@venturekit/auth 0.0.0-dev.20260307234057

package/LICENSE

@@ -0,0 +1,191 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to the Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by the Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding any notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   Copyright 2025 VentureKit Contributors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

package/dist/cognito/config.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Cognito Configuration
+ */
+import type { CognitoConfig, PasswordPolicy, MfaConfig, TokenConfig } from '../types';
+/**
+ * Default password policy
+ */
+export declare const DEFAULT_PASSWORD_POLICY: PasswordPolicy;
+/**
+ * Default MFA configuration
+ */
+export declare const DEFAULT_MFA_CONFIG: MfaConfig;
+/**
+ * Default token configuration
+ */
+export declare const DEFAULT_TOKEN_CONFIG: TokenConfig;
+/**
+ * Default Cognito configuration
+ */
+export declare const DEFAULT_COGNITO_CONFIG: CognitoConfig;
+/**
+ * Create Cognito configuration from partial input
+ */
+export declare function createCognitoConfig(input?: Partial<CognitoConfig> & {
+    passwordPolicy?: Partial<PasswordPolicy>;
+    mfa?: Partial<MfaConfig>;
+    tokens?: Partial<TokenConfig>;
+}): CognitoConfig;
+//# sourceMappingURL=config.d.ts.map

package/dist/cognito/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/cognito/config.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,cAAc,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AAEtF;;GAEG;AACH,eAAO,MAAM,uBAAuB,EAAE,cAOrC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,kBAAkB,EAAE,SAGhC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,oBAAoB,EAAE,WAIlC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,sBAAsB,EAAE,aAapC,CAAC;AAEF;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,KAAK,CAAC,EAAE,OAAO,CAAC,aAAa,CAAC,GAAG;IAC/B,cAAc,CAAC,EAAE,OAAO,CAAC,cAAc,CAAC,CAAC;IACzC,GAAG,CAAC,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;IACzB,MAAM,CAAC,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC;CAC/B,GACA,aAAa,CAuBf"}

package/dist/cognito/config.js

@@ -0,0 +1,74 @@
+/**
+ * Cognito Configuration
+ */
+/**
+ * Default password policy
+ */
+export const DEFAULT_PASSWORD_POLICY = {
+    minLength: 8,
+    requireLowercase: true,
+    requireUppercase: true,
+    requireNumbers: true,
+    requireSymbols: false,
+    tempPasswordValidityDays: 7,
+};
+/**
+ * Default MFA configuration
+ */
+export const DEFAULT_MFA_CONFIG = {
+    mode: 'optional',
+    methods: ['totp'],
+};
+/**
+ * Default token configuration
+ */
+export const DEFAULT_TOKEN_CONFIG = {
+    accessTokenValidityMinutes: 60,
+    idTokenValidityMinutes: 60,
+    refreshTokenValidityDays: 30,
+};
+/**
+ * Default Cognito configuration
+ */
+export const DEFAULT_COGNITO_CONFIG = {
+    signInAliases: {
+        email: true,
+        phone: false,
+        username: false,
+    },
+    selfSignUpEnabled: true,
+    autoVerifyEmail: true,
+    autoVerifyPhone: false,
+    passwordPolicy: DEFAULT_PASSWORD_POLICY,
+    mfa: DEFAULT_MFA_CONFIG,
+    tokens: DEFAULT_TOKEN_CONFIG,
+    accountRecovery: 'email',
+};
+/**
+ * Create Cognito configuration from partial input
+ */
+export function createCognitoConfig(input) {
+    if (!input)
+        return DEFAULT_COGNITO_CONFIG;
+    return {
+        ...DEFAULT_COGNITO_CONFIG,
+        ...input,
+        signInAliases: {
+            ...DEFAULT_COGNITO_CONFIG.signInAliases,
+            ...input.signInAliases,
+        },
+        passwordPolicy: {
+            ...DEFAULT_PASSWORD_POLICY,
+            ...input.passwordPolicy,
+        },
+        mfa: {
+            ...DEFAULT_MFA_CONFIG,
+            ...input.mfa,
+        },
+        tokens: {
+            ...DEFAULT_TOKEN_CONFIG,
+            ...input.tokens,
+        },
+    };
+}
+//# sourceMappingURL=config.js.map

package/dist/cognito/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/cognito/config.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH;;GAEG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAmB;IACrD,SAAS,EAAE,CAAC;IACZ,gBAAgB,EAAE,IAAI;IACtB,gBAAgB,EAAE,IAAI;IACtB,cAAc,EAAE,IAAI;IACpB,cAAc,EAAE,KAAK;IACrB,wBAAwB,EAAE,CAAC;CAC5B,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAc;IAC3C,IAAI,EAAE,UAAU;IAChB,OAAO,EAAE,CAAC,MAAM,CAAC;CAClB,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAgB;IAC/C,0BAA0B,EAAE,EAAE;IAC9B,sBAAsB,EAAE,EAAE;IAC1B,wBAAwB,EAAE,EAAE;CAC7B,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAkB;IACnD,aAAa,EAAE;QACb,KAAK,EAAE,IAAI;QACX,KAAK,EAAE,KAAK;QACZ,QAAQ,EAAE,KAAK;KAChB;IACD,iBAAiB,EAAE,IAAI;IACvB,eAAe,EAAE,IAAI;IACrB,eAAe,EAAE,KAAK;IACtB,cAAc,EAAE,uBAAuB;IACvC,GAAG,EAAE,kBAAkB;IACvB,MAAM,EAAE,oBAAoB;IAC5B,eAAe,EAAE,OAAO;CACzB,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,mBAAmB,CACjC,KAIC;IAED,IAAI,CAAC,KAAK;QAAE,OAAO,sBAAsB,CAAC;IAE1C,OAAO;QACL,GAAG,sBAAsB;QACzB,GAAG,KAAK;QACR,aAAa,EAAE;YACb,GAAG,sBAAsB,CAAC,aAAa;YACvC,GAAG,KAAK,CAAC,aAAa;SACvB;QACD,cAAc,EAAE;YACd,GAAG,uBAAuB;YAC1B,GAAG,KAAK,CAAC,cAAc;SACxB;QACD,GAAG,EAAE;YACH,GAAG,kBAAkB;YACrB,GAAG,KAAK,CAAC,GAAG;SACb;QACD,MAAM,EAAE;YACN,GAAG,oBAAoB;YACvB,GAAG,KAAK,CAAC,MAAM;SAChB;KACF,CAAC;AACJ,CAAC"}

package/dist/cognito/index.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Cognito Construct
+ *
+ * Creates and configures AWS Cognito User Pool for VentureKit.
+ */
+export { createCognitoConfig, DEFAULT_COGNITO_CONFIG } from './config';
+export { buildUserPoolConfig } from './user-pool';
+export type { UserPoolOutputs, UserPoolInfraConfig } from './user-pool';
+//# sourceMappingURL=index.d.ts.map

