npm - @valentinkolb/cloud - Versions diffs - 0.1.0 - Mend

@valentinkolb/cloud 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (196) hide show

package/package.json +69 -0
package/public/logo.svg +1 -0
package/scripts/build.ts +113 -0
package/scripts/preload.ts +73 -0
package/src/_internal/define-app.ts +399 -0
package/src/_internal/heartbeat.ts +33 -0
package/src/_internal/registry.ts +100 -0
package/src/_internal/runtime-context.ts +38 -0
package/src/api/accounts-entities.ts +134 -0
package/src/api/admin-lifecycle.ts +210 -0
package/src/api/auth/schemas.ts +28 -0
package/src/api/auth.ts +230 -0
package/src/api/index.ts +66 -0
package/src/api/me.ts +206 -0
package/src/api/search/schemas.ts +43 -0
package/src/api/search.ts +130 -0
package/src/clients/core.ts +19 -0
package/src/config/env.ts +23 -0
package/src/config/index.ts +6 -0
package/src/config/ssr.ts +58 -0
package/src/contracts/app.ts +140 -0
package/src/contracts/index.ts +5 -0
package/src/contracts/profile.ts +67 -0
package/src/contracts/registry.ts +50 -0
package/src/contracts/settings-types.ts +84 -0
package/src/contracts/shared.ts +258 -0
package/src/contracts/widgets.ts +121 -0
package/src/index.ts +6 -0
package/src/server/api/index.ts +1 -0
package/src/server/api/respond.ts +55 -0
package/src/server/api-client.ts +54 -0
package/src/server/app-context.ts +39 -0
package/src/server/index.ts +62 -0
package/src/server/middleware/auth.ts +168 -0
package/src/server/middleware/index.ts +7 -0
package/src/server/middleware/middleware.ts +47 -0
package/src/server/middleware/openapi.ts +126 -0
package/src/server/middleware/rate-limit.ts +126 -0
package/src/server/middleware/request-logger.ts +41 -0
package/src/server/middleware/validator.ts +35 -0
package/src/server/services/access.ts +294 -0
package/src/server/services/freeipa/client.ts +100 -0
package/src/server/services/freeipa/index.ts +9 -0
package/src/server/services/freeipa/session.ts +78 -0
package/src/server/services/freeipa/tls.ts +48 -0
package/src/server/services/freeipa/util.ts +60 -0
package/src/server/services/geo.ts +154 -0
package/src/server/services/index.ts +28 -0
package/src/server/services/services.ts +13 -0
package/src/services/account-lifecycle/audit.ts +41 -0
package/src/services/account-lifecycle/index.ts +907 -0
package/src/services/account-lifecycle/scheduler.ts +347 -0
package/src/services/account-model.ts +21 -0
package/src/services/accounts/app.ts +966 -0
package/src/services/accounts/authz.ts +22 -0
package/src/services/accounts/base-group.ts +11 -0
package/src/services/accounts/base-user.ts +45 -0
package/src/services/accounts/entities.ts +529 -0
package/src/services/accounts/group-sql.ts +106 -0
package/src/services/accounts/groups.ts +246 -0
package/src/services/accounts/index.ts +14 -0
package/src/services/accounts/ipa-data.ts +64 -0
package/src/services/accounts/lifecycle.ts +2 -0
package/src/services/accounts/local-groups.ts +491 -0
package/src/services/accounts/model.ts +135 -0
package/src/services/accounts/switching.ts +117 -0
package/src/services/accounts/users.ts +714 -0
package/src/services/auth-flows/index.ts +6 -0
package/src/services/auth-flows/ipa.ts +128 -0
package/src/services/auth-flows/magic-link.ts +119 -0
package/src/services/freeipa-config.ts +89 -0
package/src/services/index.ts +46 -0
package/src/services/ipa/auth.ts +122 -0
package/src/services/ipa/groups.ts +684 -0
package/src/services/ipa/guard.ts +17 -0
package/src/services/ipa/index.ts +17 -0
package/src/services/ipa/profile.ts +90 -0
package/src/services/ipa/search.ts +154 -0
package/src/services/ipa/sync.ts +740 -0
package/src/services/ipa/users.ts +794 -0
package/src/services/logging/index.ts +294 -0
package/src/services/notifications/email.ts +123 -0
package/src/services/notifications/index.ts +413 -0
package/src/services/postgres.ts +51 -0
package/src/services/providers/index.ts +27 -0
package/src/services/providers/local/auth.ts +13 -0
package/src/services/providers/local/index.ts +4 -0
package/src/services/providers/local/users.ts +255 -0
package/src/services/session/index.ts +137 -0
package/src/services/settings/api.ts +61 -0
package/src/services/settings/app.ts +101 -0
package/src/services/settings/crypto.ts +69 -0
package/src/services/settings/defaults.ts +824 -0
package/src/services/settings/index.ts +203 -0
package/src/services/settings/namespace.ts +9 -0
package/src/services/settings/snapshot.ts +49 -0
package/src/services/settings/store.ts +179 -0
package/src/services/settings/templates.ts +10 -0
package/src/services/weather/forecast.ts +287 -0
package/src/services/weather/geo.ts +110 -0
package/src/services/weather/index.ts +99 -0
package/src/services/weather/location.ts +24 -0
package/src/services/weather/locations.ts +125 -0
package/src/services/weather/migrate.ts +22 -0
package/src/services/weather/types.ts +61 -0
package/src/services/weather/ui.ts +50 -0
package/src/shared/account-display.ts +17 -0
package/src/shared/account-session.ts +15 -0
package/src/shared/icons.ts +109 -0
