@veloxts/auth 0.3.4 → 0.3.6

package/dist/jwt.d.ts

@@ -3,6 +3,14 @@
  * @module auth/jwt
  */
 import type { JwtConfig, TokenPair, TokenPayload, User } from './types.js';
+/**
+ * Validates a time string format
+ * Supports: '1s', '15m', '1h', '7d', etc.
+ * Minimum valid value is '1s' (1 second)
+ *
+ * @returns true if valid, false otherwise
+ */
+export declare function isValidTimespan(time: string): boolean;
 /**
  * Parses time string to seconds
  * Supports: '15m', '1h', '7d', '30d', etc.
@@ -12,6 +20,14 @@ export declare function parseTimeToSeconds(time: string): number;
  * Generate a unique token ID
  */
 export declare function generateTokenId(): string;
+/**
+ * Validates token expiration against security bounds
+ *
+ * @param accessExpiry - Access token expiry string (e.g., '15m')
+ * @param refreshExpiry - Refresh token expiry string (e.g., '7d')
+ * @throws Error if expiration times are outside security bounds
+ */
+export declare function validateTokenExpiration(accessExpiry: string, refreshExpiry: string): void;
 /**
  * JWT token manager
  *
@@ -41,16 +57,23 @@ export declare class JwtManager {
     constructor(config: JwtConfig);
     /**
      * Creates a JWT token with the given payload
+     *
+     * @param payload - Token payload (sub, email, type required)
+     * @param expiresIn - Expiration time string (e.g., '15m', '7d')
+     * @param options - Additional options
+     * @param options.notBefore - Delay in seconds before token becomes valid (default: 0)
      */
     createToken(payload: Omit<TokenPayload, 'iat' | 'exp'> & {
         sub: string;
         email: string;
         type: TokenPayload['type'];
-    }, expiresIn: string): string;
+    }, expiresIn: string, options?: {
+        notBefore?: number;
+    }): string;
     /**
      * Verifies a JWT token and returns the payload
      *
-     * @throws Error if token is invalid or expired
+     * @throws AuthError if token is invalid or expired
      */
     verifyToken(token: string): TokenPayload;
     /**
@@ -58,13 +81,13 @@ export declare class JwtManager {
      *
      * @param user - The user to create tokens for
      * @param additionalClaims - Custom claims to include (cannot override reserved claims)
-     * @throws Error if additionalClaims contains reserved JWT claims
+     * @throws AuthError if additionalClaims contains reserved JWT claims
      */
     createTokenPair(user: User, additionalClaims?: Record<string, unknown>): TokenPair;
     /**
      * Refreshes tokens using a valid refresh token
      *
-     * @throws Error if refresh token is invalid or not a refresh token
+     * @throws AuthError if refresh token is invalid or not a refresh token
      */
     refreshTokens(refreshToken: string, userLoader?: (userId: string) => Promise<User | null>): Promise<TokenPair>;
     refreshTokens(refreshToken: string): TokenPair;
@@ -79,10 +102,16 @@ export declare class JwtManager {
      */
     extractFromHeader(authHeader: string | undefined): string | null;
 }
+/**
+ * Creates a new JWT manager instance (succinct API)
+ */
+export declare function jwtManager(config: JwtConfig): JwtManager;
 /**
  * Creates a new JWT manager instance
+ *
+ * @deprecated Use `jwtManager()` instead. Will be removed in v0.9.
  */
-export declare function createJwtManager(config: JwtConfig): JwtManager;
+export declare const createJwtManager: typeof jwtManager;
 /**
  * Token store interface for revocation management
  */

package/dist/jwt.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../src/jwt.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,OAAO,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,YAAY,CAAC;AAuC3E;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAqBvD;AA4BD;;GAEG;AACH,wBAAgB,eAAe,IAAI,MAAM,CAExC;AAMD;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,qBAAa,UAAU;IACrB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAGX;gBAEA,MAAM,EAAE,SAAS;IAyB7B;;OAEG;IACH,WAAW,CACT,OAAO,EAAE,IAAI,CAAC,YAAY,EAAE,KAAK,GAAG,KAAK,CAAC,GAAG;QAC3C,GAAG,EAAE,MAAM,CAAC;QACZ,KAAK,EAAE,MAAM,CAAC;QACd,IAAI,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC;KAC5B,EACD,SAAS,EAAE,MAAM,GAChB,MAAM;IAsBT;;;;OAIG;IACH,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY;IAkFxC;;;;;;OAMG;IACH,eAAe,CAAC,IAAI,EAAE,IAAI,EAAE,gBAAgB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,SAAS;IA0ClF;;;;OAIG;IACH,aAAa,CACX,YAAY,EAAE,MAAM,EACpB,UAAU,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC,GACpD,OAAO,CAAC,SAAS,CAAC;IACrB,aAAa,CAAC,YAAY,EAAE,MAAM,GAAG,SAAS;IA8B9C;;;OAGG;IACH,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY,GAAG,IAAI;IAa/C;;;OAGG;IACH,iBAAiB,CAAC,UAAU,EAAE,MAAM,GAAG,SAAS,GAAG,MAAM,GAAG,IAAI;CAYjE;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,SAAS,GAAG,UAAU,CAE9D;AAMD;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,qCAAqC;IACrC,MAAM,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAClD,kCAAkC;IAClC,SAAS,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAC3D,oDAAoD;IACpD,KAAK,EAAE,MAAM,IAAI,CAAC;CACnB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,wBAAgB,wBAAwB,IAAI,UAAU,CAYrD"}
+{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../src/jwt.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,OAAO,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,YAAY,CAAC;AA+E3E;;;;;;GAMG;AACH,wBAAgB,eAAe,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAQrD;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAyBvD;AA4BD;;GAEG;AACH,wBAAgB,eAAe,IAAI,MAAM,CAExC;AAED;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CAAC,YAAY,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,IAAI,CAkEzF;AAMD;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,qBAAa,UAAU;IACrB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAGX;gBAEA,MAAM,EAAE,SAAS;IAyD7B;;;;;;;OAOG;IACH,WAAW,CACT,OAAO,EAAE,IAAI,CAAC,YAAY,EAAE,KAAK,GAAG,KAAK,CAAC,GAAG;QAC3C,GAAG,EAAE,MAAM,CAAC;QACZ,KAAK,EAAE,MAAM,CAAC;QACd,IAAI,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC;KAC5B,EACD,SAAS,EAAE,MAAM,EACjB,OAAO,CAAC,EAAE;QAAE,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,GAC/B,MAAM;IA2BT;;;;OAIG;IACH,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY;IA6FxC;;;;;;OAMG;IACH,eAAe,CAAC,IAAI,EAAE,IAAI,EAAE,gBAAgB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,SAAS;IA4ClF;;;;OAIG;IACH,aAAa,CACX,YAAY,EAAE,MAAM,EACpB,UAAU,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC,GACpD,OAAO,CAAC,SAAS,CAAC;IACrB,aAAa,CAAC,YAAY,EAAE,MAAM,GAAG,SAAS;IA8B9C;;;OAGG;IACH,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY,GAAG,IAAI;IAa/C;;;OAGG;IACH,iBAAiB,CAAC,UAAU,EAAE,MAAM,GAAG,SAAS,GAAG,MAAM,GAAG,IAAI;CAYjE;AAED;;GAEG;AACH,wBAAgB,UAAU,CAAC,MAAM,EAAE,SAAS,GAAG,UAAU,CAExD;AAED;;;;GAIG;AACH,eAAO,MAAM,gBAAgB,mBAAa,CAAC;AAM3C;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,qCAAqC;IACrC,MAAM,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAClD,kCAAkC;IAClC,SAAS,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAC3D,oDAAoD;IACpD,KAAK,EAAE,MAAM,IAAI,CAAC;CACnB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,wBAAgB,wBAAwB,IAAI,UAAU,CAYrD"}

package/dist/jwt.js

@@ -3,6 +3,7 @@
  * @module auth/jwt
  */
 import { createHmac, randomBytes, timingSafeEqual } from 'node:crypto';
+import { AuthError } from './types.js';
 // ============================================================================
 // Constants
 // ============================================================================
@@ -17,6 +18,38 @@ const MIN_SECRET_LENGTH = 64;
  * Minimum unique characters in secret for entropy validation
  */
 const MIN_SECRET_ENTROPY_CHARS = 16;
+// ============================================================================
+// Token Expiration Bounds (Security Phase 3.1)
+// ============================================================================
+/**
+ * Minimum access token expiry: 1 minute
+ * Shorter tokens increase security but may impact UX
+ */
+const MIN_ACCESS_TOKEN_SECONDS = 60;
+/**
+ * Maximum access token expiry: 1 hour
+ * Longer lived tokens are a security risk if stolen
+ */
+const MAX_ACCESS_TOKEN_SECONDS = 60 * 60;
+/**
+ * Minimum refresh token expiry: 1 hour
+ * Too short reduces usability
+ */
+const MIN_REFRESH_TOKEN_SECONDS = 60 * 60;
+/**
+ * Maximum refresh token expiry: 30 days
+ * Longer lived refresh tokens increase risk window
+ */
+const MAX_REFRESH_TOKEN_SECONDS = 30 * 24 * 60 * 60;
+/**
+ * Recommended maximum access token expiry: 15 minutes
+ * Beyond this, consider shorter lived tokens with refresh
+ */
+const RECOMMENDED_MAX_ACCESS_SECONDS = 15 * 60;
+/**
+ * Recommended maximum refresh token expiry: 7 days
+ */
+const RECOMMENDED_MAX_REFRESH_SECONDS = 7 * 24 * 60 * 60;
 /**
  * Reserved JWT claims that cannot be overridden via additionalClaims
  */
@@ -34,6 +67,22 @@ const RESERVED_JWT_CLAIMS = new Set([
 // ============================================================================
 // JWT Implementation
 // ============================================================================
+/**
+ * Validates a time string format
+ * Supports: '1s', '15m', '1h', '7d', etc.
