@stratal/framework 0.0.0-canary-3e932c7 → 0.0.0-canary-41a9140

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -73,6 +73,9 @@ declare class InvalidEmailError extends HttpException {
73
73
  declare class SessionExpiredError extends HttpException {
74
74
  constructor();
75
75
  }
76
+ declare class FreshSessionRequiredError extends HttpException {
77
+ constructor();
78
+ }
76
79
  declare class EmailNotVerifiedError extends HttpException {
77
80
  readonly email?: string | undefined;
78
81
  constructor(email?: string | undefined);
@@ -255,5 +258,5 @@ declare function mapBetterAuthError(error: APIError): ApplicationError;
255
258
  */
256
259
  declare function isAPIError(error: unknown): error is APIError;
257
260
  //#endregion
258
- export { AUTH_OPTIONS, AUTH_SERVICE, AccountAlreadyExistsError, AccountNotFoundError, AuthModule, AuthModuleAsyncOptions, AuthService, AuthValidationFailedError, CannotUnlinkLastAccountError, CredentialAccountNotFoundError, EmailAlreadyVerifiedError, EmailCannotBeUpdatedError, EmailMismatchError, EmailNotVerifiedError, IdTokenNotSupportedError, InvalidCallbackUrlError, InvalidCredentialsError, InvalidEmailError, InvalidOriginError, InvalidPasswordError, InvalidTokenError, OrganizationConflictError, OrganizationInvitationNotFoundError, OrganizationInvitationRecipientMismatchError, OrganizationLimitReachedError, OrganizationMemberNotFoundError, OrganizationMembershipError, OrganizationNotFoundError, OrganizationPermissionDeniedError, OrganizationRoleNotFoundError, OrganizationTeamNotFoundError, PasswordTooLongError, PasswordTooShortError, ProviderNotFoundError, SessionExpiredError, SessionVerificationMiddleware, SocialAccountLinkedError, TokenExpiredError, TokenRequiredError, UserAlreadyHasPasswordError, UserEmailNotFoundError, UserNotFoundError, getErrorHandlerConfig, isAPIError, mapBetterAuthError, wrapBetterAuth };
261
+ export { AUTH_OPTIONS, AUTH_SERVICE, AccountAlreadyExistsError, AccountNotFoundError, AuthModule, AuthModuleAsyncOptions, AuthService, AuthValidationFailedError, CannotUnlinkLastAccountError, CredentialAccountNotFoundError, EmailAlreadyVerifiedError, EmailCannotBeUpdatedError, EmailMismatchError, EmailNotVerifiedError, FreshSessionRequiredError, IdTokenNotSupportedError, InvalidCallbackUrlError, InvalidCredentialsError, InvalidEmailError, InvalidOriginError, InvalidPasswordError, InvalidTokenError, OrganizationConflictError, OrganizationInvitationNotFoundError, OrganizationInvitationRecipientMismatchError, OrganizationLimitReachedError, OrganizationMemberNotFoundError, OrganizationMembershipError, OrganizationNotFoundError, OrganizationPermissionDeniedError, OrganizationRoleNotFoundError, OrganizationTeamNotFoundError, PasswordTooLongError, PasswordTooShortError, ProviderNotFoundError, SessionExpiredError, SessionVerificationMiddleware, SocialAccountLinkedError, TokenExpiredError, TokenRequiredError, UserAlreadyHasPasswordError, UserEmailNotFoundError, UserNotFoundError, getErrorHandlerConfig, isAPIError, mapBetterAuthError, wrapBetterAuth };
259
262
  //# sourceMappingURL=index.d.mts.map
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.mts","names":[],"sources":["../../src/context/router-context.augment.ts","../../src/auth/auth.module.ts","../../src/auth/auth.tokens.ts","../../src/auth/errors/auth-errors.ts","../../src/auth/errors/invalid-token.error.ts","../../src/auth/errors/organization-errors.ts","../../src/auth/errors/token-required.error.ts","../../src/auth/services/auth.service.ts","../../src/auth/middleware/session-verification.middleware.ts","../../src/auth/utils/auth-helpers.ts","../../src/auth/utils/better-auth-error-handler.ts"],"mappings":";;;;;;;;;;;YAaY,aAAA;;;;;;;IAOR,IAAA,IAAQ,QAAQ;EAAA;AAAA;;;UCqDH,sBAAA,kBAAwC,iBAAA,GAAoB,iBAAA,UACnE,kBAAA,CAAmB,QAAA;EAWuB;;;;EANlD,aAAA,GAAgB,oBAAA;AAAA;AAAA,cAML,UAAA,YAAsB,iBAAA;EAqBI;;;;;;EAdrC,eAAA,CAAgB,MAAA,EAAQ,MAAA;;;;AC3F1B;;;;AAA8D;AAG9D;;SDsGS,YAAA,kBAA8B,iBAAA,EACnC,OAAA,EAAS,sBAAA,CAAuB,QAAA,IAC/B,aAAA;AAAA;;;;cC3GQ,YAAA;;cAGA,YAAA;;;cCFA,iBAAA,SAA0B,aAAa;EAAA,SACtB,KAAA;cAAA,KAAA;AAAA;AAAA,cAKjB,uBAAA,SAAgC,aAAa;EAAb,WAAA;AAAA;AAAA,cAIhC,oBAAA,SAA6B,aAAa;EAAb,WAAA;AAAA;AAAA,cAI7B,iBAAA,SAA0B,aAAa;EAAA,SACtB,KAAA;cAAA,KAAA;AAAA;AAAA,cAKjB,mBAAA,SAA4B,aAAa;EAAb,WAAA;AAAA;AAAA,cAI5B,qBAAA,SAA8B,aAAa;EAAA,SAC1B,KAAA;cAAA,KAAA;AAAA;AAAA,cAKjB,qBAAA,SAA8B,aAAa;EAAA,SAC1B,SAAA;cAAA,SAAA;AAAA;AAAA,cAKjB,oBAAA,SAA6B,aAAa;EAAA,SACzB,SAAA;cAAA,SAAA;AAAA;AAAA,cAKjB,yBAAA,SAAkC,aAAa;EAAA,SAC9B,KAAA;cAAA,KAAA;AAAA;AAAA,cAKjB,wBAAA,SAAiC,aAAa;EAAA,SAC7B,QAAA;cAAA,QAAA;AAAA;AAAA,cAKjB,4BAAA,SAAqC,aAAa;EAAb,WAAA;AAAA;AAAA,cAIrC,qBAAA,SAA8B,aAAa;EAAA,SAC1B,QAAA;cAAA,QAAA;AAAA;AAAA,cAKjB,sBAAA,SAA+B,aAAa;EAAb,WAAA;AAAA;AAAA,cAI/B,oBAAA,SAA6B,aAAa;EAAb,WAAA;AAAA;AAAA,cAI7B,8BAAA,SAAuC,aAAa;EAAb,WAAA;AAAA;AAAA,cAIvC,2BAAA,SAAoC,aAAa;EAAb,WAAA;AAAA;AAAA,cAIpC,yBAAA,SAAkC,aAAa;EAAA,SAC9B,MAAA;cAAA,MAAA;AAAA;AAAA,cAKjB,wBAAA,SAAiC,aAAa;EAAb,WAAA;AAAA;AAAA,cAIjC,iBAAA,SAA0B,aAAa;EAAb,WAAA;AAAA;AAAA,cAI1B,uBAAA,SAAgC,aAAa;EAAb,WAAA;AAAA;AAAA,cAIhC,kBAAA,SAA2B,aAAa;EAAb,WAAA;AAAA;AAAA,cAI3B,yBAAA,SAAkC,aAAa;EAAb,WAAA;AAAA;AAAA,cAIlC,yBAAA,SAAkC,aAAa;EAAb,WAAA;AAAA;AAAA,cAIlC,kBAAA,SAA2B,aAAa;EAAb,WAAA;AAAA;;;cC9G3B,iBAAA,SAA0B,aAAa;EAAb,WAAA;AAAA;;;cCA1B,yBAAA,SAAkC,aAAa;EAAb,WAAA;AAAA;AAAA,cAGlC,+BAAA,SAAwC,aAAa;EAAb,WAAA;AAAA;AAAA,cAGxC,mCAAA,SAA4C,aAAa;EAAb,WAAA;AAAA;AAAA,cAG5C,iCAAA,SAA0C,aAAa;EAAb,WAAA;AAAA;AAAA,cAG1C,4CAAA,SAAqD,aAAa;EAAb,WAAA;AAAA;AAAA,cAGrD,yBAAA,SAAkC,aAAa;EAAb,WAAA;AAAA;AAAA,cAGlC,6BAAA,SAAsC,aAAa;EAAb,WAAA;AAAA;AAAA,cAGtC,2BAAA,SAAoC,aAAa;EAAb,WAAA;AAAA;AAAA,cAGpC,6BAAA,SAAsC,aAAa;EAAb,WAAA;AAAA;AAAA,cAGtC,6BAAA,SAAsC,aAAa;EAAb,WAAA;AAAA;;;cC3BtC,kBAAA,SAA2B,aAAa;EAAb,WAAA;AAAA;;;;;;;;;;;;ANQmB;;;;;;;;;AAUvC;;;;cOSP,WAAA,kBAA6B,iBAAA,GAAoB,iBAAA;EAAA,mBAIjB,OAAA,EAAS,QAAA;EAAA,QAH5C,aAAA;cAGmC,OAAA,EAAS,QAAA;ENwCuB;;;EAAA,IMlCvE,IAAA,IAAQ,IAAA,CAAK,QAAA;AAAA;;;;;;;;;;AP7BwC;;;;cQS9C,6BAAA,YAAyC,UAAA;EAAA,iBAGjC,WAAA;EAAA,QAC4B,MAAA;cAD5B,WAAA,EAAa,WAAA,EACe,MAAA,EAAQ,aAAA;EAGjD,MAAA,CAAO,GAAA,EAAK,aAAA,EAAe,IAAA,EAAM,IAAA,GAAO,OAAA;AAAA;;;;;;;iBCnBhC,qBAAA,IAAyB,iBAAiB;;;;cAe7C,cAAA,MAA2B,EAAA,QAAU,OAAA,CAAQ,CAAA,MAAK,OAAA,CAAQ,CAAA;;;;;;iBCsBvD,kBAAA,CAAmB,KAAA,EAAO,QAAA,GAAW,gBAAgB;;;;;AVlCV;iBUmP3C,UAAA,CAAW,KAAA,YAAiB,KAAA,IAAS,QAAQ"}
1
+ {"version":3,"file":"index.d.mts","names":[],"sources":["../../src/context/router-context.augment.ts","../../src/auth/auth.module.ts","../../src/auth/auth.tokens.ts","../../src/auth/errors/auth-errors.ts","../../src/auth/errors/invalid-token.error.ts","../../src/auth/errors/organization-errors.ts","../../src/auth/errors/token-required.error.ts","../../src/auth/services/auth.service.ts","../../src/auth/middleware/session-verification.middleware.ts","../../src/auth/utils/auth-helpers.ts","../../src/auth/utils/better-auth-error-handler.ts"],"mappings":";;;;;;;;;;;YAaY,aAAA;;;;;;;IAOR,IAAA,IAAQ,QAAQ;EAAA;AAAA;;;UCqDH,sBAAA,kBAAwC,iBAAA,GAAoB,iBAAA,UACnE,kBAAA,CAAmB,QAAA;EAWuB;;;;EANlD,aAAA,GAAgB,oBAAA;AAAA;AAAA,cAML,UAAA,YAAsB,iBAAA;EAqBI;;;;;;EAdrC,eAAA,CAAgB,MAAA,EAAQ,MAAA;;;;AC3F1B;;;;AAA8D;AAG9D;;SDsGS,YAAA,kBAA8B,iBAAA,EACnC,OAAA,EAAS,sBAAA,CAAuB,QAAA,IAC/B,aAAA;AAAA;;;;cC3GQ,YAAA;;cAGA,YAAA;;;cCFA,iBAAA,SAA0B,aAAa;EAAA,SACtB,KAAA;cAAA,KAAA;AAAA;AAAA,cAKjB,uBAAA,SAAgC,aAAa;EAAb,WAAA;AAAA;AAAA,cAIhC,oBAAA,SAA6B,aAAa;EAAb,WAAA;AAAA;AAAA,cAI7B,iBAAA,SAA0B,aAAa;EAAA,SACtB,KAAA;cAAA,KAAA;AAAA;AAAA,cAKjB,mBAAA,SAA4B,aAAa;EAAb,WAAA;AAAA;AAAA,cAI5B,yBAAA,SAAkC,aAAa;EAAb,WAAA;AAAA;AAAA,cAIlC,qBAAA,SAA8B,aAAa;EAAA,SAC1B,KAAA;cAAA,KAAA;AAAA;AAAA,cAKjB,qBAAA,SAA8B,aAAa;EAAA,SAC1B,SAAA;cAAA,SAAA;AAAA;AAAA,cAKjB,oBAAA,SAA6B,aAAa;EAAA,SACzB,SAAA;cAAA,SAAA;AAAA;AAAA,cAKjB,yBAAA,SAAkC,aAAa;EAAA,SAC9B,KAAA;cAAA,KAAA;AAAA;AAAA,cAKjB,wBAAA,SAAiC,aAAa;EAAA,SAC7B,QAAA;cAAA,QAAA;AAAA;AAAA,cAKjB,4BAAA,SAAqC,aAAa;EAAb,WAAA;AAAA;AAAA,cAIrC,qBAAA,SAA8B,aAAa;EAAA,SAC1B,QAAA;cAAA,QAAA;AAAA;AAAA,cAKjB,sBAAA,SAA+B,aAAa;EAAb,WAAA;AAAA;AAAA,cAI/B,oBAAA,SAA6B,aAAa;EAAb,WAAA;AAAA;AAAA,cAI7B,8BAAA,SAAuC,aAAa;EAAb,WAAA;AAAA;AAAA,cAIvC,2BAAA,SAAoC,aAAa;EAAb,WAAA;AAAA;AAAA,cAIpC,yBAAA,SAAkC,aAAa;EAAA,SAC9B,MAAA;cAAA,MAAA;AAAA;AAAA,cAKjB,wBAAA,SAAiC,aAAa;EAAb,WAAA;AAAA;AAAA,cAIjC,iBAAA,SAA0B,aAAa;EAAb,WAAA;AAAA;AAAA,cAI1B,uBAAA,SAAgC,aAAa;EAAb,WAAA;AAAA;AAAA,cAIhC,kBAAA,SAA2B,aAAa;EAAb,WAAA;AAAA;AAAA,cAI3B,yBAAA,SAAkC,aAAa;EAAb,WAAA;AAAA;AAAA,cAIlC,yBAAA,SAAkC,aAAa;EAAb,WAAA;AAAA;AAAA,cAIlC,kBAAA,SAA2B,aAAa;EAAb,WAAA;AAAA;;;cClH3B,iBAAA,SAA0B,aAAa;EAAb,WAAA;AAAA;;;cCA1B,yBAAA,SAAkC,aAAa;EAAb,WAAA;AAAA;AAAA,cAGlC,+BAAA,SAAwC,aAAa;EAAb,WAAA;AAAA;AAAA,cAGxC,mCAAA,SAA4C,aAAa;EAAb,WAAA;AAAA;AAAA,cAG5C,iCAAA,SAA0C,aAAa;EAAb,WAAA;AAAA;AAAA,cAG1C,4CAAA,SAAqD,aAAa;EAAb,WAAA;AAAA;AAAA,cAGrD,yBAAA,SAAkC,aAAa;EAAb,WAAA;AAAA;AAAA,cAGlC,6BAAA,SAAsC,aAAa;EAAb,WAAA;AAAA;AAAA,cAGtC,2BAAA,SAAoC,aAAa;EAAb,WAAA;AAAA;AAAA,cAGpC,6BAAA,SAAsC,aAAa;EAAb,WAAA;AAAA;AAAA,cAGtC,6BAAA,SAAsC,aAAa;EAAb,WAAA;AAAA;;;cC3BtC,kBAAA,SAA2B,aAAa;EAAb,WAAA;AAAA;;;;;;;;;;;;ANQmB;;;;;;;;;AAUvC;;;;cOSP,WAAA,kBAA6B,iBAAA,GAAoB,iBAAA;EAAA,mBAIjB,OAAA,EAAS,QAAA;EAAA,QAH5C,aAAA;cAGmC,OAAA,EAAS,QAAA;ENwCuB;;;EAAA,IMlCvE,IAAA,IAAQ,IAAA,CAAK,QAAA;AAAA;;;;;;;;;;AP7BwC;;;;cQS9C,6BAAA,YAAyC,UAAA;EAAA,iBAGjC,WAAA;EAAA,QAC4B,MAAA;cAD5B,WAAA,EAAa,WAAA,EACe,MAAA,EAAQ,aAAA;EAGjD,MAAA,CAAO,GAAA,EAAK,aAAA,EAAe,IAAA,EAAM,IAAA,GAAO,OAAA;AAAA;;;;;;;iBCnBhC,qBAAA,IAAyB,iBAAiB;;;;cAe7C,cAAA,MAA2B,EAAA,QAAU,OAAA,CAAQ,CAAA,MAAK,OAAA,CAAQ,CAAA;;;;;;iBCuBvD,kBAAA,CAAmB,KAAA,EAAO,QAAA,GAAW,gBAAgB;;;;;AVnCV;iBUqP3C,UAAA,CAAW,KAAA,YAAiB,KAAA,IAAS,QAAQ"}
@@ -166,6 +166,11 @@ var SessionExpiredError = class extends HttpException {
166
166
  super(401, "Session expired");
167
167
  }
168
168
  };
169
+ var FreshSessionRequiredError = class extends HttpException {
170
+ constructor() {
171
+ super(403, "Fresh session required");
172
+ }
173
+ };
169
174
  var EmailNotVerifiedError = class extends HttpException {
170
175
  email;
171
176
  constructor(email) {
@@ -363,7 +368,8 @@ function mapBetterAuthError(error) {
363
368
  if (errorCode === "INVALID_EMAIL_OR_PASSWORD") return new InvalidCredentialsError();
364
369
  if (errorCode === "INVALID_PASSWORD") return new InvalidPasswordError();
365
370
  if (errorCode === "INVALID_EMAIL") return new InvalidEmailError();
366
- if (errorCode === "SESSION_EXPIRED" || errorCode === "SESSION_NOT_FRESH") return new SessionExpiredError();
371
+ if (errorCode === "SESSION_EXPIRED") return new SessionExpiredError();
372
+ if (errorCode === "SESSION_NOT_FRESH") return new FreshSessionRequiredError();
367
373
  if (errorCode === "FAILED_TO_CREATE_SESSION") return new AuthError("Failed to create session");
368
374
  if (errorCode === "FAILED_TO_GET_SESSION") return new AuthError("Failed to retrieve session");
369
375
  if (errorCode === "EMAIL_NOT_VERIFIED") return new EmailNotVerifiedError();
@@ -532,6 +538,6 @@ let AuthModule = _AuthModule = class AuthModule {
532
538
  };
533
539
  AuthModule = _AuthModule = __decorate([Module({ providers: [AuthContext] })], AuthModule);
534
540
  //#endregion
535
- export { AUTH_OPTIONS, AUTH_SERVICE, AccountAlreadyExistsError, AccountNotFoundError, AuthModule, AuthService, AuthValidationFailedError, CannotUnlinkLastAccountError, CredentialAccountNotFoundError, EmailAlreadyVerifiedError, EmailCannotBeUpdatedError, EmailMismatchError, EmailNotVerifiedError, IdTokenNotSupportedError, InvalidCallbackUrlError, InvalidCredentialsError, InvalidEmailError, InvalidOriginError, InvalidPasswordError, InvalidTokenError, OrganizationConflictError, OrganizationInvitationNotFoundError, OrganizationInvitationRecipientMismatchError, OrganizationLimitReachedError, OrganizationMemberNotFoundError, OrganizationMembershipError, OrganizationNotFoundError, OrganizationPermissionDeniedError, OrganizationRoleNotFoundError, OrganizationTeamNotFoundError, PasswordTooLongError, PasswordTooShortError, ProviderNotFoundError, SessionExpiredError, SessionVerificationMiddleware, SocialAccountLinkedError, TokenExpiredError, TokenRequiredError, UserAlreadyHasPasswordError, UserEmailNotFoundError, UserNotFoundError, getErrorHandlerConfig, isAPIError, mapBetterAuthError, wrapBetterAuth };