package/src/shared/index.ts +10 -0
package/src/shared/markdown/client.ts +130 -0
package/src/shared/markdown/extensions/code.ts +58 -0
package/src/shared/markdown/extensions/images.ts +43 -0
package/src/shared/markdown/extensions/info-blocks.ts +93 -0
package/src/shared/markdown/extensions/katex.ts +120 -0
package/src/shared/markdown/extensions/links.ts +34 -0
package/src/shared/markdown/extensions/tables.ts +88 -0
package/src/shared/markdown/extensions/task-list.ts +53 -0
package/src/shared/markdown/index.ts +97 -0
package/src/shared/markdown/shared.ts +36 -0
package/src/ssr/AdminLayout.tsx +42 -0
package/src/ssr/AdminSidebar.tsx +95 -0
package/src/ssr/Footer.island.tsx +62 -0
package/src/ssr/GlobalSearchDialog.tsx +389 -0
package/src/ssr/GlobalSearchHelpDialog.tsx +106 -0
package/src/ssr/GlobalSearchTrigger.island.tsx +42 -0
package/src/ssr/HotkeysHelpRail.island.tsx +99 -0
package/src/ssr/Layout.tsx +326 -0
package/src/ssr/MoreAppsDropdown.island.tsx +61 -0
package/src/ssr/NavMenu.island.tsx +108 -0
package/src/ssr/ThemeToggleRail.island.tsx +27 -0
package/src/ssr/index.ts +5 -0
package/src/ssr/islands/SearchBar.island.tsx +77 -0
package/src/ssr/islands/index.ts +1 -0
package/src/ssr/runtime.ts +22 -0
package/src/styles/base-popover.css +28 -0
package/src/styles/effects.css +65 -0
package/src/styles/global.css +133 -0
package/src/styles/input.css +54 -0
package/src/styles/tokens.css +35 -0
package/src/styles/utilities-buttons.css +125 -0
package/src/styles/utilities-feedback.css +65 -0
package/src/styles/utilities-layout.css +122 -0
package/src/styles/utilities-navigation.css +196 -0
package/src/types/ambient.d.ts +8 -0
package/src/ui/admin-settings.tsx +148 -0
package/src/ui/dialog-core.ts +146 -0
package/src/ui/filter/FilterChip.tsx +196 -0
package/src/ui/filter/index.ts +2 -0
package/src/ui/index.ts +19 -0
package/src/ui/input/Checkbox.tsx +55 -0
package/src/ui/input/ColorInput.tsx +122 -0
package/src/ui/input/DateTimeInput.tsx +86 -0
package/src/ui/input/ImageInput.tsx +170 -0
package/src/ui/input/NumberInput.tsx +113 -0
package/src/ui/input/PinInput.tsx +169 -0
package/src/ui/input/SegmentedControl.tsx +99 -0
package/src/ui/input/Select.tsx +288 -0
package/src/ui/input/SelectChip.tsx +61 -0
package/src/ui/input/Slider.tsx +118 -0
package/src/ui/input/Switch.tsx +62 -0
package/src/ui/input/TagsInput.tsx +115 -0
package/src/ui/input/TextInput.tsx +160 -0
package/src/ui/input/index.ts +13 -0
package/src/ui/input/types.ts +42 -0
package/src/ui/input/util.tsx +105 -0
package/src/ui/ipa/Avatar.tsx +28 -0
package/src/ui/ipa/GroupView.tsx +36 -0
package/src/ui/ipa/LoginBtn.tsx +16 -0
package/src/ui/ipa/UserView.tsx +58 -0
package/src/ui/ipa/index.ts +4 -0
package/src/ui/misc/ContextMenu.tsx +211 -0
package/src/ui/misc/CopyButton.tsx +28 -0
package/src/ui/misc/Dropdown.tsx +194 -0
package/src/ui/misc/EntitySearch.tsx +213 -0
package/src/ui/misc/Lightbox.tsx +194 -0
package/src/ui/misc/LinkCard.tsx +34 -0
package/src/ui/misc/LogEntriesTable.tsx +61 -0
package/src/ui/misc/MarkdownView.tsx +65 -0
package/src/ui/misc/Pagination.tsx +51 -0
package/src/ui/misc/PermissionEditor.tsx +379 -0
package/src/ui/misc/ProgressBar.tsx +47 -0
package/src/ui/misc/RemoveBtn.tsx +27 -0
package/src/ui/misc/StatCell.tsx +90 -0
package/src/ui/misc/index.ts +18 -0
package/src/ui/navigation.ts +32 -0
package/src/ui/prompts.tsx +854 -0
package/src/ui/sidebar.tsx +468 -0
package/src/ui/widgets/Widget.tsx +62 -0
package/src/ui/widgets/WidgetCard.tsx +19 -0
package/src/ui/widgets/WidgetHero.tsx +39 -0
package/src/ui/widgets/WidgetList.tsx +84 -0
package/src/ui/widgets/WidgetPills.tsx +68 -0
package/src/ui/widgets/WidgetStat.tsx +67 -0
package/src/ui/widgets/WidgetStatus.tsx +62 -0
package/src/ui/widgets/index.ts +9 -0

package/src/services/account-lifecycle/index.ts ADDED Viewed

@@ -0,0 +1,907 @@
+import { sql } from "bun";
+import type { User } from "../../contracts/shared";
+import { logger } from "../logging";
+import { notifications } from "../notifications";
+import { applyIpaAccountTransitionPolicy } from "../accounts/switching";
+import { get as getSetting } from "../settings";
+import { renderTemplate } from "../settings/templates";
+import { session } from "../session";
+import { getConfiguredExpiryDays, parseIpaAccountTransitionPolicy } from "../account-model";
+import { getFreeIpaConfig } from "../freeipa-config";
+import { parsePgJsonRecord } from "../postgres";
+import { dates } from "../../shared";
+import { freeipa } from "../../server/services";
+import { writeDeletedAccountAudit } from "./audit";
+import { getIpaUrl } from "../ipa/guard";
+const log = logger("auth:lifecycle");
+type DbRow = Record<string, unknown>;
+const DAY_MS = 24 * 60 * 60 * 1000;
+type ReminderKind = "account_expiry";
+type ReminderCandidate = {
+  userId: string;
+  uid: string;
+  mail: string;
+  givenName: string;
+  displayName: string;
+  expiresAt: Date;
+  kind: ReminderKind;
+  accountKind: "ipa" | "local-user" | "local-guest";
