aaspai-authx 0.0.1

package/dist/index.cjs

@@ -0,0 +1,2266 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var __decorateClass = (decorators, target, key, kind) => {
+  var result = kind > 1 ? void 0 : kind ? __getOwnPropDesc(target, key) : target;
+  for (var i = decorators.length - 1, decorator; i >= 0; i--)
+    if (decorator = decorators[i])
+      result = (kind ? decorator(target, key, result) : decorator(result)) || result;
+  if (kind && result) __defProp(target, key, result);
+  return result;
+};
+
+// src/index.ts
+var src_exports = {};
+__export(src_exports, {
+  AuthAdminService: () => AuthAdminService,
+  AuthXGuard: () => AuthXGuard,
+  AuthXProvider: () => AuthXProvider,
+  AuthXSessionDecorator: () => AuthXSessionDecorator,
+  AuthXStrategy: () => AuthXStrategy,
+  EmailService: () => EmailService,
+  HasPermission: () => HasPermission,
+  HasRole: () => HasRole,
+  PLATFORM_ROLES: () => PLATFORM_ROLES,
+  Permissions: () => Permissions,
+  ProjectsService: () => ProjectsService,
+  Roles: () => Roles,
+  SignedIn: () => SignedIn,
+  SignedOut: () => SignedOut,
+  UploadsService: () => UploadsService,
+  authorize: () => authorize,
+  authx: () => authx,
+  buildSession: () => buildSession,
+  createAuthXStrategy: () => createAuthXStrategy,
+  express: () => express_exports,
+  getPermissionsForRoles: () => getPermissionsForRoles,
+  hasAllPermissions: () => hasAllPermissions,
+  hasAllRoles: () => hasAllRoles,
+  hasAnyPermission: () => hasAnyPermission,
+  hasAnyRole: () => hasAnyRole,
+  hasPermission: () => hasPermission,
+  hasRole: () => hasRole,
+  nest: () => nest,
+  requireAuth: () => requireAuth,
+  requirePermission: () => requirePermission2,
+  requirePermissionLegacy: () => requirePermission,
+  requireRole: () => requireRole,
+  useAuthX: () => useAuthX,
+  useAuthXContext: () => useAuthXContext,
+  useHasPermission: () => useHasPermission,
+  useHasRole: () => useHasRole,
+  withAuthRoute: () => withAuthRoute
+});
+module.exports = __toCommonJS(src_exports);
+
+// src/express/index.ts
+var express_exports = {};
+__export(express_exports, {
+  createAdminRouter: () => createAdminRouter,
+  createAuthRouter: () => createAuthRouter,
+  createDashboardRouter: () => createDashboardRouter,
+  createEmailRouter: () => createEmailRouter,
+  createProjectsRouter: () => createProjectsRouter
+});
+
+// src/express/auth.routes.ts
+var import_bcryptjs = __toESM(require("bcryptjs"), 1);
+var import_crypto = require("crypto");
+var import_express = __toESM(require("express"), 1);
+var import_jsonwebtoken4 = __toESM(require("jsonwebtoken"), 1);
+
+// src/config/loadConfig.ts
+function loadConfig() {
+  return {
+    orgDomain: process.env.ORG_DOMAIN,
+    orgId: process.env.ORG_ID,
+    email: {
+      host: process.env.EMAIL_HOST || "smtp.postmarkapp.com",
+      port: process.env.EMAIL_PORT ? Number(process.env.EMAIL_PORT) : 587,
+      secure: (process.env.EMAIL_SECURE || "false") === "true",
+      user: process.env.EMAIL_USER,
+      pass: process.env.EMAIL_PASSWORD,
+      from: process.env.EMAIL_FROM,
+      jwtSecret: process.env.EMAIL_JWT_SECRET
+    },
+    cookies: {
+      domain: process.env.COOKIE_DOMAIN,
+      secure: (process.env.COOKIE_SECURE || "true") === "true",
+      accessTtlMs: 24 * 60 * 60 * 1e3,
+      refreshTtlMs: 7 * 24 * 60 * 60 * 1e3
+    },
+    oidc: {
+      jwtSecret: process.env.JWT_SECRET
+    },
+    aws: {
+      bucket: process.env.AWS_S3_BUCKET,
+      region: process.env.AWS_REGION,
+      accessKeyId: process.env.AWS_ACCESS_KEY_ID,
+      secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY
+    }
+  };
+}
+
+// src/config/index.ts
+var config = loadConfig();
+function configureAuthX(overrides = {}) {
+  return deepMerge(config, overrides);
+}
+function deepMerge(target, source) {
+  if (!source) {
+    return target;
+  }
+  for (const key of Object.keys(source)) {
+    const value = source[key];
+    if (value === void 0) continue;
+    if (Array.isArray(value)) {
+      target[key] = [...value];
+      continue;
+    }
+    if (isPlainObject(value)) {
+      if (!isPlainObject(target[key])) {
+        target[key] = {};
+      }
+      deepMerge(target[key], value);
+      continue;
+    }
+    target[key] = value;
+  }
+  return target;
+}
+function isPlainObject(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+
+// src/core/roles.config.ts
+var PLATFORM_ROLES = [
+  {
+    role: "platform_admin",
+    permissions: [
+      "projects.create",
+      "projects.read",
+      "projects.update",
+      "projects.delete",
+      "users.manage",
+      "api.manage"
+    ]
+  },
+  {
+    role: "platform_manager",
+    permissions: [
+      "projects.read",
+      "projects.update",
+      "users.read"
+    ]
+  },
+  {
+    role: "platform_user",
+    permissions: ["projects.read"]
