@soulcraft/sdk 1.5.0 → 1.5.1

package/dist/modules/auth/middleware.d.ts

@@ -1,31 +1,41 @@
 /**
  * @module modules/auth/middleware
- * @description Hono auth middleware factories and remote session verification
- * for Soulcraft product backends.
+ * @description Hono auth middleware factories, remote session verification, and
+ * dev/guest session utilities for Soulcraft product backends.
  *
- * Provides framework-agnostic middleware that products mount in their Hono server
- * to authenticate requests against a better-auth instance (local or remote IdP).
+ * ## Session verification strategies
  *
- * The middleware pattern is product-agnostic — Workshop, Venue, and Academy all
- * use the same factories, passing their own `auth` instance. This replaces the
- * per-product copies of `requireAuth` / `optionalAuth` in Workshop's better-auth.ts.
+ * All products share the same `createAuthMiddleware` factory, but each product
+ * selects the right session verifier for its deployment context:
  *
- * ## Remote session verification
+ * ```
+ * Production (all products):
+ *   createRemoteSessionVerifier({ idpUrl: 'https://auth.soulcraft.com' })
+ *
+ * Development (all products):
+ *   createDevSessionVerifier({ role: 'owner' })   // auto-login, no OAuth needed
+ *
+ * Workshop standalone (legacy / local OAuth):
+ *   createAuthMiddleware(betterAuthInstance)       // BetterAuthLike overload
+ * ```
+ *
+ * ## Dev and guest endpoint factories
  *
- * `createRemoteSessionVerifier` is used by products that delegate authentication
- * to the central IdP (`auth.soulcraft.com`) but need to verify sessions without
- * running a full better-auth instance. It proxies the session lookup via HTTP with
- * an LRU cache to avoid per-request round-trips to the IdP.
+ * - `createDevLoginHandler` — mounts a `/api/dev/login` endpoint for role-switching
+ *   during development. Issues a signed dev session cookie. No-ops in production.
+ * - `createGuestSessionHandler` — mounts a `/api/guest/session` endpoint so Venue
+ *   visitors can obtain a guest session (platformRole `'guest'`) for anonymous
+ *   browse and booking flows, before they create an account.
  *
- * @example Hono setup (Workshop)
+ * @example Production setup (Venue / Academy)
  * ```typescript
- * import { createAuthMiddleware } from '@soulcraft/sdk/server'
- * import { auth } from './better-auth.js'
+ * import { createAuthMiddleware, createRemoteSessionVerifier } from '@soulcraft/sdk/server'
  *
- * const { requireAuth, optionalAuth } = createAuthMiddleware(auth)
+ * const verifySession = createRemoteSessionVerifier({ idpUrl: process.env.SOULCRAFT_IDP_URL! })
+ * const { requireAuth, optionalAuth } = createAuthMiddleware(verifySession)
  *
- * app.get('/api/workspaces', requireAuth, async (c) => {
- *   const user = c.get('user')! // SoulcraftSessionUser, guaranteed non-null
+ * app.get('/api/bookings', requireAuth, async (c) => {
+ *   const user = c.get('user')! // SoulcraftSessionUser
  * })
  * ```
  */
@@ -54,41 +64,48 @@ export interface BetterAuthLike {
     };
 }
 /**
- * @description Options for createAuthMiddleware().
+ * A session verifier function — the common abstraction for session resolution
+ * across all products in non-standalone auth mode.
+ *
+ * Returned by `createRemoteSessionVerifier` and `createDevSessionVerifier`.
+ * `createAuthMiddleware` accepts either a `BetterAuthLike` instance (Workshop
+ * standalone mode) or a `SessionVerifier` function (all other products and modes).
+ */
+export type SessionVerifier = (cookieHeader: string) => Promise<SoulcraftSession | null>;
+/**
+ * Options for `createAuthMiddleware()`.
  */
 export interface AuthMiddlewareOptions {
     /**
-     * If true, a synthetic dev user is injected in non-production environments,
-     * bypassing the session check entirely. Set to false to disable dev auto-login
-     * (e.g. for integration test servers that need real auth even in dev).
+     * If true, a synthetic dev user is injected in non-production environments
+     * when a `BetterAuthLike` auth instance is provided and session lookup fails.
+     * Not used when a `SessionVerifier` function is provided — use
+     * `createDevSessionVerifier` instead for full dev auto-login in that mode.
      * @default true
      */
     devAutoLogin?: boolean;
 }
 /**
- * @description The object returned by createAuthMiddleware().
+ * The object returned by `createAuthMiddleware()`.
  */
 export interface AuthMiddleware {
     /**
-     * Require authentication. Resolves the better-auth session. If the session is
-     * valid, attaches the typed user to the Hono context and calls next(). Returns
-     * HTTP 401 if unauthenticated.
-     *
-     * In development mode (unless devAutoLogin is disabled), a synthetic dev user
-     * is injected automatically.
+     * Require authentication. Resolves the session from request cookies. If the
+     * session is valid, attaches the typed user to the Hono context under the
+     * `'user'` key and calls `next()`. Returns HTTP 401 if unauthenticated.
      */
     requireAuth: (c: AuthContext, next: Next) => Promise<void | Response>;
     /**
      * Optional authentication. Resolves the session if one exists, but does not
-     * reject unauthenticated requests. User will be null for anonymous requests.
+     * reject unauthenticated requests. User will be `null` for anonymous requests.
      */
     optionalAuth: (c: AuthContext, next: Next) => Promise<void | Response>;
 }
 /**
- * @description Options for createRemoteSessionVerifier().
+ * Options for `createRemoteSessionVerifier()`.
  */
 export interface RemoteSessionVerifierOptions {
-    /** The central IdP base URL, e.g. "https://auth.soulcraft.com". */
+    /** The central IdP base URL, e.g. `"https://auth.soulcraft.com"`. */
     idpUrl: string;
     /** Session cache TTL in milliseconds. Default: 30 000 (30 seconds). */
     cacheTtlMs?: number;
@@ -96,7 +113,7 @@ export interface RemoteSessionVerifierOptions {
     cacheMax?: number;
 }
 /**
- * @description Options for createDevSessionVerifier().
+ * Options for `createDevSessionVerifier()`.
  */
 export interface DevSessionVerifierOptions {
     /**
@@ -116,40 +133,101 @@ export interface DevSessionVerifierOptions {
     name?: string;
 }
 /**
- * @description Creates Hono auth middleware bound to a specific better-auth instance.
+ * Options for `createDevLoginHandler()`.
+ */
+export interface DevLoginHandlerOptions {
+    /**
+     * Allowed platform roles. The role must be in this list for the handler to
+     * issue a session cookie. Defaults to all non-guest platform roles.
+     * @default ['creator','viewer','customer','staff','manager','owner','learner','instructor']
+     */
+    allowedRoles?: SoulcraftSessionUser['platformRole'][];
+    /**
+     * Cookie name for the issued dev session.
+     * @default 'soulcraft_dev_session'
+     */
+    cookieName?: string;
+    /**
+     * Session cookie max-age in seconds.
+     * @default 86400 (24 hours)
+     */
+    maxAgeSeconds?: number;
+}
+/**
+ * Options for `createGuestSessionHandler()`.
+ */
+export interface GuestSessionHandlerOptions {
+    /**
+     * Cookie name for the issued guest session.
+     * @default 'soulcraft_guest_session'
+     */
+    cookieName?: string;
+    /**
+     * Guest session max-age in seconds.
+     * @default 3600 (1 hour)
+     */
+    maxAgeSeconds?: number;
+    /**
+     * An optional callback invoked when a new guest session is created.
+     * Receives the generated guest ID. Useful for analytics or initializing
+     * a guest cart/basket in the product's store.
+     *
+     * @param guestId - The newly generated unique guest ID.
+     */
+    onGuestCreated?: (guestId: string) => Promise<void> | void;
+}
+/**
+ * Creates Hono auth middleware from a `SessionVerifier` function or a `BetterAuthLike`
+ * instance.
+ *
+ * **Preferred form (all products in OIDC-client mode):**
+ * Pass a `SessionVerifier` returned by `createRemoteSessionVerifier` or
+ * `createDevSessionVerifier`. The middleware reads the request cookie header and
+ * passes it to the verifier.
  *
- * Returns `requireAuth` and `optionalAuth` middleware functions. Both functions
- * resolve the session from request cookies/headers using better-auth's `getSession`
- * API and attach the user to the Hono context under the `'user'` variable key.
+ * **Legacy form (Workshop standalone mode):**
+ * Pass a `better-auth` instance directly. The middleware calls `auth.api.getSession`.
+ * In non-production environments and when `devAutoLogin` is enabled, a synthetic dev
+ * user is injected on failed lookups so local dev works without OAuth.
  *
- * In non-production environments (`NODE_ENV !== 'production'`), a synthetic dev
- * user is injected automatically to allow local development without OAuth setup.
- * Disable this with `options.devAutoLogin = false`.
+ * Both forms return identical `{ requireAuth, optionalAuth }` middleware.
  *
- * @param auth - The product's better-auth instance.
- * @param options - Optional middleware configuration.
+ * @param authOrVerifier - A `better-auth` instance or a `SessionVerifier` function.
+ * @param options - Optional middleware configuration (only applies to `BetterAuthLike` form).
  * @returns Middleware pair: `{ requireAuth, optionalAuth }`.
  *
- * @example
+ * @example Verifier form (Venue / Academy / Workshop in OIDC mode)
  * ```typescript
- * const { requireAuth, optionalAuth } = createAuthMiddleware(auth)
- * app.get('/api/me', requireAuth, (c) => c.json(c.get('user')))
+ * const verifySession = createRemoteSessionVerifier({ idpUrl: process.env.SOULCRAFT_IDP_URL! })
+ * const { requireAuth } = createAuthMiddleware(verifySession)
+ * ```
+ *
+ * @example BetterAuth form (Workshop dev standalone)
+ * ```typescript
+ * import { auth } from './better-auth.js'
+ * const { requireAuth } = createAuthMiddleware(auth)
  * ```
  */
-export declare function createAuthMiddleware(auth: BetterAuthLike, options?: AuthMiddlewareOptions): AuthMiddleware;
+export declare function createAuthMiddleware(authOrVerifier: BetterAuthLike | SessionVerifier, options?: AuthMiddlewareOptions): AuthMiddleware;
 /**
- * @description Creates a cached remote session verifier that proxies session lookups
- * to the central IdP at `auth.soulcraft.com`.
+ * Creates a cached remote session verifier that proxies session lookups to
+ * the central IdP at `auth.soulcraft.com`.
  *
- * Used by products that operate as OIDC clients and need to verify sessions without
- * running a full better-auth instance locally. Caches successful lookups to avoid
- * per-request HTTP calls to the IdP.
+ * Used by products that operate as OIDC clients (Venue, Academy, and Workshop
+ * in production). Caches successful lookups in an LRU cache to avoid per-request
+ * HTTP round-trips to the IdP.
  *
  * The verifier sends the cookie header to the IdP's `/api/auth/get-session` endpoint
- * and returns the resolved `SoulcraftSession` or null if the session is invalid.
+ * and returns the resolved `SoulcraftSession` or `null` if the session is invalid.
+ *
+ * Pass the returned function directly to `createAuthMiddleware`:
+ * ```typescript
+ * const verifySession = createRemoteSessionVerifier({ idpUrl: process.env.SOULCRAFT_IDP_URL! })
+ * const { requireAuth } = createAuthMiddleware(verifySession)
+ * ```
  *
  * @param options - IdP URL, cache TTL, and max cache size.
- * @returns An async function that accepts a cookie header string and returns a session or null.
+ * @returns A `SessionVerifier` — async function that accepts a cookie header string.
  *
  * @example
  * ```typescript
@@ -162,35 +240,31 @@ export declare function createAuthMiddleware(auth: BetterAuthLike, options?: Aut
  * if (!session) return c.json({ error: 'Unauthorized' }, 401)
  * ```
  */
-export declare function createRemoteSessionVerifier(options: RemoteSessionVerifierOptions): (cookieHeader: string) => Promise<SoulcraftSession | null>;
+export declare function createRemoteSessionVerifier(options: RemoteSessionVerifierOptions): SessionVerifier;
 /**
- * @description Creates a session verifier that always resolves to a synthetic dev session.