+};
+type LifecycleSummary = {
+  scanned: number;
+  changed: number;
+  skipped: number;
+  failed: number;
+};
+const settingInt = async (key: string, fallback: number): Promise<number> => {
+  const raw = await getSetting<number | string | null>(key);
+  const value = typeof raw === "number" ? raw : Number(raw);
+  return Number.isFinite(value) ? value : fallback;
+};
+const getIpaExpiresDays = async (): Promise<number> => getConfiguredExpiryDays("ipa", "user");
+const getLocalUserExpiresDays = async (): Promise<number> => getConfiguredExpiryDays("local", "user");
+const getGuestExpiresDays = async (): Promise<number> => {
+  return getConfiguredExpiryDays("local", "guest");
+};
+const getDeletedAccountsRetentionDays = async (): Promise<number> => settingInt("user.account.deleted_accounts_retention_days", 365);
+const getReminderHistoryRetentionDays = async (): Promise<number> => settingInt("user.account.reminder_history_retention_days", 365);
+const parseReminderDays = async (): Promise<number[]> => {
+  const raw = await getSetting<number[]>("user.account.reminder_days");
+  const parsed = Array.isArray(raw) ? raw.filter((entry) => Number.isInteger(entry) && entry > 0) : [];
+  return [...new Set(parsed)].sort((a, b) => b - a);
+};
+const upsertReminderAttempt = async (config: {
+  userId: string;
+  uid: string;
+  mail: string;
+  displayName: string;
+  kind: ReminderKind;
+  thresholdDays: number;
+  targetExpiryAt: Date;
+}): Promise<{ id: string; status: "pending" | "sent" | "error" }> => {
+  const rows = await sql<DbRow[]>`
+    INSERT INTO auth.account_lifecycle_reminders (
+      user_id, uid, mail, display_name, kind, threshold_days, target_expiry_at, status, attempt_count, created_at
+    )
+    VALUES (
+      ${config.userId}::uuid, ${config.uid}, ${config.mail}, ${config.displayName}, ${config.kind}, ${config.thresholdDays}, ${config.targetExpiryAt}, 'pending', 0, now()
+    )
+    ON CONFLICT (user_id, kind, threshold_days, target_expiry_at) WHERE user_id IS NOT NULL DO UPDATE
+    SET uid = EXCLUDED.uid,
+        mail = EXCLUDED.mail,
+        display_name = EXCLUDED.display_name,
+        status = CASE WHEN auth.account_lifecycle_reminders.status = 'sent' THEN 'sent' ELSE 'pending' END
+    RETURNING id, status
+  `;
+  return {
+    id: rows[0]!.id as string,
+    status: rows[0]!.status as "pending" | "sent" | "error",
+  };
+};
+const markReminderSuccess = async (id: string): Promise<void> => {
+  await sql`
+    UPDATE auth.account_lifecycle_reminders
+    SET status = 'sent',
+        attempt_count = attempt_count + 1,
+        last_attempt_at = now(),
+        sent_at = now(),
+        last_error = NULL
+    WHERE id = ${id}::uuid
+  `;
+};
+const markReminderError = async (id: string, error: string): Promise<void> => {
+  await sql`
+    UPDATE auth.account_lifecycle_reminders
+    SET status = 'error',
+        attempt_count = attempt_count + 1,
+        last_attempt_at = now(),
+        last_error = ${error}
+    WHERE id = ${id}::uuid
+  `;
+};
+const deleteFromFreeIpa = async (ipaSession: string, uid: string): Promise<{ ok: true } | { ok: false; error: string }> => {
+  const response = await freeipa.client.call({ url: await getIpaUrl(), ipaSession, method: "user_del", args: [uid], options: {} });
+  if (!response.error) return { ok: true };
+  const message = (response.error.message ?? "").toLowerCase();
+  const isNotFound = message.includes("not found") || message.includes("does not exist");
+  if (isNotFound) return { ok: true };
+  return { ok: false, error: response.error.message };
+};
+const resolveExtendUrl = async (): Promise<string> => {
+  const appUrl = await getSetting<string>("app.url");
+  const base = appUrl && appUrl.length > 0 ? appUrl : "";
+  if (base.startsWith("http://") || base.startsWith("https://")) return `${base.replace(/\/+$/, "")}/auth/extend`;
+  if (base.length > 0) return `https://${base.replace(/\/+$/, "")}/auth/extend`;
+  return "/auth/extend";
+};
+const listReminderCandidates = async (thresholdDays: number): Promise<ReminderCandidate[]> => {
+  const rows = await sql<DbRow[]>`
+    SELECT id,
+           uid,
+           mail,
+           given_name,
+           display_name,
+           account_expires AS expires_at,
+           'account_expiry'::text AS kind,
+           'ipa'::text AS account_kind
+    FROM auth.users
+    WHERE provider = 'ipa'
+      AND mail IS NOT NULL
+      AND account_expires IS NOT NULL
+      AND now() >= account_expires - (${thresholdDays} * interval '1 day')
+      AND now() < account_expires
+    UNION ALL
+    SELECT id,
+           uid,
+           mail,
+           given_name,
+           display_name,
+           account_expires AS expires_at,
+           'account_expiry'::text AS kind,
+           'local-guest'::text AS account_kind
+    FROM auth.users
+    WHERE provider = 'local'
+      AND profile = 'guest'
+      AND mail IS NOT NULL
+      AND account_expires IS NOT NULL