541
+ export { AUTH_OPTIONS, AUTH_SERVICE, AccountAlreadyExistsError, AccountNotFoundError, AuthModule, AuthService, AuthValidationFailedError, CannotUnlinkLastAccountError, CredentialAccountNotFoundError, EmailAlreadyVerifiedError, EmailCannotBeUpdatedError, EmailMismatchError, EmailNotVerifiedError, FreshSessionRequiredError, IdTokenNotSupportedError, InvalidCallbackUrlError, InvalidCredentialsError, InvalidEmailError, InvalidOriginError, InvalidPasswordError, InvalidTokenError, OrganizationConflictError, OrganizationInvitationNotFoundError, OrganizationInvitationRecipientMismatchError, OrganizationLimitReachedError, OrganizationMemberNotFoundError, OrganizationMembershipError, OrganizationNotFoundError, OrganizationPermissionDeniedError, OrganizationRoleNotFoundError, OrganizationTeamNotFoundError, PasswordTooLongError, PasswordTooShortError, ProviderNotFoundError, SessionExpiredError, SessionVerificationMiddleware, SocialAccountLinkedError, TokenExpiredError, TokenRequiredError, UserAlreadyHasPasswordError, UserEmailNotFoundError, UserNotFoundError, getErrorHandlerConfig, isAPIError, mapBetterAuthError, wrapBetterAuth };
536
542
 
537
543
  //# sourceMappingURL=index.mjs.map
@@ -1 +1 @@
1
- {"version":3,"file":"index.mjs","names":[],"sources":["../../src/context/router-context.augment.ts","../../src/auth/auth.tokens.ts","../../src/auth/middleware/session-verification.middleware.ts","../../src/auth/rate-limit-bridge.ts","../../src/auth/errors/auth-errors.ts","../../src/auth/errors/invalid-token.error.ts","../../src/auth/errors/organization-errors.ts","../../src/auth/errors/token-required.error.ts","../../src/auth/utils/better-auth-error-handler.ts","../../src/auth/utils/auth-helpers.ts","../../src/auth/services/auth.service.ts","../../src/auth/auth.module.ts"],"sourcesContent":["/**\n * Augments Stratal's `RouterContext` with a `user()` accessor backed by the\n * request-scoped {@link AuthContext}.\n *\n * Side-effect import: registers the `user` macro on `RouterContext` and the\n * `declare module` augmentation that exposes it at the type level. Imported by\n * {@link AuthModule} so it runs whenever auth is configured.\n */\nimport { DI_TOKENS } from 'stratal/di'\nimport { RouterContext } from 'stratal/router'\nimport type { AuthContext, AuthUser } from './auth-context'\n\ndeclare module 'stratal/router' {\n interface RouterContext {\n /**\n * The authenticated user for the current request.\n *\n * Throws `UserNotAuthenticatedError` if the request is unauthenticated.\n * Provided by `@stratal/framework`'s `AuthModule` via {@link AuthContext}.\n */\n user(): AuthUser\n }\n}\n\nRouterContext.macro('user', function (this: RouterContext): AuthUser {\n return this.getContainer().resolve<AuthContext>(DI_TOKENS.AuthContext).requireUser()\n})\n","/** Token for AuthService - core authentication service */\nexport const AUTH_SERVICE = Symbol.for('stratal:auth:service')\n\n/** Token for Better Auth options configuration */\nexport const AUTH_OPTIONS = Symbol.for('stratal:auth:options')\n","import { DI_TOKENS, inject, Transient } from 'stratal/di'\nimport { LOGGER_TOKENS, type LoggerService } from 'stratal/logger'\nimport type { Middleware, Next, RouterContext } from 'stratal/router'\nimport { type AuthContext } from '../../context/auth-context'\nimport { AUTH_SERVICE } from '../auth.tokens'\nimport type { AuthService } from '../services/auth.service'\n\n/**\n * Session Verification Middleware\n *\n * Verifies user session via Better Auth and populates AuthContext with\n * the authenticated user.\n *\n * **Responsibilities:**\n * - Calls Better Auth's getSession() API\n * - Populates AuthContext with the user record if the session is valid\n * - Continues request chain regardless of session status\n */\n@Transient()\nexport class SessionVerificationMiddleware implements Middleware {\n constructor(\n @inject(AUTH_SERVICE)\n private readonly authService: AuthService,\n @inject(LOGGER_TOKENS.LoggerService) private logger: LoggerService\n ) { }\n\n async handle(ctx: RouterContext, next: Next): Promise<void> {\n try {\n const result = await this.authService.auth.api.getSession({\n headers: ctx.c.req.raw.headers\n })\n\n if (result) {\n const authContext = ctx.getContainer().resolve<AuthContext>(DI_TOKENS.AuthContext)\n authContext.setAuthContext({\n user: result.user,\n })\n }\n } catch (error: unknown) {\n this.logger.debug('Session validation failed (e.g., invalidated in DB)', { error })\n }\n\n return next()\n }\n}\n","/**\n * Rate-limit bridge between Stratal's `RateLimiterModule` and better-auth.\n *\n * Importing this file (transitively, via `auth.module.ts`) does two things:\n *\n * 1. Augments `RateLimiterRegistry` with `forPath()` + `pathEntries()` via\n * Stratal's `Macroable`. Path-keyed rules registered on the same registry\n * used for Stratal's own throttling are projected into better-auth's\n * `customRules` by {@link projectCustomRules}.\n * 2. Exports {@link createBetterAuthRateLimitStorage} — adapts Stratal's\n * {@link IRateLimiterStore} into better-auth's `customStorage`, so both\n * systems share one backing store.\n *\n * `AuthModule.forRootAsync` wires both automatically when `RateLimiterModule`\n * is imported. Users with explicit `rateLimit.customStorage` /\n * `rateLimit.customRules` keys in their auth factory keep precedence.\n *\n * Frictions, documented for path-keyed entries:\n *\n * - `Limit.by(...)` is meaningless. Better-auth scopes per-IP+path.\n * - Multiple `Limit`s reduce to the most restrictive (smallest max-per-second).\n * - `Limit.none()` projects to `false` (better-auth's \"disable\" sentinel).\n * - `Limit.response(...)` is a no-op. Better-auth renders its own 429.\n * - Snapshot caveat: `customRules` is built once at AuthService construction,\n * so register all `forPath()` entries inside `OnInitialize` hooks.\n */\nimport { type IRateLimiterStore, type Limit, RateLimiterRegistry } from 'stratal/rate-limiter'\n\n/**\n * Resolver attached to a path-keyed limiter entry. Receives the native\n * `Request` (better-auth's customRules invokes us with the live Request)\n * and returns one or more `Limit`s. Async is supported.\n */\nexport type PathLimitResolver = (\n req: Request,\n) => Limit | Limit[] | Promise<Limit | Limit[]>\n\ninterface BetterAuthRateLimit {\n key: string\n count: number\n lastRequest: number\n}\n\ninterface BetterAuthRateLimitRule {\n window: number\n max: number\n}\n\ntype BetterAuthCustomRule =\n | BetterAuthRateLimitRule\n | false\n | ((req: Request) => Promise<BetterAuthRateLimitRule | false>)\n\n// Per-instance path map — keyed by registry so we don't pin GC roots.\nconst pathResolvers = new WeakMap<RateLimiterRegistry, Map<string, PathLimitResolver>>()\n\nfunction getOrCreatePathMap(registry: RateLimiterRegistry): Map<string, PathLimitResolver> {\n let map = pathResolvers.get(registry)\n if (!map) {\n map = new Map()\n pathResolvers.set(registry, map)\n }\n return map\n}\n\nRateLimiterRegistry.macro('forPath', function (\n this: RateLimiterRegistry,\n path: string,\n resolver: PathLimitResolver,\n): void {\n getOrCreatePathMap(this).set(path, resolver)\n})\n\nRateLimiterRegistry.macro('pathEntries', function (\n this: RateLimiterRegistry,\n): IterableIterator<[string, PathLimitResolver]> {\n return (pathResolvers.get(this) ?? new Map<string, PathLimitResolver>()).entries()\n})\n\ndeclare module 'stratal/rate-limiter' {\n interface RateLimiterRegistry {\n /**\n * Register a rate-limit rule for a better-auth path pattern. The rule\n * is projected into better-auth's `rateLimit.customRules` automatically\n * when both modules are imported.\n *\n * @example\n * limiter.forPath('/sign-in/email', () => Limit.perSeconds(10, 3))\n * limiter.forPath('/two-factor/*', async (req) => { ... })\n * limiter.forPath('/forget-password', () => Limit.none())\n */\n forPath(path: string, resolver: PathLimitResolver): void\n\n /**\n * Iterate every path-keyed entry registered via `forPath`. Used by the\n * auth bridge to project entries into better-auth's `customRules`.\n */\n pathEntries(): IterableIterator<[string, PathLimitResolver]>\n }\n}\n\n// Better-auth manages window expiry itself by reading `lastRequest`. We still\n// need a TTL on the underlying KV so dead records don't accumulate. 1 day\n// covers any reasonable better-auth window without colliding with the next.\nconst BETTER_AUTH_TTL_SECONDS = 86_400\nconst BETTER_AUTH_KEY_PREFIX = 'ba-rl:'\n\n/**\n * Adapt Stratal's `IRateLimiterStore` into better-auth's `customStorage` shape.\n * Better-auth supplies its own `RateLimit` records (`{ key, count, lastRequest }`);\n * the adapter just persists them under a separate key namespace.\n */\nexport function createBetterAuthRateLimitStorage(store: IRateLimiterStore): {\n get: (key: string) => Promise<BetterAuthRateLimit | null>\n set: (key: string, value: BetterAuthRateLimit, update?: boolean) => Promise<void>\n} {\n return {\n async get(key) {\n return await store.get<BetterAuthRateLimit>(`${BETTER_AUTH_KEY_PREFIX}${key}`)\n },\n async set(key, value, _update) {\n await store.set(`${BETTER_AUTH_KEY_PREFIX}${key}`, value, BETTER_AUTH_TTL_SECONDS)\n },\n }\n}\n\n/**\n * Project every `forPath` entry on the registry into better-auth's\n * `customRules` shape. Each entry becomes an async function that resolves\n * the user's `Limit`(s) and reduces them to a single `{ window, max }` pair\n * (or `false` for `Limit.none()`).\n *\n * Multi-`Limit` reduction picks the most restrictive — smallest\n * `max / windowSeconds` ratio; ties favour the first.\n */\nexport function projectCustomRules(\n registry: RateLimiterRegistry,\n): Record<string, BetterAuthCustomRule> {\n const rules: Record<string, BetterAuthCustomRule> = {}\n\n for (const [path, resolver] of registry.pathEntries()) {\n rules[path] = async (req: Request): Promise<BetterAuthRateLimitRule | false> => {\n const resolved = await resolver(req)\n const candidates = (Array.isArray(resolved) ? resolved : [resolved]).filter((l) => !l.disabled)\n if (candidates.length === 0) return false\n\n const chosen = candidates.reduce((a, b) =>\n a.max / a.windowSeconds <= b.max / b.windowSeconds ? a : b,\n )\n\n return { window: chosen.windowSeconds, max: chosen.max }\n }\n }\n\n return rules\n}\n","import { HttpException } from 'stratal/errors'\n\nexport class UserNotFoundError extends HttpException {\n constructor(public readonly email?: string) {\n super(404, 'User not found')\n }\n}\n\nexport class InvalidCredentialsError extends HttpException {\n constructor() { super(401, 'Invalid email or password') }\n}\n\nexport class InvalidPasswordError extends HttpException {\n constructor() { super(401, 'Invalid password') }\n}\n\nexport class InvalidEmailError extends HttpException {\n constructor(public readonly email?: string) {\n super(422, 'Invalid email address')\n }\n}\n\nexport class SessionExpiredError extends HttpException {\n constructor() { super(401, 'Session expired') }\n}\n\nexport class EmailNotVerifiedError extends HttpException {\n constructor(public readonly email?: string) {\n super(403, 'Email not verified')\n }\n}\n\nexport class PasswordTooShortError extends HttpException {\n constructor(public readonly minLength?: number) {\n super(422, 'Password too short')\n }\n}\n\nexport class PasswordTooLongError extends HttpException {\n constructor(public readonly maxLength?: number) {\n super(422, 'Password too long')\n }\n}\n\nexport class AccountAlreadyExistsError extends HttpException {\n constructor(public readonly email?: string) {\n super(409, 'Account already exists')\n }\n}\n\nexport class SocialAccountLinkedError extends HttpException {\n constructor(public readonly provider?: string) {\n super(409, 'Social account already linked')\n }\n}\n\nexport class CannotUnlinkLastAccountError extends HttpException {\n constructor() { super(409, 'Cannot unlink last account') }\n}\n\nexport class ProviderNotFoundError extends HttpException {\n constructor(public readonly provider?: string) {\n super(404, 'Authentication provider not found')\n }\n}\n\nexport class UserEmailNotFoundError extends HttpException {\n constructor() { super(404, 'User email not found') }\n}\n\nexport class AccountNotFoundError extends HttpException {\n constructor() { super(404, 'Account not found') }\n}\n\nexport class CredentialAccountNotFoundError extends HttpException {\n constructor() { super(404, 'Credential account not found') }\n}\n\nexport class UserAlreadyHasPasswordError extends HttpException {\n constructor() { super(409, 'User already has a password') }\n}\n\nexport class EmailCannotBeUpdatedError extends HttpException {\n constructor(public readonly reason?: string) {\n super(422, 'Email cannot be updated')\n }\n}\n\nexport class IdTokenNotSupportedError extends HttpException {\n constructor() { super(422, 'ID token not supported') }\n}\n\nexport class TokenExpiredError extends HttpException {\n constructor() { super(401, 'Token expired') }\n}\n\nexport class InvalidCallbackUrlError extends HttpException {\n constructor() { super(422, 'Invalid callback URL') }\n}\n\nexport class InvalidOriginError extends HttpException {\n constructor() { super(403, 'Invalid request origin') }\n}\n\nexport class AuthValidationFailedError extends HttpException {\n constructor() { super(422, 'Authentication validation failed') }\n}\n\nexport class EmailAlreadyVerifiedError extends HttpException {\n constructor() { super(409, 'Email already verified') }\n}\n\nexport class EmailMismatchError extends HttpException {\n constructor() { super(422, 'Email mismatch') }\n}\n","import { HttpException } from 'stratal/errors'\n\nexport class InvalidTokenError extends HttpException {\n constructor() { super(401, 'Invalid or expired token') }\n}\n","import { HttpException } from 'stratal/errors'\n\nexport class OrganizationNotFoundError extends HttpException {\n constructor() { super(404, 'Organization not found') }\n}\nexport class OrganizationMemberNotFoundError extends HttpException {\n constructor() { super(404, 'Organization member not found') }\n}\nexport class OrganizationInvitationNotFoundError extends HttpException {\n constructor() { super(404, 'Invitation not found') }\n}\nexport class OrganizationPermissionDeniedError extends HttpException {\n constructor() { super(403, 'Organization permission denied') }\n}\nexport class OrganizationInvitationRecipientMismatchError extends HttpException {\n constructor() { super(403, 'Invitation recipient mismatch') }\n}\nexport class OrganizationConflictError extends HttpException {\n constructor() { super(409, 'Organization resource conflict') }\n}\nexport class OrganizationLimitReachedError extends HttpException {\n constructor() { super(422, 'Organization limit reached') }\n}\nexport class OrganizationMembershipError extends HttpException {\n constructor() { super(422, 'Organization membership constraint violated') }\n}\nexport class OrganizationTeamNotFoundError extends HttpException {\n constructor() { super(404, 'Team not found') }\n}\nexport class OrganizationRoleNotFoundError extends HttpException {\n constructor() { super(404, 'Role not found') }\n}\n","import { HttpException } from 'stratal/errors'\n\nexport class TokenRequiredError extends HttpException {\n constructor() { super(401, 'Verification token is required') }\n}\n","import { APIError } from 'better-auth/api'\nimport { AuthError } from 'stratal/errors'\nimport type { ApplicationError } from 'stratal/errors'\nimport {\n AccountAlreadyExistsError,\n AccountNotFoundError,\n AuthValidationFailedError,\n CannotUnlinkLastAccountError,\n CredentialAccountNotFoundError,\n EmailAlreadyVerifiedError,\n EmailCannotBeUpdatedError,\n EmailMismatchError,\n EmailNotVerifiedError,\n IdTokenNotSupportedError,\n InvalidCallbackUrlError,\n InvalidCredentialsError,\n InvalidEmailError,\n InvalidOriginError,\n InvalidPasswordError,\n InvalidTokenError,\n OrganizationConflictError,\n OrganizationInvitationNotFoundError,\n OrganizationInvitationRecipientMismatchError,\n OrganizationLimitReachedError,\n OrganizationMemberNotFoundError,\n OrganizationMembershipError,\n OrganizationNotFoundError,\n OrganizationPermissionDeniedError,\n OrganizationRoleNotFoundError,\n OrganizationTeamNotFoundError,\n PasswordTooLongError,\n PasswordTooShortError,\n ProviderNotFoundError,\n SessionExpiredError,\n SocialAccountLinkedError,\n TokenExpiredError,\n UserAlreadyHasPasswordError,\n UserEmailNotFoundError,\n UserNotFoundError,\n} from '../errors'\n\n/**\n * Maps Better Auth API error codes to ApplicationError instances.\n */\nexport function mapBetterAuthError(error: APIError): ApplicationError {\n const errorCode = error.body?.code\n\n if (error.status === 'FOUND') {\n const headers = error.headers as Headers\n const location = headers.get('location') ?? ''\n\n if (location.includes('INVALID_TOKEN')) return new InvalidTokenError()\n if (location.includes('EXPIRED_TOKEN')) return new TokenExpiredError()\n if (location.includes('ATTEMPTS_EXCEEDED')) return new InvalidTokenError()\n if (location.includes('new_user_signup_disabled')) return new UserNotFoundError()\n if (location.includes('failed_to_create_user')) return new AuthError('Failed to create user')\n if (location.includes('failed_to_create_session')) return new AuthError('Failed to create session')\n }\n\n if (!errorCode) {\n return new AuthError('An authentication error occurred')\n }\n\n // ── Base Error Codes ──────────────────────────────────────────────────\n\n // User errors\n if (errorCode === 'USER_NOT_FOUND' || errorCode === 'INVALID_USER') return new UserNotFoundError()\n if (errorCode === 'USER_EMAIL_NOT_FOUND') return new UserEmailNotFoundError()\n\n // Credential errors\n if (errorCode === 'INVALID_EMAIL_OR_PASSWORD') return new InvalidCredentialsError()\n if (errorCode === 'INVALID_PASSWORD') return new InvalidPasswordError()\n if (errorCode === 'INVALID_EMAIL') return new InvalidEmailError()\n\n // Session errors\n if (errorCode === 'SESSION_EXPIRED' || errorCode === 'SESSION_NOT_FRESH') return new SessionExpiredError()\n if (errorCode === 'FAILED_TO_CREATE_SESSION') return new AuthError('Failed to create session')\n if (errorCode === 'FAILED_TO_GET_SESSION') return new AuthError('Failed to retrieve session')\n\n // Email verification\n if (errorCode === 'EMAIL_NOT_VERIFIED') return new EmailNotVerifiedError()\n if (errorCode === 'EMAIL_CAN_NOT_BE_UPDATED') return new EmailCannotBeUpdatedError()\n if (errorCode === 'EMAIL_ALREADY_VERIFIED') return new EmailAlreadyVerifiedError()\n if (errorCode === 'EMAIL_MISMATCH') return new EmailMismatchError()\n\n // Password validation\n if (errorCode === 'PASSWORD_TOO_SHORT') return new PasswordTooShortError(8)\n if (errorCode === 'PASSWORD_TOO_LONG') return new PasswordTooLongError(128)\n\n // Account errors\n if (errorCode === 'USER_ALREADY_EXISTS' || errorCode === 'USER_ALREADY_EXISTS_USE_ANOTHER_EMAIL') {\n return new AccountAlreadyExistsError()\n }\n if (errorCode === 'ACCOUNT_NOT_FOUND') return new AccountNotFoundError()\n if (errorCode === 'CREDENTIAL_ACCOUNT_NOT_FOUND') return new CredentialAccountNotFoundError()\n if (errorCode === 'FAILED_TO_UNLINK_LAST_ACCOUNT') return new CannotUnlinkLastAccountError()\n\n // User creation/update errors\n if (errorCode === 'FAILED_TO_CREATE_USER') return new AuthError('Failed to create user')\n if (errorCode === 'FAILED_TO_UPDATE_USER') return new AuthError('Failed to update user')\n if (errorCode === 'FAILED_TO_GET_USER_INFO') return new AuthError('Failed to retrieve user info')\n\n // Social account errors\n if (errorCode === 'SOCIAL_ACCOUNT_ALREADY_LINKED' || errorCode === 'LINKED_ACCOUNT_ALREADY_EXISTS') {\n return new SocialAccountLinkedError()\n }\n if (errorCode === 'PROVIDER_NOT_FOUND') return new ProviderNotFoundError()\n\n // Token errors\n if (errorCode === 'ID_TOKEN_NOT_SUPPORTED') return new IdTokenNotSupportedError()\n if (errorCode === 'INVALID_TOKEN') return new InvalidTokenError()\n if (errorCode === 'TOKEN_EXPIRED') return new TokenExpiredError()\n\n // Password management\n if (errorCode === 'USER_ALREADY_HAS_PASSWORD' || errorCode === 'PASSWORD_ALREADY_SET') {\n return new UserAlreadyHasPasswordError()\n }\n\n // Callback/redirect URL errors\n if (\n errorCode === 'INVALID_CALLBACK_URL'\n || errorCode === 'INVALID_REDIRECT_URL'\n || errorCode === 'INVALID_NEW_USER_CALLBACK_URL'\n || errorCode === 'INVALID_ERROR_CALLBACK_URL'\n || errorCode === 'CALLBACK_URL_REQUIRED'\n ) {\n return new InvalidCallbackUrlError()\n }\n\n // Origin/CORS errors\n if (\n errorCode === 'INVALID_ORIGIN'\n || errorCode === 'MISSING_OR_NULL_ORIGIN'\n || errorCode === 'CROSS_SITE_NAVIGATION_LOGIN_BLOCKED'\n ) {\n return new InvalidOriginError()\n }\n\n // Validation errors\n if (\n errorCode === 'VALIDATION_ERROR'\n || errorCode === 'MISSING_FIELD'\n || errorCode === 'FIELD_NOT_ALLOWED'\n || errorCode === 'BODY_MUST_BE_AN_OBJECT'\n || errorCode === 'ASYNC_VALIDATION_NOT_SUPPORTED'\n || errorCode === 'METHOD_NOT_ALLOWED_DEFER_SESSION_REQUIRED'\n ) {\n return new AuthValidationFailedError()\n }\n\n // Verification errors\n if (errorCode === 'FAILED_TO_CREATE_VERIFICATION' || errorCode === 'VERIFICATION_EMAIL_NOT_ENABLED') {\n return new AuthError('Failed to create session')\n }\n\n // ── Organization Plugin Error Codes ───────────────────────────────────\n\n // Organization not found\n if (errorCode === 'ORGANIZATION_NOT_FOUND' || errorCode === 'NO_ACTIVE_ORGANIZATION') {\n return new OrganizationNotFoundError()\n }\n\n // Member not found\n if (\n errorCode === 'MEMBER_NOT_FOUND'\n || errorCode === 'USER_IS_NOT_A_MEMBER_OF_THE_ORGANIZATION'\n || errorCode === 'USER_IS_NOT_A_MEMBER_OF_THE_TEAM'\n ) {\n return new OrganizationMemberNotFoundError()\n }\n\n // Invitation not found\n if (errorCode === 'INVITATION_NOT_FOUND' || errorCode === 'FAILED_TO_RETRIEVE_INVITATION') {\n return new OrganizationInvitationNotFoundError()\n }\n\n // Invitation recipient mismatch\n if (\n errorCode === 'YOU_ARE_NOT_THE_RECIPIENT_OF_THE_INVITATION'\n || errorCode === 'EMAIL_VERIFICATION_REQUIRED_BEFORE_ACCEPTING_OR_REJECTING_INVITATION'\n ) {\n return new OrganizationInvitationRecipientMismatchError()\n }\n\n // Team not found\n if (errorCode === 'TEAM_NOT_FOUND' || errorCode === 'YOU_DO_NOT_HAVE_AN_ACTIVE_TEAM') {\n return new OrganizationTeamNotFoundError()\n }\n\n // Role not found\n if (errorCode === 'ROLE_NOT_FOUND' || errorCode === 'INVALID_RESOURCE') {\n return new OrganizationRoleNotFoundError()\n }\n\n // Organization conflict/already exists\n if (\n errorCode === 'ORGANIZATION_ALREADY_EXISTS'\n || errorCode === 'ORGANIZATION_SLUG_ALREADY_TAKEN'\n || errorCode === 'USER_IS_ALREADY_A_MEMBER_OF_THIS_ORGANIZATION'\n || errorCode === 'USER_IS_ALREADY_INVITED_TO_THIS_ORGANIZATION'\n || errorCode === 'TEAM_ALREADY_EXISTS'\n || errorCode === 'ROLE_NAME_IS_ALREADY_TAKEN'\n ) {\n return new OrganizationConflictError()\n }\n\n // Organization limit reached\n if (\n errorCode === 'YOU_HAVE_REACHED_THE_MAXIMUM_NUMBER_OF_ORGANIZATIONS'\n || errorCode === 'YOU_HAVE_REACHED_THE_MAXIMUM_NUMBER_OF_TEAMS'\n || errorCode === 'ORGANIZATION_MEMBERSHIP_LIMIT_REACHED'\n || errorCode === 'INVITATION_LIMIT_REACHED'\n || errorCode === 'TEAM_MEMBER_LIMIT_REACHED'\n || errorCode === 'TOO_MANY_ROLES'\n ) {\n return new OrganizationLimitReachedError()\n }\n\n // Organization membership constraints\n if (\n errorCode === 'YOU_CANNOT_LEAVE_THE_ORGANIZATION_AS_THE_ONLY_OWNER'\n || errorCode === 'YOU_CANNOT_LEAVE_THE_ORGANIZATION_WITHOUT_AN_OWNER'\n || errorCode === 'UNABLE_TO_REMOVE_LAST_TEAM'\n || errorCode === 'CANNOT_DELETE_A_PRE_DEFINED_ROLE'\n || errorCode === 'ROLE_IS_ASSIGNED_TO_MEMBERS'\n || errorCode === 'YOU_CANNOT_IMPERSONATE_ADMINS'\n || errorCode === 'YOU_CANNOT_BAN_YOURSELF'\n || errorCode === 'YOU_CANNOT_REMOVE_YOURSELF'\n || errorCode === 'INVITER_IS_NO_LONGER_A_MEMBER_OF_THE_ORGANIZATION'\n ) {\n return new OrganizationMembershipError()\n }\n\n // Organization permission denied (catch-all for YOU_ARE_NOT_ALLOWED_TO_* patterns)\n if (\n errorCode.startsWith('YOU_ARE_NOT_ALLOWED_TO_')\n || errorCode === 'YOU_ARE_NOT_A_MEMBER_OF_THIS_ORGANIZATION'\n || errorCode === 'YOU_CAN_NOT_ACCESS_THE_MEMBERS_OF_THIS_TEAM'\n || errorCode === 'YOU_MUST_BE_IN_AN_ORGANIZATION_TO_CREATE_A_ROLE'\n || errorCode === 'MISSING_AC_INSTANCE'\n ) {\n return new OrganizationPermissionDeniedError()\n }\n\n // Unknown error code\n return new AuthError('An authentication error occurred')\n}\n\n/**\n * Type guard to check if an error is a Better Auth APIError.