npm - aaspai-authx - Versions diffs - 0.0.1 - Mend

aaspai-authx 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (23) hide show

package/LICENSE +3 -0
package/README.md +12 -0
package/dist/express/index.cjs +1699 -0
package/dist/express/index.cjs.map +1 -0
package/dist/express/index.d.cts +3 -0
package/dist/express/index.d.ts +3 -0
package/dist/express/index.js +1658 -0
package/dist/express/index.js.map +1 -0
package/dist/index-KOTz0ZcH.d.cts +23 -0
package/dist/index-KOTz0ZcH.d.ts +23 -0
package/dist/index.cjs +2266 -0
package/dist/index.cjs.map +1 -0
package/dist/index.d.cts +1420 -0
package/dist/index.d.ts +1420 -0
package/dist/index.js +2204 -0
package/dist/index.js.map +1 -0
package/dist/nest/index.cjs +1720 -0
package/dist/nest/index.cjs.map +1 -0
package/dist/nest/index.d.cts +28 -0
package/dist/nest/index.d.ts +28 -0
package/dist/nest/index.js +1683 -0
package/dist/nest/index.js.map +1 -0
package/package.json +96 -0

package/dist/express/index.js ADDED Viewed

@@ -0,0 +1,1658 @@
+// src/express/auth.routes.ts
+import bcrypt2 from "bcryptjs";
+import { randomUUID } from "crypto";
+import express, { Router } from "express";
+import jwt4 from "jsonwebtoken";
+// src/config/loadConfig.ts
+function loadConfig() {
+  return {
+    orgDomain: process.env.ORG_DOMAIN,
+    orgId: process.env.ORG_ID,
+    email: {
+      host: process.env.EMAIL_HOST || "smtp.postmarkapp.com",
+      port: process.env.EMAIL_PORT ? Number(process.env.EMAIL_PORT) : 587,
+      secure: (process.env.EMAIL_SECURE || "false") === "true",
+      user: process.env.EMAIL_USER,
+      pass: process.env.EMAIL_PASSWORD,
+      from: process.env.EMAIL_FROM,
+      jwtSecret: process.env.EMAIL_JWT_SECRET
+    },
+    cookies: {
+      domain: process.env.COOKIE_DOMAIN,
+      secure: (process.env.COOKIE_SECURE || "true") === "true",
+      accessTtlMs: 24 * 60 * 60 * 1e3,
+      refreshTtlMs: 7 * 24 * 60 * 60 * 1e3
+    },
+    oidc: {
+      jwtSecret: process.env.JWT_SECRET
+    },
+    aws: {
+      bucket: process.env.AWS_S3_BUCKET,
+      region: process.env.AWS_REGION,
+      accessKeyId: process.env.AWS_ACCESS_KEY_ID,
+      secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY
+    }
+  };
+}
+// src/config/index.ts
+var config = loadConfig();
+function configureAuthX(overrides = {}) {
+  return deepMerge(config, overrides);
+}
+function deepMerge(target, source) {
+  if (!source) {
+    return target;
+  }
+  for (const key of Object.keys(source)) {
+    const value = source[key];
+    if (value === void 0) continue;
+    if (Array.isArray(value)) {
+      target[key] = [...value];
+      continue;
+    }
+    if (isPlainObject(value)) {
+      if (!isPlainObject(target[key])) {
+        target[key] = {};
+      }
+      deepMerge(target[key], value);
+      continue;
+    }
+    target[key] = value;
+  }
+  return target;
+}
+function isPlainObject(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+// src/core/roles.config.ts
+var PLATFORM_ROLES = [
+  {
+    role: "platform_admin",
+    permissions: [
+      "projects.create",
+      "projects.read",
+      "projects.update",
+      "projects.delete",
+      "users.manage",
+      "api.manage"
+    ]
+  },
+  {
+    role: "platform_manager",
+    permissions: [
+      "projects.read",
+      "projects.update",
+      "users.read"
+    ]
+  },
+  {
+    role: "platform_user",
+    permissions: ["projects.read"]
+  }
+];
+function getPermissionsForRoles(roles) {
+  if (!Array.isArray(roles) || roles.length === 0) {
+    return [];
+  }
+  const permissionSet = /* @__PURE__ */ new Set();
+  for (const roleName of roles) {
+    const roleConfig = PLATFORM_ROLES.find((r) => r.role === roleName);
+    if (roleConfig && Array.isArray(roleConfig.permissions)) {
+      for (const perm of roleConfig.permissions) {
+        permissionSet.add(perm);
+      }
+    }
+  }
+  return Array.from(permissionSet);
+}
+// src/core/session.ts
+function buildSession(payload) {
+  const userId = payload?.sub || payload?.userId || payload?.id || "";
+  const email = payload?.email || payload?.email_address || "";
+  const roles = payload?.realm_access?.roles || payload?.roles || payload?.["cognito:groups"] || (Array.isArray(payload?.role) ? payload.role : []) || [];
+  const normalizedRoles = Array.isArray(roles) ? roles.map(String).filter(Boolean) : [];
+  const permissions = getPermissionsForRoles(normalizedRoles);
+  const session = {
+    userId,
+    email,
+    roles: normalizedRoles,
+    permissions
+  };
+  if (payload?.projectId) session.projectId = payload.projectId;
+  if (payload?.orgId) session.orgId = payload.orgId;
+  if (payload?.org_id) session.org_id = payload.org_id;
+  if (payload?.authType) session.authType = payload.authType;
+  Object.keys(payload || {}).forEach((key) => {
+    if (![
+      "sub",
+      "userId",
+      "id",
+      "email",
+      "email_address",
+      "realm_access",
+      "roles",
+      "cognito:groups",
+      "role",
+      "projectId",
+      "orgId",
+      "org_id",
+      "authType"
+    ].includes(key)) {
+      session[key] = payload[key];
+    }
+  });
+  return session;
+}
+// src/models/user.model.ts
+import mongoose from "mongoose";
+import { v4 as uuid } from "uuid";
+var MetadataSchema = new mongoose.Schema(
+  {
+    key: { type: String, required: true },
+    value: { type: mongoose.Schema.Types.Mixed, required: true }
+  },
+  { _id: false }
+);
+var OrgUserSchema = new mongoose.Schema(
+  {
+    id: { type: String, default: uuid(), index: true },
+    email: { type: String, required: true, unique: true },
+    firstName: { type: String, required: true },
+    lastName: { type: String, required: true },
+    orgId: { type: String },
+    projectId: { type: String, required: true },
+    roles: { type: [String], default: [] },
+    emailVerified: { type: Boolean, default: false },
+    lastEmailSent: { type: [Date], default: [] },
+    lastPasswordReset: { type: Date },
+    metadata: { type: [MetadataSchema], default: [] },
+    passwordHash: { type: String }
+  },
+  { timestamps: true, collection: "users" }
+);
+var OrgUser = mongoose.model("OrgUser", OrgUserSchema);
+// src/utils/extract.ts
+import { parse as parseCookie } from "cookie";
+function extractToken(req, opts) {
+  const headerNames = opts?.headerNames ?? ["authorization", "token"];
+  const cookieNames = opts?.cookieNames ?? ["access_token", "authorization"];