+      AND now() >= account_expires - (${thresholdDays} * interval '1 day')
+      AND now() < account_expires
+    UNION ALL
+    SELECT id,
+           uid,
+           mail,
+           given_name,
+           display_name,
+           account_expires AS expires_at,
+           'account_expiry'::text AS kind,
+           'local-user'::text AS account_kind
+    FROM auth.users
+    WHERE provider = 'local'
+      AND profile = 'user'
+      AND mail IS NOT NULL
+      AND account_expires IS NOT NULL
+      AND now() >= account_expires - (${thresholdDays} * interval '1 day')
+      AND now() < account_expires
+  `;
+  return rows.map(
+    (row): ReminderCandidate => ({
+      userId: row.id as string,
+      uid: row.uid as string,
+      mail: row.mail as string,
+      givenName: ((row.given_name as string) || "").trim(),
+      displayName: ((row.display_name as string) || "").trim(),
+      expiresAt: row.expires_at as Date,
+      kind: row.kind as ReminderKind,
+      accountKind: row.account_kind as ReminderCandidate["accountKind"],
+    }),
+  );
+};
+export const accountLifecycle = {
+  demoteExpiredIpaUsers: async (): Promise<LifecycleSummary> => {
+    const freeIpaConfig = (await getFreeIpaConfig());
+    if (!freeIpaConfig.enabled) {
+      log.info("Expired IPA demotion skipped", { reason: "freeipa_disabled" });
+      return { scanned: 0, changed: 0, skipped: 0, failed: 0 };
+    }
+    if (!freeIpaConfig.configured) {
+      throw new Error("FreeIPA is enabled but not fully configured.");
+    }
+    const rows = await sql<DbRow[]>`
+      SELECT id, uid, mail, display_name, profile, account_expires
+      FROM auth.users
+      WHERE provider = 'ipa'
+        AND account_expires IS NOT NULL
+        AND account_expires <= now()
+      ORDER BY account_expires ASC
+    `;
+    const transitionPolicy = parseIpaAccountTransitionPolicy(
+      await getSetting<string | null>("freeipa.account_transition_policy"),
+    );
+    const ipaSession = await freeipa.session.getServiceSession({
+      url: freeIpaConfig.url,
+      serviceUser: freeIpaConfig.serviceUser,
+      servicePassword: freeIpaConfig.servicePassword,
+    });
+    const summary: LifecycleSummary = {
+      scanned: rows.length,
+      changed: 0,
+      skipped: 0,
+      failed: 0,
+    };
+    for (const row of rows) {
+      const userId = row.id as string;
+      const uid = row.uid as string;
+      const previousProfile = (row.profile as User["profile"] | null) ?? "guest";
+      const ipaDelete = await deleteFromFreeIpa(ipaSession, uid);
+      if (!ipaDelete.ok) {
+        summary.failed += 1;
+        log.error("Failed to delete expired IPA account", { uid, userId, error: ipaDelete.error });
+        continue;
+      }
+      try {
+        if (transitionPolicy === "delete") {
+          await sql.begin(async (tx) => {
+            await writeDeletedAccountAudit({
+              db: tx,
+              userId,
+              uid,
+              mail: (row.mail as string) ?? null,
+              displayName: (row.display_name as string) ?? null,
+              previousProvider: "ipa",
+              previousProfile,
+              reason: "ipa_expired_deleted",
+              meta: {
+                reason: "ipa_account_expired",
+              },
+            });
+            await tx`DELETE FROM auth.users WHERE id = ${userId}::uuid`;
+          });
+        } else {
+          await sql.begin(async (tx) => {
+            const target = await applyIpaAccountTransitionPolicy({
+              userId,
+              currentProfile: previousProfile,
+              policy: transitionPolicy,
+              db: tx,
+            });
+            await writeDeletedAccountAudit({
+              db: tx,
+              userId,
+              uid,
+              mail: (row.mail as string) ?? null,
+              displayName: (row.display_name as string) ?? null,
+              previousProvider: "ipa",
+              previousProfile,
+              reason: "ipa_expired_demoted",
+              meta: {
+                accountExpiresAt: target.accountExpires?.toISOString() ?? null,
+                targetProfile: target.targetProfile,
+                policy: transitionPolicy,
+              },
+            });
+          });
+        }
+        await session.revokeAllForUser(userId);
+        summary.changed += 1;
+      } catch (error) {
+        summary.failed += 1;
+        log.error("Failed to demote expired IPA account", {
+          uid,
+          userId,
+          error: error instanceof Error ? error.message : String(error),
+        });
+      }
+    }
+    return summary;
+  },
+  cleanupExpiredGuests: async (): Promise<LifecycleSummary> => {
+    const rows = await sql<DbRow[]>`
+      SELECT id, uid, mail, display_name
+      FROM auth.users
+      WHERE provider = 'local'
+        AND profile = 'guest'
+        AND account_expires IS NOT NULL
+        AND account_expires <= now()
+      ORDER BY account_expires ASC