\n * Uses duck typing to handle bundler environments (e.g. Vite)\n * where instanceof may fail across module boundaries.\n */\nexport function isAPIError(error: unknown): error is APIError {\n if (error instanceof APIError) return true\n\n return (\n error instanceof Error\n && error.name === 'APIError'\n && 'status' in error\n && 'statusCode' in error\n )\n}\n","import type { BetterAuthOptions } from 'better-auth'\nimport { isAPIError, mapBetterAuthError } from './better-auth-error-handler'\n\n/**\n * Get shared Better Auth error handler configuration.\n * Use this in Better Auth config's onAPIError option.\n */\nexport function getErrorHandlerConfig(): BetterAuthOptions['onAPIError'] {\n return {\n throw: false,\n onError: (error) => {\n if (isAPIError(error)) {\n throw mapBetterAuthError(error)\n }\n throw error\n },\n }\n}\n\n/**\n * Wrap a Better Auth function in a try/catch block and map errors to ApplicationError.\n */\nexport const wrapBetterAuth = async <T>(fn: () => Promise<T>): Promise<T> => {\n try {\n return await fn()\n } catch (error) {\n if (isAPIError(error)) {\n throw mapBetterAuthError(error)\n }\n throw error\n }\n}\n","import type { Auth, BetterAuthOptions } from 'better-auth';\nimport { betterAuth } from 'better-auth/minimal';\nimport { inject, Request } from 'stratal/di';\nimport { AUTH_OPTIONS, AUTH_SERVICE } from '../auth.tokens';\nimport { getErrorHandlerConfig } from '../utils';\n\n/**\n * AuthService\n *\n * Base authentication service using Better Auth.\n * Configured via AuthModule.forRootAsync() from the application layer.\n *\n * **Extensibility:**\n * Extend this class to add custom methods. Subclasses inherit\n * `@Request(AUTH_SERVICE)` scope automatically — no decorator needed.\n *\n * @example\n * ```typescript\n * @Request(AUTH_SERVICE)\n * export class AppAuthService extends AuthService<AuthOptions> {\n * async signInMagicLink(email: string) {\n * return wrapBetterAuth(async () => {\n * return this.auth.api.signInMagicLink({ body: { email }, headers: new Headers() })\n * })\n * }\n * }\n * ```\n */\n@Request(AUTH_SERVICE)\nexport class AuthService<TOptions extends BetterAuthOptions = BetterAuthOptions> {\n private _authInstance?: Auth<TOptions>\n\n constructor(\n @inject(AUTH_OPTIONS) protected readonly options: TOptions\n ) {}\n\n /**\n * Get the Better Auth instance.\n */\n get auth(): Auth<TOptions> {\n this._authInstance ??= betterAuth({\n ...this.options,\n onAPIError: getErrorHandlerConfig()\n }) as Auth<TOptions>;\n\n return this._authInstance\n }\n}\n","/**\n * Auth Module\n *\n * Provides configurable authentication using Better Auth.\n * Use `forRootAsync` to configure Better Auth options from the application layer.\n *\n * Optionally pass `accessControl` to enable permission-based authorization.\n * This auto-adds the Stratal AC plugin to Better Auth and registers `AccessService`.\n *\n * @example Without access control\n * ```typescript\n * @Module({\n * imports: [\n * AuthModule.forRootAsync({\n * inject: [DI_TOKENS.Database, CONFIG_TOKENS.ConfigService],\n * useFactory: (db, config) => createAuthOptions(db, config)\n * })\n * ]\n * })\n * export class AppModule {}\n * ```\n *\n * @example With access control\n * ```typescript\n * import { createAccessControl } from '@stratal/framework/access-control'\n * import { admin } from 'better-auth/plugins'\n *\n * const permissions = createAccessControl({\n * resources: { posts: ['create', 'read', 'update', 'delete'] } as const,\n * roles: { admin: { posts: ['create', 'read', 'update', 'delete'] }, user: { posts: ['read'] } },\n * })\n *\n * @Module({\n * imports: [\n * AuthModule.forRootAsync({\n * inject: [DI_TOKENS.Database],\n * useFactory: (db) => ({\n * database: ...,\n * plugins: [admin({ ...permissions })],\n * }),\n * accessControl: permissions,\n * })\n * ]\n * })\n * ```\n */\n\nimport type { BetterAuthOptions } from 'better-auth'\nimport { CONTAINER_TOKEN, type Container } from 'stratal/di'\nimport type { AsyncModuleOptions, DynamicModule } from 'stratal/module'\nimport { Module } from 'stratal/module'\nimport type { IRateLimiterStore, RateLimiterRegistry } from 'stratal/rate-limiter'\nimport { RATE_LIMITER_TOKENS } from 'stratal/rate-limiter'\nimport type { RouteConfigurable, Router } from 'stratal/router'\nimport { createStratalAcPlugin } from '../access-control/plugin'\nimport { AccessService } from '../access-control/services/access.service'\nimport { AC_TOKENS } from '../access-control/tokens'\nimport type { AccessControlOptions } from '../access-control/types'\nimport { AuthContext } from '../context/auth-context'\n// Side-effect import: registers the `user()` macro on `RouterContext` and its\n// type augmentation, backed by the request-scoped `AuthContext`.\nimport '../context/router-context.augment'\nimport { AUTH_OPTIONS, AUTH_SERVICE } from './auth.tokens'\nimport { SessionVerificationMiddleware } from './middleware/session-verification.middleware'\n// Side-effect import: registers `forPath`/`pathEntries` macros on\n// `RateLimiterRegistry` and the `declare module` augmentation that exposes\n// them at the type level. Must run before any consumer calls `forPath()`.\nimport {\n createBetterAuthRateLimitStorage,\n projectCustomRules,\n} from './rate-limit-bridge'\nimport { AuthService } from './services/auth.service'\n\nexport interface AuthModuleAsyncOptions<TOptions extends BetterAuthOptions = BetterAuthOptions>\n extends AsyncModuleOptions<TOptions> {\n /**\n * Optional access control configuration.\n * When provided, registers AccessService and auto-adds the Stratal AC plugin to Better Auth.\n */\n accessControl?: AccessControlOptions\n}\n\n@Module({\n providers: [AuthContext]\n})\nexport class AuthModule implements RouteConfigurable {\n /**\n * Configure auth middleware globally.\n *\n * SessionVerificationMiddleware verifies the session and populates the\n * request-scoped AuthContext with the authenticated user.\n */\n configureRoutes(router: Router): void {\n router.use(SessionVerificationMiddleware)\n }\n\n /**\n * Configure AuthModule with async options factory.\n * Optionally provide `accessControl` to enable permission-based authorization.\n *\n * When `RateLimiterModule` is also imported, better-auth's `rateLimit`\n * block is auto-wired: `customStorage` shares Stratal's backing store, and\n * any `RateLimiterRegistry.forPath(...)` entries are projected into\n * `customRules`. User-supplied `rateLimit.{customStorage, customRules}` keys\n * take precedence on a per-key basis.\n */\n static forRootAsync<TOptions extends BetterAuthOptions>(\n options: AuthModuleAsyncOptions<TOptions>\n ): DynamicModule {\n const { accessControl } = options\n const userInject = options.inject ?? []\n const userFactory = options.useFactory as (...args: unknown[]) => TOptions\n\n const authOptionsProvider = {\n provide: AUTH_OPTIONS,\n useFactory: (container: Container, ...userDeps: unknown[]): BetterAuthOptions => {\n let raw = userFactory(...userDeps) as BetterAuthOptions\n\n if (accessControl) {\n raw = {\n ...raw,\n plugins: [createStratalAcPlugin(accessControl), ...(raw.plugins ?? [])],\n }\n }\n\n const rateLimiterPresent = container.isRegistered(\n RATE_LIMITER_TOKENS.ModuleMarker,\n )\n\n if (rateLimiterPresent) {\n const store = container.resolve<IRateLimiterStore>(RATE_LIMITER_TOKENS.Store)\n const registry = container.resolve<RateLimiterRegistry>(RATE_LIMITER_TOKENS.Registry)\n\n raw = {\n ...raw,\n rateLimit: {\n enabled: true,\n ...raw.rateLimit,\n customStorage: raw.rateLimit?.customStorage ?? createBetterAuthRateLimitStorage(store),\n customRules: {\n ...projectCustomRules(registry),\n ...(raw.rateLimit?.customRules ?? {}),\n },\n },\n }\n }\n\n return raw\n },\n inject: [CONTAINER_TOKEN, ...userInject],\n }\n\n return {\n module: AuthModule,\n providers: [\n authOptionsProvider,\n {\n provide: AUTH_SERVICE,\n useClass: AuthService,\n },\n ...(accessControl\n ? [\n { provide: AC_TOKENS.Options, useValue: accessControl as unknown as object },\n { provide: AC_TOKENS.AccessService, useClass: AccessService },\n ]\n : []),\n ],\n }\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;AAwBA,cAAc,MAAM,QAAQ,WAAyC;CACnE,OAAO,KAAK,aAAa,EAAE,QAAqB,UAAU,WAAW,EAAE,YAAY;AACrF,CAAC;;;;ACzBD,MAAa,eAAe,OAAO,IAAI,sBAAsB;;AAG7D,MAAa,eAAe,OAAO,IAAI,sBAAsB;;;ACetD,IAAA,gCAAA,MAAM,8BAAoD;CAG5C;CAC4B;CAH/C,YACE,aAEA,QACA;EAFiB,KAAA,cAAA;EAC4B,KAAA,SAAA;CAC3C;CAEJ,MAAM,OAAO,KAAoB,MAA2B;EAC1D,IAAI;GACF,MAAM,SAAS,MAAM,KAAK,YAAY,KAAK,IAAI,WAAW,EACxD,SAAS,IAAI,EAAE,IAAI,IAAI,QACzB,CAAC;GAED,IAAI,QAEF,IADwB,aAAa,EAAE,QAAqB,UAAU,WAC5D,EAAE,eAAe,EACzB,MAAM,OAAO,KACf,CAAC;EAEL,SAAS,OAAgB;GACvB,KAAK,OAAO,MAAM,uDAAuD,EAAE,MAAM,CAAC;EACpF;EAEA,OAAO,KAAK;CACd;AACF;;CA1BC,UAAU;oBAGN,OAAO,YAAY,CAAA;oBAEnB,OAAO,cAAc,aAAa,CAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AC+BvC,MAAM,gCAAgB,IAAI,QAA6D;AAEvF,SAAS,mBAAmB,UAA+D;CACzF,IAAI,MAAM,cAAc,IAAI,QAAQ;CACpC,IAAI,CAAC,KAAK;EACR,sBAAM,IAAI,IAAI;EACd,cAAc,IAAI,UAAU,GAAG;CACjC;CACA,OAAO;AACT;AAEA,oBAAoB,MAAM,WAAW,SAEnC,MACA,UACM;CACN,mBAAmB,IAAI,EAAE,IAAI,MAAM,QAAQ;AAC7C,CAAC;AAED,oBAAoB,MAAM,eAAe,WAEQ;CAC/C,QAAQ,cAAc,IAAI,IAAI,qBAAK,IAAI,IAA+B,GAAG,QAAQ;AACnF,CAAC;AA2BD,MAAM,0BAA0B;AAChC,MAAM,yBAAyB;;;;;;AAO/B,SAAgB,iCAAiC,OAG/C;CACA,OAAO;EACL,MAAM,IAAI,KAAK;GACb,OAAO,MAAM,MAAM,IAAyB,GAAG,yBAAyB,KAAK;EAC/E;EACA,MAAM,IAAI,KAAK,OAAO,SAAS;GAC7B,MAAM,MAAM,IAAI,GAAG,yBAAyB,OAAO,OAAO,uBAAuB;EACnF;CACF;AACF;;;;;;;;;;AAWA,SAAgB,mBACd,UACsC;CACtC,MAAM,QAA8C,CAAC;CAErD,KAAK,MAAM,CAAC,MAAM,aAAa,SAAS,YAAY,GAClD,MAAM,QAAQ,OAAO,QAA2D;EAC9E,MAAM,WAAW,MAAM,SAAS,GAAG;EACnC,MAAM,cAAc,MAAM,QAAQ,QAAQ,IAAI,WAAW,CAAC,QAAQ,GAAG,QAAQ,MAAM,CAAC,EAAE,QAAQ;EAC9F,IAAI,WAAW,WAAW,GAAG,OAAO;EAEpC,MAAM,SAAS,WAAW,QAAQ,GAAG,MACnC,EAAE,MAAM,EAAE,iBAAiB,EAAE,MAAM,EAAE,gBAAgB,IAAI,CAC3D;EAEA,OAAO;GAAE,QAAQ,OAAO;GAAe,KAAK,OAAO;EAAI;CACzD;CAGF,OAAO;AACT;;;ACzJA,IAAa,oBAAb,cAAuC,cAAc;CACvB;CAA5B,YAAY,OAAgC;EAC1C,MAAM,KAAK,gBAAgB;EADD,KAAA,QAAA;CAE5B;AACF;AAEA,IAAa,0BAAb,cAA6C,cAAc;CACzD,cAAc;EAAE,MAAM,KAAK,2BAA2B;CAAE;AAC1D;AAEA,IAAa,uBAAb,cAA0C,cAAc;CACtD,cAAc;EAAE,MAAM,KAAK,kBAAkB;CAAE;AACjD;AAEA,IAAa,oBAAb,cAAuC,cAAc;CACvB;CAA5B,YAAY,OAAgC;EAC1C,MAAM,KAAK,uBAAuB;EADR,KAAA,QAAA;CAE5B;AACF;AAEA,IAAa,sBAAb,cAAyC,cAAc;CACrD,cAAc;EAAE,MAAM,KAAK,iBAAiB;CAAE;AAChD;AAEA,IAAa,wBAAb,cAA2C,cAAc;CAC3B;CAA5B,YAAY,OAAgC;EAC1C,MAAM,KAAK,oBAAoB;EADL,KAAA,QAAA;CAE5B;AACF;AAEA,IAAa,wBAAb,cAA2C,cAAc;CAC3B;CAA5B,YAAY,WAAoC;EAC9C,MAAM,KAAK,oBAAoB;EADL,KAAA,YAAA;CAE5B;AACF;AAEA,IAAa,uBAAb,cAA0C,cAAc;CAC1B;CAA5B,YAAY,WAAoC;EAC9C,MAAM,KAAK,mBAAmB;EADJ,KAAA,YAAA;CAE5B;AACF;AAEA,IAAa,4BAAb,cAA+C,cAAc;CAC/B;CAA5B,YAAY,OAAgC;EAC1C,MAAM,KAAK,wBAAwB;EADT,KAAA,QAAA;CAE5B;AACF;AAEA,IAAa,2BAAb,cAA8C,cAAc;CAC9B;CAA5B,YAAY,UAAmC;EAC7C,MAAM,KAAK,+BAA+B;EADhB,KAAA,WAAA;CAE5B;AACF;AAEA,IAAa,+BAAb,cAAkD,cAAc;CAC9D,cAAc;EAAE,MAAM,KAAK,4BAA4B;CAAE;AAC3D;AAEA,IAAa,wBAAb,cAA2C,cAAc;CAC3B;CAA5B,YAAY,UAAmC;EAC7C,MAAM,KAAK,mCAAmC;EADpB,KAAA,WAAA;CAE5B;AACF;AAEA,IAAa,yBAAb,cAA4C,cAAc;CACxD,cAAc;EAAE,MAAM,KAAK,sBAAsB;CAAE;AACrD;AAEA,IAAa,uBAAb,cAA0C,cAAc;CACtD,cAAc;EAAE,MAAM,KAAK,mBAAmB;CAAE;AAClD;AAEA,IAAa,iCAAb,cAAoD,cAAc;CAChE,cAAc;EAAE,MAAM,KAAK,8BAA8B;CAAE;AAC7D;AAEA,IAAa,8BAAb,cAAiD,cAAc;CAC7D,cAAc;EAAE,MAAM,KAAK,6BAA6B;CAAE;AAC5D;AAEA,IAAa,4BAAb,cAA+C,cAAc;CAC/B;CAA5B,YAAY,QAAiC;EAC3C,MAAM,KAAK,yBAAyB;EADV,KAAA,SAAA;CAE5B;AACF;AAEA,IAAa,2BAAb,cAA8C,cAAc;CAC1D,cAAc;EAAE,MAAM,KAAK,wBAAwB;CAAE;AACvD;AAEA,IAAa,oBAAb,cAAuC,cAAc;CACnD,cAAc;EAAE,MAAM,KAAK,eAAe;CAAE;AAC9C;AAEA,IAAa,0BAAb,cAA6C,cAAc;CACzD,cAAc;EAAE,MAAM,KAAK,sBAAsB;CAAE;AACrD;AAEA,IAAa,qBAAb,cAAwC,cAAc;CACpD,cAAc;EAAE,MAAM,KAAK,wBAAwB;CAAE;AACvD;AAEA,IAAa,4BAAb,cAA+C,cAAc;CAC3D,cAAc;EAAE,MAAM,KAAK,kCAAkC;CAAE;AACjE;AAEA,IAAa,4BAAb,cAA+C,cAAc;CAC3D,cAAc;EAAE,MAAM,KAAK,wBAAwB;CAAE;AACvD;AAEA,IAAa,qBAAb,cAAwC,cAAc;CACpD,cAAc;EAAE,MAAM,KAAK,gBAAgB;CAAE;AAC/C;;;AChHA,IAAa,oBAAb,cAAuC,cAAc;CACnD,cAAc;EAAE,MAAM,KAAK,0BAA0B;CAAE;AACzD;;;ACFA,IAAa,4BAAb,cAA+C,cAAc;CAC3D,cAAc;EAAE,MAAM,KAAK,wBAAwB;CAAE;AACvD;AACA,IAAa,kCAAb,cAAqD,cAAc;CACjE,cAAc;EAAE,MAAM,KAAK,+BAA+B;CAAE;AAC9D;AACA,IAAa,sCAAb,cAAyD,cAAc;CACrE,cAAc;EAAE,MAAM,KAAK,sBAAsB;CAAE;AACrD;AACA,IAAa,oCAAb,cAAuD,cAAc;CACnE,cAAc;EAAE,MAAM,KAAK,gCAAgC;CAAE;AAC/D;AACA,IAAa,+CAAb,cAAkE,cAAc;CAC9E,cAAc;EAAE,MAAM,KAAK,+BAA+B;CAAE;AAC9D;AACA,IAAa,4BAAb,cAA+C,cAAc;CAC3D,cAAc;EAAE,MAAM,KAAK,gCAAgC;CAAE;AAC/D;AACA,IAAa,gCAAb,cAAmD,cAAc;CAC/D,cAAc;EAAE,MAAM,KAAK,4BAA4B;CAAE;AAC3D;AACA,IAAa,8BAAb,cAAiD,cAAc;CAC7D,cAAc;EAAE,MAAM,KAAK,6CAA6C;CAAE;AAC5E;AACA,IAAa,gCAAb,cAAmD,cAAc;CAC/D,cAAc;EAAE,MAAM,KAAK,gBAAgB;CAAE;AAC/C;AACA,IAAa,gCAAb,cAAmD,cAAc;CAC/D,cAAc;EAAE,MAAM,KAAK,gBAAgB;CAAE;AAC/C;;;AC7BA,IAAa,qBAAb,cAAwC,cAAc;CACpD,cAAc;EAAE,MAAM,KAAK,gCAAgC;CAAE;AAC/D;;;;;;ACwCA,SAAgB,mBAAmB,OAAmC;CACpE,MAAM,YAAY,MAAM,MAAM;CAE9B,IAAI,MAAM,WAAW,SAAS;EAE5B,MAAM,WADU,MAAM,QACG,IAAI,UAAU,KAAK;EAE5C,IAAI,SAAS,SAAS,eAAe,GAAG,OAAO,IAAI,kBAAkB;EACrE,IAAI,SAAS,SAAS,eAAe,GAAG,OAAO,IAAI,kBAAkB;EACrE,IAAI,SAAS,SAAS,mBAAmB,GAAG,OAAO,IAAI,kBAAkB;EACzE,IAAI,SAAS,SAAS,0BAA0B,GAAG,OAAO,IAAI,kBAAkB;EAChF,IAAI,SAAS,SAAS,uBAAuB,GAAG,OAAO,IAAI,UAAU,uBAAuB;EAC5F,IAAI,SAAS,SAAS,0BAA0B,GAAG,OAAO,IAAI,UAAU,0BAA0B;CACpG;CAEA,IAAI,CAAC,WACH,OAAO,IAAI,UAAU,kCAAkC;CAMzD,IAAI,cAAc,oBAAoB,cAAc,gBAAgB,OAAO,IAAI,kBAAkB;CACjG,IAAI,cAAc,wBAAwB,OAAO,IAAI,uBAAuB;CAG5E,IAAI,cAAc,6BAA6B,OAAO,IAAI,wBAAwB;CAClF,IAAI,cAAc,oBAAoB,OAAO,IAAI,qBAAqB;CACtE,IAAI,cAAc,iBAAiB,OAAO,IAAI,kBAAkB;CAGhE,IAAI,cAAc,qBAAqB,cAAc,qBAAqB,OAAO,IAAI,oBAAoB;CACzG,IAAI,cAAc,4BAA4B,OAAO,IAAI,UAAU,0BAA0B;CAC7F,IAAI,cAAc,yBAAyB,OAAO,IAAI,UAAU,4BAA4B;CAG5F,IAAI,cAAc,sBAAsB,OAAO,IAAI,sBAAsB;CACzE,IAAI,cAAc,4BAA4B,OAAO,IAAI,0BAA0B;CACnF,IAAI,cAAc,0BAA0B,OAAO,IAAI,0BAA0B;CACjF,IAAI,cAAc,kBAAkB,OAAO,IAAI,mBAAmB;CAGlE,IAAI,cAAc,sBAAsB,OAAO,IAAI,sBAAsB,CAAC;CAC1E,IAAI,cAAc,qBAAqB,OAAO,IAAI,qBAAqB,GAAG;CAG1E,IAAI,cAAc,yBAAyB,cAAc,yCACvD,OAAO,IAAI,0BAA0B;CAEvC,IAAI,cAAc,qBAAqB,OAAO,IAAI,qBAAqB;CACvE,IAAI,cAAc,gCAAgC,OAAO,IAAI,+BAA+B;CAC5F,IAAI,cAAc,iCAAiC,OAAO,IAAI,6BAA6B;CAG3F,IAAI,cAAc,yBAAyB,OAAO,IAAI,UAAU,uBAAuB;CACvF,IAAI,cAAc,yBAAyB,OAAO,IAAI,UAAU,uBAAuB;CACvF,IAAI,cAAc,2BAA2B,OAAO,IAAI,UAAU,8BAA8B;CAGhG,IAAI,cAAc,mCAAmC,cAAc,iCACjE,OAAO,IAAI,yBAAyB;CAEtC,IAAI,cAAc,sBAAsB,OAAO,IAAI,sBAAsB;CAGzE,IAAI,cAAc,0BAA0B,OAAO,IAAI,yBAAyB;CAChF,IAAI,cAAc,iBAAiB,OAAO,IAAI,kBAAkB;CAChE,IAAI,cAAc,iBAAiB,OAAO,IAAI,kBAAkB;CAGhE,IAAI,cAAc,+BAA+B,cAAc,wBAC7D,OAAO,IAAI,4BAA4B;CAIzC,IACE,cAAc,0BACX,cAAc,0BACd,cAAc,mCACd,cAAc,gCACd,cAAc,yBAEjB,OAAO,IAAI,wBAAwB;CAIrC,IACE,cAAc,oBACX,cAAc,4BACd,cAAc,uCAEjB,OAAO,IAAI,mBAAmB;CAIhC,IACE,cAAc,sBACX,cAAc,mBACd,cAAc,uBACd,cAAc,4BACd,cAAc,oCACd,cAAc,6CAEjB,OAAO,IAAI,0BAA0B;CAIvC,IAAI,cAAc,mCAAmC,cAAc,kCACjE,OAAO,IAAI,UAAU,0BAA0B;CAMjD,IAAI,cAAc,4BAA4B,cAAc,0BAC1D,OAAO,IAAI,0BAA0B;CAIvC,IACE,cAAc,sBACX,cAAc,8CACd,cAAc,oCAEjB,OAAO,IAAI,gCAAgC;CAI7C,IAAI,cAAc,0BAA0B,cAAc,iCACxD,OAAO,IAAI,oCAAoC;CAIjD,IACE,cAAc,iDACX,cAAc,wEAEjB,OAAO,IAAI,6CAA6C;CAI1D,IAAI,cAAc,oBAAoB,cAAc,kCAClD,OAAO,IAAI,8BAA8B;CAI3C,IAAI,cAAc,oBAAoB,cAAc,oBAClD,OAAO,IAAI,8BAA8B;CAI3C,IACE,cAAc,iCACX,cAAc,qCACd,cAAc,mDACd,cAAc,kDACd,cAAc,yBACd,cAAc,8BAEjB,OAAO,IAAI,0BAA0B;CAIvC,IACE,cAAc,0DACX,cAAc,kDACd,cAAc,2CACd,cAAc,8BACd,cAAc,+BACd,cAAc,kBAEjB,OAAO,IAAI,8BAA8B;CAI3C,IACE,cAAc,yDACX,cAAc,wDACd,cAAc,gCACd,cAAc,sCACd,cAAc,iCACd,cAAc,mCACd,cAAc,6BACd,cAAc,gCACd,cAAc,qDAEjB,OAAO,IAAI,4BAA4B;CAIzC,IACE,UAAU,WAAW,yBAAyB,KAC3C,cAAc,+CACd,cAAc,iDACd,cAAc,qDACd,cAAc,uBAEjB,OAAO,IAAI,kCAAkC;CAI/C,OAAO,IAAI,UAAU,kCAAkC;AACzD;;;;;;AAOA,SAAgB,WAAW,OAAmC;CAC5D,IAAI,iBAAiB,UAAU,OAAO;CAEtC,OACE,iBAAiB,SACd,MAAM,SAAS,cACf,YAAY,SACZ,gBAAgB;AAEvB;;;;;;;AC/PA,SAAgB,wBAAyD;CACvE,OAAO;EACL,OAAO;EACP,UAAU,UAAU;GAClB,IAAI,WAAW,KAAK,GAClB,MAAM,mBAAmB,KAAK;GAEhC,MAAM;EACR;CACF;AACF;;;;AAKA,MAAa,iBAAiB,OAAU,OAAqC;CAC3E,IAAI;EACF,OAAO,MAAM,GAAG;CAClB,SAAS,OAAO;EACd,IAAI,WAAW,KAAK,GAClB,MAAM,mBAAmB,KAAK;EAEhC,MAAM;CACR;AACF;;;ACFO,IAAA,cAAA,MAAM,YAAoE;CAIpC;CAH3C;CAEA,YACE,SACA;EADyC,KAAA,UAAA;CACxC;;;;CAKH,IAAI,OAAuB;EACzB,KAAK,kBAAkB,WAAW;GAC9B,GAAG,KAAK;GACR,YAAY,sBAAsB;EACtC,CAAC;EAED,OAAO,KAAK;CACd;AACF;0BAnBC,QAAQ,YAAY,GAAA,gBAAA,GAKhB,OAAO,YAAY,CAAA,CAAA,GAAA,WAAA;;;;ACoDjB,IAAA,aAAA,cAAA,MAAM,WAAwC;;;;;;;CAOnD,gBAAgB,QAAsB;EACpC,OAAO,IAAI,6BAA6B;CAC1C;;;;;;;;;;;CAYA,OAAO,aACL,SACe;EACf,MAAM,EAAE,kBAAkB;EAC1B,MAAM,aAAa,QAAQ,UAAU,CAAC;EACtC,MAAM,cAAc,QAAQ;EAE5B,MAAM,sBAAsB;GAC1B,SAAS;GACT,aAAa,WAAsB,GAAG,aAA2C;IAC/E,IAAI,MAAM,YAAY,GAAG,QAAQ;IAEjC,IAAI,eACF,MAAM;KACJ,GAAG;KACH,SAAS,CAAC,sBAAsB,aAAa,GAAG,GAAI,IAAI,WAAW,CAAC,CAAE;IACxE;IAOF,IAJ2B,UAAU,aACnC,oBAAoB,YAGD,GAAG;KACtB,MAAM,QAAQ,UAAU,QAA2B,oBAAoB,KAAK;KAC5E,MAAM,WAAW,UAAU,QAA6B,oBAAoB,QAAQ;KAEpF,MAAM;MACJ,GAAG;MACH,WAAW;OACT,SAAS;OACT,GAAG,IAAI;OACP,eAAe,IAAI,WAAW,iBAAiB,iCAAiC,KAAK;OACrF,aAAa;QACX,GAAG,mBAAmB,QAAQ;QAC9B,GAAI,IAAI,WAAW,eAAe,CAAC;OACrC;MACF;KACF;IACF;IAEA,OAAO;GACT;GACA,QAAQ,CAAC,iBAAiB,GAAG,UAAU;EACzC;EAEA,OAAO;GACL,QAAA;GACA,WAAW;IACT;IACA;KACE,SAAS;KACT,UAAU;IACZ;IACA,GAAI,gBACA,CACA;KAAE,SAAS,UAAU;KAAS,UAAU;IAAmC,GAC3E;KAAE,SAAS,UAAU;KAAe,UAAU;IAAc,CAC9D,IACE,CAAC;GACP;EACF;CACF;AACF;uCAvFC,OAAO,EACN,WAAW,CAAC,WAAW,EACzB,CAAC,CAAA,GAAA,UAAA"}
1
+ {"version":3,"file":"index.mjs","names":[],"sources":["../../src/context/router-context.augment.ts","../../src/auth/auth.tokens.ts","../../src/auth/middleware/session-verification.middleware.ts","../../src/auth/rate-limit-bridge.ts","../../src/auth/errors/auth-errors.ts","../../src/auth/errors/invalid-token.error.ts","../../src/auth/errors/organization-errors.ts","../../src/auth/errors/token-required.error.ts","../../src/auth/utils/better-auth-error-handler.ts","../../src/auth/utils/auth-helpers.ts","../../src/auth/services/auth.service.ts","../../src/auth/auth.module.ts"],"sourcesContent":["/**\n * Augments Stratal's `RouterContext` with a `user()` accessor backed by the\n * request-scoped {@link AuthContext}.\n *\n * Side-effect import: registers the `user` macro on `RouterContext` and the\n * `declare module` augmentation that exposes it at the type level. Imported by\n * {@link AuthModule} so it runs whenever auth is configured.\n */\nimport { DI_TOKENS } from 'stratal/di'\nimport { RouterContext } from 'stratal/router'\nimport type { AuthContext, AuthUser } from './auth-context'\n\ndeclare module 'stratal/router' {\n interface RouterContext {\n /**\n * The authenticated user for the current request.\n *\n * Throws `UserNotAuthenticatedError` if the request is unauthenticated.\n * Provided by `@stratal/framework`'s `AuthModule` via {@link AuthContext}.\n */\n user(): AuthUser\n }\n}\n\nRouterContext.macro('user', function (this: RouterContext): AuthUser {\n return this.getContainer().resolve<AuthContext>(DI_TOKENS.AuthContext).requireUser()\n})\n","/** Token for AuthService - core authentication service */\nexport const AUTH_SERVICE = Symbol.for('stratal:auth:service')\n\n/** Token for Better Auth options configuration */\nexport const AUTH_OPTIONS = Symbol.for('stratal:auth:options')\n","import { DI_TOKENS, inject, Transient } from 'stratal/di'\nimport { LOGGER_TOKENS, type LoggerService } from 'stratal/logger'\nimport type { Middleware, Next, RouterContext } from 'stratal/router'\nimport { type AuthContext } from '../../context/auth-context'\nimport { AUTH_SERVICE } from '../auth.tokens'\nimport type { AuthService } from '../services/auth.service'\n\n/**\n * Session Verification Middleware\n *\n * Verifies user session via Better Auth and populates AuthContext with\n * the authenticated user.\n *\n * **Responsibilities:**\n * - Calls Better Auth's getSession() API\n * - Populates AuthContext with the user record if the session is valid\n * - Continues request chain regardless of session status\n */\n@Transient()\nexport class SessionVerificationMiddleware implements Middleware {\n constructor(\n @inject(AUTH_SERVICE)\n private readonly authService: AuthService,\n @inject(LOGGER_TOKENS.LoggerService) private logger: LoggerService\n ) { }\n\n async handle(ctx: RouterContext, next: Next): Promise<void> {\n try {\n const result = await this.authService.auth.api.getSession({\n headers: ctx.c.req.raw.headers\n })\n\n if (result) {\n const authContext = ctx.getContainer().resolve<AuthContext>(DI_TOKENS.AuthContext)\n authContext.setAuthContext({\n user: result.user,\n })\n }\n } catch (error: unknown) {\n this.logger.debug('Session validation failed (e.g., invalidated in DB)', { error })\n }\n\n return next()\n }\n}\n","/**\n * Rate-limit bridge between Stratal's `RateLimiterModule` and better-auth.\n *\n * Importing this file (transitively, via `auth.module.ts`) does two things:\n *\n * 1. Augments `RateLimiterRegistry` with `forPath()` + `pathEntries()` via\n * Stratal's `Macroable`. Path-keyed rules registered on the same registry\n * used for Stratal's own throttling are projected into better-auth's\n * `customRules` by {@link projectCustomRules}.\n * 2. Exports {@link createBetterAuthRateLimitStorage} — adapts Stratal's\n * {@link IRateLimiterStore} into better-auth's `customStorage`, so both\n * systems share one backing store.\n *\n * `AuthModule.forRootAsync` wires both automatically when `RateLimiterModule`\n * is imported. Users with explicit `rateLimit.customStorage` /\n * `rateLimit.customRules` keys in their auth factory keep precedence.\n *\n * Frictions, documented for path-keyed entries:\n *\n * - `Limit.by(...)` is meaningless. Better-auth scopes per-IP+path.\n * - Multiple `Limit`s reduce to the most restrictive (smallest max-per-second).\n * - `Limit.none()` projects to `false` (better-auth's \"disable\" sentinel).\n * - `Limit.response(...)` is a no-op. Better-auth renders its own 429.\n * - Snapshot caveat: `customRules` is built once at AuthService construction,\n * so register all `forPath()` entries inside `OnInitialize` hooks.\n */\nimport { type IRateLimiterStore, type Limit, RateLimiterRegistry } from 'stratal/rate-limiter'\n\n/**\n * Resolver attached to a path-keyed limiter entry. Receives the native\n * `Request` (better-auth's customRules invokes us with the live Request)\n * and returns one or more `Limit`s. Async is supported.\n */\nexport type PathLimitResolver = (\n req: Request,\n) => Limit | Limit[] | Promise<Limit | Limit[]>\n\ninterface BetterAuthRateLimit {\n key: string\n count: number\n lastRequest: number\n}\n\ninterface BetterAuthRateLimitRule {\n window: number\n max: number\n}\n\ntype BetterAuthCustomRule =\n | BetterAuthRateLimitRule\n | false\n | ((req: Request) => Promise<BetterAuthRateLimitRule | false>)\n\n// Per-instance path map — keyed by registry so we don't pin GC roots.