+  const queryNames = opts?.queryNames ?? ["access_token", "token"];
+  for (const h of headerNames) {
+    const raw = req.headers[h];
+    if (raw) {
+      const lower = raw.toLowerCase();
+      if (lower.startsWith("bearer ")) return raw.slice(7).trim();
+      if (!raw.includes(" ")) return raw.trim();
+    }
+  }
+  const ch = req.headers["cookie"];
+  if (typeof ch === "string") {
+    const parsed = parseCookie(ch);
+    for (const c of cookieNames) if (parsed[c]) return parsed[c];
+  }
+  for (const q of queryNames) {
+    const v = req.query?.[q];
+    if (typeof v === "string" && v) return v;
+  }
+  return null;
+}
+function readProjectId(req) {
+  const ch = req.headers["cookie"];
+  if (typeof ch === "string") {
+    try {
+      const parsed = parseCookie(ch);
+      return parsed["projectId"] || null;
+    } catch {
+    }
+  }
+  return null;
+}
+// src/utils/jwt.ts
+import jwt from "jsonwebtoken";
+function verifyJwt(token) {
+  return new Promise((resolve, reject) => {
+    jwt.verify(
+      token,
+      process.env.JWT_SECRET,
+      // This is your shared secret (string)
+      {
+        algorithms: ["HS256"],
+        // Only allow HS256
+        complete: false
+        // We only want payload
+      },
+      (err, decoded) => {
+        if (err) {
+          reject(err);
+        } else {
+          resolve(decoded);
+        }
+      }
+    );
+  });
+}
+// src/middlewares/auth.middleware.ts
+function requireAuth() {
+  return async (req, res, next) => {
+    try {
+      const apiKey = req.headers["x-api-key"] || req.headers["x-apikey"];
+      const userId = req.headers["x-user-id"] || req.headers["x-userId"];
+      if (apiKey) {
+        if (apiKey !== process.env.SERVER_API_KEY) {
+          return res.status(401).json({ error: "Invalid API key" });
+        }
+        if (!userId) {
+          return res.status(401).json({ error: "User Id is Required" });
+        }
+        const user = await OrgUser.findOne({ id: userId }).lean();
+        if (!user) {
+          return res.status(401).json({ error: "User not found" });
+        }
+        const session2 = buildSession({
+          sub: user.id.toString(),
+          email: user.email,
+          roles: user.roles || []
+        });
+        session2.authType = "api-key";
+        session2.projectId = readProjectId(req) || user.projectId || void 0;
+        req.user = session2;
+        return next();
+      }
+      const token = extractToken(req);
+      if (!token) {
+        return res.status(401).json({ error: "Missing token" });
+      }
+      const claims = await verifyJwt(token);
+      const session = buildSession(claims);
+      const pid = readProjectId(req);
+      if (pid) session.projectId = pid;
+      req.user = session;
+      next();
+    } catch (e) {
+      res.status(401).json({ error: e?.message || "Unauthorized" });
+    }
+  };
+}
+// src/middlewares/validators.ts
+function isEmail(v) {
+  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v);
+}
+function isPasswordStrong(v) {
+  return typeof v === "string" && v.length >= 6 && /[A-Z]/.test(v) && /[^a-zA-Z0-9]/.test(v);
+}
+function validateSignup(req, res, next) {
+  const { firstName, lastName, email, password, projectId, metadata } = req.body || {};
+  if (!firstName || !lastName)
+    return res.status(400).json({ error: "firstName,lastName required" });
+  if (!isEmail(email)) return res.status(400).json({ error: "invalid email" });
+  if (!isPasswordStrong(password))
+    return res.status(400).json({ error: "weak password" });
+  if (!projectId) return res.status(400).json({ error: "projectId required" });
+  if (!Array.isArray(metadata))
+    return res.status(400).json({ error: "metadata must be array" });
+  next();
+}
+function validateLogin(req, res, next) {
+  const { email, password } = req.body || {};
+  if (!isEmail(email)) return res.status(400).json({ error: "invalid email" });
+  if (typeof password !== "string")
+    return res.status(400).json({ error: "password required" });
+  next();
+}
+function validateResetPassword(req, res, next) {
+  const { token, newPassword } = req.body || {};
+  if (!token) return res.status(400).json({ error: "token required" });
+  if (!isPasswordStrong(newPassword))
+    return res.status(400).json({ error: "weak password" });
+  next();
+}
+function validateResendEmail(req, res, next) {
+  const { email } = req.body || {};
+  if (!isEmail(email)) return res.status(400).json({ error: "invalid email" });
+  next();
+}
+function validateSendInvite(req, res, next) {
+  const { email, role } = req.body || {};
+  if (!isEmail(email)) return res.status(400).json({ error: "invalid email" });
+  if (!["platform_user", "org_admin"].includes(role))
+    return res.status(400).json({ error: "invalid role" });
+  next();
+}
+// src/models/invite.model.ts
+import mongoose2 from "mongoose";
+var InviteSchema = new mongoose2.Schema(
+  {
+    id: { type: String, required: true, index: true },
+    email: { type: String, required: true },
+    role: {
+      type: String,
+      enum: ["platform_user", "org_admin"],
+      required: true
+    },
+    invitedBy: { type: String },
+    usedBy: { type: String },
+    isUsed: { type: Boolean, default: false },
+    usedAt: { type: Date },
+    expiresAt: { type: Date },
+    isExpired: { type: Boolean, default: false }
+  },
+  { timestamps: true, collection: "invites" }
+);
+var Invite = mongoose2.model("Invite", InviteSchema);
+// src/services/auth-admin.service.ts
+import bcrypt from "bcrypt";
+import jwt2 from "jsonwebtoken";
+// src/models/client.model.ts
+import mongoose3, { Schema } from "mongoose";
+var ClientSchema = new Schema(
+  {
+    clientId: {
+      type: String,
+      required: true,
+      unique: true,
+      index: true
+    },
+    redirectUris: {
+      type: [String],
+      default: []
+    },
+    publicClient: {
+      type: Boolean,
+      default: false
+    },
+    // Optional: if you want confidential clients
+    secret: {
+      type: String,
+      required: function() {
+        return !this.publicClient;
+      }
+    }
+  },
+  {
+    timestamps: true
+  }
+);
+var ClientModel = mongoose3.models.Client || mongoose3.model("Client", ClientSchema);
+// src/models/rolePermission.model.ts
+import mongoose4, { Schema as Schema2 } from "mongoose";
+var RolePermissionSchema = new Schema2(
+  {
+    orgId: { type: String, default: null, index: true },
+    role: { type: String, required: true },
