@vocoweb/kernel 1.0.0

package/dist/index.d.mts

@@ -0,0 +1,2670 @@
+import { U as UserDataExport, C as ContrastResult, A as AriaValidationResult, K as KeyboardNavigationResult, a as ComplianceLevel, b as AccessibilityViolation, D as DataRegion, c as AuditRecorderConfig, d as AuditAction, e as AuditQueryFilters } from './react-CSDXc0m4.mjs';
+export { f as AccessibilityAudit, g as AccessibilityProps, h as ApiError, i as ApiResponse, j as AuditExport, k as AuditLogEntry, l as AuditQueryResult, m as AuditRecord, n as AuthSession, B as ButtonProps, o as CookieConsent, p as CookieConsentChoice, q as CookieConsentProps, F as FormProps, I as InputProps, P as PaginatedResponse, r as PaginationParams, s as PrivacyPolicy, t as PrivacyPolicyProps, R as RequestDestination, T as TermsOfService, u as TermsOfServiceProps, v as TriggerConfig, w as UserId, V as VocoAuditLog, x as VocoAuditLogProps, y as VocoAuth, z as VocoButton, E as VocoForm, G as VocoInput } from './react-CSDXc0m4.mjs';
+import { ClassValue } from 'clsx';
+import { z } from 'zod';
+import * as _supabase_auth_js from '@supabase/auth-js';
+import { Session, User, SupabaseClient } from '@supabase/supabase-js';
+import * as Stripe from 'stripe';
+import Stripe__default from 'stripe';
+import 'react/jsx-runtime';
+import 'react';
+
+/**
+ * Custom error classes for @vocoweb/kernel
+ */
+/**
+ * Base VocoWeb error
+ */
+declare class VocoError extends Error {
+    code: string;
+    statusCode: number;
+    details?: Record<string, unknown> | undefined;
+    constructor(message: string, code: string, statusCode?: number, details?: Record<string, unknown> | undefined);
+    toJSON(): {
+        name: string;
+        message: string;
+        code: string;
+        statusCode: number;
+        details: Record<string, unknown> | undefined;
+    };
+}
+/**
+ * Authentication errors
+ */
+declare class VocoAuthError extends VocoError {
+    constructor(message: string, code?: string, details?: Record<string, unknown>);
+    static invalidCredentials(): VocoAuthError;
+    static sessionExpired(): VocoAuthError;
+    static unauthorized(message?: string): VocoAuthError;
+    static forbidden(message?: string): VocoAuthError;
+}
+/**
+ * Payment errors
+ */
+declare class VocoBillingError extends VocoError {
+    constructor(message: string, code?: string, details?: Record<string, unknown>);
+    static invalidVatNumber(vatNumber: string): VocoBillingError;
+    static vatValidationFailed(vatNumber: string, reason: string): VocoBillingError;
+    static paymentRequired(message?: string): VocoBillingError;
+    static checkoutFailed(reason: string): VocoBillingError;
+    static subscriptionNotFound(): VocoBillingError;
+    static invoiceNotFound(invoiceId: string): VocoBillingError;
+}
+/**
+ * Configuration errors
+ */
+declare class VocoConfigError extends VocoError {
+    constructor(message: string, code?: string, details?: Record<string, unknown>);
+    static missingEnvVar(varName: string): VocoConfigError;
+    static invalidConfig(message: string): VocoConfigError;
+}
+/**
+ * Compliance errors
+ */
+declare class VocoComplianceError extends VocoError {
+    constructor(message: string, code?: string, details?: Record<string, unknown>);
+    static deletionFailed(userId: string, reason: string): VocoComplianceError;
+    static deletionInProgress(userId: string): VocoComplianceError;
+    static invalidEntityType(entityType: string): VocoComplianceError;
+    static anonymizationFailed(table: string, reason: string): VocoComplianceError;
+    static externalApiFailed(service: string, reason: string): VocoComplianceError;
+    static dataExportFailed(userId: string, reason: string): VocoComplianceError;
+    static egressBlocked(destination: string, reason: string): VocoComplianceError;
+}
+/**
+ * Accessibility errors
+ */
+declare class VocoAccessibilityError extends VocoError {
+    constructor(message: string, code?: string, details?: Record<string, unknown>);
+    static missingAriaLabel(component: string, prop: string): VocoAccessibilityError;
+    static contrastRatioFailed(fg: string, bg: string, ratio: number): VocoAccessibilityError;
+    static keyboardNavigationMissing(component: string): VocoAccessibilityError;
+}
+/**
+ * Validation errors using Zod
+ */
+declare class VocoValidationError extends VocoError {
+    field: string;
+    constructor(message: string, field: string, details?: Record<string, unknown>);
+    static fromZod(error: {
+        fieldErrors: Record<string, string[]>;
+    }): VocoValidationError;
+}
+/**
+ * Network errors
+ */
+declare class VocoNetworkError extends VocoError {
+    constructor(message: string, details?: Record<string, unknown>);
+    static fetchFailed(url: string, status?: number): VocoNetworkError;
+    static timeout(operation: string, timeoutMs: number): VocoNetworkError;
+}
+/**
+ * Type guard for VocoWeb errors
+ */
+declare function isVocoError(error: unknown): error is VocoError;
+/**
+ * Get a user-friendly error message
+ */
+declare function getErrorMessage(error: unknown): string;
+/**
+ * Format error for API responses
+ */
+declare function formatApiError(error: unknown): {
+    name: string;
+    message: string;
+    code: string;
+    statusCode: number;
+    details: Record<string, unknown> | undefined;
+} | {
+    name: string;
+    message: string;
+    code: string;
+    statusCode: number;
+};
+
+/**
+ * Shared utility functions for @vocoweb/kernel
+ */
+
+/**
+ * Merge Tailwind CSS classes with proper precedence
+ */
+declare function cn(...inputs: ClassValue[]): string;
+/**
+ * Format currency for display
+ */
+declare function formatCurrency(amount: number, currency?: string, locale?: string): string;
+/**
+ * Format date for display
+ */
+declare function formatDate(date: Date | string, locale?: string, options?: Intl.DateTimeFormatOptions): string;
+/**
+ * Format relative time (e.g., "2 hours ago")
+ */
+declare function formatRelativeTime(date: Date | string, locale?: string): string;
+/**
+ * Generate a random ID
+ */
+declare function generateId(prefix?: string): string;
+/**
+ * Deep clone an object
+ */
+declare function deepClone<T>(obj: T): T;
+/**
+ * Safe JSON parse with fallback
+ */
+declare function safeJsonParse<T>(str: string, fallback: T): T;
+/**
+ * Debounce a function
+ */
+declare function debounce<T extends (...args: unknown[]) => unknown>(func: T, wait: number): (...args: Parameters<T>) => void;
+/**
+ * Throttle a function
+ */
+declare function throttle<T extends (...args: unknown[]) => unknown>(func: T, limit: number): (...args: Parameters<T>) => void;
+/**
+ * Sleep for a specified duration
+ */
+declare function sleep(ms: number): Promise<void>;
+/**
+ * Retry a function with exponential backoff
+ */
+declare function retry<T>(fn: () => Promise<T>, options?: {
+    maxAttempts?: number;
+    initialDelay?: number;
+    maxDelay?: number;
+    backoffMultiplier?: number;
+    retryIf?: (error: unknown) => boolean;
+}): Promise<T>;
+/**
+ * Check if running in browser
+ */
+declare const isBrowser: boolean;
+/**
+ * Check if running in server environment
+ */
+declare const isServer: boolean;
+/**
+ * Get environment variable (server-side)
+ */
+declare function getEnv(key: string, fallback?: string): string;
+/**
+ * Validate email format
+ */
+declare function isValidEmail(email: string): boolean;
+/**
+ * Truncate text with ellipsis
+ */
+declare function truncate(str: string, maxLength: number): string;
+/**
+ * Capitalize first letter
+ */
+declare function capitalize(str: string): string;
+/**
+ * Convert camelCase to kebab-case
+ */
+declare function camelToKebab(str: string): string;
+/**
+ * Convert kebab-case to camelCase
+ */
+declare function kebabToCamel(str: string): string;
+/**
+ * Get initials from name
+ */
+declare function getInitials(name: string, maxLength?: number): string;
+/**
+ * Pluralize a word
+ */
+declare function pluralize(count: number, singular: string, plural?: string): string;
+/**
+ * Format a list of items
+ */
+declare function formatList(items: string[], locale?: string): string;
+/**
+ * Clamp a number between min and max
+ */
+declare function clamp(value: number, min: number, max: number): number;
+/**
+ * Round to a specified number of decimal places
+ */
+declare function roundTo(value: number, decimals: number): number;
+/**
+ * Check if a value is defined (not null or undefined)
+ */
+declare function isDefined<T>(value: T | null | undefined): value is T;
+/**
+ * Filter out null and undefined values from an array
+ */
+declare function filterDefined<T>(array: Array<T | null | undefined>): T[];
+/**
+ * Create a promise that resolves after a timeout or rejects if the timeout is exceeded
+ */
+declare function withTimeout<T>(promise: Promise<T>, timeoutMs: number, timeoutError?: Error): Promise<T>;
+/**
+ * Batch array items into chunks of specified size
+ */
+declare function chunk<T>(array: T[], size: number): T[][];
+/**
+ * Group array items by a key function
+ */
+declare function groupBy<T, K extends string | number>(array: T[], keyFn: (item: T) => K): Record<K, T[]>;
+/**
+ * Create a promise that can be resolved externally
+ */
+declare function createDeferred<T>(): {
+    promise: Promise<T>;
+    resolve: (value: T | PromiseLike<T>) => void;
+    reject: (reason?: unknown) => void;
+};
+
+/**
+ * Environment configuration for @vocoweb/kernel
+ * Validates all required environment variables at startup
+ */
+
+/**
+ * Supabase configuration schema
+ */
+declare const SupabaseConfigSchema: z.ZodObject<{
+    url: z.ZodString;
+    anonKey: z.ZodString;
+    serviceRoleKey: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    url: string;
+    anonKey: string;
+    serviceRoleKey: string;
+}, {
+    url: string;
+    anonKey: string;
+    serviceRoleKey: string;
+}>;
+/**
+ * Stripe configuration schema
+ */
+declare const StripeConfigSchema: z.ZodObject<{
+    secretKey: z.ZodString;
+    publishableKey: z.ZodString;
+    webhookSecret: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    secretKey: string;
+    publishableKey: string;
+    webhookSecret?: string | undefined;
+}, {
+    secretKey: string;
+    publishableKey: string;
+    webhookSecret?: string | undefined;
+}>;
+/**
+ * App configuration schema
+ */
+declare const AppConfigSchema: z.ZodObject<{
+    url: z.ZodDefault<z.ZodOptional<z.ZodString>>;
+    name: z.ZodDefault<z.ZodOptional<z.ZodString>>;
+    supportEmail: z.ZodDefault<z.ZodOptional<z.ZodString>>;
