aaspai-authx 0.0.1

package/dist/express/index.cjs

@@ -0,0 +1,1699 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/express/index.ts
+var express_exports = {};
+__export(express_exports, {
+  createAdminRouter: () => createAdminRouter,
+  createAuthRouter: () => createAuthRouter,
+  createDashboardRouter: () => createDashboardRouter,
+  createEmailRouter: () => createEmailRouter,
+  createProjectsRouter: () => createProjectsRouter
+});
+module.exports = __toCommonJS(express_exports);
+
+// src/express/auth.routes.ts
+var import_bcryptjs = __toESM(require("bcryptjs"), 1);
+var import_crypto = require("crypto");
+var import_express = __toESM(require("express"), 1);
+var import_jsonwebtoken4 = __toESM(require("jsonwebtoken"), 1);
+
+// src/config/loadConfig.ts
+function loadConfig() {
+  return {
+    orgDomain: process.env.ORG_DOMAIN,
+    orgId: process.env.ORG_ID,
+    email: {
+      host: process.env.EMAIL_HOST || "smtp.postmarkapp.com",
+      port: process.env.EMAIL_PORT ? Number(process.env.EMAIL_PORT) : 587,
+      secure: (process.env.EMAIL_SECURE || "false") === "true",
+      user: process.env.EMAIL_USER,
+      pass: process.env.EMAIL_PASSWORD,
+      from: process.env.EMAIL_FROM,
+      jwtSecret: process.env.EMAIL_JWT_SECRET
+    },
+    cookies: {
+      domain: process.env.COOKIE_DOMAIN,
+      secure: (process.env.COOKIE_SECURE || "true") === "true",
+      accessTtlMs: 24 * 60 * 60 * 1e3,
+      refreshTtlMs: 7 * 24 * 60 * 60 * 1e3
+    },
+    oidc: {
+      jwtSecret: process.env.JWT_SECRET
+    },
+    aws: {
+      bucket: process.env.AWS_S3_BUCKET,
+      region: process.env.AWS_REGION,
+      accessKeyId: process.env.AWS_ACCESS_KEY_ID,
+      secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY
+    }
+  };
+}
+
+// src/config/index.ts
+var config = loadConfig();
+function configureAuthX(overrides = {}) {
+  return deepMerge(config, overrides);
+}
+function deepMerge(target, source) {
+  if (!source) {
+    return target;
+  }
+  for (const key of Object.keys(source)) {
+    const value = source[key];
+    if (value === void 0) continue;
+    if (Array.isArray(value)) {
+      target[key] = [...value];
+      continue;
+    }
+    if (isPlainObject(value)) {
+      if (!isPlainObject(target[key])) {
+        target[key] = {};
+      }
+      deepMerge(target[key], value);
+      continue;
+    }
+    target[key] = value;
+  }
+  return target;
+}
+function isPlainObject(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+
+// src/core/roles.config.ts
+var PLATFORM_ROLES = [
+  {
+    role: "platform_admin",
+    permissions: [
+      "projects.create",
+      "projects.read",
+      "projects.update",
+      "projects.delete",
+      "users.manage",
+      "api.manage"
+    ]
+  },
+  {
+    role: "platform_manager",
+    permissions: [
+      "projects.read",
+      "projects.update",
+      "users.read"
+    ]
+  },
+  {
+    role: "platform_user",
+    permissions: ["projects.read"]
+  }
+];
+function getPermissionsForRoles(roles) {
+  if (!Array.isArray(roles) || roles.length === 0) {
+    return [];
+  }
+  const permissionSet = /* @__PURE__ */ new Set();
+  for (const roleName of roles) {
+    const roleConfig = PLATFORM_ROLES.find((r) => r.role === roleName);
+    if (roleConfig && Array.isArray(roleConfig.permissions)) {
+      for (const perm of roleConfig.permissions) {
+        permissionSet.add(perm);
+      }
+    }
+  }
+  return Array.from(permissionSet);
+}
+
+// src/core/session.ts
+function buildSession(payload) {
+  const userId = payload?.sub || payload?.userId || payload?.id || "";
+  const email = payload?.email || payload?.email_address || "";
+  const roles = payload?.realm_access?.roles || payload?.roles || payload?.["cognito:groups"] || (Array.isArray(payload?.role) ? payload.role : []) || [];
+  const normalizedRoles = Array.isArray(roles) ? roles.map(String).filter(Boolean) : [];
+  const permissions = getPermissionsForRoles(normalizedRoles);
+  const session = {
+    userId,
+    email,
+    roles: normalizedRoles,
+    permissions
+  };
+  if (payload?.projectId) session.projectId = payload.projectId;
+  if (payload?.orgId) session.orgId = payload.orgId;
+  if (payload?.org_id) session.org_id = payload.org_id;
+  if (payload?.authType) session.authType = payload.authType;
+  Object.keys(payload || {}).forEach((key) => {
+    if (![
+      "sub",
+      "userId",
+      "id",
+      "email",
+      "email_address",
+      "realm_access",
+      "roles",
+      "cognito:groups",
+      "role",
+      "projectId",
+      "orgId",
+      "org_id",
+      "authType"
+    ].includes(key)) {
+      session[key] = payload[key];
+    }
+  });
+  return session;
+}
+
+// src/models/user.model.ts
+var import_mongoose = __toESM(require("mongoose"), 1);
+var import_uuid = require("uuid");
+var MetadataSchema = new import_mongoose.default.Schema(
+  {
+    key: { type: String, required: true },
+    value: { type: import_mongoose.default.Schema.Types.Mixed, required: true }
+  },
+  { _id: false }
+);
+var OrgUserSchema = new import_mongoose.default.Schema(
+  {
+    id: { type: String, default: (0, import_uuid.v4)(), index: true },
+    email: { type: String, required: true, unique: true },
+    firstName: { type: String, required: true },
+    lastName: { type: String, required: true },
+    orgId: { type: String },
+    projectId: { type: String, required: true },
+    roles: { type: [String], default: [] },
+    emailVerified: { type: Boolean, default: false },
+    lastEmailSent: { type: [Date], default: [] },
+    lastPasswordReset: { type: Date },
+    metadata: { type: [MetadataSchema], default: [] },
+    passwordHash: { type: String }
+  },
+  { timestamps: true, collection: "users" }
+);
+var OrgUser = import_mongoose.default.model("OrgUser", OrgUserSchema);
+
+// src/utils/extract.ts
+var import_cookie = require("cookie");
+function extractToken(req, opts) {
+  const headerNames = opts?.headerNames ?? ["authorization", "token"];
+  const cookieNames = opts?.cookieNames ?? ["access_token", "authorization"];
+  const queryNames = opts?.queryNames ?? ["access_token", "token"];
+  for (const h of headerNames) {
+    const raw = req.headers[h];
+    if (raw) {
+      const lower = raw.toLowerCase();
+      if (lower.startsWith("bearer ")) return raw.slice(7).trim();
+      if (!raw.includes(" ")) return raw.trim();
+    }
+  }
+  const ch = req.headers["cookie"];
+  if (typeof ch === "string") {