+    `;
+    const summary: LifecycleSummary = {
+      scanned: rows.length,
+      changed: 0,
+      skipped: 0,
+      failed: 0,
+    };
+    for (const row of rows) {
+      const userId = row.id as string;
+      const uid = row.uid as string;
+      try {
+        await sql.begin(async (tx) => {
+          await writeDeletedAccountAudit({
+            db: tx,
+            userId,
+            uid,
+            mail: (row.mail as string) ?? null,
+            displayName: (row.display_name as string) ?? null,
+            previousProvider: "local",
+            previousProfile: "guest",
+            reason: "guest_expired_deleted",
+          });
+          await tx`DELETE FROM auth.users WHERE id = ${userId}::uuid`;
+        });
+        await session.revokeAllForUser(userId);
+        summary.changed += 1;
+      } catch (error) {
+        summary.failed += 1;
+        log.error("Failed to delete expired guest account", {
+          uid,
+          userId,
+          error: error instanceof Error ? error.message : String(error),
+        });
+      }
+    }
+    return summary;
+  },
+  cleanupExpiredLocalUsers: async (): Promise<LifecycleSummary> => {
+    const rows = await sql<DbRow[]>`
+      SELECT id, uid, mail, display_name
+      FROM auth.users
+      WHERE provider = 'local'
+        AND profile = 'user'
+        AND account_expires IS NOT NULL
+        AND account_expires <= now()
+      ORDER BY account_expires ASC
+    `;
+    const summary: LifecycleSummary = {
+      scanned: rows.length,
+      changed: 0,
+      skipped: 0,
+      failed: 0,
+    };
+    for (const row of rows) {
+      const userId = row.id as string;
+      const uid = row.uid as string;
+      try {
+        await sql.begin(async (tx) => {
+          await writeDeletedAccountAudit({
+            db: tx,
+            userId,
+            uid,
+            mail: (row.mail as string) ?? null,
+            displayName: (row.display_name as string) ?? null,
+            previousProvider: "local",
+            previousProfile: "user",
+            reason: "local_user_expired_deleted",
+          });
+          await tx`DELETE FROM auth.users WHERE id = ${userId}::uuid`;
+        });
+        await session.revokeAllForUser(userId);
+        summary.changed += 1;
+      } catch (error) {
+        summary.failed += 1;
+        log.error("Failed to delete expired local user account", {
+          uid,
+          userId,
+          error: error instanceof Error ? error.message : String(error),
+        });
+      }
+    }
+    return summary;
+  },
+  sendExpiryReminders: async (): Promise<LifecycleSummary> => {
+    const days = await parseReminderDays();
+    if (days.length === 0) {
+      return { scanned: 0, changed: 0, skipped: 0, failed: 0 };
+    }
+    const template = await getSetting<string>("mail.account_expiry_reminder");
+    const appName = (await getSetting<string>("app.name")) || "Cloud";
+    const contactEmail = (await getSetting<string>("app.contact_email")) || "";
+    const extendUrl = await resolveExtendUrl();
+    let scanned = 0;
+    let changed = 0;
+    let skipped = 0;
+    let failed = 0;
+    for (const thresholdDays of days) {
+      const candidates = await listReminderCandidates(thresholdDays);
+      scanned += candidates.length;
+      for (const candidate of candidates) {
+      const attempt = await upsertReminderAttempt({
+        userId: candidate.userId,
+        uid: candidate.uid,
+        mail: candidate.mail,
+        displayName: candidate.displayName,
+        kind: candidate.kind,
+        thresholdDays,
+        targetExpiryAt: candidate.expiresAt,
+      });
+        if (attempt.status === "sent") {
+          skipped += 1;
+          continue;
+        }
+        const expiryText = dates.formatDate(candidate.expiresAt);
+        const subject = `${appName} account expires soon`;
+        const html = renderTemplate(template, {
+          FIRST_NAME: candidate.givenName || candidate.displayName || candidate.uid,
+          DISPLAY_NAME: candidate.displayName || candidate.uid,
+          EXPIRY: expiryText,
+          EXTEND_URL: extendUrl,
+          APP_NAME: appName,
+          CONTACT_EMAIL: contactEmail,
+          ACCOUNT_KIND: candidate.accountKind,
+        });
+        try {
+          const notification = await notifications.send({
+            type: "email",
+            recipient: candidate.mail,
+            subject,
+            rawHtml: html,
+            autoSend: true,
+          });
+          if (notification.status === "error") {
+            await markReminderError(attempt.id, notification.error ?? "Notification delivery failed");
+            failed += 1;
+            continue;
+          }
+          await markReminderSuccess(attempt.id);
+          changed += 1;
+        } catch (error) {
+          const message = error instanceof Error ? error.message : String(error);
+          await markReminderError(attempt.id, message);
+          failed += 1;