+    legalEmail: z.ZodDefault<z.ZodOptional<z.ZodString>>;
+}, "strip", z.ZodTypeAny, {
+    url: string;
+    name: string;
+    supportEmail: string;
+    legalEmail: string;
+}, {
+    url?: string | undefined;
+    name?: string | undefined;
+    supportEmail?: string | undefined;
+    legalEmail?: string | undefined;
+}>;
+/**
+ * Data residency configuration schema
+ */
+declare const ResidencyConfigSchema: z.ZodObject<{
+    enabled: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+    region: z.ZodDefault<z.ZodOptional<z.ZodEnum<["eu", "us", "apac", "global"]>>>;
+    strictMode: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+}, "strip", z.ZodTypeAny, {
+    enabled: boolean;
+    region: "eu" | "us" | "apac" | "global";
+    strictMode: boolean;
+}, {
+    enabled?: boolean | undefined;
+    region?: "eu" | "us" | "apac" | "global" | undefined;
+    strictMode?: boolean | undefined;
+}>;
+/**
+ * Accessibility configuration schema
+ */
+declare const AccessibilityConfigSchema: z.ZodObject<{
+    enforceContrast: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+    enforceAriaLabels: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+    enforceKeyboardNav: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+    contrastRatio: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+}, "strip", z.ZodTypeAny, {
+    enforceContrast: boolean;
+    enforceAriaLabels: boolean;
+    enforceKeyboardNav: boolean;
+    contrastRatio: number;
+}, {
+    enforceContrast?: boolean | undefined;
+    enforceAriaLabels?: boolean | undefined;
+    enforceKeyboardNav?: boolean | undefined;
+    contrastRatio?: number | undefined;
+}>;
+/**
+ * Complete kernel configuration schema
+ */
+declare const KernelConfigSchema: z.ZodObject<{
+    supabase: z.ZodObject<{
+        url: z.ZodString;
+        anonKey: z.ZodString;
+        serviceRoleKey: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        url: string;
+        anonKey: string;
+        serviceRoleKey: string;
+    }, {
+        url: string;
+        anonKey: string;
+        serviceRoleKey: string;
+    }>;
+    stripe: z.ZodObject<{
+        secretKey: z.ZodString;
+        publishableKey: z.ZodString;
+        webhookSecret: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        secretKey: string;
+        publishableKey: string;
+        webhookSecret?: string | undefined;
+    }, {
+        secretKey: string;
+        publishableKey: string;
+        webhookSecret?: string | undefined;
+    }>;
+    app: z.ZodObject<{
+        url: z.ZodDefault<z.ZodOptional<z.ZodString>>;
+        name: z.ZodDefault<z.ZodOptional<z.ZodString>>;
+        supportEmail: z.ZodDefault<z.ZodOptional<z.ZodString>>;
+        legalEmail: z.ZodDefault<z.ZodOptional<z.ZodString>>;
+    }, "strip", z.ZodTypeAny, {
+        url: string;
+        name: string;
+        supportEmail: string;
+        legalEmail: string;
+    }, {
+        url?: string | undefined;
+        name?: string | undefined;
+        supportEmail?: string | undefined;
+        legalEmail?: string | undefined;
+    }>;
+    residency: z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+        region: z.ZodDefault<z.ZodOptional<z.ZodEnum<["eu", "us", "apac", "global"]>>>;
+        strictMode: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+    }, "strip", z.ZodTypeAny, {
+        enabled: boolean;
+        region: "eu" | "us" | "apac" | "global";
+        strictMode: boolean;
+    }, {
+        enabled?: boolean | undefined;
+        region?: "eu" | "us" | "apac" | "global" | undefined;
+        strictMode?: boolean | undefined;
+    }>;
+    accessibility: z.ZodObject<{
+        enforceContrast: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+        enforceAriaLabels: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+        enforceKeyboardNav: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+        contrastRatio: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+    }, "strip", z.ZodTypeAny, {
+        enforceContrast: boolean;
+        enforceAriaLabels: boolean;
+        enforceKeyboardNav: boolean;
+        contrastRatio: number;
+    }, {
+        enforceContrast?: boolean | undefined;
+        enforceAriaLabels?: boolean | undefined;
+        enforceKeyboardNav?: boolean | undefined;
+        contrastRatio?: number | undefined;
+    }>;
+}, "strip", z.ZodTypeAny, {
+    supabase: {
+        url: string;
+        anonKey: string;
+        serviceRoleKey: string;
+    };
+    stripe: {
+        secretKey: string;
+        publishableKey: string;
+        webhookSecret?: string | undefined;
+    };
+    app: {
+        url: string;
+        name: string;
+        supportEmail: string;
+        legalEmail: string;
+    };
+    residency: {
+        enabled: boolean;
+        region: "eu" | "us" | "apac" | "global";
+        strictMode: boolean;
+    };
+    accessibility: {
+        enforceContrast: boolean;
+        enforceAriaLabels: boolean;
+        enforceKeyboardNav: boolean;
+        contrastRatio: number;
+    };
+}, {
+    supabase: {
+        url: string;
+        anonKey: string;
+        serviceRoleKey: string;
+    };
+    stripe: {
+        secretKey: string;
+        publishableKey: string;
+        webhookSecret?: string | undefined;
+    };
+    app: {
+        url?: string | undefined;
+        name?: string | undefined;
+        supportEmail?: string | undefined;
+        legalEmail?: string | undefined;
+    };
+    residency: {
+        enabled?: boolean | undefined;
+        region?: "eu" | "us" | "apac" | "global" | undefined;
+        strictMode?: boolean | undefined;
+    };
+    accessibility: {
+        enforceContrast?: boolean | undefined;
+        enforceAriaLabels?: boolean | undefined;
+        enforceKeyboardNav?: boolean | undefined;
+        contrastRatio?: number | undefined;
+    };
+}>;
+/**
+ * Parsed configuration types
+ */
+type SupabaseConfig = z.infer<typeof SupabaseConfigSchema>;
+type StripeConfig = z.infer<typeof StripeConfigSchema>;
+type AppConfig = z.infer<typeof AppConfigSchema>;
+type ResidencyConfig = z.infer<typeof ResidencyConfigSchema>;
+type AccessibilityConfig = z.infer<typeof AccessibilityConfigSchema>;
+type KernelConfig = z.infer<typeof KernelConfigSchema>;
+/**
+ * Validate and parse kernel configuration
+ */
+declare function validateConfig(config: Record<string, unknown>): KernelConfig;
+/**
+ * Load configuration from environment variables
+ */
+declare function loadConfigFromEnv(): KernelConfig;
+/**
+ * Get the kernel configuration (cached)
+ */
+declare function getConfig(): KernelConfig;
+/**
+ * Reset cached configuration (useful for testing)
+ */
+declare function resetConfig(): void;
+/**
+ * Set configuration manually (useful for testing or custom initialization)
+ */
+declare function setConfig(config: KernelConfig): void;
+/**
+ * Get Supabase configuration
+ */
+declare function getSupabaseConfig(): SupabaseConfig;
+/**
+ * Get Stripe configuration
+ */
+declare function getStripeConfig(): StripeConfig;
+/**
+ * Get App configuration
+ */
+declare function getAppConfig(): AppConfig;
+/**
+ * Get Data Residency configuration
+ */
+declare function getResidencyConfig(): ResidencyConfig;
+/**
+ * Get Accessibility configuration
+ */
+declare function getAccessibilityConfig(): AccessibilityConfig;
+/**
+ * Check if all required environment variables are set
+ */
+declare function checkRequiredEnvVars(): boolean;
+/**
+ * Environment-aware check: runs validation only in development or when explicitly enabled
+ */
+declare function validateEnvironment(skipProduction?: boolean): boolean;
+/**
+ * Export a singleton instance for convenience
+ */
+declare const config: {
+    get: typeof getConfig;
+    supabase: typeof getSupabaseConfig;
+    stripe: typeof getStripeConfig;
+    app: typeof getAppConfig;
+    residency: typeof getResidencyConfig;
+    accessibility: typeof getAccessibilityConfig;
+    validate: typeof validateEnvironment;
+    check: typeof checkRequiredEnvVars;
+};
+
+/**
+ * Type definitions for the Auth module
+ */
+
+/**
+ * OAuth provider types
+ */
+type OAuthProvider = 'google' | 'github' | 'azure' | 'bitbucket';
+/**
+ * OAuth options
+ */
+interface OAuthOptions {
+    provider?: OAuthProvider;
+    redirectTo?: string;
+    scopes?: string;
+    queryParams?: Record<string, string>;
+    skipBrowserRedirect?: boolean;
+}
+/**
+ * Sign in with email/password options
+ */
+interface SignInWithPasswordOptions {
+    email: string;
+    password: string;
+}
+/**
+ * Sign up options
+ */
+interface SignUpOptions {
+    email: string;
+    password: string;
+    metadata?: Record<string, unknown>;
+}
+/**
+ * Reset password options
+ */
+interface ResetPasswordOptions {
+    email: string;
+    redirectTo?: string;
+}
+/**
+ * Update user options
+ */
+interface UpdateUserOptions {
+    email?: string;
+    password?: string;
+    metadata?: Record<string, unknown>;
+}
+/**
+ * Auth state change callback
+ */
+type AuthStateChangeCallback = (event: 'INITIAL_SESSION' | 'SIGNED_IN' | 'SIGNED_OUT' | 'TOKEN_REFRESHED' | 'USER_UPDATED', session: Session | null) => void;
+/**
+ * Subscription handle for auth state changes
+ */
+interface AuthSubscription {
+    unsubscribe: () => void;
+}
+/**
+ * User role types
+ */
+type UserRole = 'admin' | 'user' | 'guest' | 'premium';
+/**
+ * Extended user with role
+ */
+interface UserWithRole extends User {
+    role?: UserRole;
+}
+/**
+ * Server-side request types
+ */
+interface AuthRequest {
+    headers: {
+        get(name: string): string | null;
+    };
+    cookies?: {
+        get(name: string): {
+            value: string;
+        } | undefined;
+    };
+}
+/**
+ * Verified user from server-side auth
+ */
+interface VerifiedUser {
+    id: string;
+    email: string;
+    role?: UserRole;
+}
+
+/**
+ * Supabase client configuration
+ * Singleton pattern to prevent multiple instances
+ */
+
+/**
+ * Client type enum
+ */
+declare enum ClientType {
+    Browser = "browser",
+    Server = "server",
+    ServiceRole = "service_role"
+}
+/**
+ * Get the browser Supabase client (uses anon key)
+ * Only works in browser environment
+ */
+declare function getBrowserClient(): SupabaseClient;
+/**
+ * Get the server Supabase client (uses anon key)
+ * For server-side operations with user context
+ */
+declare function getServerClient(): SupabaseClient;
+/**
+ * Get the service role client (uses service role key)
+ * For admin operations - use with caution!
+ * Should only be used server-side for privileged operations.