+  }
+];
+function getPermissionsForRoles(roles) {
+  if (!Array.isArray(roles) || roles.length === 0) {
+    return [];
+  }
+  const permissionSet = /* @__PURE__ */ new Set();
+  for (const roleName of roles) {
+    const roleConfig = PLATFORM_ROLES.find((r) => r.role === roleName);
+    if (roleConfig && Array.isArray(roleConfig.permissions)) {
+      for (const perm of roleConfig.permissions) {
+        permissionSet.add(perm);
+      }
+    }
+  }
+  return Array.from(permissionSet);
+}
+
+// src/core/session.ts
+function buildSession(payload) {
+  const userId = payload?.sub || payload?.userId || payload?.id || "";
+  const email = payload?.email || payload?.email_address || "";
+  const roles = payload?.realm_access?.roles || payload?.roles || payload?.["cognito:groups"] || (Array.isArray(payload?.role) ? payload.role : []) || [];
+  const normalizedRoles = Array.isArray(roles) ? roles.map(String).filter(Boolean) : [];
+  const permissions = getPermissionsForRoles(normalizedRoles);
+  const session = {
+    userId,
+    email,
+    roles: normalizedRoles,
+    permissions
+  };
+  if (payload?.projectId) session.projectId = payload.projectId;
+  if (payload?.orgId) session.orgId = payload.orgId;
+  if (payload?.org_id) session.org_id = payload.org_id;
+  if (payload?.authType) session.authType = payload.authType;
+  Object.keys(payload || {}).forEach((key) => {
+    if (![
+      "sub",
+      "userId",
+      "id",
+      "email",
+      "email_address",
+      "realm_access",
+      "roles",
+      "cognito:groups",
+      "role",
+      "projectId",
+      "orgId",
+      "org_id",
+      "authType"
+    ].includes(key)) {
+      session[key] = payload[key];
+    }
+  });
+  return session;
+}
+
+// src/models/user.model.ts
+var import_mongoose = __toESM(require("mongoose"), 1);
+var import_uuid = require("uuid");
+var MetadataSchema = new import_mongoose.default.Schema(
+  {
+    key: { type: String, required: true },
+    value: { type: import_mongoose.default.Schema.Types.Mixed, required: true }
+  },
+  { _id: false }
+);
+var OrgUserSchema = new import_mongoose.default.Schema(
+  {
+    id: { type: String, default: (0, import_uuid.v4)(), index: true },
+    email: { type: String, required: true, unique: true },
+    firstName: { type: String, required: true },
+    lastName: { type: String, required: true },
+    orgId: { type: String },
+    projectId: { type: String, required: true },
+    roles: { type: [String], default: [] },
+    emailVerified: { type: Boolean, default: false },
+    lastEmailSent: { type: [Date], default: [] },
+    lastPasswordReset: { type: Date },
+    metadata: { type: [MetadataSchema], default: [] },
+    passwordHash: { type: String }
+  },
+  { timestamps: true, collection: "users" }
+);
+var OrgUser = import_mongoose.default.model("OrgUser", OrgUserSchema);
+
+// src/utils/extract.ts
+var import_cookie = require("cookie");
+function extractToken(req, opts) {
+  const headerNames = opts?.headerNames ?? ["authorization", "token"];
+  const cookieNames = opts?.cookieNames ?? ["access_token", "authorization"];
+  const queryNames = opts?.queryNames ?? ["access_token", "token"];
+  for (const h of headerNames) {
+    const raw = req.headers[h];
+    if (raw) {
+      const lower = raw.toLowerCase();
+      if (lower.startsWith("bearer ")) return raw.slice(7).trim();
+      if (!raw.includes(" ")) return raw.trim();
+    }
+  }
+  const ch = req.headers["cookie"];
+  if (typeof ch === "string") {
+    const parsed = (0, import_cookie.parse)(ch);
+    for (const c of cookieNames) if (parsed[c]) return parsed[c];
+  }
+  for (const q of queryNames) {
+    const v = req.query?.[q];
+    if (typeof v === "string" && v) return v;
+  }
+  return null;
+}
+function readProjectId(req) {
+  const ch = req.headers["cookie"];
+  if (typeof ch === "string") {
+    try {
+      const parsed = (0, import_cookie.parse)(ch);
+      return parsed["projectId"] || null;
+    } catch {
+    }
+  }
+  return null;
+}
+
+// src/utils/jwt.ts
+var import_jsonwebtoken = __toESM(require("jsonwebtoken"), 1);
+function verifyJwt(token) {
+  return new Promise((resolve, reject) => {
+    import_jsonwebtoken.default.verify(
+      token,
+      process.env.JWT_SECRET,
+      // This is your shared secret (string)
+      {
+        algorithms: ["HS256"],
+        // Only allow HS256
+        complete: false
+        // We only want payload
+      },
+      (err, decoded) => {
+        if (err) {
+          reject(err);
+        } else {
+          resolve(decoded);
+        }
+      }
+    );
+  });
+}
+
+// src/middlewares/auth.middleware.ts
+function requireAuth() {
+  return async (req, res, next) => {
+    try {
+      const apiKey = req.headers["x-api-key"] || req.headers["x-apikey"];
