@thebes/cadmus 0.2.1

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 BowenLabs
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,150 @@
+# @thebes/cadmus
+
+V8-first, Cloudflare-native full-stack framework primitives.
+
+> **0.x — active development.** APIs will change. Not production-ready.
+> Star [bowenlabs/project-thebes](https://github.com/bowenlabs/project-thebes) to follow along.
+
+---
+
+## What is Cadmus?
+
+Cadmus provides the primitives needed to build complete web applications
+on Cloudflare Workers without Node.js assumptions, adapter layers, or
+configuration overhead.
+
+Cloudflare is an exceptional platform — ethical, privacy-focused, at-cost
+pricing. Cadmus makes building on it feel complete.
+
+**Inspired by:** Vue's progressive adoption model, Hono's V8-first proof of concept.
+
+---
+
+## Install
+
+```bash
+npm install @thebes/cadmus
+# or
+pnpm add @thebes/cadmus
+```
+
+---
+
+## Primitives
+
+Each primitive is independently usable — import only what you need:
+
+```typescript
+import { db }              from '@thebes/cadmus/db'
+import { createMagicLink } from '@thebes/cadmus/auth'
+import { upload }          from '@thebes/cadmus/storage'
+import { purgeCache }      from '@thebes/cadmus/cache'
+import { sendEmail }       from '@thebes/cadmus/email'
+import { rateLimit }       from '@thebes/cadmus/rate-limit'
+import { createSession }   from '@thebes/cadmus/session'
+import { enqueue }         from '@thebes/cadmus/queues'
+```
+
+Hono users get ergonomic middleware via a separate entrypoint:
+
+```typescript
+import { cadmusAuth, cadmusRateLimit } from '@thebes/cadmus/hono'
+```
+
+**A CMS engine on top of the primitives above** — model content as
+collections and get a generated Drizzle schema, a typed, access-controlled,
+hook-driven Local API, and a Payload-equivalent REST API
+(`mountCmsRoutes`, also from `@thebes/cadmus/hono`):
+
+```typescript
+import { createLocalApi, defineCmsConfig } from '@thebes/cadmus/cms'
+```
+
+See [`src/cms/README.md`](./src/cms/README.md) for the full reference —
+config/plugins, access control, hooks, relationship `depth` resolution,
+draft/publish versioning, and mounting the REST API.
+
+---
+
+## Design principles
+
+- **V8-first** — no Node.js APIs. Web Crypto, Web Fetch, Web Streams throughout.
+- **Independent primitives** — zero cross-primitive dependencies. Use one or all.
+- **Raw bindings** — pass `env.KV`, `env.DB` directly. Explicit over magic.
+- **Thrown errors** — `CadmusError` and typed subclasses. Reliable `instanceof` checks.
+- **Composing, not wrapping** — Cadmus uses Hono, Drizzle, and Astro rather
+  than reimplementing what they do well.
+
+---
+
+## Email (`@thebes/cadmus/email`)
+
+Thin wrapper over the CF Email Workers `send_email` binding.
+
+```typescript
+import { sendEmail } from '@thebes/cadmus/email'
+
+await sendEmail(env.EMAIL, {
+  from: 'noreply@yourdomain.com',
+  to: 'owner@example.com',
+  subject: 'Your magic link',
+  html: '<p>Click <a href="https://example.com">here</a></p>',
+})
+```
+
+`sendEmail` throws `CadmusEmailError` on failure — wrap calls in a
+best-effort handler if the surrounding flow shouldn't fail just because
+an email didn't send (e.g. a form submission notification).
+
+**Required setup — before sending anything:**
+
+1. The `from` address must be on a domain with **Cloudflare Email Routing**
+   enabled (Cloudflare dashboard → your domain → Email → Email Routing).
+2. Add the DNS records Cloudflare generates for that domain:
+   - **SPF** — `TXT` record authorizing Cloudflare to send on the domain's behalf
+   - **DKIM** — `TXT` record for signing outbound mail
+   - **DMARC** — `TXT` record (`_dmarc.yourdomain.com`) declaring your policy
+   Cloudflare's Email Routing setup screen lists the exact records to add.
+3. Add `send_email` to the binding's `wrangler.jsonc`:
+   ```jsonc
+   { "send_email": [{ "name": "EMAIL" }] }
+   ```
+
+**Local dev:** `env.EMAIL` is `undefined` in `wrangler dev` unless you
+configure a destination address for it — there is no real routing for
+`localhost`. Callers should check for the binding (or catch
+`CadmusEmailError`) and fall back to logging rather than assuming
+`sendEmail` always succeeds in dev.
+
+---
+
+## Compatibility
+
+| Framework | Status |
+|---|---|
+| Astro + `@astrojs/cloudflare` | ✅ Tested |
+| TanStack Start + `@cloudflare/vite-plugin` | ✅ Tested |
+| Hono on Workers | ✅ Tested |
+| Raw Cloudflare Workers | ✅ Tested |
+| Others | 🔲 Should work — PRs with tests welcome |
+
+---
+
+## Community primitives
+
+Third-party integrations and opinionated patterns live under
+`@cadmus-community/*`. Contribution guide forthcoming.
+
+---
+
+## License
+
+MIT — [LICENSE](./LICENSE)
+
+---
+
+## Maintained by
+
+[BowenLabs](https://bowenlabs.com) — one person, built with care.
+PRs welcome. No SLA. If you're building something critical on `0.x`,
+be comfortable reading and if necessary patching the source.

package/dist/astro/index.cjs

@@ -0,0 +1,149 @@
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+const require_auth_index = require("../auth/index.cjs");
+const require_rate_limit_index = require("../rate-limit/index.cjs");
+//#region src/astro/index.ts
+const DEFAULT_COOKIE_NAME = "cadmus_session";
+const DEFAULT_COOKIE_MAX_AGE_SECONDS = 3600 * 24 * 7;
+const DEFAULT_MAGIC_LINK_TTL_SECONDS = 900;
+const DEFAULT_RATE_LIMIT = {
+	limit: 3,
+	windowSeconds: 900
+};
+const KV_RETRY_ATTEMPTS = 2;
+const KV_RETRY_DELAY_MS = 100;
+function sleep(ms) {
+	return new Promise((resolve) => setTimeout(resolve, ms));
+}
+function isSafeRedirect(value) {
+	return !!value && value.startsWith("/") && !value.startsWith("//");
+}
+function resolve(value, context, fallback) {
+	if (value === void 0) return fallback;
+	return typeof value === "function" ? value(context) : value;
+}
+function defaultIsLocalDev(context) {
+	const hostname = context.url.hostname;
+	return hostname === "localhost" || hostname === "127.0.0.1";
+}
+function defaultOnLocalDev(_context, { email, verifyUrl }) {
+	console.log(`[dev] Magic link for ${email}: ${verifyUrl.toString()}`);
+}
+/**
+* Builds the magic-link request (`POST`) and verify (`GET`) Astro
+* `APIRoute` handlers — mount both at the same route, e.g.