+ */
+declare function getServiceRoleClient(): SupabaseClient;
+/**
+ * Get a Supabase client based on type
+ */
+declare function getClient(type?: ClientType): SupabaseClient;
+/**
+ * Reset all clients (useful for testing)
+ */
+declare function resetClients(): void;
+/**
+ * Check if a specific client type is initialized
+ */
+declare function isClientInitialized(type: ClientType): boolean;
+
+/**
+ * Client-side authentication functions
+ * These functions are meant to be used in the browser
+ */
+
+/**
+ * Sign in with OAuth provider (e.g., Google, GitHub)
+ *
+ * @example
+ * await auth.loginWithGoogle({ redirectTo: '/dashboard' });
+ */
+declare function loginWithOAuth(options?: OAuthOptions): Promise<void>;
+/**
+ * Sign in with Google OAuth (convenience function)
+ *
+ * @example
+ * await auth.loginWithGoogle();
+ */
+declare function loginWithGoogle(redirectTo?: string): Promise<void>;
+/**
+ * Sign in with GitHub OAuth
+ *
+ * @example
+ * await auth.loginWithGitHub();
+ */
+declare function loginWithGitHub(redirectTo?: string): Promise<void>;
+/**
+ * Sign in with email and password
+ *
+ * @example
+ * await auth.signInWithPassword({ email: 'user@example.com', password: 'password123' });
+ */
+declare function signInWithPassword(options: SignInWithPasswordOptions): Promise<{
+    data: {
+        session: Session | null;
+        user: User | null;
+    };
+}>;
+/**
+ * Sign up a new user
+ *
+ * @example
+ * await auth.signUp({
+ *   email: 'user@example.com',
+ *   password: 'password123',
+ *   metadata: { name: 'John Doe' }
+ * });
+ */
+declare function signUp(options: SignUpOptions): Promise<{
+    data: {
+        session: Session | null;
+        user: User | null;
+    };
+}>;
+/**
+ * Sign out the current user
+ *
+ * @example
+ * await auth.logout();
+ */
+declare function logout(): Promise<void>;
+/**
+ * Get the current session
+ *
+ * @example
+ * const session = await auth.getSession();
+ * if (session) {
+ *   console.log('User is logged in:', session.user);
+ * }
+ */
+declare function getSession(): Promise<Session | null>;
+/**
+ * Get the current user
+ *
+ * @example
+ * const user = await auth.getUser();
+ * if (user) {
+ *   console.log('User email:', user.email);
+ * }
+ */
+declare function getUser(): Promise<User | null>;
+/**
+ * Refresh the current session
+ *
+ * @example
+ * await auth.refreshSession();
+ */
+declare function refreshSession(): Promise<Session | null>;
+/**
+ * Update the current user
+ *
+ * @example
+ * await auth.updateUser({ metadata: { name: 'Jane Doe' } });
+ */
+declare function updateUser(options: UpdateUserOptions): Promise<User>;
+/**
+ * Send a password reset email
+ *
+ * @example
+ * await auth.resetPassword({ email: 'user@example.com' });
+ */
+declare function resetPassword(options: ResetPasswordOptions): Promise<void>;
+/**
+ * Subscribe to auth state changes
+ *
+ * @example
+ * const subscription = auth.onAuthStateChange((event, session) => {
+ *   console.log('Auth event:', event, 'Session:', session);
+ * });
+ *
+ * // Later: unsubscribe
+ * subscription.unsubscribe();
+ */
+declare function onAuthStateChange(callback: AuthStateChangeCallback): AuthSubscription;
+/**
+ * Get the access token for API requests
+ *
+ * @example
+ * const token = await auth.getAccessToken();
+ * const response = await fetch('/api/protected', {
+ *   headers: { Authorization: `Bearer ${token}` }
+ * });
+ */
+declare function getAccessToken(): Promise<string | null>;
+/**
+ * Check if a user is currently authenticated
+ *
+ * @example
+ * if (await auth.isAuthenticated()) {
+ *   console.log('User is logged in');
+ * }
+ */
+declare function isAuthenticated(): Promise<boolean>;
+/**
+ * Client authentication API
+ */
+declare const clientAuth: {
+    loginWithOAuth: typeof loginWithOAuth;
+    loginWithGoogle: typeof loginWithGoogle;
+    loginWithGitHub: typeof loginWithGitHub;
+    signInWithPassword: typeof signInWithPassword;
+    signUp: typeof signUp;
+    logout: typeof logout;
+    getSession: typeof getSession;
+    getUser: typeof getUser;
+    refreshSession: typeof refreshSession;
+    updateUser: typeof updateUser;
+    resetPassword: typeof resetPassword;
+    onAuthStateChange: typeof onAuthStateChange;
+    getAccessToken: typeof getAccessToken;
+    isAuthenticated: typeof isAuthenticated;
+};
+
+/**
+ * Server-side authentication functions
+ * These functions are meant to be used in API routes, middleware, and server components
+ */
+
+/**
+ * JWT token payload
+ */
+interface JWTPayload {
+    sub: string;
+    email: string;
+    role?: UserRole;
+    exp: number;
+    iat: number;
+    aud: string;
+}
+/**
+ * Decode and verify a JWT token
+ *
+ * @example
+ * const payload = await auth.decodeToken('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...');
+ */
+declare function decodeToken(token: string): JWTPayload;
+/**
+ * Verify a JWT token and return the user
+ *
+ * @example
+ * const user = await auth.verifyToken(request);
+ */
+declare function verifyToken(request: AuthRequest): Promise<VerifiedUser>;
+/**
+ * Verify a JWT token and return the session
+ *
+ * @example
+ * const session = await auth.verifySession(request);
+ */
+declare function verifySession(request: AuthRequest): Promise<Session>;
+/**
+ * Require an authenticated user for a protected route
+ * Throws 401 if user is not authenticated
+ *
+ * @example
+ * export async function GET(request: Request) {
+ *   const user = await auth.requireUser(request);
+ *   return Response.json({ user });
+ * }
+ */
+declare function requireUser(request: AuthRequest): Promise<VerifiedUser>;
+/**
+ * Require a specific role for a protected route
+ * Throws 403 if user doesn't have the required role
+ *
+ * @example
+ * export async function DELETE(request: Request) {
+ *   const user = await auth.requireRole(request, 'admin');
+ *   return Response.json({ user });
+ * }
+ */
+declare function requireRole(request: AuthRequest, allowedRoles: UserRole[]): Promise<VerifiedUser>;
+/**
+ * Check if a user has a specific role
+ *
+ * @example
+ * if (await auth.hasRole(request, 'admin')) {
+ *   // Show admin features
+ * }
+ */
+declare function hasRole(request: AuthRequest, role: UserRole): Promise<boolean>;
+/**
+ * Get a user by ID (admin function)
+ *
+ * @example
+ * const user = await auth.getUserById('user-id-here');
+ */
+declare function getUserById(userId: string): Promise<User | null>;
+/**
+ * Update a user's role (admin function)
+ *
+ * @example
+ * await auth.updateUserRole('user-id-here', 'admin');
+ */
+declare function updateUserRole(userId: string, role: UserRole): Promise<void>;
+/**
+ * Delete a user (admin function)
+ *
+ * @example
+ * await auth.deleteUser('user-id-here');
+ */
+declare function deleteUser(userId: string): Promise<void>;
+/**
+ * Create a middleware-compatible auth function
+ *
+ * @example
+ * // In Next.js middleware
+ * import { createMiddleware } from '@vocoweb/kernel/auth';
+ *
+ * export const middleware = createMiddleware({
+ *   publicRoutes: ['/api/public', '/login'],
+ * });
+ */
+declare function createMiddleware(options?: {
+    publicRoutes?: string[];
+    apiPrefix?: string;
+}): (request: Request) => Promise<Request | Response>;
+/**
+ * Server authentication API
+ */
+declare const serverAuth: {
+    verifyToken: typeof verifyToken;
+    verifySession: typeof verifySession;
+    requireUser: typeof requireUser;
+    requireRole: typeof requireRole;
+    hasRole: typeof hasRole;
+    getUserById: typeof getUserById;
+    updateUserRole: typeof updateUserRole;
+    deleteUser: typeof deleteUser;
+    createMiddleware: typeof createMiddleware;
+};
+
+/**
+ * Main authentication API
+ *
+ * @example
+ * import { auth } from '@vocoweb/kernel';
+ *
+ * // Client-side
+ * await auth.loginWithGoogle();
+ * await auth.logout();
+ *
+ * // Server-side
+ * const user = await auth.requireUser(request);
+ */
+declare const auth: {
+    loginWithOAuth: typeof loginWithOAuth;
+    loginWithGoogle: typeof loginWithGoogle;
+    loginWithGitHub: typeof loginWithGitHub;
+    signInWithPassword: typeof signInWithPassword;
+    signUp: typeof signUp;
+    logout: typeof logout;
+    getSession: typeof getSession;
+    getUser: typeof getUser;
+    refreshSession: typeof refreshSession;
+    updateUser: typeof updateUser;
+    resetPassword: typeof resetPassword;
+    onAuthStateChange: typeof onAuthStateChange;
+    getAccessToken: typeof getAccessToken;
+    isAuthenticated: typeof isAuthenticated;
+    verifyToken: typeof verifyToken;
+    verifySession: typeof verifySession;
+    requireUser: typeof requireUser;
+    requireRole: typeof requireRole;
+    hasRole: typeof hasRole;
+    getUserById: typeof getUserById;
+    updateUserRole: typeof updateUserRole;
+    deleteUser: typeof deleteUser;
+    createMiddleware: typeof createMiddleware;
+};
+
+/**
+ * VocoAuthClient class for OOP usage
+ *
+ * @example
+ * const client = new VocoAuthClient();
+ * await client.loginWithGoogle();
+ */
+declare class VocoAuthClient {
+    /**
+     * Sign in with Google OAuth
+     */
+    loginWithGoogle(redirectTo?: string): Promise<void>;
+    /**
+     * Sign in with email and password
+     */
+    signInWithPassword(options: SignInWithPasswordOptions): Promise<{
+        data: {
+            session: _supabase_auth_js.Session | null;
+            user: _supabase_auth_js.User | null;
+        };
+    }>;
+    /**
+     * Sign up a new user
+     */
+    signUp(options: SignUpOptions): Promise<{
+        data: {
+            session: _supabase_auth_js.Session | null;
+            user: _supabase_auth_js.User | null;
+        };
+    }>;
+    /**
+     * Sign out the current user
+     */
+    logout(): Promise<void>;
+    /**
+     * Get the current session
+     */
+    getSession(): Promise<_supabase_auth_js.Session | null>;
+    /**
+     * Get the current user
+     */
+    getUser(): Promise<_supabase_auth_js.User | null>;
+    /**
+     * Subscribe to auth state changes
+     */
+    onAuthStateChange(callback: AuthStateChangeCallback): AuthSubscription;
+}
+
+/**
+ * Type definitions for the Billing module
+ */
+
+/**
+ * Checkout session options
+ */
+interface CheckoutOptions {
+    /**
+     * Stripe Price ID
+     */
+    priceId: string;
+    /**
+     * User ID for customer lookup/creation