package/dist/cognito/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/cognito/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,mBAAmB,EAAE,sBAAsB,EAAE,MAAM,UAAU,CAAC;AACvE,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAClD,YAAY,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC"}

package/dist/cognito/index.js

@@ -0,0 +1,8 @@
+/**
+ * Cognito Construct
+ *
+ * Creates and configures AWS Cognito User Pool for VentureKit.
+ */
+export { createCognitoConfig, DEFAULT_COGNITO_CONFIG } from './config';
+export { buildUserPoolConfig } from './user-pool';
+//# sourceMappingURL=index.js.map

package/dist/cognito/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/cognito/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,mBAAmB,EAAE,sBAAsB,EAAE,MAAM,UAAU,CAAC;AACvE,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC"}

package/dist/cognito/user-pool.d.ts

@@ -0,0 +1,81 @@
+/**
+ * Cognito User Pool Configuration Builder
+ *
+ * @deprecated Use intent-based infrastructure instead:
+ * ```typescript
+ * defineVenture({
+ *   infrastructure: {
+ *     auth: [{ id: 'main', signInWith: ['email'], allowSignUp: true }]
+ *   }
+ * })
+ * ```
+ *
+ * This file is kept for backward compatibility.
+ * New projects should use the intent-based API in @venturekit/infra.
+ */
+import type { CognitoConfig } from '../types';
+/**
+ * User Pool outputs
+ */
+export interface UserPoolOutputs {
+    userPoolId: string;
+    userPoolArn: string;
+    userPoolClientId: string;
+    userPoolDomain?: string;
+}
+/**
+ * User Pool configuration for infrastructure layer
+ */
+export interface UserPoolInfraConfig {
+    name: string;
+    signInAliases: {
+        email: boolean;
+        phone: boolean;
+        preferredUsername: boolean;
+    };
+    selfSignUpEnabled: boolean;
+    autoVerify: {
+        email: boolean;
+        phone: boolean;
+    };
+    passwordPolicy: {
+        minLength: number;
+        requireLowercase: boolean;
+        requireUppercase: boolean;
+        requireDigits: boolean;
+        requireSymbols: boolean;
+        tempPasswordValidity: {
+            days: number;
+        };
+    };
+    mfa: 'on' | 'optional' | 'off';
+    mfaSecondFactor: {
+        sms: boolean;
+        otp: boolean;
+    };
+    accountRecovery: string;
+    customAttributes?: Record<string, {
+        dataType: string;
+        mutable: boolean;
+    }>;
+    tokens: {
+        accessTokenValidityMinutes: number;
+        idTokenValidityMinutes: number;
+        refreshTokenValidityDays: number;
+    };
+    appClients: Array<{
+        name: string;
+        allowedScopes: string[];
+    }>;
+}
+/**
+ * Build Cognito User Pool configuration for infrastructure layer
+ *
+ * This returns a configuration object that @venturekit/infra uses
+ * to create the actual Cognito resources via SST.
+ */
+export declare function buildUserPoolConfig(name: string, config: CognitoConfig, appClients: Array<{
+    name: string;
+    allowedScopes: string[];
+}>): UserPoolInfraConfig;
+//# sourceMappingURL=user-pool.d.ts.map

package/dist/cognito/user-pool.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"user-pool.d.ts","sourceRoot":"","sources":["../../src/cognito/user-pool.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAE9C;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,gBAAgB,EAAE,MAAM,CAAC;IACzB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,MAAM,CAAC;IACb,aAAa,EAAE;QACb,KAAK,EAAE,OAAO,CAAC;QACf,KAAK,EAAE,OAAO,CAAC;QACf,iBAAiB,EAAE,OAAO,CAAC;KAC5B,CAAC;IACF,iBAAiB,EAAE,OAAO,CAAC;IAC3B,UAAU,EAAE;QACV,KAAK,EAAE,OAAO,CAAC;QACf,KAAK,EAAE,OAAO,CAAC;KAChB,CAAC;IACF,cAAc,EAAE;QACd,SAAS,EAAE,MAAM,CAAC;QAClB,gBAAgB,EAAE,OAAO,CAAC;QAC1B,gBAAgB,EAAE,OAAO,CAAC;QAC1B,aAAa,EAAE,OAAO,CAAC;QACvB,cAAc,EAAE,OAAO,CAAC;QACxB,oBAAoB,EAAE;YAAE,IAAI,EAAE,MAAM,CAAA;SAAE,CAAC;KACxC,CAAC;IACF,GAAG,EAAE,IAAI,GAAG,UAAU,GAAG,KAAK,CAAC;IAC/B,eAAe,EAAE;QACf,GAAG,EAAE,OAAO,CAAC;QACb,GAAG,EAAE,OAAO,CAAC;KACd,CAAC;IACF,eAAe,EAAE,MAAM,CAAC;IACxB,gBAAgB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;IAC1E,MAAM,EAAE;QACN,0BAA0B,EAAE,MAAM,CAAC;QACnC,sBAAsB,EAAE,MAAM,CAAC;QAC/B,wBAAwB,EAAE,MAAM,CAAC;KAClC,CAAC;IACF,UAAU,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,aAAa,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC,CAAC;CAC9D;AAED;;;;;GAKG;AACH,wBAAgB,mBAAmB,CACjC,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,aAAa,EACrB,UAAU,EAAE,KAAK,CAAC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,aAAa,EAAE,MAAM,EAAE,CAAA;CAAE,CAAC,GAC3D,mBAAmB,CA+CrB"}