+ * Minimum valid value is '1s' (1 second)
+ *
+ * @returns true if valid, false otherwise
+ */
+export function isValidTimespan(time) {
+    const match = time.match(/^(\d+)([smhd])$/);
+    if (!match) {
+        return false;
+    }
+    const value = parseInt(match[1], 10);
+    // Value must be at least 1
+    return value >= 1;
+}
 /**
  * Parses time string to seconds
  * Supports: '15m', '1h', '7d', '30d', etc.
@@ -41,7 +90,7 @@ const RESERVED_JWT_CLAIMS = new Set([
 export function parseTimeToSeconds(time) {
     const match = time.match(/^(\d+)([smhd])$/);
     if (!match) {
-        throw new Error(`Invalid time format: ${time}. Use format like '15m', '1h', '7d'`);
+        throw new AuthError(`Invalid time format: ${time}. Use format like '15m', '1h', '7d'`, 400, 'INVALID_TIME_FORMAT');
     }
     const value = parseInt(match[1], 10);
     const unit = match[2];
@@ -55,7 +104,7 @@ export function parseTimeToSeconds(time) {
         case 'd':
             return value * 60 * 60 * 24;
         default:
-            throw new Error(`Unknown time unit: ${unit}`);
+            throw new AuthError(`Unknown time unit: ${unit}`, 400, 'INVALID_TIME_UNIT');
     }
 }
 /**
@@ -87,6 +136,49 @@ function createSignature(data, secret) {
 export function generateTokenId() {
     return randomBytes(16).toString('hex');
 }
+/**
+ * Validates token expiration against security bounds
+ *
+ * @param accessExpiry - Access token expiry string (e.g., '15m')
+ * @param refreshExpiry - Refresh token expiry string (e.g., '7d')
+ * @throws Error if expiration times are outside security bounds
+ */
+export function validateTokenExpiration(accessExpiry, refreshExpiry) {
+    const accessSeconds = parseTimeToSeconds(accessExpiry);
+    const refreshSeconds = parseTimeToSeconds(refreshExpiry);
+    // Validate access token bounds
+    if (accessSeconds < MIN_ACCESS_TOKEN_SECONDS) {
+        throw new AuthError(`Access token expiry (${accessExpiry} = ${accessSeconds}s) is below minimum of ` +
+            `${MIN_ACCESS_TOKEN_SECONDS}s (1 minute). Very short tokens cause excessive refreshes.`, 400, 'INVALID_TOKEN_EXPIRY');
+    }
+    if (accessSeconds > MAX_ACCESS_TOKEN_SECONDS) {
+        throw new AuthError(`Access token expiry (${accessExpiry} = ${accessSeconds}s) exceeds maximum of ` +
+            `${MAX_ACCESS_TOKEN_SECONDS}s (1 hour). Long-lived access tokens are a security risk.`, 400, 'INVALID_TOKEN_EXPIRY');
+    }
+    // Validate refresh token bounds
+    if (refreshSeconds < MIN_REFRESH_TOKEN_SECONDS) {
+        throw new AuthError(`Refresh token expiry (${refreshExpiry} = ${refreshSeconds}s) is below minimum of ` +
+            `${MIN_REFRESH_TOKEN_SECONDS}s (1 hour). Very short refresh tokens impact usability.`, 400, 'INVALID_TOKEN_EXPIRY');
+    }
+    if (refreshSeconds > MAX_REFRESH_TOKEN_SECONDS) {
+        throw new AuthError(`Refresh token expiry (${refreshExpiry} = ${refreshSeconds}s) exceeds maximum of ` +
+            `${MAX_REFRESH_TOKEN_SECONDS}s (30 days). Long-lived refresh tokens increase attack window.`, 400, 'INVALID_TOKEN_EXPIRY');
+    }
+    // Warn about exceeding recommended limits (non-fatal)
+    if (accessSeconds > RECOMMENDED_MAX_ACCESS_SECONDS) {
+        console.warn(`[Security] Access token expiry (${accessExpiry}) exceeds recommended maximum of 15 minutes. ` +
+            'Consider using shorter-lived access tokens with refresh.');
+    }
+    if (refreshSeconds > RECOMMENDED_MAX_REFRESH_SECONDS) {
+        console.warn(`[Security] Refresh token expiry (${refreshExpiry}) exceeds recommended maximum of 7 days. ` +
+            'Long-lived refresh tokens increase the window for token theft attacks.');
+    }
+    // Ensure refresh tokens outlive access tokens
+    if (refreshSeconds <= accessSeconds) {
+        throw new AuthError(`Refresh token expiry (${refreshExpiry} = ${refreshSeconds}s) must be longer than ` +
+            `access token expiry (${accessExpiry} = ${accessSeconds}s).`, 400, 'INVALID_TOKEN_EXPIRY');
+    }
+}
 // ============================================================================
 // JWT Manager Class
 // ============================================================================
@@ -119,31 +211,56 @@ export class JwtManager {
     constructor(config) {
         // Validate secret length (Critical Fix #1)
         if (!config.secret || config.secret.length < MIN_SECRET_LENGTH) {
-            throw new Error(`JWT secret must be at least ${MIN_SECRET_LENGTH} characters long (512 bits). ` +
-                'Generate with: openssl rand -base64 64');
+            throw new AuthError(`JWT secret must be at least ${MIN_SECRET_LENGTH} characters long (512 bits). ` +
+                'Generate with: openssl rand -base64 64', 500, 'INVALID_JWT_SECRET');
         }
         // Validate secret entropy - check for sufficient unique characters
         const uniqueChars = new Set(config.secret).size;
         if (uniqueChars < MIN_SECRET_ENTROPY_CHARS) {
-            throw new Error(`JWT secret has insufficient entropy (only ${uniqueChars} unique characters). ` +
-                'Use cryptographically random data with at least 16 unique characters.');
+            throw new AuthError(`JWT secret has insufficient entropy (only ${uniqueChars} unique characters). ` +
+                'Use cryptographically random data with at least 16 unique characters.', 500, 'INVALID_JWT_SECRET');
+        }
+        // Validate accessTokenExpiry format if provided
+        if (config.accessTokenExpiry !== undefined && !isValidTimespan(config.accessTokenExpiry)) {
+            throw new AuthError(`Invalid accessTokenExpiry "${config.accessTokenExpiry}". ` +
+                `Use formats like "15m", "1h", "7d". Minimum is "1s".`, 400, 'INVALID_TOKEN_EXPIRY');
+        }
+        // Validate refreshTokenExpiry format if provided
+        if (config.refreshTokenExpiry !== undefined && !isValidTimespan(config.refreshTokenExpiry)) {
+            throw new AuthError(`Invalid refreshTokenExpiry "${config.refreshTokenExpiry}". ` +
+                `Use formats like "15m", "1h", "7d". Minimum is "1s".`, 400, 'INVALID_TOKEN_EXPIRY');
         }
+        // Store config with defaults
+        const accessExpiry = config.accessTokenExpiry ?? DEFAULT_ACCESS_EXPIRY;
+        const refreshExpiry = config.refreshTokenExpiry ?? DEFAULT_REFRESH_EXPIRY;
+        // Validate expiration bounds (Security Phase 3.1)
+        // This prevents developers from setting insecure expiration times
+        validateTokenExpiration(accessExpiry, refreshExpiry);
         this.config = {
             ...config,
-            accessTokenExpiry: config.accessTokenExpiry ?? DEFAULT_ACCESS_EXPIRY,
-            refreshTokenExpiry: config.refreshTokenExpiry ?? DEFAULT_REFRESH_EXPIRY,
+            accessTokenExpiry: accessExpiry,
+            refreshTokenExpiry: refreshExpiry,
         };
     }
     /**
      * Creates a JWT token with the given payload
+     *
+     * @param payload - Token payload (sub, email, type required)
