShippingRate, getTaxZones, createTaxZone, getTaxZone, updateTaxZone, deleteTaxZone, } from './api';
-export { useAdminAuth, useAdminStats, useAdminProducts, useAdminOrders, useAdminCategories, useAdminCustomers, useAdminUsers, useAdminPermissions, useAdminMe, useLinkedCustomerStatus, } from './hooks';
+export { useAdminAuth, useAdminSession, useAdminStats, useAdminProducts, useAdminOrders, useAdminCategories, useAdminCustomers, useAdminUsers, useAdminPermissions, useAdminMe, useLinkedCustomerStatus, } from './hooks';
+export type { AdminSessionPayload, AdminSessionStatus, UseAdminSessionReturn, } from './hooks';
 export type { CategoryTreeItem } from './hooks/useAdminCategories';
 export { AdminGuard, AdminLoginForm, AdminSetupForm, AdminLayout, AdminNav, AdminBarBanner, ExampleContentBanner, StatsCards, RecentOrders, LowStockAlert, RevenueChart, OrderStatusChart, ProductTable, ProductForm, InventoryEditor, CategorySelect, CategoryForm, SEOPreview, TagInput, VariantManager, OrderTable, OrderDetails, RefundDialog, StoreSettings, LogoUpload, PaymentSettings, ShippingSettings, TaxSettings, CustomerTable, CustomerDetails, UsersTable, AdminForgotPasswordForm, AdminResetPasswordForm, InviteUserDialog, AdminAcceptInviteForm, AdminAccountPage, PermissionsMatrix, DeleteConfirmDialog, } from './components';
 export type { AdminSetupFormProps, RevenueChartProps, OrderStatusChartProps, CategorySelectProps, CategoryFormProps, SEOPreviewProps, TagInputProps, VariantManagerProps, VariantOption, VariantData, DeleteConfirmDialogProps, LogoUploadProps, PermissionsMatrixProps, } from './components';

package/dist/admin/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/admin/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuDG;AAMH,YAAY,EAEV,WAAW,EACX,aAAa,EACb,SAAS,EACT,KAAK,EACL,SAAS,EACT,OAAO,EACP,cAAc,EACd,QAAQ,EACR,UAAU,EACV,QAAQ,EACR,iBAAiB,EACjB,QAAQ,EACR,OAAO,EAGP,aAAa,EAGb,YAAY,EACZ,cAAc,EACd,kBAAkB,EAClB,iBAAiB,EACjB,cAAc,EACd,YAAY,EACZ,WAAW,EACX,gBAAgB,EAChB,oBAAoB,EACpB,oBAAoB,EACpB,eAAe,EACf,eAAe,EACf,gBAAgB,EAChB,kBAAkB,EAClB,gBAAgB,EAChB,mBAAmB,EACnB,UAAU,EACV,YAAY,EACZ,iBAAiB,EACjB,kBAAkB,EAGlB,mBAAmB,EACnB,oBAAoB,EACpB,gBAAgB,EAChB,gBAAgB,EAChB,iBAAiB,EACjB,iBAAiB,EACjB,qBAAqB,EACrB,qBAAqB,EACrB,qBAAqB,EAGrB,WAAW,EACX,YAAY,EACZ,gBAAgB,EAGhB,YAAY,EACZ,aAAa,EACb,YAAY,EACZ,UAAU,EACV,iBAAiB,EACjB,oBAAoB,EACpB,sBAAsB,EAGtB,kBAAkB,EAClB,gBAAgB,EAChB,cAAc,EACd,oBAAoB,EACpB,kBAAkB,EAClB,mBAAmB,EACnB,qBAAqB,EACrB,mBAAmB,EACnB,qBAAqB,EAGrB,aAAa,EACb,oBAAoB,EACpB,eAAe,EACf,mBAAmB,EACnB,yBAAyB,EACzB,eAAe,EACf,qBAAqB,EACrB,qBAAqB,EACrB,0BAA0B,EAG1B,gBAAgB,EAChB,eAAe,EACf,mBAAmB,EACnB,aAAa,EACb,eAAe,EACf,iBAAiB,EACjB,kBAAkB,EAClB,iBAAiB,EACjB,gBAAgB,EAChB,oBAAoB,EACpB,eAAe,EACf,iBAAiB,EACjB,iBAAiB,EACjB,kBAAkB,EAClB,kBAAkB,EAClB,oBAAoB,EAGpB,sBAAsB,EAGtB,kBAAkB,EAClB,mBAAmB,EACnB,oBAAoB,EACpB,sBAAsB,EACtB,uBAAuB,EACvB,wBAAwB,GACzB,MAAM,SAAS,CAAA;AAMhB,OAAO,EACL,sBAAsB,EACtB,eAAe,EACf,iBAAiB,EACjB,0BAA0B,EAC1B,eAAe,GAChB,MAAM,UAAU,CAAA;AAMjB,OAAO,EACL,iBAAiB,EACjB,WAAW,EACX,mBAAmB,EACnB,mBAAmB,EACnB,gBAAgB,EAChB,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,WAAW,EAEX,yBAAyB,EACzB,uBAAuB,EACvB,kBAAkB,EAClB,8BAA8B,EAC9B,8BAA8B,EAE9B,UAAU,EACV,iBAAiB,EACjB,eAAe,EACf,eAAe,EACf,eAAe,EAEf,WAAW,EACX,iBAAiB,EACjB,iBAAiB,EACjB,eAAe,EACf,mBAAmB,EACnB,iBAAiB,EACjB,uBAAuB,EACvB,0BAA0B,EAE1B,iBAAiB,EACjB,gBAAgB,EAEhB,YAAY,EACZ,sBAAsB,GACvB,MAAM,UAAU,CAAA;AAOjB,OAAO,EACL,uBAAuB,EACvB,WAAW,EACX,aAAa,EACb,UAAU,EACV,aAAa,EACb,aAAa,EACb,UAAU,EACV,oBAAoB,EACpB,oBAAoB,EACpB,SAAS,EACT,QAAQ,EACR,WAAW,EACX,aAAa,EACb,QAAQ,EACR,aAAa,EACb,cAAc,EACd,WAAW,EACX,cAAc,EACd,cAAc,EACd,YAAY,EACZ,WAAW,EAEX,UAAU,EAEV,gBAAgB,EAEhB,WAAW,EACX,cAAc,EAEd,eAAe,EAEf,mBAAmB,EACnB,qBAAqB,EACrB,kBAAkB,EAClB,qBAAqB,EACrB,qBAAqB,EAErB,gBAAgB,EAChB,kBAAkB,EAClB,eAAe,EACf,kBAAkB,EAClB,kBAAkB,EAClB,kBAAkB,EAClB,kBAAkB,EAClB,kBAAkB,EAElB,WAAW,EACX,aAAa,EACb,UAAU,EACV,aAAa,EACb,aAAa,GACd,MAAM,OAAO,CAAA;AAMd,OAAO,EACL,YAAY,EACZ,aAAa,EACb,gBAAgB,EAChB,cAAc,EACd,kBAAkB,EAClB,iBAAiB,EAEjB,aAAa,EACb,mBAAmB,EAEnB,UAAU,EAEV,uBAAuB,GACxB,MAAM,SAAS,CAAA;AAEhB,YAAY,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAA;AAMlE,OAAO,EAEL,UAAU,EACV,cAAc,EACd,cAAc,EAEd,WAAW,EACX,QAAQ,EACR,cAAc,EACd,oBAAoB,EAEpB,UAAU,EACV,YAAY,EACZ,aAAa,EACb,YAAY,EACZ,gBAAgB,EAEhB,YAAY,EACZ,WAAW,EACX,eAAe,EAEf,cAAc,EACd,YAAY,EAEZ,UAAU,EACV,QAAQ,EACR,cAAc,EAEd,UAAU,EACV,YAAY,