\nconst pathResolvers = new WeakMap<RateLimiterRegistry, Map<string, PathLimitResolver>>()\n\nfunction getOrCreatePathMap(registry: RateLimiterRegistry): Map<string, PathLimitResolver> {\n let map = pathResolvers.get(registry)\n if (!map) {\n map = new Map()\n pathResolvers.set(registry, map)\n }\n return map\n}\n\nRateLimiterRegistry.macro('forPath', function (\n this: RateLimiterRegistry,\n path: string,\n resolver: PathLimitResolver,\n): void {\n getOrCreatePathMap(this).set(path, resolver)\n})\n\nRateLimiterRegistry.macro('pathEntries', function (\n this: RateLimiterRegistry,\n): IterableIterator<[string, PathLimitResolver]> {\n return (pathResolvers.get(this) ?? new Map<string, PathLimitResolver>()).entries()\n})\n\ndeclare module 'stratal/rate-limiter' {\n interface RateLimiterRegistry {\n /**\n * Register a rate-limit rule for a better-auth path pattern. The rule\n * is projected into better-auth's `rateLimit.customRules` automatically\n * when both modules are imported.\n *\n * @example\n * limiter.forPath('/sign-in/email', () => Limit.perSeconds(10, 3))\n * limiter.forPath('/two-factor/*', async (req) => { ... })\n * limiter.forPath('/forget-password', () => Limit.none())\n */\n forPath(path: string, resolver: PathLimitResolver): void\n\n /**\n * Iterate every path-keyed entry registered via `forPath`. Used by the\n * auth bridge to project entries into better-auth's `customRules`.\n */\n pathEntries(): IterableIterator<[string, PathLimitResolver]>\n }\n}\n\n// Better-auth manages window expiry itself by reading `lastRequest`. We still\n// need a TTL on the underlying KV so dead records don't accumulate. 1 day\n// covers any reasonable better-auth window without colliding with the next.\nconst BETTER_AUTH_TTL_SECONDS = 86_400\nconst BETTER_AUTH_KEY_PREFIX = 'ba-rl:'\n\n/**\n * Adapt Stratal's `IRateLimiterStore` into better-auth's `customStorage` shape.\n * Better-auth supplies its own `RateLimit` records (`{ key, count, lastRequest }`);\n * the adapter just persists them under a separate key namespace.\n */\nexport function createBetterAuthRateLimitStorage(store: IRateLimiterStore): {\n get: (key: string) => Promise<BetterAuthRateLimit | null>\n set: (key: string, value: BetterAuthRateLimit, update?: boolean) => Promise<void>\n} {\n return {\n async get(key) {\n return await store.get<BetterAuthRateLimit>(`${BETTER_AUTH_KEY_PREFIX}${key}`)\n },\n async set(key, value, _update) {\n await store.set(`${BETTER_AUTH_KEY_PREFIX}${key}`, value, BETTER_AUTH_TTL_SECONDS)\n },\n }\n}\n\n/**\n * Project every `forPath` entry on the registry into better-auth's\n * `customRules` shape. Each entry becomes an async function that resolves\n * the user's `Limit`(s) and reduces them to a single `{ window, max }` pair\n * (or `false` for `Limit.none()`).\n *\n * Multi-`Limit` reduction picks the most restrictive — smallest\n * `max / windowSeconds` ratio; ties favour the first.\n */\nexport function projectCustomRules(\n registry: RateLimiterRegistry,\n): Record<string, BetterAuthCustomRule> {\n const rules: Record<string, BetterAuthCustomRule> = {}\n\n for (const [path, resolver] of registry.pathEntries()) {\n rules[path] = async (req: Request): Promise<BetterAuthRateLimitRule | false> => {\n const resolved = await resolver(req)\n const candidates = (Array.isArray(resolved) ? resolved : [resolved]).filter((l) => !l.disabled)\n if (candidates.length === 0) return false\n\n const chosen = candidates.reduce((a, b) =>\n a.max / a.windowSeconds <= b.max / b.windowSeconds ? a : b,\n )\n\n return { window: chosen.windowSeconds, max: chosen.max }\n }\n }\n\n return rules\n}\n","import { HttpException } from 'stratal/errors'\n\nexport class UserNotFoundError extends HttpException {\n constructor(public readonly email?: string) {\n super(404, 'User not found')\n }\n}\n\nexport class InvalidCredentialsError extends HttpException {\n constructor() { super(401, 'Invalid email or password') }\n}\n\nexport class InvalidPasswordError extends HttpException {\n constructor() { super(401, 'Invalid password') }\n}\n\nexport class InvalidEmailError extends HttpException {\n constructor(public readonly email?: string) {\n super(422, 'Invalid email address')\n }\n}\n\nexport class SessionExpiredError extends HttpException {\n constructor() { super(401, 'Session expired') }\n}\n\nexport class FreshSessionRequiredError extends HttpException {\n constructor() { super(403, 'Fresh session required') }\n}\n\nexport class EmailNotVerifiedError extends HttpException {\n constructor(public readonly email?: string) {\n super(403, 'Email not verified')\n }\n}\n\nexport class PasswordTooShortError extends HttpException {\n constructor(public readonly minLength?: number) {\n super(422, 'Password too short')\n }\n}\n\nexport class PasswordTooLongError extends HttpException {\n constructor(public readonly maxLength?: number) {\n super(422, 'Password too long')\n }\n}\n\nexport class AccountAlreadyExistsError extends HttpException {\n constructor(public readonly email?: string) {\n super(409, 'Account already exists')\n }\n}\n\nexport class SocialAccountLinkedError extends HttpException {\n constructor(public readonly provider?: string) {\n super(409, 'Social account already linked')\n }\n}\n\nexport class CannotUnlinkLastAccountError extends HttpException {\n constructor() { super(409, 'Cannot unlink last account') }\n}\n\nexport class ProviderNotFoundError extends HttpException {\n constructor(public readonly provider?: string) {\n super(404, 'Authentication provider not found')\n }\n}\n\nexport class UserEmailNotFoundError extends HttpException {\n constructor() { super(404, 'User email not found') }\n}\n\nexport class AccountNotFoundError extends HttpException {\n constructor() { super(404, 'Account not found') }\n}\n\nexport class CredentialAccountNotFoundError extends HttpException {\n constructor() { super(404, 'Credential account not found') }\n}\n\nexport class UserAlreadyHasPasswordError extends HttpException {\n constructor() { super(409, 'User already has a password') }\n}\n\nexport class EmailCannotBeUpdatedError extends HttpException {\n constructor(public readonly reason?: string) {\n super(422, 'Email cannot be updated')\n }\n}\n\nexport class IdTokenNotSupportedError extends HttpException {\n constructor() { super(422, 'ID token not supported') }\n}\n\nexport class TokenExpiredError extends HttpException {\n constructor() { super(401, 'Token expired') }\n}\n\nexport class InvalidCallbackUrlError extends HttpException {\n constructor() { super(422, 'Invalid callback URL') }\n}\n\nexport class InvalidOriginError extends HttpException {\n constructor() { super(403, 'Invalid request origin') }\n}\n\nexport class AuthValidationFailedError extends HttpException {\n constructor() { super(422, 'Authentication validation failed') }\n}\n\nexport class EmailAlreadyVerifiedError extends HttpException {\n constructor() { super(409, 'Email already verified') }\n}\n\nexport class EmailMismatchError extends HttpException {\n constructor() { super(422, 'Email mismatch') }\n}\n","import { HttpException } from 'stratal/errors'\n\nexport class InvalidTokenError extends HttpException {\n constructor() { super(401, 'Invalid or expired token') }\n}\n","import { HttpException } from 'stratal/errors'\n\nexport class OrganizationNotFoundError extends HttpException {\n constructor() { super(404, 'Organization not found') }\n}\nexport class OrganizationMemberNotFoundError extends HttpException {\n constructor() { super(404, 'Organization member not found') }\n}\nexport class OrganizationInvitationNotFoundError extends HttpException {\n constructor() { super(404, 'Invitation not found') }\n}\nexport class OrganizationPermissionDeniedError extends HttpException {\n constructor() { super(403, 'Organization permission denied') }\n}\nexport class OrganizationInvitationRecipientMismatchError extends HttpException {\n constructor() { super(403, 'Invitation recipient mismatch') }\n}\nexport class OrganizationConflictError extends HttpException {\n constructor() { super(409, 'Organization resource conflict') }\n}\nexport class OrganizationLimitReachedError extends HttpException {\n constructor() { super(422, 'Organization limit reached') }\n}\nexport class OrganizationMembershipError extends HttpException {\n constructor() { super(422, 'Organization membership constraint violated') }\n}\nexport class OrganizationTeamNotFoundError extends HttpException {\n constructor() { super(404, 'Team not found') }\n}\nexport class OrganizationRoleNotFoundError extends HttpException {\n constructor() { super(404, 'Role not found') }\n}\n","import { HttpException } from 'stratal/errors'\n\nexport class TokenRequiredError extends HttpException {\n constructor() { super(401, 'Verification token is required') }\n}\n","import { APIError } from 'better-auth/api'\nimport { AuthError } from 'stratal/errors'\nimport type { ApplicationError } from 'stratal/errors'\nimport {\n AccountAlreadyExistsError,\n AccountNotFoundError,\n AuthValidationFailedError,\n CannotUnlinkLastAccountError,\n CredentialAccountNotFoundError,\n EmailAlreadyVerifiedError,\n EmailCannotBeUpdatedError,\n EmailMismatchError,\n EmailNotVerifiedError,\n FreshSessionRequiredError,\n IdTokenNotSupportedError,\n InvalidCallbackUrlError,\n InvalidCredentialsError,\n InvalidEmailError,\n InvalidOriginError,\n InvalidPasswordError,\n InvalidTokenError,\n OrganizationConflictError,\n OrganizationInvitationNotFoundError,\n OrganizationInvitationRecipientMismatchError,\n OrganizationLimitReachedError,\n OrganizationMemberNotFoundError,\n OrganizationMembershipError,\n OrganizationNotFoundError,\n OrganizationPermissionDeniedError,\n OrganizationRoleNotFoundError,\n OrganizationTeamNotFoundError,\n PasswordTooLongError,\n PasswordTooShortError,\n ProviderNotFoundError,\n SessionExpiredError,\n SocialAccountLinkedError,\n TokenExpiredError,\n UserAlreadyHasPasswordError,\n UserEmailNotFoundError,\n UserNotFoundError,\n} from '../errors'\n\n/**\n * Maps Better Auth API error codes to ApplicationError instances.\n */\nexport function mapBetterAuthError(error: APIError): ApplicationError {\n const errorCode = error.body?.code\n\n if (error.status === 'FOUND') {\n const headers = error.headers as Headers\n const location = headers.get('location') ?? ''\n\n if (location.includes('INVALID_TOKEN')) return new InvalidTokenError()\n if (location.includes('EXPIRED_TOKEN')) return new TokenExpiredError()\n if (location.includes('ATTEMPTS_EXCEEDED')) return new InvalidTokenError()\n if (location.includes('new_user_signup_disabled')) return new UserNotFoundError()\n if (location.includes('failed_to_create_user')) return new AuthError('Failed to create user')\n if (location.includes('failed_to_create_session')) return new AuthError('Failed to create session')\n }\n\n if (!errorCode) {\n return new AuthError('An authentication error occurred')\n }\n\n // ── Base Error Codes ──────────────────────────────────────────────────\n\n // User errors\n if (errorCode === 'USER_NOT_FOUND' || errorCode === 'INVALID_USER') return new UserNotFoundError()\n if (errorCode === 'USER_EMAIL_NOT_FOUND') return new UserEmailNotFoundError()\n\n // Credential errors\n if (errorCode === 'INVALID_EMAIL_OR_PASSWORD') return new InvalidCredentialsError()\n if (errorCode === 'INVALID_PASSWORD') return new InvalidPasswordError()\n if (errorCode === 'INVALID_EMAIL') return new InvalidEmailError()\n\n // Session errors\n if (errorCode === 'SESSION_EXPIRED') return new SessionExpiredError()\n if (errorCode === 'SESSION_NOT_FRESH') return new FreshSessionRequiredError()\n if (errorCode === 'FAILED_TO_CREATE_SESSION') return new AuthError('Failed to create session')\n if (errorCode === 'FAILED_TO_GET_SESSION') return new AuthError('Failed to retrieve session')\n\n // Email verification\n if (errorCode === 'EMAIL_NOT_VERIFIED') return new EmailNotVerifiedError()\n if (errorCode === 'EMAIL_CAN_NOT_BE_UPDATED') return new EmailCannotBeUpdatedError()\n if (errorCode === 'EMAIL_ALREADY_VERIFIED') return new EmailAlreadyVerifiedError()\n if (errorCode === 'EMAIL_MISMATCH') return new EmailMismatchError()\n\n // Password validation\n if (errorCode === 'PASSWORD_TOO_SHORT') return new PasswordTooShortError(8)\n if (errorCode === 'PASSWORD_TOO_LONG') return new PasswordTooLongError(128)\n\n // Account errors\n if (errorCode === 'USER_ALREADY_EXISTS' || errorCode === 'USER_ALREADY_EXISTS_USE_ANOTHER_EMAIL') {\n return new AccountAlreadyExistsError()\n }\n if (errorCode === 'ACCOUNT_NOT_FOUND') return new AccountNotFoundError()\n if (errorCode === 'CREDENTIAL_ACCOUNT_NOT_FOUND') return new CredentialAccountNotFoundError()\n if (errorCode === 'FAILED_TO_UNLINK_LAST_ACCOUNT') return new CannotUnlinkLastAccountError()\n\n // User creation/update errors\n if (errorCode === 'FAILED_TO_CREATE_USER') return new AuthError('Failed to create user')\n if (errorCode === 'FAILED_TO_UPDATE_USER') return new AuthError('Failed to update user')\n if (errorCode === 'FAILED_TO_GET_USER_INFO') return new AuthError('Failed to retrieve user info')\n\n // Social account errors\n if (errorCode === 'SOCIAL_ACCOUNT_ALREADY_LINKED' || errorCode === 'LINKED_ACCOUNT_ALREADY_EXISTS') {\n return new SocialAccountLinkedError()\n }\n if (errorCode === 'PROVIDER_NOT_FOUND') return new ProviderNotFoundError()\n\n // Token errors\n if (errorCode === 'ID_TOKEN_NOT_SUPPORTED') return new IdTokenNotSupportedError()\n if (errorCode === 'INVALID_TOKEN') return new InvalidTokenError()\n if (errorCode === 'TOKEN_EXPIRED') return new TokenExpiredError()\n\n // Password management\n if (errorCode === 'USER_ALREADY_HAS_PASSWORD' || errorCode === 'PASSWORD_ALREADY_SET') {\n return new UserAlreadyHasPasswordError()\n }\n\n // Callback/redirect URL errors\n if (\n errorCode === 'INVALID_CALLBACK_URL'\n || errorCode === 'INVALID_REDIRECT_URL'\n || errorCode === 'INVALID_NEW_USER_CALLBACK_URL'\n || errorCode === 'INVALID_ERROR_CALLBACK_URL'\n || errorCode === 'CALLBACK_URL_REQUIRED'\n ) {\n return new InvalidCallbackUrlError()\n }\n\n // Origin/CORS errors\n if (\n errorCode === 'INVALID_ORIGIN'\n || errorCode === 'MISSING_OR_NULL_ORIGIN'\n || errorCode === 'CROSS_SITE_NAVIGATION_LOGIN_BLOCKED'\n ) {\n return new InvalidOriginError()\n }\n\n // Validation errors\n if (\n errorCode === 'VALIDATION_ERROR'\n || errorCode === 'MISSING_FIELD'\n || errorCode === 'FIELD_NOT_ALLOWED'\n || errorCode === 'BODY_MUST_BE_AN_OBJECT'\n || errorCode === 'ASYNC_VALIDATION_NOT_SUPPORTED'\n || errorCode === 'METHOD_NOT_ALLOWED_DEFER_SESSION_REQUIRED'\n ) {\n return new AuthValidationFailedError()\n }\n\n // Verification errors\n if (errorCode === 'FAILED_TO_CREATE_VERIFICATION' || errorCode === 'VERIFICATION_EMAIL_NOT_ENABLED') {\n return new AuthError('Failed to create session')\n }\n\n // ── Organization Plugin Error Codes ───────────────────────────────────\n\n // Organization not found\n if (errorCode === 'ORGANIZATION_NOT_FOUND' || errorCode === 'NO_ACTIVE_ORGANIZATION') {\n return new OrganizationNotFoundError()\n }\n\n // Member not found\n if (\n errorCode === 'MEMBER_NOT_FOUND'\n || errorCode === 'USER_IS_NOT_A_MEMBER_OF_THE_ORGANIZATION'\n || errorCode === 'USER_IS_NOT_A_MEMBER_OF_THE_TEAM'\n ) {\n return new OrganizationMemberNotFoundError()\n }\n\n // Invitation not found\n if (errorCode === 'INVITATION_NOT_FOUND' || errorCode === 'FAILED_TO_RETRIEVE_INVITATION') {\n return new OrganizationInvitationNotFoundError()\n }\n\n // Invitation recipient mismatch\n if (\n errorCode === 'YOU_ARE_NOT_THE_RECIPIENT_OF_THE_INVITATION'\n || errorCode === 'EMAIL_VERIFICATION_REQUIRED_BEFORE_ACCEPTING_OR_REJECTING_INVITATION'\n ) {\n return new OrganizationInvitationRecipientMismatchError()\n }\n\n // Team not found\n if (errorCode === 'TEAM_NOT_FOUND' || errorCode === 'YOU_DO_NOT_HAVE_AN_ACTIVE_TEAM') {\n return new OrganizationTeamNotFoundError()\n }\n\n // Role not found\n if (errorCode === 'ROLE_NOT_FOUND' || errorCode === 'INVALID_RESOURCE') {\n return new OrganizationRoleNotFoundError()\n }\n\n // Organization conflict/already exists\n if (\n errorCode === 'ORGANIZATION_ALREADY_EXISTS'\n || errorCode === 'ORGANIZATION_SLUG_ALREADY_TAKEN'\n || errorCode === 'USER_IS_ALREADY_A_MEMBER_OF_THIS_ORGANIZATION'\n || errorCode === 'USER_IS_ALREADY_INVITED_TO_THIS_ORGANIZATION'\n || errorCode === 'TEAM_ALREADY_EXISTS'\n || errorCode === 'ROLE_NAME_IS_ALREADY_TAKEN'\n ) {\n return new OrganizationConflictError()\n }\n\n // Organization limit reached\n if (\n errorCode === 'YOU_HAVE_REACHED_THE_MAXIMUM_NUMBER_OF_ORGANIZATIONS'\n || errorCode === 'YOU_HAVE_REACHED_THE_MAXIMUM_NUMBER_OF_TEAMS'\n || errorCode === 'ORGANIZATION_MEMBERSHIP_LIMIT_REACHED'\n || errorCode === 'INVITATION_LIMIT_REACHED'\n || errorCode === 'TEAM_MEMBER_LIMIT_REACHED'\n || errorCode === 'TOO_MANY_ROLES'\n ) {\n return new OrganizationLimitReachedError()\n }\n\n // Organization membership constraints\n if (\n errorCode === 'YOU_CANNOT_LEAVE_THE_ORGANIZATION_AS_THE_ONLY_OWNER'\n || errorCode === 'YOU_CANNOT_LEAVE_THE_ORGANIZATION_WITHOUT_AN_OWNER'\n || errorCode === 'UNABLE_TO_REMOVE_LAST_TEAM'\n || errorCode === 'CANNOT_DELETE_A_PRE_DEFINED_ROLE'\n || errorCode === 'ROLE_IS_ASSIGNED_TO_MEMBERS'\n || errorCode === 'YOU_CANNOT_IMPERSONATE_ADMINS'\n || errorCode === 'YOU_CANNOT_BAN_YOURSELF'\n || errorCode === 'YOU_CANNOT_REMOVE_YOURSELF'\n || errorCode === 'INVITER_IS_NO_LONGER_A_MEMBER_OF_THE_ORGANIZATION'\n ) {\n return new OrganizationMembershipError()\n }\n\n // Organization permission denied (catch-all for YOU_ARE_NOT_ALLOWED_TO_* patterns)\n if (\n errorCode.startsWith('YOU_ARE_NOT_ALLOWED_TO_')\n || errorCode === 'YOU_ARE_NOT_A_MEMBER_OF_THIS_ORGANIZATION'\n || errorCode === 'YOU_CAN_NOT_ACCESS_THE_MEMBERS_OF_THIS_TEAM'\n || errorCode === 'YOU_MUST_BE_IN_AN_ORGANIZATION_TO_CREATE_A_ROLE'\n || errorCode === 'MISSING_AC_INSTANCE'\n ) {\n return new OrganizationPermissionDeniedError()\n }\n\n // Unknown error code\n return new AuthError('An authentication error occurred')\n}\n\n/**\n * Type guard to check if an error is a Better Auth APIError.\n * Uses duck typing to handle bundler environments (e.g. Vite)\n * where instanceof may fail across module boundaries.\n */\nexport function isAPIError(error: unknown): error is APIError {\n if (error instanceof APIError) return true\n\n return (\n error instanceof Error\n && error.name === 'APIError'\n && 'status' in error\n && 'statusCode' in error\n )\n}\n","import type { BetterAuthOptions } from 'better-auth'\nimport { isAPIError, mapBetterAuthError } from './better-auth-error-handler'\n\n/**\n * Get shared Better Auth error handler configuration.\n * Use this in Better Auth config's onAPIError option.\n */\nexport function getErrorHandlerConfig(): BetterAuthOptions['onAPIError'] {\n return {\n throw: false,\n onError: (error) => {\n if (isAPIError(error)) {\n throw mapBetterAuthError(error)\n }\n throw error\n },\n }\n}\n\n/**\n * Wrap a Better Auth function in a try/catch block and map errors to ApplicationError.\n */\nexport const wrapBetterAuth = async <T>(fn: () => Promise<T>): Promise<T> => {\n try {\n return await fn()\n } catch (error) {\n if (isAPIError(error)) {\n throw mapBetterAuthError(error)\n }\n throw error\n }\n}\n","import type { Auth, BetterAuthOptions } from 'better-auth';\nimport { betterAuth } from 'better-auth/minimal';\nimport { inject, Request } from 'stratal/di';\nimport { AUTH_OPTIONS, AUTH_SERVICE } from '../auth.tokens';\nimport { getErrorHandlerConfig } from '../utils';\n\n/**\n * AuthService\n *\n * Base authentication service using Better Auth.\n * Configured via AuthModule.forRootAsync() from the application layer.\n *\n * **Extensibility:**\n * Extend this class to add custom methods. Subclasses inherit\n * `@Request(AUTH_SERVICE)` scope automatically — no decorator needed.\n *\n * @example\n * ```typescript\n * @Request(AUTH_SERVICE)\n * export class AppAuthService extends AuthService<AuthOptions> {\n * async signInMagicLink(email: string) {\n * return wrapBetterAuth(async () => {\n * return this.auth.api.signInMagicLink({ body: { email }, headers: new Headers() })\n * })\n * }\n * }\n * ```\n */\n@Request(AUTH_SERVICE)\nexport class AuthService<TOptions extends BetterAuthOptions = BetterAuthOptions> {\n private _authInstance?: Auth<TOptions>\n\n constructor(\n @inject(AUTH_OPTIONS) protected readonly options: TOptions\n ) {}\n\n /**\n * Get the Better Auth instance.\n */\n get auth(): Auth<TOptions> {\n this._authInstance ??= betterAuth({\n ...this.options,\n onAPIError: getErrorHandlerConfig()\n }) as Auth<TOptions>;\n\n return this._authInstance\n }\n}\n","/**\n * Auth Module\n *\n * Provides configurable authentication using Better Auth.\n * Use `forRootAsync` to configure Better Auth options from the application layer.\n *\n * Optionally pass `accessControl` to enable permission-based authorization.\n * This auto-adds the Stratal AC plugin to Better Auth and registers `AccessService`.\n *\n * @example Without access control\n * ```typescript\n * @Module({\n * imports: [\n * AuthModule.forRootAsync({\n * inject: [DI_TOKENS.Database, CONFIG_TOKENS.ConfigService],\n * useFactory: (db, config) => createAuthOptions(db, config)\n * })\n * ]\n * })\n * export class AppModule {}\n * ```\n *\n * @example With access control\n * ```typescript\n * import { createAccessControl } from '@stratal/framework/access-control'\n * import { admin } from 'better-auth/plugins'\n *\n * const permissions = createAccessControl({\n * resources: { posts: ['create', 'read', 'update', 'delete'] } as const,\n * roles: { admin: { posts: ['create', 'read', 'update', 'delete'] }, user: { posts: ['read'] } },\n * })\n *\n * @Module({\n * imports: [\n * AuthModule.forRootAsync({\n * inject: [DI_TOKENS.Database],\n * useFactory: (db) => ({\n * database: ...,\n * plugins: [admin({ ...permissions })],\n * }),\n * accessControl: permissions,\n * })\n * ]\n * })\n * ```\n */\n\nimport type { BetterAuthOptions } from 'better-auth'\nimport { CONTAINER_TOKEN, type Container } from 'stratal/di'\nimport type { AsyncModuleOptions, DynamicModule } from 'stratal/module'\nimport { Module } from 'stratal/module'\nimport type { IRateLimiterStore, RateLimiterRegistry } from 'stratal/rate-limiter'\nimport { RATE_LIMITER_TOKENS } from 'stratal/rate-limiter'\nimport type { RouteConfigurable, Router } from 'stratal/router'\nimport { createStratalAcPlugin } from '../access-control/plugin'\nimport { AccessService } from '../access-control/services/access.service'\nimport { AC_TOKENS } from '../access-control/tokens'\nimport type { AccessControlOptions } from '../access-control/types'\nimport { AuthContext } from '../context/auth-context'\n// Side-effect import: registers the `user()` macro on `RouterContext` and its\n// type augmentation, backed by the request-scoped `AuthContext`.\nimport '../context/router-context.augment'\nimport { AUTH_OPTIONS, AUTH_SERVICE } from './auth.tokens'\nimport { SessionVerificationMiddleware } from './middleware/session-verification.middleware'\n// Side-effect import: registers `forPath`/`pathEntries` macros on\n// `RateLimiterRegistry` and the `declare module` augmentation that exposes\n// them at the type level. Must run before any consumer calls `forPath()`.\nimport {\n createBetterAuthRateLimitStorage,\n projectCustomRules,\n} from './rate-limit-bridge'\nimport { AuthService } from './services/auth.service'\n\nexport interface AuthModuleAsyncOptions<TOptions extends BetterAuthOptions = BetterAuthOptions>\n extends AsyncModuleOptions<TOptions> {\n /**\n * Optional access control configuration.\n * When provided, registers AccessService and auto-adds the Stratal AC plugin to Better Auth.\n */\n accessControl?: AccessControlOptions\n}\n\n@Module({\n providers: [AuthContext]\n})\nexport class AuthModule implements RouteConfigurable {\n /**\n * Configure auth middleware globally.