+     * @param expiresIn - Expiration time string (e.g., '15m', '7d')
+     * @param options - Additional options
+     * @param options.notBefore - Delay in seconds before token becomes valid (default: 0)
      */
-    createToken(payload, expiresIn) {
+    createToken(payload, expiresIn, options) {
         const now = Math.floor(Date.now() / 1000);
         const exp = now + parseTimeToSeconds(expiresIn);
+        // Security Phase 3.3: Add not-before (nbf) claim
+        // nbf = issued at + optional delay (default: 0, meaning valid immediately)
+        const nbf = now + (options?.notBefore ?? 0);
         const fullPayload = {
             ...payload,
             iat: now,
             exp,
+            nbf, // Token is not valid before this time
         };
         // Create header
         const header = { alg: 'HS256', typ: 'JWT' };
@@ -157,12 +274,12 @@ export class JwtManager {
     /**
      * Verifies a JWT token and returns the payload
      *
-     * @throws Error if token is invalid or expired
+     * @throws AuthError if token is invalid or expired
      */
     verifyToken(token) {
         const parts = token.split('.');
         if (parts.length !== 3) {
-            throw new Error('Invalid token format');
+            throw new AuthError('Invalid token format', 401, 'INVALID_TOKEN');
         }
         const [encodedHeader, encodedPayload, signature] = parts;
         // Critical Fix #2: Validate algorithm BEFORE signature verification
@@ -172,14 +289,14 @@ export class JwtManager {
             header = JSON.parse(base64urlDecode(encodedHeader));
         }
         catch {
-            throw new Error('Invalid token header');
+            throw new AuthError('Invalid token header', 401, 'INVALID_TOKEN');
         }
         // Only allow HS256 - reject "none", RS256, and other algorithms
         if (header.alg !== 'HS256') {
-            throw new Error(`Invalid algorithm: ${header.alg}. Only HS256 is supported.`);
+            throw new AuthError(`Invalid algorithm: ${header.alg}. Only HS256 is supported.`, 401, 'INVALID_TOKEN');
         }
         if (header.typ !== 'JWT') {
-            throw new Error('Invalid token type in header');
+            throw new AuthError('Invalid token type in header', 401, 'INVALID_TOKEN');
         }
         // Verify signature using timing-safe comparison to prevent timing attacks
         const signatureInput = `${encodedHeader}.${encodedPayload}`;
@@ -187,7 +304,7 @@ export class JwtManager {
         const sigBuffer = Buffer.from(signature, 'utf8');
         const expectedBuffer = Buffer.from(expectedSignature, 'utf8');
         if (sigBuffer.length !== expectedBuffer.length || !timingSafeEqual(sigBuffer, expectedBuffer)) {
-            throw new Error('Invalid token signature');
+            throw new AuthError('Invalid token signature', 401, 'INVALID_TOKEN');
         }
         // Decode payload
         let payload;
@@ -199,29 +316,32 @@ export class JwtManager {
                 typeof decoded.iat !== 'number' ||
                 typeof decoded.exp !== 'number' ||
                 (decoded.type !== 'access' && decoded.type !== 'refresh')) {
-                throw new Error('Missing required token fields');
+                throw new AuthError('Missing required token fields', 401, 'INVALID_TOKEN');
             }
             payload = decoded;
         }
         catch (error) {
-            throw new Error(error instanceof Error ? error.message : 'Invalid token payload');
+            if (error instanceof AuthError) {
+                throw error;
+            }
+            throw new AuthError(error instanceof Error ? error.message : 'Invalid token payload', 401, 'INVALID_TOKEN');
         }
         // Check expiration
         const now = Math.floor(Date.now() / 1000);
         if (payload.exp < now) {
-            throw new Error('Token has expired');
+            throw new AuthError('Token has expired', 401, 'TOKEN_EXPIRED');
         }
         // Check not-before claim if present (Medium Fix #10)
         if (typeof payload.nbf === 'number' && payload.nbf > now) {
-            throw new Error('Token not yet valid');
+            throw new AuthError('Token not yet valid', 401, 'TOKEN_NOT_YET_VALID');
         }
         // Verify issuer if configured
         if (this.config.issuer && payload.iss !== this.config.issuer) {
-            throw new Error('Invalid token issuer');
+            throw new AuthError('Invalid token issuer', 401, 'INVALID_TOKEN');
         }
         // Verify audience if configured
         if (this.config.audience && payload.aud !== this.config.audience) {
-            throw new Error('Invalid token audience');
+            throw new AuthError('Invalid token audience', 401, 'INVALID_TOKEN');
         }
         return payload;
     }
@@ -230,15 +350,15 @@ export class JwtManager {
      *
      * @param user - The user to create tokens for
      * @param additionalClaims - Custom claims to include (cannot override reserved claims)
-     * @throws Error if additionalClaims contains reserved JWT claims
+     * @throws AuthError if additionalClaims contains reserved JWT claims
      */
     createTokenPair(user, additionalClaims) {
         // Critical Fix #3: Validate additionalClaims don't contain reserved claims
         if (additionalClaims) {
             for (const key of Object.keys(additionalClaims)) {
                 if (RESERVED_JWT_CLAIMS.has(key)) {
-                    throw new Error(`Cannot override reserved JWT claim: ${key}. ` +
-                        `Reserved claims are: ${[...RESERVED_JWT_CLAIMS].join(', ')}`);
+                    throw new AuthError(`Cannot override reserved JWT claim: ${key}. ` +
+                        `Reserved claims are: ${[...RESERVED_JWT_CLAIMS].join(', ')}`, 400, 'INVALID_CLAIMS');
                 }
             }
         }
@@ -263,13 +383,13 @@ export class JwtManager {
     refreshTokens(refreshToken, userLoader) {
         const payload = this.verifyToken(refreshToken);
         if (payload.type !== 'refresh') {
-            throw new Error('Invalid token type: expected refresh token');
+            throw new AuthError('Invalid token type: expected refresh token', 401, 'INVALID_TOKEN');
         }
         // If userLoader provided, fetch fresh user data
         if (userLoader) {
             return userLoader(payload.sub).then((user) => {
                 if (!user) {
-                    throw new Error('User not found');
+                    throw new AuthError('User not found', 401, 'USER_NOT_FOUND');
                 }
                 return this.createTokenPair(user);
             });
@@ -313,11 +433,17 @@ export class JwtManager {
     }
 }
 /**
- * Creates a new JWT manager instance
+ * Creates a new JWT manager instance (succinct API)
  */
-export function createJwtManager(config) {
+export function jwtManager(config) {
     return new JwtManager(config);
 }
+/**
+ * Creates a new JWT manager instance
+ *
+ * @deprecated Use `jwtManager()` instead. Will be removed in v0.9.