EACZ,YAAY,EAEZ,aAAa,EACb,UAAU,EACV,eAAe,EAEf,gBAAgB,EAEhB,WAAW,EAEX,aAAa,EACb,eAAe,EAEf,UAAU,EAEV,uBAAuB,EACvB,sBAAsB,EAEtB,gBAAgB,EAChB,qBAAqB,EAErB,gBAAgB,EAEhB,iBAAiB,EAEjB,mBAAmB,GACpB,MAAM,cAAc,CAAA;AAGrB,YAAY,EACV,mBAAmB,EACnB,iBAAiB,EACjB,qBAAqB,EACrB,mBAAmB,EACnB,iBAAiB,EACjB,eAAe,EACf,aAAa,EACb,mBAAmB,EACnB,aAAa,EACb,WAAW,EACX,wBAAwB,EACxB,eAAe,EACf,sBAAsB,GACvB,MAAM,cAAc,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/admin/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuDG;AAMH,YAAY,EAEV,WAAW,EACX,aAAa,EACb,SAAS,EACT,KAAK,EACL,SAAS,EACT,OAAO,EACP,cAAc,EACd,QAAQ,EACR,UAAU,EACV,QAAQ,EACR,iBAAiB,EACjB,QAAQ,EACR,OAAO,EAGP,aAAa,EAGb,YAAY,EACZ,cAAc,EACd,kBAAkB,EAClB,iBAAiB,EACjB,cAAc,EACd,YAAY,EACZ,WAAW,EACX,gBAAgB,EAChB,oBAAoB,EACpB,oBAAoB,EACpB,eAAe,EACf,eAAe,EACf,gBAAgB,EAChB,kBAAkB,EAClB,gBAAgB,EAChB,mBAAmB,EACnB,UAAU,EACV,YAAY,EACZ,iBAAiB,EACjB,kBAAkB,EAGlB,mBAAmB,EACnB,oBAAoB,EACpB,gBAAgB,EAChB,gBAAgB,EAChB,iBAAiB,EACjB,iBAAiB,EACjB,qBAAqB,EACrB,qBAAqB,EACrB,qBAAqB,EAGrB,WAAW,EACX,YAAY,EACZ,gBAAgB,EAGhB,YAAY,EACZ,aAAa,EACb,YAAY,EACZ,UAAU,EACV,iBAAiB,EACjB,oBAAoB,EACpB,sBAAsB,EAGtB,kBAAkB,EAClB,gBAAgB,EAChB,cAAc,EACd,oBAAoB,EACpB,kBAAkB,EAClB,mBAAmB,EACnB,qBAAqB,EACrB,mBAAmB,EACnB,qBAAqB,EAGrB,aAAa,EACb,oBAAoB,EACpB,eAAe,EACf,mBAAmB,EACnB,yBAAyB,EACzB,eAAe,EACf,qBAAqB,EACrB,qBAAqB,EACrB,0BAA0B,EAG1B,gBAAgB,EAChB,eAAe,EACf,mBAAmB,EACnB,aAAa,EACb,eAAe,EACf,iBAAiB,EACjB,kBAAkB,EAClB,iBAAiB,EACjB,gBAAgB,EAChB,oBAAoB,EACpB,eAAe,EACf,iBAAiB,EACjB,iBAAiB,EACjB,kBAAkB,EAClB,kBAAkB,EAClB,oBAAoB,EAGpB,sBAAsB,EAGtB,kBAAkB,EAClB,mBAAmB,EACnB,oBAAoB,EACpB,sBAAsB,EACtB,uBAAuB,EACvB,wBAAwB,GACzB,MAAM,SAAS,CAAA;AAMhB,OAAO,EACL,sBAAsB,EACtB,eAAe,EACf,iBAAiB,EACjB,0BAA0B,EAC1B,eAAe,GAChB,MAAM,UAAU,CAAA;AAMjB,OAAO,EACL,iBAAiB,EACjB,WAAW,EACX,mBAAmB,EACnB,mBAAmB,EACnB,gBAAgB,EAChB,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,WAAW,EAEX,yBAAyB,EACzB,uBAAuB,EACvB,kBAAkB,EAClB,8BAA8B,EAC9B,8BAA8B,EAE9B,UAAU,EACV,iBAAiB,EACjB,eAAe,EACf,eAAe,EACf,eAAe,EAEf,WAAW,EACX,iBAAiB,EACjB,iBAAiB,EACjB,eAAe,EACf,mBAAmB,EACnB,iBAAiB,EACjB,uBAAuB,EACvB,0BAA0B,EAE1B,iBAAiB,EACjB,gBAAgB,EAEhB,YAAY,EACZ,sBAAsB,GACvB,MAAM,UAAU,CAAA;AAOjB,OAAO,EACL,uBAAuB,EACvB,WAAW,EACX,aAAa,EACb,UAAU,EACV,aAAa,EACb,aAAa,EACb,UAAU,EACV,oBAAoB,EACpB,oBAAoB,EACpB,SAAS,EACT,QAAQ,EACR,WAAW,EACX,aAAa,EACb,QAAQ,EACR,aAAa,EACb,cAAc,EACd,WAAW,EACX,cAAc,EACd,cAAc,EACd,YAAY,EACZ,WAAW,EAEX,UAAU,EAEV,gBAAgB,EAEhB,WAAW,EACX,cAAc,EAEd,eAAe,EAEf,mBAAmB,EACnB,qBAAqB,EACrB,kBAAkB,EAClB,qBAAqB,EACrB,qBAAqB,EAErB,gBAAgB,EAChB,kBAAkB,EAClB,eAAe,EACf,kBAAkB,EAClB,kBAAkB,EAClB,kBAAkB,EAClB,kBAAkB,EAClB,kBAAkB,EAElB,WAAW,EACX,aAAa,EACb,UAAU,EACV,aAAa,EACb,aAAa,GACd,MAAM,OAAO,CAAA;AAMd,OAAO,EACL,YAAY,EACZ,eAAe,EACf,aAAa,EACb,gBAAgB,EAChB,cAAc,EACd,kBAAkB,EAClB,iBAAiB,EAEjB,aAAa,EACb,mBAAmB,EAEnB,UAAU,EAEV,uBAAuB,GACxB,MAAM,SAAS,CAAA;AAEhB,YAAY,EACV,mBAAmB,EACnB,kBAAkB,EAClB,qBAAqB,GACtB,MAAM,SAAS,CAAA;AAEhB,YAAY,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAA;AAMlE,OAAO,EAEL,UAAU,EACV,cAAc,EACd,cAAc,EAEd,WAAW,EACX,QAAQ,EACR,cAAc,EACd,oBAAoB,EAEpB,UAAU,EACV,YAAY,EACZ,aAAa,EACb,YAAY,EACZ,gBAAgB,EAEhB,YAAY,EACZ,WAAW,EACX,eAAe,EAEf,cAAc,EACd,YAAY,EAEZ,UAAU,EACV,QAAQ,EACR,cAAc,EAEd,UAAU,EACV,YAAY,EACZ,YAAY,EAEZ,aAAa,EACb,UAAU,EACV,eAAe,EAEf,gBAAgB,EAEhB,WAAW,EAEX,aAAa,EACb,eAAe,EAEf,UAAU,EAEV,uBAAuB,EACvB,sBAAsB,EAEtB,gBAAgB,EAChB,qBAAqB,EAErB,gBAAgB,EAEhB,iBAAiB,EAEjB,mBAAmB,GACpB,MAAM,cAAc,CAAA;AAGrB,YAAY,EACV,mBAAmB,EACnB,iBAAiB,EACjB,qBAAqB,EACrB,mBAAmB,EACnB,iBAAiB,EACjB,eAAe,EACf,aAAa,EACb,mBAAmB,EACnB,aAAa,EACb,WAAW,EACX,wBAAwB,EACxB,eAAe,EACf,sBAAsB,GACvB,MAAM,cAAc,CAAA"}

package/dist/admin/index.js

@@ -94,7 +94,7 @@ getTaxZones, createTaxZone, getTaxZone, updateTaxZone, deleteTaxZone, } from './
 // =============================================================================
 // React Hooks
 // =============================================================================
-export { useAdminAuth, useAdminStats, useAdminProducts, useAdminOrders, useAdminCategories, useAdminCustomers, 
+export { useAdminAuth, useAdminSession, useAdminStats, useAdminProducts, useAdminOrders, useAdminCategories, useAdminCustomers, 
 // Phase 2
 useAdminUsers, useAdminPermissions, 
 // Phase 4

