@scryan7371/sdr-security 0.1.1 → 0.1.2

package/README.md

@@ -15,13 +15,112 @@ Use shared helpers/types in your API controllers/services where useful:
 - `isValidEmail`
 - `isStrongPassword`
 - `AuthResponse`, `RegisterResponse`, `SafeUser`
+- `notifyAdminsOnEmailVerified`
+- `notifyUserOnAdminApproval`
+
+## Nest Integration
+
+Import the Nest surface from `@scryan7371/sdr-security/nest`.
+
+```ts
+import { Module } from "@nestjs/common";
+import {
+  SecurityWorkflowsModule,
+  SECURITY_WORKFLOW_NOTIFIER,
+} from "@scryan7371/sdr-security/nest";
+import { EmailService } from "./notifications/email.service";
+
+@Module({
+  imports: [
+    SecurityWorkflowsModule.forRoot({
+      notifierProvider: {
+        provide: SECURITY_WORKFLOW_NOTIFIER,
+        useFactory: (emailService: EmailService) => ({
+          sendAdminsUserEmailVerified: ({ adminEmails, user }) =>
+            emailService.sendEmailVerifiedNotificationToAdmins(
+              adminEmails,
+              user,
+            ),
+          sendUserAccountApproved: ({ email, firstName }) =>
+            emailService.sendAccountApproved(email, firstName),
+        }),
+        inject: [EmailService],
+      },
+    }),
+  ],
+})
+export class AppModule {}
+```
+
+Optional Swagger setup in consuming app:
+
+```ts
+import { setupSecuritySwagger } from "@scryan7371/sdr-security/nest";
+
+setupSecuritySwagger(app); // default path: /docs/security
+```
+
+Routes exposed by the shared controller:
+
+- `POST /security/auth/register`
+- `POST /security/auth/login`
+- `POST /security/auth/forgot-password`
+- `POST /security/auth/reset-password`
+- `GET /security/auth/verify-email?token=...`
+- `POST /security/auth/change-password` (JWT required)
+- `POST /security/auth/logout` (JWT required)
+- `POST /security/auth/refresh`
+- `GET /security/auth/me/roles` (JWT required)
+- `POST /security/workflows/users/:id/email-verified`
+  - marks `email_verified_at` and notifies admins.
+- `PATCH /security/workflows/users/:id/admin-approval` with `{ approved: boolean }`
+  - updates `admin_approved_at` and notifies user when approved (admin JWT required).
+- `PATCH /security/workflows/users/:id/active` with `{ active: boolean }` (admin JWT required)
+- `GET /security/workflows/roles` (admin JWT required)
+- `POST /security/workflows/roles` (admin JWT required)
+- `DELETE /security/workflows/roles/:role` (admin JWT required)
+- `GET /security/workflows/users/:id/roles` (admin JWT required)
+- `PUT /security/workflows/users/:id/roles` (admin JWT required)
+- `POST /security/workflows/users/:id/roles` with `{ role: string }` (admin JWT required)
+- `DELETE /security/workflows/users/:id/roles/:role` (admin JWT required)
+
+### Shared notification workflows
+
+Use these helpers to standardize notification behavior across apps while still
+keeping app-specific email sending in your own services.