+    permissions: { type: [String], default: [] }
+  },
+  {
+    timestamps: true
+  }
+);
+RolePermissionSchema.index({ orgId: 1, role: 1 }, { unique: true });
+var RolePermissionModel = mongoose4.model(
+  "RolePermission",
+  RolePermissionSchema,
+  "role_permissions"
+);
+// src/services/auth-admin.service.ts
+var AuthAdminService = class {
+  token;
+  async getAdminToken() {
+    return this.ensureAdminToken();
+  }
+  // -------------------------------------------------------------------
+  // CLIENTS
+  // -------------------------------------------------------------------
+  async createClient(clientId, redirectUris = [], publicClient = false) {
+    const client = await ClientModel.create({
+      clientId,
+      redirectUris,
+      publicClient
+    });
+    return client;
+  }
+  async updateClient(id, patch) {
+    await ClientModel.findByIdAndUpdate(id, patch);
+  }
+  // -------------------------------------------------------------------
+  // USERS
+  // -------------------------------------------------------------------
+  async listUsersInRealm(_realm, filter) {
+    return OrgUser.find(filter || {});
+  }
+  async getUserById(userId) {
+    return OrgUser.findOne({ id: userId });
+  }
+  async isUserEmailVerified(userId) {
+    const user = await OrgUser.findOne({ id: userId });
+    return user?.emailVerified;
+  }
+  async createUserInRealm(payload) {
+    const hashedPassword = payload.credentials?.[0]?.value ? await bcrypt.hash(payload.credentials[0].value, 10) : void 0;
+    const user = await OrgUser.create({
+      username: payload.username,
+      email: payload.email,
+      firstName: payload.firstName,
+      lastName: payload.lastName,
+      projectId: payload.projectId,
+      emailVerified: payload.emailVerified || false,
+      passwordHash: hashedPassword,
+      enabled: true
+    });
+    return user;
+  }
+  async assignRealmRole(userId, roleName) {
+    const role = await RolePermissionModel.findOne({ name: roleName });
+    if (!role) throw new Error(`Role not found: ${roleName}`);
+    await OrgUser.findOneAndUpdate(
+      { id: userId },
+      {
+        $addToSet: { roles: role._id }
+      }
+    );
+  }
+  async updateUserEmailVerified(userId, emailVerified) {
+    await OrgUser.findOneAndUpdate({ id: userId }, { emailVerified });
+  }
+  async updateUserPassword(userId, newPassword) {
+    const hashed = await bcrypt.hash(newPassword, 10);
+    await OrgUser.findOneAndUpdate({ id: userId }, { password: hashed });
+  }
+  // -------------------------------------------------------------------
+  // ADMIN TOKEN (self-issued JWT)
+  // -------------------------------------------------------------------
+  async ensureAdminToken() {
+    const now = Math.floor(Date.now() / 1e3);
+    if (this.token && this.token.exp - 30 > now) {
+      return this.token.accessToken;
+    }
+    const payload = {
+      type: "admin",
+      system: true
+    };
+    const accessToken = jwt2.sign(payload, process.env.JWT_SECRET, {
+      expiresIn: "1h"
+    });
+    this.token = {
+      accessToken,
+      exp: now + 3600
+    };
+    return this.token.accessToken;
+  }
+};
+// src/services/email.service.ts
+import jwt3 from "jsonwebtoken";
+import nodemailer from "nodemailer";
+var EmailService = class {
+  transporter;
+  MAX_EMAILS = 5;
+  WINDOW_MINUTES = 15;
+  BLOCK_HOURS = 1;
+  constructor() {
+    this.transporter = nodemailer.createTransport({
+      host: process.env.EMAIL_HOST || "smtp.postmarkapp.com",
+      port: process.env.EMAIL_PORT ? Number(process.env.EMAIL_PORT) : 587,
+      secure: (process.env.EMAIL_SECURE || "false") === "true",
+      auth: { user: process.env.EMAIL_USER, pass: process.env.EMAIL_PASSWORD }
+    });
+  }
+  sign(payload, ttlSec = 60 * 60 * 24) {
+    return jwt3.sign(payload, process.env.EMAIL_JWT_SECRET, { expiresIn: ttlSec });
+  }
+  verify(token) {
+    return jwt3.verify(token, process.env.EMAIL_JWT_SECRET);
+  }
+  async send(to, subject, html) {
+    await this.transporter.sendMail({
+      from: process.env.EMAIL_FROM,
+      to,
+      subject,
+      html
+    });
+  }
+  canSend(lastEmailSent) {
+    const now = Date.now();
+    const windowStart = now - this.WINDOW_MINUTES * 60 * 1e3;
+    const emailsInWindow = (lastEmailSent || []).map((d) => new Date(d)).filter((d) => d.getTime() >= windowStart);
+    if (emailsInWindow.length >= this.MAX_EMAILS)
+      return {
+        ok: false,
+        reason: "RATE_LIMIT",
+        waitMs: this.BLOCK_HOURS * 60 * 60 * 1e3
+      };
+    return { ok: true };
+  }
+};
+// src/utils/cookie.ts
+function cookieOpts(isRefresh = false) {
+  const maxAge = isRefresh ? config.cookies.refreshTtlMs : config.cookies.accessTtlMs;
+  const secure = process.env.NODE_ENV === "production" ? process.env.COOKIE_SECURE ?? true : false;
+  return {
+    httpOnly: true,
+    secure,
+    sameSite: "none",
+    domain: process.env.COOKIE_DOMAIN,
+    maxAge
+  };
+}
+function clearOpts() {
+  const secure = process.env.NODE_ENV === "production" ? process.env.COOKIE_SECURE ?? true : false;
+  return {
+    domain: process.env.COOKIE_DOMAIN,
+    sameSite: "none",
+    secure
+  };
+}
+// src/express/auth.routes.ts
+function createAuthRouter(options = {}) {
+  if (options.config) {
+    configureAuthX(options.config);
+  }
+  const r = Router();
+  const email = new EmailService();
+  const authAdmin = new AuthAdminService();
+  r.use(express.json());
+  r.use(express.urlencoded({ extended: true }));
+  r.get(
+    "/healthz",
+    (_req, res) => res.json({ status: "ok", server: "org-server" })
+  );
+  r.post("/login", validateLogin, async (req, res) => {
+    const { email: emailAddress, password } = req.body || {};
+    try {
+      const user = await OrgUser.findOne({ email: emailAddress }).select("+password").lean();
+      if (!user) {
+        return res.status(400).json({
+          error: "Invalid email or password",
+          code: "INVALID_CREDENTIALS"
+        });
+      }
+      if (!user.emailVerified) {
+        return res.status(400).json({
+          error: "Please verify your email before logging in.",
+          code: "EMAIL_NOT_VERIFIED"
+        });
+      }
+      const isPasswordValid = user.passwordHash ? await bcrypt2.compare(password, user.passwordHash) : false;
+      if (!isPasswordValid) {
+        return res.status(400).json({
+          error: "Invalid email or password",