+    const parsed = (0, import_cookie.parse)(ch);
+    for (const c of cookieNames) if (parsed[c]) return parsed[c];
+  }
+  for (const q of queryNames) {
+    const v = req.query?.[q];
+    if (typeof v === "string" && v) return v;
+  }
+  return null;
+}
+function readProjectId(req) {
+  const ch = req.headers["cookie"];
+  if (typeof ch === "string") {
+    try {
+      const parsed = (0, import_cookie.parse)(ch);
+      return parsed["projectId"] || null;
+    } catch {
+    }
+  }
+  return null;
+}
+
+// src/utils/jwt.ts
+var import_jsonwebtoken = __toESM(require("jsonwebtoken"), 1);
+function verifyJwt(token) {
+  return new Promise((resolve, reject) => {
+    import_jsonwebtoken.default.verify(
+      token,
+      process.env.JWT_SECRET,
+      // This is your shared secret (string)
+      {
+        algorithms: ["HS256"],
+        // Only allow HS256
+        complete: false
+        // We only want payload
+      },
+      (err, decoded) => {
+        if (err) {
+          reject(err);
+        } else {
+          resolve(decoded);
+        }
+      }
+    );
+  });
+}
+
+// src/middlewares/auth.middleware.ts
+function requireAuth() {
+  return async (req, res, next) => {
+    try {
+      const apiKey = req.headers["x-api-key"] || req.headers["x-apikey"];
+      const userId = req.headers["x-user-id"] || req.headers["x-userId"];
+      if (apiKey) {
+        if (apiKey !== process.env.SERVER_API_KEY) {
+          return res.status(401).json({ error: "Invalid API key" });
+        }
+        if (!userId) {
+          return res.status(401).json({ error: "User Id is Required" });
+        }
+        const user = await OrgUser.findOne({ id: userId }).lean();
+        if (!user) {
+          return res.status(401).json({ error: "User not found" });
+        }
+        const session2 = buildSession({
+          sub: user.id.toString(),
+          email: user.email,
+          roles: user.roles || []
+        });
+        session2.authType = "api-key";
+        session2.projectId = readProjectId(req) || user.projectId || void 0;
+        req.user = session2;
+        return next();
+      }
+      const token = extractToken(req);
+      if (!token) {
+        return res.status(401).json({ error: "Missing token" });
+      }
+      const claims = await verifyJwt(token);
+      const session = buildSession(claims);
+      const pid = readProjectId(req);
+      if (pid) session.projectId = pid;
+      req.user = session;
+      next();
+    } catch (e) {
+      res.status(401).json({ error: e?.message || "Unauthorized" });
+    }
+  };
+}
+
+// src/middlewares/validators.ts
+function isEmail(v) {
+  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v);
+}
+function isPasswordStrong(v) {
+  return typeof v === "string" && v.length >= 6 && /[A-Z]/.test(v) && /[^a-zA-Z0-9]/.test(v);
+}
+function validateSignup(req, res, next) {
+  const { firstName, lastName, email, password, projectId, metadata } = req.body || {};
+  if (!firstName || !lastName)
+    return res.status(400).json({ error: "firstName,lastName required" });
+  if (!isEmail(email)) return res.status(400).json({ error: "invalid email" });
+  if (!isPasswordStrong(password))
+    return res.status(400).json({ error: "weak password" });
+  if (!projectId) return res.status(400).json({ error: "projectId required" });
+  if (!Array.isArray(metadata))
+    return res.status(400).json({ error: "metadata must be array" });
+  next();
+}
+function validateLogin(req, res, next) {
+  const { email, password } = req.body || {};
+  if (!isEmail(email)) return res.status(400).json({ error: "invalid email" });
+  if (typeof password !== "string")
+    return res.status(400).json({ error: "password required" });
+  next();
+}
+function validateResetPassword(req, res, next) {
+  const { token, newPassword } = req.body || {};
+  if (!token) return res.status(400).json({ error: "token required" });
+  if (!isPasswordStrong(newPassword))
+    return res.status(400).json({ error: "weak password" });
+  next();
+}
+function validateResendEmail(req, res, next) {
+  const { email } = req.body || {};
+  if (!isEmail(email)) return res.status(400).json({ error: "invalid email" });
+  next();
+}
+function validateSendInvite(req, res, next) {
+  const { email, role } = req.body || {};
+  if (!isEmail(email)) return res.status(400).json({ error: "invalid email" });
+  if (!["platform_user", "org_admin"].includes(role))
+    return res.status(400).json({ error: "invalid role" });
+  next();
+}
+
+// src/models/invite.model.ts
+var import_mongoose2 = __toESM(require("mongoose"), 1);
+var InviteSchema = new import_mongoose2.default.Schema(
+  {
+    id: { type: String, required: true, index: true },
+    email: { type: String, required: true },
+    role: {
+      type: String,
+      enum: ["platform_user", "org_admin"],
+      required: true
+    },
+    invitedBy: { type: String },
+    usedBy: { type: String },
+    isUsed: { type: Boolean, default: false },
+    usedAt: { type: Date },
+    expiresAt: { type: Date },
+    isExpired: { type: Boolean, default: false }
+  },
+  { timestamps: true, collection: "invites" }
+);
+var Invite = import_mongoose2.default.model("Invite", InviteSchema);
+
+// src/services/auth-admin.service.ts
+var import_bcrypt = __toESM(require("bcrypt"), 1);
+var import_jsonwebtoken2 = __toESM(require("jsonwebtoken"), 1);
+
+// src/models/client.model.ts
+var import_mongoose3 = __toESM(require("mongoose"), 1);
+var ClientSchema = new import_mongoose3.Schema(
+  {
+    clientId: {
+      type: String,
+      required: true,
+      unique: true,
+      index: true
+    },
+    redirectUris: {
+      type: [String],
+      default: []
+    },
+    publicClient: {
+      type: Boolean,
+      default: false
+    },
+    // Optional: if you want confidential clients
+    secret: {
+      type: String,
+      required: function() {
+        return !this.publicClient;
+      }
+    }
+  },
+  {
+    timestamps: true
+  }
+);
+var ClientModel = import_mongoose3.default.models.Client || import_mongoose3.default.model("Client", ClientSchema);
+
+// src/models/rolePermission.model.ts
+var import_mongoose4 = __toESM(require("mongoose"), 1);
+var RolePermissionSchema = new import_mongoose4.Schema(
+  {
+    orgId: { type: String, default: null, index: true },
+    role: { type: String, required: true },
+    permissions: { type: [String], default: [] }
+  },
+  {
+    timestamps: true
+  }
+);
+RolePermissionSchema.index({ orgId: 1, role: 1 }, { unique: true });