+
+```ts
+import { api as sdrSecurity } from "@scryan7371/sdr-security";
+
+await sdrSecurity.notifyAdminsOnEmailVerified({
+  user: {
+    id: user.id,
+    email: user.email,
+    firstName: user.firstName,
+    lastName: user.lastName,
+  },
+  listAdminEmails: () => usersService.listAdminEmails(),
+  notifyAdmins: ({ adminEmails, user }) =>
+    emailService.sendEmailVerifiedNotificationToAdmins(adminEmails, user),
+});
+
+await sdrSecurity.notifyUserOnAdminApproval({
+  approved: body.approved,
+  user: {
+    email: user.email,
+    firstName: user.firstName,
+  },
+  notifyUser: ({ email, firstName }) =>
+    emailService.sendAccountApproved(email, firstName),
+});
+```
 
 ## App Integration
 
 Create one client per app session and reuse it across screens:
 
 ```ts
-import { app as sdrSecurity } from '@scryan7371/sdr-security';
+import { app as sdrSecurity } from "@scryan7371/sdr-security";
 
 const securityClient = sdrSecurity.createSecurityClient({
   baseUrl,
@@ -42,31 +141,94 @@ Methods:
 - `requestPhoneVerification`
 - `verifyPhone`
 
-## Private Registry Publish (GitHub Packages)
+## Publish (npmjs)
 
-1. Set your token:
+1. Configure project-local npm auth (`.npmrc`):
+
+```ini
+registry=https://registry.npmjs.org/
+@scryan7371:registry=https://registry.npmjs.org/
+//registry.npmjs.org/:_authToken=${NPM_TOKEN}
+```
+
+2. Set token, bump version, and publish:
 
 ```bash
-export GITHUB_PACKAGES_TOKEN=ghp_xxx
+export NPM_TOKEN=xxxx
+npm version patch
+npm publish --access public --registry=https://registry.npmjs.org --userconfig .npmrc
 ```
 
-2. Publish:
+3. Push commit and tags:
 
 ```bash
-npm publish
+git push
+git push --tags
 ```
 
-## Install From Any Environment
+## CI Publish (GitHub Actions)
 
-1. Add auth to your consuming project's `.npmrc`:
+Tag pushes like `sdr-security-v*` trigger `.github/workflows/publish.yml`.
 
-```ini
-@scryan7371:registry=https://npm.pkg.github.com
-//npm.pkg.github.com/:_authToken=${GITHUB_PACKAGES_TOKEN}
-```
+Required repo secret:
 
-2. Install a pinned version:
+- `NPM_TOKEN` (npm granular token with read/write + bypass 2FA for automation).
+
+## Install
+
+Install a pinned version:
 
 ```bash
 npm install @scryan7371/sdr-security@0.1.0
 ```
+
+## Database Integration Test
+
+A sample Postgres integration test is included at:
+
+- `src/integration/database.integration.test.ts`
+
+Run it with:
+
+```bash
+npm run test:db
+```
+
+Configuration resolution order:
+
+1. `.env.test` (if present)
+2. `.env.dev` (if present)
+3. existing process env
+
+Supported env vars:
+
+- `SECURITY_TEST_DATABASE_URL` (preferred)
+- or `DB_HOST`, `DB_PORT`, `DB_USER`, `DB_PASSWORD`, `DB_NAME`
+- optional fallback: `DATABASE_URL`
+- optional debug:
+  - `SECURITY_TEST_KEEP_SCHEMA=true` (do not drop schema after test run)
+  - `SECURITY_TEST_SCHEMA=your_schema_name` (use fixed schema name)
+
+See `.env.test.example` for a template.
+
+## Release Script
+
+You can automate version bump + tag + push with:
+
+```bash
+npm run release:patch
+npm run release:minor
+npm run release:major
+```
+
+What it does:
+
+1. Verifies clean git working tree
+2. Runs `npm test`
+3. Runs `npm run build`
+4. Bumps `package.json` + `package-lock.json`
+5. Commits as `chore(release): vX.Y.Z`
+6. Tags as `sdr-security-vX.Y.Z`
+7. Pushes commit and tag
+
+This tag format triggers `.github/workflows/publish.yml`.