+     */
+    userId: string;
+    /**
+     * VAT number for EU reverse charge (optional)
+     * Format: Country code + VAT number (e.g., "DE123456789")
+     */
+    vatNumber?: string;
+    /**
+     * Customer email (optional - will use user's email if not provided)
+     */
+    email?: string;
+    /**
+     * Customer name (optional)
+     */
+    name?: string;
+    /**
+     * URL to redirect to on success
+     */
+    successUrl?: string;
+    /**
+     * URL to redirect to on cancel
+     */
+    cancelUrl?: string;
+    /**
+     * Metadata to attach to the session
+     */
+    metadata?: Record<string, string>;
+    /**
+     * Subscription quantity (default: 1)
+     */
+    quantity?: number;
+    /**
+     * Trial period days (optional)
+     */
+    trialPeriodDays?: number;
+}
+/**
+ * Checkout session result
+ */
+interface CheckoutResult {
+    url: string;
+    sessionId: string;
+}
+/**
+ * Webhook event types
+ */
+type WebhookEvent = Stripe__default.Event;
+/**
+ * Invoice status
+ */
+type InvoiceStatus = 'draft' | 'open' | 'paid' | 'void' | 'uncollectible';
+/**
+ * Invoice with metadata
+ */
+interface Invoice {
+    id: string;
+    number: string;
+    amount: number;
+    currency: string;
+    status: InvoiceStatus;
+    createdAt: Date;
+    dueDate?: Date;
+    paidAt?: Date;
+    pdfUrl?: string;
+    metadata?: Record<string, string>;
+}
+/**
+ * Subscription status
+ */
+type SubscriptionStatus = Stripe__default.Subscription.Status;
+/**
+ * Subscription information
+ */
+interface Subscription {
+    id: string;
+    status: SubscriptionStatus;
+    priceId: string;
+    amount: number;
+    currency: string;
+    interval: 'month' | 'year';
+    currentPeriodStart: Date;
+    currentPeriodEnd: Date;
+    cancelAtPeriodEnd: boolean;
+    trialStart?: Date;
+    trialEnd?: Date;
+    metadata?: Record<string, string>;
+}
+/**
+ * Price information
+ */
+interface Price {
+    id: string;
+    productId: string;
+    amount: number;
+    currency: string;
+    interval: 'month' | 'year' | 'one_time' | null;
+    active: boolean;
+    metadata?: Record<string, string>;
+}
+/**
+ * Product information
+ */
+interface Product {
+    id: string;
+    name: string;
+    description?: string;
+    active: boolean;
+    metadata?: Record<string, string>;
+    prices?: Price[];
+}
+/**
+ * Customer information
+ */
+interface Customer {
+    id: string;
+    email?: string;
+    name?: string;
+    metadata?: Record<string, string>;
+}
+/**
+ * Payment method types
+ */
+type PaymentMethodType = Stripe__default.PaymentMethod.Type;
+/**
+ * EU VAT information
+ */
+interface VatInfo {
+    country: string;
+    vatNumber: string;
+    valid: boolean;
+    companyName?: string;
+    address?: string;
+}
+/**
+ * Tax calculation result
+ */
+interface TaxCalculation {
+    amount: number;
+    currency: string;
+    taxAmount: number;
+    taxRate: number;
+    reverseCharge: boolean;
+    vatValid: boolean;
+}
+/**
+ * Customer portal session options
+ */
+interface PortalOptions {
+    customerId: string;
+    returnUrl: string;
+}
+/**
+ * Update subscription options
+ */
+interface UpdateSubscriptionOptions {
+    subscriptionId: string;
+    priceId?: string;
+    quantity?: number;
+    metadata?: Record<string, string>;
+    cancelAtPeriodEnd?: boolean;
+}
+
+/**
+ * VAT (Value Added Tax) validation and utilities
+ * Uses the EU VIES (VAT Information Exchange System) API
+ */
+
+/**
+ * EU country codes with VAT
+ */
+declare const EU_COUNTRY_CODES: readonly ["AT", "BE", "BG", "CY", "CZ", "DE", "DK", "EE", "EL", "ES", "FI", "FR", "HR", "HU", "IE", "IT", "LT", "LU", "LV", "MT", "NL", "PL", "PT", "RO", "SE", "SI", "SK"];
+/**
+ * Extract country code and VAT number from a VAT number string
+ */
+declare function parseVatNumber(vatNumber: string): {
+    countryCode: string;
+    vatNumber: string;
+} | null;
+/**
+ * Check if a country is in the EU
+ */
+declare function isEuCountry(countryCode: string): boolean;
+/**
+ * Validate VAT number format
+ */
+declare function isValidVatFormat(vatNumber: string): boolean;
+/**
+ * Validate VAT number using VIES API
+ *
+ * @example
+ * const result = await validateVat('DE123456789');
+ * if (result.valid) {
+ *   console.log('Company:', result.companyName);
+ * }
+ */
+declare function validateVat(vatNumber: string): Promise<VatInfo>;
+/**
+ * Quick VAT format check (does not call VIES API)
+ *
+ * @example
+ * if (isValidVatFormat('DE123456789')) {
+ *   // Format is valid, but not yet verified
+ * }
+ */
+declare function quickVatCheck(vatNumber: string): boolean;
+/**
+ * Check if reverse charge applies (B2B transaction within EU)
+ */
+declare function shouldApplyReverseCharge(buyerCountry: string, sellerCountry: string, buyerVatNumber: string): boolean;
+/**
+ * Calculate tax amount with reverse charge consideration
+ *
+ * @example
+ * const tax = calculateTax({
+ *   amount: 10000, // $100.00 in cents
+ *   taxRate: 0.20, // 20% VAT
+ *   reverseCharge: true, // B2B with valid VAT
+ * });
+ * // tax.taxAmount = 0 (reverse charge)
+ */
+declare function calculateTax(options: {
+    amount: number;
+    taxRate: number;
+    reverseCharge: boolean;
+}): {
+    amount: number;
+    taxAmount: number;
+    taxRate: number;
+    reverseCharge: boolean;
+};
+/**
+ * Get standard VAT rate for a country
+ * Note: These are standard rates and may not reflect reduced rates for specific goods
+ */
+declare function getStandardVatRate(countryCode: string): number;
+/**
+ * Clear VAT validation cache (useful for testing)
+ */
+declare function clearVatCache(): void;
+/**
+ * VAT validation API
+ */
+declare const vat: {
+    validate: typeof validateVat;
+    quickCheck: typeof quickVatCheck;
+    parse: typeof parseVatNumber;
+    isEuCountry: typeof isEuCountry;
+    shouldApplyReverseCharge: typeof shouldApplyReverseCharge;
+    calculateTax: typeof calculateTax;
+    getStandardRate: typeof getStandardVatRate;
+    clearCache: typeof clearVatCache;
+};
+
+declare const vat$1_EU_COUNTRY_CODES: typeof EU_COUNTRY_CODES;
+declare const vat$1_calculateTax: typeof calculateTax;
+declare const vat$1_clearVatCache: typeof clearVatCache;
+declare const vat$1_getStandardVatRate: typeof getStandardVatRate;
+declare const vat$1_isEuCountry: typeof isEuCountry;
+declare const vat$1_isValidVatFormat: typeof isValidVatFormat;
+declare const vat$1_parseVatNumber: typeof parseVatNumber;
+declare const vat$1_quickVatCheck: typeof quickVatCheck;
+declare const vat$1_shouldApplyReverseCharge: typeof shouldApplyReverseCharge;
+declare const vat$1_validateVat: typeof validateVat;
+declare const vat$1_vat: typeof vat;
+declare namespace vat$1 {
+  export { vat$1_EU_COUNTRY_CODES as EU_COUNTRY_CODES, vat$1_calculateTax as calculateTax, vat$1_clearVatCache as clearVatCache, vat$1_getStandardVatRate as getStandardVatRate, vat$1_isEuCountry as isEuCountry, vat$1_isValidVatFormat as isValidVatFormat, vat$1_parseVatNumber as parseVatNumber, vat$1_quickVatCheck as quickVatCheck, vat$1_shouldApplyReverseCharge as shouldApplyReverseCharge, vat$1_validateVat as validateVat, vat$1_vat as vat };
+}
+
+/**
+ * Stripe checkout session creation with VAT validation
+ */
+
+/**
+ * Create Stripe checkout session with VAT validation
+ *
+ * @example
+ * const result = await createCheckoutSession({
+ *   priceId: 'price_...',
+ *   userId: 'user-123',
+ *   vatNumber: 'DE123456789',
+ *   email: 'customer@example.com',
+ * });
+ */
+declare function createCheckoutSession(options: CheckoutOptions): Promise<CheckoutResult>;
+/**
+ * Create a customer portal session
+ *
+ * @example
+ * const result = await createPortalSession({
+ *   customerId: 'cus_...',
+ *   returnUrl: 'https://app.example.com/settings',
+ * });
+ */
+declare function createPortalSession(options: {
+    customerId: string;
+    returnUrl: string;
+}): Promise<{
+    url: string;
+}>;
+/**
+ * Get checkout session by ID
+ *
+ * @example
+ * const session = await getCheckoutSession('cs_test_...');
+ */
+declare function getCheckoutSession(sessionId: string): Promise<Stripe__default.Checkout.Session>;
+/**
+ * List products with prices
+ *
+ * @example
+ * const products = await listProducts({ active: true });
+ */
+declare function listProducts(options?: {
+    active?: boolean;
+    limit?: number;
+}): Promise<Array<{
+    product: Stripe__default.Product;
+    prices: Stripe__default.Price[];
+}>>;
+/**
+ * Get product by ID with prices
+ *
+ * @example
+ * const product = await getProduct('prod_...');
+ */
+declare function getProduct(productId: string): Promise<{
+    product: Stripe__default.Product;
+    prices: Stripe__default.Price[];
+}>;
+/**
+ * Checkout API
+ */
+declare const checkout: {
+    createSession: typeof createCheckoutSession;
+    getSession: typeof getCheckoutSession;
+    createPortal: typeof createPortalSession;
+    listProducts: typeof listProducts;
+    getProduct: typeof getProduct;
+};
+
+declare const checkout$1_checkout: typeof checkout;
+declare const checkout$1_createCheckoutSession: typeof createCheckoutSession;
+declare const checkout$1_createPortalSession: typeof createPortalSession;
+declare const checkout$1_getCheckoutSession: typeof getCheckoutSession;
+declare const checkout$1_getProduct: typeof getProduct;
+declare const checkout$1_listProducts: typeof listProducts;
+declare namespace checkout$1 {
+  export { checkout$1_checkout as checkout, checkout$1_createCheckoutSession as createCheckoutSession, checkout$1_createPortalSession as createPortalSession, checkout$1_getCheckoutSession as getCheckoutSession, checkout$1_getProduct as getProduct, checkout$1_listProducts as listProducts };
+}
+
+/**
+ * Stripe webhook handler
+ * Verifies webhook signatures and processes events
+ */
+
+/**
+ * Webhook event handler type
+ */
+type WebhookEventHandler = (event: Stripe__default.Event) => void | Promise<void>;
+/**
+ * Parse and verify Stripe webhook
+ *
+ * @example
+ * import { verifyWebhook } from '@vocoweb/kernel/billing';
+ *
+ * export async function POST(request: Request) {
+ *   const body = await request.text();
+ *   const signature = request.headers.get('stripe-signature') || '';
+ *
+ *   try {
+ *     const event = verifyWebhook(body, signature);
+ *     // Process event...