+var RolePermissionModel = import_mongoose4.default.model(
+  "RolePermission",
+  RolePermissionSchema,
+  "role_permissions"
+);
+
+// src/services/auth-admin.service.ts
+var AuthAdminService = class {
+  token;
+  async getAdminToken() {
+    return this.ensureAdminToken();
+  }
+  // -------------------------------------------------------------------
+  // CLIENTS
+  // -------------------------------------------------------------------
+  async createClient(clientId, redirectUris = [], publicClient = false) {
+    const client = await ClientModel.create({
+      clientId,
+      redirectUris,
+      publicClient
+    });
+    return client;
+  }
+  async updateClient(id, patch) {
+    await ClientModel.findByIdAndUpdate(id, patch);
+  }
+  // -------------------------------------------------------------------
+  // USERS
+  // -------------------------------------------------------------------
+  async listUsersInRealm(_realm, filter) {
+    return OrgUser.find(filter || {});
+  }
+  async getUserById(userId) {
+    return OrgUser.findOne({ id: userId });
+  }
+  async isUserEmailVerified(userId) {
+    const user = await OrgUser.findOne({ id: userId });
+    return user?.emailVerified;
+  }
+  async createUserInRealm(payload) {
+    const hashedPassword = payload.credentials?.[0]?.value ? await import_bcrypt.default.hash(payload.credentials[0].value, 10) : void 0;
+    const user = await OrgUser.create({
+      username: payload.username,
+      email: payload.email,
+      firstName: payload.firstName,
+      lastName: payload.lastName,
+      projectId: payload.projectId,
+      emailVerified: payload.emailVerified || false,
+      passwordHash: hashedPassword,
+      enabled: true
+    });
+    return user;
+  }
+  async assignRealmRole(userId, roleName) {
+    const role = await RolePermissionModel.findOne({ name: roleName });
+    if (!role) throw new Error(`Role not found: ${roleName}`);
+    await OrgUser.findOneAndUpdate(
+      { id: userId },
+      {
+        $addToSet: { roles: role._id }
+      }
+    );
+  }
+  async updateUserEmailVerified(userId, emailVerified) {
+    await OrgUser.findOneAndUpdate({ id: userId }, { emailVerified });
+  }
+  async updateUserPassword(userId, newPassword) {
+    const hashed = await import_bcrypt.default.hash(newPassword, 10);
+    await OrgUser.findOneAndUpdate({ id: userId }, { password: hashed });
+  }
+  // -------------------------------------------------------------------
+  // ADMIN TOKEN (self-issued JWT)
+  // -------------------------------------------------------------------
+  async ensureAdminToken() {
+    const now = Math.floor(Date.now() / 1e3);
+    if (this.token && this.token.exp - 30 > now) {
+      return this.token.accessToken;
+    }
+    const payload = {
+      type: "admin",
+      system: true
+    };
+    const accessToken = import_jsonwebtoken2.default.sign(payload, process.env.JWT_SECRET, {
+      expiresIn: "1h"
+    });
+    this.token = {
+      accessToken,
+      exp: now + 3600
+    };
+    return this.token.accessToken;
+  }
+};
+
+// src/services/email.service.ts
+var import_jsonwebtoken3 = __toESM(require("jsonwebtoken"), 1);
+var import_nodemailer = __toESM(require("nodemailer"), 1);
+var EmailService = class {
+  transporter;
+  MAX_EMAILS = 5;
+  WINDOW_MINUTES = 15;
+  BLOCK_HOURS = 1;
+  constructor() {
+    this.transporter = import_nodemailer.default.createTransport({
+      host: process.env.EMAIL_HOST || "smtp.postmarkapp.com",
+      port: process.env.EMAIL_PORT ? Number(process.env.EMAIL_PORT) : 587,
+      secure: (process.env.EMAIL_SECURE || "false") === "true",
+      auth: { user: process.env.EMAIL_USER, pass: process.env.EMAIL_PASSWORD }
+    });
+  }
+  sign(payload, ttlSec = 60 * 60 * 24) {
+    return import_jsonwebtoken3.default.sign(payload, process.env.EMAIL_JWT_SECRET, { expiresIn: ttlSec });
+  }
+  verify(token) {
+    return import_jsonwebtoken3.default.verify(token, process.env.EMAIL_JWT_SECRET);
+  }
+  async send(to, subject, html) {
+    await this.transporter.sendMail({
+      from: process.env.EMAIL_FROM,
+      to,
+      subject,
+      html
+    });
+  }
+  canSend(lastEmailSent) {
+    const now = Date.now();
+    const windowStart = now - this.WINDOW_MINUTES * 60 * 1e3;
+    const emailsInWindow = (lastEmailSent || []).map((d) => new Date(d)).filter((d) => d.getTime() >= windowStart);
+    if (emailsInWindow.length >= this.MAX_EMAILS)
+      return {
+        ok: false,
+        reason: "RATE_LIMIT",
+        waitMs: this.BLOCK_HOURS * 60 * 60 * 1e3
+      };
+    return { ok: true };
+  }
+};
+
+// src/utils/cookie.ts
+function cookieOpts(isRefresh = false) {
+  const maxAge = isRefresh ? config.cookies.refreshTtlMs : config.cookies.accessTtlMs;
+  const secure = process.env.NODE_ENV === "production" ? process.env.COOKIE_SECURE ?? true : false;
+  return {
+    httpOnly: true,
+    secure,
+    sameSite: "none",
+    domain: process.env.COOKIE_DOMAIN,
+    maxAge
+  };
+}
+function clearOpts() {
+  const secure = process.env.NODE_ENV === "production" ? process.env.COOKIE_SECURE ?? true : false;
+  return {
+    domain: process.env.COOKIE_DOMAIN,
+    sameSite: "none",
+    secure
+  };
+}
+
+// src/express/auth.routes.ts
+function createAuthRouter(options = {}) {
+  if (options.config) {
+    configureAuthX(options.config);
+  }
+  const r = (0, import_express.Router)();
+  const email = new EmailService();
+  const authAdmin = new AuthAdminService();
+  r.use(import_express.default.json());
+  r.use(import_express.default.urlencoded({ extended: true }));
+  r.get(
+    "/healthz",
+    (_req, res) => res.json({ status: "ok", server: "org-server" })
+  );
+  r.post("/login", validateLogin, async (req, res) => {
+    const { email: emailAddress, password } = req.body || {};
+    try {
+      const user = await OrgUser.findOne({ email: emailAddress }).select("+password").lean();
+      if (!user) {
+        return res.status(400).json({
+          error: "Invalid email or password",
+          code: "INVALID_CREDENTIALS"
+        });
+      }
+      if (!user.emailVerified) {
+        return res.status(400).json({
+          error: "Please verify your email before logging in.",
+          code: "EMAIL_NOT_VERIFIED"
+        });
+      }
+      const isPasswordValid = user.passwordHash ? await import_bcryptjs.default.compare(password, user.passwordHash) : false;
+      if (!isPasswordValid) {
+        return res.status(400).json({
