@venturekit/auth 0.0.0-dev.20260427225816 → 0.0.0-dev.20260429113801

package/dist/server/cognito-client.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Internal Cognito client cache.
+ *
+ * The server flows in this directory all hit the same Cognito User Pool
+ * within a Lambda invocation, so we cache one
+ * `CognitoIdentityProviderClient` per region. The cache is keyed by region
+ * because a single deployment could (in theory) host pools in multiple
+ * regions — in practice every flow uses the region from
+ * {@link AuthServerConfig.region}, so the cache stays at size 1.
+ *
+ * This module is **not** part of the public API surface; consumers go
+ * through `sign-in.ts`, `refresh.ts`, `revoke.ts`.
+ */
+import { CognitoIdentityProviderClient } from '@aws-sdk/client-cognito-identity-provider';
+export declare function getCognitoClient(region: string): CognitoIdentityProviderClient;
+/** Test-only — clear the cached clients between vitest runs. */
+export declare function _resetCognitoClientCacheForTesting(): void;
+//# sourceMappingURL=cognito-client.d.ts.map

package/dist/server/cognito-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cognito-client.d.ts","sourceRoot":"","sources":["../../src/server/cognito-client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,6BAA6B,EAAE,MAAM,2CAA2C,CAAC;AAI1F,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,6BAA6B,CAM9E;AAED,gEAAgE;AAChE,wBAAgB,kCAAkC,IAAI,IAAI,CAEzD"}

package/dist/server/cognito-client.js

@@ -0,0 +1,28 @@
+/**
+ * Internal Cognito client cache.
+ *
+ * The server flows in this directory all hit the same Cognito User Pool
+ * within a Lambda invocation, so we cache one
+ * `CognitoIdentityProviderClient` per region. The cache is keyed by region
+ * because a single deployment could (in theory) host pools in multiple
+ * regions — in practice every flow uses the region from
+ * {@link AuthServerConfig.region}, so the cache stays at size 1.
+ *
+ * This module is **not** part of the public API surface; consumers go
+ * through `sign-in.ts`, `refresh.ts`, `revoke.ts`.
+ */
+import { CognitoIdentityProviderClient } from '@aws-sdk/client-cognito-identity-provider';
+const cache = new Map();
+export function getCognitoClient(region) {
+    const existing = cache.get(region);
+    if (existing)
+        return existing;
+    const client = new CognitoIdentityProviderClient({ region });
+    cache.set(region, client);
+    return client;
+}
+/** Test-only — clear the cached clients between vitest runs. */
+export function _resetCognitoClientCacheForTesting() {
+    cache.clear();
+}
+//# sourceMappingURL=cognito-client.js.map

package/dist/server/cognito-client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cognito-client.js","sourceRoot":"","sources":["../../src/server/cognito-client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,6BAA6B,EAAE,MAAM,2CAA2C,CAAC;AAE1F,MAAM,KAAK,GAAG,IAAI,GAAG,EAAyC,CAAC;AAE/D,MAAM,UAAU,gBAAgB,CAAC,MAAc;IAC7C,MAAM,QAAQ,GAAG,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACnC,IAAI,QAAQ;QAAE,OAAO,QAAQ,CAAC;IAC9B,MAAM,MAAM,GAAG,IAAI,6BAA6B,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC;IAC7D,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC1B,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,gEAAgE;AAChE,MAAM,UAAU,kCAAkC;IAChD,KAAK,CAAC,KAAK,EAAE,CAAC;AAChB,CAAC"}

package/dist/server/config.d.ts

@@ -0,0 +1,35 @@
+/**
+ * Server-side auth configuration.
+ *
+ * `AuthServerConfig` is the minimal set of values the server flows in
+ * `@venturekit/auth/server` need to talk to Cognito:
+ *
+ *   - `region`        — AWS region the user pool lives in
+ *   - `userPoolId`    — Cognito User Pool id
+ *   - `appClientId`   — Cognito User Pool app client id
+ *
+ * Most consumers will call {@link loadAuthServerConfig} which reads these
+ * from environment variables (`COGNITO_REGION`/`AWS_REGION`,
+ * `COGNITO_USER_POOL_ID`, `COGNITO_APP_CLIENT_ID`). The VentureKit
+ * deploy pipeline injects these into the Lambda environment when an
+ * `auth` intent is declared in `vk.config.ts`.
+ *
+ * Tests / scripts can pass a `config` argument explicitly to every flow
+ * and skip env-var loading entirely.
+ */
+export interface AuthServerConfig {
+    region: string;
+    userPoolId: string;
+    appClientId: string;
+}
+/**
+ * Read server-side auth configuration from environment variables.
+ *
+ * Throws when any required value is missing — server flows fail fast at
+ * first auth call rather than silently producing 401s on a misconfigured
+ * deploy.
+ *
+ * @param env Source of environment variables. Defaults to `process.env`.
+ */
+export declare function loadAuthServerConfig(env?: NodeJS.ProcessEnv | Record<string, string | undefined>): AuthServerConfig;
+//# sourceMappingURL=config.d.ts.map

package/dist/server/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/server/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;;;;;;;GAQG;AACH,wBAAgB,oBAAoB,CAClC,GAAG,GAAE,MAAM,CAAC,UAAU,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAe,GACxE,gBAAgB,CAqBlB"}

package/dist/server/config.js

@@ -0,0 +1,52 @@
+/**
+ * Server-side auth configuration.
+ *
+ * `AuthServerConfig` is the minimal set of values the server flows in
+ * `@venturekit/auth/server` need to talk to Cognito:
+ *
+ *   - `region`        — AWS region the user pool lives in
+ *   - `userPoolId`    — Cognito User Pool id
+ *   - `appClientId`   — Cognito User Pool app client id
+ *
+ * Most consumers will call {@link loadAuthServerConfig} which reads these
+ * from environment variables (`COGNITO_REGION`/`AWS_REGION`,
+ * `COGNITO_USER_POOL_ID`, `COGNITO_APP_CLIENT_ID`). The VentureKit
+ * deploy pipeline injects these into the Lambda environment when an
+ * `auth` intent is declared in `vk.config.ts`.
+ *
+ * Tests / scripts can pass a `config` argument explicitly to every flow
+ * and skip env-var loading entirely.
+ */
+/**
+ * Read server-side auth configuration from environment variables.
+ *
+ * Throws when any required value is missing — server flows fail fast at
+ * first auth call rather than silently producing 401s on a misconfigured
+ * deploy.
+ *
+ * @param env Source of environment variables. Defaults to `process.env`.
+ */
+export function loadAuthServerConfig(env = process.env) {
+    const region = env['COGNITO_REGION'] ?? env['AWS_REGION'];
+    const userPoolId = env['COGNITO_USER_POOL_ID'];
+    const appClientId = env['COGNITO_APP_CLIENT_ID'];
+    const missing = [];
+    if (!region)
+        missing.push('COGNITO_REGION (or AWS_REGION)');
+    if (!userPoolId)
+        missing.push('COGNITO_USER_POOL_ID');
+    if (!appClientId)
+        missing.push('COGNITO_APP_CLIENT_ID');
+    if (missing.length > 0) {
+        throw new Error(`[@venturekit/auth/server] missing env var(s): ${missing.join(', ')} — ` +
+            `VentureKit's auth intent in vk.config.ts injects these into the Lambda ` +
+            `environment from the deployed user pool. Set them manually in .env.local ` +
+            `for local dev.`);
+    }
+    return {
+        region: region,
+        userPoolId: userPoolId,
+        appClientId: appClientId,
+    };
+}
+//# sourceMappingURL=config.js.map

package/dist/server/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/server/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAQH;;;;;;;;GAQG;AACH,MAAM,UAAU,oBAAoB,CAClC,MAA8D,OAAO,CAAC,GAAG;IAEzE,MAAM,MAAM,GAAG,GAAG,CAAC,gBAAgB,CAAC,IAAI,GAAG,CAAC,YAAY,CAAC,CAAC;IAC1D,MAAM,UAAU,GAAG,GAAG,CAAC,sBAAsB,CAAC,CAAC;IAC/C,MAAM,WAAW,GAAG,GAAG,CAAC,uBAAuB,CAAC,CAAC;IACjD,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,IAAI,CAAC,MAAM;QAAE,OAAO,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAC;IAC5D,IAAI,CAAC,UAAU;QAAE,OAAO,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;IACtD,IAAI,CAAC,WAAW;QAAE,OAAO,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;IACxD,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CACb,iDAAiD,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK;YACtE,yEAAyE;YACzE,2EAA2E;YAC3E,gBAAgB,CACnB,CAAC;IACJ,CAAC;IACD,OAAO;QACL,MAAM,EAAE,MAAO;QACf,UAAU,EAAE,UAAW;QACvB,WAAW,EAAE,WAAY;KAC1B,CAAC;AACJ,CAAC"}