+* `export const { POST, GET } = createMagicLinkHandlers(options)` from
+* `src/pages/api/auth/[...path].ts`, or wire `POST`/`GET` into separate
+* `magic-link.ts`/`verify.ts` routes matching `verifyPath` below.
+*/
+function createMagicLinkHandlers(options) {
+	const cookieName = options.cookieName ?? DEFAULT_COOKIE_NAME;
+	const cookieMaxAgeSeconds = options.cookieMaxAgeSeconds ?? DEFAULT_COOKIE_MAX_AGE_SECONDS;
+	const magicLinkTtlSeconds = options.magicLinkTtlSeconds ?? DEFAULT_MAGIC_LINK_TTL_SECONDS;
+	const rateLimit = options.rateLimit === false ? null : options.rateLimit ?? DEFAULT_RATE_LIMIT;
+	const verifyPath = options.verifyPath ?? "/api/auth/verify";
+	const loginPath = options.loginPath ?? "/login";
+	const isLocalDev = options.isLocalDev ?? defaultIsLocalDev;
+	const onLocalDev = options.onLocalDev ?? defaultOnLocalDev;
+	const POST = async (context) => {
+		const body = await context.request.json().catch(() => null);
+		const email = body?.email?.trim().toLowerCase();
+		if (!email) return Response.json({ ok: true });
+		const redirect = isSafeRedirect(body?.redirect) ? body.redirect : null;
+		const kv = options.kv(context);
+		if (rateLimit) {
+			const { allowed } = await require_rate_limit_index.checkRateLimit(kv, `magiclink:ratelimit:${email}`, rateLimit.limit, rateLimit.windowSeconds);
+			if (!allowed) return Response.json({ ok: true });
+		}
+		if (!await options.findUser(context, email)) return Response.json({ ok: true });
+		const token = require_auth_index.generateToken();
+		const hash = await require_auth_index.hashToken(token);
+		await kv.put(`magiclink:${hash}`, email, { expirationTtl: magicLinkTtlSeconds });
+		const verifyUrl = new URL(verifyPath, context.url);
+		verifyUrl.searchParams.set("token", token);
+		if (redirect) verifyUrl.searchParams.set("redirect", redirect);
+		if (isLocalDev(context)) await onLocalDev(context, {
+			email,
+			verifyUrl
+		});
+		else await options.sendMagicLinkEmail(context, {
+			email,
+			verifyUrl
+		});
+		return Response.json({ ok: true });
+	};
+	const GET = async (context) => {
+		const token = context.url.searchParams.get("token");
+		if (!token) return context.redirect(`${loginPath}?error=invalid`);
+		const kv = options.kv(context);
+		const key = `magiclink:${await require_auth_index.hashToken(token)}`;
+		let email = null;
+		for (let attempt = 0; attempt <= KV_RETRY_ATTEMPTS; attempt++) {
+			email = await kv.get(key);
+			if (email !== null) break;
+			if (attempt < KV_RETRY_ATTEMPTS) await sleep(KV_RETRY_DELAY_MS);
+		}
+		if (email === null) return context.redirect(`${loginPath}?error=invalid`);
+		await kv.delete(key);
+		const user = await options.findUser(context, email);
+		if (!user) return context.redirect(`${loginPath}?error=unauthorized`);
+		const { sessionId } = await options.createSession(context, user);
+		const signature = await require_auth_index.signSession(sessionId, options.secret(context));
+		context.cookies.set(cookieName, `${sessionId}.${signature}`, {
+			httpOnly: true,
+			secure: true,
+			sameSite: "lax",
+			path: "/",
+			maxAge: cookieMaxAgeSeconds
+		});
+		const requestedRedirect = context.url.searchParams.get("redirect");
+		const redirectTo = isSafeRedirect(requestedRedirect) ? requestedRedirect : resolve(options.defaultRedirect, context, "/");
+		return context.redirect(redirectTo);
+	};
+	return {
+		POST,
+		GET
+	};
+}
+/** Builds a logout `APIRoute` — clears the session cookie and its backing store entry. */
+function createLogoutHandler(options) {
+	const cookieName = options.cookieName ?? DEFAULT_COOKIE_NAME;
+	return async (context) => {
+		const cookieValue = context.cookies.get(cookieName)?.value;
+		if (cookieValue) {
+			const [sessionId] = cookieValue.split(".");
+			if (sessionId) await options.deleteSession(context, sessionId);
+		}
+		context.cookies.delete(cookieName, { path: "/" });
+		return context.redirect(resolve(options.redirectTo, context, "/login"));
+	};
+}
+/**
+* Astro middleware that verifies the session cookie's signature and
+* populates `context.locals[localsKey]` with the resolved session, or
+* null if there isn't one. Mirrors `cadmusAuth()`'s role in the Hono
+* layer: it authenticates the request, it doesn't gate access — pages
+* and routes downstream decide what to do with a null session.