+ *   } catch (error) {
+ *     return Response.json({ error: 'Invalid webhook' }, { status: 400 });
+ *   }
+ * }
+ */
+declare function verifyWebhook(payload: string | Buffer, signature: string, secret?: string): Stripe__default.Event;
+/**
+ * Register a handler for a specific webhook event type
+ *
+ * @example
+ * onWebhookEvent('checkout.session.completed', async (event) => {
+ *   const session = event.data.object as Stripe.Checkout.Session;
+ *   console.log('Checkout completed:', session.id);
+ * });
+ */
+declare function onWebhookEvent(eventType: string, handler: WebhookEventHandler): void;
+/**
+ * Unregister all handlers for an event type
+ */
+declare function offWebhookEvent(eventType: string): void;
+/**
+ * Process a webhook event by calling registered handlers
+ *
+ * @example
+ * const event = verifyWebhook(body, signature);
+ * await handleWebhook(event);
+ */
+declare function handleWebhook(event: Stripe__default.Event): Promise<void>;
+/**
+ * Create a standardized webhook handler for Next.js API routes
+ *
+ * @example
+ * export const POST = handleWebhookRequest({
+ *   onCheckoutCompleted: async (session) => {
+ *     // Handle successful checkout
+ *   },
+ *   onInvoicePaid: async (invoice) => {
+ *     // Handle paid invoice
+ *   },
+ * });
+ */
+declare function handleWebhookRequest(config?: {
+    onCheckoutCompleted?: (session: Stripe__default.Checkout.Session) => void | Promise<void>;
+    onInvoicePaid?: (invoice: Stripe__default.Invoice) => void | Promise<void>;
+    onInvoiceFailed?: (invoice: Stripe__default.Invoice) => void | Promise<void>;
+    onSubscriptionCreated?: (subscription: Stripe__default.Subscription) => void | Promise<void>;
+    onSubscriptionUpdated?: (subscription: Stripe__default.Subscription) => void | Promise<void>;
+    onSubscriptionDeleted?: (subscription: Stripe__default.Subscription) => void | Promise<void>;
+    onCustomerCreated?: (customer: Stripe__default.Customer) => void | Promise<void>;
+    onEvent?: (event: Stripe__default.Event) => void | Promise<void>;
+}): (request: Request) => Promise<Response>;
+/**
+ * Middleware-style webhook handler for Express
+ *
+ * @example
+ * app.post('/webhook', expressWebhookHandler({
+ *   onCheckoutCompleted: async (session) => {
+ *     // Handle checkout
+ *   },
+ * }));
+ */
+declare function expressWebhookHandler(config?: {
+    onCheckoutCompleted?: (session: Stripe__default.Checkout.Session) => void | Promise<void>;
+    onInvoicePaid?: (invoice: Stripe__default.Invoice) => void | Promise<void>;
+    onInvoiceFailed?: (invoice: Stripe__default.Invoice) => void | Promise<void>;
+    onSubscriptionCreated?: (subscription: Stripe__default.Subscription) => void | Promise<void>;
+    onSubscriptionUpdated?: (subscription: Stripe__default.Subscription) => void | Promise<void>;
+    onSubscriptionDeleted?: (subscription: Stripe__default.Subscription) => void | Promise<void>;
+    onCustomerCreated?: (customer: Stripe__default.Customer) => void | Promise<void>;
+    onEvent?: (event: Stripe__default.Event) => void | Promise<void>;
+}): (req: {
+    body?: string;
+    headers: {
+        "stripe-signature"?: string;
+    };
+}, res: {
+    status(code: number): {
+        json(data: unknown): void;
+    };
+    json(data: unknown): void;
+}) => Promise<void>;
+/**
+ * Webhook API
+ */
+declare const webhook: {
+    verify: typeof verifyWebhook;
+    handle: typeof handleWebhook;
+    on: typeof onWebhookEvent;
+    off: typeof offWebhookEvent;
+    createHandler: typeof handleWebhookRequest;
+    expressHandler: typeof expressWebhookHandler;
+};
+/**
+ * Common Stripe webhook event types
+ */
+declare const WebhookEvents: {
+    readonly CHECKOUT_COMPLETED: "checkout.session.completed";
+    readonly CHECKOUT_EXPIRED: "checkout.session.expired";
+    readonly INVOICE_CREATED: "invoice.created";
+    readonly INVOICE_PAID: "invoice.paid";
+    readonly INVOICE_PAYMENT_FAILED: "invoice.payment_failed";
+    readonly INVOICE_SENT: "invoice.sent";
+    readonly INVOICE_UPCOMING: "invoice.upcoming";
+    readonly INVOICE_VOIDED: "invoice.voided";
+    readonly INVOICE_MARKED_UNCOLLECTIBLE: "invoice.marked_uncollectible";
+    readonly SUBSCRIPTION_CREATED: "customer.subscription.created";
+    readonly SUBSCRIPTION_UPDATED: "customer.subscription.updated";
+    readonly SUBSCRIPTION_DELETED: "customer.subscription.deleted";
+    readonly SUBSCRIPTION_TRIAL_WILL_END: "customer.subscription.trial_will_end";
+    readonly CUSTOMER_CREATED: "customer.created";
+    readonly CUSTOMER_UPDATED: "customer.updated";
+    readonly CUSTOMER_DELETED: "customer.deleted";
+};
+
+type webhook$1_WebhookEventHandler = WebhookEventHandler;
+declare const webhook$1_WebhookEvents: typeof WebhookEvents;
+declare const webhook$1_expressWebhookHandler: typeof expressWebhookHandler;
+declare const webhook$1_handleWebhook: typeof handleWebhook;
+declare const webhook$1_handleWebhookRequest: typeof handleWebhookRequest;
+declare const webhook$1_offWebhookEvent: typeof offWebhookEvent;
+declare const webhook$1_onWebhookEvent: typeof onWebhookEvent;
+declare const webhook$1_verifyWebhook: typeof verifyWebhook;
+declare const webhook$1_webhook: typeof webhook;
+declare namespace webhook$1 {
+  export { type webhook$1_WebhookEventHandler as WebhookEventHandler, webhook$1_WebhookEvents as WebhookEvents, webhook$1_expressWebhookHandler as expressWebhookHandler, webhook$1_handleWebhook as handleWebhook, webhook$1_handleWebhookRequest as handleWebhookRequest, webhook$1_offWebhookEvent as offWebhookEvent, webhook$1_onWebhookEvent as onWebhookEvent, webhook$1_verifyWebhook as verifyWebhook, webhook$1_webhook as webhook };
+}
+
+/**
+ * Invoice management
+ */
+
+/**
+ * Get invoice by ID
+ *
+ * @example
+ * const invoice = await getInvoice('in_...');
+ */
+declare function getInvoice(invoiceId: string): Promise<Invoice>;
+/**
+ * List invoices for a customer
+ *
+ * @example
+ * const invoices = await getInvoices('cus_...');
+ */
+declare function getInvoices(customerId: string, options?: {
+    limit?: number;
+    status?: Invoice['status'];
+}): Promise<{
+    invoices: Invoice[];
+    hasMore: boolean;
+}>;
+/**
+ * List invoices for a user (by user_id metadata)
+ *
+ * @example
+ * const invoices = await getUserInvoices('user-123');
+ */
+declare function getUserInvoices(userId: string, options?: {
+    limit?: number;
+    status?: Invoice['status'];
+}): Promise<{
+    invoices: Invoice[];
+    hasMore: boolean;
+}>;
+/**
+ * Get upcoming invoice for a subscription
+ *
+ * @example
+ * const invoice = await getUpcomingInvoice('sub_...');
+ */
+declare function getUpcomingInvoice(subscriptionId: string): Promise<Invoice | null>;
+/**
+ * Create an invoice for a subscription immediately
+ *
+ * @example
+ * const invoice = await createInvoice('sub_...');
+ */
+declare function createInvoice(subscriptionId: string): Promise<Invoice>;
+/**
+ * Pay an invoice (for automatic collection invoices)
+ *
+ * @example
+ * const invoice = await payInvoice('in_...');
+ */
+declare function payInvoice(invoiceId: string): Promise<Invoice>;
+/**
+ * Void an invoice
+ *
+ * @example
+ * const invoice = await voidInvoice('in_...');
+ */
+declare function voidInvoice(invoiceId: string): Promise<Invoice>;
+/**
+ * Send an invoice to the customer
+ *
+ * @example
+ * await sendInvoice('in_...');
+ */
+declare function sendInvoice(invoiceId: string): Promise<void>;
+/**
+ * Get invoice line items
+ *
+ * @example
+ * const lines = await getInvoiceLines('in_...');
+ */
+declare function getInvoiceLines(invoiceId: string): Promise<Stripe__default.InvoiceLineItem[]>;
+/**
+ * Invoices API
+ */
+declare const invoices: {
+    get: typeof getInvoice;
+    list: typeof getInvoices;
+    getUser: typeof getUserInvoices;
+    getUpcoming: typeof getUpcomingInvoice;
+    create: typeof createInvoice;
+    pay: typeof payInvoice;
+    void: typeof voidInvoice;
+    send: typeof sendInvoice;
+    getLines: typeof getInvoiceLines;
+};
+
+declare const invoices$1_createInvoice: typeof createInvoice;
+declare const invoices$1_getInvoice: typeof getInvoice;
+declare const invoices$1_getInvoiceLines: typeof getInvoiceLines;
+declare const invoices$1_getInvoices: typeof getInvoices;
+declare const invoices$1_getUpcomingInvoice: typeof getUpcomingInvoice;
+declare const invoices$1_getUserInvoices: typeof getUserInvoices;
+declare const invoices$1_invoices: typeof invoices;
+declare const invoices$1_payInvoice: typeof payInvoice;
+declare const invoices$1_sendInvoice: typeof sendInvoice;
+declare const invoices$1_voidInvoice: typeof voidInvoice;
+declare namespace invoices$1 {
+  export { invoices$1_createInvoice as createInvoice, invoices$1_getInvoice as getInvoice, invoices$1_getInvoiceLines as getInvoiceLines, invoices$1_getInvoices as getInvoices, invoices$1_getUpcomingInvoice as getUpcomingInvoice, invoices$1_getUserInvoices as getUserInvoices, invoices$1_invoices as invoices, invoices$1_payInvoice as payInvoice, invoices$1_sendInvoice as sendInvoice, invoices$1_voidInvoice as voidInvoice };
+}
+
+/**
+ * Main billing API
+ *
+ * @example
+ * import { billing } from '@vocoweb/kernel';
+ *
+ * // Create checkout with VAT validation
+ * const session = await billing.createCheckoutSession({
+ *   priceId: 'price_...',
+ *   userId: 'user-123',
+ *   vatNumber: 'DE123456789',
+ * });
+ *
+ * // Validate VAT number
+ * const vat = await billing.validateVat('DE123456789');
+ *
+ * // Get user invoices
+ * const { invoices } = await billing.getInvoices('user-123');
+ */
+declare const billing: {
+    validateVat: typeof validateVat;
+    quickVatCheck: typeof quickVatCheck;
+    parseVatNumber: typeof parseVatNumber;
+    isEuCountry: typeof isEuCountry;
+    shouldApplyReverseCharge: typeof shouldApplyReverseCharge;
+    calculateTax: typeof calculateTax;
+    getStandardVatRate: typeof getStandardVatRate;
+    createCheckoutSession: typeof createCheckoutSession;
+    getCheckoutSession: typeof getCheckoutSession;
+    createPortalSession: typeof createPortalSession;
+    listProducts: typeof listProducts;
+    getProduct: typeof getProduct;
+    verifyWebhook: typeof verifyWebhook;
+    handleWebhook: typeof handleWebhook;
+    onWebhookEvent: typeof onWebhookEvent;
+    offWebhookEvent: typeof offWebhookEvent;