+ * Creates a session verifier that always resolves to a synthetic dev session.
  *
- * Intended for products that run as OIDC clients (`SOULCRAFT_IDP_URL` set) but need
- * local development auth without network calls, SQLite, or real cookies. The returned
- * verifier always succeeds — any non-empty cookie header (or empty) resolves to the
- * configured synthetic user.
+ * Intended for products that run as OIDC clients but need local development auth
+ * without OAuth, network calls, SQLite, or real cookies. The returned verifier always
+ * succeeds — any request resolves to the configured synthetic user.
  *
- * Designed to be a drop-in replacement for `createRemoteSessionVerifier` in local dev:
+ * Designed as a drop-in replacement for `createRemoteSessionVerifier` in local dev:
  *
  * ```typescript
  * const verifySession = process.env.SOULCRAFT_IDP_URL
  *   ? createRemoteSessionVerifier({ idpUrl: process.env.SOULCRAFT_IDP_URL })
  *   : createDevSessionVerifier({ role: 'owner' })
- * ```
  *
- * This eliminates the need for a local `better-auth` instance, SQLite database, and
- * cookie management when iterating on features in OIDC-client mode.
+ * const { requireAuth } = createAuthMiddleware(verifySession)
+ * ```
  *
  * **Never use in production.** The verifier performs no validation whatsoever.
  *
  * @param options - Optional synthetic user configuration.
- * @returns An async function with the same signature as `createRemoteSessionVerifier`.
+ * @returns A `SessionVerifier` with the same signature as `createRemoteSessionVerifier`.
  *
- * @example SvelteKit hooks.server.ts
+ * @example
  * ```typescript
- * import { createRemoteSessionVerifier, createDevSessionVerifier } from '@soulcraft/sdk/server'
- *
  * const verifySession = process.env.SOULCRAFT_IDP_URL
  *   ? createRemoteSessionVerifier({ idpUrl: process.env.SOULCRAFT_IDP_URL })
  *   : createDevSessionVerifier({ role: 'owner' })
@@ -202,5 +276,109 @@ export declare function createRemoteSessionVerifier(options: RemoteSessionVerifi
  * }
  * ```
  */
-export declare function createDevSessionVerifier(options?: DevSessionVerifierOptions): (cookieHeader: string) => Promise<SoulcraftSession | null>;
+export declare function createDevSessionVerifier(options?: DevSessionVerifierOptions): SessionVerifier;
+/**
+ * Creates a Hono request handler for a dev login endpoint.
+ *
+ * Mount at `/api/dev/login` to get a role-switching endpoint for local
+ * development. Accepts `?role=<platformRole>` and optional `?email=` / `?name=`
+ * query params. Issues a signed base64url session cookie that `createAuthMiddleware`
+ * (when used with a `SessionVerifier` that reads dev cookies) can resolve.
+ *
+ * **Guards against production use:** the handler returns HTTP 404 when
+ * `NODE_ENV === 'production'` — it is safe to leave mounted in all environments.
+ *
+ * @param options - Allowed roles, cookie name, and max-age.
+ * @returns A Hono-compatible request handler `(c: Context) => Response`.
+ *
+ * @example
+ * ```typescript
+ * import { createDevLoginHandler } from '@soulcraft/sdk/server'
+ *
+ * // In your Hono server setup:
+ * app.get('/api/dev/login', createDevLoginHandler({ allowedRoles: ['owner', 'staff', 'customer'] }))
+ *
+ * // Usage: GET /api/dev/login?role=staff → sets cookie + redirects to /
+ * ```
+ */
+export declare function createDevLoginHandler(options?: DevLoginHandlerOptions): (c: Context) => Response | Promise<Response>;
+/**
+ * Creates a session verifier that reads the cookie issued by `createDevLoginHandler`.
+ *
+ * Use this together with `createDevLoginHandler` when you want dev role-switching
+ * (e.g. clicking "Login as Staff" in a dev UI) rather than a fixed synthetic user.
+ *
+ * The verifier decodes the base64url cookie value and returns the embedded session.
+ * Falls back to `null` (unauthenticated) if the cookie is absent or expired.
+ *
+ * ```typescript
+ * // Only one of these in dev — pick what fits your workflow:
+ *
+ * // Option A: Fixed dev user, no login UI needed
+ * const verifySession = createDevSessionVerifier({ role: 'owner' })
+ *
+ * // Option B: Role-switching dev login UI
+ * app.get('/api/dev/login', createDevLoginHandler({ allowedRoles: ['owner', 'staff', 'customer'] }))
+ * const verifySession = createDevCookieVerifier()
+ * ```
+ *
+ * @param cookieName - Must match the `cookieName` passed to `createDevLoginHandler`. Default: `'soulcraft_dev_session'`.
+ * @returns A `SessionVerifier` compatible with `createAuthMiddleware`.
+ */
+export declare function createDevCookieVerifier(cookieName?: string): SessionVerifier;
+/**
+ * Creates a Hono request handler that issues a guest session cookie.
+ *
+ * Venue visitors can browse and initiate bookings without creating an account.
+ * This handler mounts at e.g. `/api/guest/session` and issues a session cookie
+ * with `platformRole: 'guest'` and a unique guest ID on each call (if no valid
+ * guest session already exists).
+ *
+ * The guest session cookie can be verified using `createGuestCookieVerifier`,
+ * which returns a `SessionVerifier` compatible with `createAuthMiddleware`.
+ *
+ * @param options - Cookie name, max-age, and optional `onGuestCreated` callback.
+ * @returns A Hono-compatible request handler.
+ *
+ * @example
+ * ```typescript
+ * import { createGuestSessionHandler, createGuestCookieVerifier, createAuthMiddleware } from '@soulcraft/sdk/server'
+ *
+ * // Issue guest sessions
+ * app.post('/api/guest/session', createGuestSessionHandler({
+ *   onGuestCreated: async (guestId) => {
+ *     await db.guests.insert({ id: guestId, createdAt: new Date() })
+ *   },
+ * }))
+ *
+ * // Verify guest sessions in optional auth (guests can browse)
+ * const verifyGuest = createGuestCookieVerifier()
+ * const verifySession = createRemoteSessionVerifier({ idpUrl: process.env.SOULCRAFT_IDP_URL! })
+ *
+ * // Compose: check real session first, fall back to guest
+ * const { optionalAuth } = createAuthMiddleware(async (cookie) =>
+ *   await verifySession(cookie) ?? await verifyGuest(cookie)
+ * )
+ * ```
+ */
+export declare function createGuestSessionHandler(options?: GuestSessionHandlerOptions): (c: Context) => Promise<Response>;
+/**
+ * Creates a session verifier that reads the cookie issued by `createGuestSessionHandler`.
+ *
+ * Returns the guest `SoulcraftSession` or `null` if no valid guest cookie is present.
+ * Compose with `createRemoteSessionVerifier` to allow both authenticated and guest access:
+ *
+ * ```typescript
+ * const verifyReal = createRemoteSessionVerifier({ idpUrl: process.env.SOULCRAFT_IDP_URL! })
+ * const verifyGuest = createGuestCookieVerifier()
+ *
+ * const { optionalAuth } = createAuthMiddleware(async (cookie) =>
+ *   await verifyReal(cookie) ?? await verifyGuest(cookie)
+ * )
+ * ```
+ *
+ * @param cookieName - Must match the `cookieName` passed to `createGuestSessionHandler`. Default: `'soulcraft_guest_session'`.
+ * @returns A `SessionVerifier` compatible with `createAuthMiddleware`.
+ */
+export declare function createGuestCookieVerifier(cookieName?: string): SessionVerifier;
 //# sourceMappingURL=middleware.d.ts.map

package/dist/modules/auth/middleware.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../../src/modules/auth/middleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAIH,OAAO,KAAK,EAAE,oBAAoB,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAA;AACxE,OAAO,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAMzC,uEAAuE;AACvE,eAAO,MAAM,aAAa,EAAG,MAAe,CAAA;AAE5C,mEAAmE;AACnE,MAAM,MAAM,WAAW,GAAG,OAAO,CAAC;IAAE,SAAS,EAAE;QAAE,CAAC,aAAa,CAAC,EAAE,oBAAoB,GAAG,IAAI,CAAA;KAAE,CAAA;CAAE,CAAC,CAAA;AAElG,iEAAiE;AACjE,MAAM,WAAW,cAAc;IAC7B,GAAG,EAAE;QACH,UAAU,CAAC,IAAI,EAAE;YAAE,OAAO,EAAE,OAAO,CAAA;SAAE,GAAG,OAAO,CAAC;YAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YAAC,OAAO,EAAE;gBAAE,EAAE,EAAE,MAAM,CAAC;gBAAC,SAAS,EAAE,IAAI,GAAG,MAAM,GAAG,MAAM,CAAA;aAAE,CAAA;SAAE,GAAG,IAAI,CAAC,CAAA;KACtJ,CAAA;CACF;AAED;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC;;;;;OAKG;IACH,YAAY,CAAC,EAAE,OAAO,CAAA;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B;;;;;;;OAOG;IACH,WAAW,EAAE,CAAC,CAAC,EAAE,WAAW,EAAE,IAAI,EAAE,IAAI,KAAK,OAAO,CAAC,IAAI,GAAG,QAAQ,CAAC,CAAA;IAErE;;;OAGG;IACH,YAAY,EAAE,CAAC,CAAC,EAAE,WAAW,EAAE,IAAI,EAAE,IAAI,KAAK,OAAO,CAAC,IAAI,GAAG,QAAQ,CAAC,CAAA;CACvE;AAED;;GAEG;AACH,MAAM,WAAW,4BAA4B;IAC3C,mEAAmE;IACnE,MAAM,EAAE,MAAM,CAAA;IACd,uEAAuE;IACvE,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,6CAA6C;IAC7C,QAAQ,CAAC,EAAE,MAAM,CAAA;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC;;;OAGG;IACH,IAAI,CAAC,EAAE,oBAAoB,CAAC,cAAc,CAAC,CAAA;IAC3C;;;OAGG;IACH,KAAK,CAAC,EAAE,MAAM,CAAA;IACd;;;OAGG;IACH,IAAI,CAAC,EAAE,MAAM,CAAA;CACd;AAMD;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,oBAAoB,CAClC,IAAI,EAAE,cAAc,EACpB,OAAO,GAAE,qBAA0B,GAClC,cAAc,CA+DhB;AAMD;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAgB,2BAA2B,CACzC,OAAO,EAAE,4BAA4B,GACpC,CAAC,YAAY,EAAE,MAAM,KAAK,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC,CA4D5D;AAMD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AACH,wBAAgB,wBAAwB,CACtC,OAAO,GAAE,yBAA8B,GACtC,CAAC,YAAY,EAAE,MAAM,KAAK,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC,CAqB5D"}
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../../src/modules/auth/middleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwCG;AAIH,OAAO,KAAK,EAAE,oBAAoB,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAA;AACxE,OAAO,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAMzC,uEAAuE;AACvE,eAAO,MAAM,aAAa,EAAG,MAAe,CAAA;AAE5C,mEAAmE;AACnE,MAAM,MAAM,WAAW,GAAG,OAAO,CAAC;IAAE,SAAS,EAAE;QAAE,CAAC,aAAa,CAAC,EAAE,oBAAoB,GAAG,IAAI,CAAA;KAAE,CAAA;CAAE,CAAC,CAAA;AAElG,iEAAiE;AACjE,MAAM,WAAW,cAAc;IAC7B,GAAG,EAAE;QACH,UAAU,CAAC,IAAI,EAAE;YAAE,OAAO,EAAE,OAAO,CAAA;SAAE,GAAG,OAAO,CAAC;YAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YAAC,OAAO,EAAE;gBAAE,EAAE,EAAE,MAAM,CAAC;gBAAC,SAAS,EAAE,IAAI,GAAG,MAAM,GAAG,MAAM,CAAA;aAAE,CAAA;SAAE,GAAG,IAAI,CAAC,CAAA;KACtJ,CAAA;CACF;AAED;;;;;;;GAOG;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,YAAY,EAAE,MAAM,KAAK,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC,CAAA;AAExF;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC;;;;;;OAMG;IACH,YAAY,CAAC,EAAE,OAAO,CAAA;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B;;;;OAIG;IACH,WAAW,EAAE,CAAC,CAAC,EAAE,WAAW,EAAE,IAAI,EAAE,IAAI,KAAK,OAAO,CAAC,IAAI,GAAG,QAAQ,CAAC,CAAA;IAErE;;;OAGG;IACH,YAAY,EAAE,CAAC,CAAC,EAAE,WAAW,EAAE,IAAI,EAAE,IAAI,KAAK,OAAO,CAAC,IAAI,GAAG,QAAQ,CAAC,CAAA;CACvE;AAED;;GAEG;AACH,MAAM,WAAW,4BAA4B;IAC3C,qEAAqE;IACrE,MAAM,EAAE,MAAM,CAAA;IACd,uEAAuE;IACvE,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,6CAA6C;IAC7C,QAAQ,CAAC,EAAE,MAAM,CAAA;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC;;;OAGG;IACH,IAAI,CAAC,EAAE,oBAAoB,CAAC,cAAc,CAAC,CAAA;IAC3C;;;OAGG;IACH,KAAK,CAAC,EAAE,MAAM,CAAA;IACd;;;OAGG;IACH,IAAI,CAAC,EAAE,MAAM,CAAA;CACd;AAED;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC;;;;OAIG;IACH,YAAY,CAAC,EAAE,oBAAoB,CAAC,cAAc,CAAC,EAAE,CAAA;IACrD;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB;;;OAGG;IACH,aAAa,CAAC,EAAE,MAAM,CAAA;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,0BAA0B;IACzC;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB;;;OAGG;IACH,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB;;;;;;OAMG;IACH,cAAc,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAA;CAC3D;AAqDD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AACH,wBAAgB,oBAAoB,CAClC,cAAc,EAAE,cAAc,GAAG,eAAe,EAChD,OAAO,GAAE,qBAA0B,GAClC,cAAc,CAyEhB;AAMD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,wBAAgB,2BAA2B,CACzC,OAAO,EAAE,4BAA4B,GACpC,eAAe,CA4DjB;AAMD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AACH,wBAAgB,wBAAwB,CACtC,OAAO,GAAE,yBAA8B,GACtC,eAAe,CAqBjB;AAMD;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAgB,qBAAqB,CACnC,OAAO,GAAE,sBAA2B,GACnC,CAAC,CAAC,EAAE,OAAO,KAAK,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CA2D9C;AAMD;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,uBAAuB,CACrC,UAAU,SAA0B,GACnC,eAAe,CAMjB;AAMD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AACH,wBAAgB,yBAAyB,CACvC,OAAO,GAAE,0BAA+B,GACvC,CAAC,CAAC,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CAkDnC;AAMD;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,yBAAyB,CACvC,UAAU,SAA4B,GACrC,eAAe,CAMjB"}

package/dist/modules/auth/middleware.js

@@ -1,31 +1,41 @@
 /**
  * @module modules/auth/middleware
- * @description Hono auth middleware factories and remote session verification
- * for Soulcraft product backends.