package/dist/cognito/user-pool.js

@@ -0,0 +1,70 @@
+/**
+ * Cognito User Pool Configuration Builder
+ *
+ * @deprecated Use intent-based infrastructure instead:
+ * ```typescript
+ * defineVenture({
+ *   infrastructure: {
+ *     auth: [{ id: 'main', signInWith: ['email'], allowSignUp: true }]
+ *   }
+ * })
+ * ```
+ *
+ * This file is kept for backward compatibility.
+ * New projects should use the intent-based API in @venturekit/infra.
+ */
+/**
+ * Build Cognito User Pool configuration for infrastructure layer
+ *
+ * This returns a configuration object that @venturekit/infra uses
+ * to create the actual Cognito resources via SST.
+ */
+export function buildUserPoolConfig(name, config, appClients) {
+    return {
+        name: `${name}-users`,
+        signInAliases: {
+            email: config.signInAliases.email,
+            phone: config.signInAliases.phone,
+            preferredUsername: config.signInAliases.username,
+        },
+        selfSignUpEnabled: config.selfSignUpEnabled,
+        autoVerify: {
+            email: config.autoVerifyEmail,
+            phone: config.autoVerifyPhone,
+        },
+        passwordPolicy: {
+            minLength: config.passwordPolicy.minLength,
+            requireLowercase: config.passwordPolicy.requireLowercase,
+            requireUppercase: config.passwordPolicy.requireUppercase,
+            requireDigits: config.passwordPolicy.requireNumbers,
+            requireSymbols: config.passwordPolicy.requireSymbols,
+            tempPasswordValidity: {
+                days: config.passwordPolicy.tempPasswordValidityDays,
+            },
+        },
+        mfa: config.mfa.mode === 'required' ? 'on' : config.mfa.mode === 'optional' ? 'optional' : 'off',
+        mfaSecondFactor: {
+            sms: config.mfa.methods.includes('sms'),
+            otp: config.mfa.methods.includes('totp'),
+        },
+        accountRecovery: config.accountRecovery === 'both'
+            ? 'EMAIL_AND_PHONE_WITHOUT_MFA'
+            : config.accountRecovery === 'phone'
+                ? 'PHONE_ONLY_WITHOUT_MFA'
+                : 'EMAIL_ONLY',
+        customAttributes: config.customAttributes?.reduce((acc, attr) => {
+            acc[attr.name] = {
+                dataType: attr.type === 'number' ? 'Number' : attr.type === 'boolean' ? 'Boolean' : 'String',
+                mutable: attr.mutable,
+            };
+            return acc;
+        }, {}),
+        tokens: {
+            accessTokenValidityMinutes: config.tokens.accessTokenValidityMinutes,
+            idTokenValidityMinutes: config.tokens.idTokenValidityMinutes,
+            refreshTokenValidityDays: config.tokens.refreshTokenValidityDays,
+        },
+        appClients,
+    };
+}
+//# sourceMappingURL=user-pool.js.map

package/dist/cognito/user-pool.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"user-pool.js","sourceRoot":"","sources":["../../src/cognito/user-pool.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAoDH;;;;;GAKG;AACH,MAAM,UAAU,mBAAmB,CACjC,IAAY,EACZ,MAAqB,EACrB,UAA4D;IAE5D,OAAO;QACL,IAAI,EAAE,GAAG,IAAI,QAAQ;QACrB,aAAa,EAAE;YACb,KAAK,EAAE,MAAM,CAAC,aAAa,CAAC,KAAK;YACjC,KAAK,EAAE,MAAM,CAAC,aAAa,CAAC,KAAK;YACjC,iBAAiB,EAAE,MAAM,CAAC,aAAa,CAAC,QAAQ;SACjD;QACD,iBAAiB,EAAE,MAAM,CAAC,iBAAiB;QAC3C,UAAU,EAAE;YACV,KAAK,EAAE,MAAM,CAAC,eAAe;YAC7B,KAAK,EAAE,MAAM,CAAC,eAAe;SAC9B;QACD,cAAc,EAAE;YACd,SAAS,EAAE,MAAM,CAAC,cAAc,CAAC,SAAS;YAC1C,gBAAgB,EAAE,MAAM,CAAC,cAAc,CAAC,gBAAgB;YACxD,gBAAgB,EAAE,MAAM,CAAC,cAAc,CAAC,gBAAgB;YACxD,aAAa,EAAE,MAAM,CAAC,cAAc,CAAC,cAAc;YACnD,cAAc,EAAE,MAAM,CAAC,cAAc,CAAC,cAAc;YACpD,oBAAoB,EAAE;gBACpB,IAAI,EAAE,MAAM,CAAC,cAAc,CAAC,wBAAwB;aACrD;SACF;QACD,GAAG,EAAE,MAAM,CAAC,GAAG,CAAC,IAAI,KAAK,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,KAAK,UAAU,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,KAAK;QAChG,eAAe,EAAE;YACf,GAAG,EAAE,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC;YACvC,GAAG,EAAE,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC;SACzC;QACD,eAAe,EAAE,MAAM,CAAC,eAAe,KAAK,MAAM;YAChD,CAAC,CAAC,6BAA6B;YAC/B,CAAC,CAAC,MAAM,CAAC,eAAe,KAAK,OAAO;gBAClC,CAAC,CAAC,wBAAwB;gBAC1B,CAAC,CAAC,YAAY;QAClB,gBAAgB,EAAE,MAAM,CAAC,gBAAgB,EAAE,MAAM,CAAC,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE;YAC9D,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;gBACf,QAAQ,EAAE,IAAI,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,QAAQ;gBAC5F,OAAO,EAAE,IAAI,CAAC,OAAO;aACtB,CAAC;YACF,OAAO,GAAG,CAAC;QACb,CAAC,EAAE,EAA4D,CAAC;QAChE,MAAM,EAAE;YACN,0BAA0B,EAAE,MAAM,CAAC,MAAM,CAAC,0BAA0B;YACpE,sBAAsB,EAAE,MAAM,CAAC,MAAM,CAAC,sBAAsB;YAC5D,wBAAwB,EAAE,MAAM,CAAC,MAAM,CAAC,wBAAwB;SACjE;QACD,UAAU;KACX,CAAC;AACJ,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,11 @@
+/**
+ * @venturekit/auth
+ *
+ * Authentication and authorization for VentureKit.
+ */
+export * from './types';
+export { createCognitoConfig, DEFAULT_COGNITO_CONFIG, buildUserPoolConfig, } from './cognito';
+export type { UserPoolOutputs, UserPoolInfraConfig } from './cognito/user-pool';
+export { hasScope, hasAnyScope, hasAllScopes, getScopesForRoles, validateRolesConfig, } from './roles';
+export { decodeToken, extractUserFromToken, isTokenExpired, getTokenExpiry, } from './session';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,cAAc,SAAS,CAAC;AAGxB,OAAO,EACL,mBAAmB,EACnB,sBAAsB,EACtB,mBAAmB,GACpB,MAAM,WAAW,CAAC;AACnB,YAAY,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAGhF,OAAO,EACL,QAAQ,EACR,WAAW,EACX,YAAY,EACZ,iBAAiB,EACjB,mBAAmB,GACpB,MAAM,SAAS,CAAC;AAGjB,OAAO,EACL,WAAW,EACX,oBAAoB,EACpB,cAAc,EACd,cAAc,GACf,MAAM,WAAW,CAAC"}

package/dist/index.js

@@ -0,0 +1,14 @@
+/**
+ * @venturekit/auth
+ *
+ * Authentication and authorization for VentureKit.
+ */
+// Types
+export * from './types';
+// Cognito
+export { createCognitoConfig, DEFAULT_COGNITO_CONFIG, buildUserPoolConfig, } from './cognito';
+// Roles
+export { hasScope, hasAnyScope, hasAllScopes, getScopesForRoles, validateRolesConfig, } from './roles';
+// Session
+export { decodeToken, extractUserFromToken, isTokenExpired, getTokenExpiry, } from './session';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,QAAQ;AACR,cAAc,SAAS,CAAC;AAExB,UAAU;AACV,OAAO,EACL,mBAAmB,EACnB,sBAAsB,EACtB,mBAAmB,GACpB,MAAM,WAAW,CAAC;AAGnB,QAAQ;AACR,OAAO,EACL,QAAQ,EACR,WAAW,EACX,YAAY,EACZ,iBAAiB,EACjB,mBAAmB,GACpB,MAAM,SAAS,CAAC;AAEjB,UAAU;AACV,OAAO,EACL,WAAW,EACX,oBAAoB,EACpB,cAAc,EACd,cAAc,GACf,MAAM,WAAW,CAAC"}