package/dist/server/cookies.d.ts

@@ -0,0 +1,75 @@
+/**
+ * Session cookie helpers — read from inbound `Cookie:` headers, build
+ * `Set-Cookie` header values for outgoing responses.
+ *
+ * **Cookie attributes** (every auth cookie):
+ *   - `HttpOnly` — JS in the browser cannot read these. The browser
+ *     attaches them automatically when fetching with
+ *     `credentials: 'include'`.
+ *   - `Secure` — set when {@link CookieOptions.secure} is true (default:
+ *     `process.env.NODE_ENV === 'production'`). Omitted in dev so cookies
+ *     work over plain HTTP localhost.
+ *   - `SameSite=Lax` for the id/access cookies, `SameSite=Strict` for
+ *     the refresh cookie. The refresh cookie is only ever sent to the
+ *     paths under {@link CookieOptions.refreshPath} (default `/auth`)
+ *     so it never leaks to non-auth handlers.
+ *   - `Path=/` for the id/access tokens, `Path=/auth` for refresh.
+ *
+ * The cookies are **host-only** (no `Domain` attribute) so they're
+ * scoped to the host the response came from. The browser sends them on
+ * every request to that host, including cross-origin XHR from a sibling
+ * subdomain when `credentials: 'include'` is used and both hosts share
+ * the same registrable domain.
+ */
+export declare const ID_TOKEN_COOKIE = "vk_id_token";
+export declare const ACCESS_TOKEN_COOKIE = "vk_access_token";
+export declare const REFRESH_TOKEN_COOKIE = "vk_refresh_token";
+export interface SessionTokens {
+    idToken: string;
+    accessToken: string;
+    /** May be omitted on refresh — Cognito doesn't always rotate it. */
+    refreshToken?: string;
+    /** Seconds until id/access tokens expire (typically 3600). */
+    expiresIn: number;
+}
+export interface CookieOptions {
+    /**
+     * Emit the `Secure` flag. Defaults to
+     * `process.env.NODE_ENV === 'production'`.
+     */
+    secure?: boolean;
+    /**
+     * Path scope for the refresh cookie. Defaults to `/auth`. The refresh
+     * token is never sent on requests outside this prefix.
+     */
+    refreshPath?: string;
+    /**
+     * Lifetime of the refresh cookie in seconds. Defaults to 30 days.
+     */
+    refreshMaxAgeSeconds?: number;
+}
+/**
+ * Build the `Set-Cookie` header values to attach to a sign-in / refresh
+ * response. Returns an array — API Gateway v2 supports multi-valued
+ * `Set-Cookie` via the `cookies: string[]` field on
+ * `APIGatewayProxyStructuredResultV2`.
+ *
+ * The refresh slot is skipped when {@link SessionTokens.refreshToken} is
+ * empty, which is the normal case after a refresh exchange (Cognito's
+ * `REFRESH_TOKEN_AUTH` doesn't rotate the refresh token).
+ */
+export declare function buildSessionCookies(tokens: SessionTokens, options?: CookieOptions): string[];
+/**
+ * Build the `Set-Cookie` header values that clear all auth cookies.
+ * Used on sign-out and as a defensive cleanup when refresh fails
+ * terminally so the next attempt goes straight to sign-in.
+ */
+export declare function buildClearSessionCookies(options?: CookieOptions): string[];
+/**
+ * Read a single cookie out of a `Cookie:` header value. Returns `null`
+ * when the cookie is absent. Permissive: duplicates take the last
+ * occurrence, whitespace around `=` is allowed, URL-encoded values are
+ * decoded.
+ */
+export declare function readCookieFromHeader(rawCookieHeader: string | undefined | null, name: string): string | null;
+//# sourceMappingURL=cookies.d.ts.map

package/dist/server/cookies.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cookies.d.ts","sourceRoot":"","sources":["../../src/server/cookies.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,eAAO,MAAM,eAAe,gBAAgB,CAAC;AAC7C,eAAO,MAAM,mBAAmB,oBAAoB,CAAC;AACrD,eAAO,MAAM,oBAAoB,qBAAqB,CAAC;AAIvD,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,oEAAoE;IACpE,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,8DAA8D;IAC9D,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,aAAa;IAC5B;;;OAGG;IACH,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;OAEG;IACH,oBAAoB,CAAC,EAAE,MAAM,CAAC;CAC/B;AA0CD;;;;;;;;;GASG;AACH,wBAAgB,mBAAmB,CACjC,MAAM,EAAE,aAAa,EACrB,OAAO,CAAC,EAAE,aAAa,GACtB,MAAM,EAAE,CAqBV;AAED;;;;GAIG;AACH,wBAAgB,wBAAwB,CAAC,OAAO,CAAC,EAAE,aAAa,GAAG,MAAM,EAAE,CAY1E;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAClC,eAAe,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,EAC1C,IAAI,EAAE,MAAM,GACX,MAAM,GAAG,IAAI,CAef"}

package/dist/server/cookies.js

@@ -0,0 +1,109 @@
+/**
+ * Session cookie helpers — read from inbound `Cookie:` headers, build
+ * `Set-Cookie` header values for outgoing responses.
+ *
+ * **Cookie attributes** (every auth cookie):
+ *   - `HttpOnly` — JS in the browser cannot read these. The browser
+ *     attaches them automatically when fetching with
+ *     `credentials: 'include'`.
+ *   - `Secure` — set when {@link CookieOptions.secure} is true (default:
+ *     `process.env.NODE_ENV === 'production'`). Omitted in dev so cookies
+ *     work over plain HTTP localhost.
+ *   - `SameSite=Lax` for the id/access cookies, `SameSite=Strict` for
+ *     the refresh cookie. The refresh cookie is only ever sent to the
+ *     paths under {@link CookieOptions.refreshPath} (default `/auth`)
+ *     so it never leaks to non-auth handlers.
+ *   - `Path=/` for the id/access tokens, `Path=/auth` for refresh.
+ *
+ * The cookies are **host-only** (no `Domain` attribute) so they're
+ * scoped to the host the response came from. The browser sends them on
+ * every request to that host, including cross-origin XHR from a sibling
+ * subdomain when `credentials: 'include'` is used and both hosts share
+ * the same registrable domain.
+ */
+export const ID_TOKEN_COOKIE = 'vk_id_token';
+export const ACCESS_TOKEN_COOKIE = 'vk_access_token';
+export const REFRESH_TOKEN_COOKIE = 'vk_refresh_token';
+const REFRESH_MAX_AGE_SECONDS = 30 * 24 * 60 * 60; // 30 days
+function resolve(opts) {
+    return {
+        secure: opts?.secure ?? process.env.NODE_ENV === 'production',
+        refreshPath: opts?.refreshPath ?? '/auth',
+        refreshMaxAgeSeconds: opts?.refreshMaxAgeSeconds ?? REFRESH_MAX_AGE_SECONDS,
+    };
+}
+function buildSetCookie(name, value, attrs, secure) {
+    const parts = [`${name}=${encodeURIComponent(value)}`];
+    parts.push(`Path=${attrs.path ?? '/'}`);
+    parts.push(`SameSite=${attrs.sameSite ?? 'Lax'}`);
+    parts.push('HttpOnly');
+    if (secure)
+        parts.push('Secure');
+    if (typeof attrs.maxAge === 'number') {
+        parts.push(`Max-Age=${Math.floor(attrs.maxAge)}`);
+    }
+    return parts.join('; ');
+}
+/**
+ * Build the `Set-Cookie` header values to attach to a sign-in / refresh
+ * response. Returns an array — API Gateway v2 supports multi-valued
+ * `Set-Cookie` via the `cookies: string[]` field on
+ * `APIGatewayProxyStructuredResultV2`.
+ *
+ * The refresh slot is skipped when {@link SessionTokens.refreshToken} is
+ * empty, which is the normal case after a refresh exchange (Cognito's
+ * `REFRESH_TOKEN_AUTH` doesn't rotate the refresh token).
+ */
+export function buildSessionCookies(tokens, options) {
+    const { secure, refreshPath, refreshMaxAgeSeconds } = resolve(options);
+    const accessMaxAge = Math.max(60, Math.min(tokens.expiresIn, 3600));
+    const headers = [];
+    headers.push(buildSetCookie(ID_TOKEN_COOKIE, tokens.idToken, { maxAge: accessMaxAge }, secure));
+    headers.push(buildSetCookie(ACCESS_TOKEN_COOKIE, tokens.accessToken, { maxAge: accessMaxAge }, secure));
+    if (tokens.refreshToken) {
+        headers.push(buildSetCookie(REFRESH_TOKEN_COOKIE, tokens.refreshToken, {
+            path: refreshPath,
+            maxAge: refreshMaxAgeSeconds,
+            sameSite: 'Strict',
+        }, secure));
+    }
+    return headers;
+}
+/**
+ * Build the `Set-Cookie` header values that clear all auth cookies.
+ * Used on sign-out and as a defensive cleanup when refresh fails
+ * terminally so the next attempt goes straight to sign-in.
+ */
+export function buildClearSessionCookies(options) {
+    const { secure, refreshPath } = resolve(options);
+    return [
+        buildSetCookie(ID_TOKEN_COOKIE, '', { maxAge: 0 }, secure),
+        buildSetCookie(ACCESS_TOKEN_COOKIE, '', { maxAge: 0 }, secure),
+        buildSetCookie(REFRESH_TOKEN_COOKIE, '', { path: refreshPath, maxAge: 0, sameSite: 'Strict' }, secure),
+    ];
+}
+/**
+ * Read a single cookie out of a `Cookie:` header value. Returns `null`
+ * when the cookie is absent. Permissive: duplicates take the last
+ * occurrence, whitespace around `=` is allowed, URL-encoded values are
+ * decoded.
+ */
+export function readCookieFromHeader(rawCookieHeader, name) {
+    if (!rawCookieHeader)
+        return null;
+    const target = `${name}=`;
+    let found = null;
+    for (const part of rawCookieHeader.split(';')) {
+        const trimmed = part.trim();
+        if (trimmed.startsWith(target)) {
+            try {
+                found = decodeURIComponent(trimmed.slice(target.length));
+            }
+            catch {
+                found = trimmed.slice(target.length);
+            }
+        }
+    }
+    return found;
+}
+//# sourceMappingURL=cookies.js.map

