@scryan7371/sdr-security 0.1.1

package/README.md

@@ -0,0 +1,72 @@
+# sdr-security
+
+Reusable auth/security capability for API and app clients.
+
+## Surfaces
+
+- `api`: shared auth types and input validation helpers.
+- `app`: typed client for auth endpoints.
+
+## API Integration
+
+Use shared helpers/types in your API controllers/services where useful:
+
+- `sanitizeEmail`
+- `isValidEmail`
+- `isStrongPassword`
+- `AuthResponse`, `RegisterResponse`, `SafeUser`
+
+## App Integration
+
+Create one client per app session and reuse it across screens:
+
+```ts
+import { app as sdrSecurity } from '@scryan7371/sdr-security';
+
+const securityClient = sdrSecurity.createSecurityClient({
+  baseUrl,
+  getAccessToken: () => accessToken,
+});
+```
+
+Methods:
+
+- `register`
+- `login`
+- `loginWithGoogle`
+- `refresh`
+- `revoke`
+- `logout`
+- `requestEmailVerification`
+- `verifyEmail`
+- `requestPhoneVerification`
+- `verifyPhone`
+
+## Private Registry Publish (GitHub Packages)
+
+1. Set your token:
+
+```bash
+export GITHUB_PACKAGES_TOKEN=ghp_xxx
+```
+
+2. Publish:
+
+```bash
+npm publish
+```
+
+## Install From Any Environment
+
+1. Add auth to your consuming project's `.npmrc`:
+
+```ini
+@scryan7371:registry=https://npm.pkg.github.com
+//npm.pkg.github.com/:_authToken=${GITHUB_PACKAGES_TOKEN}
+```
+
+2. Install a pinned version:
+
+```bash
+npm install @scryan7371/sdr-security@0.1.0
+```

package/dist/api/access-policy.d.ts

@@ -0,0 +1,15 @@
+export type AccessPolicyUser = {
+    isActive: boolean;
+    emailVerifiedAt: string | Date | null;
+    phoneVerifiedAt?: string | Date | null;
+    adminApprovedAt: string | Date | null;
+};
+export type AccessPolicyOptions = {
+    requireEmailVerification?: boolean;
+    requirePhoneVerification?: boolean;
+    requireAdminApproval?: boolean;
+    requireActive?: boolean;
+};
+export type AccessBlockReason = "EMAIL_VERIFICATION_REQUIRED" | "PHONE_VERIFICATION_REQUIRED" | "ADMIN_APPROVAL_REQUIRED" | "ACCOUNT_DEACTIVATED";
+export declare const getAuthBlockReason: (user: AccessPolicyUser, options?: AccessPolicyOptions) => AccessBlockReason | null;
+export declare const accessBlockReasonToMessage: (reason: AccessBlockReason) => string;

package/dist/api/access-policy.js

@@ -0,0 +1,41 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.accessBlockReasonToMessage = exports.getAuthBlockReason = void 0;
+const DEFAULT_OPTIONS = {
+    requireEmailVerification: true,
+    requirePhoneVerification: false,
+    requireAdminApproval: true,
+    requireActive: true,
+};
+const getAuthBlockReason = (user, options = {}) => {
+    const effective = { ...DEFAULT_OPTIONS, ...options };
+    if (effective.requireActive && !user.isActive) {
+        return "ACCOUNT_DEACTIVATED";
+    }
+    if (effective.requireEmailVerification && !user.emailVerifiedAt) {
+        return "EMAIL_VERIFICATION_REQUIRED";
+    }
+    if (effective.requirePhoneVerification && !user.phoneVerifiedAt) {
+        return "PHONE_VERIFICATION_REQUIRED";
+    }
+    if (effective.requireAdminApproval && !user.adminApprovedAt) {
+        return "ADMIN_APPROVAL_REQUIRED";
+    }
+    return null;
+};
+exports.getAuthBlockReason = getAuthBlockReason;
+const accessBlockReasonToMessage = (reason) => {
+    switch (reason) {
+        case "EMAIL_VERIFICATION_REQUIRED":
+            return "Email verification required";
+        case "PHONE_VERIFICATION_REQUIRED":
+            return "Phone verification required";
+        case "ADMIN_APPROVAL_REQUIRED":
+            return "Admin approval required";
+        case "ACCOUNT_DEACTIVATED":
+            return "Account deactivated";
+        default:
+            return "Unauthorized";
+    }
+};
+exports.accessBlockReasonToMessage = accessBlockReasonToMessage;

package/dist/api/access-policy.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/api/access-policy.test.js