+          code: "INVALID_CREDENTIALS"
+        });
+      }
+      const tokens = generateTokens(user);
+      setAuthCookies(res, tokens);
+      if (user.projectId) {
+        res.cookie(options.projectCookieName || "projectId", user.projectId, {
+          ...cookieOpts(false),
+          httpOnly: true
+        });
+      }
+      return res.json({
+        message: "Login successful",
+        user: toUserResponse(user)
+      });
+    } catch (err) {
+      console.error("Login error:", err);
+      return res.status(500).json({ error: "Internal server error" });
+    }
+  });
+  r.post("/signup", validateSignup, async (req, res) => {
+    const {
+      firstName,
+      lastName,
+      email: emailAddress,
+      password,
+      projectId,
+      metadata
+    } = req.body || {};
+    try {
+      const kcUser = await authAdmin.createUserInRealm({
+        username: emailAddress,
+        email: emailAddress,
+        firstName,
+        lastName,
+        projectId,
+        credentials: [{ type: "password", value: password, temporary: false }]
+      });
+      await authAdmin.assignRealmRole(kcUser.id, "platform_user");
+      const user = await OrgUser.findOneAndUpdate(
+        { email: kcUser.email },
+        {
+          id: kcUser.id,
+          email: kcUser.email,
+          firstName,
+          lastName,
+          projectId,
+          metadata,
+          roles: ["platform_user"],
+          emailVerified: false
+        },
+        { upsert: true, new: true, setDefaultsOnInsert: true }
+      );
+      const emailResult = await sendRateLimitedEmail({
+        emailService: email,
+        user,
+        subject: "Verify your email",
+        html: buildVerificationTemplate(
+          email.sign({ userId: kcUser.id, email: kcUser.email }),
+          options
+        )
+      });
+      if (emailResult.rateLimited) {
+        return res.status(429).json({
+          ok: false,
+          error: "Too many verification emails sent. Please try again later.",
+          waitMs: emailResult.waitMs
+        });
+      }
+      return res.json({
+        id: user.id,
+        email: user.email,
+        message: "Verification email sent. Please check your inbox."
+      });
+    } catch (err) {
+      return respondWithKeycloakError(res, err, "Signup failed");
+    }
+  });
+  r.get("/me", requireAuth(), (req, res) => {
+    return res.json(req.user || null);
+  });
+  r.post("/logout", async (_req, res) => {
+    res.clearCookie("access_token", clearOpts());
+    res.clearCookie("refresh_token", clearOpts());
+    res.json({ ok: true });
+  });
+  r.put("/:userId/metadata", requireAuth(), async (req, res) => {
+    const { userId } = req.params;
+    const { metadata } = req.body || {};
+    const user = await OrgUser.findOne({ id: userId });
+    if (!user)
+      return res.status(404).json({ ok: false, error: "User not found" });
+    const map = new Map(
+      (user.metadata || []).map((m) => [m.key, m.value])
+    );
+    for (const item of metadata || []) map.set(item.key, item.value);
+    user.metadata = Array.from(map.entries()).map(([key, value]) => ({
+      key,
+      value
+    }));
+    await user.save();
+    res.json({ ok: true, metadata: user.metadata });
+  });
+  r.get("/verify-email", async (req, res) => {
+    const token = String(req.query.token || "");
+    if (!token) {
+      return res.status(400).json({ error: "Verification token is required" });
+    }
+    try {
+      const payload = email.verify(token);
+      await authAdmin.updateUserEmailVerified(payload.userId, true);
+      await OrgUser.updateOne(
+        { id: payload.userId },
+        { $set: { emailVerified: true } }
+      );
+      res.json({ ok: true, message: "Email verified" });
+    } catch (err) {
+      res.status(400).json({ ok: false, error: err?.message || "Invalid token" });
+    }
+  });
+  r.post(
+    "/resend-verification-email",
+    validateResendEmail,
+    async (req, res) => {
+      const user = await OrgUser.findOne({ email: req.body.email });
+      if (!user)
+        return res.status(404).json({ ok: false, error: "User not found" });
+      const verified = await authAdmin.isUserEmailVerified(user.id);
+      if (verified) {
+        return res.status(400).json({ ok: false, error: "Email is already verified" });
+      }
+      const token = email.sign({
+        email: user.email,
+        userId: user.id
+      });
+      const resendResult = await sendRateLimitedEmail({
+        emailService: email,
+        user,
+        subject: "Verify your email",
+        html: buildVerificationTemplate(token, options)
+      });
+      if (resendResult.rateLimited) {
+        return res.status(429).json({
+          ok: false,
+          error: "Too many verification emails sent. Please try again later.",
+          waitMs: resendResult.waitMs
+        });
+      }
+      res.json({ ok: true });
+    }
+  );
+  r.post("/forgot-password", validateResendEmail, async (req, res) => {
+    const user = await OrgUser.findOne({ email: req.body.email });
+    if (!user)
+      return res.status(404).json({ ok: false, error: "User not found" });
+    const resetToken = email.sign(
+      {
+        userId: user.id,
+        email: user.email,
+        firstName: user.firstName,
+        lastName: user.lastName
+      },
+      60 * 60
+    );
+    const resetResult = await sendRateLimitedEmail({
+      emailService: email,
+      user,
+      subject: "Reset password",
+      html: buildResetTemplate(resetToken, options)
+    });
+    if (resetResult.rateLimited) {
+      return res.status(429).json({
+        ok: false,
+        error: "Please wait before requesting another password reset email.",
+        waitMs: resetResult.waitMs
+      });
+    }
+    res.json({ ok: true, message: "Password reset email sent" });
+  });
+  r.post("/reset-password", validateResetPassword, async (req, res) => {
+    const { token, newPassword } = req.body || {};
+    try {
+      const payload = email.verify(token);
+      const user = await OrgUser.findOne({ keycloakId: payload.userId });
+      if (!user) {
+        return res.status(404).json({ ok: false, error: "User not found" });
+      }
+      if (user.lastPasswordReset && payload.iat * 1e3 < user.lastPasswordReset.getTime()) {
+        return res.status(400).json({
+          ok: false,
+          error: "This reset link has already been used. Please request a new one."