package/dist/server/cookies.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cookies.js","sourceRoot":"","sources":["../../src/server/cookies.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,MAAM,CAAC,MAAM,eAAe,GAAG,aAAa,CAAC;AAC7C,MAAM,CAAC,MAAM,mBAAmB,GAAG,iBAAiB,CAAC;AACrD,MAAM,CAAC,MAAM,oBAAoB,GAAG,kBAAkB,CAAC;AAEvD,MAAM,uBAAuB,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,UAAU;AAkC7D,SAAS,OAAO,CAAC,IAAoB;IACnC,OAAO;QACL,MAAM,EAAE,IAAI,EAAE,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY;QAC7D,WAAW,EAAE,IAAI,EAAE,WAAW,IAAI,OAAO;QACzC,oBAAoB,EAAE,IAAI,EAAE,oBAAoB,IAAI,uBAAuB;KAC5E,CAAC;AACJ,CAAC;AAWD,SAAS,cAAc,CACrB,IAAY,EACZ,KAAa,EACb,KAAkB,EAClB,MAAe;IAEf,MAAM,KAAK,GAAG,CAAC,GAAG,IAAI,IAAI,kBAAkB,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IACvD,KAAK,CAAC,IAAI,CAAC,QAAQ,KAAK,CAAC,IAAI,IAAI,GAAG,EAAE,CAAC,CAAC;IACxC,KAAK,CAAC,IAAI,CAAC,YAAY,KAAK,CAAC,QAAQ,IAAI,KAAK,EAAE,CAAC,CAAC;IAClD,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACvB,IAAI,MAAM;QAAE,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACjC,IAAI,OAAO,KAAK,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;QACrC,KAAK,CAAC,IAAI,CAAC,WAAW,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IACpD,CAAC;IACD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,mBAAmB,CACjC,MAAqB,EACrB,OAAuB;IAEvB,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,oBAAoB,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IACvE,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC,CAAC;IACpE,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,OAAO,CAAC,IAAI,CAAC,cAAc,CAAC,eAAe,EAAE,MAAM,CAAC,OAAO,EAAE,EAAE,MAAM,EAAE,YAAY,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC;IAChG,OAAO,CAAC,IAAI,CAAC,cAAc,CAAC,mBAAmB,EAAE,MAAM,CAAC,WAAW,EAAE,EAAE,MAAM,EAAE,YAAY,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC;IACxG,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;QACxB,OAAO,CAAC,IAAI,CACV,cAAc,CACZ,oBAAoB,EACpB,MAAM,CAAC,YAAY,EACnB;YACE,IAAI,EAAE,WAAW;YACjB,MAAM,EAAE,oBAAoB;YAC5B,QAAQ,EAAE,QAAQ;SACnB,EACD,MAAM,CACP,CACF,CAAC;IACJ,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,wBAAwB,CAAC,OAAuB;IAC9D,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IACjD,OAAO;QACL,cAAc,CAAC,eAAe,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC,EAAE,EAAE,MAAM,CAAC;QAC1D,cAAc,CAAC,mBAAmB,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC,EAAE,EAAE,MAAM,CAAC;QAC9D,cAAc,CACZ,oBAAoB,EACpB,EAAE,EACF,EAAE,IAAI,EAAE,WAAW,EAAE,MAAM,EAAE,CAAC,EAAE,QAAQ,EAAE,QAAQ,EAAE,EACpD,MAAM,CACP;KACF,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,oBAAoB,CAClC,eAA0C,EAC1C,IAAY;IAEZ,IAAI,CAAC,eAAe;QAAE,OAAO,IAAI,CAAC;IAClC,MAAM,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC;IAC1B,IAAI,KAAK,GAAkB,IAAI,CAAC;IAChC,KAAK,MAAM,IAAI,IAAI,eAAe,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;QAC9C,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;YAC/B,IAAI,CAAC;gBACH,KAAK,GAAG,kBAAkB,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC;YAC3D,CAAC;YAAC,MAAM,CAAC;gBACP,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YACvC,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/server/errors.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Auth errors thrown by the server-side flows in `@venturekit/auth/server`.
+ *
+ * `AuthError` carries a stable machine-readable `code` (e.g.
+ * `invalid_credentials`, `password_reset_required`) and an HTTP status
+ * hint so route handlers can map it straight to a typed response without
+ * inspecting Cognito-specific error names.
+ */
+export declare class AuthError extends Error {
+    readonly code: string;
+    readonly status: number;
+    constructor(code: string, message: string, status?: number);
+}
+/**
+ * Map an underlying provider error (e.g. an AWS SDK error name) to a
+ * stable {@link AuthError}. Unknown error names fall through with their
+ * original `name` as `code` and the supplied default status.
+ */
+export declare function mapProviderError(err: unknown, fallbackCode: string, fallbackStatus?: number): AuthError;
+//# sourceMappingURL=errors.d.ts.map

package/dist/server/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/server/errors.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,qBAAa,SAAU,SAAQ,KAAK;IAClC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;gBACZ,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,SAAM;CAMxD;AAED;;;;GAIG;AACH,wBAAgB,gBAAgB,CAC9B,GAAG,EAAE,OAAO,EACZ,YAAY,EAAE,MAAM,EACpB,cAAc,SAAM,GACnB,SAAS,CAoBX"}

package/dist/server/errors.js

@@ -0,0 +1,45 @@
+/**
+ * Auth errors thrown by the server-side flows in `@venturekit/auth/server`.
+ *
+ * `AuthError` carries a stable machine-readable `code` (e.g.
+ * `invalid_credentials`, `password_reset_required`) and an HTTP status
+ * hint so route handlers can map it straight to a typed response without
+ * inspecting Cognito-specific error names.
+ */
+export class AuthError extends Error {
+    code;
+    status;
+    constructor(code, message, status = 401) {
+        super(message);
+        this.name = 'AuthError';
+        this.code = code;
+        this.status = status;
+    }
+}
+/**
+ * Map an underlying provider error (e.g. an AWS SDK error name) to a
+ * stable {@link AuthError}. Unknown error names fall through with their
+ * original `name` as `code` and the supplied default status.
+ */
+export function mapProviderError(err, fallbackCode, fallbackStatus = 401) {
+    const e = err;
+    const code = e.name ?? fallbackCode;
+    const message = e.message ?? 'Authentication failed';
+    switch (code) {
+        case 'NotAuthorizedException':
+        case 'UserNotFoundException':
+            return new AuthError('invalid_credentials', 'Incorrect email or password', 401);
+        case 'UserNotConfirmedException':
+            return new AuthError('user_not_confirmed', message, 403);
+        case 'PasswordResetRequiredException':
+            return new AuthError('password_reset_required', message, 403);
+        case 'TooManyRequestsException':
+        case 'TooManyFailedAttemptsException':
+            return new AuthError('too_many_requests', message, 429);
+        case 'InvalidParameterException':
+            return new AuthError('invalid_parameter', message, 422);
+        default:
+            return new AuthError(code, message, fallbackStatus);
+    }
+}
+//# sourceMappingURL=errors.js.map

package/dist/server/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../src/server/errors.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,MAAM,OAAO,SAAU,SAAQ,KAAK;IACzB,IAAI,CAAS;IACb,MAAM,CAAS;IACxB,YAAY,IAAY,EAAE,OAAe,EAAE,MAAM,GAAG,GAAG;QACrD,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,WAAW,CAAC;QACxB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;CACF;AAED;;;;GAIG;AACH,MAAM,UAAU,gBAAgB,CAC9B,GAAY,EACZ,YAAoB,EACpB,cAAc,GAAG,GAAG;IAEpB,MAAM,CAAC,GAAG,GAA0C,CAAC;IACrD,MAAM,IAAI,GAAG,CAAC,CAAC,IAAI,IAAI,YAAY,CAAC;IACpC,MAAM,OAAO,GAAG,CAAC,CAAC,OAAO,IAAI,uBAAuB,CAAC;IACrD,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,wBAAwB,CAAC;QAC9B,KAAK,uBAAuB;YAC1B,OAAO,IAAI,SAAS,CAAC,qBAAqB,EAAE,6BAA6B,EAAE,GAAG,CAAC,CAAC;QAClF,KAAK,2BAA2B;YAC9B,OAAO,IAAI,SAAS,CAAC,oBAAoB,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC;QAC3D,KAAK,gCAAgC;YACnC,OAAO,IAAI,SAAS,CAAC,yBAAyB,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC;QAChE,KAAK,0BAA0B,CAAC;QAChC,KAAK,gCAAgC;YACnC,OAAO,IAAI,SAAS,CAAC,mBAAmB,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC;QAC1D,KAAK,2BAA2B;YAC9B,OAAO,IAAI,SAAS,CAAC,mBAAmB,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC;QAC1D;YACE,OAAO,IAAI,SAAS,CAAC,IAAI,EAAE,OAAO,EAAE,cAAc,CAAC,CAAC;IACxD,CAAC;AACH,CAAC"}

package/dist/server/index.d.ts

@@ -0,0 +1,38 @@
+/**
+ * @venturekit/auth/server
+ *
+ * Server-side authentication primitives for Lambda / Node handlers
+ * fronting a Cognito User Pool.
+ *
+ * **Responsibilities**
+ *   - Password / refresh / revoke flows against Cognito's user-facing
+ *     `InitiateAuth` and `RevokeToken` endpoints
+ *     ({@link signInWithPassword}, {@link refreshSession},
+ *     {@link revokeRefreshToken}).
+ *   - JWT verification against the User Pool's JWKS
+ *     ({@link verifyAndDecode}).
+ *   - HTTP-only session cookie helpers
+ *     ({@link buildSessionCookies}, {@link buildClearSessionCookies},
+ *     {@link readCookieFromHeader}).
+ *   - A stable {@link AuthError} surface that hides Cognito-specific
+ *     error names from route handlers.
+ *
+ * Consumers should import from `@venturekit/auth/server` rather than
+ * the package root so the lightweight client-safe entry stays free of
+ * AWS SDK dependencies.
+ */
+export { AuthError, mapProviderError } from './errors.js';
+export type { AuthServerConfig } from './config.js';
+export { loadAuthServerConfig } from './config.js';
+export type { SignInCredentials, SignInResult } from './sign-in.js';
+export { signInWithPassword } from './sign-in.js';
+export type { RefreshResult } from './refresh.js';
+export { refreshSession } from './refresh.js';
+export { revokeRefreshToken } from './revoke.js';
+export type { VerifyOptions } from './verify.js';
+export { verifyAndDecode } from './verify.js';
+export type { SessionTokens, CookieOptions } from './cookies.js';
+export { ID_TOKEN_COOKIE, ACCESS_TOKEN_COOKIE, REFRESH_TOKEN_COOKIE, buildSessionCookies, buildClearSessionCookies, readCookieFromHeader, } from './cookies.js';
+export type { CookieAuthMiddlewareOptions } from './middleware.js';
+export { cookieAuthMiddleware, extractToken } from './middleware.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/server/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC1D,YAAY,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAEnD,YAAY,EAAE,iBAAiB,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AACpE,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAElD,YAAY,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAClD,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAE9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AAEjD,YAAY,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAE9C,YAAY,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AACjE,OAAO,EACL,eAAe,EACf,mBAAmB,EACnB,oBAAoB,EACpB,mBAAmB,EACnB,wBAAwB,EACxB,oBAAoB,GACrB,MAAM,cAAc,CAAC;AAEtB,YAAY,EAAE,2BAA2B,EAAE,MAAM,iBAAiB,CAAC;AACnE,OAAO,EAAE,oBAAoB,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC"}