+ */
+export const createJwtManager = jwtManager;
 /**
  * Creates an in-memory token store for development and testing
  *

package/dist/jwt.js.map

@@ -1 +1 @@
-{"version":3,"file":"jwt.js","sourceRoot":"","sources":["../src/jwt.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAIvE,+EAA+E;AAC/E,YAAY;AACZ,+EAA+E;AAE/E,MAAM,qBAAqB,GAAG,KAAK,CAAC;AACpC,MAAM,sBAAsB,GAAG,IAAI,CAAC;AAEpC;;;GAGG;AACH,MAAM,iBAAiB,GAAG,EAAE,CAAC;AAE7B;;GAEG;AACH,MAAM,wBAAwB,GAAG,EAAE,CAAC;AAEpC;;GAEG;AACH,MAAM,mBAAmB,GAAG,IAAI,GAAG,CAAC;IAClC,KAAK;IACL,KAAK;IACL,KAAK;IACL,KAAK;IACL,KAAK;IACL,KAAK;IACL,KAAK;IACL,MAAM;IACN,OAAO;CACR,CAAC,CAAC;AAEH,+EAA+E;AAC/E,qBAAqB;AACrB,+EAA+E;AAE/E;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAAC,IAAY;IAC7C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC;IAC5C,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CAAC,wBAAwB,IAAI,qCAAqC,CAAC,CAAC;IACrF,CAAC;IAED,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACrC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IAEtB,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,GAAG;YACN,OAAO,KAAK,CAAC;QACf,KAAK,GAAG;YACN,OAAO,KAAK,GAAG,EAAE,CAAC;QACpB,KAAK,GAAG;YACN,OAAO,KAAK,GAAG,EAAE,GAAG,EAAE,CAAC;QACzB,KAAK,GAAG;YACN,OAAO,KAAK,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC;QAC9B;YACE,MAAM,IAAI,KAAK,CAAC,sBAAsB,IAAI,EAAE,CAAC,CAAC;IAClD,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,IAAqB;IAC5C,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACpD,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;AAC1E,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,IAAY;IACnC,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAC1D,MAAM,MAAM,GAAG,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAClE,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;AACxD,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,IAAY,EAAE,MAAc;IACnD,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC1C,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAClB,OAAO,eAAe,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;AACxC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe;IAC7B,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AACzC,CAAC;AAED,+EAA+E;AAC/E,oBAAoB;AACpB,+EAA+E;AAE/E;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAM,OAAO,UAAU;IACJ,MAAM,CAGX;IAEZ,YAAY,MAAiB;QAC3B,2CAA2C;QAC3C,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,iBAAiB,EAAE,CAAC;YAC/D,MAAM,IAAI,KAAK,CACb,+BAA+B,iBAAiB,+BAA+B;gBAC7E,wCAAwC,CAC3C,CAAC;QACJ,CAAC;QAED,mEAAmE;QACnE,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC;QAChD,IAAI,WAAW,GAAG,wBAAwB,EAAE,CAAC;YAC3C,MAAM,IAAI,KAAK,CACb,6CAA6C,WAAW,uBAAuB;gBAC7E,uEAAuE,CAC1E,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,MAAM,GAAG;YACZ,GAAG,MAAM;YACT,iBAAiB,EAAE,MAAM,CAAC,iBAAiB,IAAI,qBAAqB;YACpE,kBAAkB,EAAE,MAAM,CAAC,kBAAkB,IAAI,sBAAsB;SACxE,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,WAAW,CACT,OAIC,EACD,SAAiB;QAEjB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,MAAM,GAAG,GAAG,GAAG,GAAG,kBAAkB,CAAC,SAAS,CAAC,CAAC;QAEhD,MAAM,WAAW,GAAiB;YAChC,GAAG,OAAO;YACV,GAAG,EAAE,GAAG;YACR,GAAG;SACJ,CAAC;QAEF,gBAAgB;QAChB,MAAM,MAAM,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;QAC5C,MAAM,aAAa,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,MAAM,cAAc,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC,CAAC;QAEpE,mBAAmB;QACnB,MAAM,cAAc,GAAG,GAAG,aAAa,IAAI,cAAc,EAAE,CAAC;QAC5D,MAAM,SAAS,GAAG,eAAe,CAAC,cAAc,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAEtE,OAAO,GAAG,cAAc,IAAI,SAAS,EAAE,CAAC;IAC1C,CAAC;IAED;;;;OAIG;IACH,WAAW,CAAC,KAAa;QACvB,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QAC1C,CAAC;QAED,MAAM,CAAC,aAAa,EAAE,cAAc,EAAE,SAAS,CAAC,GAAG,KAAK,CAAC;QAEzD,oEAAoE;QACpE,4DAA4D;QAC5D,IAAI,MAAoC,CAAC;QACzC,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,aAAa,CAAC,CAAiC,CAAC;QACtF,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QAC1C,CAAC;QAED,gEAAgE;QAChE,IAAI,MAAM,CAAC,GAAG,KAAK,OAAO,EAAE,CAAC;YAC3B,MAAM,IAAI,KAAK,CAAC,sBAAsB,MAAM,CAAC,GAAG,4BAA4B,CAAC,CAAC;QAChF,CAAC;QAED,IAAI,MAAM,CAAC,GAAG,KAAK,KAAK,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;QAClD,CAAC;QAED,0EAA0E;QAC1E,MAAM,cAAc,GAAG,GAAG,aAAa,IAAI,cAAc,EAAE,CAAC;QAC5D,MAAM,iBAAiB,GAAG,eAAe,CAAC,cAAc,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAE9E,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;QACjD,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,iBAAiB,EAAE,MAAM,CAAC,CAAC;QAE9D,IAAI,SAAS,CAAC,MAAM,KAAK,cAAc,CAAC,MAAM,IAAI,CAAC,eAAe,CAAC,SAAS,EAAE,cAAc,CAAC,EAAE,CAAC;YAC9F,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;QAC7C,CAAC;QAED,iBAAiB;QACjB,IAAI,OAAqB,CAAC;QAC1B,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,cAAc,CAAC,CAA4B,CAAC;YAEvF,2BAA2B;YAC3B,IACE,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ;gBAC/B,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ;gBACjC,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ;gBAC/B,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ;gBAC/B,CAAC,OAAO,CAAC,IAAI,KAAK,QAAQ,IAAI,OAAO,CAAC,IAAI,KAAK,SAAS,CAAC,EACzD,CAAC;gBACD,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;YACnD,CAAC;YAED,OAAO,GAAG,OAAuB,CAAC;QACpC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CAAC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,uBAAuB,CAAC,CAAC;QACpF,CAAC;QAED,mBAAmB;QACnB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,IAAI,OAAO,CAAC,GAAG,GAAG,GAAG,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;QACvC,CAAC;QAED,qDAAqD;QACrD,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,OAAO,CAAC,GAAG,GAAG,GAAG,EAAE,CAAC;YACzD,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;QACzC,CAAC;QAED,8BAA8B;QAC9B,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,OAAO,CAAC,GAAG,KAAK,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;YAC7D,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QAC1C,CAAC;QAED,gCAAgC;QAChC,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,IAAI,OAAO,CAAC,GAAG,KAAK,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;YACjE,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC;QAC5C,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;;;;;OAMG;IACH,eAAe,CAAC,IAAU,EAAE,gBAA0C;QACpE,2EAA2E;QAC3E,IAAI,gBAAgB,EAAE,CAAC;YACrB,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC,EAAE,CAAC;gBAChD,IAAI,mBAAmB,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;oBACjC,MAAM,IAAI,KAAK,CACb,uCAAuC,GAAG,IAAI;wBAC5C,wBAAwB,CAAC,GAAG,mBAAmB,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAChE,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,MAAM,OAAO,GAAG,eAAe,EAAE,CAAC;QAElC,MAAM,WAAW,GAAG;YAClB,GAAG,EAAE,IAAI,CAAC,EAAE;YACZ,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,GAAG,EAAE,OAAO;YACZ,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;YACtD,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,IAAI,EAAE,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;YAC1D,GAAG,gBAAgB;SACpB,CAAC;QAEF,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,CAClC,EAAE,GAAG,WAAW,EAAE,IAAI,EAAE,QAAQ,EAAE,EAClC,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAC9B,CAAC;QAEF,MAAM,YAAY,GAAG,IAAI,CAAC,WAAW,CACnC,EAAE,GAAG,WAAW,EAAE,IAAI,EAAE,SAAS,EAAE,EACnC,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAC/B,CAAC;QAEF,OAAO;YACL,WAAW;YACX,YAAY;YACZ,SAAS,EAAE,kBAAkB,CAAC,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC;YAC5D,SAAS,EAAE,QAAQ;SACpB,CAAC;IACJ,CAAC;IAYD,aAAa,CACX,YAAoB,EACpB,UAAqD;QAErD,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,CAAC,YAAY,CAAC,CAAC;QAE/C,IAAI,OAAO,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YAC/B,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;QAChE,CAAC;QAED,gDAAgD;QAChD,IAAI,UAAU,EAAE,CAAC;YACf,OAAO,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE;gBAC3C,IAAI,CAAC,IAAI,EAAE,CAAC;oBACV,MAAM,IAAI,KAAK,CAAC,gBAAgB,CAAC,CAAC;gBACpC,CAAC;gBACD,OAAO,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC;YACpC,CAAC,CAAC,CAAC;QACL,CAAC;QAED,iDAAiD;QACjD,MAAM,IAAI,GAAS;YACjB,EAAE,EAAE,OAAO,CAAC,GAAG;YACf,KAAK,EAAE,OAAO,CAAC,KAAK;SACrB,CAAC;QAEF,OAAO,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC;IACpC,CAAC;IAED;;;OAGG;IACH,WAAW,CAAC,KAAa;QACvB,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACvB,OAAO,IAAI,CAAC;YACd,CAAC;YAED,OAAO,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAiB,CAAC;QAC/D,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,iBAAiB,CAAC,UAA8B;QAC9C,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACpC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,KAAK,QAAQ,EAAE,CAAC;YAC9D,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;CACF;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAAiB;IAChD,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;AAChC,CAAC;AAkBD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,MAAM,UAAU,wBAAwB;IACtC,MAAM,aAAa,GAAG,IAAI,GAAG,EAAU,CAAC;IAExC,OAAO;QACL,MAAM,EAAE,CAAC,OAAe,EAAE,EAAE;YAC1B,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAC7B,CAAC;QACD,SAAS,EAAE,CAAC,OAAe,EAAE,EAAE,CAAC,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC;QAC1D,KAAK,EAAE,GAAG,EAAE;YACV,aAAa,CAAC,KAAK,EAAE,CAAC;QACxB,CAAC;KACF,CAAC;AACJ,CAAC"}
+{"version":3,"file":"jwt.js","sourceRoot":"","sources":["../src/jwt.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAGvE,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAEvC,+EAA+E;AAC/E,YAAY;AACZ,+EAA+E;AAE/E,MAAM,qBAAqB,GAAG,KAAK,CAAC;AACpC,MAAM,sBAAsB,GAAG,IAAI,CAAC;AAEpC;;;GAGG;AACH,MAAM,iBAAiB,GAAG,EAAE,CAAC;AAE7B;;GAEG;AACH,MAAM,wBAAwB,GAAG,EAAE,CAAC;AAEpC,+EAA+E;AAC/E,+CAA+C;AAC/C,+EAA+E;AAE/E;;;GAGG;AACH,MAAM,wBAAwB,GAAG,EAAE,CAAC;AAEpC;;;GAGG;AACH,MAAM,wBAAwB,GAAG,EAAE,GAAG,EAAE,CAAC;AAEzC;;;GAGG;AACH,MAAM,yBAAyB,GAAG,EAAE,GAAG,EAAE,CAAC;AAE1C;;;GAGG;AACH,MAAM,yBAAyB,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC;AAEpD;;;GAGG;AACH,MAAM,8BAA8B,GAAG,EAAE,GAAG,EAAE,CAAC;AAE/C;;GAEG;AACH,MAAM,+BAA+B,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC;AAEzD;;GAEG;AACH,MAAM,mBAAmB,GAAG,IAAI,GAAG,CAAC;IAClC,KAAK;IACL,KAAK;IACL,KAAK;IACL,KAAK;IACL,KAAK;IACL,KAAK;IACL,KAAK;IACL,MAAM;IACN,OAAO;CACR,CAAC,CAAC;AAEH,+EAA+E;AAC/E,qBAAqB;AACrB,+EAA+E;AAE/E;;;;;;GAMG;AACH,MAAM,UAAU,eAAe,CAAC,IAAY;IAC1C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC;IAC5C,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,KAAK,CAAC;IACf,CAAC;IACD,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACrC,2BAA2B;IAC3B,OAAO,KAAK,IAAI,CAAC,CAAC;AACpB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAAC,IAAY;IAC7C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC;IAC5C,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,SAAS,CACjB,wBAAwB,IAAI,qCAAqC,EACjE,GAAG,EACH,qBAAqB,CACtB,CAAC;IACJ,CAAC;IAED,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACrC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IAEtB,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,GAAG;YACN,OAAO,KAAK,CAAC;QACf,KAAK,GAAG;YACN,OAAO,KAAK,GAAG,EAAE,CAAC;QACpB,KAAK,GAAG;YACN,OAAO,KAAK,GAAG,EAAE,GAAG,EAAE,CAAC;QACzB,KAAK,GAAG;YACN,OAAO,KAAK,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC;QAC9B;YACE,MAAM,IAAI,SAAS,CAAC,sBAAsB,IAAI,EAAE,EAAE,GAAG,EAAE,mBAAmB,CAAC,CAAC;IAChF,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,IAAqB;IAC5C,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACpD,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;AAC1E,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,IAAY;IACnC,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAC1D,MAAM,MAAM,GAAG,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAClE,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;AACxD,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,IAAY,EAAE,MAAc;IACnD,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC1C,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAClB,OAAO,eAAe,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;AACxC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe;IAC7B,