@stratal/framework 0.0.18 → 0.0.19

package/dist/access-control/index.d.mts

@@ -0,0 +1,180 @@
+import { n as RolePermissions, t as AccessControlOptions } from "../types-BLyu9dAd.mjs";
+import { M as DatabaseService } from "../index-CpFBG0Ws.mjs";
+import { t as AuthContext } from "../auth-context-BXSkiJ56.mjs";
+import { ApplicationError } from "stratal/errors";
+import { BetterAuthPlugin } from "better-auth";
+import { AccessControl, Role, Statements } from "better-auth/plugins/access";
+
+//#region src/access-control/tokens.d.ts
+declare const AC_TOKENS: {
+  /** Request-scoped access service */readonly AccessService: symbol; /** Access control module options (ac, roles) */
+  readonly Options: symbol;
+};
+//#endregion
+//#region src/access-control/create-access-control.d.ts
+/**
+ * Define access control resources and roles in one place.
+ *
+ * Returns `{ ac, roles }` — spread this directly into `accessControl`,
+ * `admin({ ...permissions })`, or `organization({ ...permissions })`.
+ *
+ * @example
+ * ```typescript
+ * export const permissions = createAccessControl({
+ *   resources: {
+ *     posts: ['create', 'read', 'update', 'delete'],
+ *     admin: ['access'],
+ *   } as const,
+ *   roles: {
+ *     admin: { posts: ['create', 'read', 'update', 'delete'], admin: ['access'] },
+ *     user:  { posts: ['create', 'read'] },
+ *   },
+ * })
+ *
+ * // In AuthModule:
+ * accessControl: permissions
+ *
+ * // With Better Auth admin plugin (same object):
+ * plugins: [admin({ ...permissions })]
+ * ```
+ */
+declare function createAccessControl<TResources extends Statements, TRoles extends Record<string, RolePermissions<TResources>>>(config: {
+  resources: TResources;
+  roles: TRoles;
+}): AccessControlOptions<TResources, TRoles>;
+//#endregion
+//#region src/access-control/extend-role.d.ts
+/**
+ * Merges two Statements types, unioning the action arrays for overlapping resource keys.
+ *
+ * @example
+ * ```typescript
+ * type A = { posts: readonly ['create', 'read'] }
+ * type B = { posts: readonly ['update']; admin: readonly ['access'] }
+ * type M = MergeStatements<A, B>
+ * // → { posts: readonly ('create' | 'read' | 'update')[]; admin: readonly ['access'] }
+ * ```
+ */
+type MergeStatements<A extends Statements, B extends Partial<Record<string, readonly string[]>>> = { [K in keyof A | keyof B]: K extends keyof A ? K extends keyof B ? readonly (A[K][number] | NonNullable<B[K]>[number])[] : A[K] : K extends keyof B ? NonNullable<B[K]> : never } & {};
+/**
+ * Extend an existing role with additional permissions.
+ *
+ * Duplicate resource keys are merged (actions are unioned), not overwritten.
+ * Better Auth has no built-in role inheritance — use this to compose roles.
+ *
+ * @example
+ * ```typescript
+ * const adminRole = ac.newRole({ posts: ['create', 'read', 'update', 'delete'] })
+ * const superAdminRole = extendRole(ac, adminRole, { users: ['ban', 'delete'] })
+ * // superAdminRole has both posts and users permissions
+ *
+ * // Duplicate keys are merged, not overwritten:
+ * const editorRole = extendRole(ac, userRole, { posts: ['update'] })
+ * // if userRole had posts: ['create', 'read'], editorRole has posts: ['create', 'read', 'update']
+ * ```
+ */
+declare function extendRole<TParent extends Statements, TExtra extends Partial<Record<string, readonly string[]>>>(ac: AccessControl<TParent>, parent: Role<TParent>, extra: TExtra): Role<MergeStatements<TParent, TExtra>>;
+//#endregion
+//#region src/access-control/plugin.d.ts
+/**
+ * Creates the Stratal access control Better Auth plugin.
+ *
+ * Ensures the `user.role` schema field exists.
+ * No endpoints are added — all permission logic lives in AccessService.
+ *
+ * Auto-added to Better Auth options when `accessControl` is provided to
+ * `AuthModule.forRootAsync()`. Users never call this directly.
+ */
+declare function createStratalAcPlugin(_options: AccessControlOptions): BetterAuthPlugin;
+//#endregion
+//#region src/access-control/services/access.service.d.ts
+/**
+ * AccessService
+ *
+ * Request-scoped service for role and permission management.
+ *
+ * Roles for the current user are read from AuthContext (populated by
+ * SessionVerificationMiddleware — no DB hit). Other users are resolved
+ * from the database.
+ *
+ * Permission checks use Better Auth's `role.authorize()` locally with
+ * OR logic — access is granted if any of the user's roles allows it.
+ *
+ * @example
+ * ```typescript
+ * // Check current user
+ * await accessService.currentUserHasPermission({ posts: ['update'] })
+ *
+ * // Check arbitrary user (e.g. from an admin action)
+ * await accessService.hasPermission(userId, { admin: ['access'] })
+ *
+ * // Assign a role
+ * await accessService.setUserRole(userId, 'admin')
+ *
+ * // Assign multiple roles
+ * await accessService.setUserRole(userId, ['editor', 'reviewer'])
+ * ```
+ */
+declare class AccessService {
+  private readonly authContext;
+  private readonly db;
+  private readonly options;
+  constructor(authContext: AuthContext, db: DatabaseService, options: AccessControlOptions);
+  /**
+   * Get all roles for a user.
+   *
+   * Uses AuthContext for the current user (no DB hit).
+   * Falls back to DB for other users.
+   */
+  getUserRoles(userId: string): Promise<string[]>;
+  /**
+   * Assign one or more roles to a user.
+   *
+   * Multiple roles are stored as a comma-separated string in `user.role`.
+   */
+  setUserRole(userId: string, role: string | string[]): Promise<void>;
+  /**
+   * Check if a user has the required permissions.
+   *
+   * Returns true if any of the user's roles grants all of the requested permissions.
+   */
+  hasPermission(userId: string, permissions: Record<string, string[]>): Promise<boolean>;
+  /**
+   * Get the merged permission set for a user across all their roles.
+   * Useful for sending to the frontend.
+   */
+  getPermissionsForUser(userId: string): Promise<Record<string, string[]>>;
+  /**
+   * Get all roles for the currently authenticated user.
+   * Reads from AuthContext — no DB hit.
+   */
+  getCurrentUserRoles(): string[];
+  /**
+   * Check if the currently authenticated user has the required permissions.
+   * Reads roles from AuthContext — no DB hit.
+   */
+  currentUserHasPermission(permissions: Record<string, string[]>): boolean;
+  /**
+   * Get merged permissions for the currently authenticated user.
+   * Reads roles from AuthContext — no DB hit.
+   */
+  getCurrentUserPermissions(): Record<string, string[]>;
+  private checkPermissions;
+  private mergePermissions;
+}
+//#endregion
+//#region src/access-control/errors/insufficient-permissions.error.d.ts
+/**
+ * InsufficientPermissionsError
+ *
+ * Thrown when a user attempts to perform an action without the required permissions.
+ * Used by AuthGuard after an authorization check fails.