+          error: "Invalid email or password",
+          code: "INVALID_CREDENTIALS"
+        });
+      }
+      const tokens = generateTokens(user);
+      setAuthCookies(res, tokens);
+      if (user.projectId) {
+        res.cookie(options.projectCookieName || "projectId", user.projectId, {
+          ...cookieOpts(false),
+          httpOnly: true
+        });
+      }
+      return res.json({
+        message: "Login successful",
+        user: toUserResponse(user)
+      });
+    } catch (err) {
+      console.error("Login error:", err);
+      return res.status(500).json({ error: "Internal server error" });
+    }
+  });
+  r.post("/signup", validateSignup, async (req, res) => {
+    const {
+      firstName,
+      lastName,
+      email: emailAddress,
+      password,
+      projectId,
+      metadata
+    } = req.body || {};
+    try {
+      const kcUser = await authAdmin.createUserInRealm({
+        username: emailAddress,
+        email: emailAddress,
+        firstName,
+        lastName,
+        projectId,
+        credentials: [{ type: "password", value: password, temporary: false }]
+      });
+      await authAdmin.assignRealmRole(kcUser.id, "platform_user");
+      const user = await OrgUser.findOneAndUpdate(
+        { email: kcUser.email },
+        {
+          id: kcUser.id,
+          email: kcUser.email,
+          firstName,
+          lastName,
+          projectId,
+          metadata,
+          roles: ["platform_user"],
+          emailVerified: false
+        },
+        { upsert: true, new: true, setDefaultsOnInsert: true }
+      );
+      const emailResult = await sendRateLimitedEmail({
+        emailService: email,
+        user,
+        subject: "Verify your email",
+        html: buildVerificationTemplate(
+          email.sign({ userId: kcUser.id, email: kcUser.email }),
+          options
+        )
+      });
+      if (emailResult.rateLimited) {
+        return res.status(429).json({
+          ok: false,
+          error: "Too many verification emails sent. Please try again later.",
+          waitMs: emailResult.waitMs
+        });
+      }
+      return res.json({
+        id: user.id,
+        email: user.email,
+        message: "Verification email sent. Please check your inbox."
+      });
+    } catch (err) {
+      return respondWithKeycloakError(res, err, "Signup failed");
+    }
+  });
+  r.get("/me", requireAuth(), (req, res) => {
+    return res.json(req.user || null);
+  });
+  r.post("/logout", async (_req, res) => {
+    res.clearCookie("access_token", clearOpts());
+    res.clearCookie("refresh_token", clearOpts());
+    res.json({ ok: true });
+  });
+  r.put("/:userId/metadata", requireAuth(), async (req, res) => {
+    const { userId } = req.params;
+    const { metadata } = req.body || {};
+    const user = await OrgUser.findOne({ id: userId });
+    if (!user)
+      return res.status(404).json({ ok: false, error: "User not found" });
+    const map = new Map(
+      (user.metadata || []).map((m) => [m.key, m.value])
+    );
+    for (const item of metadata || []) map.set(item.key, item.value);
+    user.metadata = Array.from(map.entries()).map(([key, value]) => ({
+      key,
+      value
+    }));
+    await user.save();
+    res.json({ ok: true, metadata: user.metadata });
+  });
+  r.get("/verify-email", async (req, res) => {
+    const token = String(req.query.token || "");
+    if (!token) {
+      return res.status(400).json({ error: "Verification token is required" });
+    }
+    try {
+      const payload = email.verify(token);
+      await authAdmin.updateUserEmailVerified(payload.userId, true);
+      await OrgUser.updateOne(
+        { id: payload.userId },
+        { $set: { emailVerified: true } }
+      );
+      res.json({ ok: true, message: "Email verified" });
+    } catch (err) {
+      res.status(400).json({ ok: false, error: err?.message || "Invalid token" });
+    }
+  });
+  r.post(
+    "/resend-verification-email",
+    validateResendEmail,
+    async (req, res) => {
+      const user = await OrgUser.findOne({ email: req.body.email });
+      if (!user)
+        return res.status(404).json({ ok: false, error: "User not found" });
+      const verified = await authAdmin.isUserEmailVerified(user.id);
+      if (verified) {
+        return res.status(400).json({ ok: false, error: "Email is already verified" });
+      }
+      const token = email.sign({
+        email: user.email,
+        userId: user.id
+      });
+      const resendResult = await sendRateLimitedEmail({
+        emailService: email,
+        user,
+        subject: "Verify your email",
+        html: buildVerificationTemplate(token, options)
+      });
+      if (resendResult.rateLimited) {
+        return res.status(429).json({
+          ok: false,
+          error: "Too many verification emails sent. Please try again later.",
+          waitMs: resendResult.waitMs
+        });
+      }
+      res.json({ ok: true });
+    }
+  );
+  r.post("/forgot-password", validateResendEmail, async (req, res) => {
+    const user = await OrgUser.findOne({ email: req.body.email });
+    if (!user)
+      return res.status(404).json({ ok: false, error: "User not found" });
+    const resetToken = email.sign(
+      {
+        userId: user.id,
+        email: user.email,
+        firstName: user.firstName,
+        lastName: user.lastName
+      },
+      60 * 60
+    );
+    const resetResult = await sendRateLimitedEmail({
+      emailService: email,
+      user,
+      subject: "Reset password",
+      html: buildResetTemplate(resetToken, options)
+    });
+    if (resetResult.rateLimited) {
+      return res.status(429).json({
+        ok: false,
+        error: "Please wait before requesting another password reset email.",
+        waitMs: resetResult.waitMs
+      });
+    }
+    res.json({ ok: true, message: "Password reset email sent" });
+  });
+  r.post("/reset-password", validateResetPassword, async (req, res) => {
+    const { token, newPassword } = req.body || {};
+    try {
+      const payload = email.verify(token);
+      const user = await OrgUser.findOne({ keycloakId: payload.userId });
+      if (!user) {
+        return res.status(404).json({ ok: false, error: "User not found" });
+      }
+      if (user.lastPasswordReset && payload.iat * 1e3 < user.lastPasswordReset.getTime()) {
+        return res.status(400).json({
+          ok: false,
+          error: "This reset link has already been used. Please request a new one."