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AACzC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,uBAAuB,CAAC,YAAoB,EAAE,aAAqB;IACjF,MAAM,aAAa,GAAG,kBAAkB,CAAC,YAAY,CAAC,CAAC;IACvD,MAAM,cAAc,GAAG,kBAAkB,CAAC,aAAa,CAAC,CAAC;IAEzD,+BAA+B;IAC/B,IAAI,aAAa,GAAG,wBAAwB,EAAE,CAAC;QAC7C,MAAM,IAAI,SAAS,CACjB,wBAAwB,YAAY,MAAM,aAAa,yBAAyB;YAC9E,GAAG,wBAAwB,4DAA4D,EACzF,GAAG,EACH,sBAAsB,CACvB,CAAC;IACJ,CAAC;IAED,IAAI,aAAa,GAAG,wBAAwB,EAAE,CAAC;QAC7C,MAAM,IAAI,SAAS,CACjB,wBAAwB,YAAY,MAAM,aAAa,wBAAwB;YAC7E,GAAG,wBAAwB,2DAA2D,EACxF,GAAG,EACH,sBAAsB,CACvB,CAAC;IACJ,CAAC;IAED,gCAAgC;IAChC,IAAI,cAAc,GAAG,yBAAyB,EAAE,CAAC;QAC/C,MAAM,IAAI,SAAS,CACjB,yBAAyB,aAAa,MAAM,cAAc,yBAAyB;YACjF,GAAG,yBAAyB,yDAAyD,EACvF,GAAG,EACH,sBAAsB,CACvB,CAAC;IACJ,CAAC;IAED,IAAI,cAAc,GAAG,yBAAyB,EAAE,CAAC;QAC/C,MAAM,IAAI,SAAS,CACjB,yBAAyB,aAAa,MAAM,cAAc,wBAAwB;YAChF,GAAG,yBAAyB,gEAAgE,EAC9F,GAAG,EACH,sBAAsB,CACvB,CAAC;IACJ,CAAC;IAED,sDAAsD;IACtD,IAAI,aAAa,GAAG,8BAA8B,EAAE,CAAC;QACnD,OAAO,CAAC,IAAI,CACV,mCAAmC,YAAY,+CAA+C;YAC5F,0DAA0D,CAC7D,CAAC;IACJ,CAAC;IAED,IAAI,cAAc,GAAG,+BAA+B,EAAE,CAAC;QACrD,OAAO,CAAC,IAAI,CACV,oCAAoC,aAAa,2CAA2C;YAC1F,wEAAwE,CAC3E,CAAC;IACJ,CAAC;IAED,8CAA8C;IAC9C,IAAI,cAAc,IAAI,aAAa,EAAE,CAAC;QACpC,MAAM,IAAI,SAAS,CACjB,yBAAyB,aAAa,MAAM,cAAc,yBAAyB;YACjF,wBAAwB,YAAY,MAAM,aAAa,KAAK,EAC9D,GAAG,EACH,sBAAsB,CACvB,CAAC;IACJ,CAAC;AACH,CAAC;AAED,+EAA+E;AAC/E,oBAAoB;AACpB,+EAA+E;AAE/E;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAM,OAAO,UAAU;IACJ,MAAM,CAGX;IAEZ,YAAY,MAAiB;QAC3B,2CAA2C;QAC3C,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,iBAAiB,EAAE,CAAC;YAC/D,MAAM,IAAI,SAAS,CACjB,+BAA+B,iBAAiB,+BAA+B;gBAC7E,wCAAwC,EAC1C,GAAG,EACH,oBAAoB,CACrB,CAAC;QACJ,CAAC;QAED,mEAAmE;QACnE,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC;QAChD,IAAI,WAAW,GAAG,wBAAwB,EAAE,CAAC;YAC3C,MAAM,IAAI,SAAS,CACjB,6CAA6C,WAAW,uBAAuB;gBAC7E,uEAAuE,EACzE,GAAG,EACH,oBAAoB,CACrB,CAAC;QACJ,CAAC;QAED,gDAAgD;QAChD,IAAI,MAAM,CAAC,iBAAiB,KAAK,SAAS,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,iBAAiB,CAAC,EAAE,CAAC;YACzF,MAAM,IAAI,SAAS,CACjB,8BAA8B,MAAM,CAAC,iBAAiB,KAAK;gBACzD,sDAAsD,EACxD,GAAG,EACH,sBAAsB,CACvB,CAAC;QACJ,CAAC;QAED,iDAAiD;QACjD,IAAI,MAAM,CAAC,kBAAkB,KAAK,SAAS,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,kBAAkB,CAAC,EAAE,CAAC;YAC3F,MAAM,IAAI,SAAS,CACjB,+BAA+B,MAAM,CAAC,kBAAkB,KAAK;gBAC3D,sDAAsD,EACxD,GAAG,EACH,sBAAsB,CACvB,CAAC;QACJ,CAAC;QAED,6BAA6B;QAC7B,MAAM,YAAY,GAAG,MAAM,CAAC,iBAAiB,IAAI,qBAAqB,CAAC;QACvE,MAAM,aAAa,GAAG,MAAM,CAAC,kBAAkB,IAAI,sBAAsB,CAAC;QAE1E,kDAAkD;QAClD,kEAAkE;QAClE,uBAAuB,CAAC,YAAY,EAAE,aAAa,CAAC,CAAC;QAErD,IAAI,CAAC,MAAM,GAAG;YACZ,GAAG,MAAM;YACT,iBAAiB,EAAE,YAAY;YAC/B,kBAAkB,EAAE,aAAa;SAClC,CAAC;IACJ,CAAC;IAED;;;;;;;OAOG;IACH,WAAW,CACT,OAIC,EACD,SAAiB,EACjB,OAAgC;QAEhC,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,MAAM,GAAG,GAAG,GAAG,GAAG,kBAAkB,CAAC,SAAS,CAAC,CAAC;QAEhD,iDAAiD;QACjD,2EAA2E;QAC3E,MAAM,GAAG,GAAG,GAAG,GAAG,CAAC,OAAO,EAAE,SAAS,IAAI,CAAC,CAAC,CAAC;QAE5C,MAAM,WAAW,GAAiB;YAChC,GAAG,OAAO;YACV,GAAG,EAAE,GAAG;YACR,GAAG;YACH,GAAG,EAAE,sCAAsC;SAC5C,CAAC;QAEF,gBAAgB;QAChB,MAAM,MAAM,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;QAC5C,MAAM,aAAa,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,MAAM,cAAc,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC,CAAC;QAEpE,mBAAmB;QACnB,MAAM,cAAc,GAAG,GAAG,aAAa,IAAI,cAAc,EAAE,CAAC;QAC5D,MAAM,SAAS,GAAG,eAAe,CAAC,cAAc,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAEtE,OAAO,GAAG,cAAc,IAAI,SAAS,EAAE,CAAC;IAC1C,CAAC;IAED;;;;OAIG;IACH,WAAW,CAAC,KAAa;QACvB,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,MAAM,IAAI,SAAS,CAAC,sBAAsB,EAAE,GAAG,EAAE,eAAe,CAAC,CAAC;QACpE,CAAC;QAED,MAAM,CAAC,aAAa,EAAE,cAAc,EAAE,SAAS,CAAC,GAAG,KAAK,CAAC;QAEzD,oEAAoE;QACpE,4DAA4D;QAC5D,IAAI,MAAoC,CAAC;QACzC,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,aAAa,CAAC,CAAiC,CAAC;QACtF,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,SAAS,CAAC,sBAAsB,EAAE,GAAG,EAAE,eAAe,CAAC,CAAC;QACpE,CAAC;QAED,gEAAgE;QAChE,IAAI,MAAM,CAAC,GAAG,KAAK,OAAO,EAAE,CAAC;YAC3B,MAAM,IAAI,SAAS,CACjB,sBAAsB,MAAM,CAAC,GAAG,4BAA4B,EAC5D,GAAG,EACH,eAAe,CAChB,CAAC;QACJ,CAAC;QAED,IAAI,MAAM,CAAC,GAAG,KAAK,KAAK,EAAE,CAAC;YACzB,MAAM,IAAI,SAAS,CAAC,8BAA8B,EAAE,GAAG,EAAE,eAAe,CAAC,CAAC;QAC5E,CAAC;QAED,0EAA0E;QAC1E,MAAM,cAAc,GAAG,GAAG,aAAa,IAAI,cAAc,EAAE,CAAC;QAC5D,MAAM,iBAAiB,GAAG,eAAe,CAAC,cAAc,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAE9E,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;QACjD,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,iBAAiB,EAAE,MAAM,CAAC,CAAC;QAE9D,IAAI,SAAS,CAAC,MAAM,KAAK,cAAc,CAAC,MAAM,IAAI,CAAC,eAAe,CAAC,SAAS,EAAE,cAAc,CAAC,EAAE,CAAC;YAC9F,MAAM,IAAI,SAAS,CAAC,yBAAyB,EAAE,GAAG,EAAE,eAAe,CAAC,CAAC;QACvE,CAAC;QAED,iBAAiB;QACjB,IAAI,OAAqB,CAAC;QAC1B,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,cAAc,CAAC,CAA4B,CAAC;YAEvF,2BAA2B;YAC3B,IACE,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ;gBAC/B,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ;gBACjC,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ;gBAC/B,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ;gBAC/B,CAAC,OAAO,CAAC,IAAI,KAAK,QAAQ,IAAI,OAAO,CAAC,IAAI,KAAK,SAAS,CAAC,EACzD,CAAC;gBACD,MAAM,IAAI,SAAS,CAAC,+BAA+B,EAAE,GAAG,EAAE,eAAe,CAAC,CAAC;YAC7E,CAAC;YAED,OAAO,GAAG,OAAuB,CAAC;QACpC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,SAAS,EAAE,CAAC;gBAC/B,MAAM,KAAK,CAAC;YACd,CAAC;YACD,MAAM,IAAI,SAAS,CACjB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,uBAAuB,EAChE,GAAG,EACH,eAAe,CAChB,CAAC;QACJ,CAAC;QAED,mBAAmB;QACnB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,IAAI,OAAO,CAAC,GAAG,GAAG,GAAG,EAAE,CAAC;YACtB,MAAM,IAAI,SAAS,CAAC,mBAAmB,EAAE,GAAG,EAAE,eAAe,CAAC,CAAC;QACjE,CAAC;QAED,qDAAqD;QACrD,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,OAAO,CAAC,GAAG,GAAG,GAAG,EAAE,CAAC;YACzD,MAAM,IAAI,SAAS,CAAC,qBAAqB,EAAE,GAAG,EAAE,qBAAqB,CAAC,CAAC;QACzE,CAAC;QAED,8BAA8B;QAC9B,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,OAAO,CAAC,GAAG,KAAK,