+ *
+ * HTTP Status: 403 Forbidden
+ */
+declare class InsufficientPermissionsError extends ApplicationError {
+  constructor(requiredPermissions: string | string[], userId?: string);
+}
+//#endregion
+export { AC_TOKENS, type AccessControlOptions, AccessService, InsufficientPermissionsError, createAccessControl, createStratalAcPlugin, extendRole };
+//# sourceMappingURL=index.d.mts.map

package/dist/access-control/index.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.mts","names":[],"sources":["../../src/access-control/tokens.ts","../../src/access-control/create-access-control.ts","../../src/access-control/extend-role.ts","../../src/access-control/plugin.ts","../../src/access-control/services/access.service.ts","../../src/access-control/errors/insufficient-permissions.error.ts"],"mappings":";;;;;;;;cAAa,SAAA;+CAKH,aAAA;WAAA,OAAA;AAAA;;;;;;;;;AALV;;;;;;;;AC8BA;;;;;;;;;;;;iBAAgB,mBAAA,oBACK,UAAA,iBACJ,MAAA,SAAe,eAAA,CAAgB,UAAA,GAAA,CAC9C,MAAA;EACA,SAAA,EAAW,UAAA;EACX,KAAA,EAAO,MAAA;AAAA,IACL,oBAAA,CAAqB,UAAA,EAAY,MAAA;;;;;;;;;;ADpCrC;;;;KEaK,eAAA,WACO,UAAA,YACA,OAAA,CAAQ,MAAA,8CAEN,CAAA,SAAU,CAAA,GAAI,CAAA,eAAgB,CAAA,GACxC,CAAA,eAAgB,CAAA,aACN,CAAA,CAAE,CAAA,YAAa,WAAA,CAAY,CAAA,CAAE,CAAA,gBACvC,CAAA,CAAE,CAAA,IACF,CAAA,eAAgB,CAAA,GAChB,WAAA,CAAY,CAAA,CAAE,CAAA;;ADQlB;;;;;;;;;;;;;;;;iBCagB,UAAA,iBACE,UAAA,iBACD,OAAA,CAAQ,MAAA,6BAAA,CAEvB,EAAA,EAAI,aAAA,CAAc,OAAA,GAClB,MAAA,EAAQ,IAAA,CAAK,OAAA,GACb,KAAA,EAAO,MAAA,GACN,IAAA,CAAK,eAAA,CAAgB,OAAA,EAAS,MAAA;;;;;;;;;AFlDjC;;;iBGYgB,qBAAA,CAAsB,QAAA,EAAU,oBAAA,GAAuB,gBAAA;;;;;;;;AHZvE;;;;;;;;AC8BA;;;;;;;;;;;;;;cGSa,aAAA;EAAA,iBAGQ,WAAA;EAAA,iBAEA,EAAA;EAAA,iBAEA,OAAA;cAJA,WAAA,EAAa,WAAA,EAEb,EAAA,EAAI,eAAA,EAEJ,OAAA,EAAS,oBAAA;EHdkB;;;;;;EGuBxC,YAAA,CAAa,MAAA,WAAiB,OAAA;EHnBb;;;;;EGoCjB,WAAA,CAAY,MAAA,UAAgB,IAAA,sBAA0B,OAAA;;AFxEmB;;;;EEqFzE,aAAA,CAAc,MAAA,UAAgB,WAAA,EAAa,MAAA,qBAA2B,OAAA;EFtElE;;;;EE+EJ,qBAAA,CAAsB,MAAA,WAAiB,OAAA,CAAQ,MAAA;EF5EnD;;;;EEqFF,mBAAA,CAAA;EFpFyC;;;;EE4FzC,wBAAA,CAAyB,WAAA,EAAa,MAAA;EF1FpB;;;;EEoGlB,yBAAA,CAAA,GAA6B,MAAA;EAAA,QAKrB,gBAAA;EAAA,QAqBA,gBAAA;AAAA;;;;;;;;;;AJnJV;cKUa,4BAAA,SAAqC,gBAAA;cACpC,mBAAA,qBAAwC,MAAA;AAAA"}

package/dist/access-control/index.mjs

@@ -0,0 +1,71 @@
+import { n as createStratalAcPlugin, t as AccessService } from "../access.service-BjYVtUJw.mjs";
+import { n as AC_TOKENS } from "../decorateParam-Dc5DGEpb.mjs";
+import { t as InsufficientPermissionsError } from "../insufficient-permissions.error-CRnOHYvq.mjs";
+import { createAccessControl as createAccessControl$1 } from "better-auth/plugins/access";
+//#region src/access-control/create-access-control.ts
+/**
+* Define access control resources and roles in one place.
+*
+* Returns `{ ac, roles }` — spread this directly into `accessControl`,
+* `admin({ ...permissions })`, or `organization({ ...permissions })`.
+*
+* @example
+* ```typescript
+* export const permissions = createAccessControl({
+*   resources: {
+*     posts: ['create', 'read', 'update', 'delete'],
+*     admin: ['access'],
+*   } as const,
+*   roles: {
+*     admin: { posts: ['create', 'read', 'update', 'delete'], admin: ['access'] },
+*     user:  { posts: ['create', 'read'] },
+*   },
+* })
+*
+* // In AuthModule:
+* accessControl: permissions
+*
+* // With Better Auth admin plugin (same object):
+* plugins: [admin({ ...permissions })]
+* ```
+*/
+function createAccessControl(config) {
+	const ac = createAccessControl$1(config.resources);
+	return {
+		ac,
+		roles: Object.fromEntries(Object.entries(config.roles).map(([name, perms]) => [name, ac.newRole(perms)]))
+	};
+}
+//#endregion
+//#region src/access-control/extend-role.ts
+/**
+* Extend an existing role with additional permissions.
+*
+* Duplicate resource keys are merged (actions are unioned), not overwritten.
+* Better Auth has no built-in role inheritance — use this to compose roles.