+        });
+      }
+      await authAdmin.updateUserPassword(payload.userId, newPassword);
+      user.lastPasswordReset = /* @__PURE__ */ new Date();
+      await user.save();
+      res.json({ ok: true, message: "Password updated successfully" });
+    } catch (err) {
+      res.status(400).json({ ok: false, error: err?.message || "Invalid or expired token" });
+    }
+  });
+  r.post(
+    "/send-invite",
+    requireAuth(),
+    validateSendInvite,
+    async (req, res) => {
+      const { email: emailAddress, role } = req.body || {};
+      const existingUser = await OrgUser.findOne({ email: emailAddress });
+      if (existingUser) {
+        return res.status(400).json({ ok: false, error: "User with this email already exists" });
+      }
+      const existingInvite = await Invite.findOne({
+        email: emailAddress,
+        isUsed: false,
+        isExpired: false
+      });
+      if (existingInvite) {
+        return res.status(400).json({
+          ok: false,
+          error: "An active invite already exists for this email"
+        });
+      }
+      const token = email.sign({
+        email: emailAddress,
+        role,
+        inviteId: (0, import_crypto.randomUUID)()
+      });
+      const invite = await Invite.create({
+        id: token,
+        email: emailAddress,
+        role,
+        invitedBy: req.user?.sub,
+        isUsed: false,
+        expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1e3)
+      });
+      await email.send(
+        emailAddress,
+        "You are invited",
+        `<a href="${getFrontendBaseUrl(options)}/auth/accept-invite?token=${token}">Accept</a>`
+      );
+      res.json({
+        ok: true,
+        inviteId: invite.id,
+        email: invite.email,
+        role: invite.role,
+        expiresAt: invite.expiresAt
+      });
+    }
+  );
+  r.get("/accept-invite", async (req, res) => {
+    const inv = await Invite.findOne({ id: String(req.query.token) });
+    res.json({ ok: !!inv && !inv.isUsed && !inv.isExpired });
+  });
+  r.post("/accept-invite", async (req, res) => {
+    const { token, firstName, lastName, password, projectId } = req.body || {};
+    if (!token || !firstName || !lastName || !isPasswordStrong(password || "")) {
+      return res.status(400).json({ ok: false, error: "Invalid payload" });
+    }
+    const invite = await Invite.findOne({
+      id: token,
+      isUsed: false,
+      isExpired: false
+    });
+    if (!invite) {
+      return res.status(400).json({ ok: false, error: "Invitation not found or already used" });
+    }
+    if (invite.expiresAt && invite.expiresAt.getTime() < Date.now()) {
+      invite.isExpired = true;
+      await invite.save();
+      return res.status(400).json({ ok: false, error: "Invitation has expired" });
+    }
+    try {
+      const kcUser = await authAdmin.createUserInRealm({
+        username: invite.email,
+        email: invite.email,
+        firstName,
+        lastName,
+        projectId,
+        emailVerified: true,
+        credentials: [{ type: "password", value: password, temporary: false }]
+      });
+      await authAdmin.assignRealmRole(kcUser.id, invite.role);
+      await OrgUser.findOneAndUpdate(
+        { email: invite.email },
+        {
+          id: kcUser.id,
+          email: invite.email,
+          firstName,
+          lastName,
+          roles: [invite.role],
+          emailVerified: true
+        },
+        { upsert: true, new: true, setDefaultsOnInsert: true }
+      );
+      invite.isUsed = true;
+      invite.usedAt = /* @__PURE__ */ new Date();
+      invite.usedBy = kcUser.id;
+      await invite.save();
+      res.json({
+        ok: true,
+        message: "Account created successfully.",
+        email: invite.email
+      });
+    } catch (err) {
+      res.status(400).json({
+        ok: false,
+        error: err?.response?.data?.error_description || err?.message || "Failed to create account"
+      });
+    }
+  });
+  r.get("/invites", requireAuth(), async (_req, res) => {
+    const invites = await Invite.find().sort({ createdAt: -1 }).lean();
+    res.json(invites);
+  });
+  r.delete("/invites/:inviteId", requireAuth(), async (req, res) => {
+    await Invite.deleteOne({ id: req.params.inviteId });
+    res.json({ ok: true });
+  });
+  r.get("/get-user-by-email", async (req, res) => {
+    const user = await OrgUser.findOne({ email: req.query.email }).lean();
+    res.json(user || null);
+  });
+  r.get("/google", async (_req, res) => {
+    res.json({ url: "/auth/google/callback?code=demo" });
+  });
+  r.get("/google/callback", async (_req, res) => {
+    res.cookie(
+      "access_token",
+      "ACCESS.TOKEN.PLACEHOLDER",
+      cookieOpts(false)
+    );
+    res.redirect("/");
+  });
+  r.get("/get-users", async (req, res) => {
+    const user = await OrgUser.find({ projectId: req.query.projectId }).lean();
+    res.json(user || null);
+  });
+  return r;
+}
+function setAuthCookies(res, tokens) {
+  if (tokens?.access_token) {
+    res.cookie("access_token", tokens.access_token, {
+      httpOnly: true,
+      secure: false,
+      sameSite: "lax",
+      maxAge: 24 * 60 * 60 * 1e3,
+      // 24 hours
+      path: "/"
+    });
+  }
+  if (tokens?.refresh_token) {
+    res.cookie("refresh_token", tokens.refresh_token, {
+      httpOnly: true,
+      secure: false,
+      sameSite: "lax",
+      maxAge: 24 * 60 * 60 * 1e3,
+      // 24 hours
+      path: "/"
+    });
+  }
+}
+function toUserResponse(user) {
+  if (!user) return null;
+  return {
+    sub: user.id || user.keycloakId,
+    email: user.email,
+    firstName: user.firstName,
+    lastName: user.lastName,
+    projectId: user.projectId,
+    metadata: user.metadata,
+    roles: user.roles
+  };
+}
+function respondWithKeycloakError(res, err, fallback, status = 400) {
+  const description = err?.response?.data?.error_description || err?.response?.data?.errorMessage || err?.message || fallback;
+  return res.status(status).json({ ok: false, error: description });
+}
+function buildVerificationTemplate(token, options) {
+  return `<a href="${getFrontendBaseUrl(options)}/auth/verify-email?token=${token}">Verify</a>`;
+}
+function buildResetTemplate(token, options) {
+  return `<a href="${getFrontendBaseUrl(options)}/auth/reset-password?token=${token}">Reset</a>`;
+}
+function getFrontendBaseUrl(options) {
+  if (options.frontendBaseUrl)
+    return options.frontendBaseUrl.replace(/\/$/, "");
+  const domain = process.env.ORG_DOMAIN?.replace(/\/$/, "");
+  if (!domain) return "";
+  return domain.startsWith("http") ? domain : `https://${domain}`;
+}
+async function sendRateLimitedEmail({
+  emailService,
+  user,
+  subject,
+  html
+}) {
+  const can = emailService.canSend(user?.lastEmailSent || []);
+  if (!can.ok) {
+    return { rateLimited: true, waitMs: can.waitMs };
+  }
+  await emailService.send(user.email, subject, html);
+  user.lastEmailSent = [...user.lastEmailSent || [], /* @__PURE__ */ new Date()];
+  await user.save();
+  return { rateLimited: false };
+}
+function generateTokens(user) {
+  const accessToken = import_jsonwebtoken4.default.sign(
+    {
+      sub: user.id.toString(),
+      email: user.email,
+      roles: user.roles || [],
+      type: "user"
+    },
+    process.env.JWT_SECRET,
+    { expiresIn: "1h" }
+  );
+  const refreshToken = import_jsonwebtoken4.default.sign(