package/dist/server/index.js

@@ -0,0 +1,32 @@
+/**
+ * @venturekit/auth/server
+ *
+ * Server-side authentication primitives for Lambda / Node handlers
+ * fronting a Cognito User Pool.
+ *
+ * **Responsibilities**
+ *   - Password / refresh / revoke flows against Cognito's user-facing
+ *     `InitiateAuth` and `RevokeToken` endpoints
+ *     ({@link signInWithPassword}, {@link refreshSession},
+ *     {@link revokeRefreshToken}).
+ *   - JWT verification against the User Pool's JWKS
+ *     ({@link verifyAndDecode}).
+ *   - HTTP-only session cookie helpers
+ *     ({@link buildSessionCookies}, {@link buildClearSessionCookies},
+ *     {@link readCookieFromHeader}).
+ *   - A stable {@link AuthError} surface that hides Cognito-specific
+ *     error names from route handlers.
+ *
+ * Consumers should import from `@venturekit/auth/server` rather than
+ * the package root so the lightweight client-safe entry stays free of
+ * AWS SDK dependencies.
+ */
+export { AuthError, mapProviderError } from './errors.js';
+export { loadAuthServerConfig } from './config.js';
+export { signInWithPassword } from './sign-in.js';
+export { refreshSession } from './refresh.js';
+export { revokeRefreshToken } from './revoke.js';
+export { verifyAndDecode } from './verify.js';
+export { ID_TOKEN_COOKIE, ACCESS_TOKEN_COOKIE, REFRESH_TOKEN_COOKIE, buildSessionCookies, buildClearSessionCookies, readCookieFromHeader, } from './cookies.js';
+export { cookieAuthMiddleware, extractToken } from './middleware.js';
+//# sourceMappingURL=index.js.map

package/dist/server/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAE1D,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAGnD,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAGlD,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAE9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AAGjD,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAG9C,OAAO,EACL,eAAe,EACf,mBAAmB,EACnB,oBAAoB,EACpB,mBAAmB,EACnB,wBAAwB,EACxB,oBAAoB,GACrB,MAAM,cAAc,CAAC;AAGtB,OAAO,EAAE,oBAAoB,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC"}

package/dist/server/middleware.d.ts

@@ -0,0 +1,76 @@
+/**
+ * `@venturekit/runtime`-compatible auth middleware.
+ *
+ * Transparently reads the session JWT from either:
+ *   - the `vk_id_token` cookie (default; configurable via
+ *     {@link CookieAuthMiddlewareOptions.cookieName}), OR
+ *   - the `Authorization: Bearer <token>` header (bearer wins when both
+ *     are present — simplifies mixed SPA + CLI clients).
+ *
+ * Verifies the token against the User Pool's JWKS via
+ * {@link verifyAndDecode} and populates `ctx.user` with the verified
+ * claims. When the token is missing / invalid / expired, `ctx.user`
+ * stays `null`; the downstream `handler({ scopes: [...] })` gate in
+ * `@venturekit/runtime` raises the 401. Public routes (no `scopes`)
+ * pass through unaffected.
+ *
+ * **Why a middleware and not a gateway authorizer?** API Gateway's
+ * `HttpJwtAuthorizer` only reads `Authorization: Bearer`; it cannot
+ * read cookies. This middleware runs inside the Lambda so HttpOnly
+ * cookie-based sessions (XSS-safer than localStorage bearers) keep
+ * working. The JWKS verifier caches keys across warm invocations
+ * ({@link verifyAndDecode}), so the per-request cost is the same
+ * signature-verify a gateway authorizer would do.
+ */
+import type { APIGatewayProxyEventV2 } from 'aws-lambda';
+import type { Middleware, RequestContext } from '@venturekit/runtime';
+import type { AuthServerConfig } from './config.js';
+export interface CookieAuthMiddlewareOptions {
+    /**
+     * Cookie name carrying the session JWT. Defaults to `vk_id_token`
+     * (matches the cookie `buildSessionCookies` sets).
+     */
+    cookieName?: string;
+    /**
+     * Which token type to verify:
+     *   - `'id'` (default) — matches id-token cookies which carry `email`
+     *     and Cognito `custom:*` attributes. Use this for browser sessions.
+     *   - `'access'` — matches access tokens which carry `scope` and
+     *     `client_id`. Use this for service-to-service bearer calls.
+     */
+    tokenUse?: 'id' | 'access';
+    /**
+     * Explicit Cognito config. Defaults to
+     * {@link loadAuthServerConfig} (reads env vars). Providing this in
+     * tests lets you construct a middleware without touching env.
+     */
+    config?: AuthServerConfig;
+}
+/**
+ * Build a `@venturekit/runtime` middleware that verifies a session JWT
+ * and populates `ctx.user` with the verified claims.
+ *
+ * @example
+ * ```ts
+ * import { handler } from '@venturekit/runtime';
+ * import { cookieAuthMiddleware } from '@venturekit/auth/server';
+ *
+ * export const main = handler(
+ *   async (body, ctx) => ({ userId: ctx.user!.id }),
+ *   {
+ *     scopes: ['cms.admin'],
+ *     middleware: [cookieAuthMiddleware()],
+ *   },
+ * );
+ * ```
+ */
+export declare function cookieAuthMiddleware(options?: CookieAuthMiddlewareOptions): Middleware<RequestContext>;
+/**
+ * Pull the session token out of the request. Bearer header wins over
+ * cookie so a mixed client (browser + CLI) stays predictable.
+ *
+ * Exported for tests only — route handlers should use
+ * {@link cookieAuthMiddleware} instead.
+ */
+export declare function extractToken(event: APIGatewayProxyEventV2, cookieName?: string): string | null;
+//# sourceMappingURL=middleware.d.ts.map

package/dist/server/middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../src/server/middleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,YAAY,CAAC;AAKzD,OAAO,KAAK,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAGtE,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAGpD,MAAM,WAAW,2BAA2B;IAC1C;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;;;;;OAMG;IACH,QAAQ,CAAC,EAAE,IAAI,GAAG,QAAQ,CAAC;IAC3B;;;;OAIG;IACH,MAAM,CAAC,EAAE,gBAAgB,CAAC;CAC3B;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,oBAAoB,CAClC,OAAO,GAAE,2BAAgC,GACxC,UAAU,CAAC,cAAc,CAAC,CAgC5B;AAED;;;;;;GAMG;AACH,wBAAgB,YAAY,CAC1B,KAAK,EAAE,sBAAsB,EAC7B,UAAU,GAAE,MAAwB,GACnC,MAAM,GAAG,IAAI,CAaf"}

package/dist/server/middleware.js

@@ -0,0 +1,115 @@
+/**
+ * `@venturekit/runtime`-compatible auth middleware.
+ *
+ * Transparently reads the session JWT from either:
+ *   - the `vk_id_token` cookie (default; configurable via
+ *     {@link CookieAuthMiddlewareOptions.cookieName}), OR
+ *   - the `Authorization: Bearer <token>` header (bearer wins when both
+ *     are present — simplifies mixed SPA + CLI clients).
+ *
+ * Verifies the token against the User Pool's JWKS via
+ * {@link verifyAndDecode} and populates `ctx.user` with the verified
+ * claims. When the token is missing / invalid / expired, `ctx.user`
+ * stays `null`; the downstream `handler({ scopes: [...] })` gate in
+ * `@venturekit/runtime` raises the 401. Public routes (no `scopes`)
+ * pass through unaffected.
+ *
+ * **Why a middleware and not a gateway authorizer?** API Gateway's
+ * `HttpJwtAuthorizer` only reads `Authorization: Bearer`; it cannot
+ * read cookies. This middleware runs inside the Lambda so HttpOnly
+ * cookie-based sessions (XSS-safer than localStorage bearers) keep
+ * working. The JWKS verifier caches keys across warm invocations
+ * ({@link verifyAndDecode}), so the per-request cost is the same
+ * signature-verify a gateway authorizer would do.
+ */
+import { ID_TOKEN_COOKIE, readCookieFromHeader } from './cookies.js';
+import { verifyAndDecode } from './verify.js';
+import { loadAuthServerConfig } from './config.js';
+/**
+ * Build a `@venturekit/runtime` middleware that verifies a session JWT
+ * and populates `ctx.user` with the verified claims.
+ *
+ * @example
+ * ```ts
+ * import { handler } from '@venturekit/runtime';
+ * import { cookieAuthMiddleware } from '@venturekit/auth/server';
+ *
+ * export const main = handler(
+ *   async (body, ctx) => ({ userId: ctx.user!.id }),
+ *   {
+ *     scopes: ['cms.admin'],
+ *     middleware: [cookieAuthMiddleware()],
+ *   },
+ * );
+ * ```
+ */
+export function cookieAuthMiddleware(options = {}) {
+    const cookieName = options.cookieName ?? ID_TOKEN_COOKIE;
+    const tokenUse = options.tokenUse ?? 'id';
+    // Resolve config lazily so a route module can import the middleware
+    // factory at file-load time without the env vars being set (tests,
+    // local type-only imports, etc.). The first actual request resolves
+    // and caches it — if the env is misconfigured, the error surfaces on
+    // first auth attempt rather than at cold start.
+    let resolvedConfig = options.config ?? null;
+    const getConfig = () => {
+        if (!resolvedConfig)
+            resolvedConfig = loadAuthServerConfig();
+        return resolvedConfig;
+    };
+    return {
+        name: 'cookieAuth',
+        fn: async (ctx, next) => {
+            const token = extractToken(ctx.rawEvent, cookieName);
+            if (token) {
+                const cfg = getConfig();
+                const claims = await verifyAndDecode(token, {
+                    userPoolId: cfg.userPoolId,
+                    clientId: cfg.appClientId,
+                    tokenUse,
+                });
+                if (claims) {
+                    ctx.user = claimsToUserContext(claims);
+                }
+            }
+            return next();
+        },
+    };
+}
+/**
+ * Pull the session token out of the request. Bearer header wins over
+ * cookie so a mixed client (browser + CLI) stays predictable.
+ *
+ * Exported for tests only — route handlers should use
+ * {@link cookieAuthMiddleware} instead.
+ */
+export function extractToken(event, cookieName = ID_TOKEN_COOKIE) {
+    const headers = event.headers ?? {};
+    const authHeader = (headers['authorization'] ?? headers['Authorization']);
+    if (authHeader) {
+        const match = authHeader.match(/^Bearer\s+(.+)$/i);
+        if (match && match[1])
+            return match[1].trim();
+    }
+    const cookieHeader = (headers['cookie'] ?? headers['Cookie']);
+    return readCookieFromHeader(cookieHeader, cookieName);
+}
+function claimsToUserContext(claims) {
+    const sub = claims['sub'];
+    const email = claims['email'];
+    // `scope` appears on access tokens (space-separated). ID tokens don't
+    // carry scopes; if the app uses ID tokens, scope-based route gating
+    // should be backed by `custom:*` role/scope attributes on the user
+    // pool and mapped in a downstream mapper.
+    const scopeClaim = claims['scope'];
+    const scopes = typeof scopeClaim === 'string'
+        ? scopeClaim.split(' ').filter(Boolean)
+        : [];
+    return {
+        id: typeof sub === 'string' ? sub : '',
+        email: typeof email === 'string' ? email : undefined,
+        scopes,
+        claims,
+    };
+}
+//# sourceMappingURL=middleware.js.map