@@ -0,0 +1,67 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const access_policy_1 = require("./access-policy");
+const baseUser = {
+    isActive: true,
+    emailVerifiedAt: new Date(),
+    phoneVerifiedAt: null,
+    adminApprovedAt: new Date(),
+};
+(0, vitest_1.describe)("getAuthBlockReason", () => {
+    (0, vitest_1.it)("returns null for user meeting default requirements", () => {
+        (0, vitest_1.expect)((0, access_policy_1.getAuthBlockReason)(baseUser)).toBeNull();
+    });
+    (0, vitest_1.it)("blocks deactivated users first", () => {
+        (0, vitest_1.expect)((0, access_policy_1.getAuthBlockReason)({
+            ...baseUser,
+            isActive: false,
+            emailVerifiedAt: null,
+            adminApprovedAt: null,
+        })).toBe("ACCOUNT_DEACTIVATED");
+    });
+    (0, vitest_1.it)("blocks when email verification is required and missing", () => {
+        (0, vitest_1.expect)((0, access_policy_1.getAuthBlockReason)({
+            ...baseUser,
+            emailVerifiedAt: null,
+        })).toBe("EMAIL_VERIFICATION_REQUIRED");
+    });
+    (0, vitest_1.it)("does not block missing phone when phone verification is disabled", () => {
+        (0, vitest_1.expect)((0, access_policy_1.getAuthBlockReason)({
+            ...baseUser,
+            phoneVerifiedAt: null,
+        })).toBeNull();
+    });
+    (0, vitest_1.it)("blocks missing phone when phone verification is enabled", () => {
+        (0, vitest_1.expect)((0, access_policy_1.getAuthBlockReason)({
+            ...baseUser,
+            phoneVerifiedAt: null,
+        }, { requirePhoneVerification: true })).toBe("PHONE_VERIFICATION_REQUIRED");
+    });
+    (0, vitest_1.it)("blocks when admin approval is required and missing", () => {
+        (0, vitest_1.expect)((0, access_policy_1.getAuthBlockReason)({
+            ...baseUser,
+            adminApprovedAt: null,
+        })).toBe("ADMIN_APPROVAL_REQUIRED");
+    });
+    (0, vitest_1.it)("respects disabled flags", () => {
+        (0, vitest_1.expect)((0, access_policy_1.getAuthBlockReason)({
+            ...baseUser,
+            isActive: false,
+            emailVerifiedAt: null,
+            adminApprovedAt: null,
+        }, {
+            requireActive: false,
+            requireEmailVerification: false,
+            requireAdminApproval: false,
+        })).toBeNull();
+    });
+});
+(0, vitest_1.describe)("accessBlockReasonToMessage", () => {
+    (0, vitest_1.it)("maps each reason to expected message", () => {
+        (0, vitest_1.expect)((0, access_policy_1.accessBlockReasonToMessage)("EMAIL_VERIFICATION_REQUIRED")).toBe("Email verification required");
+        (0, vitest_1.expect)((0, access_policy_1.accessBlockReasonToMessage)("PHONE_VERIFICATION_REQUIRED")).toBe("Phone verification required");
+        (0, vitest_1.expect)((0, access_policy_1.accessBlockReasonToMessage)("ADMIN_APPROVAL_REQUIRED")).toBe("Admin approval required");
+        (0, vitest_1.expect)((0, access_policy_1.accessBlockReasonToMessage)("ACCOUNT_DEACTIVATED")).toBe("Account deactivated");
+    });
+});