+    handleWebhookRequest: typeof handleWebhookRequest;
+    expressWebhookHandler: typeof expressWebhookHandler;
+    getInvoice: typeof getInvoice;
+    getInvoices: typeof getInvoices;
+    getUserInvoices: typeof getUserInvoices;
+    getUpcomingInvoice: typeof getUpcomingInvoice;
+    createInvoice: typeof createInvoice;
+    payInvoice: typeof payInvoice;
+    voidInvoice: typeof voidInvoice;
+    sendInvoice: typeof sendInvoice;
+    getInvoiceLines: typeof getInvoiceLines;
+};
+
+/**
+ * BillingClient class for OOP usage
+ */
+declare class BillingClient {
+    /**
+     * Create a checkout session
+     */
+    createCheckoutSession(options: CheckoutOptions): Promise<CheckoutResult>;
+    /**
+     * Validate VAT number
+     */
+    validateVat(vatNumber: string): Promise<VatInfo>;
+    /**
+     * Get invoices for a user
+     */
+    getInvoices(userId: string): Promise<{
+        invoices: Invoice[];
+        hasMore: boolean;
+    }>;
+    /**
+     * Verify webhook signature
+     */
+    verifyWebhook(payload: string | Buffer, signature: string, secret?: string): Stripe.Stripe.Event;
+    /**
+     * Create customer portal session
+     */
+    createPortalSession(options: PortalOptions): Promise<{
+        url: string;
+    }>;
+}
+
+/**
+ * GDPR Data Export functionality
+ * Allows users to request all their data as required by GDPR
+ */
+
+/**
+ * Export all user data for GDPR compliance
+ *
+ * This function fetches all data associated with a user from:
+ * - User profile
+ * - Projects
+ * - Websites
+ * - Usage logs
+ * - Subscriptions
+ * - Invoices
+ * - Audit logs
+ *
+ * @example
+ * const exportData = await exportUserData('user-123');
+ * // Returns all user data in structured format
+ */
+declare function exportUserData(userId: string): Promise<UserDataExport>;
+/**
+ * Export user data as downloadable JSON string
+ *
+ * @example
+ * const json = await exportUserDataAsJson('user-123');
+ * // Send to user via email or download
+ */
+declare function exportUserDataAsJson(userId: string): Promise<string>;
+/**
+ * Create a data export file name
+ *
+ * @example
+ * const filename = createExportFilename('user-123');
+ * // Returns: "user-data-export-user-123-20250208.json"
+ */
+declare function createExportFilename(userId: string): string;
+/**
+ * Check if user has pending export requests
+ *
+ * @example
+ * const hasPending = await hasPendingExports('user-123');
+ */
+declare function hasPendingExports(userId: string): Promise<boolean>;
+/**
+ * Request a data export (creates a pending export record)
+ *
+ * @example
+ * const exportId = await requestDataExport('user-123');
+ */
+declare function requestDataExport(userId: string): Promise<string>;
+/**
+ * Process pending data exports
+ * This should be called by a background job or cron
+ *
+ * @example
+ * await processPendingExports();
+ */
+declare function processPendingExports(limit?: number): Promise<number>;
+/**
+ * Get completed export for a user
+ *
+ * @example
+ * const export = await getUserExport('user-123');
+ */
+declare function getUserExport(userId: string): Promise<UserDataExport | null>;
+/**
+ * Data export API
+ */
+declare const dataExport: {
+    export: typeof exportUserData;
+    exportAsJson: typeof exportUserDataAsJson;
+    createFilename: typeof createExportFilename;
+    hasPending: typeof hasPendingExports;
+    request: typeof requestDataExport;
+    processPending: typeof processPendingExports;
+    getUser: typeof getUserExport;
+};
+
+/**
+ * Module C: Shield (Legal Compliance)
+ * GDPR-compliant legal components and data export
+ */
+
+/**
+ * Main legal compliance API
+ *
+ * @example
+ * import { legal } from '@vocoweb/kernel';
+ *
+ * // Export user data for GDPR
+ * const exportData = await legal.exportUserData('user-123');
+ *
+ * // Check for pending exports
+ * const hasPending = await legal.hasPendingExports('user-123');
+ */
+declare const legal: {
+    exportUserData: typeof exportUserData;
+    exportUserDataAsJson: typeof exportUserDataAsJson;
+    createExportFilename: typeof createExportFilename;
+    hasPendingExports: typeof hasPendingExports;
+    requestDataExport: typeof requestDataExport;
+    processPendingExports: typeof processPendingExports;
+    getUserExport: typeof getUserExport;
+};
+
+/**
+ * Privacy and GDPR type definitions
+ */
+/**
+ * Action to perform on a dependency during deletion
+ */
+type DependencyAction = {
+    table: string;
+    foreign_key: string;
+    action: 'delete' | 'anonymize' | 'retain';
+    cascade?: boolean;
+    keep_fields?: string[];
+};
+/**
+ * External API call configuration
+ */
+type ExternalApiConfig = {
+    service: 'supabase' | 'stripe' | 'sendgrid' | 'openai' | string;
+    action: string;
+    endpoint?: string;
+    method?: string;
+    required?: boolean;
+    lookup_key?: string;
+    lookup_table?: string;
+};
+/**
+ * External API call result
+ */
+type ExternalApiCall = {
+    service: string;
+    action: string;
+    status: 'pending' | 'completed' | 'failed';
+    error?: string;
+    timestamp: Date;
+};
+/**
+ * Compliance map configuration for an entity type
+ */
+type ComplianceMapConfig = {
+    table: string;
+    primary_key: string;
+    dependencies: DependencyAction[];
+    external_apis?: ExternalApiConfig[];
+};
+/**
+ * Full compliance map
+ */
+type ComplianceMap = {
+    [entityType: string]: ComplianceMapConfig;
+};
+/**
+ * Result of a deletion operation
+ */
+type DeletionResult = {
+    success: boolean;
+    userId: string;
+    deletedTables: string[];
+    anonymizedTables: string[];
+    retainedTables: string[];
+    externalApiCalls: ExternalApiCall[];
+    errors: Array<{
+        table: string;
+        error: string;
+    }>;
+    completedAt: Date;
+};
+/**
+ * Scheduled deletion
+ */
+type ScheduledDeletion = {
+    id: string;
+    userId: string;
+    entityType: 'user' | 'project' | 'website';
+    scheduledFor: Date;
+    status: 'pending' | 'processing' | 'completed' | 'cancelled' | 'failed';
+    createdAt: Date;
+    cancelledAt?: Date;
+    completedAt?: Date;
+    error?: string;
+};
+/**
+ * Data export record
+ */
+type DataExportRecord = {
+    id: string;
+    userId: string;
+    status: 'pending' | 'processing' | 'completed' | 'failed';
+    requestedAt: Date;
+    completedAt?: Date;
+    data?: any;
+    error?: string;
+};
+/**
+ * Deletion status details
+ */
+type DeletionStatusDetails = {
+    status: 'pending' | 'processing' | 'completed' | 'failed' | 'not_found';
+    tracker?: DeletionTracker;
+};
+/**
+ * Deletion status tracker
+ * Stores deletion progress for audit trail
+ */
+interface DeletionTracker {
+    userId: string;
+    startedAt: Date;
+    status: 'pending' | 'processing' | 'completed' | 'failed';
+    deletedTables: string[];
+    anonymizedTables: string[];
+    retainedTables: string[];
+    externalApiCalls: ExternalApiCall[];
+    errors: Array<{
+        table: string;
+        error: string;
+    }>;
+}
+
+/**
+ * GDPR Erasure Engine (Article 17 - Right to be Forgotten)
+ * Cascading deletion with external API cleanup
+ */
+
+/**
+ * Perform cascading deletion based on compliance map
+ *
+ * This function:
+ * 1. Reads the compliance-map.json configuration
+ * 2. Executes cascading deletions in dependency order
+ * 3. Calls external APIs for cleanup (Supabase, Stripe, SendGrid)
+ * 4. Creates an audit trail of all actions
+ *
+ * @example
+ * const result = await obliterateUserData('user-123');
+ * // Returns: { deletedTables: [...], anonymizedTables: [...], ... }
+ */
+declare function obliterateUserData(userId: string, entityType?: 'user' | 'project' | 'website'): Promise<DeletionResult>;
+/**
+ * Check deletion status for a user
+ */
+declare function checkDeletionStatus(userId: string): Promise<{
+    status: 'pending' | 'processing' | 'completed' | 'failed' | 'not_found';
+    tracker?: DeletionTracker;
+}>;
+/**
+ * Schedule delayed deletion (30-day grace period)
+ *
+ * This creates a pending deletion that can be cancelled within 30 days
+ *
+ * @example
+ * const deletionId = await scheduleDeletion('user-123');
+ * // User can cancel within 30 days
+ */
+declare function scheduleDeletion(userId: string, entityType?: 'user' | 'project' | 'website', delayDays?: number): Promise<string>;
+/**
+ * Cancel scheduled deletion
+ *
+ * @example
+ * await cancelScheduledDeletion('deletion-id-123');
+ */
+declare function cancelScheduledDeletion(deletionId: string): Promise<void>;
+/**
+ * Process scheduled deletions (should be called by cron job)
+ *
+ * @example
+ * const processed = await processScheduledDeletions();
+ */
+declare function processScheduledDeletions(limit?: number): Promise<number>;
+/**
+ * Export the obliterate module
+ */
+declare const obliterate: {
+    userData: typeof obliterateUserData;
+    checkStatus: typeof checkDeletionStatus;
+    schedule: typeof scheduleDeletion;
+    cancel: typeof cancelScheduledDeletion;
+    processScheduled: typeof processScheduledDeletions;
+};
+
+/**
+ * Main privacy/GDPR API
+ *
+ * @example
+ * import { privacy } from '@vocoweb/kernel';
+ *
+ * // GDPR deletion (right to be forgotten)
+ * const result = await privacy.obliterate('user-123');
+ *
+ * // GDPR data export
+ * const exportData = await privacy.exportUserData('user-123');
+ */
+declare const privacy: {
+    obliterate: typeof obliterateUserData;
+    exportUserData: typeof exportUserData;
+    checkDeletionStatus: (userId: string) => Promise<{
+        status: "pending" | "processing" | "completed" | "failed" | "not_found";
+        tracker?: DeletionTracker;
+    }>;
+};
+
+/**
+ * Accessibility validators for WCAG 2.1 AA compliance
+ */
+
+/**
+ * Check color contrast ratio against WCAG standards
+ *
+ * @param foreground - Foreground color (hex)
+ * @param background - Background color (hex)
+ * @returns Contrast result with WCAG AA/AAA compliance
+ *
+ * @example
+ * const result = checkColorContrast('#ffffff', '#000000');
+ * // Returns: { ratio: 21, aa: true, aaa: true, ... }
+ */
+declare function checkColorContrast(foreground: string, background: string): ContrastResult;
+/**
+ * Validate ARIA attributes on an element
+ *
+ * @param ariaLabel - ARIA label value
+ * @param ariaLabelledby - ARIA labelledby value
+ * @param elementType - Type of element (button, input, etc.)