+*/
+function cadmusAuthGuard(options) {
+	const cookieName = options.cookieName ?? DEFAULT_COOKIE_NAME;
+	const localsKey = options.localsKey ?? "session";
+	const handler = async (context, next) => {
+		const cookieValue = context.cookies.get(cookieName)?.value;
+		let session = null;
+		if (cookieValue) {
+			const [sessionId, signature] = cookieValue.split(".");
+			if (sessionId && signature) {
+				if (await require_auth_index.verifySession(sessionId, signature, options.secret(context))) session = await options.getSession(context, sessionId);
+			}
+		}
+		context.locals[localsKey] = session;
+		return next();
+	};
+	return handler;
+}
+//#endregion
+exports.cadmusAuthGuard = cadmusAuthGuard;
+exports.createLogoutHandler = createLogoutHandler;
+exports.createMagicLinkHandlers = createMagicLinkHandlers;
+
+//# sourceMappingURL=index.cjs.map

package/dist/astro/index.cjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.cjs","names":["checkRateLimit","generateToken","hashToken","signSession","verifySession"],"sources":["../../src/astro/index.ts"],"sourcesContent":["// Copyright (c) 2026 BowenLabs. All rights reserved.\n// Cadmus is MIT licensed. See LICENSE in the repo root.\n//\n// @thebes/cadmus/astro\n//\n// Peer-integration layer for Astro — the same \"peer, not a dependency\"\n// treatment @thebes/cadmus/hono already gets (see that module's\n// index.ts). `astro` is an optional peer dependency; this entrypoint is\n// excluded from the package root export for the same reason hono is.\n// Unlike the hono layer, every `astro` import below is `import type` —\n// nothing from the real `astro` package executes in this module. Astro's\n// own `defineMiddleware` is `(fn) => fn`, a type-inference convenience\n// for app code calling it inline, not anything we need at runtime; we\n// return the typed function directly instead of importing it, so this\n// module stays V8-first with no Astro runtime in the bundled output.\n//\n// These handlers are thin HTTP plumbing over cadmus/auth, cadmus/session,\n// and cadmus/rate-limit — they don't introduce new crypto or storage\n// logic. What's genuinely app-specific (looking up a user by email,\n// shaping a session payload, sending the actual email) is always a\n// caller-supplied function, mirroring how @thebes/cadmus/hono's\n// mountCmsRoutes takes a `resolveContext` callback instead of guessing at\n// the app's auth model.\n\nimport type { APIContext, APIRoute, MiddlewareHandler } from \"astro\";\nimport {\n  generateToken,\n  hashToken,\n  signSession,\n  verifySession,\n} from \"../auth/index.js\";\nimport { checkRateLimit } from \"../rate-limit/index.js\";\n\nconst DEFAULT_COOKIE_NAME = \"cadmus_session\";\nconst DEFAULT_COOKIE_MAX_AGE_SECONDS = 60 * 60 * 24 * 7; // 7 days\nconst DEFAULT_MAGIC_LINK_TTL_SECONDS = 60 * 15; // 15 min\nconst DEFAULT_RATE_LIMIT = { limit: 3, windowSeconds: 60 * 15 };\nconst KV_RETRY_ATTEMPTS = 2;\nconst KV_RETRY_DELAY_MS = 100;\n\nfunction sleep(ms: number): Promise<void> {\n  return new Promise((resolve) => setTimeout(resolve, ms));\n}\n\n// Only a same-origin relative path is safe to redirect to — a protocol-\n// relative \"//host/...\" or absolute URL turns this into an open redirect.\nfunction isSafeRedirect(value: string | null | undefined): value is string {\n  return !!value && value.startsWith(\"/\") && !value.startsWith(\"//\");\n}\n\nfunction resolve<TContext>(\n  value: string | ((context: TContext) => string) | undefined,\n  context: TContext,\n  fallback: string,\n): string {\n  if (value === undefined) return fallback;\n  return typeof value === \"function\" ? value(context) : value;\n}\n\nexport interface MagicLinkHandlersOptions<TUser> {\n  /** Resolves the KV namespace magic-link tokens are stored in, per request. */\n  kv: (context: APIContext) => KVNamespace;\n  /** Resolves the secret session cookies are HMAC-signed with — must match cadmusAuthGuard's `secret`. */\n  secret: (context: APIContext) => string;\n  /**\n   * Looks up the user a request's email belongs to. Returning null is\n   * indistinguishable to the client from a successful send — this is\n   * the anti-enumeration guarantee the same way the hand-rolled\n   * Worker 1 route this replaces always returned `{ ok: true }`.\n   */\n  findUser: (context: APIContext, email: string) => Promise<TUser | null>;\n  /** Creates a session for a verified user, returning the session ID to sign into the cookie. */\n  createSession: (\n    context: APIContext,\n    user: TUser,\n  ) => Promise<{ sessionId: string }>;\n  /** Sends the magic-link email. Not called when `isLocalDev` returns true — see that option. */\n  sendMagicLinkEmail: (\n    context: APIContext,\n    params: { email: string; verifyUrl: URL },\n  ) => Promise<void>;\n  /** Cookie name the session is signed into. Defaults to \"cadmus_session\". */\n  cookieName?: string;\n  /** Cookie `maxAge` in seconds. Defaults to 7 days. */\n  cookieMaxAgeSeconds?: number;\n  /** Magic-link token TTL in seconds. Defaults to 15 minutes. */\n  magicLinkTtlSeconds?: number;\n  /**\n   * Per-email rate limit on magic-link requests, keyed in the same KV\n   * namespace `kv` resolves. Defaults to 3 requests / 15 minutes. Pass\n   * `false` to disable.