+ * @description Hono auth middleware factories, remote session verification, and
+ * dev/guest session utilities for Soulcraft product backends.
  *
- * Provides framework-agnostic middleware that products mount in their Hono server
- * to authenticate requests against a better-auth instance (local or remote IdP).
+ * ## Session verification strategies
  *
- * The middleware pattern is product-agnostic — Workshop, Venue, and Academy all
- * use the same factories, passing their own `auth` instance. This replaces the
- * per-product copies of `requireAuth` / `optionalAuth` in Workshop's better-auth.ts.
+ * All products share the same `createAuthMiddleware` factory, but each product
+ * selects the right session verifier for its deployment context:
  *
- * ## Remote session verification
+ * ```
+ * Production (all products):
+ *   createRemoteSessionVerifier({ idpUrl: 'https://auth.soulcraft.com' })
+ *
+ * Development (all products):
+ *   createDevSessionVerifier({ role: 'owner' })   // auto-login, no OAuth needed
+ *
+ * Workshop standalone (legacy / local OAuth):
+ *   createAuthMiddleware(betterAuthInstance)       // BetterAuthLike overload
+ * ```
  *
- * `createRemoteSessionVerifier` is used by products that delegate authentication
- * to the central IdP (`auth.soulcraft.com`) but need to verify sessions without
- * running a full better-auth instance. It proxies the session lookup via HTTP with
- * an LRU cache to avoid per-request round-trips to the IdP.
+ * ## Dev and guest endpoint factories
  *
- * @example Hono setup (Workshop)
+ * - `createDevLoginHandler` — mounts a `/api/dev/login` endpoint for role-switching
+ *   during development. Issues a signed dev session cookie. No-ops in production.
+ * - `createGuestSessionHandler` — mounts a `/api/guest/session` endpoint so Venue
+ *   visitors can obtain a guest session (platformRole `'guest'`) for anonymous
+ *   browse and booking flows, before they create an account.
+ *
+ * @example Production setup (Venue / Academy)
  * ```typescript
- * import { createAuthMiddleware } from '@soulcraft/sdk/server'
- * import { auth } from './better-auth.js'
+ * import { createAuthMiddleware, createRemoteSessionVerifier } from '@soulcraft/sdk/server'
  *
- * const { requireAuth, optionalAuth } = createAuthMiddleware(auth)
+ * const verifySession = createRemoteSessionVerifier({ idpUrl: process.env.SOULCRAFT_IDP_URL! })
+ * const { requireAuth, optionalAuth } = createAuthMiddleware(verifySession)
  *
- * app.get('/api/workspaces', requireAuth, async (c) => {
- *   const user = c.get('user')! // SoulcraftSessionUser, guaranteed non-null
+ * app.get('/api/bookings', requireAuth, async (c) => {
+ *   const user = c.get('user')! // SoulcraftSessionUser
  * })
  * ```
  */
@@ -37,30 +47,108 @@ import { computeEmailHash } from './config.js';
 /** The Hono context variable key where the resolved user is stored. */
 export const AUTH_USER_KEY = 'user';
 // ─────────────────────────────────────────────────────────────────────────────
+// Shared internal helpers
+// ─────────────────────────────────────────────────────────────────────────────
+/** Resolve a raw user record from a better-auth session into a `SoulcraftSessionUser`. */
+function _resolveUser(raw) {
+    const email = String(raw['email'] ?? '');
+    const emailHash = raw['emailHash']
+        ? String(raw['emailHash'])
+        : computeEmailHash(email);
+    return {
+        id: String(raw['id'] ?? ''),
+        email,
+        name: String(raw['name'] ?? ''),
+        image: raw['image'] ?? null,
+        platformRole: raw['platformRole'] ?? 'creator',
+        emailHash,
+    };
+}
+/** Parse a simple `name=value` cookie from a raw cookie header string. */
+function _parseCookie(cookieHeader, name) {
+    for (const part of cookieHeader.split(';')) {
+        const [k, ...rest] = part.trim().split('=');
+        if (k?.trim() === name)
+            return rest.join('=').trim();
+    }
+    return undefined;
+}
+/** Encode a dev/guest session payload as a compact JSON+base64url string (unsigned). */
+function _encodeSessionCookie(session) {
+    return Buffer.from(JSON.stringify(session)).toString('base64url');
+}
+/** Decode a session payload encoded by `_encodeSessionCookie`. Returns null on any error. */
+function _decodeSessionCookie(value) {
+    try {
+        const raw = JSON.parse(Buffer.from(value, 'base64url').toString('utf-8'));
+        if (!raw.user || !raw.sessionId || !raw.expiresAt)
+            return null;
+        if (raw.expiresAt < Date.now())
+            return null;
+        return raw;
+    }
+    catch {
+        return null;
+    }
+}
+// ─────────────────────────────────────────────────────────────────────────────
 // createAuthMiddleware
 // ─────────────────────────────────────────────────────────────────────────────
 /**
- * @description Creates Hono auth middleware bound to a specific better-auth instance.
+ * Creates Hono auth middleware from a `SessionVerifier` function or a `BetterAuthLike`
+ * instance.
+ *
+ * **Preferred form (all products in OIDC-client mode):**
+ * Pass a `SessionVerifier` returned by `createRemoteSessionVerifier` or
+ * `createDevSessionVerifier`. The middleware reads the request cookie header and
+ * passes it to the verifier.
  *
- * Returns `requireAuth` and `optionalAuth` middleware functions. Both functions
- * resolve the session from request cookies/headers using better-auth's `getSession`
- * API and attach the user to the Hono context under the `'user'` variable key.
+ * **Legacy form (Workshop standalone mode):**
+ * Pass a `better-auth` instance directly. The middleware calls `auth.api.getSession`.
+ * In non-production environments and when `devAutoLogin` is enabled, a synthetic dev
+ * user is injected on failed lookups so local dev works without OAuth.
  *
- * In non-production environments (`NODE_ENV !== 'production'`), a synthetic dev
- * user is injected automatically to allow local development without OAuth setup.
- * Disable this with `options.devAutoLogin = false`.
+ * Both forms return identical `{ requireAuth, optionalAuth }` middleware.
  *
- * @param auth - The product's better-auth instance.
- * @param options - Optional middleware configuration.
+ * @param authOrVerifier - A `better-auth` instance or a `SessionVerifier` function.
+ * @param options - Optional middleware configuration (only applies to `BetterAuthLike` form).
  * @returns Middleware pair: `{ requireAuth, optionalAuth }`.
  *
- * @example
+ * @example Verifier form (Venue / Academy / Workshop in OIDC mode)
+ * ```typescript
+ * const verifySession = createRemoteSessionVerifier({ idpUrl: process.env.SOULCRAFT_IDP_URL! })
+ * const { requireAuth } = createAuthMiddleware(verifySession)
+ * ```
+ *
+ * @example BetterAuth form (Workshop dev standalone)
  * ```typescript
- * const { requireAuth, optionalAuth } = createAuthMiddleware(auth)
- * app.get('/api/me', requireAuth, (c) => c.json(c.get('user')))
+ * import { auth } from './better-auth.js'
+ * const { requireAuth } = createAuthMiddleware(auth)
  * ```
  */
-export function createAuthMiddleware(auth, options = {}) {
+export function createAuthMiddleware(authOrVerifier, options = {}) {
+    const isVerifier = typeof authOrVerifier === 'function';
+    if (isVerifier) {
+        const verify = authOrVerifier;
+        const requireAuth = async (c, next) => {
+            const cookieHeader = c.req.header('cookie') ?? '';
+            const session = await verify(cookieHeader);
+            if (!session)
+                return c.json({ error: 'Authentication required' }, 401);
+            c.set(AUTH_USER_KEY, session.user);
+            await next();
+            return;
+        };
+        const optionalAuth = async (c, next) => {
+            const cookieHeader = c.req.header('cookie') ?? '';
+            const session = await verify(cookieHeader);
+            c.set(AUTH_USER_KEY, session?.user ?? null);
+            await next();
+        };
+        return { requireAuth, optionalAuth };
+    }
+    // BetterAuthLike form (Workshop standalone)
+    const auth = authOrVerifier;
     const devAutoLogin = options.devAutoLogin ?? true;
     const isDev = process.env['NODE_ENV'] !== 'production';
     const DEV_USER = {
@@ -71,20 +159,6 @@ export function createAuthMiddleware(auth, options = {}) {
         emailHash: computeEmailHash('dev@localhost'),
         platformRole: 'creator',
     };
-    function resolveUser(raw) {
-        const email = String(raw['email'] ?? '');
-        const emailHash = raw['emailHash']
-            ? String(raw['emailHash'])
-            : computeEmailHash(email);
-        return {
-            id: String(raw['id'] ?? ''),
-            email,
-            name: String(raw['name'] ?? ''),
-            image: raw['image'] ?? null,
-            platformRole: raw['platformRole'] ?? 'creator',
-            emailHash,
-        };
-    }
     const requireAuth = async (c, next) => {
         if (isDev && devAutoLogin) {
             if (!c.get(AUTH_USER_KEY))
@@ -96,7 +170,7 @@ export function createAuthMiddleware(auth, options = {}) {
         if (!session?.user) {
             return c.json({ error: 'Authentication required' }, 401);
         }
-        c.set(AUTH_USER_KEY, resolveUser(session.user));
+        c.set(AUTH_USER_KEY, _resolveUser(session.user));
         await next();
         return;
     };
@@ -109,7 +183,7 @@ export function createAuthMiddleware(auth, options = {}) {
         }
         const session = await auth.api.getSession({ headers: c.req.raw.headers });
         if (session?.user) {
-            c.set(AUTH_USER_KEY, resolveUser(session.user));
+            c.set(AUTH_USER_KEY, _resolveUser(session.user));
         }
         else {
             c.set(AUTH_USER_KEY, null);
@@ -122,18 +196,24 @@ export function createAuthMiddleware(auth, options = {}) {
 // createRemoteSessionVerifier
 // ─────────────────────────────────────────────────────────────────────────────
 /**
- * @description Creates a cached remote session verifier that proxies session lookups
- * to the central IdP at `auth.soulcraft.com`.