package/dist/api/contracts.d.ts

@@ -44,3 +44,15 @@ export type DebugCodeResponse = {
     success: true;
     debugCode?: string;
 };
+export type GenericSuccessResponse = {
+    success: true;
+};
+export type UserActiveResponse = {
+    success: true;
+    userId: string;
+    active: boolean;
+};
+export type AdminNotificationResponse = {
+    success: true;
+    notified: boolean;
+};

package/dist/api/index.d.ts

@@ -3,3 +3,4 @@ export * from "./migrations";
 export * from "./access-policy";
 export * from "./validation";
 export * from "./roles";
+export * from "./notification-workflows";

package/dist/api/index.js

@@ -19,3 +19,4 @@ __exportStar(require("./migrations"), exports);
 __exportStar(require("./access-policy"), exports);
 __exportStar(require("./validation"), exports);
 __exportStar(require("./roles"), exports);
+__exportStar(require("./notification-workflows"), exports);

package/dist/api/migrations/1739520000000-create-password-reset-tokens.d.ts

@@ -0,0 +1,9 @@
+export declare class CreatePasswordResetTokens1739520000000 {
+    name: string;
+    up(queryRunner: {
+        query: (sql: string) => Promise<unknown>;
+    }): Promise<void>;
+    down(queryRunner: {
+        query: (sql: string) => Promise<unknown>;
+    }): Promise<void>;
+}

package/dist/api/migrations/1739520000000-create-password-reset-tokens.js

@@ -0,0 +1,42 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CreatePasswordResetTokens1739520000000 = void 0;
+class CreatePasswordResetTokens1739520000000 {
+    name = "CreatePasswordResetTokens1739520000000";
+    async up(queryRunner) {
+        const userTableRef = getUserTableReference();
+        await queryRunner.query(`
+      CREATE TABLE IF NOT EXISTS "security_password_reset_token" (
+        "id" uuid PRIMARY KEY NOT NULL DEFAULT uuid_generate_v4(),
+        "user_id" varchar NOT NULL,
+        "token" varchar NOT NULL,
+        "expires_at" timestamptz NOT NULL,
+        "used_at" timestamptz,
+        "created_at" timestamptz NOT NULL DEFAULT now(),
+        CONSTRAINT "FK_security_password_reset_token_user_id" FOREIGN KEY ("user_id") REFERENCES ${userTableRef} ("id") ON DELETE CASCADE
+      )
+    `);
+        await queryRunner.query(`CREATE UNIQUE INDEX IF NOT EXISTS "IDX_security_password_reset_token_token" ON "security_password_reset_token" ("token")`);
+        await queryRunner.query(`CREATE INDEX IF NOT EXISTS "IDX_security_password_reset_token_user_id" ON "security_password_reset_token" ("user_id")`);
+    }
+    async down(queryRunner) {
+        await queryRunner.query(`DROP INDEX IF EXISTS "IDX_security_password_reset_token_user_id"`);
+        await queryRunner.query(`DROP INDEX IF EXISTS "IDX_security_password_reset_token_token"`);
+        await queryRunner.query(`DROP TABLE IF EXISTS "security_password_reset_token"`);
+    }
+}
+exports.CreatePasswordResetTokens1739520000000 = CreatePasswordResetTokens1739520000000;
+const getUserTableReference = () => {
+    const table = getSafeIdentifier(process.env.USER_TABLE, "app_user");
+    const schema = process.env.USER_TABLE_SCHEMA
+        ? getSafeIdentifier(process.env.USER_TABLE_SCHEMA, "public")
+        : "public";
+    return `"${schema}"."${table}"`;
+};
+const getSafeIdentifier = (value, fallback) => {
+    const resolved = value?.trim() || fallback;
+    if (!resolved || !/^[A-Za-z_][A-Za-z0-9_]*$/.test(resolved)) {
+        throw new Error(`Invalid SQL identifier: ${resolved}`);
+    }
+    return resolved;
+};

package/dist/api/migrations/index.d.ts

@@ -2,5 +2,6 @@ import { AddRefreshTokens1700000000001 } from "./1700000000001-add-refresh-token
 import { AddGoogleSubjectToUser1739490000000 } from "./1739490000000-add-google-subject-to-user";
 import { CreateSecurityIdentity1739500000000 } from "./1739500000000-create-security-identity";
 import { CreateSecurityRoles1739510000000 } from "./1739510000000-create-security-roles";
+import { CreatePasswordResetTokens1739520000000 } from "./1739520000000-create-password-reset-tokens";