+*
+* @example
+* ```typescript
+* const adminRole = ac.newRole({ posts: ['create', 'read', 'update', 'delete'] })
+* const superAdminRole = extendRole(ac, adminRole, { users: ['ban', 'delete'] })
+* // superAdminRole has both posts and users permissions
+*
+* // Duplicate keys are merged, not overwritten:
+* const editorRole = extendRole(ac, userRole, { posts: ['update'] })
+* // if userRole had posts: ['create', 'read'], editorRole has posts: ['create', 'read', 'update']
+* ```
+*/
+function extendRole(ac, parent, extra) {
+	const merged = {};
+	for (const [key, actions] of Object.entries(parent.statements)) merged[key] = [...actions];
+	for (const [key, actions] of Object.entries(extra)) {
+		if (!actions) continue;
+		if (key in merged) merged[key] = [...new Set([...merged[key], ...actions])];
+		else merged[key] = [...actions];
+	}
+	return ac.newRole(merged);
+}
+//#endregion
+export { AC_TOKENS, AccessService, InsufficientPermissionsError, createAccessControl, createStratalAcPlugin, extendRole };
+
+//# sourceMappingURL=index.mjs.map

package/dist/access-control/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.mjs","names":["baCreateAC"],"sources":["../../src/access-control/create-access-control.ts","../../src/access-control/extend-role.ts"],"sourcesContent":["import type { Role, Statements } from 'better-auth/plugins/access'\nimport { createAccessControl as baCreateAC } from 'better-auth/plugins/access'\nimport type { AccessControlOptions, RolePermissions } from './types'\n\n/**\n * Define access control resources and roles in one place.\n *\n * Returns `{ ac, roles }` — spread this directly into `accessControl`,\n * `admin({ ...permissions })`, or `organization({ ...permissions })`.\n *\n * @example\n * ```typescript\n * export const permissions = createAccessControl({\n *   resources: {\n *     posts: ['create', 'read', 'update', 'delete'],\n *     admin: ['access'],\n *   } as const,\n *   roles: {\n *     admin: { posts: ['create', 'read', 'update', 'delete'], admin: ['access'] },\n *     user:  { posts: ['create', 'read'] },\n *   },\n * })\n *\n * // In AuthModule:\n * accessControl: permissions\n *\n * // With Better Auth admin plugin (same object):\n * plugins: [admin({ ...permissions })]\n * ```\n */\nexport function createAccessControl<\n  TResources extends Statements,\n  TRoles extends Record<string, RolePermissions<TResources>>,\n>(config: {\n  resources: TResources\n  roles: TRoles\n}): AccessControlOptions<TResources, TRoles> {\n  const ac = baCreateAC(config.resources)\n  const roles = Object.fromEntries(\n    Object.entries(config.roles).map(([name, perms]) => [name, ac.newRole(perms as unknown as Statements)])\n  ) as { [K in keyof TRoles]: Role<TResources> }\n  return { ac, roles }\n}\n","import type { AccessControl, Role, Statements } from 'better-auth/plugins/access'\n\n/**\n * Merges two Statements types, unioning the action arrays for overlapping resource keys.\n *\n * @example\n * ```typescript\n * type A = { posts: readonly ['create', 'read'] }\n * type B = { posts: readonly ['update']; admin: readonly ['access'] }\n * type M = MergeStatements<A, B>\n * // → { posts: readonly ('create' | 'read' | 'update')[]; admin: readonly ['access'] }\n * ```\n */\ntype MergeStatements<\n  A extends Statements,\n  B extends Partial<Record<string, readonly string[]>>\n> = {\n  [K in keyof A | keyof B]: K extends keyof A\n  ? K extends keyof B\n  ? readonly (A[K][number] | NonNullable<B[K]>[number])[]\n  : A[K]\n  : K extends keyof B\n  ? NonNullable<B[K]>\n  : never\n} & {}\n\n/**\n * Extend an existing role with additional permissions.\n *\n * Duplicate resource keys are merged (actions are unioned), not overwritten.\n * Better Auth has no built-in role inheritance — use this to compose roles.\n *\n * @example\n * ```typescript\n * const adminRole = ac.newRole({ posts: ['create', 'read', 'update', 'delete'] })\n * const superAdminRole = extendRole(ac, adminRole, { users: ['ban', 'delete'] })\n * // superAdminRole has both posts and users permissions\n *\n * // Duplicate keys are merged, not overwritten:\n * const editorRole = extendRole(ac, userRole, { posts: ['update'] })\n * // if userRole had posts: ['create', 'read'], editorRole has posts: ['create', 'read', 'update']\n * ```\n */\nexport function extendRole<\n  TParent extends Statements,\n  TExtra extends Partial<Record<string, readonly string[]>>\n>(\n  ac: AccessControl<TParent>,\n  parent: Role<TParent>,\n  extra: TExtra\n): Role<MergeStatements<TParent, TExtra>> {\n  const merged: Record<string, string[]> = {}\n\n  for (const [key, actions] of Object.entries(parent.statements)) {\n    merged[key] = [...(actions as string[])]\n  }\n\n  for (const [key, actions] of Object.entries(extra)) {\n    if (!actions) continue\n    if (key in merged) {\n      merged[key] = [...new Set([...merged[key], ...actions])]\n    } else {\n      merged[key] = [...actions]\n    }\n  }\n\n  return ac.newRole(merged) as Role<MergeStatements<TParent, TExtra>>\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA8BA,SAAgB,oBAGd,QAG2C;CAC3C,MAAM,KAAKA,sBAAW,OAAO,UAAU;AAIvC,QAAO;EAAE;EAAI,OAHC,OAAO,YACnB,OAAO,QAAQ,OAAO,MAAM,CAAC,KAAK,CAAC,MAAM,WAAW,CAAC,MAAM,GAAG,QAAQ,MAA+B,CAAC,CAAC,CAEvF;EAAE;;;;;;;;;;;;;;;;;;;;;ACEtB,SAAgB,WAId,IACA,QACA,OACwC;CACxC,MAAM,SAAmC,EAAE;AAE3C,MAAK,MAAM,CAAC,KAAK,YAAY,OAAO,QAAQ,OAAO,WAAW,CAC5D,QAAO,OAAO,CAAC,GAAI,QAAqB;AAG1C,MAAK,MAAM,CAAC,KAAK,YAAY,OAAO,QAAQ,MAAM,EAAE;AAClD,MAAI,CAAC,QAAS;AACd,MAAI,OAAO,OACT,QAAO,OAAO,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,OAAO,MAAM,GAAG,QAAQ,CAAC,CAAC;MAExD,QAAO,OAAO,CAAC,GAAG,QAAQ;;AAI9B,QAAO,GAAG,QAAQ,OAAO"}

package/dist/access.service-BjYVtUJw.mjs

@@ -0,0 +1,145 @@
+import { n as AC_TOKENS, t as __decorateParam } from "./decorateParam-Dc5DGEpb.mjs";
+import { t as __decorateMetadata } from "./decorateMetadata-CqtSx3_1.mjs";
+import { t as __decorate } from "./decorate-CdfCRvAc.mjs";
+import { DI_TOKENS, Transient, inject } from "stratal/di";
+//#region src/access-control/plugin.ts
+/**
+* Creates the Stratal access control Better Auth plugin.
+*
+* Ensures the `user.role` schema field exists.
+* No endpoints are added — all permission logic lives in AccessService.
+*
+* Auto-added to Better Auth options when `accessControl` is provided to
+* `AuthModule.forRootAsync()`. Users never call this directly.
+*/
+function createStratalAcPlugin(_options) {
+	return {
+		id: "stratal-ac",
+		schema: { user: { fields: { role: {
+			type: "string",
+			required: false,
+			input: false,
+			defaultValue: "user"
+		} } } }
+	};
+}
+//#endregion
+//#region src/access-control/services/access.service.ts
+function parseRoles(role) {
+	if (!role) return [];
+	return role.split(",").map((r) => r.trim()).filter(Boolean);
+}
+let AccessService = class AccessService {
+	constructor(authContext, db, options) {
+		this.authContext = authContext;
+		this.db = db;
+		this.options = options;
+	}
+	/**
+	* Get all roles for a user.
+	*
+	* Uses AuthContext for the current user (no DB hit).
+	* Falls back to DB for other users.
+	*/
+	async getUserRoles(userId) {
+		if (userId === this.authContext.getUserId()) {
+			const roles = this.authContext.getRoles();
+			if (roles.length > 0) return roles;
+		}
+		return parseRoles((await this.db.user.findUnique({
+			where: { id: userId },
+			select: { role: true }
+		}))?.role);
+	}
+	/**
+	* Assign one or more roles to a user.