+        });
+      }
+      await authAdmin.updateUserPassword(payload.userId, newPassword);
+      user.lastPasswordReset = /* @__PURE__ */ new Date();
+      await user.save();
+      res.json({ ok: true, message: "Password updated successfully" });
+    } catch (err) {
+      res.status(400).json({ ok: false, error: err?.message || "Invalid or expired token" });
+    }
+  });
+  r.post(
+    "/send-invite",
+    requireAuth(),
+    validateSendInvite,
+    async (req, res) => {
+      const { email: emailAddress, role } = req.body || {};
+      const existingUser = await OrgUser.findOne({ email: emailAddress });
+      if (existingUser) {
+        return res.status(400).json({ ok: false, error: "User with this email already exists" });
+      }
+      const existingInvite = await Invite.findOne({
+        email: emailAddress,
+        isUsed: false,
+        isExpired: false
+      });
+      if (existingInvite) {
+        return res.status(400).json({
+          ok: false,
+          error: "An active invite already exists for this email"
+        });
+      }
+      const token = email.sign({
+        email: emailAddress,
+        role,
+        inviteId: randomUUID()
+      });
+      const invite = await Invite.create({
+        id: token,
+        email: emailAddress,
+        role,
+        invitedBy: req.user?.sub,
+        isUsed: false,
+        expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1e3)
+      });
+      await email.send(
+        emailAddress,
+        "You are invited",
+        `<a href="${getFrontendBaseUrl(options)}/auth/accept-invite?token=${token}">Accept</a>`
+      );
+      res.json({
+        ok: true,
+        inviteId: invite.id,
+        email: invite.email,
+        role: invite.role,
+        expiresAt: invite.expiresAt
+      });
+    }
+  );
+  r.get("/accept-invite", async (req, res) => {
+    const inv = await Invite.findOne({ id: String(req.query.token) });
+    res.json({ ok: !!inv && !inv.isUsed && !inv.isExpired });
+  });
+  r.post("/accept-invite", async (req, res) => {
+    const { token, firstName, lastName, password, projectId } = req.body || {};
+    if (!token || !firstName || !lastName || !isPasswordStrong(password || "")) {
+      return res.status(400).json({ ok: false, error: "Invalid payload" });
+    }
+    const invite = await Invite.findOne({
+      id: token,
+      isUsed: false,
+      isExpired: false
+    });
+    if (!invite) {
+      return res.status(400).json({ ok: false, error: "Invitation not found or already used" });
+    }
+    if (invite.expiresAt && invite.expiresAt.getTime() < Date.now()) {
+      invite.isExpired = true;
+      await invite.save();
+      return res.status(400).json({ ok: false, error: "Invitation has expired" });
+    }
+    try {
+      const kcUser = await authAdmin.createUserInRealm({
+        username: invite.email,
+        email: invite.email,
+        firstName,
+        lastName,
+        projectId,
+        emailVerified: true,
+        credentials: [{ type: "password", value: password, temporary: false }]
+      });
+      await authAdmin.assignRealmRole(kcUser.id, invite.role);
+      await OrgUser.findOneAndUpdate(
+        { email: invite.email },
+        {
+          id: kcUser.id,
+          email: invite.email,
+          firstName,
+          lastName,
+          roles: [invite.role],
+          emailVerified: true
+        },
+        { upsert: true, new: true, setDefaultsOnInsert: true }
+      );
+      invite.isUsed = true;
+      invite.usedAt = /* @__PURE__ */ new Date();
+      invite.usedBy = kcUser.id;
+      await invite.save();
+      res.json({
+        ok: true,
+        message: "Account created successfully.",
+        email: invite.email
+      });
+    } catch (err) {
+      res.status(400).json({
+        ok: false,
+        error: err?.response?.data?.error_description || err?.message || "Failed to create account"
+      });
+    }
+  });
+  r.get("/invites", requireAuth(), async (_req, res) => {
+    const invites = await Invite.find().sort({ createdAt: -1 }).lean();
+    res.json(invites);
+  });
+  r.delete("/invites/:inviteId", requireAuth(), async (req, res) => {
+    await Invite.deleteOne({ id: req.params.inviteId });
+    res.json({ ok: true });
+  });
+  r.get("/get-user-by-email", async (req, res) => {
+    const user = await OrgUser.findOne({ email: req.query.email }).lean();
+    res.json(user || null);
+  });
+  r.get("/google", async (_req, res) => {
+    res.json({ url: "/auth/google/callback?code=demo" });
+  });
+  r.get("/google/callback", async (_req, res) => {
+    res.cookie(
+      "access_token",
+      "ACCESS.TOKEN.PLACEHOLDER",
+      cookieOpts(false)
+    );
+    res.redirect("/");
+  });
+  r.get("/get-users", async (req, res) => {
+    const user = await OrgUser.find({ projectId: req.query.projectId }).lean();
+    res.json(user || null);
+  });
+  return r;
+}
+function setAuthCookies(res, tokens) {
+  if (tokens?.access_token) {
+    res.cookie("access_token", tokens.access_token, {
+      httpOnly: true,
+      secure: false,
+      sameSite: "lax",
+      maxAge: 24 * 60 * 60 * 1e3,
+      // 24 hours
+      path: "/"
+    });
+  }
+  if (tokens?.refresh_token) {
+    res.cookie("refresh_token", tokens.refresh_token, {
+      httpOnly: true,
+      secure: false,
+      sameSite: "lax",
+      maxAge: 24 * 60 * 60 * 1e3,
+      // 24 hours
+      path: "/"
+    });
+  }
+}
+function toUserResponse(user) {
+  if (!user) return null;
+  return {
+    sub: user.id || user.keycloakId,
+    email: user.email,
+    firstName: user.firstName,
+    lastName: user.lastName,
+    projectId: user.projectId,
+    metadata: user.metadata,
+    roles: user.roles
+  };
+}
+function respondWithKeycloakError(res, err, fallback, status = 400) {
+  const description = err?.response?.data?.error_description || err?.response?.data?.errorMessage || err?.message || fallback;
+  return res.status(status).json({ ok: false, error: description });
+}
+function buildVerificationTemplate(token, options) {
+  return `<a href="${getFrontendBaseUrl(options)}/auth/verify-email?token=${token}">Verify</a>`;
+}
+function buildResetTemplate(token, options) {
+  return `<a href="${getFrontendBaseUrl(options)}/auth/reset-password?token=${token}">Reset</a>`;
+}
+function getFrontendBaseUrl(options) {
+  if (options.frontendBaseUrl)
+    return options.frontendBaseUrl.replace(/\/$/, "");
+  const domain = process.env.ORG_DOMAIN?.replace(/\/$/, "");
+  if (!domain) return "";
+  return domain.startsWith("http") ? domain : `https://${domain}`;
+}
+async function sendRateLimitedEmail({
+  emailService,
+  user,
+  subject,
+  html
+}) {
+  const can = emailService.canSend(user?.lastEmailSent || []);
+  if (!can.ok) {
+    return { rateLimited: true, waitMs: can.waitMs };
+  }
+  await emailService.send(user.email, subject, html);
+  user.lastEmailSent = [...user.lastEmailSent || [], /* @__PURE__ */ new Date()];
+  await user.save();
+  return { rateLimited: false };
+}
+function generateTokens(user) {
+  const accessToken = jwt4.sign(
+    {
+      sub: user.id.toString(),
+      email: user.email,
+      roles: user.roles || [],
+      type: "user"
+    },
+    process.env.JWT_SECRET,