package/dist/server/middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../../src/server/middleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAQH,OAAO,EAAE,eAAe,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAC;AACrE,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAE9C,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAwBnD;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,UAAU,oBAAoB,CAClC,UAAuC,EAAE;IAEzC,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,eAAe,CAAC;IACzD,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,IAAI,CAAC;IAC1C,oEAAoE;IACpE,mEAAmE;IACnE,oEAAoE;IACpE,qEAAqE;IACrE,gDAAgD;IAChD,IAAI,cAAc,GAA4B,OAAO,CAAC,MAAM,IAAI,IAAI,CAAC;IACrE,MAAM,SAAS,GAAG,GAAqB,EAAE;QACvC,IAAI,CAAC,cAAc;YAAE,cAAc,GAAG,oBAAoB,EAAE,CAAC;QAC7D,OAAO,cAAc,CAAC;IACxB,CAAC,CAAC;IAEF,OAAO;QACL,IAAI,EAAE,YAAY;QAClB,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;YACtB,MAAM,KAAK,GAAG,YAAY,CAAC,GAAG,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;YACrD,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,GAAG,GAAG,SAAS,EAAE,CAAC;gBACxB,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,KAAK,EAAE;oBAC1C,UAAU,EAAE,GAAG,CAAC,UAAU;oBAC1B,QAAQ,EAAE,GAAG,CAAC,WAAW;oBACzB,QAAQ;iBACT,CAAC,CAAC;gBACH,IAAI,MAAM,EAAE,CAAC;oBACX,GAAG,CAAC,IAAI,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;gBACzC,CAAC;YACH,CAAC;YACD,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;KACF,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,YAAY,CAC1B,KAA6B,EAC7B,aAAqB,eAAe;IAEpC,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,IAAI,EAAE,CAAC;IACpC,MAAM,UAAU,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,IAAI,OAAO,CAAC,eAAe,CAAC,CAE3D,CAAC;IACd,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;QACnD,IAAI,KAAK,IAAI,KAAK,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAChD,CAAC;IACD,MAAM,YAAY,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,CAE/C,CAAC;IACd,OAAO,oBAAoB,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC;AACxD,CAAC;AAED,SAAS,mBAAmB,CAC1B,MAA+B;IAE/B,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;IAC1B,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC;IAC9B,sEAAsE;IACtE,oEAAoE;IACpE,mEAAmE;IACnE,0CAA0C;IAC1C,MAAM,UAAU,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC;IACnC,MAAM,MAAM,GACV,OAAO,UAAU,KAAK,QAAQ;QAC5B,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;QACvC,CAAC,CAAC,EAAE,CAAC;IACT,OAAO;QACL,EAAE,EAAE,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;QACtC,KAAK,EAAE,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;QACpD,MAAM;QACN,MAAM;KACP,CAAC;AACJ,CAAC"}

package/dist/server/refresh.d.ts

@@ -0,0 +1,31 @@
+/**
+ * Server-side refresh-token flow against a Cognito User Pool.
+ *
+ * Uses the `REFRESH_TOKEN_AUTH` flow to swap a refresh token for a fresh
+ * id+access token pair. Cognito does NOT rotate the refresh token by
+ * default; the same one stays valid until its User-Pool-configured TTL
+ * or until {@link revokeRefreshToken} is called — so the returned
+ * `refreshToken` is always the empty string.
+ */
+import type { AuthServerConfig } from './config.js';
+export interface RefreshResult {
+    idToken: string;
+    accessToken: string;
+    /**
+     * Always `''` — Cognito's `REFRESH_TOKEN_AUTH` flow does not rotate
+     * the refresh token. Callers should NOT overwrite their stored refresh
+     * cookie with this value.
+     */
+    refreshToken: string;
+    /** Seconds until the id/access tokens expire. */
+    expiresIn: number;
+}
+/**
+ * Exchange a refresh token for fresh id + access tokens.
+ *
+ * Throws {@link AuthError} when the refresh token is expired / revoked
+ * / malformed; route handlers should clear session cookies on terminal
+ * failures so the user is redirected straight to sign-in.
+ */
+export declare function refreshSession(refreshToken: string, config?: AuthServerConfig): Promise<RefreshResult>;
+//# sourceMappingURL=refresh.d.ts.map

package/dist/server/refresh.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"refresh.d.ts","sourceRoot":"","sources":["../../src/server/refresh.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAKpD,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB;;;;OAIG;IACH,YAAY,EAAE,MAAM,CAAC;IACrB,iDAAiD;IACjD,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;GAMG;AACH,wBAAsB,cAAc,CAClC,YAAY,EAAE,MAAM,EACpB,MAAM,GAAE,gBAAyC,GAChD,OAAO,CAAC,aAAa,CAAC,CA4BxB"}

package/dist/server/refresh.js

@@ -0,0 +1,45 @@
+/**
+ * Server-side refresh-token flow against a Cognito User Pool.
+ *
+ * Uses the `REFRESH_TOKEN_AUTH` flow to swap a refresh token for a fresh
+ * id+access token pair. Cognito does NOT rotate the refresh token by
+ * default; the same one stays valid until its User-Pool-configured TTL
+ * or until {@link revokeRefreshToken} is called — so the returned
+ * `refreshToken` is always the empty string.
+ */
+import { InitiateAuthCommand } from '@aws-sdk/client-cognito-identity-provider';
+import { loadAuthServerConfig } from './config.js';
+import { getCognitoClient } from './cognito-client.js';
+import { AuthError, mapProviderError } from './errors.js';
+/**
+ * Exchange a refresh token for fresh id + access tokens.
+ *
+ * Throws {@link AuthError} when the refresh token is expired / revoked
+ * / malformed; route handlers should clear session cookies on terminal
+ * failures so the user is redirected straight to sign-in.
+ */
+export async function refreshSession(refreshToken, config = loadAuthServerConfig()) {
+    const client = getCognitoClient(config.region);
+    let res;
+    try {
+        res = await client.send(new InitiateAuthCommand({
+            ClientId: config.appClientId,
+            AuthFlow: 'REFRESH_TOKEN_AUTH',
+            AuthParameters: { REFRESH_TOKEN: refreshToken },
+        }));
+    }
+    catch (err) {
+        throw mapProviderError(err, 'refresh_failed');
+    }
+    const result = res.AuthenticationResult;
+    if (!result?.IdToken || !result.AccessToken || !result.ExpiresIn) {
+        throw new AuthError('incomplete_auth_result', 'Identity provider returned an incomplete refresh result', 500);
+    }
+    return {
+        idToken: result.IdToken,
+        accessToken: result.AccessToken,
+        refreshToken: '',
+        expiresIn: result.ExpiresIn,
+    };
+}
+//# sourceMappingURL=refresh.js.map

package/dist/server/refresh.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"refresh.js","sourceRoot":"","sources":["../../src/server/refresh.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,mBAAmB,EAAE,MAAM,2CAA2C,CAAC;AAEhF,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAe1D;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,YAAoB,EACpB,SAA2B,oBAAoB,EAAE;IAEjD,MAAM,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC/C,IAAI,GAAG,CAAC;IACR,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,MAAM,CAAC,IAAI,CACrB,IAAI,mBAAmB,CAAC;YACtB,QAAQ,EAAE,MAAM,CAAC,WAAW;YAC5B,QAAQ,EAAE,oBAAoB;YAC9B,cAAc,EAAE,EAAE,aAAa,EAAE,YAAY,EAAE;SAChD,CAAC,CACH,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,gBAAgB,CAAC,GAAG,EAAE,gBAAgB,CAAC,CAAC;IAChD,CAAC;IACD,MAAM,MAAM,GAAG,GAAG,CAAC,oBAAoB,CAAC;IACxC,IAAI,CAAC,MAAM,EAAE,OAAO,IAAI,CAAC,MAAM,CAAC,WAAW,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;QACjE,MAAM,IAAI,SAAS,CACjB,wBAAwB,EACxB,yDAAyD,EACzD,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,OAAO;QACL,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,YAAY,EAAE,EAAE;QAChB,SAAS,EAAE,MAAM,CAAC,SAAS;KAC5B,CAAC;AACJ,CAAC"}