package/dist/api/contracts.d.ts

@@ -0,0 +1,46 @@
+export declare const ADMIN_ROLE = "ADMIN";
+export type UserRole = string;
+export type SafeUser = {
+    id: string;
+    email: string;
+    firstName: string | null;
+    lastName: string | null;
+    phone: string | null;
+    roles: UserRole[];
+    emailVerifiedAt: string | Date | null;
+    phoneVerifiedAt: string | Date | null;
+    adminApprovedAt: string | Date | null;
+    isActive: boolean;
+};
+export type UserRolesResponse = {
+    userId: string;
+    roles: UserRole[];
+};
+export type RoleDefinition = {
+    role: UserRole;
+    description: string | null;
+    isSystem: boolean;
+};
+export type RoleCatalogResponse = {
+    roles: RoleDefinition[];
+};
+export type AuthResponse = {
+    accessToken: string;
+    accessTokenExpiresIn: string;
+    refreshToken: string;
+    refreshTokenExpiresAt: string | Date;
+    user: SafeUser;
+};
+export type RegisterResponse = {
+    success: true;
+    user: SafeUser;
+    debugToken?: string;
+};
+export type DebugTokenResponse = {
+    success: true;
+    debugToken?: string;
+};
+export type DebugCodeResponse = {
+    success: true;
+    debugCode?: string;
+};

package/dist/api/contracts.js

@@ -0,0 +1,4 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ADMIN_ROLE = void 0;
+exports.ADMIN_ROLE = "ADMIN";

package/dist/api/index.d.ts

@@ -0,0 +1,5 @@
+export * from "./contracts";
+export * from "./migrations";
+export * from "./access-policy";
+export * from "./validation";
+export * from "./roles";

package/dist/api/index.js

@@ -0,0 +1,21 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./contracts"), exports);
+__exportStar(require("./migrations"), exports);
+__exportStar(require("./access-policy"), exports);
+__exportStar(require("./validation"), exports);
+__exportStar(require("./roles"), exports);

package/dist/api/migrations/1700000000001-add-refresh-tokens.d.ts

@@ -0,0 +1,9 @@
+export declare class AddRefreshTokens1700000000001 {
+    name: string;
+    up(queryRunner: {
+        query: (sql: string) => Promise<unknown>;
+    }): Promise<void>;
+    down(queryRunner: {
+        query: (sql: string) => Promise<unknown>;
+    }): Promise<void>;
+}

package/dist/api/migrations/1700000000001-add-refresh-tokens.js

@@ -0,0 +1,40 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AddRefreshTokens1700000000001 = void 0;
+class AddRefreshTokens1700000000001 {
+    name = "AddRefreshTokens1700000000001";
+    async up(queryRunner) {
+        const userTableRef = getUserTableReference();
+        await queryRunner.query(`
+      CREATE TABLE "refresh_token" (
+        "id" varchar PRIMARY KEY NOT NULL,
+        "token_hash" varchar NOT NULL,
+        "expires_at" timestamptz NOT NULL,
+        "revoked_at" timestamptz,
+        "userId" varchar,
+        "created_at" timestamptz NOT NULL DEFAULT (CURRENT_TIMESTAMP),
+        CONSTRAINT "FK_refresh_token_user" FOREIGN KEY ("userId") REFERENCES ${userTableRef} ("id") ON DELETE CASCADE ON UPDATE NO ACTION
+      )
+    `);
+        await queryRunner.query(`CREATE INDEX "IDX_refresh_token_user" ON "refresh_token" ("userId")`);
+    }
+    async down(queryRunner) {
+        await queryRunner.query(`DROP INDEX "IDX_refresh_token_user"`);
+        await queryRunner.query(`DROP TABLE "refresh_token"`);
+    }
+}
+exports.AddRefreshTokens1700000000001 = AddRefreshTokens1700000000001;
+const getUserTableReference = () => {
+    const table = getSafeIdentifier(process.env.USER_TABLE, "app_user");
+    const schema = process.env.USER_TABLE_SCHEMA
+        ? getSafeIdentifier(process.env.USER_TABLE_SCHEMA, "")
+        : "";
+    return schema ? `"${schema}"."${table}"` : `"${table}"`;
+};
+const getSafeIdentifier = (value, fallback) => {
+    const resolved = value?.trim() || fallback;
+    if (!resolved || !/^[A-Za-z_][A-Za-z0-9_]*$/.test(resolved)) {
+        throw new Error(`Invalid SQL identifier: ${resolved}`);
+    }
+    return resolved;
+};