+    { expiresIn: "1h" }
+  );
+  const refreshToken = jwt4.sign(
+    { sub: user._id.toString() },
+    process.env.JWT_SECRET,
+    { expiresIn: "30d" }
+  );
+  return { access_token: accessToken, refresh_token: refreshToken };
+}
+// src/express/dashboards.routes.ts
+import express2, { Router as Router2 } from "express";
+function createDashboardRouter(options) {
+  const r = Router2();
+  const kc = new AuthAdminService();
+  r.use(express2.json());
+  r.post("/", requireAuth(), async (req, res, next) => {
+    try {
+      const { slug, isPublic, authFlow, orgDomain } = req.body || {};
+      const redirectUris = [`https://${slug}.${orgDomain}/*`];
+      const created = await kc.createClient(slug, redirectUris, !!isPublic);
+      if (authFlow || isPublic != null) {
+        await kc.updateClient(created.id, {
+          authenticationFlowBindingOverrides: authFlow ? { browser: authFlow } : void 0,
+          registrationAllowed: !!isPublic
+        });
+      }
+      res.json({ clientId: created.clientId });
+    } catch (e) {
+      next(e);
+    }
+  });
+  return r;
+}
+// src/express/email.routes.ts
+import { Router as Router3 } from "express";
+function createEmailRouter(options) {
+  const r = Router3();
+  r.get(
+    "/verify",
+    (req, res) => res.json({ ok: true, token: req.query.token })
+  );
+  return r;
+}
+// src/express/projects.routes.ts
+import { Router as Router4 } from "express";
+// src/services/projects.service.ts
+import { randomUUID as randomUUID2 } from "crypto";
+// src/models/moduleConnection.model.ts
+import mongoose5 from "mongoose";
+var ModuleItemSchema = new mongoose5.Schema(
+  { id: { type: String, required: true } },
+  { _id: false }
+);
+var ModuleConnectionSchema = new mongoose5.Schema(
+  {
+    projectId: { type: String, required: true, index: true },
+    modules: {
+      data: { type: [ModuleItemSchema], default: [] },
+      integration: { type: [ModuleItemSchema], default: [] },
+      storage: { type: [ModuleItemSchema], default: [] }
+    }
+  },
+  { timestamps: true, collection: "module_connection" }
+);
+var ModuleConnection = mongoose5.model(
+  "ModuleConnection",
+  ModuleConnectionSchema
+);
+// src/models/project.model.ts
+import mongoose6 from "mongoose";
+var ProjectSchema = new mongoose6.Schema(
+  {
+    _id: { type: String, required: true },
+    org_id: { type: String, required: true, index: true },
+    name: { type: String, required: true },
+    description: { type: String },
+    secret: { type: String, required: true }
+  },
+  { timestamps: true, collection: "projects" }
+);
+var Project = mongoose6.model("Project", ProjectSchema);
+// src/services/projects.service.ts
+var ProjectsService = class {
+  async create(org_id, name, description) {
+    const _id = randomUUID2();
+    const secret = randomUUID2();
+    const p = await Project.create({ _id, org_id, name, description, secret });
+    await ModuleConnection.create({
+      projectId: _id,
+      modules: { data: [], integration: [], storage: [] }
+    });
+    return p.toObject();
+  }
+  async list(org_id) {
+    return Project.find({ org_id }).lean();
+  }
+  async get(org_id, id) {
+    return Project.findOne({ org_id, _id: id }).lean();
+  }
+  async update(org_id, id, patch) {
+    return Project.findOneAndUpdate(
+      { org_id, _id: id },
+      { $set: patch },
+      { new: true }
+    ).lean();
+  }
+  async remove(org_id, id) {
+    await Project.deleteOne({ org_id, _id: id });
+    await ModuleConnection.deleteMany({ projectId: id });
+    return { ok: true };
+  }
+};
+// src/express/projects.routes.ts
+function createProjectsRouter(options) {
+  const r = Router4();
+  const svc = new ProjectsService();
+  r.post("/create", requireAuth(), async (req, res) => {
+    const { org_id, name, description } = req.body || {};
+    const p = await svc.create(org_id, name, description);
+    res.json(p);
+  });
+  r.get("/:org_id", requireAuth(), async (req, res) => {
+    res.json(await svc.list(req.params.org_id));
+  });
+  r.get("/:org_id/:id", requireAuth(), async (req, res) => {
+    res.json(await svc.get(req.params.org_id, req.params.id));
+  });
+  r.put("/:org_id/:id", requireAuth(), async (req, res) => {
+    res.json(
+      await svc.update(req.params.org_id, req.params.id, req.body || {})
+    );
+  });
+  r.delete("/:org_id/:id", requireAuth(), async (req, res) => {
+    res.json(await svc.remove(req.params.org_id, req.params.id));
+  });
+  return r;
+}
+// src/express/admin/admin.routes.ts
+import bcrypt3 from "bcryptjs";
+import { randomUUID as randomUUID3 } from "crypto";
+import express3, { Router as Router5 } from "express";
+// src/core/utils.ts
+function hasAnyRole(session, roles) {
+  if (!session || !session.roles || !Array.isArray(roles) || roles.length === 0) {
+    return false;
+  }
+  return roles.some((role) => session.roles.includes(role));
+}
+// src/middlewares/requireRole.ts
+function requireRole(...roles) {
+  return (req, res, next) => {
+    const user = req.user;
+    if (!user) {
+      return res.status(401).json({ error: "Unauthorized" });
+    }
+    if (!roles || roles.length === 0) {
+      return next();
+    }
+    if (!hasAnyRole(user, roles)) {
+      return res.status(403).json({
+        error: `Requires one of roles: ${roles.join(", ")}`,
+        required: roles,
+        userRoles: user.roles
+      });
+    }
+    next();
+  };
+}
+// src/models/permissions.model.ts
+import mongoose7, { Schema as Schema3 } from "mongoose";
+var PermissionsSchema = new Schema3(
+  {
+    id: { type: String, required: true, index: true },
+    orgId: { type: String, default: null, index: true },
+    key: { type: String, required: true },
+    type: { type: String, required: true },
+    apiId: { type: String, required: false },
+    description: { type: String },
+    isInternal: { type: Boolean, default: false }
+  },
+  {
+    timestamps: true
+  }
+);
+PermissionsSchema.index({ orgId: 1, key: 1 }, { unique: true });
+var PermissionsModel = mongoose7.model(
+  "Permissions",
+  PermissionsSchema,
+  "permissions"
+);
+// src/express/admin/admin.routes.ts
+function resolveOrgId(req) {
+  const user = req.user || {};
+  const fromUser = user.orgId || user.org_id || null;
+  const fromQuery = req.query.orgId || null;
+  const fromBody = req.body && req.body.orgId || null;
+  return fromQuery || fromBody || fromUser;
+}
+function resolveProjectId(req) {
+  const user = req.user || {};
+  const fromUser = user.projectId || null;
+  const fromQuery = req.query.projectId || null;
+  const fromBody = req.body && req.body.projectId || null;
+  return fromQuery || fromBody || fromUser;
+}
+function createAdminRouter(_options = {}) {
+  const r = Router5();
+  r.use(express3.json());
+  r.use(express3.urlencoded({ extended: true }));
+  const adminGuards = [requireAuth(), requireRole("platform_admin")];
+  r.post(
+    "/users",
+    ...adminGuards,
+    async (req, res) => {
+      const {
+        firstName,
+        lastName,
+        email: emailAddress,
+        password,
+        emailVerified = false,
+        roles = []
+      } = req.body || {};
+      const projectId = resolveProjectId(req);
+      try {