package/dist/server/revoke.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Best-effort refresh-token revocation against a Cognito User Pool.
+ *
+ * Sign-out routes call this to invalidate a refresh token server-side
+ * even though the cookies are about to be cleared on the response. We
+ * swallow + log all errors because logout shouldn't fail the user just
+ * because the server-side revoke had a hiccup — the cookies clear
+ * regardless.
+ */
+import type { AuthServerConfig } from './config.js';
+/**
+ * Revoke a refresh token at the identity provider.
+ *
+ * **Best-effort.** Failures are logged via `console.warn` and swallowed —
+ * the function never throws.
+ */
+export declare function revokeRefreshToken(refreshToken: string, config?: AuthServerConfig): Promise<void>;
+//# sourceMappingURL=revoke.d.ts.map

package/dist/server/revoke.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"revoke.d.ts","sourceRoot":"","sources":["../../src/server/revoke.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAIpD;;;;;GAKG;AACH,wBAAsB,kBAAkB,CACtC,YAAY,EAAE,MAAM,EACpB,MAAM,GAAE,gBAAyC,GAChD,OAAO,CAAC,IAAI,CAAC,CAaf"}

package/dist/server/revoke.js

@@ -0,0 +1,32 @@
+/**
+ * Best-effort refresh-token revocation against a Cognito User Pool.
+ *
+ * Sign-out routes call this to invalidate a refresh token server-side
+ * even though the cookies are about to be cleared on the response. We
+ * swallow + log all errors because logout shouldn't fail the user just
+ * because the server-side revoke had a hiccup — the cookies clear
+ * regardless.
+ */
+import { RevokeTokenCommand } from '@aws-sdk/client-cognito-identity-provider';
+import { loadAuthServerConfig } from './config.js';
+import { getCognitoClient } from './cognito-client.js';
+/**
+ * Revoke a refresh token at the identity provider.
+ *
+ * **Best-effort.** Failures are logged via `console.warn` and swallowed —
+ * the function never throws.
+ */
+export async function revokeRefreshToken(refreshToken, config = loadAuthServerConfig()) {
+    const client = getCognitoClient(config.region);
+    try {
+        await client.send(new RevokeTokenCommand({
+            ClientId: config.appClientId,
+            Token: refreshToken,
+        }));
+    }
+    catch (err) {
+        // eslint-disable-next-line no-console
+        console.warn('[@venturekit/auth/server] refresh-token revoke failed (ignored):', err);
+    }
+}
+//# sourceMappingURL=revoke.js.map

package/dist/server/revoke.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"revoke.js","sourceRoot":"","sources":["../../src/server/revoke.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,kBAAkB,EAAE,MAAM,2CAA2C,CAAC;AAE/E,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AAEvD;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,YAAoB,EACpB,SAA2B,oBAAoB,EAAE;IAEjD,MAAM,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC/C,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,IAAI,CACf,IAAI,kBAAkB,CAAC;YACrB,QAAQ,EAAE,MAAM,CAAC,WAAW;YAC5B,KAAK,EAAE,YAAY;SACpB,CAAC,CACH,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,sCAAsC;QACtC,OAAO,CAAC,IAAI,CAAC,kEAAkE,EAAE,GAAG,CAAC,CAAC;IACxF,CAAC;AACH,CAAC"}

package/dist/server/sign-in.d.ts

@@ -0,0 +1,40 @@
+/**
+ * Server-side password sign-in against a Cognito User Pool.
+ *
+ * Uses the `USER_PASSWORD_AUTH` flow — a public Cognito flow that
+ * accepts username + password directly over TLS to Cognito's regular
+ * endpoint. The User Pool's app client must have
+ * `ALLOW_USER_PASSWORD_AUTH` enabled (VentureKit's CDK stack enables it
+ * by default).
+ *
+ * Picked over `ADMIN_USER_PASSWORD_AUTH` because the latter would
+ * require both `adminUserPassword: true` on the app client AND
+ * `cognito-idp:AdminInitiateAuth` on the Lambda role — neither of which
+ * is enabled out of the box.
+ *
+ * Errors are wrapped in {@link AuthError} via {@link mapProviderError}
+ * so route handlers can map them to typed responses without inspecting
+ * Cognito-specific error names.
+ */
+import type { AuthServerConfig } from './config.js';
+export interface SignInResult {
+    idToken: string;
+    accessToken: string;
+    refreshToken: string;
+    /** Seconds until the id/access tokens expire. */
+    expiresIn: number;
+}
+export interface SignInCredentials {
+    email: string;
+    password: string;
+}
+/**
+ * Authenticate a user with email + password and return freshly-minted
+ * id, access, and refresh tokens.
+ *
+ * @param credentials  Email + password (email is lower-cased before send).
+ * @param config       Optional explicit config; defaults to env vars via
+ *                     {@link loadAuthServerConfig}.
+ */
+export declare function signInWithPassword(credentials: SignInCredentials, config?: AuthServerConfig): Promise<SignInResult>;
+//# sourceMappingURL=sign-in.d.ts.map

package/dist/server/sign-in.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sign-in.d.ts","sourceRoot":"","sources":["../../src/server/sign-in.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAMH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAKpD,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,iDAAiD;IACjD,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;;;;;GAOG;AACH,wBAAsB,kBAAkB,CACtC,WAAW,EAAE,iBAAiB,EAC9B,MAAM,GAAE,gBAAyC,GAChD,OAAO,CAAC,YAAY,CAAC,CAkBvB"}

package/dist/server/sign-in.js

@@ -0,0 +1,63 @@
+/**
+ * Server-side password sign-in against a Cognito User Pool.
+ *
+ * Uses the `USER_PASSWORD_AUTH` flow — a public Cognito flow that
+ * accepts username + password directly over TLS to Cognito's regular
+ * endpoint. The User Pool's app client must have
+ * `ALLOW_USER_PASSWORD_AUTH` enabled (VentureKit's CDK stack enables it
+ * by default).
+ *
+ * Picked over `ADMIN_USER_PASSWORD_AUTH` because the latter would
+ * require both `adminUserPassword: true` on the app client AND
+ * `cognito-idp:AdminInitiateAuth` on the Lambda role — neither of which
+ * is enabled out of the box.
+ *
+ * Errors are wrapped in {@link AuthError} via {@link mapProviderError}
+ * so route handlers can map them to typed responses without inspecting
+ * Cognito-specific error names.
+ */
+import { InitiateAuthCommand, } from '@aws-sdk/client-cognito-identity-provider';
+import { loadAuthServerConfig } from './config.js';
+import { getCognitoClient } from './cognito-client.js';
+import { AuthError, mapProviderError } from './errors.js';
+/**
+ * Authenticate a user with email + password and return freshly-minted
+ * id, access, and refresh tokens.
+ *
+ * @param credentials  Email + password (email is lower-cased before send).
+ * @param config       Optional explicit config; defaults to env vars via
+ *                     {@link loadAuthServerConfig}.
+ */
+export async function signInWithPassword(credentials, config = loadAuthServerConfig()) {
+    const client = getCognitoClient(config.region);
+    let res;
+    try {
+        res = await client.send(new InitiateAuthCommand({
+            ClientId: config.appClientId,
+            AuthFlow: 'USER_PASSWORD_AUTH',
+            AuthParameters: {
+                USERNAME: credentials.email.toLowerCase(),
+                PASSWORD: credentials.password,
+            },
+        }));
+    }
+    catch (err) {
+        throw mapProviderError(err, 'auth_failed');
+    }
+    return extractSignInTokens(res.AuthenticationResult);
+}
+function extractSignInTokens(result) {
+    if (!result?.IdToken ||
+        !result.AccessToken ||
+        !result.RefreshToken ||
+        !result.ExpiresIn) {
+        throw new AuthError('incomplete_auth_result', 'Identity provider returned an incomplete authentication result', 500);
+    }
+    return {
+        idToken: result.IdToken,
+        accessToken: result.AccessToken,
+        refreshToken: result.RefreshToken,
+        expiresIn: result.ExpiresIn,
+    };
+}
+//# sourceMappingURL=sign-in.js.map

package/dist/server/sign-in.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sign-in.js","sourceRoot":"","sources":["../../src/server/sign-in.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EACL,mBAAmB,GAEpB,MAAM,2CAA2C,CAAC;AAEnD,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAe1D;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,WAA8B,EAC9B,SAA2B,oBAAoB,EAAE;IAEjD,MAAM,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC/C,IAAI,GAAG,CAAC;IACR,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,MAAM,CAAC,IAAI,CACrB,IAAI,mBAAmB,CAAC;YACtB,QAAQ,EAAE,MAAM,CAAC,WAAW;YAC5B,QAAQ,EAAE,oBAAoB;YAC9B,cAAc,EAAE;gBACd,QAAQ,EAAE,WAAW,CAAC,KAAK,CAAC,WAAW,EAAE;gBACzC,QAAQ,EAAE,WAAW,CAAC,QAAQ;aAC/B;SACF,CAAC,CACH,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,gBAAgB,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC;IAC7C,CAAC;IACD,OAAO,mBAAmB,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;AACvD,CAAC;AAED,SAAS,mBAAmB,CAC1B,MAA4C;IAE5C,IACE,CAAC,MAAM,EAAE,OAAO;QAChB,CAAC,MAAM,CAAC,WAAW;QACnB,CAAC,MAAM,CAAC,YAAY;QACpB,CAAC,MAAM,CAAC,SAAS,EACjB,CAAC;QACD,MAAM,IAAI,SAAS,CACjB,wBAAwB,EACxB,gEAAgE,EAChE,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,OAAO;QACL,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,YAAY,EAAE,MAAM,CAAC,YAAY;QACjC,SAAS,EAAE,MAAM,CAAC,SAAS;KAC5B,CAAC;AACJ,CAAC"}