package/dist/admin/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/admin/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuDG;AA4HH,gFAAgF;AAChF,2BAA2B;AAC3B,gFAAgF;AAEhF,OAAO,EACL,sBAAsB,EACtB,eAAe,EACf,iBAAiB,EACjB,0BAA0B,EAC1B,eAAe,GAChB,MAAM,UAAU,CAAA;AAEjB,gFAAgF;AAChF,uBAAuB;AACvB,gFAAgF;AAEhF,OAAO,EACL,iBAAiB,EACjB,WAAW,EACX,mBAAmB,EACnB,mBAAmB,EACnB,gBAAgB,EAChB,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,WAAW;AACX,2BAA2B;AAC3B,yBAAyB,EACzB,uBAAuB,EACvB,kBAAkB,EAClB,8BAA8B,EAC9B,8BAA8B;AAC9B,4BAA4B;AAC5B,UAAU,EACV,iBAAiB,EACjB,eAAe,EACf,eAAe,EACf,eAAe;AACf,sCAAsC;AACtC,WAAW,EACX,iBAAiB,EACjB,iBAAiB,EACjB,eAAe,EACf,mBAAmB,EACnB,iBAAiB,EACjB,uBAAuB,EACvB,0BAA0B;AAC1B,yBAAyB;AACzB,iBAAiB,EACjB,gBAAgB;AAChB,oDAAoD;AACpD,YAAY,EACZ,sBAAsB,GACvB,MAAM,UAAU,CAAA;AAEjB,gFAAgF;AAChF,mDAAmD;AACnD,0EAA0E;AAC1E,gFAAgF;AAEhF,OAAO,EACL,uBAAuB,EACvB,WAAW,EACX,aAAa,EACb,UAAU,EACV,aAAa,EACb,aAAa,EACb,UAAU,EACV,oBAAoB,EACpB,oBAAoB,EACpB,SAAS,EACT,QAAQ,EACR,WAAW,EACX,aAAa,EACb,QAAQ,EACR,aAAa,EACb,cAAc,EACd,WAAW,EACX,cAAc,EACd,cAAc,EACd,YAAY,EACZ,WAAW;AACX,oCAAoC;AACpC,UAAU;AACV,gCAAgC;AAChC,gBAAgB;AAChB,WAAW;AACX,WAAW,EACX,cAAc;AACd,gBAAgB;AAChB,eAAe;AACf,oBAAoB;AACpB,mBAAmB,EACnB,qBAAqB,EACrB,kBAAkB,EAClB,qBAAqB,EACrB,qBAAqB;AACrB,yBAAyB;AACzB,gBAAgB,EAChB,kBAAkB,EAClB,eAAe,EACf,kBAAkB,EAClB,kBAAkB,EAClB,kBAAkB,EAClB,kBAAkB,EAClB,kBAAkB;AAClB,YAAY;AACZ,WAAW,EACX,aAAa,EACb,UAAU,EACV,aAAa,EACb,aAAa,GACd,MAAM,OAAO,CAAA;AAEd,gFAAgF;AAChF,cAAc;AACd,gFAAgF;AAEhF,OAAO,EACL,YAAY,EACZ,aAAa,EACb,gBAAgB,EAChB,cAAc,EACd,kBAAkB,EAClB,iBAAiB;AACjB,UAAU;AACV,aAAa,EACb,mBAAmB;AACnB,UAAU;AACV,UAAU;AACV,OAAO;AACP,uBAAuB,GACxB,MAAM,SAAS,CAAA;AAIhB,gFAAgF;AAChF,mBAAmB;AACnB,gFAAgF;AAEhF,OAAO;AACL,OAAO;AACP,UAAU,EACV,cAAc,EACd,cAAc;AACd,SAAS;AACT,WAAW,EACX,QAAQ,EACR,cAAc,EACd,oBAAoB;AACpB,YAAY;AACZ,UAAU,EACV,YAAY,EACZ,aAAa,EACb,YAAY,EACZ,gBAAgB;AAChB,WAAW;AACX,YAAY,EACZ,WAAW,EACX,eAAe;AACf,aAAa;AACb,cAAc,EACd,YAAY;AACZ,gCAAgC;AAChC,UAAU,EACV,QAAQ,EACR,cAAc;AACd,SAAS;AACT,UAAU,EACV,YAAY,EACZ,YAAY;AACZ,WAAW;AACX,aAAa,EACb,UAAU,EACV,eAAe;AACf,WAAW;AACX,gBAAgB;AAChB,MAAM;AACN,WAAW;AACX,YAAY;AACZ,aAAa,EACb,eAAe;AACf,4BAA4B;AAC5B,UAAU;AACV,uBAAuB;AACvB,uBAAuB,EACvB,sBAAsB;AACtB,4BAA4B;AAC5B,gBAAgB,EAChB,qBAAqB;AACrB,yBAAyB;AACzB,gBAAgB;AAChB,8CAA8C;AAC9C,iBAAiB;AACjB,UAAU;AACV,mBAAmB,GACpB,MAAM,cAAc,CAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/admin/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuDG;AA4HH,gFAAgF;AAChF,2BAA2B;AAC3B,gFAAgF;AAEhF,OAAO,EACL,sBAAsB,EACtB,eAAe,EACf,iBAAiB,EACjB,0BAA0B,EAC1B,eAAe,GAChB,MAAM,UAAU,CAAA;AAEjB,gFAAgF;AAChF,uBAAuB;AACvB,gFAAgF;AAEhF,OAAO,EACL,iBAAiB,EACjB,WAAW,EACX,mBAAmB,EACnB,mBAAmB,EACnB,gBAAgB,EAChB,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,WAAW;AACX,2BAA2B;AAC3B,yBAAyB,EACzB,uBAAuB,EACvB,kBAAkB,EAClB,8BAA8B,EAC9B,8BAA8B;AAC9B,4BAA4B;AAC5B,UAAU,EACV,iBAAiB,EACjB,eAAe,EACf,eAAe,EACf,eAAe;AACf,sCAAsC;AACtC,WAAW,EACX,iBAAiB,EACjB,iBAAiB,EACjB,eAAe,EACf,mBAAmB,EACnB,iBAAiB,EACjB,uBAAuB,EACvB,0BAA0B;AAC1B,yBAAyB;AACzB,iBAAiB,EACjB,gBAAgB;AAChB,oDAAoD;AACpD,YAAY,EACZ,sBAAsB,GACvB,MAAM,UAAU,CAAA;AAEjB,gFAAgF;AAChF,mDAAmD;AACnD,0EAA0E;AAC1E,gFAAgF;AAEhF,OAAO,EACL,uBAAuB,EACvB,WAAW,EACX,aAAa,EACb,UAAU,EACV,aAAa,EACb,aAAa,EACb,UAAU,EACV,oBAAoB,EACpB,oBAAoB,EACpB,SAAS,EACT,QAAQ,EACR,WAAW,EACX,aAAa,EACb,QAAQ,EACR,aAAa,EACb,cAAc,EACd,WAAW,EACX,cAAc,EACd,cAAc,EACd,YAAY,EACZ,WAAW;AACX,oCAAoC;AACpC,UAAU;AACV,gCAAgC;AAChC,gBAAgB;AAChB,WAAW;AACX,WAAW,EACX,cAAc;AACd,gBAAgB;AAChB,eAAe;AACf,oBAAoB;AACpB,mBAAmB,EACnB,qBAAqB,EACrB,kBAAkB,EAClB,qBAAqB,EACrB,qBAAqB;AACrB,yBAAyB;AACzB,gBAAgB,EAChB,kBAAkB,EAClB,eAAe,EACf,kBAAkB,EAClB,kBAAkB,EAClB,kBAAkB,EAClB,kBAAkB,EAClB,kBAAkB;AAClB,YAAY;AACZ,WAAW,EACX,aAAa,EACb,UAAU,EACV,aAAa,EACb,aAAa,GACd,MAAM,OAAO,CAAA;AAEd,gFAAgF;AAChF,cAAc;AACd,gFAAgF;AAEhF,OAAO,EACL,YAAY,EACZ,eAAe,EACf,aAAa,EACb,gBAAgB,EAChB,cAAc,EACd,kBAAkB,EAClB,iBAAiB;AACjB,UAAU;AACV,aAAa,EACb,mBAAmB;AACnB,UAAU;AACV,UAAU;AACV,OAAO;AACP,uBAAuB,GACxB,MAAM,SAAS,CAAA;AAUhB,gFAAgF;AAChF,mBAAmB;AACnB,gFAAgF;AAEhF,OAAO;AACL,OAAO;AACP,UAAU,EACV,cAAc,EACd,cAAc;AACd,SAAS;AACT,WAAW,EACX,QAAQ,EACR,cAAc,EACd,oBAAoB;AACpB,YAAY;AACZ,UAAU,EACV,YAAY,EACZ,aAAa,EACb,YAAY,EACZ,gBAAgB;AAChB,WAAW;AACX,YAAY,EACZ,WAAW,EACX,eAAe;AACf,aAAa;AACb,cAAc,EACd,YAAY;AACZ,gCAAgC;AAChC,UAAU,EACV,QAAQ,EACR,cAAc;AACd,SAAS;AACT,UAAU,EACV,YAAY,EACZ,YAAY;AACZ,WAAW;AACX,aAAa,EACb,UAAU,EACV,eAAe;AACf,WAAW;AACX,gBAAgB;AAChB,MAAM;AACN,WAAW;AACX,YAAY;AACZ,aAAa,EACb,eAAe;AACf,4BAA4B;AAC5B,UAAU;AACV,uBAAuB;AACvB,uBAAuB,EACvB,sBAAsB;AACtB,4BAA4B;AAC5B,gBAAgB,EAChB,qBAAqB;AACrB,yBAAyB;AACzB,gBAAgB;AAChB,8CAA8C;AAC9C,iBAAiB;AACjB,UAAU;AACV,mBAAmB,GACpB,MAAM,cAAc,CAAA"}