+        const hashedPassword = password ? await bcrypt3.hash(password, 10) : void 0;
+        const user = await OrgUser.create({
+          id: randomUUID3(),
+          email: emailAddress,
+          orgId: process.env.ORG_ID,
+          firstName,
+          lastName,
+          projectId,
+          emailVerified,
+          metadata: [],
+          passwordHash: hashedPassword,
+          roles
+        });
+        return res.json({
+          id: user.id,
+          email: user.email,
+          message: "Verification email sent. Please check your inbox."
+        });
+      } catch (err) {
+        console.error("Create user error:", err);
+        return res.status(500).json({ error: "INTERNAL_ERROR" });
+      }
+    }
+  );
+  r.delete(
+    "/users",
+    ...adminGuards,
+    async (req, res) => {
+      try {
+        const userId = req?.body?.id || req?.query?.id;
+        if (!userId) {
+          return res.status(400).json({
+            error: "VALIDATION_ERROR",
+            message: "UserId is required (send in body.id or ?id=...)"
+          });
+        }
+        const deleted = await OrgUser.findOneAndDelete({ id: userId }).exec();
+        if (!deleted) {
+          return res.status(404).json({
+            error: "NOT_FOUND",
+            message: "User not found or already deleted"
+          });
+        }
+        return res.status(200).json({
+          ok: true,
+          message: "User deleted successfully",
+          deletedUser: {
+            id: deleted.id,
+            firstName: deleted.firstName,
+            email: deleted.email,
+            orgId: deleted.orgId
+          }
+        });
+      } catch (err) {
+        console.error("Delete user error:", err);
+        return res.status(500).json({ error: "INTERNAL_ERROR" });
+      }
+    }
+  );
+  r.put(
+    "/users/:id",
+    ...adminGuards,
+    async (req, res) => {
+      const userId = req.params.id;
+      const {
+        firstName,
+        lastName,
+        email: emailAddress,
+        password,
+        emailVerified,
+        roles
+      } = req.body || {};
+      try {
+        const existingUser = await OrgUser.findOne({
+          id: userId,
+          orgId: process.env.ORG_ID
+        });
+        if (!existingUser) {
+          return res.status(404).json({ error: "USER_NOT_FOUND" });
+        }
+        if (firstName !== void 0) existingUser.firstName = firstName;
+        if (lastName !== void 0) existingUser.lastName = lastName;
+        if (emailAddress !== void 0) existingUser.email = emailAddress;
+        if (emailVerified !== void 0)
+          existingUser.emailVerified = emailVerified;
+        if (roles !== void 0) existingUser.roles = roles;
+        if (password) {
+          existingUser.passwordHash = await bcrypt3.hash(password, 10);
+        }
+        await existingUser.save();
+        return res.json({
+          id: existingUser.id,
+          email: existingUser.email,
+          message: "User updated successfully."
+        });
+      } catch (err) {
+        console.error("Update user error:", err);
+        return res.status(500).json({ error: "INTERNAL_ERROR" });
+      }
+    }
+  );
+  r.get(
+    "/permissions",
+    ...adminGuards,
+    async (req, res) => {
+      try {
+        const orgId = resolveOrgId(req);
+        const filter = {};
+        if (orgId !== null) {
+          filter.orgId = orgId;
+        } else {
+          filter.orgId = null;
+        }
+        const items = await PermissionsModel.find(filter).lean().exec();
+        return res.json(items);
+      } catch (err) {
+        return res.status(500).json({ error: "INTERNAL_ERROR" });
+      }
+    }
+  );
+  r.post(
+    "/permissions",
+    ...adminGuards,
+    async (req, res) => {
+      try {
+        const orgId = resolveOrgId(req);
+        const {
+          key,
+          type,
+          apiId,
+          description,
+          isInternal = false
+        } = req.body || {};
+        if (!key || !type) {
+          return res.status(400).json({
+            error: "VALIDATION_ERROR",
+            message: "permission key, and permission type are required"
+          });
+        }
+        const id = randomUUID3();
+        const permission = await PermissionsModel.create({
+          id,
+          orgId: orgId ?? null,
+          key,
+          type,
+          apiId,
+          description,
+          isInternal: !!isInternal
+        });
+        await RolePermissionModel.findOneAndUpdate(
+          { orgId: orgId ?? null, role: "platform_admin" },
+          { $addToSet: { permissions: key } },
+          { upsert: true, new: true }
+        ).exec();
+        return res.status(201).json(permission);
+      } catch (err) {
+        if (err && err.code === 11e3) {
+          return res.status(409).json({
+            error: "DUPLICATE_PERMISSION",
+            message: "Permission key already exists for this org"
+          });
+        }
+        return res.status(500).json({ error: "INTERNAL_ERROR" });
+      }
+    }
+  );
+  r.put(
+    "/permissions/:id",
+    ...adminGuards,
+    async (req, res) => {
+      try {
+        const orgId = resolveOrgId(req);
+        const permissionId = req.params.id;
+        const { key, type, apiId, description, isInternal } = req.body || {};
+        const existing = await PermissionsModel.findOne({
+          id: permissionId,
+          orgId: orgId ?? null
+        });
+        if (!existing) {
+          return res.status(404).json({
+            error: "NOT_FOUND",
+            message: "Permission does not exist"
+          });
+        }
+        const oldKey = existing.key;
+        if (key !== void 0) existing.key = key;
+        if (type !== void 0) existing.type = type;
+        if (apiId !== void 0) existing.apiId = apiId;
+        if (description !== void 0) existing.description = description;
+        if (isInternal !== void 0) existing.isInternal = !!isInternal;
+        await existing.save();
+        if (oldKey !== key) {
+          await RolePermissionModel.updateMany(
+            {
+              orgId: orgId ?? null,
+              permissions: oldKey
+            },
+            {
+              $pull: { permissions: oldKey }
+            }
+          );
+          await RolePermissionModel.updateMany(
+            {
+              orgId: orgId ?? null
+            },
+            {
+              $addToSet: { permissions: key }
+            }
+          );
+        }
+        return res.json(existing);
+      } catch (err) {
+        if (err && err.code === 11e3) {
+          return res.status(409).json({
+            error: "DUPLICATE_PERMISSION",
+            message: "Permission key already exists for this org"
+          });
+        }
+        console.error("Update permission error:", err);
+        return res.status(500).json({ error: "INTERNAL_ERROR" });
+      }
+    }
+  );
+  r.delete(
+    "/permissions",
+    ...adminGuards,
+    async (req, res) => {
+      try {
+        const permissionId = req?.body?.id || req?.query?.id;
+        if (!permissionId) {
+          return res.status(400).json({
+            error: "VALIDATION_ERROR",
+            message: "Permission id is required (send in body.id or ?id=...)"