+      const userId = req.headers["x-user-id"] || req.headers["x-userId"];
+      if (apiKey) {
+        if (apiKey !== process.env.SERVER_API_KEY) {
+          return res.status(401).json({ error: "Invalid API key" });
+        }
+        if (!userId) {
+          return res.status(401).json({ error: "User Id is Required" });
+        }
+        const user = await OrgUser.findOne({ id: userId }).lean();
+        if (!user) {
+          return res.status(401).json({ error: "User not found" });
+        }
+        const session2 = buildSession({
+          sub: user.id.toString(),
+          email: user.email,
+          roles: user.roles || []
+        });
+        session2.authType = "api-key";
+        session2.projectId = readProjectId(req) || user.projectId || void 0;
+        req.user = session2;
+        return next();
+      }
+      const token = extractToken(req);
+      if (!token) {
+        return res.status(401).json({ error: "Missing token" });
+      }
+      const claims = await verifyJwt(token);
+      const session = buildSession(claims);
+      const pid = readProjectId(req);
+      if (pid) session.projectId = pid;
+      req.user = session;
+      next();
+    } catch (e) {
+      res.status(401).json({ error: e?.message || "Unauthorized" });
+    }
+  };
+}
+function authorize(roles = []) {
+  return (req, res, next) => {
+    if (!roles || roles.length === 0) return next();
+    const user = req.user;
+    if (!user) {
+      return res.status(401).json({ error: "Unauthorized" });
+    }
+    console.log(user, "user");
+    const have = new Set((user.roles || []).map(String));
+    const ok = roles.some((r) => have.has(r));
+    if (!ok) {
+      return res.status(403).json({ error: `Requires one of roles: ${roles.join(", ")}` });
+    }
+    next();
+  };
+}
+
+// src/middlewares/validators.ts
+function isEmail(v) {
+  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v);
+}
+function isPasswordStrong(v) {
+  return typeof v === "string" && v.length >= 6 && /[A-Z]/.test(v) && /[^a-zA-Z0-9]/.test(v);
+}
+function validateSignup(req, res, next) {
+  const { firstName, lastName, email, password, projectId, metadata } = req.body || {};
+  if (!firstName || !lastName)
+    return res.status(400).json({ error: "firstName,lastName required" });
+  if (!isEmail(email)) return res.status(400).json({ error: "invalid email" });
+  if (!isPasswordStrong(password))
+    return res.status(400).json({ error: "weak password" });
+  if (!projectId) return res.status(400).json({ error: "projectId required" });
+  if (!Array.isArray(metadata))
+    return res.status(400).json({ error: "metadata must be array" });
+  next();
+}
+function validateLogin(req, res, next) {
+  const { email, password } = req.body || {};
+  if (!isEmail(email)) return res.status(400).json({ error: "invalid email" });
+  if (typeof password !== "string")
+    return res.status(400).json({ error: "password required" });
+  next();
+}
+function validateResetPassword(req, res, next) {
+  const { token, newPassword } = req.body || {};
+  if (!token) return res.status(400).json({ error: "token required" });
+  if (!isPasswordStrong(newPassword))
+    return res.status(400).json({ error: "weak password" });
+  next();
+}
+function validateResendEmail(req, res, next) {
+  const { email } = req.body || {};
+  if (!isEmail(email)) return res.status(400).json({ error: "invalid email" });
+  next();
+}
+function validateSendInvite(req, res, next) {
+  const { email, role } = req.body || {};
+  if (!isEmail(email)) return res.status(400).json({ error: "invalid email" });
+  if (!["platform_user", "org_admin"].includes(role))
+    return res.status(400).json({ error: "invalid role" });
+  next();
+}
+
+// src/models/invite.model.ts
+var import_mongoose2 = __toESM(require("mongoose"), 1);
+var InviteSchema = new import_mongoose2.default.Schema(
+  {
+    id: { type: String, required: true, index: true },
+    email: { type: String, required: true },
+    role: {
+      type: String,
+      enum: ["platform_user", "org_admin"],
+      required: true
+    },
+    invitedBy: { type: String },
+    usedBy: { type: String },
+    isUsed: { type: Boolean, default: false },
+    usedAt: { type: Date },
+    expiresAt: { type: Date },
+    isExpired: { type: Boolean, default: false }
+  },
+  { timestamps: true, collection: "invites" }
+);
+var Invite = import_mongoose2.default.model("Invite", InviteSchema);
+
+// src/services/auth-admin.service.ts
+var import_bcrypt = __toESM(require("bcrypt"), 1);
+var import_jsonwebtoken2 = __toESM(require("jsonwebtoken"), 1);
+
+// src/models/client.model.ts
+var import_mongoose3 = __toESM(require("mongoose"), 1);
+var ClientSchema = new import_mongoose3.Schema(
+  {
+    clientId: {
+      type: String,
+      required: true,
+      unique: true,
+      index: true