+          log.error("Failed to send expiry reminder", {
+            userId: candidate.userId,
+            uid: candidate.uid,
+            kind: candidate.kind,
+            thresholdDays,
+            error: message,
+          });
+        }
+      }
+    }
+    return { scanned, changed, skipped, failed };
+  },
+  cleanupLifecycleAudit: async (): Promise<LifecycleSummary> => {
+    const [deletedAccountsRetentionDays, reminderHistoryRetentionDays] = await Promise.all([
+      getDeletedAccountsRetentionDays(),
+      getReminderHistoryRetentionDays(),
+    ]);
+    const deletedRows =
+      deletedAccountsRetentionDays > 0
+        ? await sql<DbRow[]>`
+            DELETE FROM auth.deleted_accounts
+            WHERE deleted_at < now() - (${deletedAccountsRetentionDays} * interval '1 day')
+            RETURNING id
+          `
+        : [];
+    const reminderRows =
+      reminderHistoryRetentionDays > 0
+        ? await sql<DbRow[]>`
+            DELETE FROM auth.account_lifecycle_reminders
+            WHERE created_at < now() - (${reminderHistoryRetentionDays} * interval '1 day')
+            RETURNING id
+          `
+        : [];
+    return {
+      scanned: deletedRows.length + reminderRows.length,
+      changed: deletedRows.length + reminderRows.length,
+      skipped: 0,
+      failed: 0,
+    };
+  },
+  runIpaBackfill: async (): Promise<LifecycleSummary> => {
+    const freeIpaConfig = (await getFreeIpaConfig());
+    if (!freeIpaConfig.enabled) {
+      log.info("IPA backfill skipped", { reason: "freeipa_disabled" });
+      return { scanned: 0, changed: 0, skipped: 0, failed: 0 };
+    }
+    if (!freeIpaConfig.configured) {
+      throw new Error("FreeIPA is enabled but not fully configured.");
+    }
+    const configuredDays = await getIpaExpiresDays();
+    if (configuredDays <= 0) {
+      return { scanned: 0, changed: 0, skipped: 0, failed: 0 };
+    }
+    const days = Math.max(configuredDays, 7);
+    const minimumExpiry = new Date(Date.now() + days * DAY_MS);
+    minimumExpiry.setUTCHours(23, 59, 59, 0);
+    const ipaExpiry = freeipa.util.toGeneralizedTime(minimumExpiry);
+    const ipaSession = await freeipa.session.getServiceSession({
+      url: freeIpaConfig.url,
+      serviceUser: freeIpaConfig.serviceUser,
+      servicePassword: freeIpaConfig.servicePassword,
+    });
+    const rows = await sql<DbRow[]>`
+      SELECT id, uid, account_expires
+      FROM auth.users
+      WHERE provider = 'ipa'
+        AND (account_expires IS NULL OR account_expires < ${minimumExpiry})
+      ORDER BY uid
+    `;
+    const summary: LifecycleSummary = {
+      scanned: rows.length,
+      changed: 0,
+      skipped: 0,
+      failed: 0,
+    };
+    for (const row of rows) {
+      const userId = row.id as string;
+      const uid = row.uid as string;
+      const remote = await freeipa.client.call({
+        url: freeIpaConfig.url,
+        ipaSession,
+        method: "user_show",
+        args: [uid],
+        options: { all: true },
+      });
+      if (remote.error) {
+        summary.failed += 1;
+        log.error("IPA backfill read failed", { uid, userId, error: remote.error.message });
+        continue;
+      }
+      const remoteResult = remote.result?.result as Record<string, unknown> | undefined;
+      const remoteExpiry = freeipa.util.parseGeneralizedTime(remoteResult?.krbprincipalexpiration);
+      if (remoteExpiry && remoteExpiry >= minimumExpiry) {
+        await sql`
+          UPDATE auth.users
+          SET account_expires = ${remoteExpiry}
+          WHERE id = ${userId}::uuid
+        `;
+        await sql`
+          INSERT INTO auth.user_ipa_data (user_id, synced_at)
+          VALUES (${userId}::uuid, now())
+          ON CONFLICT (user_id) DO UPDATE SET synced_at = EXCLUDED.synced_at
+        `;
+        summary.skipped += 1;
+        continue;
+      }
+      const response = await freeipa.client.call({
+        url: freeIpaConfig.url,
+        ipaSession,
+        method: "user_mod",
+        args: [uid],
+        options: { krbprincipalexpiration: ipaExpiry },
+      });
+      if (response.error) {
+        summary.failed += 1;
+        log.error("IPA backfill failed", { uid, userId, error: response.error.message });
+        continue;
+      }
+      await sql`
+        UPDATE auth.users
+        SET account_expires = ${minimumExpiry}
+        WHERE id = ${userId}::uuid
+      `;
+      await sql`
+        INSERT INTO auth.user_ipa_data (user_id, synced_at)
+        VALUES (${userId}::uuid, now())
+        ON CONFLICT (user_id) DO UPDATE SET synced_at = EXCLUDED.synced_at
+      `;
+      summary.changed += 1;
+    }
+    return summary;
+  },
+  runLocalUserBackfill: async (): Promise<LifecycleSummary> => {
+    const configuredDays = await getLocalUserExpiresDays();
+    if (configuredDays <= 0) {
+      return { scanned: 0, changed: 0, skipped: 0, failed: 0 };
+    }
+    const days = Math.max(configuredDays, 7);