package/dist/api/migrations/1739490000000-add-google-subject-to-user.d.ts

@@ -0,0 +1,5 @@
+export declare class AddGoogleSubjectToUser1739490000000 {
+    name: string;
+    up(): Promise<void>;
+    down(): Promise<void>;
+}

package/dist/api/migrations/1739490000000-add-google-subject-to-user.js

@@ -0,0 +1,14 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AddGoogleSubjectToUser1739490000000 = void 0;
+class AddGoogleSubjectToUser1739490000000 {
+    name = "AddGoogleSubjectToUser1739490000000";
+    // Legacy migration retained for backward compatibility with existing migration history.
+    async up() {
+        return;
+    }
+    async down() {
+        return;
+    }
+}
+exports.AddGoogleSubjectToUser1739490000000 = AddGoogleSubjectToUser1739490000000;

package/dist/api/migrations/1739500000000-create-security-identity.d.ts

@@ -0,0 +1,9 @@
+export declare class CreateSecurityIdentity1739500000000 {
+    name: string;
+    up(queryRunner: {
+        query: (sql: string, params?: unknown[]) => Promise<unknown>;
+    }): Promise<void>;
+    down(queryRunner: {
+        query: (sql: string) => Promise<unknown>;
+    }): Promise<void>;
+}

package/dist/api/migrations/1739500000000-create-security-identity.js

@@ -0,0 +1,68 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CreateSecurityIdentity1739500000000 = void 0;
+class CreateSecurityIdentity1739500000000 {
+    name = "CreateSecurityIdentity1739500000000";
+    async up(queryRunner) {
+        const userTable = getSafeIdentifier(process.env.USER_TABLE, "app_user");
+        const userSchema = getSafeIdentifier(process.env.USER_TABLE_SCHEMA, "public");
+        const userTableRef = `"${userSchema}"."${userTable}"`;
+        await queryRunner.query(`CREATE EXTENSION IF NOT EXISTS "uuid-ossp"`);
+        await queryRunner.query(`
+      CREATE TABLE IF NOT EXISTS "security_identity" (
+        "id" uuid PRIMARY KEY NOT NULL DEFAULT uuid_generate_v4(),
+        "user_id" varchar NOT NULL,
+        "provider" varchar NOT NULL,
+        "provider_subject" varchar NOT NULL,
+        "created_at" timestamptz NOT NULL DEFAULT now(),
+        "updated_at" timestamptz NOT NULL DEFAULT now(),
+        CONSTRAINT "FK_security_identity_user_id" FOREIGN KEY ("user_id") REFERENCES ${userTableRef} ("id") ON DELETE CASCADE
+      )
+    `);
+        await queryRunner.query(`CREATE UNIQUE INDEX IF NOT EXISTS "IDX_security_identity_provider_subject" ON "security_identity" ("provider", "provider_subject")`);
+        await queryRunner.query(`CREATE UNIQUE INDEX IF NOT EXISTS "IDX_security_identity_user_provider" ON "security_identity" ("user_id", "provider")`);
+        const hasGoogleSubjectColumn = (await queryRunner.query(`
+        SELECT 1
+        FROM information_schema.columns
+        WHERE table_schema = $1
+          AND table_name = $2
+          AND column_name = 'google_subject'
+        LIMIT 1
+      `, [userSchema, userTable]));
+        if (hasGoogleSubjectColumn.length > 0) {
+            await queryRunner.query(`
+        INSERT INTO "security_identity" (
+          "user_id",
+          "provider",
+          "provider_subject",
+          "created_at",
+          "updated_at"
+        )
+        SELECT
+          "id",
+          'google',
+          "google_subject",
+          now(),
+          now()
+        FROM ${userTableRef}
+        WHERE "google_subject" IS NOT NULL
+        ON CONFLICT ("provider", "provider_subject") DO NOTHING
+      `);
+            await queryRunner.query(`DROP INDEX IF EXISTS "IDX_app_user_google_subject"`);
+            await queryRunner.query(`ALTER TABLE ${userTableRef} DROP COLUMN IF EXISTS "google_subject"`);
+        }
+    }
+    async down(queryRunner) {
+        await queryRunner.query(`DROP INDEX IF EXISTS "IDX_security_identity_user_provider"`);
+        await queryRunner.query(`DROP INDEX IF EXISTS "IDX_security_identity_provider_subject"`);
+        await queryRunner.query(`DROP TABLE IF EXISTS "security_identity"`);
+    }
+}
+exports.CreateSecurityIdentity1739500000000 = CreateSecurityIdentity1739500000000;
+const getSafeIdentifier = (value, fallback) => {
+    const resolved = value?.trim() || fallback;
+    if (!resolved || !/^[A-Za-z_][A-Za-z0-9_]*$/.test(resolved)) {
+        throw new Error(`Invalid SQL identifier: ${resolved}`);
+    }
+    return resolved;
+};