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;YAC7D,MAAM,IAAI,SAAS,CAAC,sBAAsB,EAAE,GAAG,EAAE,eAAe,CAAC,CAAC;QACpE,CAAC;QAED,gCAAgC;QAChC,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,IAAI,OAAO,CAAC,GAAG,KAAK,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;YACjE,MAAM,IAAI,SAAS,CAAC,wBAAwB,EAAE,GAAG,EAAE,eAAe,CAAC,CAAC;QACtE,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;;;;;OAMG;IACH,eAAe,CAAC,IAAU,EAAE,gBAA0C;QACpE,2EAA2E;QAC3E,IAAI,gBAAgB,EAAE,CAAC;YACrB,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC,EAAE,CAAC;gBAChD,IAAI,mBAAmB,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;oBACjC,MAAM,IAAI,SAAS,CACjB,uCAAuC,GAAG,IAAI;wBAC5C,wBAAwB,CAAC,GAAG,mBAAmB,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,EAC/D,GAAG,EACH,gBAAgB,CACjB,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,MAAM,OAAO,GAAG,eAAe,EAAE,CAAC;QAElC,MAAM,WAAW,GAAG;YAClB,GAAG,EAAE,IAAI,CAAC,EAAE;YACZ,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,GAAG,EAAE,OAAO;YACZ,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;YACtD,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,IAAI,EAAE,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;YAC1D,GAAG,gBAAgB;SACpB,CAAC;QAEF,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,CAClC,EAAE,GAAG,WAAW,EAAE,IAAI,EAAE,QAAQ,EAAE,EAClC,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAC9B,CAAC;QAEF,MAAM,YAAY,GAAG,IAAI,CAAC,WAAW,CACnC,EAAE,GAAG,WAAW,EAAE,IAAI,EAAE,SAAS,EAAE,EACnC,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAC/B,CAAC;QAEF,OAAO;YACL,WAAW;YACX,YAAY;YACZ,SAAS,EAAE,kBAAkB,CAAC,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC;YAC5D,SAAS,EAAE,QAAQ;SACpB,CAAC;IACJ,CAAC;IAYD,aAAa,CACX,YAAoB,EACpB,UAAqD;QAErD,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,CAAC,YAAY,CAAC,CAAC;QAE/C,IAAI,OAAO,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YAC/B,MAAM,IAAI,SAAS,CAAC,4CAA4C,EAAE,GAAG,EAAE,eAAe,CAAC,CAAC;QAC1F,CAAC;QAED,gDAAgD;QAChD,IAAI,UAAU,EAAE,CAAC;YACf,OAAO,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE;gBAC3C,IAAI,CAAC,IAAI,EAAE,CAAC;oBACV,MAAM,IAAI,SAAS,CAAC,gBAAgB,EAAE,GAAG,EAAE,gBAAgB,CAAC,CAAC;gBAC/D,CAAC;gBACD,OAAO,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC;YACpC,CAAC,CAAC,CAAC;QACL,CAAC;QAED,iDAAiD;QACjD,MAAM,IAAI,GAAS;YACjB,EAAE,EAAE,OAAO,CAAC,GAAG;YACf,KAAK,EAAE,OAAO,CAAC,KAAK;SACrB,CAAC;QAEF,OAAO,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC;IACpC,CAAC;IAED;;;OAGG;IACH,WAAW,CAAC,KAAa;QACvB,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACvB,OAAO,IAAI,CAAC;YACd,CAAC;YAED,OAAO,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAiB,CAAC;QAC/D,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,iBAAiB,CAAC,UAA8B;QAC9C,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACpC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,KAAK,QAAQ,EAAE,CAAC;YAC9D,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;CACF;AAED;;GAEG;AACH,MAAM,UAAU,UAAU,CAAC,MAAiB;IAC1C,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;AAChC,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,UAAU,CAAC;AAkB3C;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,MAAM,UAAU,wBAAwB;IACtC,MAAM,aAAa,GAAG,IAAI,GAAG,EAAU,CAAC;IAExC,OAAO;QACL,MAAM,EAAE,CAAC,OAAe,EAAE,EAAE;YAC1B,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAC7B,CAAC;QACD,SAAS,EAAE,CAAC,OAAe,EAAE,EAAE,CAAC,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC;QAC1D,KAAK,EAAE,GAAG,EAAE;YACV,aAAa,CAAC,KAAK,EAAE,CAAC;QACxB,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/middleware.d.ts

@@ -7,7 +7,7 @@ import type { MiddlewareFunction } from '@veloxts/router';
 import { JwtManager } from './jwt.js';
 import type { AuthConfig, AuthContext, AuthMiddlewareOptions, GuardDefinition, User } from './types.js';
 /**
- * Creates an authentication middleware for procedures
+ * Creates an authentication middleware for procedures (succinct API)
  *
  * This middleware:
  * 1. Extracts JWT from Authorization header
@@ -18,7 +18,7 @@ import type { AuthConfig, AuthContext, AuthMiddlewareOptions, GuardDefinition, U
  *
  * @example
  * ```typescript
- * const auth = createAuthMiddleware(authConfig);
+ * const auth = authMiddleware(authConfig);
  *
  * // Use in procedures
  * const getProfile = procedure()
@@ -43,7 +43,7 @@ import type { AuthConfig, AuthContext, AuthMiddlewareOptions, GuardDefinition, U
  *   });
  * ```
  */
-export declare function createAuthMiddleware(config: AuthConfig): {
+export declare function authMiddleware(config: AuthConfig): {
     middleware: <TInput, TContext extends BaseContext, TOutput>(options?: AuthMiddlewareOptions) => MiddlewareFunction<TInput, TContext, TContext & {
         user?: User;
         auth: AuthContext;
@@ -59,11 +59,17 @@ export declare function createAuthMiddleware(config: AuthConfig): {
     jwt: JwtManager;
 };
 /**
- * Creates a rate limiting middleware
+ * Creates an authentication middleware for procedures
+ *
+ * @deprecated Use `authMiddleware()` instead. Will be removed in v0.9.
+ */
+export declare const createAuthMiddleware: typeof authMiddleware;
+/**
+ * Creates a rate limiting middleware (succinct API)
  *
  * @example
  * ```typescript
- * const rateLimit = createRateLimitMiddleware({
+ * const rateLimit = rateLimitMiddleware({
  *   max: 100,
  *   windowMs: 60000, // 1 minute
  * });
@@ -74,12 +80,18 @@ export declare function createAuthMiddleware(config: AuthConfig): {
  *   .mutation(handler);
  * ```
  */
-export declare function createRateLimitMiddleware<TInput, TContext extends BaseContext, TOutput>(options: {
+export declare function rateLimitMiddleware<TInput, TContext extends BaseContext, TOutput>(options: {
     max?: number;
     windowMs?: number;
     keyGenerator?: (ctx: TContext) => string;
     message?: string;
 }): MiddlewareFunction<TInput, TContext, TContext, TOutput>;
+/**
+ * Creates a rate limiting middleware
+ *
+ * @deprecated Use `rateLimitMiddleware()` instead. Will be removed in v0.9.