+    const target = new Date(Date.now() + days * DAY_MS);
+    const rows = await sql<DbRow[]>`
+      UPDATE auth.users
+      SET account_expires = ${target}
+      WHERE provider = 'local'
+        AND profile = 'user'
+        AND (account_expires IS NULL OR account_expires < ${target})
+      RETURNING id
+    `;
+    return {
+      scanned: rows.length,
+      changed: rows.length,
+      skipped: 0,
+      failed: 0,
+    };
+  },
+  runGuestBackfill: async (): Promise<LifecycleSummary> => {
+    const configuredDays = await getGuestExpiresDays();
+    if (configuredDays <= 0) {
+      return { scanned: 0, changed: 0, skipped: 0, failed: 0 };
+    }
+    const days = Math.max(configuredDays, 7);
+    const target = new Date(Date.now() + days * DAY_MS);
+    const rows = await sql<DbRow[]>`
+      UPDATE auth.users
+      SET account_expires = ${target}
+      WHERE provider = 'local'
+        AND profile = 'guest'
+        AND (account_expires IS NULL OR account_expires < ${target})
+      RETURNING id
+    `;
+    return {
+      scanned: rows.length,
+      changed: rows.length,
+      skipped: 0,
+      failed: 0,
+    };
+  },
+  extendCurrentUserAccount: async (config: {
+    user: User;
+    ipaSession?: string | null;
+  }): Promise<{ message: string; newExpiry?: string }> => {
+    if (config.user.provider === "ipa") {
+      const freeIpaConfig = (await getFreeIpaConfig());
+      if (!freeIpaConfig.enabled) {
+        return { message: "FreeIPA is disabled." };
+      }
+      const configuredDays = await getIpaExpiresDays();
+      if (configuredDays <= 0) {
+        return { message: "Automatic account expiry is disabled for IPA accounts." };
+      }
+      if (!config.ipaSession) {
+        throw new Error("IPA session required to extend an IPA-backed account.");
+      }
+      const expiresAt = new Date(Date.now() + configuredDays * DAY_MS);
+      expiresAt.setUTCHours(23, 59, 59, 0);
+      const ipaExpiry = freeipa.util.toGeneralizedTime(expiresAt);
+      const response = await freeipa.client.call({
+        url: freeIpaConfig.url,
+        ipaSession: config.ipaSession,
+        method: "user_mod",
+        args: [config.user.uid],
+        options: { krbprincipalexpiration: ipaExpiry },
+      });
+      if (response.error) {
+        throw new Error(response.error.message || "Failed to extend IPA account.");
+      }
+      await sql`
+        UPDATE auth.users
+        SET account_expires = ${expiresAt}
+        WHERE id = ${config.user.id}::uuid
+      `;
+      await sql`
+        INSERT INTO auth.user_ipa_data (user_id, synced_at)
+        VALUES (${config.user.id}::uuid, now())
+        ON CONFLICT (user_id) DO UPDATE SET synced_at = EXCLUDED.synced_at
+      `;
+      return {
+        message: `Account extended until ${dates.formatDate(expiresAt)}.`,
+        newExpiry: expiresAt.toISOString(),
+      };
+    }
+    if (config.user.provider === "local" && config.user.profile === "guest") {
+      const guestDays = await getGuestExpiresDays();
+      if (guestDays <= 0) {
+        await sql`
+          UPDATE auth.users
+          SET account_expires = NULL
+          WHERE id = ${config.user.id}::uuid
+        `;
+        return { message: "Guest account expiry is disabled." };
+      }
+      const expiresAt = new Date(Date.now() + guestDays * DAY_MS);
+      await sql`
+        UPDATE auth.users
+        SET account_expires = ${expiresAt}
+        WHERE id = ${config.user.id}::uuid
+      `;
+      return {
+        message: `Guest account extended until ${dates.formatDate(expiresAt)}.`,
+        newExpiry: expiresAt.toISOString(),
+      };
+    }
+    if (config.user.provider === "local" && config.user.profile === "user") {
+      const localUserDays = await getLocalUserExpiresDays();
+      if (localUserDays <= 0) {
+        await sql`
+          UPDATE auth.users
+          SET account_expires = NULL
+          WHERE id = ${config.user.id}::uuid
+        `;
+        return { message: "Local user account expiry is disabled." };
+      }
+      const expiresAt = new Date(Date.now() + localUserDays * DAY_MS);
+      await sql`
+        UPDATE auth.users
+        SET account_expires = ${expiresAt}
+        WHERE id = ${config.user.id}::uuid
+      `;
+      return {
+        message: `Account extended until ${dates.formatDate(expiresAt)}.`,
+        newExpiry: expiresAt.toISOString(),
+      };
+    }
+    return { message: "Your account does not support extension." };
+  },
+  listDeletedAccounts: async (config: { page: number; perPage: number; reason?: string; search?: string }) => {
+    const offset = (config.page - 1) * config.perPage;
+    const reason = config.reason?.trim() || null;
+    const search = config.search?.trim().toLowerCase() || null;
+    const pattern = search ? `%${freeipa.util.escapeLike(search)}%` : null;
+    const countRows = await sql<DbRow[]>`
+      SELECT COUNT(*)::int AS total
+      FROM auth.deleted_accounts