package/dist/roles/index.d.ts

@@ -0,0 +1,27 @@
+/**
+ * Roles
+ *
+ * Utilities for managing roles and scopes.
+ */
+import type { RolesConfig } from '../types';
+/**
+ * Check if user roles grant a specific scope
+ */
+export declare function hasScope(userRoles: string[], scope: string, config: RolesConfig): boolean;
+/**
+ * Check if user roles grant any of the specified scopes
+ */
+export declare function hasAnyScope(userRoles: string[], scopes: string[], config: RolesConfig): boolean;
+/**
+ * Check if user roles grant all of the specified scopes
+ */
+export declare function hasAllScopes(userRoles: string[], scopes: string[], config: RolesConfig): boolean;
+/**
+ * Get all scopes granted by a set of roles
+ */
+export declare function getScopesForRoles(roleNames: string[], config: RolesConfig): string[];
+/**
+ * Validate roles configuration
+ */
+export declare function validateRolesConfig(config: RolesConfig): string[];
+//# sourceMappingURL=index.d.ts.map

package/dist/roles/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/roles/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAQ,WAAW,EAAE,MAAM,UAAU,CAAC;AAElD;;GAEG;AACH,wBAAgB,QAAQ,CACtB,SAAS,EAAE,MAAM,EAAE,EACnB,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,WAAW,GAClB,OAAO,CAQT;AAED;;GAEG;AACH,wBAAgB,WAAW,CACzB,SAAS,EAAE,MAAM,EAAE,EACnB,MAAM,EAAE,MAAM,EAAE,EAChB,MAAM,EAAE,WAAW,GAClB,OAAO,CAET;AAED;;GAEG;AACH,wBAAgB,YAAY,CAC1B,SAAS,EAAE,MAAM,EAAE,EACnB,MAAM,EAAE,MAAM,EAAE,EAChB,MAAM,EAAE,WAAW,GAClB,OAAO,CAET;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,SAAS,EAAE,MAAM,EAAE,EACnB,MAAM,EAAE,WAAW,GAClB,MAAM,EAAE,CAWV;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,WAAW,GAAG,MAAM,EAAE,CAejE"}

package/dist/roles/index.js

@@ -0,0 +1,58 @@
+/**
+ * Roles
+ *
+ * Utilities for managing roles and scopes.
+ */
+/**
+ * Check if user roles grant a specific scope
+ */
+export function hasScope(userRoles, scope, config) {
+    // Super admin has all scopes
+    if (config.superAdminRole && userRoles.includes(config.superAdminRole)) {
+        return true;
+    }
+    const userScopes = getScopesForRoles(userRoles, config);
+    return userScopes.includes(scope);
+}
+/**
+ * Check if user roles grant any of the specified scopes
+ */
+export function hasAnyScope(userRoles, scopes, config) {
+    return scopes.some(s => hasScope(userRoles, s, config));
+}
+/**
+ * Check if user roles grant all of the specified scopes
+ */
+export function hasAllScopes(userRoles, scopes, config) {
+    return scopes.every(s => hasScope(userRoles, s, config));
+}
+/**
+ * Get all scopes granted by a set of roles
+ */
+export function getScopesForRoles(roleNames, config) {
+    const scopes = new Set();
+    for (const roleName of roleNames) {
+        const role = config.roles.find((r) => r.name === roleName);
+        if (role) {
+            role.scopes.forEach((s) => scopes.add(s));
+        }
+    }
+    return Array.from(scopes);
+}
+/**
+ * Validate roles configuration
+ */
+export function validateRolesConfig(config) {
+    const errors = [];
+    const roleNames = new Set(config.roles.map((r) => r.name));
+    // Check default role exists
+    if (config.defaultRole && !roleNames.has(config.defaultRole)) {
+        errors.push(`Default role "${config.defaultRole}" is not defined`);
+    }
+    // Check super admin role exists
+    if (config.superAdminRole && !roleNames.has(config.superAdminRole)) {
+        errors.push(`Super admin role "${config.superAdminRole}" is not defined`);
+    }
+    return errors;
+}
+//# sourceMappingURL=index.js.map

package/dist/roles/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/roles/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH;;GAEG;AACH,MAAM,UAAU,QAAQ,CACtB,SAAmB,EACnB,KAAa,EACb,MAAmB;IAEnB,6BAA6B;IAC7B,IAAI,MAAM,CAAC,cAAc,IAAI,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,cAAc,CAAC,EAAE,CAAC;QACvE,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,UAAU,GAAG,iBAAiB,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IACxD,OAAO,UAAU,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AACpC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CACzB,SAAmB,EACnB,MAAgB,EAChB,MAAmB;IAEnB,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;AAC1D,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,YAAY,CAC1B,SAAmB,EACnB,MAAgB,EAChB,MAAmB;IAEnB,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;AAC3D,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAC/B,SAAmB,EACnB,MAAmB;IAEnB,MAAM,MAAM,GAAG,IAAI,GAAG,EAAU,CAAC;IAEjC,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;QACjC,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAO,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC;QACjE,IAAI,IAAI,EAAE,CAAC;YACT,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QACpD,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;AAC5B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,MAAmB;IACrD,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAO,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IAEjE,4BAA4B;IAC5B,IAAI,MAAM,CAAC,WAAW,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC;QAC7D,MAAM,CAAC,IAAI,CAAC,iBAAiB,MAAM,CAAC,WAAW,kBAAkB,CAAC,CAAC;IACrE,CAAC;IAED,gCAAgC;IAChC,IAAI,MAAM,CAAC,cAAc,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,MAAM,CAAC,cAAc,CAAC,EAAE,CAAC;QACnE,MAAM,CAAC,IAAI,CAAC,qBAAqB,MAAM,CAAC,cAAc,kBAAkB,CAAC,CAAC;IAC5E,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/session/index.d.ts