+ * Creates a cached remote session verifier that proxies session lookups to
+ * the central IdP at `auth.soulcraft.com`.
  *
- * Used by products that operate as OIDC clients and need to verify sessions without
- * running a full better-auth instance locally. Caches successful lookups to avoid
- * per-request HTTP calls to the IdP.
+ * Used by products that operate as OIDC clients (Venue, Academy, and Workshop
+ * in production). Caches successful lookups in an LRU cache to avoid per-request
+ * HTTP round-trips to the IdP.
  *
  * The verifier sends the cookie header to the IdP's `/api/auth/get-session` endpoint
- * and returns the resolved `SoulcraftSession` or null if the session is invalid.
+ * and returns the resolved `SoulcraftSession` or `null` if the session is invalid.
+ *
+ * Pass the returned function directly to `createAuthMiddleware`:
+ * ```typescript
+ * const verifySession = createRemoteSessionVerifier({ idpUrl: process.env.SOULCRAFT_IDP_URL! })
+ * const { requireAuth } = createAuthMiddleware(verifySession)
+ * ```
  *
  * @param options - IdP URL, cache TTL, and max cache size.
- * @returns An async function that accepts a cookie header string and returns a session or null.
+ * @returns A `SessionVerifier` — async function that accepts a cookie header string.
  *
  * @example
  * ```typescript
@@ -205,33 +285,29 @@ export function createRemoteSessionVerifier(options) {
 // createDevSessionVerifier
 // ─────────────────────────────────────────────────────────────────────────────
 /**
- * @description Creates a session verifier that always resolves to a synthetic dev session.
+ * Creates a session verifier that always resolves to a synthetic dev session.
  *
- * Intended for products that run as OIDC clients (`SOULCRAFT_IDP_URL` set) but need
- * local development auth without network calls, SQLite, or real cookies. The returned
- * verifier always succeeds — any non-empty cookie header (or empty) resolves to the
- * configured synthetic user.
+ * Intended for products that run as OIDC clients but need local development auth
+ * without OAuth, network calls, SQLite, or real cookies. The returned verifier always
+ * succeeds — any request resolves to the configured synthetic user.
  *
- * Designed to be a drop-in replacement for `createRemoteSessionVerifier` in local dev:
+ * Designed as a drop-in replacement for `createRemoteSessionVerifier` in local dev:
  *
  * ```typescript
  * const verifySession = process.env.SOULCRAFT_IDP_URL
  *   ? createRemoteSessionVerifier({ idpUrl: process.env.SOULCRAFT_IDP_URL })
  *   : createDevSessionVerifier({ role: 'owner' })
- * ```
  *
- * This eliminates the need for a local `better-auth` instance, SQLite database, and
- * cookie management when iterating on features in OIDC-client mode.
+ * const { requireAuth } = createAuthMiddleware(verifySession)
+ * ```
  *
  * **Never use in production.** The verifier performs no validation whatsoever.
  *
  * @param options - Optional synthetic user configuration.
- * @returns An async function with the same signature as `createRemoteSessionVerifier`.
+ * @returns A `SessionVerifier` with the same signature as `createRemoteSessionVerifier`.
  *
- * @example SvelteKit hooks.server.ts
+ * @example
  * ```typescript
- * import { createRemoteSessionVerifier, createDevSessionVerifier } from '@soulcraft/sdk/server'
- *
  * const verifySession = process.env.SOULCRAFT_IDP_URL
  *   ? createRemoteSessionVerifier({ idpUrl: process.env.SOULCRAFT_IDP_URL })
  *   : createDevSessionVerifier({ role: 'owner' })
@@ -263,4 +339,230 @@ export function createDevSessionVerifier(options = {}) {
         return session;
     };
 }
+// ─────────────────────────────────────────────────────────────────────────────
+// createDevLoginHandler
+// ─────────────────────────────────────────────────────────────────────────────
+/**
+ * Creates a Hono request handler for a dev login endpoint.
+ *
+ * Mount at `/api/dev/login` to get a role-switching endpoint for local
+ * development. Accepts `?role=<platformRole>` and optional `?email=` / `?name=`
+ * query params. Issues a signed base64url session cookie that `createAuthMiddleware`
+ * (when used with a `SessionVerifier` that reads dev cookies) can resolve.
+ *
+ * **Guards against production use:** the handler returns HTTP 404 when
+ * `NODE_ENV === 'production'` — it is safe to leave mounted in all environments.
+ *
+ * @param options - Allowed roles, cookie name, and max-age.
+ * @returns A Hono-compatible request handler `(c: Context) => Response`.
+ *
+ * @example
+ * ```typescript
+ * import { createDevLoginHandler } from '@soulcraft/sdk/server'
+ *
+ * // In your Hono server setup:
+ * app.get('/api/dev/login', createDevLoginHandler({ allowedRoles: ['owner', 'staff', 'customer'] }))
+ *
+ * // Usage: GET /api/dev/login?role=staff → sets cookie + redirects to /
+ * ```
+ */
+export function createDevLoginHandler(options = {}) {
+    const DEFAULT_ROLES = [
+        'creator', 'viewer', 'customer', 'staff', 'manager', 'owner', 'learner', 'instructor',
+    ];
+    const allowedRoles = options.allowedRoles ?? DEFAULT_ROLES;
+    const cookieName = options.cookieName ?? 'soulcraft_dev_session';
+    const maxAgeSeconds = options.maxAgeSeconds ?? 86_400;
+    return function devLoginHandler(c) {
+        if (process.env['NODE_ENV'] === 'production') {
+            return c.json({ error: 'Not found' }, 404);
+        }
+        const role = c.req.query('role');
+        if (!role || !allowedRoles.includes(role)) {
+            return c.json({
+                error: `Invalid role. Allowed: ${allowedRoles.join(', ')}`,
+                allowedRoles,
+            }, 400);
+        }
+        const email = c.req.query('email') ?? `dev-${role}@soulcraft.com`;
+        const name = c.req.query('name') ?? `Dev ${role.charAt(0).toUpperCase() + role.slice(1)}`;
+        const redirect = c.req.query('redirect') ?? '/';
+        const session = {
+            user: {
+                id: `dev-user-${role}`,
+                email,
+                name,
+                image: null,
+                platformRole: role,
+                emailHash: computeEmailHash(email),
+            },
+            sessionId: `dev-session-${Date.now()}`,
+            expiresAt: Date.now() + maxAgeSeconds * 1000,
+        };
+        const cookieValue = _encodeSessionCookie(session);
+        const cookieHeader = [
+            `${cookieName}=${cookieValue}`,
+            `Path=/`,
+            `HttpOnly`,
+            `SameSite=Lax`,
+            `Max-Age=${maxAgeSeconds}`,
+        ].join('; ');
+        const response = new Response(null, {
+            status: 302,
+            headers: {
+                Location: redirect,
+                'Set-Cookie': cookieHeader,
+            },
+        });
+        return response;
+    };
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// createDevCookieVerifier
+// ─────────────────────────────────────────────────────────────────────────────
+/**
+ * Creates a session verifier that reads the cookie issued by `createDevLoginHandler`.
+ *
+ * Use this together with `createDevLoginHandler` when you want dev role-switching
+ * (e.g. clicking "Login as Staff" in a dev UI) rather than a fixed synthetic user.
+ *
+ * The verifier decodes the base64url cookie value and returns the embedded session.
+ * Falls back to `null` (unauthenticated) if the cookie is absent or expired.
+ *
+ * ```typescript
+ * // Only one of these in dev — pick what fits your workflow:
+ *
+ * // Option A: Fixed dev user, no login UI needed
+ * const verifySession = createDevSessionVerifier({ role: 'owner' })
+ *
+ * // Option B: Role-switching dev login UI
+ * app.get('/api/dev/login', createDevLoginHandler({ allowedRoles: ['owner', 'staff', 'customer'] }))
+ * const verifySession = createDevCookieVerifier()
+ * ```
+ *
+ * @param cookieName - Must match the `cookieName` passed to `createDevLoginHandler`. Default: `'soulcraft_dev_session'`.
+ * @returns A `SessionVerifier` compatible with `createAuthMiddleware`.
+ */
+export function createDevCookieVerifier(cookieName = 'soulcraft_dev_session') {
+    return async function verifyDevCookie(cookieHeader) {
+        const value = _parseCookie(cookieHeader, cookieName);
+        if (!value)
+            return null;
+        return _decodeSessionCookie(value);
+    };
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// createGuestSessionHandler
+// ─────────────────────────────────────────────────────────────────────────────
+/**
+ * Creates a Hono request handler that issues a guest session cookie.
+ *
+ * Venue visitors can browse and initiate bookings without creating an account.
+ * This handler mounts at e.g. `/api/guest/session` and issues a session cookie
+ * with `platformRole: 'guest'` and a unique guest ID on each call (if no valid
+ * guest session already exists).
+ *
+ * The guest session cookie can be verified using `createGuestCookieVerifier`,
+ * which returns a `SessionVerifier` compatible with `createAuthMiddleware`.
+ *
+ * @param options - Cookie name, max-age, and optional `onGuestCreated` callback.
+ * @returns A Hono-compatible request handler.
+ *
+ * @example
+ * ```typescript
+ * import { createGuestSessionHandler, createGuestCookieVerifier, createAuthMiddleware } from '@soulcraft/sdk/server'
+ *
+ * // Issue guest sessions
+ * app.post('/api/guest/session', createGuestSessionHandler({
+ *   onGuestCreated: async (guestId) => {
+ *     await db.guests.insert({ id: guestId, createdAt: new Date() })
+ *   },
+ * }))
+ *
+ * // Verify guest sessions in optional auth (guests can browse)
+ * const verifyGuest = createGuestCookieVerifier()
+ * const verifySession = createRemoteSessionVerifier({ idpUrl: process.env.SOULCRAFT_IDP_URL! })
+ *
+ * // Compose: check real session first, fall back to guest
+ * const { optionalAuth } = createAuthMiddleware(async (cookie) =>
+ *   await verifySession(cookie) ?? await verifyGuest(cookie)
+ * )
+ * ```
+ */
+export function createGuestSessionHandler(options = {}) {
+    const cookieName = options.cookieName ?? 'soulcraft_guest_session';
+    const maxAgeSeconds = options.maxAgeSeconds ?? 3_600;
+    const onGuestCreated = options.onGuestCreated;
+    return async function guestSessionHandler(c) {
+        // Return existing guest session if still valid
+        const cookieHeader = c.req.header('cookie') ?? '';
+        const existingValue = _parseCookie(cookieHeader, cookieName);
+        if (existingValue) {
+            const existing = _decodeSessionCookie(existingValue);
+            if (existing)
+                return c.json({ guestId: existing.user.id, existing: true });
+        }
+        // Create a new guest session
+        const guestId = `guest-${Date.now().toString(36)}-${Math.random().toString(36).slice(2, 8)}`;
+        const email = `${guestId}@guest.soulcraft.com`;
+        const session = {
+            user: {
+                id: guestId,
+                email,
+                name: 'Guest',
+                image: null,
+                platformRole: 'guest',
+                emailHash: computeEmailHash(email),
+            },
+            sessionId: `guest-session-${Date.now()}`,
+            expiresAt: Date.now() + maxAgeSeconds * 1000,
+        };
+        if (onGuestCreated)
+            await onGuestCreated(guestId);
+        const cookieValue = _encodeSessionCookie(session);
+        const cookieHeader2 = [
+            `${cookieName}=${cookieValue}`,
+            `Path=/`,
+            `HttpOnly`,
+            `SameSite=Lax`,
+            `Max-Age=${maxAgeSeconds}`,
+        ].join('; ');
+        return new Response(JSON.stringify({ guestId, existing: false }), {
+            status: 200,
+            headers: {
+                'Content-Type': 'application/json',
+                'Set-Cookie': cookieHeader2,
+            },
+        });
+    };
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// createGuestCookieVerifier
+// ─────────────────────────────────────────────────────────────────────────────
+/**
+ * Creates a session verifier that reads the cookie issued by `createGuestSessionHandler`.