\n   */\n  rateLimit?: { limit: number; windowSeconds: number } | false;\n  /** Path the verify GET handler is mounted at — used to build the emailed link. Defaults to \"/api/auth/verify\". */\n  verifyPath?: string;\n  /** Path to redirect to on a failed verify, with `?error=invalid|unauthorized` appended. Defaults to \"/login\". */\n  loginPath?: string;\n  /** Redirect target after a successful verify when no `redirect` param was supplied. Defaults to \"/\". */\n  defaultRedirect?: string | ((context: APIContext) => string);\n  /**\n   * Whether this request should skip emailing and log the link instead —\n   * see `onLocalDev`. Defaults to checking for a localhost/127.0.0.1\n   * request hostname, since no deployed environment is ever literally\n   * that (unlike checking `sendMagicLinkEmail`'s own success/failure,\n   * which local email emulators can mask).\n   */\n  isLocalDev?: (context: APIContext) => boolean;\n  /** Called instead of `sendMagicLinkEmail` when `isLocalDev` is true. Defaults to a console.log of the link. */\n  onLocalDev?: (\n    context: APIContext,\n    params: { email: string; verifyUrl: URL },\n  ) => void | Promise<void>;\n}\n\nfunction defaultIsLocalDev(context: APIContext): boolean {\n  const hostname = context.url.hostname;\n  return hostname === \"localhost\" || hostname === \"127.0.0.1\";\n}\n\nfunction defaultOnLocalDev(\n  _context: APIContext,\n  { email, verifyUrl }: { email: string; verifyUrl: URL },\n): void {\n  console.log(`[dev] Magic link for ${email}: ${verifyUrl.toString()}`);\n}\n\n/**\n * Builds the magic-link request (`POST`) and verify (`GET`) Astro\n * `APIRoute` handlers — mount both at the same route, e.g.\n * `export const { POST, GET } = createMagicLinkHandlers(options)` from\n * `src/pages/api/auth/[...path].ts`, or wire `POST`/`GET` into separate\n * `magic-link.ts`/`verify.ts` routes matching `verifyPath` below.\n */\nexport function createMagicLinkHandlers<TUser>(\n  options: MagicLinkHandlersOptions<TUser>,\n): { POST: APIRoute; GET: APIRoute } {\n  const cookieName = options.cookieName ?? DEFAULT_COOKIE_NAME;\n  const cookieMaxAgeSeconds =\n    options.cookieMaxAgeSeconds ?? DEFAULT_COOKIE_MAX_AGE_SECONDS;\n  const magicLinkTtlSeconds =\n    options.magicLinkTtlSeconds ?? DEFAULT_MAGIC_LINK_TTL_SECONDS;\n  const rateLimit =\n    options.rateLimit === false\n      ? null\n      : (options.rateLimit ?? DEFAULT_RATE_LIMIT);\n  const verifyPath = options.verifyPath ?? \"/api/auth/verify\";\n  const loginPath = options.loginPath ?? \"/login\";\n  const isLocalDev = options.isLocalDev ?? defaultIsLocalDev;\n  const onLocalDev = options.onLocalDev ?? defaultOnLocalDev;\n\n  const POST: APIRoute = async (context) => {\n    const body = await context.request\n      .json<{ email?: string; redirect?: string }>()\n      .catch(() => null);\n    const email = body?.email?.trim().toLowerCase();\n    if (!email) return Response.json({ ok: true });\n\n    const redirect = isSafeRedirect(body?.redirect) ? body.redirect : null;\n\n    const kv = options.kv(context);\n\n    if (rateLimit) {\n      const { allowed } = await checkRateLimit(\n        kv,\n        `magiclink:ratelimit:${email}`,\n        rateLimit.limit,\n        rateLimit.windowSeconds,\n      );\n      if (!allowed) return Response.json({ ok: true });\n    }\n\n    const user = await options.findUser(context, email);\n    if (!user) return Response.json({ ok: true });\n\n    const token = generateToken();\n    const hash = await hashToken(token);\n    await kv.put(`magiclink:${hash}`, email, {\n      expirationTtl: magicLinkTtlSeconds,\n    });\n\n    const verifyUrl = new URL(verifyPath, context.url);\n    verifyUrl.searchParams.set(\"token\", token);\n    if (redirect) verifyUrl.searchParams.set(\"redirect\", redirect);\n\n    if (isLocalDev(context)) {\n      await onLocalDev(context, { email, verifyUrl });\n    } else {\n      await options.sendMagicLinkEmail(context, { email, verifyUrl });\n    }\n\n    return Response.json({ ok: true });\n  };\n\n  const GET: APIRoute = async (context) => {\n    const token = context.url.searchParams.get(\"token\");\n    if (!token) return context.redirect(`${loginPath}?error=invalid`);\n\n    const kv = options.kv(context);\n    const hash = await hashToken(token);\n    const key = `magiclink:${hash}`;\n\n    // Single use, and retried — see cadmus/session's getSession for why\n    // a read immediately following the write above can otherwise see a\n    // false negative under KV's eventual consistency.\n    let email: string | null = null;\n    for (let attempt = 0; attempt <= KV_RETRY_ATTEMPTS; attempt++) {\n      email = await kv.get(key);\n      if (email !== null) break;\n      if (attempt < KV_RETRY_ATTEMPTS) await sleep(KV_RETRY_DELAY_MS);\n    }\n    if (email === null) return context.redirect(`${loginPath}?error=invalid`);\n    await kv.delete(key);\n\n    const user = await options.findUser(context, email);\n    if (!user) return context.redirect(`${loginPath}?error=unauthorized`);\n\n    const { sessionId } = await options.createSession(context, user);\n    const signature = await signSession(sessionId, options.secret(context));\n\n    context.cookies.set(cookieName, `${sessionId}.