 export declare const securityMigrations: (typeof AddRefreshTokens1700000000001)[];
-export { AddRefreshTokens1700000000001, AddGoogleSubjectToUser1739490000000, CreateSecurityIdentity1739500000000, CreateSecurityRoles1739510000000, };
+export { AddRefreshTokens1700000000001, AddGoogleSubjectToUser1739490000000, CreateSecurityIdentity1739500000000, CreateSecurityRoles1739510000000, CreatePasswordResetTokens1739520000000, };

package/dist/api/migrations/index.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.CreateSecurityRoles1739510000000 = exports.CreateSecurityIdentity1739500000000 = exports.AddGoogleSubjectToUser1739490000000 = exports.AddRefreshTokens1700000000001 = exports.securityMigrations = void 0;
+exports.CreatePasswordResetTokens1739520000000 = exports.CreateSecurityRoles1739510000000 = exports.CreateSecurityIdentity1739500000000 = exports.AddGoogleSubjectToUser1739490000000 = exports.AddRefreshTokens1700000000001 = exports.securityMigrations = void 0;
 const _1700000000001_add_refresh_tokens_1 = require("./1700000000001-add-refresh-tokens");
 Object.defineProperty(exports, "AddRefreshTokens1700000000001", { enumerable: true, get: function () { return _1700000000001_add_refresh_tokens_1.AddRefreshTokens1700000000001; } });
 const _1739490000000_add_google_subject_to_user_1 = require("./1739490000000-add-google-subject-to-user");
@@ -9,9 +9,12 @@ const _1739500000000_create_security_identity_1 = require("./1739500000000-creat
 Object.defineProperty(exports, "CreateSecurityIdentity1739500000000", { enumerable: true, get: function () { return _1739500000000_create_security_identity_1.CreateSecurityIdentity1739500000000; } });
 const _1739510000000_create_security_roles_1 = require("./1739510000000-create-security-roles");
 Object.defineProperty(exports, "CreateSecurityRoles1739510000000", { enumerable: true, get: function () { return _1739510000000_create_security_roles_1.CreateSecurityRoles1739510000000; } });
+const _1739520000000_create_password_reset_tokens_1 = require("./1739520000000-create-password-reset-tokens");
+Object.defineProperty(exports, "CreatePasswordResetTokens1739520000000", { enumerable: true, get: function () { return _1739520000000_create_password_reset_tokens_1.CreatePasswordResetTokens1739520000000; } });
 exports.securityMigrations = [
     _1700000000001_add_refresh_tokens_1.AddRefreshTokens1700000000001,
     _1739490000000_add_google_subject_to_user_1.AddGoogleSubjectToUser1739490000000,
     _1739500000000_create_security_identity_1.CreateSecurityIdentity1739500000000,
     _1739510000000_create_security_roles_1.CreateSecurityRoles1739510000000,
+    _1739520000000_create_password_reset_tokens_1.CreatePasswordResetTokens1739520000000,
 ];

package/dist/api/migrations/migrations.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/api/migrations/migrations.test.js

@@ -0,0 +1,134 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const _1700000000001_add_refresh_tokens_1 = require("./1700000000001-add-refresh-tokens");
+const _1739490000000_add_google_subject_to_user_1 = require("./1739490000000-add-google-subject-to-user");
+const _1739500000000_create_security_identity_1 = require("./1739500000000-create-security-identity");
+const _1739510000000_create_security_roles_1 = require("./1739510000000-create-security-roles");
+const _1739520000000_create_password_reset_tokens_1 = require("./1739520000000-create-password-reset-tokens");
+const index_1 = require("./index");
+const originalEnv = { ...process.env };
+(0, vitest_1.afterEach)(() => {
+    process.env = { ...originalEnv };
+    vitest_1.vi.restoreAllMocks();
+});
+(0, vitest_1.describe)("security migrations", () => {
+    (0, vitest_1.it)("exports migration list", () => {
+        (0, vitest_1.expect)(index_1.securityMigrations.length).toBe(5);
+        (0, vitest_1.expect)(index_1.securityMigrations[0]).toBe(_1700000000001_add_refresh_tokens_1.AddRefreshTokens1700000000001);
+    });