+	*
+	* Multiple roles are stored as a comma-separated string in `user.role`.
+	*/
+	async setUserRole(userId, role) {
+		const roleStr = Array.isArray(role) ? role.join(",") : role;
+		await this.db.user.update({
+			where: { id: userId },
+			data: { role: roleStr }
+		});
+	}
+	/**
+	* Check if a user has the required permissions.
+	*
+	* Returns true if any of the user's roles grants all of the requested permissions.
+	*/
+	async hasPermission(userId, permissions) {
+		const roles = await this.getUserRoles(userId);
+		return this.checkPermissions(roles, permissions);
+	}
+	/**
+	* Get the merged permission set for a user across all their roles.
+	* Useful for sending to the frontend.
+	*/
+	async getPermissionsForUser(userId) {
+		const roles = await this.getUserRoles(userId);
+		return this.mergePermissions(roles);
+	}
+	/**
+	* Get all roles for the currently authenticated user.
+	* Reads from AuthContext — no DB hit.
+	*/
+	getCurrentUserRoles() {
+		return this.authContext.getRoles();
+	}
+	/**
+	* Check if the currently authenticated user has the required permissions.
+	* Reads roles from AuthContext — no DB hit.
+	*/
+	currentUserHasPermission(permissions) {
+		const roles = this.authContext.getRoles();
+		if (roles.length === 0) return false;
+		return this.checkPermissions(roles, permissions);
+	}
+	/**
+	* Get merged permissions for the currently authenticated user.
+	* Reads roles from AuthContext — no DB hit.
+	*/
+	getCurrentUserPermissions() {
+		const roles = this.authContext.getRoles();
+		return this.mergePermissions(roles);
+	}
+	checkPermissions(roles, permissions) {
+		return roles.some((roleName) => {
+			const roleObj = this.options.roles[roleName];
+			if (!roleObj) return false;
+			const specific = {};
+			for (const [resource, actions] of Object.entries(permissions)) if (actions.includes("*")) {
+				if (!roleObj.statements[resource]?.length) return false;
+			} else specific[resource] = actions;
+			return Object.keys(specific).length === 0 || roleObj.authorize(specific).success;
+		});
+	}
+	mergePermissions(roles) {
+		const result = {};
+		for (const roleName of roles) {
+			const roleObj = this.options.roles[roleName];
+			if (!roleObj) continue;
+			for (const [resource, actions] of Object.entries(roleObj.statements)) {
+				result[resource] ??= [];
+				for (const action of actions) if (!result[resource].includes(action)) result[resource].push(action);
+			}
+		}
+		return result;
+	}
+};
+AccessService = __decorate([
+	Transient(AC_TOKENS.AccessService),
+	__decorateParam(0, inject(DI_TOKENS.AuthContext)),
+	__decorateParam(1, inject(DI_TOKENS.Database)),
+	__decorateParam(2, inject(AC_TOKENS.Options)),
+	__decorateMetadata("design:paramtypes", [
+		Object,
+		Object,
+		Object
+	])
+], AccessService);
+//#endregion
+export { createStratalAcPlugin as n, AccessService as t };
+
+//# sourceMappingURL=access.service-BjYVtUJw.mjs.map

package/dist/access.service-BjYVtUJw.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"access.service-BjYVtUJw.mjs","names":[],"sources":["../src/access-control/plugin.ts","../src/access-control/services/access.service.ts"],"sourcesContent":["import type { BetterAuthPlugin } from 'better-auth'\nimport type { AccessControlOptions } from './types'\n\n/**\n * Creates the Stratal access control Better Auth plugin.\n *\n * Ensures the `user.role` schema field exists.\n * No endpoints are added — all permission logic lives in AccessService.\n *\n * Auto-added to Better Auth options when `accessControl` is provided to\n * `AuthModule.forRootAsync()`. Users never call this directly.\n */\nexport function createStratalAcPlugin(_options: AccessControlOptions): BetterAuthPlugin {\n  return {\n    id: 'stratal-ac',\n    schema: {\n      user: {\n        fields: {\n          role: {\n            type: 'string',\n            required: false,\n            input: false,\n            defaultValue: 'user',\n          },\n        },\n      },\n    },\n  }\n}\n","import type { DatabaseService } from '@stratal/framework/database'\nimport { DI_TOKENS, inject, Transient } from 'stratal/di'\nimport type { AuthContext } from '../../context/auth-context'\nimport { AC_TOKENS } from '../tokens'\nimport type { AccessControlOptions } from '../types'\n\nfunction parseRoles(role: string | null | undefined): string[] {\n  if (!role) return []\n  return role.split(',').map(r => r.trim()).filter(Boolean)\n}\n\n/**\n * AccessService\n *\n * Request-scoped service for role and permission management.\n *\n * Roles for the current user are read from AuthContext (populated by\n * SessionVerificationMiddleware — no DB hit). Other users are resolved\n * from the database.\n *\n * Permission checks use Better Auth's `role.authorize()` locally with\n * OR logic — access is granted if any of the user's roles allows it.\n *\n * @example\n * ```typescript\n * // Check current user\n * await accessService.currentUserHasPermission({ posts: ['update'] })\n *\n * // Check arbitrary user (e.g. from an admin action)\n * await accessService.hasPermission(userId, { admin: ['access'] })\n *\n * // Assign a role\n * await accessService.setUserRole(userId, 'admin')\n *\n * // Assign multiple roles\n * await accessService.setUserRole(userId, ['editor', 'reviewer'])\n * ```\n */\n@Transient(AC_TOKENS.AccessService)\nexport class AccessService {\n  constructor(\n    @inject(DI_TOKENS.AuthContext)\n    private readonly authContext: AuthContext,\n    @inject(DI_TOKENS.Database)\n    private readonly db: DatabaseService,\n    @inject(AC_TOKENS.Options)\n    private readonly options: AccessControlOptions\n  ) { }\n\n  /**\n   * Get all roles for a user.\n   *\n   * Uses AuthContext for the current user (no DB hit).\n   * Falls back to DB for other users.\n   */\n  async getUserRoles(userId: string): Promise<string[]> {\n    if (userId === this.authContext.getUserId()) {\n      const roles = this.authContext.getRoles()\n      if (roles.length > 0) return roles\n    }\n    const user = await (this.db).user.findUnique({\n      where: { id: userId },\n      select: { role: true },\n    })\n    return parseRoles(user?.role)\n  }\n\n  /**\n   * Assign one or more roles to a user.