+ * @returns Validation result with any issues found
+ *
+ * @example
+ * const result = validateAriaLabel(undefined, undefined, 'button');
+ * // Returns: { valid: false, issues: [{ severity: 'error', message: '...' }] }
+ */
+declare function validateAriaLabel(ariaLabel?: string, ariaLabelledby?: string, elementType?: string): AriaValidationResult;
+/**
+ * Test keyboard navigation for a component
+ *
+ * @param element - DOM element to test
+ * @returns Keyboard navigation result
+ *
+ * @example
+ * const button = document.querySelector('button');
+ * const result = testKeyboardNavigation(button);
+ */
+declare function testKeyboardNavigation(element: unknown): KeyboardNavigationResult;
+/**
+ * Run comprehensive accessibility audit on a color scheme
+ *
+ * @param colors - Object with foreground and background colors
+ * @param level - WCAG compliance level to test against
+ * @returns Array of accessibility violations
+ *
+ * @example
+ * const violations = auditColorScheme({
+ *   primary: '#ffffff',
+ *   background: '#000000'
+ * }, 'AA');
+ */
+declare function auditColorScheme(colors: Record<string, {
+    foreground?: string;
+    background?: string;
+}>, level?: ComplianceLevel): AccessibilityViolation[];
+/**
+ * Validate that all interactive elements have accessible names
+ *
+ * @param elements - Array of element descriptors
+ * @returns Array of accessibility violations
+ */
+declare function validateInteractiveElements(elements: Array<{
+    type: string;
+    hasLabel?: boolean;
+    hasAriaLabel?: string;
+    id?: string;
+}>): AccessibilityViolation[];
+/**
+ * Check if a focus indicator meets WCAG requirements
+ *
+ * @param element - CSS selector or element to check
+ * @returns Whether the focus indicator is sufficient
+ */
+declare function validateFocusIndicator(element: unknown): boolean;
+/**
+ * Get suggested color pairings for improved contrast
+ *
+ * @param color - Color to find pairings for
+ * @param targetRatio - Target contrast ratio (default 4.5 for AA)
+ * @returns Array of suggested colors with their contrast ratios
+ */
+declare function getSuggestedColorPairings(color: string, targetRatio?: number): Array<{
+    color: string;
+    ratio: number;
+}>;
+/**
+ * Accessibility validators API
+ */
+declare const validators: {
+    checkColorContrast: typeof checkColorContrast;
+    validateAriaLabel: typeof validateAriaLabel;
+    testKeyboardNavigation: typeof testKeyboardNavigation;
+    auditColorScheme: typeof auditColorScheme;
+    validateInteractiveElements: typeof validateInteractiveElements;
+    validateFocusIndicator: typeof validateFocusIndicator;
+    getSuggestedColorPairings: typeof getSuggestedColorPairings;
+};
+/**
+ * Create a contrast error with suggestions
+ */
+declare function throwContrastError(fg: string, bg: string, ratio: number): never;
+
+/**
+ * Module 2: EAA Enforcer (Accessibility)
+ * WCAG 2.1 AA compliant components and validators
+ */
+
+/**
+ * Main accessibility API
+ *
+ * @example
+ * import { accessibility } from '@vocoweb/kernel';
+ *
+ * // Check color contrast
+ * const result = accessibility.checkColorContrast('#ffffff', '#000000');
+ *
+ * // Validate ARIA labels
+ * const validation = accessibility.validateAriaLabel(undefined, undefined, 'button');
+ */
+declare const accessibility: {
+    checkColorContrast: typeof checkColorContrast;
+    validateAriaLabel: typeof validateAriaLabel;
+    testKeyboardNavigation: typeof testKeyboardNavigation;
+    auditColorScheme: typeof auditColorScheme;
+    validateFocusIndicator: typeof validateFocusIndicator;
+    getSuggestedColorPairings: typeof getSuggestedColorPairings;
+    validateInteractiveElements: typeof validateInteractiveElements;
+};
+
+/**
+ * Data Residency type definitions for GDPR compliance
+ */
+
+/**
+ * IP geolocation result
+ */
+interface IpGeolocation {
+    ip: string;
+    country: string;
+    region?: string;
+    city?: string;
+    isEu: boolean;
+    latitude?: number;
+    longitude?: number;
+}
+/**
+ * Destination rule
+ */
+interface DestinationRule {
+    pattern: string | RegExp;
+    allowedRegions: DataRegion[];
+    description?: string;
+}
+/**
+ * Data residency configuration
+ */
+interface DataResidencyConfig {
+    /**
+     * Default region for data storage
+     */
+    defaultRegion: DataRegion;
+    /**
+     * Allowed regions for data processing
+     */
+    allowedRegions: DataRegion[];
+    /**
+     * Blocked destinations (patterns)
+     */
+    blockedDestinations: string[];
+    /**
+     * Allowed destinations with region restrictions
+     */
+    destinationRules: DestinationRule[];
+    /**
+     * Whether to block all non-EU egress
+     */
+    blockNonEuEgress: boolean;
+    /**
+     * Supabase region (for detecting if requests stay within EU)
+     */
+    supabaseRegion: string;
+    /**
+     * Custom headers to check for region
+     */
+    regionHeaders?: string[];
+}
+/**
+ * Request analysis result
+ */
+interface RequestAnalysis {
+    url: string;
+    method: string;
+    destination: string;
+    region: DataRegion;
+    allowed: boolean;
+    reason?: string;
+    matchedRule?: DestinationRule;
+}
+/**
+ * Egress block event
+ */
+interface EgressBlockEvent {
+    timestamp: Date;
+    ip: string;
+    url: string;
+    method: string;
+    region: DataRegion;
+    reason: string;
+    userId?: string;
+}
+/**
+ * Middleware options
+ */
+interface MiddlewareOptions {
+    /**
+     * Custom configuration
+     */
+    config?: Partial<DataResidencyConfig>;
+    /**
+     * Paths to exclude from checks
+     */
+    excludePaths?: string[];
+    /**
+     * Handler for blocked requests
+     */
+    onBlocked?: (event: EgressBlockEvent) => void | Promise<void>;
+    /**
+     * Whether to log allowed requests
+     */
+    logAllowed?: boolean;
+}
+
+/**
+ * Region detection and IP geolocation
+ */
+
+/**
+ * Supabase EU regions
+ */
+declare const SUPABASE_EU_REGIONS: string[];
+/**
+ * Detect region from IP address
+ * Uses a free IP geolocation API or falls back to headers
+ *
+ * @param ip - IP address to detect
+ * @param headers - Optional headers for region detection
+ * @returns Detected region
+ */
+declare function detectRegion(ip: string, headers?: Record<string, string | undefined>): Promise<DataRegion>;
+/**
+ * Detect region from request headers
+ */
+declare function detectRegionFromHeaders(headers?: Record<string, string | undefined>): DataRegion | null;
+/**
+ * Get IP geolocation information
+ *
+ * @param ip - IP address to lookup
+ * @returns Geolocation information
+ */
+declare function getIpGeolocation(ip: string): Promise<IpGeolocation>;
+/**
+ * Check if an IP is private/local
+ */
+declare function isPrivateIp(ip: string): boolean;
+/**
+ * Parse IP from headers (handles X-Forwarded-For, etc.)
+ */
+declare function parseIpFromHeaders(headers: Record<string, string | undefined>): string;
+/**
+ * Detect if a URL points to an EU-hosted service
+ */
+declare function detectUrlRegion(url: string): DataRegion;
+/**
+ * Region detection API
+ */
+declare const detector: {
+    detectRegion: typeof detectRegion;
+    detectRegionFromHeaders: typeof detectRegionFromHeaders;
+    getIpGeolocation: typeof getIpGeolocation;
+    isPrivateIp: typeof isPrivateIp;
+    parseIpFromHeaders: typeof parseIpFromHeaders;
+    detectUrlRegion: typeof detectUrlRegion;
+    isEuCountry: typeof isEuCountry;
+};
+
+/**
+ * Destination whitelist management
+ * Controls which external services and endpoints can be called
+ */
+
+/**
+ * Default allowed destinations for EU data residency
+ */
+declare const DEFAULT_ALLOWED_DESTINATIONS: DestinationRule[];
+/**
+ * Default blocked destinations (high-risk)
+ */
+declare const DEFAULT_BLOCKED_DESTINATIONS: string[];
+/**
+ * Check if a destination is allowed based on rules
+ *
+ * @param url - Destination URL
+ * @param rules - Destination rules to check
+ * @param currentRegion - Current data region
+ * @returns Whether the destination is allowed
+ */
+declare function checkDestinationAgainstRules(url: string, rules: DestinationRule[], currentRegion?: string): {
+    allowed: boolean;
+    matchedRule?: DestinationRule;
+    reason?: string;
+};
+/**
+ * Create a custom whitelist configuration
+ */
+declare function createWhitelist(customRules: Partial<DestinationRule>[]): DestinationRule[];
+/**
+ * Validate whitelist configuration
+ */
+declare function validateWhitelist(rules: DestinationRule[]): {
+    valid: boolean;
+    errors: string[];
+};
+/**
+ * Add a destination to the whitelist
+ */
+declare function addToWhitelist(rules: DestinationRule[], newRule: DestinationRule): DestinationRule[];
+/**
+ * Remove a destination from the whitelist
+ */
+declare function removeFromWhitelist(rules: DestinationRule[], pattern: string | RegExp): DestinationRule[];
+/**
+ * Get whitelist statistics
+ */
+declare function getWhitelistStats(rules: DestinationRule[]): {
+    total: number;
+    byRegion: Record<string, number>;
+};
+/**
+ * Whitelist management API
+ */
+declare const whitelist: {
+    DEFAULT_ALLOWED_DESTINATIONS: DestinationRule[];
+    DEFAULT_BLOCKED_DESTINATIONS: string[];
+    checkDestinationAgainstRules: typeof checkDestinationAgainstRules;
+    createWhitelist: typeof createWhitelist;
+    validateWhitelist: typeof validateWhitelist;
+    addToWhitelist: typeof addToWhitelist;
+    removeFromWhitelist: typeof removeFromWhitelist;
+    getWhitelistStats: typeof getWhitelistStats;
+};
+
+/**
+ * Next.js middleware for data residency enforcement
+ * Blocks outgoing requests to non-EU destinations
+ */
+
+/**
+ * Default configuration
+ */
+declare const DEFAULT_CONFIG: {
+    defaultRegion: DataRegion;
+    allowedRegions: DataRegion[];
+    blockedDestinations: string[];
+    destinationRules: typeof whitelist.DEFAULT_ALLOWED_DESTINATIONS;
+    blockNonEuEgress: boolean;
+    supabaseRegion: string;
+    regionHeaders: string[];
+};
+/**
+ * Create a Next.js middleware for data residency
+ *
+ * @example
+ * // middleware.ts
+ * import { createDataResidencyMiddleware } from '@vocoweb/kernel/residency';
+ *
+ * export default createDataResidencyMiddleware({
+ *   blockNonEuEgress: true,
+ *   onBlocked: async (event) => {
+ *     console.log('Blocked egress:', event);
+ *   }
+ * });
+ */
+declare function createDataResidencyMiddleware(options?: MiddlewareOptions): (request: Request) => Promise<Response | undefined>;
+/**
+ * Analyze a request to determine if it's allowed
+ */
+declare function analyzeRequest(request: Request, currentRegion: DataRegion, config: typeof DEFAULT_CONFIG): RequestAnalysis;
+/**