${signature}`, {\n      httpOnly: true,\n      secure: true,\n      sameSite: \"lax\",\n      path: \"/\",\n      maxAge: cookieMaxAgeSeconds,\n    });\n\n    // Re-validated here too — this query param isn't signed alongside\n    // the token, so the request-side check above doesn't cover it.\n    const requestedRedirect = context.url.searchParams.get(\"redirect\");\n    const redirectTo = isSafeRedirect(requestedRedirect)\n      ? requestedRedirect\n      : resolve(options.defaultRedirect, context, \"/\");\n    return context.redirect(redirectTo);\n  };\n\n  return { POST, GET };\n}\n\nexport interface LogoutHandlerOptions {\n  /** Cookie name the session is signed into. Must match createMagicLinkHandlers' `cookieName`. */\n  cookieName?: string;\n  /** Deletes the session identified by the cookie's session ID (e.g. from KV). */\n  deleteSession: (context: APIContext, sessionId: string) => Promise<void>;\n  /** Where to redirect after logout. Defaults to \"/login\". */\n  redirectTo?: string | ((context: APIContext) => string);\n}\n\n/** Builds a logout `APIRoute` — clears the session cookie and its backing store entry. */\nexport function createLogoutHandler(options: LogoutHandlerOptions): APIRoute {\n  const cookieName = options.cookieName ?? DEFAULT_COOKIE_NAME;\n\n  return async (context) => {\n    const cookieValue = context.cookies.get(cookieName)?.value;\n    if (cookieValue) {\n      const [sessionId] = cookieValue.split(\".\");\n      if (sessionId) await options.deleteSession(context, sessionId);\n    }\n    context.cookies.delete(cookieName, { path: \"/\" });\n    return context.redirect(resolve(options.redirectTo, context, \"/login\"));\n  };\n}\n\nexport interface AuthGuardOptions<TSession> {\n  /** Cookie name the session is signed into. Must match createMagicLinkHandlers' `cookieName`. */\n  cookieName?: string;\n  /** Resolves the secret session cookies are HMAC-signed with — must match createMagicLinkHandlers' `secret`. */\n  secret: (context: APIContext) => string;\n  /** Reads the session for a verified session ID (e.g. from KV). Returning null treats the session as missing. */\n  getSession: (\n    context: APIContext,\n    sessionId: string,\n  ) => Promise<TSession | null>;\n  /** Key set on `context.locals`. Defaults to \"session\". */\n  localsKey?: string;\n}\n\n/**\n * Astro middleware that verifies the session cookie's signature and\n * populates `context.locals[localsKey]` with the resolved session, or\n * null if there isn't one. Mirrors `cadmusAuth()`'s role in the Hono\n * layer: it authenticates the request, it doesn't gate access — pages\n * and routes downstream decide what to do with a null session.\n */\nexport function cadmusAuthGuard<TSession>(\n  options: AuthGuardOptions<TSession>,\n): MiddlewareHandler {\n  const cookieName = options.cookieName ?? DEFAULT_COOKIE_NAME;\n  const localsKey = options.localsKey ?? \"session\";\n\n  const handler: MiddlewareHandler = async (context, next) => {\n    const cookieValue = context.cookies.get(cookieName)?.value;\n    let session: TSession | null = null;\n\n    if (cookieValue) {\n      const [sessionId, signature] = cookieValue.split(\".\");\n      if (sessionId && signature) {\n        const valid = await verifySession(\n          sessionId,\n          signature,\n          options.secret(context),\n        );\n        if (valid) session = await options.getSession(context, sessionId);\n      }\n    }\n\n    (context.locals as Record<string, unknown>)[localsKey] = session;\n    return next();\n  };\n\n  return handler;\n}\n"],"mappings":";;;;AAiCA,MAAM,sBAAsB;AAC5B,MAAM,iCAAiC,OAAU,KAAK;AACtD,MAAM,iCAAiC;AACvC,MAAM,qBAAqB;CAAE,OAAO;CAAG,eAAe;AAAQ;AAC9D,MAAM,oBAAoB;AAC1B,MAAM,oBAAoB;AAE1B,SAAS,MAAM,IAA2B;CACxC,OAAO,IAAI,SAAS,YAAY,WAAW,SAAS,EAAE,CAAC;AACzD;AAIA,SAAS,eAAe,OAAmD;CACzE,OAAO,CAAC,CAAC,SAAS,MAAM,WAAW,GAAG,KAAK,CAAC,MAAM,WAAW,IAAI;AACnE;AAEA,SAAS,QACP,OACA,SACA,UACQ;CACR,IAAI,UAAU,KAAA,GAAW,OAAO;CAChC,OAAO,OAAO,UAAU,aAAa,MAAM,OAAO,IAAI;AACxD;AAyDA,SAAS,kBAAkB,SAA8B;CACvD,MAAM,WAAW,QAAQ,IAAI;CAC7B,OAAO,aAAa,eAAe,aAAa;AAClD;AAEA,SAAS,kBACP,UACA,EAAE,OAAO,aACH;CACN,QAAQ,IAAI,wBAAwB,MAAM,IAAI,UAAU,SAAS,GAAG;AACtE;;;;;;;;AASA,SAAgB,wBACd,SACmC;CACnC,MAAM,aAAa,QAAQ,cAAc;CACzC,MAAM,sBACJ,QAAQ,uBAAuB;CACjC,MAAM,sBACJ,QAAQ,uBAAuB;CACjC,MAAM,YACJ,QAAQ,cAAc,QAClB,OACC,QAAQ,aAAa;CAC5B,MAAM,aAAa,QAAQ,cAAc;CACzC,MAAM,YAAY,QAAQ,aAAa;CACvC,MAAM,aAAa,QAAQ,cAAc;CACzC,MAAM,aAAa,QAAQ,cAAc;CAEzC,MAAM,OAAiB,OAAO,YAAY;EACxC,MAAM,OAAO,MAAM,QAAQ,QACxB,KAA4C,CAAC,CAC7C,YAAY,IAAI;EACnB,MAAM,QAAQ,MAAM,OAAO,KAAK,CAAC,CAAC,YAAY;EAC9C,IAAI,CAAC,OAAO,OAAO,SAAS,KAAK,EAAE,IAAI,KAAK,CAAC;EAE7C,MAAM,WAAW,eAAe,MAAM,QAAQ,IAAI,KAAK,WAAW;EAElE,MAAM,KAAK,QAAQ,GAAG,OAAO;EAE7B,IAAI,WAAW;GACb,MAAM,EAAE,YAAY,MAAMA,yBAAAA,eACxB,IACA,uBAAuB,SACvB,UAAU,OACV,UAAU,aACZ;GACA,IAAI,CAAC,SAAS,OAAO,SAAS,KAAK,EAAE,IAAI,KAAK,CAAC;EACjD;EAGA,IAAI,CAAC,MADc,QAAQ,SAAS,SAAS,KAAK,GACvC,OAAO,SAAS,KAAK,EAAE,IAAI,KAAK,CAAC;EAE5C,MAAM,QAAQC,mBAAAA,cAAc;EAC5B,MAAM,OAAO,MAAMC,mBAAAA,UAAU,KAAK;EAClC,MAAM,GAAG,IAAI,aAAa,QAAQ,OAAO,EACvC,eAAe,oBACjB,CAAC;EAED,MAAM,YAAY,IAAI,IAAI,YAAY,QAAQ,GAAG;EACjD,UAAU,aAAa,IAAI,SAAS,KAAK;EACzC,IAAI,UAAU,UAAU,aAAa,IAAI,YAAY,QAAQ;EAE7D,IAAI,WAAW,OAAO,GACpB,MAAM,WAAW,SAAS;GAAE;GAAO;EAAU,CAAC;OAE9C,MAAM,QAAQ,mBAAmB,SAAS;GAAE;GAAO;EAAU,CAAC;EAGhE,OAAO,SAAS,KAAK,EAAE,IAAI,KAAK,CAAC;CACnC;CAEA,MAAM,MAAgB,OAAO,YAAY;EACvC,MAAM,QAAQ,QAAQ,IAAI,aAAa,IAAI,OAAO;EAClD,IAAI,CAAC,OAAO,OAAO,QAAQ,SAAS,GAAG,UAAU,eAAe;EAEhE,MAAM,KAAK,QAAQ,GAAG,OAAO;EAE7B,MAAM,MAAM,aAAa,MADNA,mBAAAA,UAAU,KAAK;EAMlC,IAAI,QAAuB;EAC3B,KAAK,IAAI,UAAU,GAAG,WAAW,mBAAmB,WAAW;GAC7D,QAAQ,MAAM,GAAG,IAAI,GAAG;GACxB,IAAI,UAAU,MAAM;GACpB,IAAI,UAAU,mBAAmB,MAAM,MAAM,iBAAiB;EAChE;EACA,IAAI,UAAU,MAAM,OAAO,QAAQ,SAAS,GAAG,UAAU,eAAe;EACxE,MAAM,GAAG,OAAO,GAAG;EAEnB,MAAM,OAAO,MAAM,QAAQ,SAAS,SAAS,KAAK;EAClD,IAAI,CAAC,MAAM,OAAO,QAAQ,SAAS,GAAG,UAAU,oBAAoB;EAEpE,MAAM,EAAE,cAAc,MAAM,QAAQ,cAAc,SAAS,IAAI;EAC/D,MAAM,YAAY,MAAMC,mBAAAA,YAAY,WAAW,QAAQ,OAAO,OAAO,CAAC;EAEtE,QAAQ,QAAQ,IAAI,YAAY,GAAG,UAAU,GAAG,aAAa;GAC3D,UAAU;GACV,QAAQ;GACR,UAAU;GACV,MAAM;GACN,QAAQ;EACV,CAAC;EAID,MAAM,oBAAoB,QAAQ,IAAI,aAAa,IAAI,UAAU;EACjE,MAAM,aAAa,eAAe,iBAAiB,IAC/C,oBACA,QAAQ,QAAQ,iBAAiB,SAAS,GAAG;EACjD,OAAO,QAAQ,SAAS,UAAU;CACpC;CAEA,OAAO;EAAE;EAAM;CAAI;AACrB;;AAYA,SAAgB,oBAAoB,SAAyC;CAC3E,MAAM,aAAa,QAAQ,cAAc;CAEzC,OAAO,OAAO,YAAY;EACxB,MAAM,cAAc,QAAQ,QAAQ,IAAI,UAAU,CAAC,EAAE;EACrD,IAAI,aAAa;GACf,MAAM,CAAC,aAAa,YAAY,MAAM,GAAG;GACzC,IAAI,WAAW,MAAM,QAAQ,cAAc,SAAS,SAAS;EAC/D;EACA,QAAQ,QAAQ,OAAO,YAAY,EAAE,MAAM,IAAI,CAAC;EAChD,OAAO,QAAQ,SAAS,QAAQ,QAAQ,YAAY,SAAS,QAAQ,CAAC;CACxE;AACF;;;;;;;;AAuBA,SAAgB,gBACd,SACmB;CACnB,MAAM,aAAa,QAAQ,cAAc;CACzC,MAAM,YAAY,QAAQ,aAAa;CAEvC,MAAM,UAA6B,OAAO,SAAS,SAAS;EAC1D,MAAM,cAAc,QAAQ,QAAQ,IAAI,UAAU,CAAC,EAAE;EACrD,IAAI,UAA2B;EAE/B,IAAI,aAAa;GACf,MAAM,CAAC,WAAW,aAAa,YAAY,MAAM,GAAG;GACpD,IAAI,aAAa;QAMX,MALgBC,mBAAAA,cAClB,WACA,WACA,QAAQ,OAAO,OAAO,CACxB,GACW,UAAU,MAAM,QAAQ,WAAW,SAAS,SAAS;GAAA;EAEpE;EAEA,QAAS,OAAmC,aAAa;EACzD,OAAO,KAAK;CACd;CAEA,OAAO;AACT"}

package/dist/astro/index.d.cts

@@ -0,0 +1,101 @@
+import { APIContext, APIRoute, MiddlewareHandler } from "astro";
+
+//#region src/astro/index.d.ts
+interface MagicLinkHandlersOptions<TUser> {
+  /** Resolves the KV namespace magic-link tokens are stored in, per request. */
+  kv: (context: APIContext) => KVNamespace;
+  /** Resolves the secret session cookies are HMAC-signed with — must match cadmusAuthGuard's `secret`. */
+  secret: (context: APIContext) => string;
+  /**
+   * Looks up the user a request's email belongs to. Returning null is
+   * indistinguishable to the client from a successful send — this is
+   * the anti-enumeration guarantee the same way the hand-rolled
+   * Worker 1 route this replaces always returned `{ ok: true }`.
+   */
+  findUser: (context: APIContext, email: string) => Promise<TUser | null>;
+  /** Creates a session for a verified user, returning the session ID to sign into the cookie. */
+  createSession: (context: APIContext, user: TUser) => Promise<{
+    sessionId: string;
+  }>;
+  /** Sends the magic-link email. Not called when `isLocalDev` returns true — see that option. */
+  sendMagicLinkEmail: (context: APIContext, params: {
+    email: string;
+    verifyUrl: URL;
+  }) => Promise<void>;
+  /** Cookie name the session is signed into. Defaults to "cadmus_session". */
+  cookieName?: string;
+  /** Cookie `maxAge` in seconds. Defaults to 7 days. */
+  cookieMaxAgeSeconds?: number;
+  /** Magic-link token TTL in seconds. Defaults to 15 minutes. */
+  magicLinkTtlSeconds?: number;
+  /**
+   * Per-email rate limit on magic-link requests, keyed in the same KV
+   * namespace `kv` resolves. Defaults to 3 requests / 15 minutes. Pass
+   * `false` to disable.
+   */
+  rateLimit?: {
+    limit: number;
+    windowSeconds: number;
+  } | false;
+  /** Path the verify GET handler is mounted at — used to build the emailed link. Defaults to "/api/auth/verify". */
+  verifyPath?: string;
+  /** Path to redirect to on a failed verify, with `?error=invalid|unauthorized` appended. Defaults to "/login". */
+  loginPath?: string;
+  /** Redirect target after a successful verify when no `redirect` param was supplied. Defaults to "/". */
+  defaultRedirect?: string | ((context: APIContext) => string);
+  /**
+   * Whether this request should skip emailing and log the link instead —
+   * see `onLocalDev`. Defaults to checking for a localhost/127.0.0.1
+   * request hostname, since no deployed environment is ever literally
+   * that (unlike checking `sendMagicLinkEmail`'s own success/failure,
+   * which local email emulators can mask).
+   */
+  isLocalDev?: (context: APIContext) => boolean;
+  /** Called instead of `sendMagicLinkEmail` when `isLocalDev` is true. Defaults to a console.log of the link. */
+  onLocalDev?: (context: APIContext, params: {
+    email: string;
+    verifyUrl: URL;
+  }) => void | Promise<void>;
+}
+/**
+ * Builds the magic-link request (`POST`) and verify (`GET`) Astro
+ * `APIRoute` handlers — mount both at the same route, e.g.
+ * `export const { POST, GET } = createMagicLinkHandlers(options)` from
+ * `src/pages/api/auth/[...path].ts`, or wire `POST`/`GET` into separate
+ * `magic-link.ts`/`verify.ts` routes matching `verifyPath` below.