package/dist/api/migrations/1739510000000-create-security-roles.d.ts

@@ -0,0 +1,9 @@
+export declare class CreateSecurityRoles1739510000000 {
+    name: string;
+    up(queryRunner: {
+        query: (sql: string, params?: unknown[]) => Promise<unknown>;
+    }): Promise<void>;
+    down(queryRunner: {
+        query: (sql: string) => Promise<unknown>;
+    }): Promise<void>;
+}

package/dist/api/migrations/1739510000000-create-security-roles.js

@@ -0,0 +1,95 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CreateSecurityRoles1739510000000 = void 0;
+class CreateSecurityRoles1739510000000 {
+    name = "CreateSecurityRoles1739510000000";
+    async up(queryRunner) {
+        const userTable = getSafeIdentifier(process.env.USER_TABLE, "app_user");
+        const userSchema = getSafeIdentifier(process.env.USER_TABLE_SCHEMA, "public");
+        const userTableRef = `"${userSchema}"."${userTable}"`;
+        await queryRunner.query(`CREATE EXTENSION IF NOT EXISTS "uuid-ossp"`);
+        await queryRunner.query(`
+      CREATE TABLE IF NOT EXISTS "security_role" (
+        "id" uuid PRIMARY KEY NOT NULL DEFAULT uuid_generate_v4(),
+        "role_key" varchar NOT NULL,
+        "description" text,
+        "is_system" boolean NOT NULL DEFAULT false,
+        "created_at" timestamptz NOT NULL DEFAULT now(),
+        "updated_at" timestamptz NOT NULL DEFAULT now()
+      )
+    `);
+        await queryRunner.query(`CREATE UNIQUE INDEX IF NOT EXISTS "IDX_security_role_key" ON "security_role" ("role_key")`);
+        await queryRunner.query(`
+      CREATE TABLE IF NOT EXISTS "security_user_role" (
+        "id" uuid PRIMARY KEY NOT NULL DEFAULT uuid_generate_v4(),
+        "user_id" varchar NOT NULL,
+        "role_id" uuid NOT NULL,
+        "created_at" timestamptz NOT NULL DEFAULT now(),
+        CONSTRAINT "FK_security_user_role_user_id" FOREIGN KEY ("user_id") REFERENCES ${userTableRef} ("id") ON DELETE CASCADE,
+        CONSTRAINT "FK_security_user_role_role_id" FOREIGN KEY ("role_id") REFERENCES "security_role" ("id") ON DELETE CASCADE
+      )
+    `);
+        await queryRunner.query(`CREATE UNIQUE INDEX IF NOT EXISTS "IDX_security_user_role_user_role" ON "security_user_role" ("user_id", "role_id")`);
+        await queryRunner.query(`
+      INSERT INTO "security_role" ("role_key", "description", "is_system", "created_at", "updated_at")
+      VALUES ('ADMIN', 'Administrative access', true, now(), now())
+      ON CONFLICT ("role_key") DO NOTHING
+    `);
+        const hasRoleColumn = (await queryRunner.query(`
+        SELECT 1
+        FROM information_schema.columns
+        WHERE table_schema = $1
+          AND table_name = $2
+          AND column_name = 'role'
+        LIMIT 1
+      `, [userSchema, userTable]));
+        if (hasRoleColumn.length > 0) {
+            await queryRunner.query(`
+        INSERT INTO "security_role" ("role_key", "description", "is_system", "created_at", "updated_at")
+        SELECT DISTINCT
+          CASE
+            WHEN UPPER(TRIM("role")) = 'ADMINISTRATOR' THEN 'ADMIN'
+            ELSE UPPER(TRIM("role"))
+          END AS "role_key",
+          NULL,
+          false,
+          now(),
+          now()
+        FROM ${userTableRef}
+        WHERE "role" IS NOT NULL
+          AND LENGTH(TRIM("role")) > 0
+        ON CONFLICT ("role_key") DO NOTHING
+      `);
+            await queryRunner.query(`
+        INSERT INTO "security_user_role" ("user_id", "role_id", "created_at")
+        SELECT
+          u."id" AS "user_id",
+          r."id" AS "role_id",
+          now()
+        FROM ${userTableRef} u
+        INNER JOIN "security_role" r ON r."role_key" = CASE
+          WHEN UPPER(TRIM(u."role")) = 'ADMINISTRATOR' THEN 'ADMIN'
+          ELSE UPPER(TRIM(u."role"))
+        END
+        WHERE u."role" IS NOT NULL
+          AND LENGTH(TRIM(u."role")) > 0
+        ON CONFLICT ("user_id", "role_id") DO NOTHING
+      `);
+            await queryRunner.query(`ALTER TABLE ${userTableRef} DROP COLUMN IF EXISTS "role"`);
+        }
+    }
+    async down(queryRunner) {
+        await queryRunner.query(`DROP INDEX IF EXISTS "IDX_security_user_role_user_role"`);
+        await queryRunner.query(`DROP TABLE IF EXISTS "security_user_role"`);
+        await queryRunner.query(`DROP INDEX IF EXISTS "IDX_security_role_key"`);
+        await queryRunner.query(`DROP TABLE IF EXISTS "security_role"`);
+    }
+}
+exports.CreateSecurityRoles1739510000000 = CreateSecurityRoles1739510000000;
+const getSafeIdentifier = (value, fallback) => {
+    const resolved = value?.trim() || fallback;
+    if (!resolved || !/^[A-Za-z_][A-Za-z0-9_]*$/.test(resolved)) {
+        throw new Error(`Invalid SQL identifier: ${resolved}`);
+    }
+    return resolved;
+};