\n *\n * SessionVerificationMiddleware verifies the session and populates the\n * request-scoped AuthContext with the authenticated user.\n */\n configureRoutes(router: Router): void {\n router.use(SessionVerificationMiddleware)\n }\n\n /**\n * Configure AuthModule with async options factory.\n * Optionally provide `accessControl` to enable permission-based authorization.\n *\n * When `RateLimiterModule` is also imported, better-auth's `rateLimit`\n * block is auto-wired: `customStorage` shares Stratal's backing store, and\n * any `RateLimiterRegistry.forPath(...)` entries are projected into\n * `customRules`. User-supplied `rateLimit.{customStorage, customRules}` keys\n * take precedence on a per-key basis.\n */\n static forRootAsync<TOptions extends BetterAuthOptions>(\n options: AuthModuleAsyncOptions<TOptions>\n ): DynamicModule {\n const { accessControl } = options\n const userInject = options.inject ?? []\n const userFactory = options.useFactory as (...args: unknown[]) => TOptions\n\n const authOptionsProvider = {\n provide: AUTH_OPTIONS,\n useFactory: (container: Container, ...userDeps: unknown[]): BetterAuthOptions => {\n let raw = userFactory(...userDeps) as BetterAuthOptions\n\n if (accessControl) {\n raw = {\n ...raw,\n plugins: [createStratalAcPlugin(accessControl), ...(raw.plugins ?? [])],\n }\n }\n\n const rateLimiterPresent = container.isRegistered(\n RATE_LIMITER_TOKENS.ModuleMarker,\n )\n\n if (rateLimiterPresent) {\n const store = container.resolve<IRateLimiterStore>(RATE_LIMITER_TOKENS.Store)\n const registry = container.resolve<RateLimiterRegistry>(RATE_LIMITER_TOKENS.Registry)\n\n raw = {\n ...raw,\n rateLimit: {\n enabled: true,\n ...raw.rateLimit,\n customStorage: raw.rateLimit?.customStorage ?? createBetterAuthRateLimitStorage(store),\n customRules: {\n ...projectCustomRules(registry),\n ...(raw.rateLimit?.customRules ?? {}),\n },\n },\n }\n }\n\n return raw\n },\n inject: [CONTAINER_TOKEN, ...userInject],\n }\n\n return {\n module: AuthModule,\n providers: [\n authOptionsProvider,\n {\n provide: AUTH_SERVICE,\n useClass: AuthService,\n },\n ...(accessControl\n ? [\n { provide: AC_TOKENS.Options, useValue: accessControl as unknown as object },\n { provide: AC_TOKENS.AccessService, useClass: AccessService },\n ]\n : []),\n ],\n }\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;AAwBA,cAAc,MAAM,QAAQ,WAAyC;CACnE,OAAO,KAAK,aAAa,EAAE,QAAqB,UAAU,WAAW,EAAE,YAAY;AACrF,CAAC;;;;ACzBD,MAAa,eAAe,OAAO,IAAI,sBAAsB;;AAG7D,MAAa,eAAe,OAAO,IAAI,sBAAsB;;;ACetD,IAAA,gCAAA,MAAM,8BAAoD;CAG5C;CAC4B;CAH/C,YACE,aAEA,QACA;EAFiB,KAAA,cAAA;EAC4B,KAAA,SAAA;CAC3C;CAEJ,MAAM,OAAO,KAAoB,MAA2B;EAC1D,IAAI;GACF,MAAM,SAAS,MAAM,KAAK,YAAY,KAAK,IAAI,WAAW,EACxD,SAAS,IAAI,EAAE,IAAI,IAAI,QACzB,CAAC;GAED,IAAI,QAEF,IADwB,aAAa,EAAE,QAAqB,UAAU,WAC5D,EAAE,eAAe,EACzB,MAAM,OAAO,KACf,CAAC;EAEL,SAAS,OAAgB;GACvB,KAAK,OAAO,MAAM,uDAAuD,EAAE,MAAM,CAAC;EACpF;EAEA,OAAO,KAAK;CACd;AACF;;CA1BC,UAAU;oBAGN,OAAO,YAAY,CAAA;oBAEnB,OAAO,cAAc,aAAa,CAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AC+BvC,MAAM,gCAAgB,IAAI,QAA6D;AAEvF,SAAS,mBAAmB,UAA+D;CACzF,IAAI,MAAM,cAAc,IAAI,QAAQ;CACpC,IAAI,CAAC,KAAK;EACR,sBAAM,IAAI,IAAI;EACd,cAAc,IAAI,UAAU,GAAG;CACjC;CACA,OAAO;AACT;AAEA,oBAAoB,MAAM,WAAW,SAEnC,MACA,UACM;CACN,mBAAmB,IAAI,EAAE,IAAI,MAAM,QAAQ;AAC7C,CAAC;AAED,oBAAoB,MAAM,eAAe,WAEQ;CAC/C,QAAQ,cAAc,IAAI,IAAI,qBAAK,IAAI,IAA+B,GAAG,QAAQ;AACnF,CAAC;AA2BD,MAAM,0BAA0B;AAChC,MAAM,yBAAyB;;;;;;AAO/B,SAAgB,iCAAiC,OAG/C;CACA,OAAO;EACL,MAAM,IAAI,KAAK;GACb,OAAO,MAAM,MAAM,IAAyB,GAAG,yBAAyB,KAAK;EAC/E;EACA,MAAM,IAAI,KAAK,OAAO,SAAS;GAC7B,MAAM,MAAM,IAAI,GAAG,yBAAyB,OAAO,OAAO,uBAAuB;EACnF;CACF;AACF;;;;;;;;;;AAWA,SAAgB,mBACd,UACsC;CACtC,MAAM,QAA8C,CAAC;CAErD,KAAK,MAAM,CAAC,MAAM,aAAa,SAAS,YAAY,GAClD,MAAM,QAAQ,OAAO,QAA2D;EAC9E,MAAM,WAAW,MAAM,SAAS,GAAG;EACnC,MAAM,cAAc,MAAM,QAAQ,QAAQ,IAAI,WAAW,CAAC,QAAQ,GAAG,QAAQ,MAAM,CAAC,EAAE,QAAQ;EAC9F,IAAI,WAAW,WAAW,GAAG,OAAO;EAEpC,MAAM,SAAS,WAAW,QAAQ,GAAG,MACnC,EAAE,MAAM,EAAE,iBAAiB,EAAE,MAAM,EAAE,gBAAgB,IAAI,CAC3D;EAEA,OAAO;GAAE,QAAQ,OAAO;GAAe,KAAK,OAAO;EAAI;CACzD;CAGF,OAAO;AACT;;;ACzJA,IAAa,oBAAb,cAAuC,cAAc;CACvB;CAA5B,YAAY,OAAgC;EAC1C,MAAM,KAAK,gBAAgB;EADD,KAAA,QAAA;CAE5B;AACF;AAEA,IAAa,0BAAb,cAA6C,cAAc;CACzD,cAAc;EAAE,MAAM,KAAK,2BAA2B;CAAE;AAC1D;AAEA,IAAa,uBAAb,cAA0C,cAAc;CACtD,cAAc;EAAE,MAAM,KAAK,kBAAkB;CAAE;AACjD;AAEA,IAAa,oBAAb,cAAuC,cAAc;CACvB;CAA5B,YAAY,OAAgC;EAC1C,MAAM,KAAK,uBAAuB;EADR,KAAA,QAAA;CAE5B;AACF;AAEA,IAAa,sBAAb,cAAyC,cAAc;CACrD,cAAc;EAAE,MAAM,KAAK,iBAAiB;CAAE;AAChD;AAEA,IAAa,4BAAb,cAA+C,cAAc;CAC3D,cAAc;EAAE,MAAM,KAAK,wBAAwB;CAAE;AACvD;AAEA,IAAa,wBAAb,cAA2C,cAAc;CAC3B;CAA5B,YAAY,OAAgC;EAC1C,MAAM,KAAK,oBAAoB;EADL,KAAA,QAAA;CAE5B;AACF;AAEA,IAAa,wBAAb,cAA2C,cAAc;CAC3B;CAA5B,YAAY,WAAoC;EAC9C,MAAM,KAAK,oBAAoB;EADL,KAAA,YAAA;CAE5B;AACF;AAEA,IAAa,uBAAb,cAA0C,cAAc;CAC1B;CAA5B,YAAY,WAAoC;EAC9C,MAAM,KAAK,mBAAmB;EADJ,KAAA,YAAA;CAE5B;AACF;AAEA,IAAa,4BAAb,cAA+C,cAAc;CAC/B;CAA5B,YAAY,OAAgC;EAC1C,MAAM,KAAK,wBAAwB;EADT,KAAA,QAAA;CAE5B;AACF;AAEA,IAAa,2BAAb,cAA8C,cAAc;CAC9B;CAA5B,YAAY,UAAmC;EAC7C,MAAM,KAAK,+BAA+B;EADhB,KAAA,WAAA;CAE5B;AACF;AAEA,IAAa,+BAAb,cAAkD,cAAc;CAC9D,cAAc;EAAE,MAAM,KAAK,4BAA4B;CAAE;AAC3D;AAEA,IAAa,wBAAb,cAA2C,cAAc;CAC3B;CAA5B,YAAY,UAAmC;EAC7C,MAAM,KAAK,mCAAmC;EADpB,KAAA,WAAA;CAE5B;AACF;AAEA,IAAa,yBAAb,cAA4C,cAAc;CACxD,cAAc;EAAE,MAAM,KAAK,sBAAsB;CAAE;AACrD;AAEA,IAAa,uBAAb,cAA0C,cAAc;CACtD,cAAc;EAAE,MAAM,KAAK,mBAAmB;CAAE;AAClD;AAEA,IAAa,iCAAb,cAAoD,cAAc;CAChE,cAAc;EAAE,MAAM,KAAK,8BAA8B;CAAE;AAC7D;AAEA,IAAa,8BAAb,cAAiD,cAAc;CAC7D,cAAc;EAAE,MAAM,KAAK,6BAA6B;CAAE;AAC5D;AAEA,IAAa,4BAAb,cAA+C,cAAc;CAC/B;CAA5B,YAAY,QAAiC;EAC3C,MAAM,KAAK,yBAAyB;EADV,KAAA,SAAA;CAE5B;AACF;AAEA,IAAa,2BAAb,cAA8C,cAAc;CAC1D,cAAc;EAAE,MAAM,KAAK,wBAAwB;CAAE;AACvD;AAEA,IAAa,oBAAb,cAAuC,cAAc;CACnD,cAAc;EAAE,MAAM,KAAK,eAAe;CAAE;AAC9C;AAEA,IAAa,0BAAb,cAA6C,cAAc;CACzD,cAAc;EAAE,MAAM,KAAK,sBAAsB;CAAE;AACrD;AAEA,IAAa,qBAAb,cAAwC,cAAc;CACpD,cAAc;EAAE,MAAM,KAAK,wBAAwB;CAAE;AACvD;AAEA,IAAa,4BAAb,cAA+C,cAAc;CAC3D,cAAc;EAAE,MAAM,KAAK,kCAAkC;CAAE;AACjE;AAEA,IAAa,4BAAb,cAA+C,cAAc;CAC3D,cAAc;EAAE,MAAM,KAAK,wBAAwB;CAAE;AACvD;AAEA,IAAa,qBAAb,cAAwC,cAAc;CACpD,cAAc;EAAE,MAAM,KAAK,gBAAgB;CAAE;AAC/C;;;ACpHA,IAAa,oBAAb,cAAuC,cAAc;CACnD,cAAc;EAAE,MAAM,KAAK,0BAA0B;CAAE;AACzD;;;ACFA,IAAa,4BAAb,cAA+C,cAAc;CAC3D,cAAc;EAAE,MAAM,KAAK,wBAAwB;CAAE;AACvD;AACA,IAAa,kCAAb,cAAqD,cAAc;CACjE,cAAc;EAAE,MAAM,KAAK,+BAA+B;CAAE;AAC9D;AACA,IAAa,sCAAb,cAAyD,cAAc;CACrE,cAAc;EAAE,MAAM,KAAK,sBAAsB;CAAE;AACrD;AACA,IAAa,oCAAb,cAAuD,cAAc;CACnE,cAAc;EAAE,MAAM,KAAK,gCAAgC;CAAE;AAC/D;AACA,IAAa,+CAAb,cAAkE,cAAc;CAC9E,cAAc;EAAE,MAAM,KAAK,+BAA+B;CAAE;AAC9D;AACA,IAAa,4BAAb,cAA+C,cAAc;CAC3D,cAAc;EAAE,MAAM,KAAK,gCAAgC;CAAE;AAC/D;AACA,IAAa,gCAAb,cAAmD,cAAc;CAC/D,cAAc;EAAE,MAAM,KAAK,4BAA4B;CAAE;AAC3D;AACA,IAAa,8BAAb,cAAiD,cAAc;CAC7D,cAAc;EAAE,MAAM,KAAK,6CAA6C;CAAE;AAC5E;AACA,IAAa,gCAAb,cAAmD,cAAc;CAC/D,cAAc;EAAE,MAAM,KAAK,gBAAgB;CAAE;AAC/C;AACA,IAAa,gCAAb,cAAmD,cAAc;CAC/D,cAAc;EAAE,MAAM,KAAK,gBAAgB;CAAE;AAC/C;;;AC7BA,IAAa,qBAAb,cAAwC,cAAc;CACpD,cAAc;EAAE,MAAM,KAAK,gCAAgC;CAAE;AAC/D;;;;;;ACyCA,SAAgB,mBAAmB,OAAmC;CACpE,MAAM,YAAY,MAAM,MAAM;CAE9B,IAAI,MAAM,WAAW,SAAS;EAE5B,MAAM,WADU,MAAM,QACG,IAAI,UAAU,KAAK;EAE5C,IAAI,SAAS,SAAS,eAAe,GAAG,OAAO,IAAI,kBAAkB;EACrE,IAAI,SAAS,SAAS,eAAe,GAAG,OAAO,IAAI,kBAAkB;EACrE,IAAI,SAAS,SAAS,mBAAmB,GAAG,OAAO,IAAI,kBAAkB;EACzE,IAAI,SAAS,SAAS,0BAA0B,GAAG,OAAO,IAAI,kBAAkB;EAChF,IAAI,SAAS,SAAS,uBAAuB,GAAG,OAAO,IAAI,UAAU,uBAAuB;EAC5F,IAAI,SAAS,SAAS,0BAA0B,GAAG,OAAO,IAAI,UAAU,0BAA0B;CACpG;CAEA,IAAI,CAAC,WACH,OAAO,IAAI,UAAU,kCAAkC;CAMzD,IAAI,cAAc,oBAAoB,cAAc,gBAAgB,OAAO,IAAI,kBAAkB;CACjG,IAAI,cAAc,wBAAwB,OAAO,IAAI,uBAAuB;CAG5E,IAAI,cAAc,6BAA6B,OAAO,IAAI,wBAAwB;CAClF,IAAI,cAAc,oBAAoB,OAAO,IAAI,qBAAqB;CACtE,IAAI,cAAc,iBAAiB,OAAO,IAAI,kBAAkB;CAGhE,IAAI,cAAc,mBAAmB,OAAO,IAAI,oBAAoB;CACpE,IAAI,cAAc,qBAAqB,OAAO,IAAI,0BAA0B;CAC5E,IAAI,cAAc,4BAA4B,OAAO,IAAI,UAAU,0BAA0B;CAC7F,IAAI,cAAc,yBAAyB,OAAO,IAAI,UAAU,4BAA4B;CAG5F,IAAI,cAAc,sBAAsB,OAAO,IAAI,sBAAsB;CACzE,IAAI,cAAc,4BAA4B,OAAO,IAAI,0BAA0B;CACnF,IAAI,cAAc,0BAA0B,OAAO,IAAI,0BAA0B;CACjF,IAAI,cAAc,kBAAkB,OAAO,IAAI,mBAAmB;CAGlE,IAAI,cAAc,sBAAsB,OAAO,IAAI,sBAAsB,CAAC;CAC1E,IAAI,cAAc,qBAAqB,OAAO,IAAI,qBAAqB,GAAG;CAG1E,IAAI,cAAc,yBAAyB,cAAc,yCACvD,OAAO,IAAI,0BAA0B;CAEvC,IAAI,cAAc,qBAAqB,OAAO,IAAI,qBAAqB;CACvE,IAAI,cAAc,gCAAgC,OAAO,IAAI,+BAA+B;CAC5F,IAAI,cAAc,iCAAiC,OAAO,IAAI,6BAA6B;CAG3F,IAAI,cAAc,yBAAyB,OAAO,IAAI,UAAU,uBAAuB;CACvF,IAAI,cAAc,yBAAyB,OAAO,IAAI,UAAU,uBAAuB;CACvF,IAAI,cAAc,2BAA2B,OAAO,IAAI,UAAU,8BAA8B;CAGhG,IAAI,cAAc,mCAAmC,cAAc,iCACjE,OAAO,IAAI,yBAAyB;CAEtC,IAAI,cAAc,sBAAsB,OAAO,IAAI,sBAAsB;CAGzE,IAAI,cAAc,0BAA0B,OAAO,IAAI,yBAAyB;CAChF,IAAI,cAAc,iBAAiB,OAAO,IAAI,kBAAkB;CAChE,IAAI,cAAc,iBAAiB,OAAO,IAAI,kBAAkB;CAGhE,IAAI,cAAc,+BAA+B,cAAc,wBAC7D,OAAO,IAAI,4BAA4B;CAIzC,IACE,cAAc,0BACX,cAAc,0BACd,cAAc,mCACd,cAAc,gCACd,cAAc,yBAEjB,OAAO,IAAI,wBAAwB;CAIrC,IACE,cAAc,oBACX,cAAc,4BACd,cAAc,uCAEjB,OAAO,IAAI,mBAAmB;CAIhC,IACE,cAAc,sBACX,cAAc,mBACd,cAAc,uBACd,cAAc,4BACd,cAAc,oCACd,cAAc,6CAEjB,OAAO,IAAI,0BAA0B;CAIvC,IAAI,cAAc,mCAAmC,cAAc,kCACjE,OAAO,IAAI,UAAU,0BAA0B;CAMjD,IAAI,cAAc,4BAA4B,cAAc,0BAC1D,OAAO,IAAI,0BAA0B;CAIvC,IACE,cAAc,sBACX,cAAc,8CACd,cAAc,oCAEjB,OAAO,IAAI,gCAAgC;CAI7C,IAAI,cAAc,0BAA0B,cAAc,iCACxD,OAAO,IAAI,oCAAoC;CAIjD,IACE,cAAc,iDACX,cAAc,wEAEjB,OAAO,IAAI,6CAA6C;CAI1D,IAAI,cAAc,oBAAoB,cAAc,kCAClD,OAAO,IAAI,8BAA8B;CAI3C,IAAI,cAAc,oBAAoB,cAAc,oBAClD,OAAO,IAAI,8BAA8B;CAI3C,IACE,cAAc,iCACX,cAAc,qCACd,cAAc,mDACd,cAAc,kDACd,cAAc,yBACd,cAAc,8BAEjB,OAAO,IAAI,0BAA0B;CAIvC,IACE,cAAc,0DACX,cAAc,kDACd,cAAc,2CACd,cAAc,8BACd,cAAc,+BACd,cAAc,kBAEjB,OAAO,IAAI,8BAA8B;CAI3C,IACE,cAAc,yDACX,cAAc,wDACd,cAAc,gCACd,cAAc,sCACd,cAAc,iCACd,cAAc,mCACd,cAAc,6BACd,cAAc,gCACd,cAAc,qDAEjB,OAAO,IAAI,4BAA4B;CAIzC,IACE,UAAU,WAAW,yBAAyB,KAC3C,cAAc,+CACd,cAAc,iDACd,cAAc,qDACd,cAAc,uBAEjB,OAAO,IAAI,kCAAkC;CAI/C,OAAO,IAAI,UAAU,kCAAkC;AACzD;;;;;;AAOA,SAAgB,WAAW,OAAmC;CAC5D,IAAI,iBAAiB,UAAU,OAAO;CAEtC,OACE,iBAAiB,SACd,MAAM,SAAS,cACf,YAAY,SACZ,gBAAgB;AAEvB;;;;;;;ACjQA,SAAgB,wBAAyD;CACvE,OAAO;EACL,OAAO;EACP,UAAU,UAAU;GAClB,IAAI,WAAW,KAAK,GAClB,MAAM,mBAAmB,KAAK;GAEhC,MAAM;EACR;CACF;AACF;;;;AAKA,MAAa,iBAAiB,OAAU,OAAqC;CAC3E,IAAI;EACF,OAAO,MAAM,GAAG;CAClB,SAAS,OAAO;EACd,IAAI,WAAW,KAAK,GAClB,MAAM,mBAAmB,KAAK;EAEhC,MAAM;CACR;AACF;;;ACFO,IAAA,cAAA,MAAM,YAAoE;CAIpC;CAH3C;CAEA,YACE,SACA;EADyC,KAAA,UAAA;CACxC;;;;CAKH,IAAI,OAAuB;EACzB,KAAK,kBAAkB,WAAW;GAC9B,GAAG,KAAK;GACR,YAAY,sBAAsB;EACtC,CAAC;EAED,OAAO,KAAK;CACd;AACF;0BAnBC,QAAQ,YAAY,GAAA,gBAAA,GAKhB,OAAO,YAAY,CAAA,CAAA,GAAA,WAAA;;;;ACoDjB,IAAA,aAAA,cAAA,MAAM,WAAwC;;;;;;;CAOnD,gBAAgB,QAAsB;EACpC,OAAO,IAAI,6BAA6B;CAC1C;;;;;;;;;;;CAYA,OAAO,aACL,SACe;EACf,MAAM,EAAE,kBAAkB;EAC1B,MAAM,aAAa,QAAQ,UAAU,CAAC;EACtC,MAAM,cAAc,QAAQ;EAE5B,MAAM,sBAAsB;GAC1B,SAAS;GACT,aAAa,WAAsB,GAAG,aAA2C;IAC/E,IAAI,MAAM,YAAY,GAAG,QAAQ;IAEjC,IAAI,eACF,MAAM;KACJ,GAAG;KACH,SAAS,CAAC,sBAAsB,aAAa,GAAG,GAAI,IAAI,WAAW,CAAC,CAAE;IACxE;IAOF,IAJ2B,UAAU,aACnC,oBAAoB,YAGD,GAAG;KACtB,MAAM,QAAQ,UAAU,QAA2B,oBAAoB,KAAK;KAC5E,MAAM,WAAW,UAAU,QAA6B,oBAAoB,QAAQ;KAEpF,MAAM;MACJ,GAAG;MACH,WAAW;OACT,SAAS;OACT,GAAG,IAAI;OACP,eAAe,IAAI,WAAW,iBAAiB,iCAAiC,KAAK;OACrF,aAAa;QACX,GAAG,mBAAmB,QAAQ;QAC9B,GAAI,IAAI,WAAW,eAAe,CAAC;OACrC;MACF;KACF;IACF;IAEA,OAAO;GACT;GACA,QAAQ,CAAC,iBAAiB,GAAG,UAAU;EACzC;EAEA,OAAO;GACL,QAAA;GACA,WAAW;IACT;IACA;KACE,SAAS;KACT,UAAU;IACZ;IACA,GAAI,gBACA,CACA;KAAE,SAAS,UAAU;KAAS,UAAU;IAAmC,GAC3E;KAAE,SAAS,UAAU;KAAe,UAAU;IAAc,CAC9D,IACE,CAAC;GACP;EACF;CACF;AACF;uCAvFC,OAAO,EACN,WAAW,CAAC,WAAW,EACzB,CAAC,CAAA,GAAA,UAAA"}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@stratal/framework",
3
- "version": "0.0.0-canary-3e932c7",
3
+ "version": "0.0.0-canary-41a9140",
4
4
  "type": "module",
5
5
  "license": "MIT",
6
6
  "author": "Temitayo Fadojutimi",
@@ -77,7 +77,7 @@
77
77
  "@zenstackhq/schema": ">=3.6",
78
78
  "better-auth": ">=1.6",
79
79
  "pg": "^8.0.0",
80
- "stratal": "0.0.0-canary-3e932c7"
80
+ "stratal": "0.0.0-canary-41a9140"
81
81
  },
82
82
  "devDependencies": {
83
83
  "@better-auth/core": "^1.6.14",