\n   *\n   * Multiple roles are stored as a comma-separated string in `user.role`.\n   */\n  async setUserRole(userId: string, role: string | string[]): Promise<void> {\n    const roleStr = Array.isArray(role) ? role.join(',') : role\n    await this.db.user.update({\n      where: { id: userId },\n      data: { role: roleStr },\n    })\n  }\n\n  /**\n   * Check if a user has the required permissions.\n   *\n   * Returns true if any of the user's roles grants all of the requested permissions.\n   */\n  async hasPermission(userId: string, permissions: Record<string, string[]>): Promise<boolean> {\n    const roles = await this.getUserRoles(userId)\n    return this.checkPermissions(roles, permissions)\n  }\n\n  /**\n   * Get the merged permission set for a user across all their roles.\n   * Useful for sending to the frontend.\n   */\n  async getPermissionsForUser(userId: string): Promise<Record<string, string[]>> {\n    const roles = await this.getUserRoles(userId)\n    return this.mergePermissions(roles)\n  }\n\n  /**\n   * Get all roles for the currently authenticated user.\n   * Reads from AuthContext — no DB hit.\n   */\n  getCurrentUserRoles(): string[] {\n    return this.authContext.getRoles()\n  }\n\n  /**\n   * Check if the currently authenticated user has the required permissions.\n   * Reads roles from AuthContext — no DB hit.\n   */\n  currentUserHasPermission(permissions: Record<string, string[]>): boolean {\n    const roles = this.authContext.getRoles()\n    if (roles.length === 0) return false\n    return this.checkPermissions(roles, permissions)\n  }\n\n  /**\n   * Get merged permissions for the currently authenticated user.\n   * Reads roles from AuthContext — no DB hit.\n   */\n  getCurrentUserPermissions(): Record<string, string[]> {\n    const roles = this.authContext.getRoles()\n    return this.mergePermissions(roles)\n  }\n\n  private checkPermissions(roles: string[], permissions: Record<string, string[]>): boolean {\n    return roles.some(roleName => {\n      const roleObj = this.options.roles[roleName]\n      if (!roleObj) return false\n\n      const specific: Record<string, string[]> = {}\n\n      for (const [resource, actions] of Object.entries(permissions)) {\n        if (actions.includes('*')) {\n          // Wildcard: role must have at least one action defined for this resource\n          const roleActions = (roleObj.statements as Record<string, readonly string[]>)[resource]\n          if (!roleActions?.length) return false\n        } else {\n          specific[resource] = actions\n        }\n      }\n\n      return Object.keys(specific).length === 0 || roleObj.authorize(specific).success\n    })\n  }\n\n  private mergePermissions(roles: string[]): Record<string, string[]> {\n    const result: Record<string, string[]> = {}\n    for (const roleName of roles) {\n      const roleObj = this.options.roles[roleName]\n      if (!roleObj) continue\n      for (const [resource, actions] of Object.entries(roleObj.statements)) {\n        result[resource] ??= []\n        for (const action of actions as string[]) {\n          if (!result[resource].includes(action)) {\n            result[resource].push(action)\n          }\n        }\n      }\n    }\n    return result\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;AAYA,SAAgB,sBAAsB,UAAkD;AACtF,QAAO;EACL,IAAI;EACJ,QAAQ,EACN,MAAM,EACJ,QAAQ,EACN,MAAM;GACJ,MAAM;GACN,UAAU;GACV,OAAO;GACP,cAAc;GACf,EACF,EACF,EACF;EACF;;;;ACrBH,SAAS,WAAW,MAA2C;AAC7D,KAAI,CAAC,KAAM,QAAO,EAAE;AACpB,QAAO,KAAK,MAAM,IAAI,CAAC,KAAI,MAAK,EAAE,MAAM,CAAC,CAAC,OAAO,QAAQ;;AA+BpD,IAAA,gBAAA,MAAM,cAAc;CACzB,YACE,aAEA,IAEA,SAEA;AALiB,OAAA,cAAA;AAEA,OAAA,KAAA;AAEA,OAAA,UAAA;;;;;;;;CASnB,MAAM,aAAa,QAAmC;AACpD,MAAI,WAAW,KAAK,YAAY,WAAW,EAAE;GAC3C,MAAM,QAAQ,KAAK,YAAY,UAAU;AACzC,OAAI,MAAM,SAAS,EAAG,QAAO;;AAM/B,SAAO,YAAW,MAJE,KAAK,GAAI,KAAK,WAAW;GAC3C,OAAO,EAAE,IAAI,QAAQ;GACrB,QAAQ,EAAE,MAAM,MAAM;GACvB,CAAC,GACsB,KAAK;;;;;;;CAQ/B,MAAM,YAAY,QAAgB,MAAwC;EACxE,MAAM,UAAU,MAAM,QAAQ,KAAK,GAAG,KAAK,KAAK,IAAI,GAAG;AACvD,QAAM,KAAK,GAAG,KAAK,OAAO;GACxB,OAAO,EAAE,IAAI,QAAQ;GACrB,MAAM,EAAE,MAAM,SAAS;GACxB,CAAC;;;;;;;CAQJ,MAAM,cAAc,QAAgB,aAAyD;EAC3F,MAAM,QAAQ,MAAM,KAAK,aAAa,OAAO;AAC7C,SAAO,KAAK,iBAAiB,OAAO,YAAY;;;;;;CAOlD,MAAM,sBAAsB,QAAmD;EAC7E,MAAM,QAAQ,MAAM,KAAK,aAAa,OAAO;AAC7C,SAAO,KAAK,iBAAiB,MAAM;;;;;;CAOrC,sBAAgC;AAC9B,SAAO,KAAK,YAAY,UAAU;;;;;;CAOpC,yBAAyB,aAAgD;EACvE,MAAM,QAAQ,KAAK,YAAY,UAAU;AACzC,MAAI,MAAM,WAAW,EAAG,QAAO;AAC/B,SAAO,KAAK,iBAAiB,OAAO,YAAY;;;;;;CAOlD,4BAAsD;EACpD,MAAM,QAAQ,KAAK,YAAY,UAAU;AACzC,SAAO,KAAK,iBAAiB,MAAM;;CAGrC,iBAAyB,OAAiB,aAAgD;AACxF,SAAO,MAAM,MAAK,aAAY;GAC5B,MAAM,UAAU,KAAK,QAAQ,MAAM;AACnC,OAAI,CAAC,QAAS,QAAO;GAErB,MAAM,WAAqC,EAAE;AAE7C,QAAK,MAAM,CAAC,UAAU,YAAY,OAAO,QAAQ,YAAY,CAC3D,KAAI,QAAQ,SAAS,IAAI;QAGnB,CADiB,QAAQ,WAAiD,WAC5D,OAAQ,QAAO;SAEjC,UAAS,YAAY;AAIzB,UAAO,OAAO,KAAK,SAAS,CAAC,WAAW,KAAK,QAAQ,UAAU,SAAS,CAAC;IACzE;;CAGJ,iBAAyB,OAA2C;EAClE,MAAM,SAAmC,EAAE;AAC3C,OAAK,MAAM,YAAY,OAAO;GAC5B,MAAM,UAAU,KAAK,QAAQ,MAAM;AACnC,OAAI,CAAC,QAAS;AACd,QAAK,MAAM,CAAC,UAAU,YAAY,OAAO,QAAQ,QAAQ,WAAW,EAAE;AACpE,WAAO,cAAc,EAAE;AACvB,SAAK,MAAM,UAAU,QACnB,KAAI,CAAC,OAAO,UAAU,SAAS,OAAO,CACpC,QAAO,UAAU,KAAK,OAAO;;;AAKrC,SAAO;;;;CA3HV,UAAU,UAAU,cAAc;oBAG9B,OAAO,UAAU,YAAY,CAAA;oBAE7B,OAAO,UAAU,SAAS,CAAA;oBAE1B,OAAO,UAAU,QAAQ,CAAA"}

package/dist/auth/index.d.mts

@@ -1,3 +1,4 @@
+import { t as AccessControlOptions } from "../types-BLyu9dAd.mjs";
 import { AsyncModuleOptions, DynamicModule } from "stratal/module";
 import { ApplicationError } from "stratal/errors";
 import { LoggerService } from "stratal/logger";
@@ -6,19 +7,27 @@ import { APIError } from "better-auth/api";
 import { Middleware, Next, RouteConfigurable, Router, RouterContext } from "stratal/router";
 
 //#region src/auth/auth.module.d.ts
+interface AuthModuleAsyncOptions<TOptions extends BetterAuthOptions = BetterAuthOptions> extends AsyncModuleOptions<TOptions> {
+  /**
+   * Optional access control configuration.