@@ -0,0 +1,33 @@
+/**
+ * Session Management
+ *
+ * Utilities for managing user sessions and tokens.
+ */
+import type { User } from '../types';
+/**
+ * Decode JWT token payload (without verification)
+ *
+ * ⚠️ SECURITY WARNING: This function does NOT verify the token signature.
+ * It only decodes the payload for reading claims.
+ *
+ * Token verification should be handled by:
+ * - API Gateway Cognito Authorizer (recommended)
+ * - AWS ALB with OIDC authentication
+ * - Manual verification using cognito-jwt-verifier
+ *
+ * Never trust decoded claims for authorization without proper verification.
+ */
+export declare function decodeToken(token: string): Record<string, unknown> | null;
+/**
+ * Extract user from ID token claims
+ */
+export declare function extractUserFromToken(idToken: string): User | null;
+/**
+ * Check if a token is expired
+ */
+export declare function isTokenExpired(token: string): boolean;
+/**
+ * Get token expiry time
+ */
+export declare function getTokenExpiry(token: string): Date | null;
+//# sourceMappingURL=index.d.ts.map

package/dist/session/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/session/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,IAAI,EAAkB,MAAM,UAAU,CAAC;AAErD;;;;;;;;;;;;GAYG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAWzE;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,GAAG,IAAI,CAwBjE;AAuDD;;GAEG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAMrD;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,IAAI,CAKzD"}

package/dist/session/index.js

@@ -0,0 +1,126 @@
+/**
+ * Session Management
+ *
+ * Utilities for managing user sessions and tokens.
+ */
+/**
+ * Decode JWT token payload (without verification)
+ *
+ * ⚠️ SECURITY WARNING: This function does NOT verify the token signature.
+ * It only decodes the payload for reading claims.
+ *
+ * Token verification should be handled by:
+ * - API Gateway Cognito Authorizer (recommended)
+ * - AWS ALB with OIDC authentication
+ * - Manual verification using cognito-jwt-verifier
+ *
+ * Never trust decoded claims for authorization without proper verification.
+ */
+export function decodeToken(token) {
+    try {
+        const parts = token.split('.');
+        if (parts.length !== 3)
+            return null;
+        const payload = parts[1];
+        const decoded = Buffer.from(payload, 'base64url').toString('utf-8');
+        return JSON.parse(decoded);
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Extract user from ID token claims
+ */
+export function extractUserFromToken(idToken) {
+    const claims = decodeToken(idToken);
+    if (!claims)
+        return null;
+    // Determine identifier type and value
+    const { identifierType, identifier } = determineIdentifier(claims);
+    return {
+        id: claims.sub,
+        identifierType,
+        identifier,
+        email: claims.email,
+        emailVerified: claims.email_verified,
+        phone: claims.phone_number,
+        phoneVerified: claims.phone_number_verified,
+        username: claims.preferred_username ?? claims['cognito:username'],
+        name: claims.name,
+        locale: claims.locale,
+        tenantId: claims['custom:tenant_id'],
+        roles: parseRoles(claims),
+        attributes: extractCustomAttributes(claims),
+        createdAt: new Date(),
+        updatedAt: new Date(),
+    };
+}
+/**
+ * Determine primary identifier from claims
+ */
+function determineIdentifier(claims) {
+    // Check for email first
+    if (claims.email) {
+        return { identifierType: 'email', identifier: claims.email };
+    }
+    // Check for phone
+    if (claims.phone_number) {
+        return { identifierType: 'phone', identifier: claims.phone_number };
+    }
+    // Check for username
+    if (claims.preferred_username || claims['cognito:username']) {
+        return {
+            identifierType: 'username',
+            identifier: (claims.preferred_username || claims['cognito:username'])
+        };
+    }
+    // Federated identity (use sub as identifier)
+    return { identifierType: 'federated', identifier: claims.sub };
+}
+/**
+ * Parse roles from token claims
+ */
+function parseRoles(claims) {
+    const roles = claims['custom:roles'] || claims['cognito:groups'];
+    if (!roles)
+        return [];
+    if (Array.isArray(roles))
+        return roles;
+    if (typeof roles === 'string')
+        return roles.split(',').map(r => r.trim());
+    return [];
+}
+/**
+ * Extract custom attributes from claims
+ */
+function extractCustomAttributes(claims) {
+    const attributes = {};
+    for (const [key, value] of Object.entries(claims)) {
+        if (key.startsWith('custom:') && key !== 'custom:tenant_id' && key !== 'custom:roles') {
+            const attrName = key.replace('custom:', '');
+            attributes[attrName] = String(value);
+        }
+    }
+    return attributes;
+}
+/**
+ * Check if a token is expired
+ */
+export function isTokenExpired(token) {
+    const claims = decodeToken(token);
+    if (!claims || !claims.exp)
+        return true;
+    const expiry = claims.exp * 1000;
+    return Date.now() >= expiry;
+}
+/**
+ * Get token expiry time
+ */
+export function getTokenExpiry(token) {
+    const claims = decodeToken(token);
+    if (!claims || !claims.exp)
+        return null;
+    return new Date(claims.exp * 1000);
+}
+//# sourceMappingURL=index.js.map

package/dist/session/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/session/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,WAAW,CAAC,KAAa;IACvC,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QAEpC,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACzB,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QACpE,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAC7B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAAC,OAAe;IAClD,MAAM,MAAM,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;IACpC,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAEzB,sCAAsC;IACtC,MAAM,EAAE,cAAc,EAAE,UAAU,EAAE,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;IAEnE,OAAO;QACL,EAAE,EAAE,MAAM,CAAC,GAAa;QACxB,cAAc;QACd,UAAU;QACV,KAAK,EAAE,MAAM,CAAC,KAA2B;QACzC,aAAa,EAAE,MAAM,CAAC,cAAqC;QAC3D,KAAK,EAAE,MAAM,CAAC,YAAkC;QAChD,aAAa,EAAE,MAAM,CAAC,qBAA4C;QAClE,QAAQ,EAAE,MAAM,CAAC,kBAAwC,IAAI,MAAM,CAAC,kBAAkB,CAAuB;QAC7G,IAAI,EAAE,MAAM,CAAC,IAA0B;QACvC,MAAM,EAAE,MAAM,CAAC,MAA4B;QAC3C,QAAQ,EAAE,MAAM,CAAC,kBAAkB,CAAuB;QAC1D,KAAK,EAAE,UAAU,CAAC,MAAM,CAAC;QACzB,UAAU,EAAE,uBAAuB,CAAC,MAAM,CAAC;QAC3C,SAAS,EAAE,IAAI,IAAI,EAAE;QACrB,SAAS,EAAE,IAAI,IAAI,EAAE;KACtB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAAC,MAA+B;IAC1D,wBAAwB;IACxB,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,CAAC,KAAe,EAAE,CAAC;IACzE,CAAC;IAED,kBAAkB;IAClB,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;QACxB,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,CAAC,YAAsB,EAAE,CAAC;IAChF,CAAC;IAED,qBAAqB;IACrB,IAAI,MAAM,CAAC,kBAAkB,IAAI,MAAM,CAAC,kBAAkB,CAAC,EAAE,CAAC;QAC5D,OAAO;YACL,cAAc,EAAE,UAAU;YAC1B,UAAU,EAAE,CAAC,MAAM,CAAC,kBAAkB,IAAI,MAAM,CAAC,kBAAkB,CAAC,CAAW;SAChF,CAAC;IACJ,CAAC;IAED,6CAA6C;IAC7C,OAAO,EAAE,cAAc,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,CAAC,GAAa,EAAE,CAAC;AAC3E,CAAC;AAED;;GAEG;AACH,SAAS,UAAU,CAAC,MAA+B;IACjD,MAAM,KAAK,GAAG,MAAM,CAAC,cAAc,CAAC,IAAI,MAAM,CAAC,gBAAgB,CAAC,CAAC;IACjE,IAAI,CAAC,KAAK;QAAE,OAAO,EAAE,CAAC;IACtB,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,KAAiB,CAAC;IACnD,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;IAC1E,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;GAEG;AACH,SAAS,uBAAuB,CAAC,MAA+B;IAC9D,MAAM,UAAU,GAA2B,EAAE,CAAC;IAE9C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAClD,IAAI,GAAG,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,GAAG,KAAK,kBAAkB,IAAI,GAAG,KAAK,cAAc,EAAE,CAAC;YACtF,MAAM,QAAQ,GAAG,GAAG,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;YAC5C,UAAU,CAAC,QAAQ,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;QACvC,CAAC;IACH,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,KAAa;IAC1C,MAAM,MAAM,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC;IAClC,IAAI,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IAExC,MAAM,MAAM,GAAI,MAAM,CAAC,GAAc,GAAG,IAAI,CAAC;IAC7C,OAAO,IAAI,CAAC,GAAG,EAAE,IAAI,MAAM,CAAC;AAC9B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,KAAa;IAC1C,MAAM,MAAM,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC;IAClC,IAAI,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IAExC,OAAO,IAAI,IAAI,CAAE,MAAM,CAAC,GAAc,GAAG,IAAI,CAAC,CAAC;AACjD,CAAC"}