+    { sub: user._id.toString() },
+    process.env.JWT_SECRET,
+    { expiresIn: "30d" }
+  );
+  return { access_token: accessToken, refresh_token: refreshToken };
+}
+
+// src/express/dashboards.routes.ts
+var import_express2 = __toESM(require("express"), 1);
+function createDashboardRouter(options) {
+  const r = (0, import_express2.Router)();
+  const kc = new AuthAdminService();
+  r.use(import_express2.default.json());
+  r.post("/", requireAuth(), async (req, res, next) => {
+    try {
+      const { slug, isPublic, authFlow, orgDomain } = req.body || {};
+      const redirectUris = [`https://${slug}.${orgDomain}/*`];
+      const created = await kc.createClient(slug, redirectUris, !!isPublic);
+      if (authFlow || isPublic != null) {
+        await kc.updateClient(created.id, {
+          authenticationFlowBindingOverrides: authFlow ? { browser: authFlow } : void 0,
+          registrationAllowed: !!isPublic
+        });
+      }
+      res.json({ clientId: created.clientId });
+    } catch (e) {
+      next(e);
+    }
+  });
+  return r;
+}
+
+// src/express/email.routes.ts
+var import_express3 = require("express");
+function createEmailRouter(options) {
+  const r = (0, import_express3.Router)();
+  r.get(
+    "/verify",
+    (req, res) => res.json({ ok: true, token: req.query.token })
+  );
+  return r;
+}
+
+// src/express/projects.routes.ts
+var import_express4 = require("express");
+
+// src/services/projects.service.ts
+var import_crypto2 = require("crypto");
+
+// src/models/moduleConnection.model.ts
+var import_mongoose5 = __toESM(require("mongoose"), 1);
+var ModuleItemSchema = new import_mongoose5.default.Schema(
+  { id: { type: String, required: true } },
+  { _id: false }
+);
+var ModuleConnectionSchema = new import_mongoose5.default.Schema(
+  {
+    projectId: { type: String, required: true, index: true },
+    modules: {
+      data: { type: [ModuleItemSchema], default: [] },
+      integration: { type: [ModuleItemSchema], default: [] },
+      storage: { type: [ModuleItemSchema], default: [] }
+    }
+  },
+  { timestamps: true, collection: "module_connection" }
+);
+var ModuleConnection = import_mongoose5.default.model(
+  "ModuleConnection",
+  ModuleConnectionSchema
+);
+
+// src/models/project.model.ts
+var import_mongoose6 = __toESM(require("mongoose"), 1);
+var ProjectSchema = new import_mongoose6.default.Schema(
+  {
+    _id: { type: String, required: true },
+    org_id: { type: String, required: true, index: true },
+    name: { type: String, required: true },
+    description: { type: String },
+    secret: { type: String, required: true }
+  },
+  { timestamps: true, collection: "projects" }
+);
+var Project = import_mongoose6.default.model("Project", ProjectSchema);
+
+// src/services/projects.service.ts
+var ProjectsService = class {
+  async create(org_id, name, description) {
+    const _id = (0, import_crypto2.randomUUID)();
+    const secret = (0, import_crypto2.randomUUID)();
+    const p = await Project.create({ _id, org_id, name, description, secret });
+    await ModuleConnection.create({
+      projectId: _id,
+      modules: { data: [], integration: [], storage: [] }
+    });
+    return p.toObject();
+  }
+  async list(org_id) {
+    return Project.find({ org_id }).lean();
+  }
+  async get(org_id, id) {
+    return Project.findOne({ org_id, _id: id }).lean();
+  }
+  async update(org_id, id, patch) {
+    return Project.findOneAndUpdate(
+      { org_id, _id: id },
+      { $set: patch },
+      { new: true }
+    ).lean();
+  }
+  async remove(org_id, id) {
+    await Project.deleteOne({ org_id, _id: id });
+    await ModuleConnection.deleteMany({ projectId: id });
+    return { ok: true };
+  }
+};
+
+// src/express/projects.routes.ts
+function createProjectsRouter(options) {
+  const r = (0, import_express4.Router)();
+  const svc = new ProjectsService();
+  r.post("/create", requireAuth(), async (req, res) => {
+    const { org_id, name, description } = req.body || {};
+    const p = await svc.create(org_id, name, description);
+    res.json(p);
+  });
+  r.get("/:org_id", requireAuth(), async (req, res) => {
+    res.json(await svc.list(req.params.org_id));
+  });
+  r.get("/:org_id/:id", requireAuth(), async (req, res) => {
+    res.json(await svc.get(req.params.org_id, req.params.id));
+  });
+  r.put("/:org_id/:id", requireAuth(), async (req, res) => {
+    res.json(
+      await svc.update(req.params.org_id, req.params.id, req.body || {})
+    );
+  });
+  r.delete("/:org_id/:id", requireAuth(), async (req, res) => {
+    res.json(await svc.remove(req.params.org_id, req.params.id));
+  });
+  return r;
+}
+
+// src/express/admin/admin.routes.ts
+var import_bcryptjs2 = __toESM(require("bcryptjs"), 1);
+var import_crypto3 = require("crypto");
+var import_express5 = __toESM(require("express"), 1);
+
+// src/core/utils.ts
+function hasAnyRole(session, roles) {
+  if (!session || !session.roles || !Array.isArray(roles) || roles.length === 0) {
+    return false;
+  }
+  return roles.some((role) => session.roles.includes(role));
+}
+
+// src/middlewares/requireRole.ts
+function requireRole(...roles) {
+  return (req, res, next) => {
+    const user = req.user;
+    if (!user) {
+      return res.status(401).json({ error: "Unauthorized" });
+    }
+    if (!roles || roles.length === 0) {
+      return next();
+    }
+    if (!hasAnyRole(user, roles)) {
+      return res.status(403).json({
+        error: `Requires one of roles: ${roles.join(", ")}`,
+        required: roles,
+        userRoles: user.roles
+      });
+    }
+    next();
+  };
+}
+
+// src/models/permissions.model.ts
+var import_mongoose7 = __toESM(require("mongoose"), 1);
+var PermissionsSchema = new import_mongoose7.Schema(
+  {
+    id: { type: String, required: true, index: true },
+    orgId: { type: String, default: null, index: true },
+    key: { type: String, required: true },
+    type: { type: String, required: true },
+    apiId: { type: String, required: false },
+    description: { type: String },
+    isInternal: { type: Boolean, default: false }
+  },
+  {
+    timestamps: true
+  }
+);
+PermissionsSchema.index({ orgId: 1, key: 1 }, { unique: true });
+var PermissionsModel = import_mongoose7.default.model(
+  "Permissions",
+  PermissionsSchema,
+  "permissions"
+);
+
+// src/express/admin/admin.routes.ts
+function resolveOrgId(req) {
+  const user = req.user || {};
+  const fromUser = user.orgId || user.org_id || null;
+  const fromQuery = req.query.orgId || null;
+  const fromBody = req.body && req.body.orgId || null;
+  return fromQuery || fromBody || fromUser;
+}
+function resolveProjectId(req) {
+  const user = req.user || {};
+  const fromUser = user.projectId || null;
+  const fromQuery = req.query.projectId || null;
+  const fromBody = req.body && req.body.projectId || null;
+  return fromQuery || fromBody || fromUser;
+}
+function createAdminRouter(_options = {}) {
+  const r = (0, import_express5.Router)();
+  r.use(import_express5.default.json());
+  r.use(import_express5.default.urlencoded({ extended: true }));
+  const adminGuards = [requireAuth(), requireRole("platform_admin")];
+  r.post(
+    "/users",
+    ...adminGuards,
+    async (req, res) => {
+      const {
+        firstName,
+        lastName,
+        email: emailAddress,
+        password,
+        emailVerified = false,
+        roles = []
+      } = req.body || {};