package/dist/admin/server/admin-service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"admin-service.d.ts","sourceRoot":"","sources":["../../../src/admin/server/admin-service.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,MAAM,MAAM,sBAAsB,CAAA;AAE9C,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,UAAU,CAAA;AAM5C,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,MAAM,CAAC,UAAU,CAAA;CACzB;AAED,MAAM,WAAW,uBAAuB;IACtC,OAAO,EAAE,IAAI,CAAA;IACb,KAAK,EAAE,MAAM,CAAC,UAAU,CAAA;CACzB;AAED,MAAM,WAAW,sBAAsB;IACrC,OAAO,EAAE,KAAK,CAAA;IACd,KAAK,EAAE,MAAM,CAAA;IACb,IAAI,EAAE,qBAAqB,GAAG,iBAAiB,CAAA;CAChD;AAMD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,iBAAiB,CACrC,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,uBAAuB,GAAG,sBAAsB,CAAC,CA0C3D;AAMD;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAsB,WAAW,CAC/B,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,EACZ,IAAI,GAAE,OAAO,GAAG,OAAiB,GAChC,OAAO,CAAC,iBAAiB,CAAC,CA0B5B;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC,CAwB9B;AAED;;;;;GAKG;AACH,wBAAsB,gBAAgB,CACpC,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,CAUnC;AAED;;;;;GAKG;AACH,wBAAsB,aAAa,CACjC,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,CAUnC;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,WAAW,CAC/B,OAAO,EAAE,MAAM,EACf,IAAI,EAAE;IAAE,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,GACtC,OAAO,CAAC,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,CAyBnC;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,MAAM,EACf,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,IAAI,CAAC,CAgBf;AAED;;;;;GAKG;AACH,wBAAsB,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAGtE;AAED;;;GAGG;AACH,wBAAsB,WAAW,IAAI,OAAO,CAAC,MAAM,CAAC,CAQnD"}
+{"version":3,"file":"admin-service.d.ts","sourceRoot":"","sources":["../../../src/admin/server/admin-service.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,MAAM,MAAM,sBAAsB,CAAA;AAE9C,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,UAAU,CAAA;AAM5C,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,MAAM,CAAC,UAAU,CAAA;CACzB;AAED,MAAM,WAAW,uBAAuB;IACtC,OAAO,EAAE,IAAI,CAAA;IACb,KAAK,EAAE,MAAM,CAAC,UAAU,CAAA;CACzB;AAED,MAAM,WAAW,sBAAsB;IACrC,OAAO,EAAE,KAAK,CAAA;IACd,KAAK,EAAE,MAAM,CAAA;IACb,IAAI,EAAE,qBAAqB,GAAG,iBAAiB,CAAA;CAChD;AAMD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,iBAAiB,CACrC,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,uBAAuB,GAAG,sBAAsB,CAAC,CAyD3D;AAMD;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAsB,WAAW,CAC/B,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,EACZ,IAAI,GAAE,OAAO,GAAG,OAAiB,GAChC,OAAO,CAAC,iBAAiB,CAAC,CA0B5B;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC,CAwB9B;AAED;;;;;GAKG;AACH,wBAAsB,gBAAgB,CACpC,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,CAUnC;AAED;;;;;GAKG;AACH,wBAAsB,aAAa,CACjC,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,CAUnC;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,WAAW,CAC/B,OAAO,EAAE,MAAM,EACf,IAAI,EAAE;IAAE,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,GACtC,OAAO,CAAC,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,CAyBnC;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,MAAM,EACf,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,IAAI,CAAC,CAgBf;AAED;;;;;GAKG;AACH,wBAAsB,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAGtE;AAED;;;GAGG;AACH,wBAAsB,WAAW,IAAI,OAAO,CAAC,MAAM,CAAC,CAQnD"}

package/dist/admin/server/admin-service.js

@@ -64,6 +64,21 @@ export async function authenticateAdmin(email, password) {
             code: 'INVALID_CREDENTIALS',
         };
     }
+    // Stamp last_login_at on every successful authentication. Fire-and-forget
+    // pattern: a DB failure here must not block login. We also mirror the new
+    // timestamp onto the returned `admin` object so callers see the fresh
+    // value without an extra round-trip.
+    const loginAt = new Date();
+    try {
+        await db
+            .update(schema.storeAdmins)
+            .set({ lastLoginAt: loginAt })
+            .where(eq(schema.storeAdmins.id, admin.id));
+        admin.lastLoginAt = loginAt;
+    }
+    catch (err) {
+        console.error('[authenticateAdmin] Failed to stamp last_login_at:', err);
+    }
     return { success: true, admin };