package/dist/types/config.d.ts

@@ -0,0 +1,95 @@
+/**
+ * Auth Configuration Types
+ */
+/**
+ * Password policy
+ */
+export interface PasswordPolicy {
+    /** Minimum password length */
+    minLength: number;
+    /** Require lowercase letters */
+    requireLowercase: boolean;
+    /** Require uppercase letters */
+    requireUppercase: boolean;
+    /** Require numbers */
+    requireNumbers: boolean;
+    /** Require special characters */
+    requireSymbols: boolean;
+    /** Temporary password validity in days */
+    tempPasswordValidityDays: number;
+}
+/**
+ * MFA configuration
+ */
+export interface MfaConfig {
+    /** MFA mode */
+    mode: 'off' | 'optional' | 'required';
+    /** Allowed MFA methods */
+    methods: ('totp' | 'sms')[];
+}
+/**
+ * Token configuration
+ */
+export interface TokenConfig {
+    /** Access token validity in minutes */
+    accessTokenValidityMinutes: number;
+    /** ID token validity in minutes */
+    idTokenValidityMinutes: number;
+    /** Refresh token validity in days */
+    refreshTokenValidityDays: number;
+}
+/**
+ * Cognito User Pool configuration
+ */
+export interface CognitoConfig {
+    /** User pool name suffix (full name: {projectName}-{env}-users) */
+    poolNameSuffix?: string;
+    /** Sign-in aliases */
+    signInAliases: {
+        email: boolean;
+        phone: boolean;
+        username: boolean;
+    };
+    /** Self sign-up enabled */
+    selfSignUpEnabled: boolean;
+    /** Auto-verify email */
+    autoVerifyEmail: boolean;
+    /** Auto-verify phone */
+    autoVerifyPhone: boolean;
+    /** Password policy */
+    passwordPolicy: PasswordPolicy;
+    /** MFA configuration */
+    mfa: MfaConfig;
+    /** Token configuration */
+    tokens: TokenConfig;
+    /** Account recovery methods */
+    accountRecovery: 'email' | 'phone' | 'both';
+    /** Custom attributes */
+    customAttributes?: Array<{
+        name: string;
+        type: 'string' | 'number' | 'boolean';
+        mutable: boolean;
+    }>;
+}
+/**
+ * Auth environment configuration
+ */
+export interface AuthEnvConfig {
+    /** Cognito configuration */
+    cognito: CognitoConfig;
+    /** Roles configuration (project-specific) */
+    roles?: RolesConfig;
+}
+/**
+ * Auth environment configuration input (partial for overrides)
+ */
+export interface AuthEnvConfigInput {
+    cognito?: Partial<CognitoConfig> & {
+        passwordPolicy?: Partial<PasswordPolicy>;
+        mfa?: Partial<MfaConfig>;
+        tokens?: Partial<TokenConfig>;
+    };
+    roles?: Partial<RolesConfig>;
+}
+import type { RolesConfig } from './role';
+//# sourceMappingURL=config.d.ts.map

package/dist/types/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/types/config.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,8BAA8B;IAC9B,SAAS,EAAE,MAAM,CAAC;IAElB,gCAAgC;IAChC,gBAAgB,EAAE,OAAO,CAAC;IAE1B,gCAAgC;IAChC,gBAAgB,EAAE,OAAO,CAAC;IAE1B,sBAAsB;IACtB,cAAc,EAAE,OAAO,CAAC;IAExB,iCAAiC;IACjC,cAAc,EAAE,OAAO,CAAC;IAExB,0CAA0C;IAC1C,wBAAwB,EAAE,MAAM,CAAC;CAClC;AAED;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,eAAe;IACf,IAAI,EAAE,KAAK,GAAG,UAAU,GAAG,UAAU,CAAC;IAEtC,0BAA0B;IAC1B,OAAO,EAAE,CAAC,MAAM,GAAG,KAAK,CAAC,EAAE,CAAC;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,uCAAuC;IACvC,0BAA0B,EAAE,MAAM,CAAC;IAEnC,mCAAmC;IACnC,sBAAsB,EAAE,MAAM,CAAC;IAE/B,qCAAqC;IACrC,wBAAwB,EAAE,MAAM,CAAC;CAClC;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,mEAAmE;IACnE,cAAc,CAAC,EAAE,MAAM,CAAC;IAExB,sBAAsB;IACtB,aAAa,EAAE;QACb,KAAK,EAAE,OAAO,CAAC;QACf,KAAK,EAAE,OAAO,CAAC;QACf,QAAQ,EAAE,OAAO,CAAC;KACnB,CAAC;IAEF,2BAA2B;IAC3B,iBAAiB,EAAE,OAAO,CAAC;IAE3B,wBAAwB;IACxB,eAAe,EAAE,OAAO,CAAC;IAEzB,wBAAwB;IACxB,eAAe,EAAE,OAAO,CAAC;IAEzB,sBAAsB;IACtB,cAAc,EAAE,cAAc,CAAC;IAE/B,wBAAwB;IACxB,GAAG,EAAE,SAAS,CAAC;IAEf,0BAA0B;IAC1B,MAAM,EAAE,WAAW,CAAC;IAEpB,+BAA+B;IAC/B,eAAe,EAAE,OAAO,GAAG,OAAO,GAAG,MAAM,CAAC;IAE5C,wBAAwB;IACxB,gBAAgB,CAAC,EAAE,KAAK,CAAC;QACvB,IAAI,EAAE,MAAM,CAAC;QACb,IAAI,EAAE,QAAQ,GAAG,QAAQ,GAAG,SAAS,CAAC;QACtC,OAAO,EAAE,OAAO,CAAC;KAClB,CAAC,CAAC;CACJ;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,4BAA4B;IAC5B,OAAO,EAAE,aAAa,CAAC;IAEvB,6CAA6C;IAC7C,KAAK,CAAC,EAAE,WAAW,CAAC;CACrB;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,OAAO,CAAC,EAAE,OAAO,CAAC,aAAa,CAAC,GAAG;QACjC,cAAc,CAAC,EAAE,OAAO,CAAC,cAAc,CAAC,CAAC;QACzC,GAAG,CAAC,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;QACzB,MAAM,CAAC,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC;KAC/B,CAAC;IACF,KAAK,CAAC,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC;CAC9B;AAGD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC"}