+      const projectId = resolveProjectId(req);
+      try {
+        const hashedPassword = password ? await import_bcryptjs2.default.hash(password, 10) : void 0;
+        const user = await OrgUser.create({
+          id: (0, import_crypto3.randomUUID)(),
+          email: emailAddress,
+          orgId: process.env.ORG_ID,
+          firstName,
+          lastName,
+          projectId,
+          emailVerified,
+          metadata: [],
+          passwordHash: hashedPassword,
+          roles
+        });
+        return res.json({
+          id: user.id,
+          email: user.email,
+          message: "Verification email sent. Please check your inbox."
+        });
+      } catch (err) {
+        console.error("Create user error:", err);
+        return res.status(500).json({ error: "INTERNAL_ERROR" });
+      }
+    }
+  );
+  r.delete(
+    "/users",
+    ...adminGuards,
+    async (req, res) => {
+      try {
+        const userId = req?.body?.id || req?.query?.id;
+        if (!userId) {
+          return res.status(400).json({
+            error: "VALIDATION_ERROR",
+            message: "UserId is required (send in body.id or ?id=...)"
+          });
+        }
+        const deleted = await OrgUser.findOneAndDelete({ id: userId }).exec();
+        if (!deleted) {
+          return res.status(404).json({
+            error: "NOT_FOUND",
+            message: "User not found or already deleted"
+          });
+        }
+        return res.status(200).json({
+          ok: true,
+          message: "User deleted successfully",
+          deletedUser: {
+            id: deleted.id,
+            firstName: deleted.firstName,
+            email: deleted.email,
+            orgId: deleted.orgId
+          }
+        });
+      } catch (err) {
+        console.error("Delete user error:", err);
+        return res.status(500).json({ error: "INTERNAL_ERROR" });
+      }
+    }
+  );
+  r.put(
+    "/users/:id",
+    ...adminGuards,
+    async (req, res) => {
+      const userId = req.params.id;
+      const {
+        firstName,
+        lastName,
+        email: emailAddress,
+        password,
+        emailVerified,
+        roles
+      } = req.body || {};
+      try {
+        const existingUser = await OrgUser.findOne({
+          id: userId,
+          orgId: process.env.ORG_ID
+        });
+        if (!existingUser) {
+          return res.status(404).json({ error: "USER_NOT_FOUND" });
+        }
+        if (firstName !== void 0) existingUser.firstName = firstName;
+        if (lastName !== void 0) existingUser.lastName = lastName;
+        if (emailAddress !== void 0) existingUser.email = emailAddress;
+        if (emailVerified !== void 0)
+          existingUser.emailVerified = emailVerified;
+        if (roles !== void 0) existingUser.roles = roles;
+        if (password) {
+          existingUser.passwordHash = await import_bcryptjs2.default.hash(password, 10);
+        }
+        await existingUser.save();
+        return res.json({
+          id: existingUser.id,
+          email: existingUser.email,
+          message: "User updated successfully."
+        });
+      } catch (err) {
+        console.error("Update user error:", err);
+        return res.status(500).json({ error: "INTERNAL_ERROR" });
+      }
+    }
+  );
+  r.get(
+    "/permissions",
+    ...adminGuards,
+    async (req, res) => {
+      try {
+        const orgId = resolveOrgId(req);
+        const filter = {};
+        if (orgId !== null) {
+          filter.orgId = orgId;
+        } else {
+          filter.orgId = null;
+        }
+        const items = await PermissionsModel.find(filter).lean().exec();
+        return res.json(items);
+      } catch (err) {
+        return res.status(500).json({ error: "INTERNAL_ERROR" });
+      }
+    }
+  );
+  r.post(
+    "/permissions",
+    ...adminGuards,
+    async (req, res) => {
+      try {
+        const orgId = resolveOrgId(req);
+        const {
+          key,
+          type,
+          apiId,
+          description,
+          isInternal = false
+        } = req.body || {};
+        if (!key || !type) {
+          return res.status(400).json({
+            error: "VALIDATION_ERROR",
+            message: "permission key, and permission type are required"
+          });
+        }
+        const id = (0, import_crypto3.randomUUID)();
+        const permission = await PermissionsModel.create({
+          id,
+          orgId: orgId ?? null,
+          key,
+          type,
+          apiId,
+          description,
+          isInternal: !!isInternal
+        });
+        await RolePermissionModel.findOneAndUpdate(
+          { orgId: orgId ?? null, role: "platform_admin" },
+          { $addToSet: { permissions: key } },
+          { upsert: true, new: true }
+        ).exec();
+        return res.status(201).json(permission);
+      } catch (err) {
+        if (err && err.code === 11e3) {
+          return res.status(409).json({
+            error: "DUPLICATE_PERMISSION",
+            message: "Permission key already exists for this org"
+          });
+        }
+        return res.status(500).json({ error: "INTERNAL_ERROR" });
+      }
+    }
+  );
+  r.put(
+    "/permissions/:id",
+    ...adminGuards,
+    async (req, res) => {
+      try {
+        const orgId = resolveOrgId(req);
+        const permissionId = req.params.id;
+        const { key, type, apiId, description, isInternal } = req.body || {};
+        const existing = await PermissionsModel.findOne({
+          id: permissionId,
+          orgId: orgId ?? null
+        });
+        if (!existing) {
+          return res.status(404).json({
+            error: "NOT_FOUND",
+            message: "Permission does not exist"
+          });
+        }
+        const oldKey = existing.key;
+        if (key !== void 0) existing.key = key;
+        if (type !== void 0) existing.type = type;
+        if (apiId !== void 0) existing.apiId = apiId;
+        if (description !== void 0) existing.description = description;
+        if (isInternal !== void 0) existing.isInternal = !!isInternal;
+        await existing.save();
+        if (oldKey !== key) {
+          await RolePermissionModel.updateMany(
+            {
+              orgId: orgId ?? null,
+              permissions: oldKey
+            },
+            {
+              $pull: { permissions: oldKey }
+            }
+          );
+          await RolePermissionModel.updateMany(
+            {
+              orgId: orgId ?? null
+            },
+            {
+              $addToSet: { permissions: key }
+            }
+          );
+        }
+        return res.json(existing);
+      } catch (err) {
+        if (err && err.code === 11e3) {
+          return res.status(409).json({
+            error: "DUPLICATE_PERMISSION",
+            message: "Permission key already exists for this org"
+          });
+        }
+        console.error("Update permission error:", err);
+        return res.status(500).json({ error: "INTERNAL_ERROR" });
+      }
+    }
+  );
+  r.delete(
+    "/permissions",
+    ...adminGuards,
+    async (req, res) => {
+      try {
+        const permissionId = req?.body?.id || req?.query?.id;
+        if (!permissionId) {
+          return res.status(400).json({
+            error: "VALIDATION_ERROR",
+            message: "Permission id is required (send in body.id or ?id=...)"