+      WHERE (${reason}::text IS NULL OR reason = ${reason})
+        AND (
+          ${pattern}::text IS NULL
+          OR LOWER(uid) LIKE ${pattern} ESCAPE '\\'
+          OR LOWER(COALESCE(display_name, '')) LIKE ${pattern} ESCAPE '\\'
+          OR LOWER(COALESCE(mail, '')) LIKE ${pattern} ESCAPE '\\'
+        )
+    `;
+    const rows = await sql<DbRow[]>`
+      SELECT id, deleted_user_id, uid, mail, display_name, previous_provider, previous_profile, reason, deleted_at, meta
+      FROM auth.deleted_accounts
+      WHERE (${reason}::text IS NULL OR reason = ${reason})
+        AND (
+          ${pattern}::text IS NULL
+          OR LOWER(uid) LIKE ${pattern} ESCAPE '\\'
+          OR LOWER(COALESCE(display_name, '')) LIKE ${pattern} ESCAPE '\\'
+          OR LOWER(COALESCE(mail, '')) LIKE ${pattern} ESCAPE '\\'
+        )
+      ORDER BY deleted_at DESC
+      LIMIT ${config.perPage}
+      OFFSET ${offset}
+    `;
+    return {
+      items: rows.map((row) => ({
+        id: row.id as string,
+        deletedUserId: row.deleted_user_id as string,
+        uid: row.uid as string,
+        mail: (row.mail as string) ?? null,
+        displayName: (row.display_name as string) ?? null,
+        previousProvider: (row.previous_provider as string) ?? null,
+        previousProfile: (row.previous_profile as string) ?? null,
+        reason: row.reason as string,
+        deletedAt: (row.deleted_at as Date).toISOString(),
+        meta: parsePgJsonRecord(row.meta) ?? {},
+      })),
+      total: Number(countRows[0]?.total ?? 0),
+      page: config.page,
+      perPage: config.perPage,
+    };
+  },
+  listReminderAudit: async (config: { page: number; perPage: number; status?: string; kind?: ReminderKind; search?: string }) => {
+    const offset = (config.page - 1) * config.perPage;
+    const status = config.status?.trim() || null;
+    const kind = config.kind ?? null;
+    const search = config.search?.trim().toLowerCase() || null;
+    const pattern = search ? `%${freeipa.util.escapeLike(search)}%` : null;
+    const countRows = await sql<DbRow[]>`
+      SELECT COUNT(*)::int AS total
+      FROM auth.account_lifecycle_reminders r
+      LEFT JOIN auth.users u ON u.id = r.user_id
+      WHERE (${status}::text IS NULL OR r.status = ${status})
+        AND (${kind}::text IS NULL OR r.kind = ${kind})
+        AND (
+          ${pattern}::text IS NULL
+          OR LOWER(COALESCE(r.uid, u.uid, '')) LIKE ${pattern} ESCAPE '\\'
+          OR LOWER(COALESCE(r.mail, u.mail, '')) LIKE ${pattern} ESCAPE '\\'
+          OR LOWER(COALESCE(r.display_name, u.display_name, '')) LIKE ${pattern} ESCAPE '\\'
+        )
+    `;
+    const rows = await sql<DbRow[]>`
+      SELECT r.id,
+             r.user_id,
+             r.uid AS reminder_uid,
+             r.mail AS reminder_mail,
+             r.display_name AS reminder_display_name,
+             r.kind,
+             r.threshold_days,
+             r.target_expiry_at,
+             r.status,
+             r.attempt_count,
+             r.last_attempt_at,
+             r.sent_at,
+             r.last_error,
+             r.created_at,
+             u.uid AS live_uid,
+             u.mail AS live_mail,
+             u.display_name AS live_display_name
+      FROM auth.account_lifecycle_reminders r
+      LEFT JOIN auth.users u ON u.id = r.user_id
+      WHERE (${status}::text IS NULL OR r.status = ${status})
+        AND (${kind}::text IS NULL OR r.kind = ${kind})
+        AND (
+          ${pattern}::text IS NULL
+          OR LOWER(COALESCE(r.uid, u.uid, '')) LIKE ${pattern} ESCAPE '\\'
+          OR LOWER(COALESCE(r.mail, u.mail, '')) LIKE ${pattern} ESCAPE '\\'
+          OR LOWER(COALESCE(r.display_name, u.display_name, '')) LIKE ${pattern} ESCAPE '\\'
+        )
+      ORDER BY r.created_at DESC
+      LIMIT ${config.perPage}
+      OFFSET ${offset}
+    `;
+    return {
+      items: rows.map((row) => ({
+        id: row.id as string,
+        userId: (row.user_id as string) ?? null,
+        uid: ((row.reminder_uid as string) ?? (row.live_uid as string) ?? null),
+        mail: ((row.reminder_mail as string) ?? (row.live_mail as string) ?? null),
+        displayName: ((row.reminder_display_name as string) ?? (row.live_display_name as string) ?? null),
+        kind: row.kind as string,
+        thresholdDays: Number(row.threshold_days),
+        targetExpiryAt: (row.target_expiry_at as Date).toISOString(),
+        status: row.status as string,
+        attemptCount: Number(row.attempt_count),
+        lastAttemptAt: row.last_attempt_at ? (row.last_attempt_at as Date).toISOString() : null,
+        sentAt: row.sent_at ? (row.sent_at as Date).toISOString() : null,
+        lastError: (row.last_error as string) ?? null,
+        createdAt: (row.created_at as Date).toISOString(),
+      })),
+      total: Number(countRows[0]?.total ?? 0),
+      page: config.page,
+      perPage: config.perPage,
+    };
+  },
+};
+export type AccountLifecycleService = typeof accountLifecycle;