 }
 // =============================================================================

package/dist/admin/server/admin-service.js.map

@@ -1 +1 @@
-{"version":3,"file":"admin-service.js","sourceRoot":"","sources":["../../../src/admin/server/admin-service.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,EAAE,EAAE,GAAG,EAAE,MAAM,aAAa,CAAA;AACrC,OAAO,EAAE,KAAK,EAAE,MAAM,sBAAsB,CAAA;AAC5C,OAAO,KAAK,MAAM,MAAM,sBAAsB,CAAA;AAC9C,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,4BAA4B,CAAA;AAsBzE,gFAAgF;AAChF,uBAAuB;AACvB,gFAAgF;AAEhF;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,KAAa,EACb,QAAgB;IAEhB,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,sBAAsB;IACtB,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,EAAE;SACrB,MAAM,EAAE;SACR,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;SACxB,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,KAAK,EAAE,KAAK,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC;SAC/D,KAAK,CAAC,CAAC,CAAC,CAAA;IAEX,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,2BAA2B;YAClC,IAAI,EAAE,qBAAqB;SAC5B,CAAA;IACH,CAAC;IAED,qEAAqE;IACrE,yEAAyE;IACzE,wEAAwE;IACxE,mDAAmD;IACnD,MAAM,WAAW,GAAI,KAA6B,CAAC,MAAM,IAAI,QAAQ,CAAA;IACrE,IAAI,WAAW,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,YAAY,EAAE,CAAC;QACpD,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,2BAA2B;YAClC,IAAI,EAAE,qBAAqB;SAC5B,CAAA;IACH,CAAC;IAED,kBAAkB;IAClB,MAAM,eAAe,GAAG,MAAM,cAAc,CAAC,QAAQ,EAAE,KAAK,CAAC,YAAY,CAAC,CAAA;IAC1E,IAAI,CAAC,eAAe,EAAE,CAAC;QACrB,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,2BAA2B;YAClC,IAAI,EAAE,qBAAqB;SAC5B,CAAA;IACH,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAA;AACjC,CAAC;AAED,gFAAgF;AAChF,aAAa;AACb,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,KAAa,EACb,QAAgB,EAChB,IAAY,EACZ,OAA0B,OAAO;IAEjC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,gBAAgB;IAChB,MAAM,YAAY,GAAG,MAAM,YAAY,CAAC,QAAQ,CAAC,CAAA;IAEjD,IAAI,CAAC;QACH,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,EAAE;aACrB,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC;aAC1B,MAAM,CAAC;YACN,KAAK,EAAE,KAAK,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE;YACjC,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE;YACjB,YAAY;YACZ,IAAI;SACL,CAAC;aACD,SAAS,EAAE,CAAA;QAEd,OAAO,EAAE,KAAK,EAAE,CAAA;IAClB,CAAC;IAAC,OAAO,KAAc,EAAE,CAAC;QACxB,wCAAwC;QACxC,MAAM,GAAG,GAAG,KAAqD,CAAA;QACjE,IAAI,GAAG,CAAC,IAAI,KAAK,OAAO,IAAI,GAAG,CAAC,KAAK,EAAE,IAAI,KAAK,OAAO,EAAE,CAAC;YACxD,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAA;QAC5D,CAAC;QACD,MAAM,KAAK,CAAA;IACb,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,OAAe;IAEf,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,EAAE;SACrB,MAAM,CAAC;QACN,EAAE,EAAE,MAAM,CAAC,WAAW,CAAC,EAAE;QACzB,KAAK,EAAE,MAAM,CAAC,WAAW,CAAC,KAAK;QAC/B,IAAI,EAAE,MAAM,CAAC,WAAW,CAAC,IAAI;QAC7B,IAAI,EAAE,MAAM,CAAC,WAAW,CAAC,IAAI;KAC9B,CAAC;SACD,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;SACxB,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;SACzC,KAAK,CAAC,CAAC,CAAC,CAAA;IAEX,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,IAAI,CAAA;IACb,CAAC;IAED,OAAO;QACL,EAAE,EAAE,KAAK,CAAC,EAAE;QACZ,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,IAAI,EAAE,KAAK,CAAC,IAAI;KACjB,CAAA;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,KAAa;IAEb,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,EAAE;SACrB,MAAM,EAAE;SACR,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;SACxB,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,KAAK,EAAE,KAAK,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC;SAC/D,KAAK,CAAC,CAAC,CAAC,CAAA;IAEX,OAAO,KAAK,IAAI,IAAI,CAAA;AACtB,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,OAAe;IAEf,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,EAAE;SACrB,MAAM,EAAE;SACR,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;SACxB,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;SACzC,KAAK,CAAC,CAAC,CAAC,CAAA;IAEX,OAAO,KAAK,IAAI,IAAI,CAAA;AACtB,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,OAAe,EACf,IAAuC;IAEvC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,MAAM,UAAU,GAAkC,EAAE,CAAA;IAEpD,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC5B,UAAU,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAA;IACpC,CAAC;IAED,IAAI,IAAI,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;QAC7B,UAAU,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAA;IACpD,CAAC;IAED,IAAI,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzC,0CAA0C;QAC1C,OAAO,aAAa,CAAC,OAAO,CAAC,CAAA;IAC/B,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,EAAE;SACrB,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC;SAC1B,GAAG,CAAC,UAAU,CAAC;SACf,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;SACzC,SAAS,EAAE,CAAA;IAEd,OAAO,KAAK,IAAI,IAAI,CAAA;AACtB,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,OAAe,EACf,WAAmB;IAEnB,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,MAAM,YAAY,GAAG,MAAM,YAAY,CAAC,WAAW,CAAC,CAAA;IAEpD,sEAAsE;IACtE,qEAAqE;IACrE,mEAAmE;IACnE,uCAAuC;IACvC,MAAM,EAAE;SACL,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC;SAC1B,GAAG,CAAC;QACH,YAAY;QACZ,cAAc,EAAE,GAAG,CAAA,GAAG,MAAM,CAAC,WAAW,CAAC,cAAc,MAAM;KAC9D,CAAC;SACD,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC,CAAA;AAC9C,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,KAAa;IAClD,MAAM,KAAK,GAAG,MAAM,gBAAgB,CAAC,KAAK,CAAC,CAAA;IAC3C,OAAO,CAAC,CAAC,KAAK,CAAA;AAChB,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW;IAC/B,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,MAAM,MAAM,GAAG,MAAM,EAAE;SACpB,MAAM,CAAC,EAAE,EAAE,EAAE,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE,CAAC;SACrC,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,CAAA;IAE3B,OAAO,MAAM,CAAC,MAAM,CAAA;AACtB,CAAC"}
+{"version":3,"file":"admin-service.js","sourceRoot":"","sources":["../../../src/admin/server/admin-service.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,EAAE,EAAE,GAAG,EAAE,MAAM,aAAa,CAAA;AACrC,OAAO,EAAE,KAAK,EAAE,MAAM,sBAAsB,CAAA;AAC5C,OAAO,KAAK,MAAM,MAAM,sBAAsB,CAAA;AAC9C,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,4BAA4B,CAAA;AAsBzE,gFAAgF;AAChF,uBAAuB;AACvB,gFAAgF;AAEhF;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,KAAa,EACb,QAAgB;IAEhB,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,sBAAsB;IACtB,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,EAAE;SACrB,MAAM,EAAE;SACR,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;SACxB,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,KAAK,EAAE,KAAK,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC;SAC/D,KAAK,CAAC,CAAC,CAAC,CAAA;IAEX,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,2BAA2B;YAClC,IAAI,EAAE,qBAAqB;SAC5B,CAAA;IACH,CAAC;IAED,qEAAqE;IACrE,yEAAyE;IACzE,wEAAwE;IACxE,mDAAmD;IACnD,MAAM,WAAW,GAAI,KAA6B,CAAC,MAAM,IAAI,QAAQ,CAAA;IACrE,IAAI,WAAW,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,YAAY,EAAE,CAAC;QACpD,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,2BAA2B;YAClC,IAAI,EAAE,qBAAqB;SAC5B,CAAA;IACH,CAAC;IAED,kBAAkB;IAClB,MAAM,eAAe,GAAG,MAAM,cAAc,CAAC,QAAQ,EAAE,KAAK,CAAC,YAAY,CAAC,CAAA;IAC1E,IAAI,CAAC,eAAe,EAAE,CAAC;QACrB,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,2BAA2B;YAClC,IAAI,EAAE,qBAAqB;SAC5B,CAAA;IACH,CAAC;IAED,0EAA0E;IAC1E,0EAA0E;IAC1E,sEAAsE;IACtE,qCAAqC;IACrC,MAAM,OAAO,GAAG,IAAI,IAAI,EAAE,CAAA;IAC1B,IAAI,CAAC;QACH,MAAM,EAAE;aACL,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC;aAC1B,GAAG,CAAC,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC;aAC7B,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE,KAAK,CAAC,EAAE,CAAC,CAAC,CAC5C;QAAC,KAAuC,CAAC,WAAW,GAAG,OAAO,CAAA;IACjE,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,oDAAoD,EAAE,GAAG,CAAC,CAAA;IAC1E,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAA;AACjC,CAAC;AAED,gFAAgF;AAChF,aAAa;AACb,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,KAAa,EACb,QAAgB,EAChB,IAAY,EACZ,OAA0B,OAAO;IAEjC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,gBAAgB;IAChB,MAAM,YAAY,GAAG,MAAM,YAAY,CAAC,QAAQ,CAAC,CAAA;IAEjD,IAAI,CAAC;QACH,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,EAAE;aACrB,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC;aAC1B,MAAM,CAAC;YACN,KAAK,EAAE,KAAK,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE;YACjC,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE;YACjB,YAAY;YACZ,IAAI;SACL,CAAC;aACD,SAAS,EAAE,CAAA;QAEd,OAAO,EAAE,KAAK,EAAE,CAAA;IAClB,CAAC;IAAC,OAAO,KAAc,EAAE,CAAC;QACxB,wCAAwC;QACxC,MAAM,GAAG,GAAG,KAAqD,CAAA;QACjE,IAAI,GAAG,CAAC,IAAI,KAAK,OAAO,IAAI,GAAG,CAAC,KAAK,EAAE,IAAI,KAAK,OAAO,EAAE,CAAC;YACxD,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAA;QAC5D,CAAC;QACD,MAAM,KAAK,CAAA;IACb,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,OAAe;IAEf,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