package/dist/api/migrations/index.d.ts

@@ -0,0 +1,6 @@
+import { AddRefreshTokens1700000000001 } from "./1700000000001-add-refresh-tokens";
+import { AddGoogleSubjectToUser1739490000000 } from "./1739490000000-add-google-subject-to-user";
+import { CreateSecurityIdentity1739500000000 } from "./1739500000000-create-security-identity";
+import { CreateSecurityRoles1739510000000 } from "./1739510000000-create-security-roles";
+export declare const securityMigrations: (typeof AddRefreshTokens1700000000001)[];
+export { AddRefreshTokens1700000000001, AddGoogleSubjectToUser1739490000000, CreateSecurityIdentity1739500000000, CreateSecurityRoles1739510000000, };

package/dist/api/migrations/index.js

@@ -0,0 +1,17 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CreateSecurityRoles1739510000000 = exports.CreateSecurityIdentity1739500000000 = exports.AddGoogleSubjectToUser1739490000000 = exports.AddRefreshTokens1700000000001 = exports.securityMigrations = void 0;
+const _1700000000001_add_refresh_tokens_1 = require("./1700000000001-add-refresh-tokens");
+Object.defineProperty(exports, "AddRefreshTokens1700000000001", { enumerable: true, get: function () { return _1700000000001_add_refresh_tokens_1.AddRefreshTokens1700000000001; } });
+const _1739490000000_add_google_subject_to_user_1 = require("./1739490000000-add-google-subject-to-user");
+Object.defineProperty(exports, "AddGoogleSubjectToUser1739490000000", { enumerable: true, get: function () { return _1739490000000_add_google_subject_to_user_1.AddGoogleSubjectToUser1739490000000; } });
+const _1739500000000_create_security_identity_1 = require("./1739500000000-create-security-identity");
+Object.defineProperty(exports, "CreateSecurityIdentity1739500000000", { enumerable: true, get: function () { return _1739500000000_create_security_identity_1.CreateSecurityIdentity1739500000000; } });
+const _1739510000000_create_security_roles_1 = require("./1739510000000-create-security-roles");
+Object.defineProperty(exports, "CreateSecurityRoles1739510000000", { enumerable: true, get: function () { return _1739510000000_create_security_roles_1.CreateSecurityRoles1739510000000; } });
+exports.securityMigrations = [
+    _1700000000001_add_refresh_tokens_1.AddRefreshTokens1700000000001,
+    _1739490000000_add_google_subject_to_user_1.AddGoogleSubjectToUser1739490000000,
+    _1739500000000_create_security_identity_1.CreateSecurityIdentity1739500000000,
+    _1739510000000_create_security_roles_1.CreateSecurityRoles1739510000000,
+];