+    },
+    redirectUris: {
+      type: [String],
+      default: []
+    },
+    publicClient: {
+      type: Boolean,
+      default: false
+    },
+    // Optional: if you want confidential clients
+    secret: {
+      type: String,
+      required: function() {
+        return !this.publicClient;
+      }
+    }
+  },
+  {
+    timestamps: true
+  }
+);
+var ClientModel = import_mongoose3.default.models.Client || import_mongoose3.default.model("Client", ClientSchema);
+
+// src/models/rolePermission.model.ts
+var import_mongoose4 = __toESM(require("mongoose"), 1);
+var RolePermissionSchema = new import_mongoose4.Schema(
+  {
+    orgId: { type: String, default: null, index: true },
+    role: { type: String, required: true },
+    permissions: { type: [String], default: [] }
+  },
+  {
+    timestamps: true
+  }
+);
+RolePermissionSchema.index({ orgId: 1, role: 1 }, { unique: true });
+var RolePermissionModel = import_mongoose4.default.model(
+  "RolePermission",
+  RolePermissionSchema,
+  "role_permissions"
+);
+
+// src/services/auth-admin.service.ts
+var AuthAdminService = class {
+  token;
+  async getAdminToken() {
+    return this.ensureAdminToken();
+  }
+  // -------------------------------------------------------------------
+  // CLIENTS
+  // -------------------------------------------------------------------
+  async createClient(clientId, redirectUris = [], publicClient = false) {
+    const client = await ClientModel.create({
+      clientId,
+      redirectUris,
+      publicClient
+    });
+    return client;
+  }
+  async updateClient(id, patch) {
+    await ClientModel.findByIdAndUpdate(id, patch);
+  }
+  // -------------------------------------------------------------------
+  // USERS
+  // -------------------------------------------------------------------
+  async listUsersInRealm(_realm, filter) {
+    return OrgUser.find(filter || {});
+  }
+  async getUserById(userId) {
+    return OrgUser.findOne({ id: userId });
+  }
+  async isUserEmailVerified(userId) {
+    const user = await OrgUser.findOne({ id: userId });
+    return user?.emailVerified;
+  }
+  async createUserInRealm(payload) {
+    const hashedPassword = payload.credentials?.[0]?.value ? await import_bcrypt.default.hash(payload.credentials[0].value, 10) : void 0;
+    const user = await OrgUser.create({
+      username: payload.username,
+      email: payload.email,
+      firstName: payload.firstName,
+      lastName: payload.lastName,
+      projectId: payload.projectId,
+      emailVerified: payload.emailVerified || false,
+      passwordHash: hashedPassword,
+      enabled: true
+    });
+    return user;
+  }
+  async assignRealmRole(userId, roleName) {
+    const role = await RolePermissionModel.findOne({ name: roleName });
+    if (!role) throw new Error(`Role not found: ${roleName}`);
+    await OrgUser.findOneAndUpdate(
+      { id: userId },
+      {
+        $addToSet: { roles: role._id }
+      }
+    );
+  }
+  async updateUserEmailVerified(userId, emailVerified) {
+    await OrgUser.findOneAndUpdate({ id: userId }, { emailVerified });
+  }
+  async updateUserPassword(userId, newPassword) {
+    const hashed = await import_bcrypt.default.hash(newPassword, 10);
+    await OrgUser.findOneAndUpdate({ id: userId }, { password: hashed });
+  }
+  // -------------------------------------------------------------------
+  // ADMIN TOKEN (self-issued JWT)
+  // -------------------------------------------------------------------
+  async ensureAdminToken() {
+    const now = Math.floor(Date.now() / 1e3);
+    if (this.token && this.token.exp - 30 > now) {
+      return this.token.accessToken;
+    }
+    const payload = {
+      type: "admin",
+      system: true
+    };
+    const accessToken = import_jsonwebtoken2.default.sign(payload, process.env.JWT_SECRET, {
+      expiresIn: "1h"
+    });
+    this.token = {
+      accessToken,
+      exp: now + 3600
+    };
+    return this.token.accessToken;
+  }
+};
+
+// src/services/email.service.ts
+var import_jsonwebtoken3 = __toESM(require("jsonwebtoken"), 1);
+var import_nodemailer = __toESM(require("nodemailer"), 1);
+var EmailService = class {
+  transporter;
+  MAX_EMAILS = 5;
+  WINDOW_MINUTES = 15;
+  BLOCK_HOURS = 1;
+  constructor() {
+    this.transporter = import_nodemailer.default.createTransport({
+      host: process.env.EMAIL_HOST || "smtp.postmarkapp.com",
+      port: process.env.EMAIL_PORT ? Number(process.env.EMAIL_PORT) : 587,
+      secure: (process.env.EMAIL_SECURE || "false") === "true",
+      auth: { user: process.env.EMAIL_USER, pass: process.env.EMAIL_PASSWORD }
+    });
+  }
+  sign(payload, ttlSec = 60 * 60 * 24) {
+    return import_jsonwebtoken3.default.sign(payload, process.env.EMAIL_JWT_SECRET, { expiresIn: ttlSec });
+  }
+  verify(token) {