+   * When provided, registers AccessService and auto-adds the Stratal AC plugin to Better Auth.
+   */
+  accessControl?: AccessControlOptions;
+}
 declare class AuthModule implements RouteConfigurable {
   /**
    * Configure auth middleware globally.
    *
    * Registers middlewares in order:
    * 1. AuthContextMiddleware - Creates and registers AuthContext in request container
-   * 2. SessionVerificationMiddleware - Verifies session and populates AuthContext with userId
+   * 2. SessionVerificationMiddleware - Verifies session and populates AuthContext with userId + role
    */
   configureRoutes(router: Router): void;
   /**
-   * Configure AuthModule with async options factory
+   * Configure AuthModule with async options factory.
+   * Optionally provide `accessControl` to enable permission-based authorization.
    */
-  static forRootAsync<TOptions extends BetterAuthOptions>(options: AsyncModuleOptions<TOptions>): DynamicModule;
+  static forRootAsync<TOptions extends BetterAuthOptions>(options: AuthModuleAsyncOptions<TOptions>): DynamicModule;
 }
 //#endregion
 //#region src/auth/auth.tokens.d.ts
@@ -100,12 +109,62 @@ declare class IdTokenNotSupportedError extends ApplicationError {
 declare class TokenExpiredError extends ApplicationError {
   constructor();
 }
+declare class InvalidCallbackUrlError extends ApplicationError {
+  constructor();
+}
+declare class InvalidOriginError extends ApplicationError {
+  constructor();
+}
+declare class AuthValidationFailedError extends ApplicationError {
+  constructor();
+}
+declare class EmailAlreadyVerifiedError extends ApplicationError {
+  constructor();
+}
+declare class EmailMismatchError extends ApplicationError {
+  constructor();
+}
+declare class BetterAuthUnknownError extends ApplicationError {
+  constructor(errorCode?: string);
+}
 //#endregion
 //#region src/auth/errors/invalid-token.error.d.ts
 declare class InvalidTokenError extends ApplicationError {
   constructor();
 }
 //#endregion
+//#region src/auth/errors/organization-errors.d.ts
+declare class OrganizationNotFoundError extends ApplicationError {
+  constructor();
+}
+declare class OrganizationMemberNotFoundError extends ApplicationError {
+  constructor();
+}
+declare class OrganizationInvitationNotFoundError extends ApplicationError {
+  constructor();
+}
+declare class OrganizationPermissionDeniedError extends ApplicationError {
+  constructor();
+}
+declare class OrganizationInvitationRecipientMismatchError extends ApplicationError {
+  constructor();
+}
+declare class OrganizationConflictError extends ApplicationError {
+  constructor();
+}
+declare class OrganizationLimitReachedError extends ApplicationError {
+  constructor();
+}
+declare class OrganizationMembershipError extends ApplicationError {
+  constructor();
+}
+declare class OrganizationTeamNotFoundError extends ApplicationError {
+  constructor();
+}
+declare class OrganizationRoleNotFoundError extends ApplicationError {
+  constructor();
+}
+//#endregion
 //#region src/auth/errors/token-required.error.d.ts
 declare class TokenRequiredError extends ApplicationError {
   constructor();
@@ -116,6 +175,65 @@ declare class VerificationFailedError extends ApplicationError {
   constructor();
 }
 //#endregion
+//#region src/auth/i18n/en.d.ts
+declare const authMessages: {
+  readonly en: {
+    readonly auth: {
+      readonly errors: {
+        readonly tokenRequired: "Verification token is required";
+        readonly invalidToken: "Invalid or expired verification token";
+        readonly verificationFailed: "Verification failed. Please try again.";
+        readonly userNotFound: "User not found. Please check your credentials.";
+        readonly invalidCredentials: "Invalid email or password";
+        readonly invalidPassword: "Invalid password";
+        readonly invalidEmail: "Invalid email address";
+        readonly sessionExpired: "Your session has expired. Please sign in again.";
+        readonly emailNotVerified: "Please verify your email address before signing in";
+        readonly passwordTooShort: "Password must be at least {minLength} characters";
+        readonly passwordTooLong: "Password must be at most {maxLength} characters";
+        readonly accountAlreadyExists: "An account with this email already exists";
+        readonly failedToCreateUser: "Failed to create user account. Please try again.";
+        readonly failedToCreateSession: "Failed to create session. Please try again.";
+        readonly failedToGetSession: "Failed to retrieve session. Please try again.";
+        readonly failedToUpdateUser: "Failed to update user information. Please try again.";
+        readonly failedToGetUserInfo: "Failed to retrieve user information. Please try again.";
+        readonly socialAccountLinked: "This social account is already linked to another user";
+        readonly providerNotFound: "Authentication provider not found";
+        readonly userEmailNotFound: "User email address not found";
+        readonly accountNotFound: "Account not found";
+        readonly credentialAccountNotFound: "Credential account not found";
+        readonly cannotUnlinkLastAccount: "Cannot unlink your last account";
+        readonly userAlreadyHasPassword: "User already has a password set";
+        readonly emailCannotBeUpdated: "Email address cannot be updated at this time";
+        readonly tokenExpired: "The verification token has expired. Please request a new verification email.";