package/dist/server/verify.d.ts

@@ -0,0 +1,31 @@
+/**
+ * JWT verification against a Cognito User Pool's JWKS.
+ *
+ * Wraps `aws-jwt-verify`'s `CognitoJwtVerifier` so consumers don't take
+ * a direct dependency on it. The verifier is cached per
+ * `(userPoolId, tokenUse, clientId)` tuple so the JWKS is fetched once
+ * per cold start.
+ *
+ * Use this when API Gateway is NOT fronting your Lambda with a Cognito
+ * Authorizer — for example, cookie-based sessions where the Lambda
+ * itself reads the cookie and verifies the token.
+ */
+export interface VerifyOptions {
+    userPoolId: string;
+    /** App client id(s) the token must have been issued to. */
+    clientId?: string | string[];
+    /** Defaults to `'access'`. Use `'id'` for id tokens. */
+    tokenUse?: 'access' | 'id';
+}
+/**
+ * Verify a Cognito-signed JWT and return its claims, or `null` when the
+ * token is invalid / expired / issued to a different client.
+ *
+ * Verification covers signature (against the User Pool's JWKS),
+ * `exp`/`iat`, `iss`, `token_use`, and `aud`/`client_id` (when
+ * `clientId` is provided).
+ */
+export declare function verifyAndDecode(token: string, options: VerifyOptions): Promise<Record<string, unknown> | null>;
+/** Test-only — drop the cached verifiers between vitest runs. */
+export declare function _resetVerifierCacheForTesting(): void;
+//# sourceMappingURL=verify.d.ts.map

package/dist/server/verify.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../../src/server/verify.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAIH,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,2DAA2D;IAC3D,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC7B,wDAAwD;IACxD,QAAQ,CAAC,EAAE,QAAQ,GAAG,IAAI,CAAC;CAC5B;AAcD;;;;;;;GAOG;AACH,wBAAsB,eAAe,CACnC,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,aAAa,GACrB,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC,CAiBzC;AAED,iEAAiE;AACjE,wBAAgB,6BAA6B,IAAI,IAAI,CAEpD"}

package/dist/server/verify.js

@@ -0,0 +1,53 @@
+/**
+ * JWT verification against a Cognito User Pool's JWKS.
+ *
+ * Wraps `aws-jwt-verify`'s `CognitoJwtVerifier` so consumers don't take
+ * a direct dependency on it. The verifier is cached per
+ * `(userPoolId, tokenUse, clientId)` tuple so the JWKS is fetched once
+ * per cold start.
+ *
+ * Use this when API Gateway is NOT fronting your Lambda with a Cognito
+ * Authorizer — for example, cookie-based sessions where the Lambda
+ * itself reads the cookie and verifies the token.
+ */
+import { CognitoJwtVerifier } from 'aws-jwt-verify';
+const verifierCache = new Map();
+function cacheKey(opts) {
+    const tokenUse = opts.tokenUse ?? 'access';
+    const clientId = Array.isArray(opts.clientId)
+        ? opts.clientId.join(',')
+        : (opts.clientId ?? 'null');
+    return `${opts.userPoolId}|${tokenUse}|${clientId}`;
+}
+/**
+ * Verify a Cognito-signed JWT and return its claims, or `null` when the
+ * token is invalid / expired / issued to a different client.
+ *
+ * Verification covers signature (against the User Pool's JWKS),
+ * `exp`/`iat`, `iss`, `token_use`, and `aud`/`client_id` (when
+ * `clientId` is provided).
+ */
+export async function verifyAndDecode(token, options) {
+    const key = cacheKey(options);
+    let verifier = verifierCache.get(key);
+    if (!verifier) {
+        verifier = CognitoJwtVerifier.create({
+            userPoolId: options.userPoolId,
+            tokenUse: options.tokenUse ?? 'access',
+            clientId: options.clientId ?? null,
+        });
+        verifierCache.set(key, verifier);
+    }
+    try {
+        const payload = await verifier.verify(token);
+        return payload;
+    }
+    catch {
+        return null;
+    }
+}
+/** Test-only — drop the cached verifiers between vitest runs. */
+export function _resetVerifierCacheForTesting() {
+    verifierCache.clear();
+}
+//# sourceMappingURL=verify.js.map

package/dist/server/verify.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.js","sourceRoot":"","sources":["../../src/server/verify.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AAYpD,MAAM,aAAa,GAAG,IAAI,GAAG,EAAoB,CAAC;AAElD,SAAS,QAAQ,CAAC,IAAmB;IACnC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC;IAC3C,MAAM,QAAQ,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC;QAC3C,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC;QACzB,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,IAAI,MAAM,CAAC,CAAC;IAC9B,OAAO,GAAG,IAAI,CAAC,UAAU,IAAI,QAAQ,IAAI,QAAQ,EAAE,CAAC;AACtD,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,KAAa,EACb,OAAsB;IAEtB,MAAM,GAAG,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC;IAC9B,IAAI,QAAQ,GAAG,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACtC,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,QAAQ,GAAG,kBAAkB,CAAC,MAAM,CAAC;YACnC,UAAU,EAAE,OAAO,CAAC,UAAU;YAC9B,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,QAAQ;YACtC,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,IAAI;SACnC,CAAC,CAAC;QACH,aAAa,CAAC,GAAG,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;IACnC,CAAC;IACD,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC7C,OAAO,OAAkC,CAAC;IAC5C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,iEAAiE;AACjE,MAAM,UAAU,6BAA6B;IAC3C,aAAa,CAAC,KAAK,EAAE,CAAC;AACxB,CAAC"}

package/dist/session/index.d.ts

@@ -27,28 +27,8 @@ export declare function decodeTokenUnsafe(token: string): Record<string, unknown
  * @deprecated Use `decodeTokenUnsafe` or `verifyAndDecode`.
  */
 export declare const decodeToken: typeof decodeTokenUnsafe;
-/**
- * Verify a Cognito/JWKS-signed JWT and return its claims, or `null` if the
- * token is invalid/expired/untrusted. Uses `aws-jwt-verify` under the hood,
- * which is lazily imported so the dependency is optional.
- *
- * @example
- * ```ts
- * const claims = await verifyAndDecode(token, {
- *   userPoolId: process.env.COGNITO_USER_POOL_ID!,
- *   clientId: process.env.COGNITO_CLIENT_ID!,
- *   tokenUse: 'access',
- * });
- * if (!claims) throw new UnauthorizedError();
- * ```
- *
- * Requires `aws-jwt-verify` to be installed at the consumer site.
- */
-export declare function verifyAndDecode(token: string, options: {
-    userPoolId: string;
-    clientId?: string | string[];
-    tokenUse?: 'access' | 'id';
-}): Promise<Record<string, unknown> | null>;
+export { verifyAndDecode } from '../server/verify.js';
+export type { VerifyOptions } from '../server/verify.js';
 /**
  * Extract user from ID token claims.
  *

package/dist/session/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/session/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,IAAI,EAAkB,MAAM,mBAAmB,CAAC;AAE9D;;;;;;;;;;;;;GAaG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAW/E;AAED;;;;;;GAMG;AACH,eAAO,MAAM,WAAW,0BAAoB,CAAC;AAE7C;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,eAAe,CACnC,KAAK,EAAE,MAAM,EACb,OAAO,EAAE;IACP,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC7B,QAAQ,CAAC,EAAE,QAAQ,GAAG,IAAI,CAAC;CAC5B,GACA,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC,CA0BzC;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,GAAG,IAAI,CAwBjE;AAuDD;;GAEG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAMrD;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,IAAI,CAKzD"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/session/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,IAAI,EAAkB,MAAM,mBAAmB,CAAC;AAE9D;;;;;;;;;;;;;GAaG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAW/E;AAED;;;;;;GAMG;AACH,eAAO,MAAM,WAAW,0BAAoB,CAAC;AAK7C,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACtD,YAAY,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAEzD;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,GAAG,IAAI,CAwBjE;AAuDD;;GAEG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAMrD;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,IAAI,CAKzD"}

package/dist/session/index.js

@@ -38,47 +38,10 @@ export function decodeTokenUnsafe(token) {
  * @deprecated Use `decodeTokenUnsafe` or `verifyAndDecode`.
  */
 export const decodeToken = decodeTokenUnsafe;
-/**
- * Verify a Cognito/JWKS-signed JWT and return its claims, or `null` if the
- * token is invalid/expired/untrusted. Uses `aws-jwt-verify` under the hood,
- * which is lazily imported so the dependency is optional.
- *
- * @example
- * ```ts
- * const claims = await verifyAndDecode(token, {
- *   userPoolId: process.env.COGNITO_USER_POOL_ID!,
- *   clientId: process.env.COGNITO_CLIENT_ID!,
- *   tokenUse: 'access',
- * });
- * if (!claims) throw new UnauthorizedError();
- * ```
- *
- * Requires `aws-jwt-verify` to be installed at the consumer site.
- */
-export async function verifyAndDecode(token, options) {
-    let CognitoJwtVerifier;
-    try {
-        // Lazy, peer-optional import — consumers only pay the cost if they use it.
-        ({ CognitoJwtVerifier } = await import(
-        /* @vite-ignore */ 'aws-jwt-verify'));
-    }
-    catch {
-        throw new Error("verifyAndDecode requires 'aws-jwt-verify'. " +
-            "Install it with: pnpm add aws-jwt-verify");
-    }
-    const verifier = CognitoJwtVerifier.create({
-        userPoolId: options.userPoolId,
-        tokenUse: options.tokenUse ?? 'access',
-        clientId: options.clientId ?? null,
-    });
-    try {
-        const payload = await verifier.verify(token);
-        return payload;
-    }
-    catch {
-        return null;
-    }
-}
+// `verifyAndDecode` now lives in `../server/verify.ts` and is re-exported
+// from the package root for backward compatibility. Server-side consumers
+// should import from `@venturekit/auth/server` instead.
+export { verifyAndDecode } from '../server/verify.js';
 /**
  * Extract user from ID token claims.
  *