+ */
+export declare const createRateLimitMiddleware: typeof rateLimitMiddleware;
 /**
  * Clears rate limit store (useful for testing)
  */

package/dist/middleware.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../src/middleware.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AACjD,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAG1D,OAAO,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AACtC,OAAO,KAAK,EACV,UAAU,EACV,WAAW,EACX,qBAAqB,EACrB,eAAe,EAEf,IAAI,EACL,MAAM,YAAY,CAAC;AAOpB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoCG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,UAAU;iBAMjC,MAAM,EAAE,QAAQ,SAAS,WAAW,EAAE,OAAO,YACtD,qBAAqB,KAC7B,kBAAkB,CAAC,MAAM,EAAE,QAAQ,EAAE,QAAQ,GAAG;QAAE,IAAI,CAAC,EAAE,IAAI,CAAC;QAAC,IAAI,EAAE,WAAW,CAAA;KAAE,EAAE,OAAO,CAAC;kBA8H1E,MAAM,EAAE,QAAQ,SAAS,WAAW,EAAE,OAAO,WACvD,KAAK,CAAC,eAAe,GAAG,MAAM,CAAC,KACvC,kBAAkB,CAAC,MAAM,EAAE,QAAQ,EAAE,QAAQ,GAAG;QAAE,IAAI,EAAE,IAAI,CAAC;QAAC,IAAI,EAAE,WAAW,CAAA;KAAE,EAAE,OAAO,CAAC;mBAYxE,MAAM,EAAE,QAAQ,SAAS,WAAW,EAAE,OAAO,OAAK,kBAAkB,CACxF,MAAM,EACN,QAAQ,EACR,QAAQ,GAAG;QAAE,IAAI,CAAC,EAAE,IAAI,CAAC;QAAC,IAAI,EAAE,WAAW,CAAA;KAAE,EAC7C,OAAO,CACR;;EAUF;AAkBD;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,QAAQ,SAAS,WAAW,EAAE,OAAO,EAAE,OAAO,EAAE;IAChG,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,CAAC,GAAG,EAAE,QAAQ,KAAK,MAAM,CAAC;IACzC,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB,GAAG,kBAAkB,CAAC,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,CAAC,CAuC1D;AAED;;GAEG;AACH,wBAAgB,mBAAmB,IAAI,IAAI,CAE1C"}
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../src/middleware.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AACjD,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAG1D,OAAO,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AACtC,OAAO,KAAK,EACV,UAAU,EACV,WAAW,EACX,qBAAqB,EACrB,eAAe,EAEf,IAAI,EACL,MAAM,YAAY,CAAC;AAOpB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoCG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,UAAU;iBAM3B,MAAM,EAAE,QAAQ,SAAS,WAAW,EAAE,OAAO,YACtD,qBAAqB,KAC7B,kBAAkB,CAAC,MAAM,EAAE,QAAQ,EAAE,QAAQ,GAAG;QAAE,IAAI,CAAC,EAAE,IAAI,CAAC;QAAC,IAAI,EAAE,WAAW,CAAA;KAAE,EAAE,OAAO,CAAC;kBA8H1E,MAAM,EAAE,QAAQ,SAAS,WAAW,EAAE,OAAO,WACvD,KAAK,CAAC,eAAe,GAAG,MAAM,CAAC,KACvC,kBAAkB,CAAC,MAAM,EAAE,QAAQ,EAAE,QAAQ,GAAG;QAAE,IAAI,EAAE,IAAI,CAAC;QAAC,IAAI,EAAE,WAAW,CAAA;KAAE,EAAE,OAAO,CAAC;mBAYxE,MAAM,EAAE,QAAQ,SAAS,WAAW,EAAE,OAAO,OAAK,kBAAkB,CACxF,MAAM,EACN,QAAQ,EACR,QAAQ,GAAG;QAAE,IAAI,CAAC,EAAE,IAAI,CAAC;QAAC,IAAI,EAAE,WAAW,CAAA;KAAE,EAC7C,OAAO,CACR;;EAUF;AAED;;;;GAIG;AACH,eAAO,MAAM,oBAAoB,uBAAiB,CAAC;AAkBnD;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,QAAQ,SAAS,WAAW,EAAE,OAAO,EAAE,OAAO,EAAE;IAC1F,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,CAAC,GAAG,EAAE,QAAQ,KAAK,MAAM,CAAC;IACzC,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB,GAAG,kBAAkB,CAAC,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,CAAC,CAuC1D;AAED;;;;GAIG;AACH,eAAO,MAAM,yBAAyB,4BAAsB,CAAC;AAE7D;;GAEG;AACH,wBAAgB,mBAAmB,IAAI,IAAI,CAE1C"}

package/dist/middleware.js

@@ -9,7 +9,7 @@ import { AuthError } from './types.js';
 // Auth Middleware Factory
 // ============================================================================
 /**
- * Creates an authentication middleware for procedures
+ * Creates an authentication middleware for procedures (succinct API)
  *
  * This middleware:
  * 1. Extracts JWT from Authorization header
@@ -20,7 +20,7 @@ import { AuthError } from './types.js';
  *
  * @example
  * ```typescript
- * const auth = createAuthMiddleware(authConfig);
+ * const auth = authMiddleware(authConfig);
  *
  * // Use in procedures
  * const getProfile = procedure()
@@ -45,7 +45,7 @@ import { AuthError } from './types.js';
  *   });
  * ```
  */
-export function createAuthMiddleware(config) {
+export function authMiddleware(config) {
     const jwt = new JwtManager(config.jwt);
     /**
      * Creates the actual middleware function
@@ -170,6 +170,12 @@ export function createAuthMiddleware(config) {
         jwt,
     };
 }
+/**
+ * Creates an authentication middleware for procedures
+ *
+ * @deprecated Use `authMiddleware()` instead. Will be removed in v0.9.
+ */
+export const createAuthMiddleware = authMiddleware;
 // ============================================================================
 // Error Helpers
 // ============================================================================
@@ -183,11 +189,11 @@ export function createAuthMiddleware(config) {
  */
 const rateLimitStore = new Map();
 /**
- * Creates a rate limiting middleware
+ * Creates a rate limiting middleware (succinct API)
  *
  * @example
  * ```typescript
- * const rateLimit = createRateLimitMiddleware({
+ * const rateLimit = rateLimitMiddleware({
  *   max: 100,
  *   windowMs: 60000, // 1 minute
  * });
@@ -198,7 +204,7 @@ const rateLimitStore = new Map();
  *   .mutation(handler);
  * ```
  */
-export function createRateLimitMiddleware(options) {
+export function rateLimitMiddleware(options) {
     const max = options.max ?? 100;
     const windowMs = options.windowMs ?? 60000;
     const keyGenerator = options.keyGenerator ?? ((ctx) => ctx.request.ip ?? 'unknown');
@@ -221,17 +227,23 @@ export function createRateLimitMiddleware(options) {
             // Increment count
             record.count++;
         }
-        // Check limit
-        if (record.count > max) {
-            throw new AuthError(message, 429, 'RATE_LIMIT_EXCEEDED');
-        }
-        // Add rate limit headers
+        // Add rate limit headers (always, even on 429 responses)
         ctx.reply.header('X-RateLimit-Limit', String(max));
         ctx.reply.header('X-RateLimit-Remaining', String(Math.max(0, max - record.count)));
         ctx.reply.header('X-RateLimit-Reset', String(Math.ceil(record.resetAt / 1000)));
+        // Check limit (after setting headers so they're included in 429 response)
+        if (record.count > max) {
+            throw new AuthError(message, 429, 'RATE_LIMIT_EXCEEDED');
+        }
         return next();
     };
 }
+/**
+ * Creates a rate limiting middleware
+ *
+ * @deprecated Use `rateLimitMiddleware()` instead. Will be removed in v0.9.
+ */
+export const createRateLimitMiddleware = rateLimitMiddleware;
 /**
  * Clears rate limit store (useful for testing)
  */