+        readonly invalidCallbackUrl: "Invalid callback URL";
+        readonly invalidOrigin: "Request origin is not allowed";
+        readonly validationFailed: "Authentication validation failed";
+        readonly emailAlreadyVerified: "Email address is already verified";
+        readonly emailMismatch: "Email address does not match";
+        readonly unknownError: "An authentication error occurred";
+      };
+      readonly org: {
+        readonly organizationNotFound: "Organization not found";
+        readonly memberNotFound: "Member not found";
+        readonly invitationNotFound: "Invitation not found";
+        readonly permissionDenied: "You do not have permission to perform this action";
+        readonly invitationRecipientMismatch: "You are not the recipient of this invitation";
+        readonly conflict: "A resource with this identifier already exists";
+        readonly limitReached: "The maximum limit has been reached";
+        readonly membershipError: "This action cannot be performed due to membership constraints";
+        readonly teamNotFound: "Team not found";
+        readonly roleNotFound: "Role not found";
+      };
+    };
+  };
+};
+declare module 'stratal/i18n' {
+  interface AppMessageNamespaces {
+    auth: typeof authMessages['en']['auth'];
+  }
+} //# sourceMappingURL=en.d.ts.map
+//#endregion
 //#region src/auth/middleware/auth-context.middleware.d.ts
 /**
  * Auth Context Middleware
@@ -201,5 +319,5 @@ declare function mapBetterAuthError(error: APIError): ApplicationError;
  */
 declare function isAPIError(error: unknown): error is APIError;
 //#endregion
-export { AUTH_OPTIONS, AUTH_SERVICE, AccountAlreadyExistsError, AccountNotFoundError, AuthContextMiddleware, AuthModule, AuthService, CannotUnlinkLastAccountError, CredentialAccountNotFoundError, EmailCannotBeUpdatedError, EmailNotVerifiedError, FailedToCreateSessionError, FailedToCreateUserError, FailedToGetSessionError, FailedToGetUserInfoError, FailedToUpdateUserError, IdTokenNotSupportedError, InvalidCredentialsError, InvalidEmailError, InvalidPasswordError, InvalidTokenError, PasswordTooLongError, PasswordTooShortError, ProviderNotFoundError, SessionExpiredError, SessionVerificationMiddleware, SocialAccountLinkedError, TokenExpiredError, TokenRequiredError, UserAlreadyHasPasswordError, UserEmailNotFoundError, UserNotFoundError, VerificationFailedError, getErrorHandlerConfig, isAPIError, mapBetterAuthError, wrapBetterAuth };
+export { AUTH_OPTIONS, AUTH_SERVICE, AccountAlreadyExistsError, AccountNotFoundError, AuthContextMiddleware, AuthModule, AuthModuleAsyncOptions, AuthService, AuthValidationFailedError, BetterAuthUnknownError, CannotUnlinkLastAccountError, CredentialAccountNotFoundError, EmailAlreadyVerifiedError, EmailCannotBeUpdatedError, EmailMismatchError, EmailNotVerifiedError, FailedToCreateSessionError, FailedToCreateUserError, FailedToGetSessionError, FailedToGetUserInfoError, FailedToUpdateUserError, IdTokenNotSupportedError, InvalidCallbackUrlError, InvalidCredentialsError, InvalidEmailError, InvalidOriginError, InvalidPasswordError, InvalidTokenError, OrganizationConflictError, OrganizationInvitationNotFoundError, OrganizationInvitationRecipientMismatchError, OrganizationLimitReachedError, OrganizationMemberNotFoundError, OrganizationMembershipError, OrganizationNotFoundError, OrganizationPermissionDeniedError, OrganizationRoleNotFoundError, OrganizationTeamNotFoundError, PasswordTooLongError, PasswordTooShortError, ProviderNotFoundError, SessionExpiredError, SessionVerificationMiddleware, SocialAccountLinkedError, TokenExpiredError, TokenRequiredError, UserAlreadyHasPasswordError, UserEmailNotFoundError, UserNotFoundError, VerificationFailedError, authMessages, getErrorHandlerConfig, isAPIError, mapBetterAuthError, wrapBetterAuth };
 //# sourceMappingURL=index.d.mts.map

package/dist/auth/index.d.mts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.mts","names":[],"sources":["../../src/auth/auth.module.ts","../../src/auth/auth.tokens.ts","../../src/auth/errors/auth-errors.ts","../../src/auth/errors/invalid-token.error.ts","../../src/auth/errors/token-required.error.ts","../../src/auth/errors/verification-failed.error.ts","../../src/auth/middleware/auth-context.middleware.ts","../../src/auth/services/auth.service.ts","../../src/auth/middleware/session-verification.middleware.ts","../../src/auth/utils/auth-helpers.ts","../../src/auth/utils/better-auth-error-handler.ts"],"mappings":";;;;;;;;cAgCa,UAAA,YAAsB,iBAAA;EAe1B;;;;;;;EAPP,eAAA,CAAgB,MAAA,EAAQ,MAAA;EASR;;;EAAA,OAFT,YAAA,kBAA8B,iBAAA,CAAA,CACnC,OAAA,EAAS,kBAAA,CAAmB,QAAA,IAC3B,aAAA;AAAA;;;;cChDQ,YAAA;;cAGA,YAAA;;;cCFA,iBAAA,SAA0B,gBAAA;cACzB,KAAA;AAAA;AAAA,cAKD,uBAAA,SAAgC,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAMhC,oBAAA,SAA6B,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAM7B,iBAAA,SAA0B,gBAAA;cACzB,KAAA;AAAA;AAAA,cAKD,mBAAA,SAA4B,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAM5B,qBAAA,SAA8B,gBAAA;cAC7B,KAAA;AAAA;AAAA,cAKD,qBAAA,SAA8B,gBAAA;cAC7B,SAAA;AAAA;AAAA,cAKD,oBAAA,SAA6B,gBAAA;cAC5B,SAAA;AAAA;AAAA,cAKD,yBAAA,SAAkC,gBAAA;cACjC,KAAA;AAAA;AAAA,cAKD,uBAAA,SAAgC,gBAAA;cAC/B,MAAA;AAAA;AAAA,cAKD,0BAAA,SAAmC,gBAAA;cAClC,MAAA;AAAA;AAAA,cAKD,uBAAA,SAAgC,gBAAA;cAC/B,MAAA;AAAA;AAAA,cAKD,wBAAA,SAAiC,gBAAA;cAChC,QAAA;AAAA;AAAA,cAKD,4BAAA,SAAqC,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAMrC,qBAAA,SAA8B,gBAAA;cAC7B,QAAA;AAAA;AAAA,cAKD,sBAAA,SAA+B,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAM/B,oBAAA,SAA6B,