+ * Validate a destination against the residency policy
+ *
+ * @example
+ * const result = isDestinationAllowed('https://api.example.com', 'eu');
+ * // Returns: { allowed: false, reason: '...' }
+ */
+declare function isDestinationAllowed(url: string, clientRegion?: DataRegion, config?: Partial<typeof DEFAULT_CONFIG>): Promise<{
+    allowed: boolean;
+    reason?: string;
+}>;
+/**
+ * Create a fetch wrapper that enforces data residency
+ *
+ * @example
+ * const safeFetch = createSafeFetch({ blockNonEuEgress: true });
+ * await safeFetch('https://api.example.com/data');
+ */
+declare function createSafeFetch(options?: MiddlewareOptions): (url: string | URL, init?: RequestInit) => Promise<Response>;
+/**
+ * Middleware and utilities API
+ */
+declare const middleware: {
+    create: typeof createDataResidencyMiddleware;
+    analyzeRequest: typeof analyzeRequest;
+    isDestinationAllowed: typeof isDestinationAllowed;
+    createSafeFetch: typeof createSafeFetch;
+};
+
+/**
+ * Module 3: Sovereignty Shield (Data Residency)
+ * Egress blocking for GDPR compliance
+ */
+
+/**
+ * Main data residency API
+ *
+ * @example
+ * import { residency } from '@vocoweb/kernel';
+ *
+ * // Check if a destination is allowed
+ * const result = await residency.isDestinationAllowed('https://api.example.com', 'eu');
+ *
+ * // Create a middleware
+ * const middleware = residency.createMiddleware({ blockNonEuEgress: true });
+ *
+ * // Create a safe fetch wrapper
+ * const safeFetch = residency.createSafeFetch();
+ */
+declare const residency: {
+    detectRegion: typeof detectRegion;
+    detectUrlRegion: typeof detectUrlRegion;
+    parseIpFromHeaders: typeof parseIpFromHeaders;
+    isDestinationAllowed: typeof isDestinationAllowed;
+    createMiddleware: typeof createDataResidencyMiddleware;
+    createSafeFetch: typeof createSafeFetch;
+};
+
+/**
+ * Audit Log Recorder
+ * Shadow recording for database mutations
+ */
+
+/**
+ * Configure audit recorder
+ *
+ * @example
+ * configureRecorder({
+ *   excludeTables: ['temp_tables'],
+ *   batchSize: 200
+ * });
+ */
+declare function configureRecorder(config: Partial<AuditRecorderConfig>): void;
+/**
+ * Record a database mutation
+ *
+ * @param tableName - Table being modified
+ * @param action - Type of action
+ * @param recordId - ID of the record
+ * @param oldValue - Old value (for UPDATE/DELETE)
+ * @param newValue - New value (for INSERT/UPDATE)
+ * @param userId - User making the change
+ * @param metadata - Additional metadata
+ *
+ * @example
+ * await recordMutation(
+ *   'users',
+ *   'UPDATE',
+ *   'user-123',
+ *   { name: 'Old Name' },
+ *   { name: 'New Name' },
+ *   'user-456'
+ * );
+ */
+declare function recordMutation(tableName: string, action: AuditAction, recordId: string, oldValue: Record<string, unknown> | null, newValue: Record<string, unknown> | null, userId: string, metadata?: Record<string, unknown>): Promise<void>;
+/**
+ * Flush pending records to database
+ */
+declare function flushRecords(): Promise<void>;
+/**
+ * Query audit logs
+ *
+ * @param filters - Query filters
+ * @returns Query result
+ *
+ * @example
+ * const result = await queryLogs({
+ *   userId: 'user-123',
+ *   action: 'UPDATE',
+ *   limit: 50
+ * });
+ */
+declare function queryLogs(filters?: AuditQueryFilters): Promise<{
+    logs: Array<{
+        id: string;
+        tableName: string;
+        recordId: string;
+        action: AuditAction;
+        oldValue: Record<string, unknown> | null;
+        newValue: Record<string, unknown> | null;
+        userId: string;
+        timestamp: Date;
+    }>;
+    total: number;
+    hasMore: boolean;
+}>;
+/**
+ * Export audit logs as CSV
+ *
+ * @param filters - Query filters
+ * @returns CSV string
+ *
+ * @example
+ * const csv = await exportAuditLogs({ userId: 'user-123' });
+ */
+declare function exportAuditLogs(filters?: AuditQueryFilters): Promise<string>;
+/**
+ * Get audit statistics for a user
+ *
+ * @param userId - User ID
+ * @returns Statistics
+ */
+declare function getAuditStats(userId: string): Promise<{
+    total: number;
+    byAction: Record<string, number>;
+    byTable: Record<string, number>;
+    lastActivity: Date | null;
+}>;
+/**
+ * Create database trigger for audit logging
+ *
+ * This generates the SQL for creating a PostgreSQL trigger
+ *
+ * @example
+ * const sql = createTriggerSQL('users', ['id', 'email', 'name']);
+ */
+declare function createTriggerSQL(tableName: string, _trackFields?: string[]): string;
+/**
+ * Create audit triggers for multiple tables
+ *
+ * @param tables - Tables to create triggers for
+ * @returns SQL for all triggers
+ */
+declare function createTriggersForTables(tables: string[]): string;
+/**
+ * Audit recorder API
+ */
+declare const recorder: {
+    configure: typeof configureRecorder;
+    recordMutation: typeof recordMutation;
+    flushRecords: typeof flushRecords;
+    queryLogs: typeof queryLogs;
+    exportAuditLogs: typeof exportAuditLogs;
+    getAuditStats: typeof getAuditStats;
+    createTriggerSQL: typeof createTriggerSQL;
+    createTriggersForTables: typeof createTriggersForTables;
+};
+
+/**
+ * Module 4: Audit Log (Enterprise)
+ * Shadow recording for database mutations
+ */
+
+/**
+ * Main audit API
+ *
+ * @example
+ * import { audit } from '@vocoweb/kernel';
+ *
+ * // Record a mutation
+ * await audit.recordMutation(
+ *   'users',
+ *   'UPDATE',
+ *   'user-123',
+ *   { name: 'Old Name' },
+ *   { name: 'New Name' },
+ *   'user-456'
+ * );
+ *
+ * // Query logs
+ * const result = await audit.queryLogs({ userId: 'user-123' });
+ *
+ * // Export logs
+ * const csv = await audit.exportAuditLogs({ userId: 'user-123' });
+ */
+declare const audit: {
+    configure: typeof configureRecorder;
+    recordMutation: typeof recordMutation;
+    flushRecords: typeof flushRecords;
+    queryLogs: typeof queryLogs;
+    getAuditStats: typeof getAuditStats;
+    exportAuditLogs: typeof exportAuditLogs;
+    createTriggerSQL: typeof createTriggerSQL;
+    createTriggersForTables: typeof createTriggersForTables;
+};
+
+/**
+ * @vocoweb/kernel
+ *
+ * Production-ready authentication, payments, and compliance kernel for B2B SaaS.
+ *
+ * @example
+ * ```ts
+ * import { auth, billing, legal, privacy } from '@vocoweb/kernel';
+ * ```
+ */
+
+declare const VERSION = "1.0.0";
+
+export { type AccessibilityConfig, AccessibilityViolation, type AppConfig, AriaValidationResult, AuditAction, AuditQueryFilters, AuditRecorderConfig, type AuthRequest, type AuthStateChangeCallback, type AuthSubscription, BillingClient, type CheckoutOptions, type CheckoutResult, ClientType, ComplianceLevel, type ComplianceMap, type ComplianceMapConfig, ContrastResult, type Customer, DEFAULT_ALLOWED_DESTINATIONS, DEFAULT_BLOCKED_DESTINATIONS, type DataExportRecord, DataRegion, type DataResidencyConfig, type DeletionResult, type DeletionStatusDetails, type DeletionTracker, type DependencyAction, type DestinationRule, EU_COUNTRY_CODES, type EgressBlockEvent, type ExternalApiCall, type ExternalApiConfig, type Invoice, type InvoiceStatus, type IpGeolocation, type KernelConfig, KeyboardNavigationResult, type MiddlewareOptions, type OAuthOptions, type OAuthProvider, type PaymentMethodType, type PortalOptions, type Price, type Product, type RequestAnalysis, type ResetPasswordOptions, type ResidencyConfig, SUPABASE_EU_REGIONS, type ScheduledDeletion, type SignInWithPasswordOptions, type SignUpOptions, type StripeConfig, type Subscription, type SubscriptionStatus, type SupabaseConfig, type TaxCalculation, type UpdateSubscriptionOptions, type UpdateUserOptions, type UserRole, type UserWithRole, VERSION, type VatInfo, type VerifiedUser, VocoAccessibilityError, VocoAuthClient, VocoAuthError, VocoBillingError, VocoComplianceError, VocoConfigError, VocoError, VocoNetworkError, VocoValidationError, type WebhookEvent, type WebhookEventHandler, WebhookEvents, accessibility, addToWhitelist, analyzeRequest, audit, auditColorScheme, auth, billing, calculateTax, camelToKebab, cancelScheduledDeletion, capitalize, checkColorContrast, checkDeletionStatus, checkDestinationAgainstRules, checkRequiredEnvVars, checkout$1 as checkout, chunk, clamp, clearVatCache, clientAuth, cn, config, configureRecorder, createCheckoutSession, createDataResidencyMiddleware, createDeferred, createExportFilename, createInvoice, createMiddleware, createPortalSession, createSafeFetch, createTriggerSQL, createTriggersForTables, createWhitelist, dataExport, debounce, decodeToken, deepClone, deleteUser, detectRegion, detectRegionFromHeaders, detectUrlRegion, detector, exportAuditLogs, exportUserData as exportUser, exportUserData, exportUserDataAsJson, expressWebhookHandler, filterDefined, flushRecords, formatApiError, formatCurrency, formatDate, formatList, formatRelativeTime, generateId, getAccessToken, getAccessibilityConfig, getAppConfig, getAuditStats, getBrowserClient, getCheckoutSession, getClient, getConfig, getEnv, getErrorMessage, getInitials, getInvoice, getInvoiceLines, getInvoices, getIpGeolocation, getProduct, getResidencyConfig, getServerClient, getServiceRoleClient, getSession, getStandardVatRate, getStripeConfig, getSuggestedColorPairings, getSupabaseConfig, getUpcomingInvoice, getUser, getUserById, getUserExport, getUserInvoices, getWhitelistStats, groupBy, handleWebhook, handleWebhookRequest, hasPendingExports, hasRole, invoices$1 as invoices, isAuthenticated, isBrowser, isClientInitialized, isDefined, isDestinationAllowed, isEuCountry, isPrivateIp, isServer, isValidEmail, isValidVatFormat, isVocoError, kebabToCamel, legal, exportUserData as legalExportUserData, listProducts, loadConfigFromEnv, loginWithGitHub, loginWithGoogle, loginWithOAuth, logout, middleware, obliterate, obliterateUserData, offWebhookEvent, onAuthStateChange, onWebhookEvent, parseIpFromHeaders, parseVatNumber, payInvoice, pluralize, privacy, processPendingExports, processScheduledDeletions, queryLogs, quickVatCheck, recordMutation, recorder, refreshSession, removeFromWhitelist, requestDataExport, requireRole, requireUser, resetClients, resetConfig, resetPassword, residency, retry, roundTo, safeJsonParse, scheduleDeletion, sendInvoice, serverAuth, setConfig, shouldApplyReverseCharge, loginWithOAuth as signInWithOAuth, signInWithPassword, signUp, sleep, testKeyboardNavigation, throttle, throwContrastError, truncate, updateUser, updateUserRole, validateAriaLabel, validateConfig, validateEnvironment, validateFocusIndicator, validateInteractiveElements, validateVat, validateWhitelist, validators, vat$1 as vat, verifySession, verifyToken, verifyWebhook, voidInvoice, webhook$1 as webhook, whitelist, withTimeout };