package/dist/types/config.js

@@ -0,0 +1,5 @@
+/**
+ * Auth Configuration Types
+ */
+export {};
+//# sourceMappingURL=config.js.map

package/dist/types/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/types/config.ts"],"names":[],"mappings":"AAAA;;GAEG"}

package/dist/types/index.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Auth Types
+ *
+ * Core authentication and authorization types for VentureKit.
+ */
+export * from './user';
+export * from './session';
+export * from './role';
+export * from './config';
+//# sourceMappingURL=index.d.ts.map

package/dist/types/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/types/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,cAAc,QAAQ,CAAC;AACvB,cAAc,WAAW,CAAC;AAC1B,cAAc,QAAQ,CAAC;AACvB,cAAc,UAAU,CAAC"}

package/dist/types/index.js

@@ -0,0 +1,10 @@
+/**
+ * Auth Types
+ *
+ * Core authentication and authorization types for VentureKit.
+ */
+export * from './user';
+export * from './session';
+export * from './role';
+export * from './config';
+//# sourceMappingURL=index.js.map

package/dist/types/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/types/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,cAAc,QAAQ,CAAC;AACvB,cAAc,WAAW,CAAC;AAC1B,cAAc,QAAQ,CAAC;AACvB,cAAc,UAAU,CAAC"}

package/dist/types/role.d.ts

@@ -0,0 +1,34 @@
+/**
+ * Role Types
+ */
+/**
+ * Role definition
+ *
+ * A role grants access to a set of scopes.
+ * Scopes control API access (e.g., 'projects.read', 'users.admin').
+ */
+export interface Role {
+    /** Role name (e.g., 'admin', 'member', 'viewer') */
+    name: string;
+    /** Human-readable description */
+    description: string;
+    /** Scopes granted by this role */
+    scopes: string[];
+    /** Whether this is a system role (cannot be deleted) */
+    isSystem?: boolean;
+}
+/**
+ * Roles configuration
+ *
+ * Project-specific roles configuration.
+ * VentureKit does not define default roles - each project defines its own.
+ */
+export interface RolesConfig {
+    /** Available roles (project-specific) */
+    roles: Role[];
+    /** Default role for new users */
+    defaultRole?: string;
+    /** Super admin role (has all scopes) */
+    superAdminRole?: string;
+}
+//# sourceMappingURL=role.d.ts.map

package/dist/types/role.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"role.d.ts","sourceRoot":"","sources":["../../src/types/role.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH;;;;;GAKG;AACH,MAAM,WAAW,IAAI;IACnB,oDAAoD;IACpD,IAAI,EAAE,MAAM,CAAC;IAEb,iCAAiC;IACjC,WAAW,EAAE,MAAM,CAAC;IAEpB,kCAAkC;IAClC,MAAM,EAAE,MAAM,EAAE,CAAC;IAEjB,wDAAwD;IACxD,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAED;;;;;GAKG;AACH,MAAM,WAAW,WAAW;IAC1B,yCAAyC;IACzC,KAAK,EAAE,IAAI,EAAE,CAAC;IAEd,iCAAiC;IACjC,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB,wCAAwC;IACxC,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB"}

package/dist/types/role.js

@@ -0,0 +1,5 @@
+/**
+ * Role Types
+ */
+export {};
+//# sourceMappingURL=role.js.map

package/dist/types/role.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"role.js","sourceRoot":"","sources":["../../src/types/role.ts"],"names":[],"mappings":"AAAA;;GAEG"}

package/dist/types/session.d.ts

@@ -0,0 +1,72 @@
+/**
+ * Session Types
+ */
+/**
+ * Authentication tokens
+ */
+export interface AuthTokens {
+    /** JWT access token */
+    accessToken: string;
+    /** JWT ID token */
+    idToken: string;
+    /** Refresh token (if enabled) */
+    refreshToken?: string;
+    /** Token type (always "Bearer") */
+    tokenType: 'Bearer';
+    /** Access token expiry in seconds */
+    expiresIn: number;
+}
+/**
+ * Active session
+ */
+export interface Session {
+    /** Session ID */
+    id: string;
+    /** User ID */
+    userId: string;
+    /** Tenant ID */
+    tenantId?: string;
+    /** Client ID that created this session */
+    clientId: string;
+    /** OAuth scopes for this session */
+    scopes: string[];
+    /** When the session was created */
+    createdAt: Date;
+    /** When the session expires */
+    expiresAt: Date;
+    /** Last activity timestamp */
+    lastActivityAt: Date;
+    /** IP address */
+    ipAddress?: string;
+    /** User agent */
+    userAgent?: string;
+}
+/**
+ * Login credentials
+ */
+export interface LoginCredentials {
+    email: string;
+    password: string;
+}
+/**
+ * Password reset request
+ */
+export interface PasswordResetRequest {
+    email: string;
+}
+/**
+ * Password reset confirmation
+ */
+export interface PasswordResetConfirmation {
+    email: string;
+    code: string;
+    newPassword: string;
+}
+/**
+ * Change password request
+ */
+export interface ChangePasswordRequest {
+    oldPassword: string;
+    newPassword: string;
+}
+//# sourceMappingURL=session.d.ts.map