+    (0, vitest_1.it)("runs add refresh tokens migration up/down", async () => {
+        const query = vitest_1.vi.fn().mockResolvedValue(undefined);
+        const migration = new _1700000000001_add_refresh_tokens_1.AddRefreshTokens1700000000001();
+        await migration.up({ query });
+        await migration.down({ query });
+        (0, vitest_1.expect)(query).toHaveBeenCalledWith(vitest_1.expect.stringContaining('CREATE TABLE "refresh_token"'));
+        (0, vitest_1.expect)(query).toHaveBeenCalledWith(vitest_1.expect.stringContaining('DROP TABLE "refresh_token"'));
+    });
+    (0, vitest_1.it)("uses schema/table env in refresh token migration", async () => {
+        process.env.USER_TABLE = "users";
+        process.env.USER_TABLE_SCHEMA = "security";
+        const query = vitest_1.vi.fn().mockResolvedValue(undefined);
+        await new _1700000000001_add_refresh_tokens_1.AddRefreshTokens1700000000001().up({ query });
+        (0, vitest_1.expect)(query).toHaveBeenCalledWith(vitest_1.expect.stringContaining('REFERENCES "security"."users" ("id")'));
+    });
+    (0, vitest_1.it)("throws for invalid identifiers in refresh token migration", async () => {
+        process.env.USER_TABLE = "bad-name;drop";
+        const query = vitest_1.vi.fn().mockResolvedValue(undefined);
+        await (0, vitest_1.expect)(new _1700000000001_add_refresh_tokens_1.AddRefreshTokens1700000000001().up({ query })).rejects.toThrow("Invalid SQL identifier");
+    });
+    (0, vitest_1.it)("keeps legacy google subject migration as no-op", async () => {
+        const migration = new _1739490000000_add_google_subject_to_user_1.AddGoogleSubjectToUser1739490000000();
+        await (0, vitest_1.expect)(migration.up()).resolves.toBeUndefined();
+        await (0, vitest_1.expect)(migration.down()).resolves.toBeUndefined();
+    });
+    (0, vitest_1.it)("runs security identity migration path with google_subject present", async () => {
+        const query = vitest_1.vi
+            .fn()
+            .mockResolvedValueOnce(undefined)
+            .mockResolvedValueOnce(undefined)
+            .mockResolvedValueOnce(undefined)
+            .mockResolvedValueOnce(undefined)
+            .mockResolvedValueOnce([{ "?column?": 1 }])
+            .mockResolvedValueOnce(undefined)
+            .mockResolvedValueOnce(undefined)
+            .mockResolvedValueOnce(undefined);
+        const migration = new _1739500000000_create_security_identity_1.CreateSecurityIdentity1739500000000();
+        await migration.up({ query });
+        await migration.down({ query });
+        (0, vitest_1.expect)(query).toHaveBeenCalledWith(vitest_1.expect.stringContaining('CREATE TABLE IF NOT EXISTS "security_identity"'));
+        (0, vitest_1.expect)(query).toHaveBeenCalledWith(vitest_1.expect.stringContaining('DROP TABLE IF EXISTS "security_identity"'));
+    });
+    (0, vitest_1.it)("skips google_subject migration block when column absent", async () => {
+        const query = vitest_1.vi
+            .fn()
+            .mockResolvedValueOnce(undefined)
+            .mockResolvedValueOnce(undefined)
+            .mockResolvedValueOnce(undefined)
+            .mockResolvedValueOnce(undefined)
+            .mockResolvedValueOnce([]);
+        await new _1739500000000_create_security_identity_1.CreateSecurityIdentity1739500000000().up({ query });
+        (0, vitest_1.expect)(query).not.toHaveBeenCalledWith(vitest_1.expect.stringContaining('DROP COLUMN IF EXISTS "google_subject"'));
+    });
+    (0, vitest_1.it)("throws for invalid identifiers in identity migration", async () => {
+        process.env.USER_TABLE_SCHEMA = "bad-schema!";
+        const query = vitest_1.vi.fn().mockResolvedValue(undefined);
+        await (0, vitest_1.expect)(new _1739500000000_create_security_identity_1.CreateSecurityIdentity1739500000000().up({ query })).rejects.toThrow("Invalid SQL identifier");
+    });
+    (0, vitest_1.it)("runs security roles migration path with legacy role column", async () => {