+          });
+        }
+        const existing = await PermissionsModel.findOne({ id: permissionId });
+        if (!existing) {
+          return res.status(404).json({
+            error: "NOT_FOUND",
+            message: "Permission not found or already deleted"
+          });
+        }
+        const { key, orgId } = existing;
+        await PermissionsModel.deleteOne({ id: permissionId });
+        await RolePermissionModel.updateMany(
+          { orgId: orgId ?? null },
+          { $pull: { permissions: key } }
+        );
+        return res.status(200).json({
+          ok: true,
+          message: "Permission deleted successfully",
+          deletedPermission: {
+            id: existing.id,
+            key: existing.key,
+            type: existing.type,
+            apiId: existing.apiId,
+            description: existing.description,
+            isInternal: existing.isInternal,
+            orgId: existing.orgId
+          }
+        });
+      } catch (err) {
+        console.error("Delete permission error:", err);
+        return res.status(500).json({ error: "INTERNAL_ERROR" });
+      }
+    }
+  );
+  r.get(
+    "/roles",
+    ...adminGuards,
+    async (req, res) => {
+      try {
+        const orgId = resolveOrgId(req);
+        const filter = {};
+        if (orgId !== null) {
+          filter.orgId = orgId;
+        } else {
+          filter.orgId = null;
+        }
+        const roles = await RolePermissionModel.find(filter).lean().exec();
+        return res.json(roles);
+      } catch (err) {
+        return res.status(500).json({ error: "INTERNAL_ERROR" });
+      }
+    }
+  );
+  r.post(
+    "/roles",
+    ...adminGuards,
+    async (req, res) => {
+      try {
+        const orgId = resolveOrgId(req);
+        const { role, permissions } = req.body || {};
+        if (!role || !Array.isArray(permissions)) {
+          return res.status(400).json({
+            error: "VALIDATION_ERROR",
+            message: "role and permissions[] are required"
+          });
+        }
+        const id = (0, import_crypto3.randomUUID)();
+        const doc = await RolePermissionModel.findOneAndUpdate(
+          { orgId: orgId ?? null, role },
+          { $set: { permissions } },
+          { upsert: true, new: true }
+        ).exec();
+        return res.status(200).json(doc);
+      } catch (err) {
+        return res.status(500).json({ error: "INTERNAL_ERROR" });
+      }
+    }
+  );
+  r.put(
+    "/roles/:id",
+    ...adminGuards,
+    async (req, res) => {
+      try {
+        const orgId = resolveOrgId(req);
+        const roleId = req.params.id;
+        const { role: newRoleName, permissions } = req.body || {};
+        if (!newRoleName || !Array.isArray(permissions)) {
+          return res.status(400).json({
+            error: "VALIDATION_ERROR",
+            message: "role and permissions are required"
+          });
+        }
+        const existing = await RolePermissionModel.findById(roleId);
+        if (!existing) {
+          return res.status(404).json({
+            error: "ROLE_NOT_FOUND",
+            message: "Role does not exist"
+          });
+        }
+        const oldRoleName = existing.role;
+        existing.role = newRoleName;
+        existing.permissions = permissions;
+        await existing.save();
+        if (oldRoleName !== newRoleName) {
+          await OrgUser.updateMany(
+            {
+              orgId: orgId ?? null,
+              roles: oldRoleName
+            },
+            {
+              $pull: { roles: oldRoleName }
+            }
+          );
+          await OrgUser.updateMany(
+            {
+              orgId: orgId ?? null,
+              roles: { $ne: newRoleName }
+              // avoid duplicates
+            },
+            {
+              $addToSet: { roles: newRoleName }
+            }
+          );
+        }
+        return res.status(200).json(existing);
+      } catch (err) {
+        console.error("Update role error:", err);
+        return res.status(500).json({ error: "INTERNAL_ERROR" });
+      }
+    }
+  );
+  r.delete(
+    "/roles",
+    ...adminGuards,
+    async (req, res) => {
+      try {
+        const roleId = req?.body?.id || req?.query?.id;
+        if (!roleId) {
+          return res.status(400).json({
+            error: "VALIDATION_ERROR",
+            message: "Role _id is required (send in body.id or ?id=...)"
+          });
+        }
+        if (!/^[0-9a-fA-F]{24}$/.test(roleId)) {
+          return res.status(400).json({
+            error: "VALIDATION_ERROR",
+            message: "Invalid role _id format"
+          });
+        }
+        const deleted = await RolePermissionModel.findByIdAndDelete(roleId).exec();
+        if (!deleted) {
+          return res.status(404).json({
+            error: "NOT_FOUND",
+            message: "Role not found or already deleted"
+          });
+        }
+        return res.status(200).json({
+          ok: true,
+          message: "Role deleted successfully",
+          deletedRole: {
+            _id: deleted._id,
+            role: deleted.role,
+            orgId: deleted.orgId
+          }
+        });
+      } catch (err) {
+        console.error("Delete role error:", err);
+        return res.status(500).json({ error: "INTERNAL_ERROR" });
+      }
+    }
+  );
+  return r;
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createAdminRouter,
+  createAuthRouter,
+  createDashboardRouter,
+  createEmailRouter,
+  createProjectsRouter
+});
+//# sourceMappingURL=index.cjs.map