package/dist/types/session.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.d.ts","sourceRoot":"","sources":["../../src/types/session.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,uBAAuB;IACvB,WAAW,EAAE,MAAM,CAAC;IAEpB,mBAAmB;IACnB,OAAO,EAAE,MAAM,CAAC;IAEhB,iCAAiC;IACjC,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB,mCAAmC;IACnC,SAAS,EAAE,QAAQ,CAAC;IAEpB,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,OAAO;IACtB,iBAAiB;IACjB,EAAE,EAAE,MAAM,CAAC;IAEX,cAAc;IACd,MAAM,EAAE,MAAM,CAAC;IAEf,gBAAgB;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,0CAA0C;IAC1C,QAAQ,EAAE,MAAM,CAAC;IAEjB,oCAAoC;IACpC,MAAM,EAAE,MAAM,EAAE,CAAC;IAEjB,mCAAmC;IACnC,SAAS,EAAE,IAAI,CAAC;IAEhB,+BAA+B;IAC/B,SAAS,EAAE,IAAI,CAAC;IAEhB,8BAA8B;IAC9B,cAAc,EAAE,IAAI,CAAC;IAErB,iBAAiB;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,iBAAiB;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,KAAK,EAAE,MAAM,CAAC;CACf;AAED;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;CACrB"}

package/dist/types/session.js

@@ -0,0 +1,5 @@
+/**
+ * Session Types
+ */
+export {};
+//# sourceMappingURL=session.js.map

package/dist/types/session.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.js","sourceRoot":"","sources":["../../src/types/session.ts"],"names":[],"mappings":"AAAA;;GAEG"}

package/dist/types/user.d.ts

@@ -0,0 +1,83 @@
+/**
+ * User Types
+ */
+/**
+ * User identifier type
+ */
+export type IdentifierType = 'email' | 'phone' | 'username' | 'federated';
+/**
+ * User identity from Cognito
+ *
+ * Users can be identified by email, phone, username, or federated identity.
+ * Roles grant access to scopes - scopes are not stored on the user directly.
+ */
+export interface User {
+    /** Cognito user ID (sub) */
+    id: string;
+    /** Primary identifier type */
+    identifierType: IdentifierType;
+    /** Primary identifier value (email, phone, username, or federated ID) */
+    identifier: string;
+    /** Email address (optional) */
+    email?: string;
+    /** Whether email is verified */
+    emailVerified?: boolean;
+    /** Phone number (optional) */
+    phone?: string;
+    /** Whether phone is verified */
+    phoneVerified?: boolean;
+    /** Username (optional) */
+    username?: string;
+    /** User's display name */
+    name?: string;
+    /** User's preferred locale */
+    locale?: string;
+    /** Tenant ID for multi-tenant apps */
+    tenantId?: string;
+    /** User's roles (roles grant scopes) */
+    roles: string[];
+    /** Custom attributes */
+    attributes: Record<string, string>;
+    /** When the user was created */
+    createdAt: Date;
+    /** When the user was last updated */
+    updatedAt: Date;
+}
+/**
+ * User creation input
+ */
+export interface CreateUserInput {
+    /** Primary identifier type */
+    identifierType: IdentifierType;
+    /** Primary identifier value */
+    identifier: string;
+    /** Password (optional for federated users) */
+    password?: string;
+    /** Display name */
+    name?: string;
+    /** Email (if not primary identifier) */
+    email?: string;
+    /** Phone (if not primary identifier) */
+    phone?: string;
+    /** Preferred locale */
+    locale?: string;
+    /** Tenant ID */
+    tenantId?: string;
+    /** Initial roles */
+    roles?: string[];
+    /** Custom attributes */
+    attributes?: Record<string, string>;
+    /** Send welcome message */
+    sendInvite?: boolean;
+}
+/**
+ * User update input
+ */
+export interface UpdateUserInput {
+    name?: string;
+    phone?: string;
+    locale?: string;
+    roles?: string[];
+    attributes?: Record<string, string>;
+}
+//# sourceMappingURL=user.d.ts.map

package/dist/types/user.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"user.d.ts","sourceRoot":"","sources":["../../src/types/user.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH;;GAEG;AACH,MAAM,MAAM,cAAc,GAAG,OAAO,GAAG,OAAO,GAAG,UAAU,GAAG,WAAW,CAAC;AAE1E;;;;;GAKG;AACH,MAAM,WAAW,IAAI;IACnB,4BAA4B;IAC5B,EAAE,EAAE,MAAM,CAAC;IAEX,8BAA8B;IAC9B,cAAc,EAAE,cAAc,CAAC;IAE/B,yEAAyE;IACzE,UAAU,EAAE,MAAM,CAAC;IAEnB,+BAA+B;IAC/B,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf,gCAAgC;IAChC,aAAa,CAAC,EAAE,OAAO,CAAC;IAExB,8BAA8B;IAC9B,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf,gCAAgC;IAChC,aAAa,CAAC,EAAE,OAAO,CAAC;IAExB,0BAA0B;IAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,0BAA0B;IAC1B,IAAI,CAAC,EAAE,MAAM,CAAC;IAEd,8BAA8B;IAC9B,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB,sCAAsC;IACtC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,wCAAwC;IACxC,KAAK,EAAE,MAAM,EAAE,CAAC;IAEhB,wBAAwB;IACxB,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAEnC,gCAAgC;IAChC,SAAS,EAAE,IAAI,CAAC;IAEhB,qCAAqC;IACrC,SAAS,EAAE,IAAI,CAAC;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,8BAA8B;IAC9B,cAAc,EAAE,cAAc,CAAC;IAE/B,+BAA+B;IAC/B,UAAU,EAAE,MAAM,CAAC;IAEnB,8CAA8C;IAC9C,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,mBAAmB;IACnB,IAAI,CAAC,EAAE,MAAM,CAAC;IAEd,wCAAwC;IACxC,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf,wCAAwC;IACxC,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf,uBAAuB;IACvB,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB,gBAAgB;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,oBAAoB;IACpB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IAEjB,wBAAwB;IACxB,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAEpC,2BAA2B;IAC3B,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACrC"}

package/dist/types/user.js

@@ -0,0 +1,5 @@
+/**
+ * User Types
+ */
+export {};
+//# sourceMappingURL=user.js.map

package/dist/types/user.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"user.js","sourceRoot":"","sources":["../../src/types/user.ts"],"names":[],"mappings":"AAAA;;GAEG"}

package/package.json

@@ -0,0 +1,39 @@
+{
+  "name": "@venturekit/auth",
+  "version": "0.0.0-dev.20260307234057",
+  "description": "Authentication and authorization for VentureKit",
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "files": [
+    "dist"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/venturekit-dev/venturekit.private.git",
+    "directory": "packages/auth"
+  },
+  "publishConfig": {
+    "registry": "https://registry.npmjs.org",
+    "access": "public"
+  },
+  "license": "Apache-2.0",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "dependencies": {
+    "@venturekit/core": "0.0.0-dev.20260307234057"
+  },
+  "devDependencies": {
+    "@types/node": "^20.10.0",
+    "typescript": "^5.3.0"
+  },
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc --watch",
+    "clean": "rm -rf dist"
+  }
+}