+    return import_jsonwebtoken3.default.verify(token, process.env.EMAIL_JWT_SECRET);
+  }
+  async send(to, subject, html) {
+    await this.transporter.sendMail({
+      from: process.env.EMAIL_FROM,
+      to,
+      subject,
+      html
+    });
+  }
+  canSend(lastEmailSent) {
+    const now = Date.now();
+    const windowStart = now - this.WINDOW_MINUTES * 60 * 1e3;
+    const emailsInWindow = (lastEmailSent || []).map((d) => new Date(d)).filter((d) => d.getTime() >= windowStart);
+    if (emailsInWindow.length >= this.MAX_EMAILS)
+      return {
+        ok: false,
+        reason: "RATE_LIMIT",
+        waitMs: this.BLOCK_HOURS * 60 * 60 * 1e3
+      };
+    return { ok: true };
+  }
+};
+
+// src/utils/cookie.ts
+function cookieOpts(isRefresh = false) {
+  const maxAge = isRefresh ? config.cookies.refreshTtlMs : config.cookies.accessTtlMs;
+  const secure = process.env.NODE_ENV === "production" ? process.env.COOKIE_SECURE ?? true : false;
+  return {
+    httpOnly: true,
+    secure,
+    sameSite: "none",
+    domain: process.env.COOKIE_DOMAIN,
+    maxAge
+  };
+}
+function clearOpts() {
+  const secure = process.env.NODE_ENV === "production" ? process.env.COOKIE_SECURE ?? true : false;
+  return {
+    domain: process.env.COOKIE_DOMAIN,
+    sameSite: "none",
+    secure
+  };
+}
+
+// src/express/auth.routes.ts
+function createAuthRouter(options = {}) {
+  if (options.config) {
+    configureAuthX(options.config);
+  }
+  const r = (0, import_express.Router)();
+  const email = new EmailService();
+  const authAdmin = new AuthAdminService();
+  r.use(import_express.default.json());
+  r.use(import_express.default.urlencoded({ extended: true }));
+  r.get(
+    "/healthz",
+    (_req, res) => res.json({ status: "ok", server: "org-server" })
+  );
+  r.post("/login", validateLogin, async (req, res) => {
+    const { email: emailAddress, password } = req.body || {};
+    try {
+      const user = await OrgUser.findOne({ email: emailAddress }).select("+password").lean();
+      if (!user) {
+        return res.status(400).json({
+          error: "Invalid email or password",
+          code: "INVALID_CREDENTIALS"
+        });
+      }
+      if (!user.emailVerified) {
+        return res.status(400).json({
+          error: "Please verify your email before logging in.",
+          code: "EMAIL_NOT_VERIFIED"
+        });
+      }
+      const isPasswordValid = user.passwordHash ? await import_bcryptjs.default.compare(password, user.passwordHash) : false;
+      if (!isPasswordValid) {
+        return res.status(400).json({
+          error: "Invalid email or password",
+          code: "INVALID_CREDENTIALS"
+        });
+      }
+      const tokens = generateTokens(user);
+      setAuthCookies(res, tokens);
+      if (user.projectId) {
+        res.cookie(options.projectCookieName || "projectId", user.projectId, {
+          ...cookieOpts(false),
+          httpOnly: true
+        });
+      }
+      return res.json({
+        message: "Login successful",
+        user: toUserResponse(user)
+      });
+    } catch (err) {
+      console.error("Login error:", err);
+      return res.status(500).json({ error: "Internal server error" });
+    }
+  });
+  r.post("/signup", validateSignup, async (req, res) => {
+    const {
+      firstName,
+      lastName,
+      email: emailAddress,
+      password,
+      projectId,
+      metadata
+    } = req.body || {};
+    try {
+      const kcUser = await authAdmin.createUserInRealm({
+        username: emailAddress,
+        email: emailAddress,
+        firstName,
+        lastName,
+        projectId,
+        credentials: [{ type: "password", value: password, temporary: false }]
+      });
+      await authAdmin.assignRealmRole(kcUser.id, "platform_user");
+      const user = await OrgUser.findOneAndUpdate(
+        { email: kcUser.email },
+        {
+          id: kcUser.id,
+          email: kcUser.email,
+          firstName,
+          lastName,
+          projectId,
+          metadata,
+          roles: ["platform_user"],
+          emailVerified: false
+        },
+        { upsert: true, new: true, setDefaultsOnInsert: true }
+      );
+      const emailResult = await sendRateLimitedEmail({
+        emailService: email,
+        user,
+        subject: "Verify your email",
+        html: buildVerificationTemplate(
+          email.sign({ userId: kcUser.id, email: kcUser.email }),
+          options
+        )
+      });
+      if (emailResult.rateLimited) {
+        return res.status(429).json({
+          ok: false,
+          error: "Too many verification emails sent. Please try again later.",
+          waitMs: emailResult.waitMs
+        });
+      }
+      return res.json({
+        id: user.id,
+        email: user.email,
+        message: "Verification email sent. Please check your inbox."