+        const query = vitest_1.vi
+            .fn()
+            .mockResolvedValueOnce(undefined)
+            .mockResolvedValueOnce(undefined)
+            .mockResolvedValueOnce(undefined)
+            .mockResolvedValueOnce(undefined)
+            .mockResolvedValueOnce(undefined)
+            .mockResolvedValueOnce(undefined)
+            .mockResolvedValueOnce([{ "?column?": 1 }])
+            .mockResolvedValueOnce(undefined)
+            .mockResolvedValueOnce(undefined)
+            .mockResolvedValueOnce(undefined);
+        const migration = new _1739510000000_create_security_roles_1.CreateSecurityRoles1739510000000();
+        await migration.up({ query });
+        await migration.down({ query });
+        (0, vitest_1.expect)(query).toHaveBeenCalledWith(vitest_1.expect.stringContaining('CREATE TABLE IF NOT EXISTS "security_role"'));
+        (0, vitest_1.expect)(query).toHaveBeenCalledWith(vitest_1.expect.stringContaining('CREATE TABLE IF NOT EXISTS "security_user_role"'));
+        (0, vitest_1.expect)(query).toHaveBeenCalledWith(vitest_1.expect.stringContaining('DROP TABLE IF EXISTS "security_user_role"'));
+    });
+    (0, vitest_1.it)("skips legacy role backfill when role column absent", async () => {
+        const query = vitest_1.vi
+            .fn()
+            .mockResolvedValueOnce(undefined)
+            .mockResolvedValueOnce(undefined)
+            .mockResolvedValueOnce(undefined)
+            .mockResolvedValueOnce(undefined)
+            .mockResolvedValueOnce(undefined)
+            .mockResolvedValueOnce(undefined)
+            .mockResolvedValueOnce([]);
+        await new _1739510000000_create_security_roles_1.CreateSecurityRoles1739510000000().up({ query });
+        (0, vitest_1.expect)(query).not.toHaveBeenCalledWith(vitest_1.expect.stringContaining('DROP COLUMN IF EXISTS "role"'));
+    });
+    (0, vitest_1.it)("throws for invalid identifiers in roles migration", async () => {
+        process.env.USER_TABLE = "bad-name*";
+        const query = vitest_1.vi.fn().mockResolvedValue(undefined);
+        await (0, vitest_1.expect)(new _1739510000000_create_security_roles_1.CreateSecurityRoles1739510000000().up({ query })).rejects.toThrow("Invalid SQL identifier");
+    });
+    (0, vitest_1.it)("runs password reset token migration up/down", async () => {
+        const query = vitest_1.vi.fn().mockResolvedValue(undefined);
+        const migration = new _1739520000000_create_password_reset_tokens_1.CreatePasswordResetTokens1739520000000();
+        await migration.up({ query });
+        await migration.down({ query });
+        (0, vitest_1.expect)(query).toHaveBeenCalledWith(vitest_1.expect.stringContaining('CREATE TABLE IF NOT EXISTS "security_password_reset_token"'));
+        (0, vitest_1.expect)(query).toHaveBeenCalledWith(vitest_1.expect.stringContaining('DROP TABLE IF EXISTS "security_password_reset_token"'));
+    });
+    (0, vitest_1.it)("uses default public schema in password reset migration", async () => {
+        const query = vitest_1.vi.fn().mockResolvedValue(undefined);
+        await new _1739520000000_create_password_reset_tokens_1.CreatePasswordResetTokens1739520000000().up({ query });
+        (0, vitest_1.expect)(query).toHaveBeenCalledWith(vitest_1.expect.stringContaining('REFERENCES "public"."app_user" ("id")'));
+    });
+    (0, vitest_1.it)("throws for invalid identifiers in password reset migration", async () => {
+        process.env.USER_TABLE_SCHEMA = "bad.schema";
+        const query = vitest_1.vi.fn().mockResolvedValue(undefined);
+        await (0, vitest_1.expect)(new _1739520000000_create_password_reset_tokens_1.CreatePasswordResetTokens1739520000000().up({ query })).rejects.toThrow("Invalid SQL identifier");
+    });
+});

package/dist/api/notification-workflows.d.ts

@@ -0,0 +1,35 @@
+export type VerificationNotificationUser = {
+    id: string;
+    email: string;
+    firstName?: string | null;
+    lastName?: string | null;
+};