+ *
+ * Returns the guest `SoulcraftSession` or `null` if no valid guest cookie is present.
+ * Compose with `createRemoteSessionVerifier` to allow both authenticated and guest access:
+ *
+ * ```typescript
+ * const verifyReal = createRemoteSessionVerifier({ idpUrl: process.env.SOULCRAFT_IDP_URL! })
+ * const verifyGuest = createGuestCookieVerifier()
+ *
+ * const { optionalAuth } = createAuthMiddleware(async (cookie) =>
+ *   await verifyReal(cookie) ?? await verifyGuest(cookie)
+ * )
+ * ```
+ *
+ * @param cookieName - Must match the `cookieName` passed to `createGuestSessionHandler`. Default: `'soulcraft_guest_session'`.
+ * @returns A `SessionVerifier` compatible with `createAuthMiddleware`.
+ */
+export function createGuestCookieVerifier(cookieName = 'soulcraft_guest_session') {
+    return async function verifyGuestCookie(cookieHeader) {
+        const value = _parseCookie(cookieHeader, cookieName);
+        if (!value)
+            return null;
+        return _decodeSessionCookie(value);
+    };
+}
 //# sourceMappingURL=middleware.js.map

package/dist/modules/auth/middleware.js.map

@@ -1 +1 @@
-{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../../../src/modules/auth/middleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAA;AACpC,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAA;AAI9C,gFAAgF;AAChF,QAAQ;AACR,gFAAgF;AAEhF,uEAAuE;AACvE,MAAM,CAAC,MAAM,aAAa,GAAG,MAAe,CAAA;AA+E5C,gFAAgF;AAChF,uBAAuB;AACvB,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,UAAU,oBAAoB,CAClC,IAAoB,EACpB,UAAiC,EAAE;IAEnC,MAAM,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI,IAAI,CAAA;IACjD,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,KAAK,YAAY,CAAA;IAEtD,MAAM,QAAQ,GAAyB;QACrC,EAAE,EAAE,cAAc;QAClB,KAAK,EAAE,eAAe;QACtB,IAAI,EAAE,UAAU;QAChB,KAAK,EAAE,IAAI;QACX,SAAS,EAAE,gBAAgB,CAAC,eAAe,CAAC;QAC5C,YAAY,EAAE,SAAS;KACxB,CAAA;IAED,SAAS,WAAW,CAAC,GAA4B;QAC/C,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAA;QACxC,MAAM,SAAS,GAAG,GAAG,CAAC,WAAW,CAAC;YAChC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;YAC1B,CAAC,CAAC,gBAAgB,CAAC,KAAK,CAAC,CAAA;QAE3B,OAAO;YACL,EAAE,EAAE,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YAC3B,KAAK;YACL,IAAI,EAAE,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YAC/B,KAAK,EAAG,GAAG,CAAC,OAAO,CAA+B,IAAI,IAAI;YAC1D,YAAY,EAAG,GAAG,CAAC,cAAc,CAA0C,IAAI,SAAS;YACxF,SAAS;SACV,CAAA;IACH,CAAC;IAED,MAAM,WAAW,GAAkC,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;QACnE,IAAI,KAAK,IAAI,YAAY,EAAE,CAAC;YAC1B,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,aAAa,CAAC;gBAAE,CAAC,CAAC,GAAG,CAAC,aAAa,EAAE,QAAQ,CAAC,CAAA;YACzD,MAAM,IAAI,EAAE,CAAA;YACZ,OAAM;QACR,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC,CAAA;QACzE,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC;YACnB,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,yBAAyB,EAAE,EAAE,GAAG,CAAC,CAAA;QAC1D,CAAC;QAED,CAAC,CAAC,GAAG,CAAC,aAAa,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAA;QAC/C,MAAM,IAAI,EAAE,CAAA;QACZ,OAAM;IACR,CAAC,CAAA;IAED,MAAM,YAAY,GAAmC,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;QACrE,IAAI,KAAK,IAAI,YAAY,EAAE,CAAC;YAC1B,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,aAAa,CAAC;gBAAE,CAAC,CAAC,GAAG,CAAC,aAAa,EAAE,QAAQ,CAAC,CAAA;YACzD,MAAM,IAAI,EAAE,CAAA;YACZ,OAAM;QACR,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC,CAAA;QACzE,IAAI,OAAO,EAAE,IAAI,EAAE,CAAC;YAClB,CAAC,CAAC,GAAG,CAAC,aAAa,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAA;QACjD,CAAC;aAAM,CAAC;YACN,CAAC,CAAC,GAAG,CAAC,aAAa,EAAE,IAAI,CAAC,CAAA;QAC5B,CAAC;QACD,MAAM,IAAI,EAAE,CAAA;IACd,CAAC,CAAA;IAED,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,CAAA;AACtC,CAAC;AAED,gFAAgF;AAChF,8BAA8B;AAC9B,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,UAAU,2BAA2B,CACzC,OAAqC;IAErC,MAAM,QAAQ,GAAG,OAAO,CAAC,UAAU,IAAI,MAAM,CAAA;IAC7C,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,GAAG,CAAA;IACxC,MAAM,UAAU,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,uBAAuB,CAAA;IAE9E,MAAM,KAAK,GAAG,IAAI,QAAQ,CAA2B;QACnD,GAAG,EAAE,QAAQ;QACb,GAAG,EAAE,QAAQ;KACd,CAAC,CAAA;IAEF,OAAO,KAAK,UAAU,mBAAmB,CACvC,YAAoB;QAEpB,IAAI,CAAC,YAAY;YAAE,OAAO,IAAI,CAAA;QAE9B,iEAAiE;QACjE,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,YAAY,CAAC,CAAA;QACtC,IAAI,MAAM,KAAK,SAAS;YAAE,OAAO,MAAM,CAAA;QAEvC,IAAI,QAAkB,CAAA;QACtB,IAAI,CAAC;YACH,QAAQ,GAAG,MAAM,KAAK,CAAC,UAAU,EAAE;gBACjC,OAAO,EAAE,EAAE,MAAM,EAAE,YAAY,EAAE;gBACjC,WAAW,EAAE,SAAS;aACvB,CAAC,CAAA;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAA;QACb,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,EAAE;YAAE,OAAO,IAAI,CAAA;QAE7B,IAAI,IAA6B,CAAA;QACjC,IAAI,CAAC;YACH,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA6B,CAAA;QACzD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAA;QACb,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAwC,CAAA;QACnE,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAwC,CAAA;QAEzE,IAAI,CAAC,OAAO,IAAI,CAAC,UAAU;YAAE,OAAO,IAAI,CAAA;QAExC,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAA;QAC5C,MAAM,OAAO,GAAqB;YAChC,IAAI,EAAE;gBACJ,EAAE,EAAE,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;gBAC/B,KAAK;gBACL,IAAI,EAAE,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;gBACnC,KAAK,EAAG,OAAO,CAAC,OAAO,CAA+B,IAAI,IAAI;gBAC9D,YAAY,EAAG,OAAO,CAAC,cAAc,CAA0C,IAAI,SAAS;gBAC5F,SAAS,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,gBAAgB,CAAC,KAAK,CAAC;aACzF;YACD,SAAS,EAAE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YACzC,SAAS,EAAE,MAAM,CAAC,UAAU,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;SAChD,CAAA;QAED,KAAK,CAAC,GAAG,CAAC,YAAY,EAAE,OAAO,CAAC,CAAA;QAChC,OAAO,OAAO,CAAA;IAChB,CAAC,CAAA;AACH,CAAC;AAED,gFAAgF;AAChF,2BAA2B;AAC3B,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AACH,MAAM,UAAU,wBAAwB,CACtC,UAAqC,EAAE;IAEvC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,OAAO,CAAA;IACpC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,mBAAmB,CAAA;IAClD,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,UAAU,CAAA;IAEvC,MAAM,OAAO,GAAqB;QAChC,IAAI,EAAE;YACJ,EAAE,EAAE,cAAc;YAClB,KAAK;YACL,IAAI;YACJ,KAAK,EAAE,IAAI;YACX,YAAY,EAAE,IAAI;YAClB,SAAS,EAAE,gBAAgB,CAAC,KAAK,CAAC;SACnC;QACD,SAAS,EAAE,iBAAiB;QAC5B,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI;KACjD,CAAA;IAED,OAAO,KAAK,UAAU,gBAAgB;QACpC,OAAO,OAAO,CAAA;IAChB,CAAC,CAAA;AACH,CAAC"}
+{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../../../src/modules/auth/middleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwCG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAA;AACpC,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAA;AAI9C,gFAAgF;AAChF,QAAQ;AACR,gFAAgF;AAEhF,uEAAuE;AACvE,MAAM,CAAC,MAAM,aAAa,GAAG,MAAe,CAAA;AAqI5C,gFAAgF;AAChF,0BAA0B;AAC1B,gFAAgF;AAEhF,0FAA0F;AAC1F,SAAS,YAAY,CAAC,GAA4B;IAChD,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAA;IACxC,MAAM,SAAS,GAAG,GAAG,CAAC,WAAW,CAAC;QAChC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;QAC1B,CAAC,CAAC,gBAAgB,CAAC,KAAK,CAAC,CAAA;IAE3B,OAAO;QACL,EAAE,EAAE,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QAC3B,KAAK;QACL,IAAI,EAAE,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;QAC/B,KAAK,EAAG,GAAG,CAAC,OAAO,CAA+B,IAAI,IAAI;QAC1D,YAAY,EAAG,GAAG,CAAC,cAAc,CAA0C,IAAI,SAAS;QACxF,SAAS;KACV,CAAA;AACH,CAAC;AAED,0EAA0E;AAC1E,SAAS,YAAY,CAAC,YAAoB,EAAE,IAAY;IACtD,KAAK,MAAM,IAAI,IAAI,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;QAC3C,MAAM,CAAC,CAAC,EAAE,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;QAC3C,IAAI,CAAC,EAAE,IAAI,EAAE,KAAK,IAAI;YAAE,OAAO,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAA;IACtD,CAAC;IACD,OAAO,SAAS,CAAA;AAClB,CAAC;AAED,wFAAwF;AACxF,SAAS,oBAAoB,CAAC,OAAyB;IACrD,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAA;AACnE,CAAC;AAED,6FAA6F;AAC7F,SAAS,oBAAoB,CAAC,KAAa;IACzC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAqB,CAAA;QAC7F,IAAI,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,GAAG,CAAC,SAAS,IAAI,CAAC,GAAG,CAAC,SAAS;YAAE,OAAO,IAAI,CAAA;QAC9D,IAAI,GAAG,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE;YAAE,OAAO,IAAI,CAAA;QAC3C,OAAO,GAAG,CAAA;IACZ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC;AAED,gFAAgF;AAChF,uBAAuB;AACvB,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AACH,MAAM,UAAU,oBAAoB,CAClC,cAAgD,EAChD,UAAiC,EAAE;IAEnC,MAAM,UAAU,GAAG,OAAO,cAAc,KAAK,UAAU,CAAA;IAEvD,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,MAAM,GAAG,cAAiC,CAAA;QAEhD,MAAM,WAAW,GAAkC,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;YACnE,MAAM,YAAY,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAA;YACjD,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,CAAA;YAC1C,IAAI,CAAC,OAAO;gBAAE,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,yBAAyB,EAAE,EAAE,GAAG,CAAC,CAAA;YACtE,CAAC,CAAC,GAAG,CAAC,aAAa,EAAE,OAAO,CAAC,IAAI,CAAC,CAAA;YAClC,MAAM,IAAI,EAAE,CAAA;YACZ,OAAM;QACR,CAAC,CAAA;QAED,MAAM,YAAY,GAAmC,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;YACrE,MAAM,YAAY,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAA;YACjD,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,CAAA;YAC1C,CAAC,CAAC,GAAG,CAAC,aAAa,EAAE,OAAO,EAAE,IAAI,IAAI,IAAI,CAAC,CAAA;YAC3C,MAAM,IAAI,EAAE,CAAA;QACd,CAAC,CAAA;QAED,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,CAAA;IACtC,CAAC;IAED,4CAA4C;IAC5C,MAAM,IAAI,GAAG,cAAgC,CAAA;IAC7C,MAAM,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI,IAAI,CAAA;IACjD,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,KAAK,YAAY,CAAA;IAEtD,MAAM,QAAQ,GAAyB;QACrC,EAAE,EAAE,cAAc;QAClB,KAAK,EAAE,eAAe;QACtB,IAAI,EAAE,UAAU;QAChB,KAAK,EAAE,IAAI;QACX,SAAS,EAAE,gBAAgB,CAAC,eAAe,CAAC;QAC5C,YAAY,EAAE,SAAS;KACxB,CAAA;IAED,MAAM,WAAW,GAAkC,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;QACnE,IAAI,KAAK,IAAI,YAAY,EAAE,CAAC;YAC1B,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,aAAa,CAAC;gBAAE,CAAC,CAAC,GAAG,CAAC,aAAa,EAAE,QAAQ,CAAC,CAAA;YACzD,MAAM,IAAI,EAAE,CAAA;YACZ,OAAM;QACR,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC,CAAA;QACzE,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC;YACnB,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,yBAAyB,EAAE,EAAE,GAAG,CAAC,CAAA;QAC1D,CAAC;QAED,CAAC,CAAC,GAAG,CAAC,aAAa,EAAE,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAA;QAChD,MAAM,IAAI,EAAE,CAAA;QACZ,OAAM;IACR,CAAC,CAAA;IAED,MAAM,YAAY,GAAmC,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;QACrE,IAAI,KAAK,IAAI,YAAY,EAAE,CAAC;YAC1B,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,aAAa,CAAC;gBAAE,CAAC,CAAC,GAAG,CAAC,aAAa,EAAE,QAAQ,CAAC,CAAA;YACzD,MAAM,IAAI,EAAE,CAAA;YACZ,OAAM;QACR,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC,CAAA;QACzE,IAAI,OAAO,EAAE,IAAI,EAAE,CAAC;YAClB,CAAC,CAAC,GAAG,CAAC,aAAa,EAAE,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAA;QAClD,CAAC;aAAM,CAAC;YACN,CAAC,CAAC,GAAG,CAAC,aAAa,EAAE,IAAI,CAAC,CAAA;QAC5B,CAAC;QACD,MAAM,IAAI,EAAE,CAAA;IACd,CAAC,CAAA;IAED,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,CAAA;AACtC,CAAC;AAED,gFAAgF;AAChF,8BAA8B;AAC9B,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,MAAM,UAAU,2BAA2B,CACzC,OAAqC;IAErC,MAAM,QAAQ,GAAG,OAAO,CAAC,UAAU,IAAI,MAAM,CAAA;IAC7C,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,GAAG,CAAA;IACxC,MAAM,UAAU,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,uBAAuB,CAAA;IAE9E,MAAM,KAAK,GAAG,IAAI,QAAQ,CAA2B;QACnD,GAAG,EAAE,QAAQ;QACb,GAAG,EAAE,QAAQ;KACd,CAAC,CAAA;IAEF,OAAO,KAAK,UAAU,mBAAmB,CACvC,YAAoB;QAEpB,IAAI,CAAC,YAAY;YAAE,OAAO,IAAI,CAAA;QAE9B,iEAAiE;QACjE,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,YAAY,CAAC,CAAA;QACtC,IAAI,MAAM,KAAK,SAAS;YAAE,OAAO,MAAM,CAAA;QAEvC,IAAI,QAAkB,CAAA;QACtB,IAAI,CAAC;YACH,QAAQ,GAAG,MAAM,KAAK,CAAC,UAAU,EAAE;gBACjC,OAAO,EAAE,EAAE,MAAM,EAAE,YAAY,EAAE;gBACjC,WAAW,EAAE,SAAS;aACvB,CAAC,CAAA;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAA;QACb,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,EAAE;YAAE,OAAO,IAAI,CAAA;QAE7B,IAAI,IAA6B,CAAA;QACjC,IAAI,CAAC;YACH,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA6B,CAAA;QACzD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAA;QACb,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAwC,CAAA;QACnE,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAwC,CAAA;QAEzE,IAAI,CAAC,OAAO,IAAI,CAAC,UAAU;YAAE,OAAO,IAAI,CAAA;QAExC,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAA;QAC5C,MAAM,OAAO,GAAqB;YAChC,IAAI,EAAE;gBACJ,EAAE,EAAE,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;gBAC/B,KAAK;gBACL,IAAI,EAAE,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;gBACnC,KAAK,EAAG,OAAO,CAAC,OAAO,CAA+B,IAAI,IAAI;gBAC9D,YAAY,EAAG,OAAO,CAAC,cAAc,CAA0C,IAAI,SAAS;gBAC5F,SAAS,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,gBAAgB,CAAC,KAAK,CAAC;aACzF;YACD,SAAS,EAAE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YACzC,SAAS,EAAE,MAAM,CAAC,UAAU,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;SAChD,CAAA;QAED,KAAK,CAAC,GAAG,CAAC,YAAY,EAAE,OAAO,CAAC,CAAA;QAChC,OAAO,OAAO,CAAA;IAChB,CAAC,CAAA;AACH,CAAC;AAED,gFAAgF;AAChF,2BAA2B;AAC3B,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AACH,MAAM,UAAU,wBAAwB,CACtC,UAAqC,EAAE;IAEvC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,OAAO,CAAA;IACpC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,mBAAmB,CAAA;IAClD,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,UAAU,CAAA;IAEvC,MAAM,OAAO,GAAqB;QAChC,IAAI,EAAE;YACJ,EAAE,EAAE,cAAc;YAClB,KAAK;YACL,IAAI;YACJ,KAAK,EAAE,IAAI;YACX,YAAY,EAAE,IAAI;YAClB,SAAS,EAAE,gBAAgB,CAAC,KAAK,CAAC;SACnC;QACD,SAAS,EAAE,iBAAiB;QAC5B,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI;KACjD,CAAA;IAED,OAAO,KAAK,UAAU,gBAAgB;QACpC,OAAO,OAAO,CAAA;IAChB,CAAC,CAAA;AACH,CAAC;AAED,gFAAgF;AAChF,wBAAwB;AACxB,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAM,UAAU,qBAAqB,CACnC,UAAkC,EAAE;IAEpC,MAAM,aAAa,GAA2C;QAC5D,SAAS,EAAE,QAAQ,EAAE,UAAU,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,SAAS,EAAE,YAAY;KACtF,CAAA;IACD,MAAM,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI,aAAa,CAAA;IAC1D,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,uBAAuB,CAAA;IAChE,MAAM,aAAa,GAAG,OAAO,CAAC,aAAa,IAAI,MAAM,CAAA;IAErD,OAAO,SAAS,eAAe,CAAC,CAAU;QACxC,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,KAAK,YAAY,EAAE,CAAC;YAC7C,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,EAAE,GAAG,CAAC,CAAA;QAC5C,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAqD,CAAA;QACpF,IAAI,CAAC,IAAI,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1C,OAAO,CAAC,CAAC,IAAI,CACX;gBACE,KAAK,EAAE,0BAA0B,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;gBAC1D,YAAY;aACb,EACD,GAAG,CACJ,CAAA;QACH,CAAC;QAED,MAAM,KAAK,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,OAAO,IAAI,gBAAgB,CAAA;QACjE,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAA;QACzF,MAAM,QAAQ,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,GAAG,CAAA;QAE/C,MAAM,OAAO,GAAqB;YAChC,IAAI,EAAE;gBACJ,EAAE,EAAE,YAAY,IAAI,EAAE;gBACtB,KAAK;gBACL,IAAI;gBACJ,KAAK,EAAE,IAAI;gBACX,YAAY,EAAE,IAAI;gBAClB,SAAS,EAAE,gBAAgB,CAAC,KAAK,CAAC;aACnC;YACD,SAAS,EAAE,eAAe,IAAI,CAAC,GAAG,EAAE,EAAE;YACtC,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,aAAa,GAAG,IAAI;SAC7C,CAAA;QAED,MAAM,WAAW,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAA;QACjD,MAAM,YAAY,GAAG;YACnB,GAAG,UAAU,IAAI,WAAW,EAAE;YAC9B,QAAQ;YACR,UAAU;YACV,cAAc;YACd,WAAW,aAAa,EAAE;SAC3B,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAEZ,MAAM,QAAQ,GAAG,IAAI,QAAQ,CAAC,IAAI,EAAE;YAClC,MAAM,EAAE,GAAG;YACX,OAAO,EAAE;gBACP,QAAQ,EAAE,QAAQ;gBAClB,YAAY,EAAE,YAAY;aAC3B;SACF,CAAC,CAAA;QACF,OAAO,QAAQ,CAAA;IACjB,CAAC,CAAA;AACH,CAAC;AAED,gFAAgF;AAChF,0BAA0B;AAC1B,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,UAAU,uBAAuB,CACrC,UAAU,GAAG,uBAAuB;IAEpC,OAAO,KAAK,UAAU,eAAe,CAAC,YAAoB;QACxD,MAAM,KAAK,GAAG,YAAY,CAAC,YAAY,EAAE,UAAU,CAAC,CAAA;QACpD,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAA;QACvB,OAAO,oBAAoB,CAAC,KAAK,CAAC,CAAA;IACpC,CAAC,CAAA;AACH,CAAC;AAED,gFAAgF;AAChF,4BAA4B;AAC5B,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AACH,MAAM,UAAU,yBAAyB,CACvC,UAAsC,EAAE;IAExC,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,yBAAyB,CAAA;IAClE,MAAM,aAAa,GAAG,OAAO,CAAC,aAAa,IAAI,KAAK,CAAA;IACpD,MAAM,cAAc,GAAG,OAAO,CAAC,cAAc,CAAA;IAE7C,OAAO,KAAK,UAAU,mBAAmB,CAAC,CAAU;QAClD,+CAA+C;QAC/C,MAAM,YAAY,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAA;QACjD,MAAM,aAAa,GAAG,YAAY,CAAC,YAAY,EAAE,UAAU,CAAC,CAAA;QAC5D,IAAI,aAAa,EAAE,CAAC;YAClB,MAAM,QAAQ,GAAG,oBAAoB,CAAC,aAAa,CAAC,CAAA;YACpD,IAAI,QAAQ;gBAAE,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,QAAQ,CAAC,IAAI,CAAC,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAA;QAC5E,CAAC;QAED,6BAA6B;QAC7B,MAAM,OAAO,GAAG,SAAS,IAAI,CAAC,GAAG,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAA;QAC5F,MAAM,KAAK,GAAG,GAAG,OAAO,sBAAsB,CAAA;QAE9C,MAAM,OAAO,GAAqB;YAChC,IAAI,EAAE;gBACJ,EAAE,EAAE,OAAO;gBACX,KAAK;gBACL,IAAI,EAAE,OAAO;gBACb,KAAK,EAAE,IAAI;gBACX,YAAY,EAAE,OAAO;gBACrB,SAAS,EAAE,gBAAgB,CAAC,KAAK,CAAC;aACnC;YACD,SAAS,EAAE,iBAAiB,IAAI,CAAC,GAAG,EAAE,EAAE;YACxC,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,aAAa,GAAG,IAAI;SAC7C,CAAA;QAED,IAAI,cAAc;YAAE,MAAM,cAAc,CAAC,OAAO,CAAC,CAAA;QAEjD,MAAM,WAAW,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAA;QACjD,MAAM,aAAa,GAAG;YACpB,GAAG,UAAU,IAAI,WAAW,EAAE;YAC9B,QAAQ;YACR,UAAU;YACV,cAAc;YACd,WAAW,aAAa,EAAE;SAC3B,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAEZ,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,EAAE;YAChE,MAAM,EAAE,GAAG;YACX,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,YAAY,EAAE,aAAa;aAC5B;SACF,CAAC,CAAA;IACJ,CAAC,CAAA;AACH,CAAC;AAED,gFAAgF;AAChF,4BAA4B;AAC5B,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,UAAU,yBAAyB,CACvC,UAAU,GAAG,yBAAyB;IAEtC,OAAO,KAAK,UAAU,iBAAiB,CAAC,YAAoB;QAC1D,MAAM,KAAK,GAAG,YAAY,CAAC,YAAY,EAAE,UAAU,CAAC,CAAA;QACpD,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAA;QACvB,OAAO,oBAAoB,CAAC,KAAK,CAAC,CAAA;IACpC,CAAC,CAAA;AACH,CAAC"}

package/dist/modules/auth/types.d.ts

@@ -15,6 +15,7 @@
  *
  * - `creator`    — Workshop user: creates workspaces, kits, and publishes to Venue
  * - `viewer`     — Read-only consumer of published Workshop content
+ * - `guest`      — Venue anonymous visitor: can browse and initiate booking without an account
  * - `customer`   — Venue customer: books sessions, manages loyalty account
  * - `staff`      — Venue staff: check in guests, run POS, log sessions
  * - `manager`    — Venue manager: all staff capabilities + analytics, scheduling
@@ -22,7 +23,7 @@
  * - `learner`    — Academy learner: enrolled in courses, tracks progress
  * - `instructor` — Academy instructor: creates courses, manages live sessions
  */
-export type PlatformRole = 'creator' | 'viewer' | 'customer' | 'staff' | 'manager' | 'owner' | 'learner' | 'instructor';
+export type PlatformRole = 'creator' | 'viewer' | 'guest' | 'customer' | 'staff' | 'manager' | 'owner' | 'learner' | 'instructor';
 /**
  * Auth providers supported across the Soulcraft platform.