+          });
+        }
+        const existing = await PermissionsModel.findOne({ id: permissionId });
+        if (!existing) {
+          return res.status(404).json({
+            error: "NOT_FOUND",
+            message: "Permission not found or already deleted"
+          });
+        }
+        const { key, orgId } = existing;
+        await PermissionsModel.deleteOne({ id: permissionId });
+        await RolePermissionModel.updateMany(
+          { orgId: orgId ?? null },
+          { $pull: { permissions: key } }
+        );
+        return res.status(200).json({
+          ok: true,
+          message: "Permission deleted successfully",
+          deletedPermission: {
+            id: existing.id,
+            key: existing.key,
+            type: existing.type,
+            apiId: existing.apiId,
+            description: existing.description,
+            isInternal: existing.isInternal,
+            orgId: existing.orgId
+          }
+        });
+      } catch (err) {
+        console.error("Delete permission error:", err);
+        return res.status(500).json({ error: "INTERNAL_ERROR" });
+      }
+    }
+  );
+  r.get(
+    "/roles",
+    ...adminGuards,
+    async (req, res) => {
+      try {
+        const orgId = resolveOrgId(req);
+        const filter = {};
+        if (orgId !== null) {
+          filter.orgId = orgId;
+        } else {
+          filter.orgId = null;
+        }
+        const roles = await RolePermissionModel.find(filter).lean().exec();
+        return res.json(roles);
+      } catch (err) {
+        return res.status(500).json({ error: "INTERNAL_ERROR" });
+      }
+    }
+  );
+  r.post(
+    "/roles",
+    ...adminGuards,
+    async (req, res) => {
+      try {
+        const orgId = resolveOrgId(req);
+        const { role, permissions } = req.body || {};
+        if (!role || !Array.isArray(permissions)) {
+          return res.status(400).json({
+            error: "VALIDATION_ERROR",
+            message: "role and permissions[] are required"
+          });
+        }
+        const id = randomUUID3();
+        const doc = await RolePermissionModel.findOneAndUpdate(
+          { orgId: orgId ?? null, role },
+          { $set: { permissions } },
+          { upsert: true, new: true }
+        ).exec();
+        return res.status(200).json(doc);
+      } catch (err) {
+        return res.status(500).json({ error: "INTERNAL_ERROR" });
+      }
+    }
+  );
+  r.put(
+    "/roles/:id",
+    ...adminGuards,
+    async (req, res) => {
+      try {
+        const orgId = resolveOrgId(req);
+        const roleId = req.params.id;
+        const { role: newRoleName, permissions } = req.body || {};
+        if (!newRoleName || !Array.isArray(permissions)) {
+          return res.status(400).json({
+            error: "VALIDATION_ERROR",
+            message: "role and permissions are required"
+          });
+        }
+        const existing = await RolePermissionModel.findById(roleId);
+        if (!existing) {
+          return res.status(404).json({
+            error: "ROLE_NOT_FOUND",
+            message: "Role does not exist"
+          });
+        }
+        const oldRoleName = existing.role;
+        existing.role = newRoleName;
+        existing.permissions = permissions;
+        await existing.save();
+        if (oldRoleName !== newRoleName) {
+          await OrgUser.updateMany(
+            {
+              orgId: orgId ?? null,
+              roles: oldRoleName
+            },
+            {
+              $pull: { roles: oldRoleName }
+            }
+          );
+          await OrgUser.updateMany(
+            {
+              orgId: orgId ?? null,
+              roles: { $ne: newRoleName }
+              // avoid duplicates
+            },
+            {
+              $addToSet: { roles: newRoleName }
+            }
+          );
+        }
+        return res.status(200).json(existing);
+      } catch (err) {
+        console.error("Update role error:", err);
+        return res.status(500).json({ error: "INTERNAL_ERROR" });
+      }
+    }
+  );
+  r.delete(
+    "/roles",
+    ...adminGuards,
+    async (req, res) => {
+      try {
+        const roleId = req?.body?.id || req?.query?.id;
+        if (!roleId) {
+          return res.status(400).json({
+            error: "VALIDATION_ERROR",
+            message: "Role _id is required (send in body.id or ?id=...)"
+          });
+        }
+        if (!/^[0-9a-fA-F]{24}$/.test(roleId)) {
+          return res.status(400).json({
+            error: "VALIDATION_ERROR",
+            message: "Invalid role _id format"
+          });
+        }
+        const deleted = await RolePermissionModel.findByIdAndDelete(roleId).exec();
+        if (!deleted) {
+          return res.status(404).json({
+            error: "NOT_FOUND",
+            message: "Role not found or already deleted"
+          });
+        }
+        return res.status(200).json({
+          ok: true,
+          message: "Role deleted successfully",
+          deletedRole: {
+            _id: deleted._id,
+            role: deleted.role,
+            orgId: deleted.orgId
+          }
+        });
+      } catch (err) {
+        console.error("Delete role error:", err);
+        return res.status(500).json({ error: "INTERNAL_ERROR" });
+      }
+    }
+  );
+  return r;
+}
+export {
+  createAdminRouter,
+  createAuthRouter,
+  createDashboardRouter,
+  createEmailRouter,
+  createProjectsRouter
+};
+//# sourceMappingURL=index.js.map