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAM7B,8BAAA,SAAuC,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAMvC,2BAAA,SAAoC,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAMpC,yBAAA,SAAkC,gBAAA;cACjC,MAAA;AAAA;AAAA,cAKD,uBAAA,SAAgC,gBAAA;cAC/B,MAAA;AAAA;AAAA,cAKD,wBAAA,SAAiC,gBAAA;cAChC,MAAA;AAAA;AAAA,cAKD,wBAAA,SAAiC,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAMjC,iBAAA,SAA0B,gBAAA;EAAA,WAAA,CAAA;AAAA;;;cC1I1B,iBAAA,SAA0B,gBAAA;EAAA,WAAA,CAAA;AAAA;;;cCA1B,kBAAA,SAA2B,gBAAA;EAAA,WAAA,CAAA;AAAA;;;cCA3B,uBAAA,SAAgC,gBAAA;EAAA,WAAA,CAAA;AAAA;;;;;;;;;;cCUhC,qBAAA,YAAiC,UAAA;EACtC,MAAA,CAAO,GAAA,EAAK,aAAA,EAAe,IAAA,EAAM,IAAA,GAAO,OAAA;AAAA;;;;;;;;;;ANgBhD;;;;;;;;;;;;;;cOAa,WAAA,kBAA6B,iBAAA,GAAoB,iBAAA;EAAA,mBAIjB,OAAA,EAAS,QAAA;EAAA,QAH5C,YAAA;cAGmC,OAAA,EAAS,QAAA;EPezC;;;EAAA,IOJP,IAAA,CAAA,GAAQ,IAAA,CAAK,QAAA;AAAA;;;;;;;;APfnB;;;;;cQVa,6BAAA,YAAyC,UAAA;EAAA,iBAGjC,WAAA;EAAA,QAC4B,MAAA;cAD5B,WAAA,EAAa,WAAA,EACe,MAAA,EAAQ,aAAA;EAGjD,MAAA,CAAO,GAAA,EAAK,aAAA,EAAe,IAAA,EAAM,IAAA,GAAO,OAAA;AAAA;;;;;;;iBCnBhC,qBAAA,CAAA,GAAyB,iBAAA;;;ATsBzC;cSPa,cAAA,MAA2B,EAAA,QAAU,OAAA,CAAQ,CAAA,MAAK,OAAA,CAAQ,CAAA;;;;;;iBCavD,kBAAA,CAAmB,KAAA,EAAO,QAAA,GAAW,gBAAA;;;AVNrD;;;iBUuFgB,UAAA,CAAW,KAAA,YAAiB,KAAA,IAAS,QAAA"}
+{"version":3,"file":"index.d.mts","names":[],"sources":["../../src/auth/auth.module.ts","../../src/auth/auth.tokens.ts","../../src/auth/errors/auth-errors.ts","../../src/auth/errors/invalid-token.error.ts","../../src/auth/errors/organization-errors.ts","../../src/auth/errors/token-required.error.ts","../../src/auth/errors/verification-failed.error.ts","../../src/auth/i18n/en.ts","../../src/auth/middleware/auth-context.middleware.ts","../../src/auth/services/auth.service.ts","../../src/auth/middleware/session-verification.middleware.ts","../../src/auth/utils/auth-helpers.ts","../../src/auth/utils/better-auth-error-handler.ts"],"mappings":";;;;;;;;;UA8DiB,sBAAA,kBAAwC,iBAAA,GAAoB,iBAAA,UACnE,kBAAA,CAAmB,QAAA;EAgCX;;;;EA3BhB,aAAA,GAAgB,oBAAA;AAAA;AAAA,cASL,UAAA,YAAsB,iBAAA;EC5E2B;;AAG9D;;;;;EDiFE,eAAA,CAAgB,MAAA,EAAQ,MAAA;;;AEnF1B;;SF2FS,YAAA,kBAA8B,iBAAA,CAAA,CACnC,OAAA,EAAS,sBAAA,CAAuB,QAAA,IAC/B,aAAA;AAAA;;;;cC9FQ,YAAA;;cAGA,YAAA;;;cCFA,iBAAA,SAA0B,gBAAA;cACzB,KAAA;AAAA;AAAA,cAKD,uBAAA,SAAgC,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAMhC,oBAAA,SAA6B,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAM7B,iBAAA,SAA0B,gBAAA;cACzB,KAAA;AAAA;AAAA,cAKD,mBAAA,SAA4B,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAM5B,qBAAA,SAA8B,gBAAA;cAC7B,KAAA;AAAA;AAAA,cAKD,qBAAA,SAA8B,gBAAA;cAC7B,SAAA;AAAA;AAAA,cAKD,oBAAA,SAA6B,gBAAA;cAC5B,SAAA;AAAA;AAAA,cAKD,yBAAA,SAAkC,gBAAA;cACjC,KAAA;AAAA;AAAA,cAKD,uBAAA,SAAgC,gBAAA;cAC/B,MAAA;AAAA;AAAA,cAKD,0BAAA,SAAmC,gBAAA;cAClC,MAAA;AAAA;AAAA,cAKD,uBAAA,SAAgC,gBAAA;cAC/B,MAAA;AAAA;AAAA,cAKD,wBAAA,SAAiC,gBAAA;cAChC,QAAA;AAAA;AAAA,cAKD,4BAAA,SAAqC,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAMrC,qBAAA,SAA8B,gBAAA;cAC7B,QAAA;AAAA;AAAA,cAKD,sBAAA,SAA+B,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAM/B,oBAAA,SAA6B,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAM7B,8BAAA,SAAuC,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAMvC,2BAAA,SAAoC,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAMpC,yBAAA,SAAkC,gBAAA;cACjC,MAAA;AAAA;AAAA,cAKD,uBAAA,SAAgC,gBAAA;cAC/B,MAAA;AAAA;AAAA,cAKD,wBAAA,SAAiC,gBAAA;cAChC,MAAA;AAAA;AAAA,cAKD,wBAAA,SAAiC,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAMjC,iBAAA,SAA0B,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAM1B,uBAAA,SAAgC,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAMhC,kBAAA,SAA2B,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAM3B,yBAAA,SAAkC,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAMlC,yBAAA,SAAkC,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAMlC,kBAAA,SAA2B,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAM3B,sBAAA,SAA+B,gBAAA;cAC9B,SAAA;AAAA;;;cC/KD,iBAAA,SAA0B,gBAAA;EAAA,WAAA,CAAA;AAAA;;;cCA1B,yBAAA,SAAkC,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAMlC,+BAAA,SAAwC,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAMxC,mCAAA,SAA4C,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAM5C,iCAAA,SAA0C,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAM1C,4CAAA,SAAqD,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAMrD,yBAAA,SAAkC,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAMlC,6BAAA,SAAsC,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAMtC,2BAAA,SAAoC,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAMpC,6BAAA,SAAsC,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAMtC,6BAAA,SAAsC,gBAAA;EAAA,WAAA,CAAA;AAAA;;;cCtDtC,kBAAA,SAA2B,gBAAA;EAAA,WAAA,CAAA;AAAA;;;cCA3B,uBAAA,SAAgC,gBAAA;EAAA,WAAA,CAAA;AAAA;;;cCFhC,YAAA;EAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;YAsDD,oBAAA;IACR,IAAA,SAAa,YAAA;EAAA;AAAA;;;;;;;;;;cC3CJ,qBAAA,YAAiC,UAAA;EACtC,MAAA,CAAO,GAAA,EAAK,aAAA,EAAe,IAAA,EAAM,IAAA,GAAO,OAAA;AAAA;;;;;;;;;;;ARiDhD;;;;;;;;;;;;;cSjCa,WAAA,kBAA6B,iBAAA,GAAoB,iBAAA;EAAA,mBAIjB,OAAA,EAAS,QAAA;EAAA,QAH5C,YAAA;cAGmC,OAAA,EAAS,QAAA;ETmChB;;AAGtC;EAHsC,ISxBhC,IAAA,CAAA,GAAQ,IAAA,CAAK,QAAA;AAAA;;;;;;;;;ATkBnB;;;;cU3Ca,6BAAA,YAAyC,UAAA;EAAA,iBAGjC,WAAA;EAAA,QAC4B,MAAA;cAD5B,WAAA,EAAa,WAAA,EACe,MAAA,EAAQ,aAAA;EAGjD,MAAA,CAAO,GAAA,EAAK,aAAA,EAAe,IAAA,EAAM,IAAA,GAAO,OAAA;AAAA;;;;;;;iBCnBhC,qBAAA,CAAA,GAAyB,iBAAA;;;;cAe5B,cAAA,MAA2B,EAAA,QAAU,OAAA,CAAQ,CAAA,MAAK,OAAA,CAAQ,CAAA;;;;;;iBC2BvD,kBAAA,CAAmB,KAAA,EAAO,QAAA,GAAW,gBAAA;;;;AZarD;;iBYoMgB,UAAA,CAAW,KAAA,YAAiB,KAAA,IAAS,QAAA"}