package/dist/session/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/session/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,iBAAiB,CAAC,KAAa;IAC7C,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QAEpC,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACzB,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QACpE,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAC7B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,WAAW,GAAG,iBAAiB,CAAC;AAE7C;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,KAAa,EACb,OAIC;IAED,IAAI,kBAAuB,CAAC;IAC5B,IAAI,CAAC;QACH,2EAA2E;QAC3E,CAAC,EAAE,kBAAkB,EAAE,GAAG,MAAM,MAAM;QACpC,kBAAkB,CAAC,gBAA0B,CAC9C,CAAC,CAAC;IACL,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CACb,6CAA6C;YAC3C,0CAA0C,CAC7C,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GAAG,kBAAkB,CAAC,MAAM,CAAC;QACzC,UAAU,EAAE,OAAO,CAAC,UAAU;QAC9B,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,QAAQ;QACtC,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,IAAI;KACnC,CAAC,CAAC;IAEH,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC7C,OAAO,OAAkC,CAAC;IAC5C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,oBAAoB,CAAC,OAAe;IAClD,MAAM,MAAM,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;IAC1C,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAEzB,sCAAsC;IACtC,MAAM,EAAE,cAAc,EAAE,UAAU,EAAE,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;IAEnE,OAAO;QACL,EAAE,EAAE,MAAM,CAAC,GAAa;QACxB,cAAc;QACd,UAAU;QACV,KAAK,EAAE,MAAM,CAAC,KAA2B;QACzC,aAAa,EAAE,MAAM,CAAC,cAAqC;QAC3D,KAAK,EAAE,MAAM,CAAC,YAAkC;QAChD,aAAa,EAAE,MAAM,CAAC,qBAA4C;QAClE,QAAQ,EAAE,MAAM,CAAC,kBAAwC,IAAI,MAAM,CAAC,kBAAkB,CAAuB;QAC7G,IAAI,EAAE,MAAM,CAAC,IAA0B;QACvC,MAAM,EAAE,MAAM,CAAC,MAA4B;QAC3C,QAAQ,EAAE,MAAM,CAAC,kBAAkB,CAAuB;QAC1D,KAAK,EAAE,UAAU,CAAC,MAAM,CAAC;QACzB,UAAU,EAAE,uBAAuB,CAAC,MAAM,CAAC;QAC3C,SAAS,EAAE,IAAI,IAAI,EAAE;QACrB,SAAS,EAAE,IAAI,IAAI,EAAE;KACtB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAAC,MAA+B;IAC1D,wBAAwB;IACxB,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,CAAC,KAAe,EAAE,CAAC;IACzE,CAAC;IAED,kBAAkB;IAClB,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;QACxB,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,CAAC,YAAsB,EAAE,CAAC;IAChF,CAAC;IAED,qBAAqB;IACrB,IAAI,MAAM,CAAC,kBAAkB,IAAI,MAAM,CAAC,kBAAkB,CAAC,EAAE,CAAC;QAC5D,OAAO;YACL,cAAc,EAAE,UAAU;YAC1B,UAAU,EAAE,CAAC,MAAM,CAAC,kBAAkB,IAAI,MAAM,CAAC,kBAAkB,CAAC,CAAW;SAChF,CAAC;IACJ,CAAC;IAED,6CAA6C;IAC7C,OAAO,EAAE,cAAc,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,CAAC,GAAa,EAAE,CAAC;AAC3E,CAAC;AAED;;GAEG;AACH,SAAS,UAAU,CAAC,MAA+B;IACjD,MAAM,KAAK,GAAG,MAAM,CAAC,cAAc,CAAC,IAAI,MAAM,CAAC,gBAAgB,CAAC,CAAC;IACjE,IAAI,CAAC,KAAK;QAAE,OAAO,EAAE,CAAC;IACtB,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,KAAiB,CAAC;IACnD,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;IAC1E,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;GAEG;AACH,SAAS,uBAAuB,CAAC,MAA+B;IAC9D,MAAM,UAAU,GAA2B,EAAE,CAAC;IAE9C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAClD,IAAI,GAAG,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,GAAG,KAAK,kBAAkB,IAAI,GAAG,KAAK,cAAc,EAAE,CAAC;YACtF,MAAM,QAAQ,GAAG,GAAG,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;YAC5C,UAAU,CAAC,QAAQ,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;QACvC,CAAC;IACH,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,KAAa;IAC1C,MAAM,MAAM,GAAG,iBAAiB,CAAC,KAAK,CAAC,CAAC;IACxC,IAAI,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IAExC,MAAM,MAAM,GAAI,MAAM,CAAC,GAAc,GAAG,IAAI,CAAC;IAC7C,OAAO,IAAI,CAAC,GAAG,EAAE,IAAI,MAAM,CAAC;AAC9B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,KAAa;IAC1C,MAAM,MAAM,GAAG,iBAAiB,CAAC,KAAK,CAAC,CAAC;IACxC,IAAI,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IAExC,OAAO,IAAI,IAAI,CAAE,MAAM,CAAC,GAAc,GAAG,IAAI,CAAC,CAAC;AACjD,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/session/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,iBAAiB,CAAC,KAAa;IAC7C,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QAEpC,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACzB,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QACpE,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAC7B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,WAAW,GAAG,iBAAiB,CAAC;AAE7C,0EAA0E;AAC1E,0EAA0E;AAC1E,wDAAwD;AACxD,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAGtD;;;;;GAKG;AACH,MAAM,UAAU,oBAAoB,CAAC,OAAe;IAClD,MAAM,MAAM,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;IAC1C,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAEzB,sCAAsC;IACtC,MAAM,EAAE,cAAc,EAAE,UAAU,EAAE,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;IAEnE,OAAO;QACL,EAAE,EAAE,MAAM,CAAC,GAAa;QACxB,cAAc;QACd,UAAU;QACV,KAAK,EAAE,MAAM,CAAC,KAA2B;QACzC,aAAa,EAAE,MAAM,CAAC,cAAqC;QAC3D,KAAK,EAAE,MAAM,CAAC,YAAkC;QAChD,aAAa,EAAE,MAAM,CAAC,qBAA4C;QAClE,QAAQ,EAAE,MAAM,CAAC,kBAAwC,IAAI,MAAM,CAAC,kBAAkB,CAAuB;QAC7G,IAAI,EAAE,MAAM,CAAC,IAA0B;QACvC,MAAM,EAAE,MAAM,CAAC,MAA4B;QAC3C,QAAQ,EAAE,MAAM,CAAC,kBAAkB,CAAuB;QAC1D,KAAK,EAAE,UAAU,CAAC,MAAM,CAAC;QACzB,UAAU,EAAE,uBAAuB,CAAC,MAAM,CAAC;QAC3C,SAAS,EAAE,IAAI,IAAI,EAAE;QACrB,SAAS,EAAE,IAAI,IAAI,EAAE;KACtB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAAC,MAA+B;IAC1D,wBAAwB;IACxB,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,CAAC,KAAe,EAAE,CAAC;IACzE,CAAC;IAED,kBAAkB;IAClB,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;QACxB,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,CAAC,YAAsB,EAAE,CAAC;IAChF,CAAC;IAED,qBAAqB;IACrB,IAAI,MAAM,CAAC,kBAAkB,IAAI,MAAM,CAAC,kBAAkB,CAAC,EAAE,CAAC;QAC5D,OAAO;YACL,cAAc,EAAE,UAAU;YAC1B,UAAU,EAAE,CAAC,MAAM,CAAC,kBAAkB,IAAI,MAAM,CAAC,kBAAkB,CAAC,CAAW;SAChF,CAAC;IACJ,CAAC;IAED,6CAA6C;IAC7C,OAAO,EAAE,cAAc,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,CAAC,GAAa,EAAE,CAAC;AAC3E,CAAC;AAED;;GAEG;AACH,SAAS,UAAU,CAAC,MAA+B;IACjD,MAAM,KAAK,GAAG,MAAM,CAAC,cAAc,CAAC,IAAI,MAAM,CAAC,gBAAgB,CAAC,CAAC;IACjE,IAAI,CAAC,KAAK;QAAE,OAAO,EAAE,CAAC;IACtB,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,KAAiB,CAAC;IACnD,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;IAC1E,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;GAEG;AACH,SAAS,uBAAuB,CAAC,MAA+B;IAC9D,MAAM,UAAU,GAA2B,EAAE,CAAC;IAE9C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAClD,IAAI,GAAG,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,GAAG,KAAK,kBAAkB,IAAI,GAAG,KAAK,cAAc,EAAE,CAAC;YACtF,MAAM,QAAQ,GAAG,GAAG,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;YAC5C,UAAU,CAAC,QAAQ,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;QACvC,CAAC;IACH,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,KAAa;IAC1C,MAAM,MAAM,GAAG,iBAAiB,CAAC,KAAK,CAAC,CAAC;IACxC,IAAI,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IAExC,MAAM,MAAM,GAAI,MAAM,CAAC,GAAc,GAAG,IAAI,CAAC;IAC7C,OAAO,IAAI,CAAC,GAAG,EAAE,IAAI,MAAM,CAAC;AAC9B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,KAAa;IAC1C,MAAM,MAAM,GAAG,iBAAiB,CAAC,KAAK,CAAC,CAAC;IACxC,IAAI,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IAExC,OAAO,IAAI,IAAI,CAAE,MAAM,CAAC,GAAc,GAAG,IAAI,CAAC,CAAC;AACjD,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@venturekit/auth",
-  "version": "0.0.0-dev.20260427225816",
+  "version": "0.0.0-dev.20260429113801",
   "description": "Authentication and authorization for VentureKit",
   "type": "module",
   "main": "./dist/index.js",
@@ -22,12 +22,28 @@
     ".": {
       "import": "./dist/index.js",
       "types": "./dist/index.d.ts"
+    },
+    "./server": {
+      "import": "./dist/server/index.js",
+      "types": "./dist/server/index.d.ts"
     }
   },
   "dependencies": {
-    "@venturekit/core": "0.0.0-dev.20260427225816"
+    "@venturekit/core": "0.0.0-dev.20260429113801",
+    "@aws-sdk/client-cognito-identity-provider": "^3.668.0",
+    "aws-jwt-verify": "^4.0.1"
+  },
+  "peerDependencies": {
+    "@venturekit/runtime": "0.0.0-dev.20260429113801"
+  },
+  "peerDependenciesMeta": {
+    "@venturekit/runtime": {
+      "optional": true
+    }
   },
   "devDependencies": {
+    "@venturekit/runtime": "0.0.0-dev.20260429113801",
+    "@types/aws-lambda": "^8.10.131",
     "@types/node": "^25.6.0",
     "typescript": "^5.3.0"
   },