+export declare const notifyAdminsOnEmailVerified: (params: {
+    user: VerificationNotificationUser;
+    listAdminEmails: () => Promise<string[]>;
+    notifyAdmins: (payload: {
+        adminEmails: string[];
+        user: VerificationNotificationUser;
+    }) => Promise<void>;
+}) => Promise<{
+    notified: false;
+    adminEmails: string[];
+} | {
+    notified: true;
+    adminEmails: string[];
+}>;
+export declare const notifyUserOnAdminApproval: (params: {
+    approved: boolean;
+    user: {
+        email: string;
+        firstName?: string | null;
+    };
+    notifyUser: (payload: {
+        email: string;
+        firstName?: string | null;
+    }) => Promise<void>;
+}) => Promise<{
+    notified: false;
+} | {
+    notified: true;
+}>;

package/dist/api/notification-workflows.js

@@ -0,0 +1,23 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.notifyUserOnAdminApproval = exports.notifyAdminsOnEmailVerified = void 0;
+const notifyAdminsOnEmailVerified = async (params) => {
+    const adminEmails = await params.listAdminEmails();
+    if (adminEmails.length === 0) {
+        return { notified: false, adminEmails };
+    }
+    await params.notifyAdmins({ adminEmails, user: params.user });
+    return { notified: true, adminEmails };
+};
+exports.notifyAdminsOnEmailVerified = notifyAdminsOnEmailVerified;
+const notifyUserOnAdminApproval = async (params) => {
+    if (!params.approved) {
+        return { notified: false };
+    }
+    await params.notifyUser({
+        email: params.user.email,
+        firstName: params.user.firstName,
+    });
+    return { notified: true };
+};
+exports.notifyUserOnAdminApproval = notifyUserOnAdminApproval;

package/dist/api/notification-workflows.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/api/notification-workflows.test.js

@@ -0,0 +1,66 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const notification_workflows_1 = require("./notification-workflows");
+(0, vitest_1.describe)("notification-workflows", () => {
+    (0, vitest_1.it)("notifies admins when admin recipients exist", async () => {
+        const listAdminEmails = vitest_1.vi
+            .fn()
+            .mockResolvedValue(["admin@example.com"]);
+        const notifyAdmins = vitest_1.vi.fn().mockResolvedValue(undefined);
+        const result = await (0, notification_workflows_1.notifyAdminsOnEmailVerified)({
+            user: {
+                id: "user-1",
+                email: "user@example.com",
+                firstName: "User",
+                lastName: "One",
+            },
+            listAdminEmails,
+            notifyAdmins,
+        });
+        (0, vitest_1.expect)(result).toEqual({
+            notified: true,
+            adminEmails: ["admin@example.com"],
+        });
+        (0, vitest_1.expect)(notifyAdmins).toHaveBeenCalledWith(vitest_1.expect.objectContaining({
+            adminEmails: ["admin@example.com"],
+            user: vitest_1.expect.objectContaining({ id: "user-1" }),
+        }));
+    });
+    (0, vitest_1.it)("skips admin notification when there are no admin recipients", async () => {
+        const notifyAdmins = vitest_1.vi.fn().mockResolvedValue(undefined);
+        const result = await (0, notification_workflows_1.notifyAdminsOnEmailVerified)({
+            user: {
+                id: "user-1",
+                email: "user@example.com",
+            },
+            listAdminEmails: vitest_1.vi.fn().mockResolvedValue([]),
+            notifyAdmins,
+        });
+        (0, vitest_1.expect)(result).toEqual({ notified: false, adminEmails: [] });
+        (0, vitest_1.expect)(notifyAdmins).not.toHaveBeenCalled();
+    });
+    (0, vitest_1.it)("notifies user when account is approved", async () => {
+        const notifyUser = vitest_1.vi.fn().mockResolvedValue(undefined);
+        const result = await (0, notification_workflows_1.notifyUserOnAdminApproval)({
+            approved: true,
+            user: { email: "user@example.com", firstName: "User" },