  *
@@ -69,13 +70,13 @@ export interface SoulcraftUserFields {
      */
     platformRole: PlatformRole;
     /**
-     * SHA-256 hex digest of the user's canonical email address.
+     * Full SHA-256 hex digest (64 characters) of the user's canonical email address.
      *
      * Computed once at account creation and never changes, even if the user updates
      * their email or switches OAuth providers. Used by Workshop to deterministically
      * locate the user's Brainy data directory without exposing the email in paths.
      *
-     * Path pattern: `{brainyDataPath}/{emailHash.slice(0,8)}/{workspaceId}/`
+     * Path pattern: `{brainyDataPath}/{emailHash}/{workspaceId}/`
      *
      * @see computeEmailHash in modules/auth/config.ts
      */

package/dist/modules/auth/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/modules/auth/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAMH;;;;;;;;;;;GAWG;AACH,MAAM,MAAM,YAAY,GACpB,SAAS,GACT,QAAQ,GACR,UAAU,GACV,OAAO,GACP,SAAS,GACT,OAAO,GACP,SAAS,GACT,YAAY,CAAA;AAEhB;;;;;;;;GAQG;AACH,MAAM,MAAM,qBAAqB,GAAG,QAAQ,GAAG,QAAQ,GAAG,OAAO,GAAG,SAAS,GAAG,YAAY,CAAA;AAM5F;;;;;;GAMG;AACH,MAAM,WAAW,qBAAqB;IACpC,mDAAmD;IACnD,EAAE,EAAE,MAAM,CAAA;IACV,8DAA8D;IAC9D,IAAI,EAAE,MAAM,CAAA;IACZ,6CAA6C;IAC7C,IAAI,EAAE,MAAM,CAAA;IACZ,yCAAyC;IACzC,OAAO,EAAE,UAAU,GAAG,OAAO,GAAG,SAAS,GAAG,QAAQ,CAAA;IACpD;;;;;OAKG;IACH,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAClC;AAMD;;;;GAIG;AACH,MAAM,WAAW,mBAAmB;IAClC;;;OAGG;IACH,YAAY,EAAE,YAAY,CAAA;IAC1B;;;;;;;;;;OAUG;IACH,SAAS,EAAE,MAAM,CAAA;CAClB;AAED;;;;GAIG;AACH,MAAM,WAAW,oBAAoB;IACnC,kCAAkC;IAClC,EAAE,EAAE,MAAM,CAAA;IACV,4BAA4B;IAC5B,KAAK,EAAE,MAAM,CAAA;IACb,oBAAoB;IACpB,IAAI,EAAE,MAAM,CAAA;IACZ,mDAAmD;IACnD,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;IACrB,4DAA4D;IAC5D,YAAY,EAAE,YAAY,CAAA;IAC1B,6DAA6D;IAC7D,SAAS,EAAE,MAAM,CAAA;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,8BAA8B;IAC9B,IAAI,EAAE,oBAAoB,CAAA;IAC1B,kCAAkC;IAClC,SAAS,EAAE,MAAM,CAAA;IACjB,oDAAoD;IACpD,SAAS,EAAE,MAAM,CAAA;CAClB;AAMD;;;;;GAKG;AACH,MAAM,WAAW,gBAAgB;IAC/B,sEAAsE;IACtE,MAAM,EAAE,MAAM,CAAA;IACd,wEAAwE;IACxE,QAAQ,EAAE,MAAM,CAAA;IAChB,yCAAyC;IACzC,YAAY,EAAE,MAAM,CAAA;IACpB;;;;;OAKG;IACH,WAAW,CAAC,EAAE,MAAM,CAAA;CACrB;AAED;;;;;GAKG;AACH,MAAM,MAAM,QAAQ,GAAG,YAAY,GAAG,aAAa,CAAA;AAMnD;;;;;;GAMG;AACH,MAAM,WAAW,UAAU;IACzB;;;;OAIG;IACH,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,mBAAmB,EAAE,qBAAqB,GAAG,IAAI,CAAC,CAAA;IAE7G;;;OAGG;IACH,WAAW,CAAC,OAAO,EAAE,OAAO,mBAAmB,EAAE,4BAA4B,GAAG,OAAO,CAAC,MAAM,CAAC,CAAA;CAChG"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/modules/auth/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAMH;;;;;;;;;;;;GAYG;AACH,MAAM,MAAM,YAAY,GACpB,SAAS,GACT,QAAQ,GACR,OAAO,GACP,UAAU,GACV,OAAO,GACP,SAAS,GACT,OAAO,GACP,SAAS,GACT,YAAY,CAAA;AAEhB;;;;;;;;GAQG;AACH,MAAM,MAAM,qBAAqB,GAAG,QAAQ,GAAG,QAAQ,GAAG,OAAO,GAAG,SAAS,GAAG,YAAY,CAAA;AAM5F;;;;;;GAMG;AACH,MAAM,WAAW,qBAAqB;IACpC,mDAAmD;IACnD,EAAE,EAAE,MAAM,CAAA;IACV,8DAA8D;IAC9D,IAAI,EAAE,MAAM,CAAA;IACZ,6CAA6C;IAC7C,IAAI,EAAE,MAAM,CAAA;IACZ,yCAAyC;IACzC,OAAO,EAAE,UAAU,GAAG,OAAO,GAAG,SAAS,GAAG,QAAQ,CAAA;IACpD;;;;;OAKG;IACH,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAClC;AAMD;;;;GAIG;AACH,MAAM,WAAW,mBAAmB;IAClC;;;OAGG;IACH,YAAY,EAAE,YAAY,CAAA;IAC1B;;;;;;;;;;OAUG;IACH,SAAS,EAAE,MAAM,CAAA;CAClB;AAED;;;;GAIG;AACH,MAAM,WAAW,oBAAoB;IACnC,kCAAkC;IAClC,EAAE,EAAE,MAAM,CAAA;IACV,4BAA4B;IAC5B,KAAK,EAAE,MAAM,CAAA;IACb,oBAAoB;IACpB,IAAI,EAAE,MAAM,CAAA;IACZ,mDAAmD;IACnD,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;IACrB,4DAA4D;IAC5D,YAAY,EAAE,YAAY,CAAA;IAC1B,6DAA6D;IAC7D,SAAS,EAAE,MAAM,CAAA;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,8BAA8B;IAC9B,IAAI,EAAE,oBAAoB,CAAA;IAC1B,kCAAkC;IAClC,SAAS,EAAE,MAAM,CAAA;IACjB,oDAAoD;IACpD,SAAS,EAAE,MAAM,CAAA;CAClB;AAMD;;;;;GAKG;AACH,MAAM,WAAW,gBAAgB;IAC/B,sEAAsE;IACtE,MAAM,EAAE,MAAM,CAAA;IACd,wEAAwE;IACxE,QAAQ,EAAE,MAAM,CAAA;IAChB,yCAAyC;IACzC,YAAY,EAAE,MAAM,CAAA;IACpB;;;;;OAKG;IACH,WAAW,CAAC,EAAE,MAAM,CAAA;CACrB;AAED;;;;;GAKG;AACH,MAAM,MAAM,QAAQ,GAAG,YAAY,GAAG,aAAa,CAAA;AAMnD;;;;;;GAMG;AACH,MAAM,WAAW,UAAU;IACzB;;;;OAIG;IACH,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,mBAAmB,EAAE,qBAAqB,GAAG,IAAI,CAAC,CAAA;IAE7G;;;OAGG;IACH,WAAW,CAAC,OAAO,EAAE,OAAO,mBAAmB,EAAE,4BAA4B,GAAG,OAAO,CAAC,MAAM,CAAC,CAAA;CAChG"}

package/dist/server/index.d.ts

@@ -40,8 +40,8 @@ export type { BrainyPostMessageHandlerConfig, BrainyPostMessageHandler, } from '
 export { createHallModule, generateTurnCredentials, HallClient, } from './hall-handlers.js';
 export type { HallConnectionOptions, HallModule, TurnCredentialOptions, TurnCredentials, } from './hall-handlers.js';
 export type { HallRoom, HallRoomEvents, RoomOptions, ConceptInput, RecordingManifest, TranscriptEvent, ConceptMentionEvent, RelationProposedEvent, SpeakerChangedEvent, PeerJoinedEvent, PeerLeftEvent, } from '../modules/hall/types.js';
-export { createAuthMiddleware, createRemoteSessionVerifier, createDevSessionVerifier, AUTH_USER_KEY, } from '../modules/auth/middleware.js';
-export type { AuthMiddlewareOptions, AuthMiddleware, AuthContext, BetterAuthLike, RemoteSessionVerifierOptions, DevSessionVerifierOptions, } from '../modules/auth/middleware.js';
+export { createAuthMiddleware, createRemoteSessionVerifier, createDevSessionVerifier, createDevLoginHandler, createDevCookieVerifier, createGuestSessionHandler, createGuestCookieVerifier, AUTH_USER_KEY, } from '../modules/auth/middleware.js';
+export type { AuthMiddlewareOptions, AuthMiddleware, AuthContext, BetterAuthLike, SessionVerifier, RemoteSessionVerifierOptions, DevSessionVerifierOptions, DevLoginHandlerOptions, GuestSessionHandlerOptions, } from '../modules/auth/middleware.js';
 export { createBackchannelLogoutHandler } from '../modules/auth/backchannel.js';
 export type { BackchannelLogoutConfig, BackchannelAuthLike, } from '../modules/auth/backchannel.js';
 export { verifyServiceToken, extractBearerToken, } from '../modules/auth/service-token.js';