package/dist/api/roles.d.ts

@@ -0,0 +1,3 @@
+export declare const normalizeRoleName: (value: string) => string;
+export declare const hasRole: (roles: string[], role: string) => boolean;
+export declare const isAdmin: (roles: string[]) => boolean;

package/dist/api/roles.js

@@ -0,0 +1,29 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isAdmin = exports.hasRole = exports.normalizeRoleName = void 0;
+const contracts_1 = require("./contracts");
+const normalizeRoleName = (value) => {
+    const normalized = value.trim().toUpperCase().replace(/\s+/g, "_");
+    if (!normalized || !/^[A-Z][A-Z0-9_]*$/.test(normalized)) {
+        throw new Error("Invalid role name");
+    }
+    if (normalized === "ADMINISTRATOR") {
+        return contracts_1.ADMIN_ROLE;
+    }
+    return normalized;
+};
+exports.normalizeRoleName = normalizeRoleName;
+const hasRole = (roles, role) => {
+    const normalizedRole = (0, exports.normalizeRoleName)(role);
+    return roles.some((assignedRole) => {
+        try {
+            return (0, exports.normalizeRoleName)(assignedRole) === normalizedRole;
+        }
+        catch {
+            return false;
+        }
+    });
+};
+exports.hasRole = hasRole;
+const isAdmin = (roles) => (0, exports.hasRole)(roles, contracts_1.ADMIN_ROLE);
+exports.isAdmin = isAdmin;

package/dist/api/roles.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/api/roles.test.js

@@ -0,0 +1,19 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const roles_1 = require("./roles");
+(0, vitest_1.describe)("roles", () => {
+    (0, vitest_1.it)("normalizes role names", () => {
+        (0, vitest_1.expect)((0, roles_1.normalizeRoleName)("admin")).toBe("ADMIN");
+        (0, vitest_1.expect)((0, roles_1.normalizeRoleName)("case manager")).toBe("CASE_MANAGER");
+        (0, vitest_1.expect)((0, roles_1.normalizeRoleName)("ADMINISTRATOR")).toBe("ADMIN");
+    });
+    (0, vitest_1.it)("checks role membership", () => {
+        (0, vitest_1.expect)((0, roles_1.hasRole)(["ADMIN", "MEMBER"], "admin")).toBe(true);
+        (0, vitest_1.expect)((0, roles_1.hasRole)(["MEMBER"], "ADMIN")).toBe(false);
+    });
+    (0, vitest_1.it)("checks admin role", () => {
+        (0, vitest_1.expect)((0, roles_1.isAdmin)(["ADMIN"])).toBe(true);
+        (0, vitest_1.expect)((0, roles_1.isAdmin)(["MEMBER"])).toBe(false);
+    });
+});

package/dist/api/validation.d.ts

@@ -0,0 +1,3 @@
+export declare const sanitizeEmail: (email: string) => string;
+export declare const isValidEmail: (value: string) => boolean;
+export declare const isStrongPassword: (value: string) => boolean;

package/dist/api/validation.js

@@ -0,0 +1,9 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isStrongPassword = exports.isValidEmail = exports.sanitizeEmail = void 0;
+const sanitizeEmail = (email) => email.trim().toLowerCase();
+exports.sanitizeEmail = sanitizeEmail;
+const isValidEmail = (value) => /^[^\\s@]+@[^\\s@]+\\.[^\\s@]+$/.test(value);
+exports.isValidEmail = isValidEmail;
+const isStrongPassword = (value) => /[A-Z]/.test(value) && /[a-z]/.test(value) && /\\d/.test(value);
+exports.isStrongPassword = isStrongPassword;