+      });
+    } catch (err) {
+      return respondWithKeycloakError(res, err, "Signup failed");
+    }
+  });
+  r.get("/me", requireAuth(), (req, res) => {
+    return res.json(req.user || null);
+  });
+  r.post("/logout", async (_req, res) => {
+    res.clearCookie("access_token", clearOpts());
+    res.clearCookie("refresh_token", clearOpts());
+    res.json({ ok: true });
+  });
+  r.put("/:userId/metadata", requireAuth(), async (req, res) => {
+    const { userId } = req.params;
+    const { metadata } = req.body || {};
+    const user = await OrgUser.findOne({ id: userId });
+    if (!user)
+      return res.status(404).json({ ok: false, error: "User not found" });
+    const map = new Map(
+      (user.metadata || []).map((m) => [m.key, m.value])
+    );
+    for (const item of metadata || []) map.set(item.key, item.value);
+    user.metadata = Array.from(map.entries()).map(([key, value]) => ({
+      key,
+      value
+    }));
+    await user.save();
+    res.json({ ok: true, metadata: user.metadata });
+  });
+  r.get("/verify-email", async (req, res) => {
+    const token = String(req.query.token || "");
+    if (!token) {
+      return res.status(400).json({ error: "Verification token is required" });
+    }
+    try {
+      const payload = email.verify(token);
+      await authAdmin.updateUserEmailVerified(payload.userId, true);
+      await OrgUser.updateOne(
+        { id: payload.userId },
+        { $set: { emailVerified: true } }
+      );
+      res.json({ ok: true, message: "Email verified" });
+    } catch (err) {
+      res.status(400).json({ ok: false, error: err?.message || "Invalid token" });
+    }
+  });
+  r.post(
+    "/resend-verification-email",
+    validateResendEmail,
+    async (req, res) => {
+      const user = await OrgUser.findOne({ email: req.body.email });
+      if (!user)
+        return res.status(404).json({ ok: false, error: "User not found" });
+      const verified = await authAdmin.isUserEmailVerified(user.id);
+      if (verified) {
+        return res.status(400).json({ ok: false, error: "Email is already verified" });
+      }
+      const token = email.sign({
+        email: user.email,
+        userId: user.id
+      });
+      const resendResult = await sendRateLimitedEmail({
+        emailService: email,
+        user,
+        subject: "Verify your email",
+        html: buildVerificationTemplate(token, options)
+      });
+      if (resendResult.rateLimited) {
+        return res.status(429).json({
+          ok: false,
+          error: "Too many verification emails sent. Please try again later.",
+          waitMs: resendResult.waitMs
+        });
+      }
+      res.json({ ok: true });
+    }
+  );
+  r.post("/forgot-password", validateResendEmail, async (req, res) => {
+    const user = await OrgUser.findOne({ email: req.body.email });
+    if (!user)
+      return res.status(404).json({ ok: false, error: "User not found" });
+    const resetToken = email.sign(
+      {
+        userId: user.id,
+        email: user.email,
+        firstName: user.firstName,
+        lastName: user.lastName
+      },
+      60 * 60
+    );
+    const resetResult = await sendRateLimitedEmail({
+      emailService: email,
+      user,
+      subject: "Reset password",
+      html: buildResetTemplate(resetToken, options)
+    });
+    if (resetResult.rateLimited) {
+      return res.status(429).json({
+        ok: false,
+        error: "Please wait before requesting another password reset email.",
+        waitMs: resetResult.waitMs
+      });
+    }
+    res.json({ ok: true, message: "Password reset email sent" });
+  });
+  r.post("/reset-password", validateResetPassword, async (req, res) => {
+    const { token, newPassword } = req.body || {};
+    try {
+      const payload = email.verify(token);
+      const user = await OrgUser.findOne({ keycloakId: payload.userId });
+      if (!user) {
+        return res.status(404).json({ ok: false, error: "User not found" });
+      }
+      if (user.lastPasswordReset && payload.iat * 1e3 < user.lastPasswordReset.getTime()) {
+        return res.status(400).json({
+          ok: false,
+          error: "This reset link has already been used. Please request a new one."