package/dist/server/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAGH,OAAO,EACL,kBAAkB,EAClB,gBAAgB,GACjB,MAAM,oBAAoB,CAAA;AAC3B,YAAY,EACV,kBAAkB,EAClB,iBAAiB,GAClB,MAAM,oBAAoB,CAAA;AAG3B,OAAO,EACL,mBAAmB,EACnB,qBAAqB,GACtB,MAAM,eAAe,CAAA;AACtB,YAAY,EACV,mBAAmB,EACnB,qBAAqB,EACrB,eAAe,EACf,SAAS,GACV,MAAM,eAAe,CAAA;AAGtB,OAAO,EAAE,8BAA8B,EAAE,MAAM,0BAA0B,CAAA;AACzE,YAAY,EACV,8BAA8B,EAC9B,wBAAwB,GACzB,MAAM,0BAA0B,CAAA;AAGjC,OAAO,EACL,gBAAgB,EAChB,uBAAuB,EACvB,UAAU,GACX,MAAM,oBAAoB,CAAA;AAC3B,YAAY,EACV,qBAAqB,EACrB,UAAU,EACV,qBAAqB,EACrB,eAAe,GAChB,MAAM,oBAAoB,CAAA;AAC3B,YAAY,EACV,QAAQ,EACR,cAAc,EACd,WAAW,EACX,YAAY,EACZ,iBAAiB,EACjB,eAAe,EACf,mBAAmB,EACnB,qBAAqB,EACrB,mBAAmB,EACnB,eAAe,EACf,aAAa,GACd,MAAM,0BAA0B,CAAA;AAGjC,OAAO,EACL,oBAAoB,EACpB,2BAA2B,EAC3B,wBAAwB,EACxB,aAAa,GACd,MAAM,+BAA+B,CAAA;AACtC,YAAY,EACV,qBAAqB,EACrB,cAAc,EACd,WAAW,EACX,cAAc,EACd,4BAA4B,EAC5B,yBAAyB,GAC1B,MAAM,+BAA+B,CAAA;AACtC,OAAO,EAAE,8BAA8B,EAAE,MAAM,gCAAgC,CAAA;AAC/E,YAAY,EACV,uBAAuB,EACvB,mBAAmB,GACpB,MAAM,gCAAgC,CAAA;AAGvC,OAAO,EACL,kBAAkB,EAClB,kBAAkB,GACnB,MAAM,kCAAkC,CAAA;AAGzC,OAAO,EACL,qBAAqB,EACrB,wBAAwB,EACxB,WAAW,EACX,mBAAmB,GACpB,MAAM,2BAA2B,CAAA;AAGlC,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAC3C,YAAY,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAA;AAGvD,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AACnD,YAAY,EACV,SAAS,EACT,kBAAkB,EAClB,mBAAmB,EACnB,qBAAqB,GACtB,MAAM,mBAAmB,CAAA;AAG1B,OAAO,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAA;AACjE,YAAY,EAAE,0BAA0B,EAAE,MAAM,6BAA6B,CAAA;AAC7E,OAAO,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAA;AACjE,YAAY,EAAE,0BAA0B,EAAE,MAAM,6BAA6B,CAAA;AAC7E,OAAO,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAA;AAC3D,OAAO,EAAE,yBAAyB,EAAE,MAAM,mCAAmC,CAAA;AAG7E,YAAY,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAA;AACnD,OAAO,EAAE,qBAAqB,EAAE,qBAAqB,EAAE,MAAM,2BAA2B,CAAA;AACxF,YAAY,EAAE,4BAA4B,EAAE,qBAAqB,EAAE,MAAM,2BAA2B,CAAA;AACpG,OAAO,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAGH,OAAO,EACL,kBAAkB,EAClB,gBAAgB,GACjB,MAAM,oBAAoB,CAAA;AAC3B,YAAY,EACV,kBAAkB,EAClB,iBAAiB,GAClB,MAAM,oBAAoB,CAAA;AAG3B,OAAO,EACL,mBAAmB,EACnB,qBAAqB,GACtB,MAAM,eAAe,CAAA;AACtB,YAAY,EACV,mBAAmB,EACnB,qBAAqB,EACrB,eAAe,EACf,SAAS,GACV,MAAM,eAAe,CAAA;AAGtB,OAAO,EAAE,8BAA8B,EAAE,MAAM,0BAA0B,CAAA;AACzE,YAAY,EACV,8BAA8B,EAC9B,wBAAwB,GACzB,MAAM,0BAA0B,CAAA;AAGjC,OAAO,EACL,gBAAgB,EAChB,uBAAuB,EACvB,UAAU,GACX,MAAM,oBAAoB,CAAA;AAC3B,YAAY,EACV,qBAAqB,EACrB,UAAU,EACV,qBAAqB,EACrB,eAAe,GAChB,MAAM,oBAAoB,CAAA;AAC3B,YAAY,EACV,QAAQ,EACR,cAAc,EACd,WAAW,EACX,YAAY,EACZ,iBAAiB,EACjB,eAAe,EACf,mBAAmB,EACnB,qBAAqB,EACrB,mBAAmB,EACnB,eAAe,EACf,aAAa,GACd,MAAM,0BAA0B,CAAA;AAGjC,OAAO,EACL,oBAAoB,EACpB,2BAA2B,EAC3B,wBAAwB,EACxB,qBAAqB,EACrB,uBAAuB,EACvB,yBAAyB,EACzB,yBAAyB,EACzB,aAAa,GACd,MAAM,+BAA+B,CAAA;AACtC,YAAY,EACV,qBAAqB,EACrB,cAAc,EACd,WAAW,EACX,cAAc,EACd,eAAe,EACf,4BAA4B,EAC5B,yBAAyB,EACzB,sBAAsB,EACtB,0BAA0B,GAC3B,MAAM,+BAA+B,CAAA;AACtC,OAAO,EAAE,8BAA8B,EAAE,MAAM,gCAAgC,CAAA;AAC/E,YAAY,EACV,uBAAuB,EACvB,mBAAmB,GACpB,MAAM,gCAAgC,CAAA;AAGvC,OAAO,EACL,kBAAkB,EAClB,kBAAkB,GACnB,MAAM,kCAAkC,CAAA;AAGzC,OAAO,EACL,qBAAqB,EACrB,wBAAwB,EACxB,WAAW,EACX,mBAAmB,GACpB,MAAM,2BAA2B,CAAA;AAGlC,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAC3C,YAAY,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAA;AAGvD,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AACnD,YAAY,EACV,SAAS,EACT,kBAAkB,EAClB,mBAAmB,EACnB,qBAAqB,GACtB,MAAM,mBAAmB,CAAA;AAG1B,OAAO,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAA;AACjE,YAAY,EAAE,0BAA0B,EAAE,MAAM,6BAA6B,CAAA;AAC7E,OAAO,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAA;AACjE,YAAY,EAAE,0BAA0B,EAAE,MAAM,6BAA6B,CAAA;AAC7E,OAAO,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAA;AAC3D,OAAO,EAAE,yBAAyB,EAAE,MAAM,mCAAmC,CAAA;AAG7E,YAAY,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAA;AACnD,OAAO,EAAE,qBAAqB,EAAE,qBAAqB,EAAE,MAAM,2BAA2B,CAAA;AACxF,YAAY,EAAE,4BAA4B,EAAE,qBAAqB,EAAE,MAAM,2BAA2B,CAAA;AACpG,OAAO,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAA"}

package/dist/server/index.js

@@ -39,8 +39,8 @@ export { createBrainyHandler, createBrainyWsHandler, } from './handlers.js';
 export { createBrainyPostMessageHandler } from './postmessage-handler.js';
 // ── Hall module factory + TURN utilities ─────────────────────────────────────
 export { createHallModule, generateTurnCredentials, HallClient, } from './hall-handlers.js';
-// ── Auth middleware + backchannel logout ──────────────────────────────────────
-export { createAuthMiddleware, createRemoteSessionVerifier, createDevSessionVerifier, AUTH_USER_KEY, } from '../modules/auth/middleware.js';
+// ── Auth middleware + session factories ───────────────────────────────────────
+export { createAuthMiddleware, createRemoteSessionVerifier, createDevSessionVerifier, createDevLoginHandler, createDevCookieVerifier, createGuestSessionHandler, createGuestCookieVerifier, AUTH_USER_KEY, } from '../modules/auth/middleware.js';
 export { createBackchannelLogoutHandler } from '../modules/auth/backchannel.js';
 // ── Service token verification ────────────────────────────────────────────────
 export { verifyServiceToken, extractBearerToken, } from '../modules/auth/service-token.js';

package/dist/server/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAEH,iFAAiF;AACjF,OAAO,EACL,kBAAkB,EAClB,gBAAgB,GACjB,MAAM,oBAAoB,CAAA;AAM3B,iFAAiF;AACjF,OAAO,EACL,mBAAmB,EACnB,qBAAqB,GACtB,MAAM,eAAe,CAAA;AAQtB,iFAAiF;AACjF,OAAO,EAAE,8BAA8B,EAAE,MAAM,0BAA0B,CAAA;AAMzE,gFAAgF;AAChF,OAAO,EACL,gBAAgB,EAChB,uBAAuB,EACvB,UAAU,GACX,MAAM,oBAAoB,CAAA;AAqB3B,iFAAiF;AACjF,OAAO,EACL,oBAAoB,EACpB,2BAA2B,EAC3B,wBAAwB,EACxB,aAAa,GACd,MAAM,+BAA+B,CAAA;AAStC,OAAO,EAAE,8BAA8B,EAAE,MAAM,gCAAgC,CAAA;AAM/E,iFAAiF;AACjF,OAAO,EACL,kBAAkB,EAClB,kBAAkB,GACnB,MAAM,kCAAkC,CAAA;AAEzC,mFAAmF;AACnF,OAAO,EACL,qBAAqB,EACrB,wBAAwB,EACxB,WAAW,EACX,mBAAmB,GACpB,MAAM,2BAA2B,CAAA;AAElC,iFAAiF;AACjF,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAG3C,iFAAiF;AACjF,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AAQnD,qFAAqF;AACrF,OAAO,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAA;AAEjE,OAAO,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAA;AAEjE,OAAO,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAA;AAC3D,OAAO,EAAE,yBAAyB,EAAE,MAAM,mCAAmC,CAAA;AAI7E,OAAO,EAAE,qBAAqB,EAAE,qBAAqB,EAAE,MAAM,2BAA2B,CAAA;AAExF,OAAO,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAEH,iFAAiF;AACjF,OAAO,EACL,kBAAkB,EAClB,gBAAgB,GACjB,MAAM,oBAAoB,CAAA;AAM3B,iFAAiF;AACjF,OAAO,EACL,mBAAmB,EACnB,qBAAqB,GACtB,MAAM,eAAe,CAAA;AAQtB,iFAAiF;AACjF,OAAO,EAAE,8BAA8B,EAAE,MAAM,0BAA0B,CAAA;AAMzE,gFAAgF;AAChF,OAAO,EACL,gBAAgB,EAChB,uBAAuB,EACvB,UAAU,GACX,MAAM,oBAAoB,CAAA;AAqB3B,iFAAiF;AACjF,OAAO,EACL,oBAAoB,EACpB,2BAA2B,EAC3B,wBAAwB,EACxB,qBAAqB,EACrB,uBAAuB,EACvB,yBAAyB,EACzB,yBAAyB,EACzB,aAAa,GACd,MAAM,+BAA+B,CAAA;AAYtC,OAAO,EAAE,8BAA8B,EAAE,MAAM,gCAAgC,CAAA;AAM/E,iFAAiF;AACjF,OAAO,EACL,kBAAkB,EAClB,kBAAkB,GACnB,MAAM,kCAAkC,CAAA;AAEzC,mFAAmF;AACnF,OAAO,EACL,qBAAqB,EACrB,wBAAwB,EACxB,WAAW,EACX,mBAAmB,GACpB,MAAM,2BAA2B,CAAA;AAElC,iFAAiF;AACjF,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAG3C,iFAAiF;AACjF,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AAQnD,qFAAqF;AACrF,OAAO,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAA;AAEjE,OAAO,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAA;AAEjE,OAAO,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAA;AAC3D,OAAO,EAAE,yBAAyB,EAAE,MAAM,mCAAmC,CAAA;AAI7E,OAAO,EAAE,qBAAqB,EAAE,qBAAqB,EAAE,MAAM,2BAA2B,CAAA;AAExF,OAAO,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAA"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@soulcraft/sdk",
-  "version": "1.5.0",
+  "version": "1.5.1",
   "description": "The unified Soulcraft platform SDK — data, auth, AI, billing, and notifications",
   "type": "module",
   "publishConfig": {