,EAAE;SACrB,MAAM,CAAC;QACN,EAAE,EAAE,MAAM,CAAC,WAAW,CAAC,EAAE;QACzB,KAAK,EAAE,MAAM,CAAC,WAAW,CAAC,KAAK;QAC/B,IAAI,EAAE,MAAM,CAAC,WAAW,CAAC,IAAI;QAC7B,IAAI,EAAE,MAAM,CAAC,WAAW,CAAC,IAAI;KAC9B,CAAC;SACD,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;SACxB,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;SACzC,KAAK,CAAC,CAAC,CAAC,CAAA;IAEX,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,IAAI,CAAA;IACb,CAAC;IAED,OAAO;QACL,EAAE,EAAE,KAAK,CAAC,EAAE;QACZ,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,IAAI,EAAE,KAAK,CAAC,IAAI;KACjB,CAAA;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,KAAa;IAEb,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,EAAE;SACrB,MAAM,EAAE;SACR,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;SACxB,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,KAAK,EAAE,KAAK,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC;SAC/D,KAAK,CAAC,CAAC,CAAC,CAAA;IAEX,OAAO,KAAK,IAAI,IAAI,CAAA;AACtB,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,OAAe;IAEf,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,EAAE;SACrB,MAAM,EAAE;SACR,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;SACxB,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;SACzC,KAAK,CAAC,CAAC,CAAC,CAAA;IAEX,OAAO,KAAK,IAAI,IAAI,CAAA;AACtB,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,OAAe,EACf,IAAuC;IAEvC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,MAAM,UAAU,GAAkC,EAAE,CAAA;IAEpD,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC5B,UAAU,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAA;IACpC,CAAC;IAED,IAAI,IAAI,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;QAC7B,UAAU,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAA;IACpD,CAAC;IAED,IAAI,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzC,0CAA0C;QAC1C,OAAO,aAAa,CAAC,OAAO,CAAC,CAAA;IAC/B,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,EAAE;SACrB,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC;SAC1B,GAAG,CAAC,UAAU,CAAC;SACf,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;SACzC,SAAS,EAAE,CAAA;IAEd,OAAO,KAAK,IAAI,IAAI,CAAA;AACtB,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,OAAe,EACf,WAAmB;IAEnB,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,MAAM,YAAY,GAAG,MAAM,YAAY,CAAC,WAAW,CAAC,CAAA;IAEpD,sEAAsE;IACtE,qEAAqE;IACrE,mEAAmE;IACnE,uCAAuC;IACvC,MAAM,EAAE;SACL,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC;SAC1B,GAAG,CAAC;QACH,YAAY;QACZ,cAAc,EAAE,GAAG,CAAA,GAAG,MAAM,CAAC,WAAW,CAAC,cAAc,MAAM;KAC9D,CAAC;SACD,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC,CAAA;AAC9C,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,KAAa;IAClD,MAAM,KAAK,GAAG,MAAM,gBAAgB,CAAC,KAAK,CAAC,CAAA;IAC3C,OAAO,CAAC,CAAC,KAAK,CAAA;AAChB,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW;IAC/B,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,MAAM,MAAM,GAAG,MAAM,EAAE;SACpB,MAAM,CAAC,EAAE,EAAE,EAAE,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE,CAAC;SACrC,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,CAAA;IAE3B,OAAO,MAAM,CAAC,MAAM,CAAA;AACtB,CAAC"}

package/dist/admin/server/admin-session.d.ts

@@ -12,18 +12,17 @@
  *
  * # Which auth config we read
  *
- * The sandbox template mounts exactly ONE NextAuth endpoint at
- * `/api/auth/[...nextauth]/route.ts`, wired to `createAuthOptions()` from
- * `@rovela-ai/sdk/auth`. That unified config handles BOTH `credentials`
- * (customer) and `admin-credentials` providers, and it's the config that
- * writes the session cookie the browser sends back on every request.
- *
- * `requireAdmin` MUST read through the same config. Reading from a separate
- * `createAdminAuthOptions()` (which used its own cookie name + SameSite) —
- * as an earlier iteration of this file did — produced a read/write mismatch
- * that rejected every admin API call with 401 regardless of DB state.
- *
- * This module replaces all ten legacy helpers with a single gatekeeper that:
+ * Post two-cookie split (SDK 0.3.20), the sandbox template mounts a dedicated
+ * admin NextAuth endpoint at `/api/admin-auth/[...nextauth]/route.ts`, wired
+ * to `createAdminAuthOptions()` from `@rovela-ai/sdk/admin`. That config
+ * writes `__Secure-rovela.admin.session-token`, distinct from the customer
+ * cookie, so an admin and a customer session can coexist in the same browser
+ * (the foundation of the "linked customer" feature).