+            notifyUser,
+        });
+        (0, vitest_1.expect)(result).toEqual({ notified: true });
+        (0, vitest_1.expect)(notifyUser).toHaveBeenCalledWith({
+            email: "user@example.com",
+            firstName: "User",
+        });
+    });
+    (0, vitest_1.it)("skips user notification when approval is false", async () => {
+        const notifyUser = vitest_1.vi.fn().mockResolvedValue(undefined);
+        const result = await (0, notification_workflows_1.notifyUserOnAdminApproval)({
+            approved: false,
+            user: { email: "user@example.com" },
+            notifyUser,
+        });
+        (0, vitest_1.expect)(result).toEqual({ notified: false });
+        (0, vitest_1.expect)(notifyUser).not.toHaveBeenCalled();
+    });
+});

package/dist/api/validation.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/api/validation.test.js

@@ -0,0 +1,20 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const validation_1 = require("./validation");
+(0, vitest_1.describe)("validation", () => {
+    (0, vitest_1.it)("sanitizes email", () => {
+        (0, vitest_1.expect)((0, validation_1.sanitizeEmail)("  USER@Example.COM ")).toBe("user@example.com");
+    });
+    (0, vitest_1.it)("validates email format", () => {
+        (0, vitest_1.expect)((0, validation_1.isValidEmail)("bad-email")).toBe(false);
+        (0, vitest_1.expect)((0, validation_1.isValidEmail)("u@e\\.c")).toBe(true);
+    });
+    (0, vitest_1.it)("checks password strength", () => {
+        (0, vitest_1.expect)((0, validation_1.isStrongPassword)("Abc123")).toBe(false);
+        (0, vitest_1.expect)((0, validation_1.isStrongPassword)("lowercase123")).toBe(false);
+        (0, vitest_1.expect)((0, validation_1.isStrongPassword)("UPPERCASE123")).toBe(false);
+        (0, vitest_1.expect)((0, validation_1.isStrongPassword)("NoDigitsHere")).toBe(false);
+        (0, vitest_1.expect)((0, validation_1.isStrongPassword)("Abc\\d")).toBe(true);
+    });
+});

package/dist/app/client.d.ts

@@ -1,4 +1,4 @@
-import type { AuthResponse, DebugCodeResponse, DebugTokenResponse, RoleCatalogResponse, RegisterResponse, UserRolesResponse } from "../api/contracts";
+import type { AdminNotificationResponse, AuthResponse, DebugCodeResponse, GenericSuccessResponse, RoleCatalogResponse, RegisterResponse, UserActiveResponse, UserRolesResponse } from "../api/contracts";
 type FetchLike = typeof fetch;
 export type SecurityClientOptions = {
     baseUrl: string;
@@ -32,10 +32,18 @@ export declare const createSecurityClient: (options: SecurityClientOptions) => {
     }) => Promise<{
         success: true;
     }>;
-    requestEmailVerification: () => Promise<DebugTokenResponse>;
+    changePassword: (payload: {
+        currentPassword: string;
+        newPassword: string;
+    }) => Promise<GenericSuccessResponse>;
     verifyEmail: (token: string) => Promise<{
         success: true;
     }>;
+    forgotPassword: (email: string) => Promise<GenericSuccessResponse>;
+    resetPassword: (payload: {
+        token: string;
+        newPassword: string;
+    }) => Promise<GenericSuccessResponse>;
     requestPhoneVerification: () => Promise<DebugCodeResponse>;
     verifyPhone: (code: string) => Promise<{
         success: true;
@@ -48,5 +56,12 @@ export declare const createSecurityClient: (options: SecurityClientOptions) => {
     }) => Promise<RoleCatalogResponse>;
     getUserRoles: (userId: string) => Promise<UserRolesResponse>;
     setUserRoles: (userId: string, roles: string[]) => Promise<UserRolesResponse>;
+    approveUser: (userId: string, approved: boolean) => Promise<AdminNotificationResponse>;
+    setUserActive: (userId: string, active: boolean) => Promise<UserActiveResponse>;
+    removeRole: (role: string) => Promise<{
+        success: boolean;
+    }>;
+    assignRoleToUser: (userId: string, role: string) => Promise<UserRolesResponse>;
+    removeRoleFromUser: (userId: string, role: string) => Promise<UserRolesResponse>;
 };
 export {};