+ */
+declare function createMagicLinkHandlers<TUser>(options: MagicLinkHandlersOptions<TUser>): {
+  POST: APIRoute;
+  GET: APIRoute;
+};
+interface LogoutHandlerOptions {
+  /** Cookie name the session is signed into. Must match createMagicLinkHandlers' `cookieName`. */
+  cookieName?: string;
+  /** Deletes the session identified by the cookie's session ID (e.g. from KV). */
+  deleteSession: (context: APIContext, sessionId: string) => Promise<void>;
+  /** Where to redirect after logout. Defaults to "/login". */
+  redirectTo?: string | ((context: APIContext) => string);
+}
+/** Builds a logout `APIRoute` — clears the session cookie and its backing store entry. */
+declare function createLogoutHandler(options: LogoutHandlerOptions): APIRoute;
+interface AuthGuardOptions<TSession> {
+  /** Cookie name the session is signed into. Must match createMagicLinkHandlers' `cookieName`. */
+  cookieName?: string;
+  /** Resolves the secret session cookies are HMAC-signed with — must match createMagicLinkHandlers' `secret`. */
+  secret: (context: APIContext) => string;
+  /** Reads the session for a verified session ID (e.g. from KV). Returning null treats the session as missing. */
+  getSession: (context: APIContext, sessionId: string) => Promise<TSession | null>;
+  /** Key set on `context.locals`. Defaults to "session". */
+  localsKey?: string;
+}
+/**
+ * Astro middleware that verifies the session cookie's signature and
+ * populates `context.locals[localsKey]` with the resolved session, or
+ * null if there isn't one. Mirrors `cadmusAuth()`'s role in the Hono
+ * layer: it authenticates the request, it doesn't gate access — pages
+ * and routes downstream decide what to do with a null session.
+ */
+declare function cadmusAuthGuard<TSession>(options: AuthGuardOptions<TSession>): MiddlewareHandler;
+//#endregion
+export { AuthGuardOptions, LogoutHandlerOptions, MagicLinkHandlersOptions, cadmusAuthGuard, createLogoutHandler, createMagicLinkHandlers };
+//# sourceMappingURL=index.d.cts.map

package/dist/astro/index.d.cts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.cts","names":[],"sources":["../../src/astro/index.ts"],"mappings":";;;UA2DiB,wBAAA;;EAEf,EAAA,GAAK,OAAA,EAAS,UAAA,KAAe,WAAA;EAFU;EAIvC,MAAA,GAAS,OAAA,EAAS,UAAA;EAFJ;;;;;;EASd,QAAA,GAAW,OAAA,EAAS,UAAA,EAAY,KAAA,aAAkB,OAAA,CAAQ,KAAA;EAIlD;EAFR,aAAA,GACE,OAAA,EAAS,UAAA,EACT,IAAA,EAAM,KAAA,KACH,OAAA;IAAU,SAAA;EAAA;EAKV;EAHL,kBAAA,GACE,OAAA,EAAS,UAAA,EACT,MAAA;IAAU,KAAA;IAAe,SAAA,EAAW,GAAA;EAAA,MACjC,OAAA;EA+BO;EA7BZ,UAAA;EA6BmB;EA3BnB,mBAAA;EAvBA;EAyBA,mBAAA;EAzBK;;;;;EA+BL,SAAA;IAAc,KAAA;IAAe,aAAA;EAAA;EAtBqB;EAwBlD,UAAA;EAtBA;EAwBA,SAAA;EAvBE;EAyBF,eAAA,cAA6B,OAAA,EAAS,UAAA;EAxBpC;;;;;;;EAgCF,UAAA,IAAc,OAAA,EAAS,UAAA;EA3Be;EA6BtC,UAAA,IACE,OAAA,EAAS,UAAA,EACT,MAAA;IAAU,KAAA;IAAe,SAAA,EAAW,GAAA;EAAA,aAC1B,OAAA;AAAA;;;;;;;;iBAsBE,uBAAA,QACd,OAAA,EAAS,wBAAA,CAAyB,KAAA;EAC/B,IAAA,EAAM,QAAA;EAAU,GAAA,EAAK,QAAA;AAAA;AAAA,UAwGT,oBAAA;EAlIJ;EAoIX,UAAA;EAnIY;EAqIZ,aAAA,GAAgB,OAAA,EAAS,UAAA,EAAY,SAAA,aAAsB,OAAA;EArIrB;EAuItC,UAAA,cAAwB,OAAA,EAAS,UAAA;AAAA;;iBAInB,mBAAA,CAAoB,OAAA,EAAS,oBAAA,GAAuB,QAAQ;AAAA,UAc3D,gBAAA;EAlIsB;EAoIrC,UAAA;EAnIkC;EAqIlC,MAAA,GAAS,OAAA,EAAS,UAAA;EApIT;EAsIT,UAAA,GACE,OAAA,EAAS,UAAA,EACT,SAAA,aACG,OAAA,CAAQ,QAAA;EAzImB;EA2IhC,SAAA;AAAA;;;;;;;;iBAUc,eAAA,WACd,OAAA,EAAS,gBAAA,CAAiB,QAAA,IACzB,iBAAA"}

package/dist/astro/index.d.ts

@@ -0,0 +1,101 @@
+import { APIContext, APIRoute, MiddlewareHandler } from "astro";
+
+//#region src/astro/index.d.ts
+interface MagicLinkHandlersOptions<TUser> {
+  /** Resolves the KV namespace magic-link tokens are stored in, per request. */
+  kv: (context: APIContext) => KVNamespace;
+  /** Resolves the secret session cookies are HMAC-signed with — must match cadmusAuthGuard's `secret`. */
+  secret: (context: APIContext) => string;
+  /**
+   * Looks up the user a request's email belongs to. Returning null is
+   * indistinguishable to the client from a successful send — this is
+   * the anti-enumeration guarantee the same way the hand-rolled
+   * Worker 1 route this replaces always returned `{ ok: true }`.
+   */
+  findUser: (context: APIContext, email: string) => Promise<TUser | null>;
+  /** Creates a session for a verified user, returning the session ID to sign into the cookie. */
+  createSession: (context: APIContext, user: TUser) => Promise<{
+    sessionId: string;
+  }>;
+  /** Sends the magic-link email. Not called when `isLocalDev` returns true — see that option. */
+  sendMagicLinkEmail: (context: APIContext, params: {
+    email: string;
+    verifyUrl: URL;
+  }) => Promise<void>;
+  /** Cookie name the session is signed into. Defaults to "cadmus_session". */
+  cookieName?: string;
+  /** Cookie `maxAge` in seconds. Defaults to 7 days. */
+  cookieMaxAgeSeconds?: number;
+  /** Magic-link token TTL in seconds. Defaults to 15 minutes. */
+  magicLinkTtlSeconds?: number;
+  /**
+   * Per-email rate limit on magic-link requests, keyed in the same KV
+   * namespace `kv` resolves. Defaults to 3 requests / 15 minutes. Pass
+   * `false` to disable.