+        });
+      }
+      await authAdmin.updateUserPassword(payload.userId, newPassword);
+      user.lastPasswordReset = /* @__PURE__ */ new Date();
+      await user.save();
+      res.json({ ok: true, message: "Password updated successfully" });
+    } catch (err) {
+      res.status(400).json({ ok: false, error: err?.message || "Invalid or expired token" });
+    }
+  });
+  r.post(
+    "/send-invite",
+    requireAuth(),
+    validateSendInvite,
+    async (req, res) => {
+      const { email: emailAddress, role } = req.body || {};
+      const existingUser = await OrgUser.findOne({ email: emailAddress });
+      if (existingUser) {
+        return res.status(400).json({ ok: false, error: "User with this email already exists" });
+      }
+      const existingInvite = await Invite.findOne({
+        email: emailAddress,
+        isUsed: false,
+        isExpired: false
+      });
+      if (existingInvite) {
+        return res.status(400).json({
+          ok: false,
+          error: "An active invite already exists for this email"
+        });
+      }
+      const token = email.sign({
+        email: emailAddress,
+        role,
+        inviteId: (0, import_crypto.randomUUID)()
+      });
+      const invite = await Invite.create({
+        id: token,
+        email: emailAddress,
+        role,
+        invitedBy: req.user?.sub,
+        isUsed: false,
+        expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1e3)
+      });
+      await email.send(
+        emailAddress,
+        "You are invited",
+        `<a href="${getFrontendBaseUrl(options)}/auth/accept-invite?token=${token}">Accept</a>`
+      );
+      res.json({
+        ok: true,
+        inviteId: invite.id,
+        email: invite.email,
+        role: invite.role,
+        expiresAt: invite.expiresAt
+      });
+    }
+  );
+  r.get("/accept-invite", async (req, res) => {
+    const inv = await Invite.findOne({ id: String(req.query.token) });
+    res.json({ ok: !!inv && !inv.isUsed && !inv.isExpired });
+  });
+  r.post("/accept-invite", async (req, res) => {
+    const { token, firstName, lastName, password, projectId } = req.body || {};
+    if (!token || !firstName || !lastName || !isPasswordStrong(password || "")) {
+      return res.status(400).json({ ok: false, error: "Invalid payload" });
+    }
+    const invite = await Invite.findOne({
+      id: token,
+      isUsed: false,
+      isExpired: false
+    });
+    if (!invite) {
+      return res.status(400).json({ ok: false, error: "Invitation not found or already used" });
+    }
+    if (invite.expiresAt && invite.expiresAt.getTime() < Date.now()) {
+      invite.isExpired = true;
+      await invite.save();
+      return res.status(400).json({ ok: false, error: "Invitation has expired" });
+    }
+    try {
+      const kcUser = await authAdmin.createUserInRealm({
+        username: invite.email,
+        email: invite.email,
+        firstName,
+        lastName,
+        projectId,
+        emailVerified: true,
+        credentials: [{ type: "password", value: password, temporary: false }]
+      });
+      await authAdmin.assignRealmRole(kcUser.id, invite.role);
+      await OrgUser.findOneAndUpdate(
+        { email: invite.email },
+        {
+          id: kcUser.id,
+          email: invite.email,
+          firstName,
+          lastName,
+          roles: [invite.role],
+          emailVerified: true
+        },
+        { upsert: true, new: true, setDefaultsOnInsert: true }
+      );
+      invite.isUsed = true;
+      invite.usedAt = /* @__PURE__ */ new Date();
+      invite.usedBy = kcUser.id;
+      await invite.save();
+      res.json({
+        ok: true,
+        message: "Account created successfully.",
+        email: invite.email
+      });
+    } catch (err) {
+      res.status(400).json({
+        ok: false,
+        error: err?.response?.data?.error_description || err?.message || "Failed to create account"
+      });
+    }
+  });
+  r.get("/invites", requireAuth(), async (_req, res) => {
+    const invites = await Invite.find().sort({ createdAt: -1 }).lean();
+    res.json(invites);
+  });
+  r.delete("/invites/:inviteId", requireAuth(), async (req, res) => {
+    await Invite.deleteOne({ id: req.params.inviteId });
+    res.json({ ok: true });
+  });
+  r.get("/get-user-by-email", async (req, res) => {
+    const user = await OrgUser.findOne({ email: req.query.email }).lean();
+    res.json(user || null);
+  });
+  r.get("/google", async (_req, res) => {
+    res.json({ url: "/auth/google/callback?code=demo" });
+  });
+  r.get("/google/callback", async (_req, res) => {
+    res.cookie(
+      "access_token",
+      "ACCESS.TOKEN.PLACEHOLDER",
+      cookieOpts(false)
+    );
+    res.redirect("/");
+  });
+  r.get("/get-users", async (req, res) => {
+    const user = await OrgUser.find({ projectId: req.query.projectId }).lean();
+    res.json(user || null);
+  });
+  return r;
+}
+function setAuthCookies(res, tokens) {
+  if (tokens?.access_token) {
+    res.cookie("access_token", tokens.access_token, {
+      httpOnly: true,
+      secure: false,
+      sameSite: "lax",
+      maxAge: 24 * 60 * 60 * 1e3,
+      // 24 hours
+      path: "/"
+    });
+  }
+  if (tokens?.refresh_token) {
+    res.cookie("refresh_token", tokens.refresh_token, {
+      httpOnly: true,
+      secure: false,
+      sameSite: "lax",