+ *
+ * `requireAdmin` reads through the SAME admin config it's paired with, so
+ * the cookie name and SameSite policy match between write and read.
+ *
+ * This module replaces all legacy per-route helpers with a single gatekeeper that:
  *   1. Reads the NextAuth session via the unified `createAuthOptions()`.
  *   2. Fetches a fresh admin row from the DB and confirms `status = 'active'`
  *      so that deactivated users are kicked out on their next request without

package/dist/admin/server/admin-session.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"admin-session.d.ts","sourceRoot":"","sources":["../../../src/admin/server/admin-session.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoEG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAI1C,OAAO,EAGL,KAAK,UAAU,EAChB,MAAM,gBAAgB,CAAA;AACvB,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAA;AACjD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAA;AACtD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,UAAU,CAAA;AAM7C,MAAM,WAAW,mBAAmB;IAClC,gEAAgE;IAChE,UAAU,CAAC,EAAE,UAAU,CAAA;IACvB,2FAA2F;IAC3F,OAAO,CAAC,EAAE,SAAS,CAAA;CACpB;AAED,MAAM,MAAM,kBAAkB,GAC1B;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,KAAK,EAAE,UAAU,CAAA;CAAE,GAC/B;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,QAAQ,EAAE,YAAY,CAAC,aAAa,CAAC,CAAA;CAAE,CAAA;AA+BxD;;;;;;;;;;GAUG;AACH,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CAE5D;AAED;;;;GAIG;AACH,wBAAgB,wBAAwB,IAAI,IAAI,CAE/C;AAwBD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,wBAAsB,YAAY,CAChC,OAAO,GAAE,mBAAwB,GAChC,OAAO,CAAC,kBAAkB,CAAC,CA+E7B"}
+{"version":3,"file":"admin-session.d.ts","sourceRoot":"","sources":["../../../src/admin/server/admin-session.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmEG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAI1C,OAAO,EAGL,KAAK,UAAU,EAChB,MAAM,gBAAgB,CAAA;AACvB,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAA;AACjD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAA;AACtD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,UAAU,CAAA;AAM7C,MAAM,WAAW,mBAAmB;IAClC,gEAAgE;IAChE,UAAU,CAAC,EAAE,UAAU,CAAA;IACvB,2FAA2F;IAC3F,OAAO,CAAC,EAAE,SAAS,CAAA;CACpB;AAED,MAAM,MAAM,kBAAkB,GAC1B;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,KAAK,EAAE,UAAU,CAAA;CAAE,GAC/B;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,QAAQ,EAAE,YAAY,CAAC,aAAa,CAAC,CAAA;CAAE,CAAA;AA+BxD;;;;;;;;;;GAUG;AACH,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CAE5D;AAED;;;;GAIG;AACH,wBAAgB,wBAAwB,IAAI,IAAI,CAE/C;AAwBD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,wBAAsB,YAAY,CAChC,OAAO,GAAE,mBAAwB,GAChC,OAAO,CAAC,kBAAkB,CAAC,CAgF7B"}

package/dist/admin/server/admin-session.js

@@ -12,18 +12,17 @@
  *
  * # Which auth config we read
  *
- * The sandbox template mounts exactly ONE NextAuth endpoint at
- * `/api/auth/[...nextauth]/route.ts`, wired to `createAuthOptions()` from
- * `@rovela-ai/sdk/auth`. That unified config handles BOTH `credentials`
- * (customer) and `admin-credentials` providers, and it's the config that
- * writes the session cookie the browser sends back on every request.
- *
- * `requireAdmin` MUST read through the same config. Reading from a separate
- * `createAdminAuthOptions()` (which used its own cookie name + SameSite) —
- * as an earlier iteration of this file did — produced a read/write mismatch
- * that rejected every admin API call with 401 regardless of DB state.
- *
- * This module replaces all ten legacy helpers with a single gatekeeper that:
+ * Post two-cookie split (SDK 0.3.20), the sandbox template mounts a dedicated
+ * admin NextAuth endpoint at `/api/admin-auth/[...nextauth]/route.ts`, wired
+ * to `createAdminAuthOptions()` from `@rovela-ai/sdk/admin`. That config
+ * writes `__Secure-rovela.admin.session-token`, distinct from the customer
+ * cookie, so an admin and a customer session can coexist in the same browser
+ * (the foundation of the "linked customer" feature).
+ *
+ * `requireAdmin` reads through the SAME admin config it's paired with, so
+ * the cookie name and SameSite policy match between write and read.
+ *
+ * This module replaces all legacy per-route helpers with a single gatekeeper that:
  *   1. Reads the NextAuth session via the unified `createAuthOptions()`.
  *   2. Fetches a fresh admin row from the DB and confirms `status = 'active'`
  *      so that deactivated users are kicked out on their next request without
@@ -69,7 +68,7 @@
  */
 import { NextResponse } from 'next/server';
 import { getServerSession } from 'next-auth';
-import { createAuthOptions } from '../../auth/config';
+import { createAdminAuthOptions } from '../config';
 import { findAdminById } from './admin-service';
 import { hasPermission, meetsMinRole, } from '../permissions';
 const STATUS_CACHE_TTL_MS = 30 * 1000;
@@ -155,18 +154,19 @@ function forbidden() {
  * ```
  */
 export async function requireAdmin(options = {}) {
-    // 1. NextAuth session — read through the UNIFIED auth config. The sandbox
-    // template mounts one NextAuth endpoint (`/api/auth/[...nextauth]`) wired
-    // to `createAuthOptions()`, so that's the config that writes the session
-    // cookie. Reading from the same config guarantees the cookie name and
-    // SameSite policy match between write and read. See the file-level comment
-    // for the full rationale.
+    // 1. NextAuth admin session — read through the ADMIN auth config. Post
+    // two-cookie-split (SDK 0.3.20), the template mounts a dedicated admin
+    // endpoint at `/api/admin-auth/[...nextauth]` wired to
+    // `createAdminAuthOptions()`, which writes its own cookie
+    // (`__Secure-rovela.admin.session-token`). Customer cookies live in a
+    // separate jar and cannot reach this endpoint.
+    //
     // The `as unknown as` dance is unavoidable: getServerSession's overloaded
     // return type infers to `{}` in this generic context, and our session user
     // carries a custom `role` field we need to read.
     let rawSession;
     try {
-        rawSession = await getServerSession(createAuthOptions());
+        rawSession = await getServerSession(createAdminAuthOptions());
     }
     catch (err) {
         console.error('[requireAdmin] Failed to read session:', err);