+   */
+  rateLimit?: {
+    limit: number;
+    windowSeconds: number;
+  } | false;
+  /** Path the verify GET handler is mounted at — used to build the emailed link. Defaults to "/api/auth/verify". */
+  verifyPath?: string;
+  /** Path to redirect to on a failed verify, with `?error=invalid|unauthorized` appended. Defaults to "/login". */
+  loginPath?: string;
+  /** Redirect target after a successful verify when no `redirect` param was supplied. Defaults to "/". */
+  defaultRedirect?: string | ((context: APIContext) => string);
+  /**
+   * Whether this request should skip emailing and log the link instead —
+   * see `onLocalDev`. Defaults to checking for a localhost/127.0.0.1
+   * request hostname, since no deployed environment is ever literally
+   * that (unlike checking `sendMagicLinkEmail`'s own success/failure,
+   * which local email emulators can mask).
+   */
+  isLocalDev?: (context: APIContext) => boolean;
+  /** Called instead of `sendMagicLinkEmail` when `isLocalDev` is true. Defaults to a console.log of the link. */
+  onLocalDev?: (context: APIContext, params: {
+    email: string;
+    verifyUrl: URL;
+  }) => void | Promise<void>;
+}
+/**
+ * Builds the magic-link request (`POST`) and verify (`GET`) Astro
+ * `APIRoute` handlers — mount both at the same route, e.g.
+ * `export const { POST, GET } = createMagicLinkHandlers(options)` from
+ * `src/pages/api/auth/[...path].ts`, or wire `POST`/`GET` into separate
+ * `magic-link.ts`/`verify.ts` routes matching `verifyPath` below.
+ */
+declare function createMagicLinkHandlers<TUser>(options: MagicLinkHandlersOptions<TUser>): {
+  POST: APIRoute;
+  GET: APIRoute;
+};
+interface LogoutHandlerOptions {
+  /** Cookie name the session is signed into. Must match createMagicLinkHandlers' `cookieName`. */
+  cookieName?: string;
+  /** Deletes the session identified by the cookie's session ID (e.g. from KV). */
+  deleteSession: (context: APIContext, sessionId: string) => Promise<void>;
+  /** Where to redirect after logout. Defaults to "/login". */
+  redirectTo?: string | ((context: APIContext) => string);
+}
+/** Builds a logout `APIRoute` — clears the session cookie and its backing store entry. */
+declare function createLogoutHandler(options: LogoutHandlerOptions): APIRoute;
+interface AuthGuardOptions<TSession> {
+  /** Cookie name the session is signed into. Must match createMagicLinkHandlers' `cookieName`. */
+  cookieName?: string;
+  /** Resolves the secret session cookies are HMAC-signed with — must match createMagicLinkHandlers' `secret`. */
+  secret: (context: APIContext) => string;
+  /** Reads the session for a verified session ID (e.g. from KV). Returning null treats the session as missing. */
+  getSession: (context: APIContext, sessionId: string) => Promise<TSession | null>;
+  /** Key set on `context.locals`. Defaults to "session". */
+  localsKey?: string;
+}
+/**
+ * Astro middleware that verifies the session cookie's signature and
+ * populates `context.locals[localsKey]` with the resolved session, or
+ * null if there isn't one. Mirrors `cadmusAuth()`'s role in the Hono
+ * layer: it authenticates the request, it doesn't gate access — pages
+ * and routes downstream decide what to do with a null session.
+ */
+declare function cadmusAuthGuard<TSession>(options: AuthGuardOptions<TSession>): MiddlewareHandler;
+//#endregion
+export { AuthGuardOptions, LogoutHandlerOptions, MagicLinkHandlersOptions, cadmusAuthGuard, createLogoutHandler, createMagicLinkHandlers };
+//# sourceMappingURL=index.d.ts.map

package/dist/astro/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","names":[],"sources":["../../src/astro/index.ts"],"mappings":";;;UA2DiB,wBAAA;;EAEf,EAAA,GAAK,OAAA,EAAS,UAAA,KAAe,WAAA;EAFU;EAIvC,MAAA,GAAS,OAAA,EAAS,UAAA;EAFJ;;;;;;EASd,QAAA,GAAW,OAAA,EAAS,UAAA,EAAY,KAAA,aAAkB,OAAA,CAAQ,KAAA;EAIlD;EAFR,aAAA,GACE,OAAA,EAAS,UAAA,EACT,IAAA,EAAM,KAAA,KACH,OAAA;IAAU,SAAA;EAAA;EAKV;EAHL,kBAAA,GACE,OAAA,EAAS,UAAA,EACT,MAAA;IAAU,KAAA;IAAe,SAAA,EAAW,GAAA;EAAA,MACjC,OAAA;EA+BO;EA7BZ,UAAA;EA6BmB;EA3BnB,mBAAA;EAvBA;EAyBA,mBAAA;EAzBK;;;;;EA+BL,SAAA;IAAc,KAAA;IAAe,aAAA;EAAA;EAtBqB;EAwBlD,UAAA;EAtBA;EAwBA,SAAA;EAvBE;EAyBF,eAAA,cAA6B,OAAA,EAAS,UAAA;EAxBpC;;;;;;;EAgCF,UAAA,IAAc,OAAA,EAAS,UAAA;EA3Be;EA6BtC,UAAA,IACE,OAAA,EAAS,UAAA,EACT,MAAA;IAAU,KAAA;IAAe,SAAA,EAAW,GAAA;EAAA,aAC1B,OAAA;AAAA;;;;;;;;iBAsBE,uBAAA,QACd,OAAA,EAAS,wBAAA,CAAyB,KAAA;EAC/B,IAAA,EAAM,QAAA;EAAU,GAAA,EAAK,QAAA;AAAA;AAAA,UAwGT,oBAAA;EAlIJ;EAoIX,UAAA;EAnIY;EAqIZ,aAAA,GAAgB,OAAA,EAAS,UAAA,EAAY,SAAA,aAAsB,OAAA;EArIrB;EAuItC,UAAA,cAAwB,OAAA,EAAS,UAAA;AAAA;;iBAInB,mBAAA,CAAoB,OAAA,EAAS,oBAAA,GAAuB,QAAQ;AAAA,UAc3D,gBAAA;EAlIsB;EAoIrC,UAAA;EAnIkC;EAqIlC,MAAA,GAAS,OAAA,EAAS,UAAA;EApIT;EAsIT,UAAA,GACE,OAAA,EAAS,UAAA,EACT,SAAA,aACG,OAAA,CAAQ,QAAA;EAzImB;EA2IhC,SAAA;AAAA;;;;;;;;iBAUc,eAAA,WACd,OAAA,EAAS,gBAAA,CAAiB,QAAA,IACzB,iBAAA"}