+      maxAge: 24 * 60 * 60 * 1e3,
+      // 24 hours
+      path: "/"
+    });
+  }
+}
+function toUserResponse(user) {
+  if (!user) return null;
+  return {
+    sub: user.id || user.keycloakId,
+    email: user.email,
+    firstName: user.firstName,
+    lastName: user.lastName,
+    projectId: user.projectId,
+    metadata: user.metadata,
+    roles: user.roles
+  };
+}
+function respondWithKeycloakError(res, err, fallback, status = 400) {
+  const description = err?.response?.data?.error_description || err?.response?.data?.errorMessage || err?.message || fallback;
+  return res.status(status).json({ ok: false, error: description });
+}
+function buildVerificationTemplate(token, options) {
+  return `<a href="${getFrontendBaseUrl(options)}/auth/verify-email?token=${token}">Verify</a>`;
+}
+function buildResetTemplate(token, options) {
+  return `<a href="${getFrontendBaseUrl(options)}/auth/reset-password?token=${token}">Reset</a>`;
+}
+function getFrontendBaseUrl(options) {
+  if (options.frontendBaseUrl)
+    return options.frontendBaseUrl.replace(/\/$/, "");
+  const domain = process.env.ORG_DOMAIN?.replace(/\/$/, "");
+  if (!domain) return "";
+  return domain.startsWith("http") ? domain : `https://${domain}`;
+}
+async function sendRateLimitedEmail({
+  emailService,
+  user,
+  subject,
+  html
+}) {
+  const can = emailService.canSend(user?.lastEmailSent || []);
+  if (!can.ok) {
+    return { rateLimited: true, waitMs: can.waitMs };
+  }
+  await emailService.send(user.email, subject, html);
+  user.lastEmailSent = [...user.lastEmailSent || [], /* @__PURE__ */ new Date()];
+  await user.save();
+  return { rateLimited: false };
+}
+function generateTokens(user) {
+  const accessToken = import_jsonwebtoken4.default.sign(
+    {
+      sub: user.id.toString(),
+      email: user.email,
+      roles: user.roles || [],
+      type: "user"
+    },
+    process.env.JWT_SECRET,
+    { expiresIn: "1h" }
+  );
+  const refreshToken = import_jsonwebtoken4.default.sign(
+    { sub: user._id.toString() },
+    process.env.JWT_SECRET,
+    { expiresIn: "30d" }
+  );
+  return { access_token: accessToken, refresh_token: refreshToken };
+}
+
+// src/express/dashboards.routes.ts
+var import_express2 = __toESM(require("express"), 1);
+function createDashboardRouter(options) {
+  const r = (0, import_express2.Router)();
+  const kc = new AuthAdminService();
+  r.use(import_express2.default.json());
+  r.post("/", requireAuth(), async (req, res, next) => {
+    try {
+      const { slug, isPublic, authFlow, orgDomain } = req.body || {};
+      const redirectUris = [`https://${slug}.${orgDomain}/*`];
+      const created = await kc.createClient(slug, redirectUris, !!isPublic);
+      if (authFlow || isPublic != null) {
+        await kc.updateClient(created.id, {
+          authenticationFlowBindingOverrides: authFlow ? { browser: authFlow } : void 0,
+          registrationAllowed: !!isPublic
+        });
+      }
+      res.json({ clientId: created.clientId });
+    } catch (e) {
+      next(e);
+    }
+  });
+  return r;
+}
+
+// src/express/email.routes.ts
+var import_express3 = require("express");
+function createEmailRouter(options) {
+  const r = (0, import_express3.Router)();
+  r.get(
+    "/verify",
+    (req, res) => res.json({ ok: true, token: req.query.token })
+  );
+  return r;
+}
+
+// src/express/projects.routes.ts
+var import_express4 = require("express");
+
+// src/services/projects.service.ts
+var import_crypto2 = require("crypto");
+
+// src/models/moduleConnection.model.ts
+var import_mongoose5 = __toESM(require("mongoose"), 1);
+var ModuleItemSchema = new import_mongoose5.default.Schema(
+  { id: { type: String, required: true } },
+  { _id: false }
+);
+var ModuleConnectionSchema = new import_mongoose5.default.Schema(
+  {
+    projectId: { type: String, required: true, index: true },
+    modules: {
+      data: { type: [ModuleItemSchema], default: [] },
+      integration: { type: [ModuleItemSchema], default: [] },
+      storage: { type: [ModuleItemSchema], default: [] }
+    }
+  },
+  { timestamps: true, collection: "module_connection" }
+);
+var ModuleConnection = import_mongoose5.default.model(
+  "ModuleConnection",
+  ModuleConnectionSchema
+);
+
+// src/models/project.model.ts
+var import_mongoose6 = __toESM(require("mongoose"), 1);
+var ProjectSchema = new import_mongoose6.default.Schema(
+  {
+    _id: { type: String, required: true },
+    org_id: { type: String, required: true, index: true },
+    name: { type: String, required: true },
+    description: { type: String },
+    secret: { type: String, required: true }
+  },
+  { timestamps: true, collection: "projects" }
+);
+var Project = import_mongoose6.default.model("Project", ProjectSchema);
+
+// src/services/projects.service.ts
+var ProjectsService = class {
+  async create(org_id, name, description) {
+    const _id = (0, import_crypto2.randomUUID)();
+    const secret = (0, import_crypto2.randomUUID)();
+    const p = await Project.create({ _id, org_id, name, description, secret });
+    await ModuleConnection.create({
+      projectId: _id,
+      modules: { data: [], integration: [], storage: [] }
+    });
+    return p.toObject();
+  }
+  async list(org_id) {
+    return Project.find({ org_id }).lean();
+  }
+  async get(org_id, id) {
+    return Project.findOne({ org_id, _id: id }).lean();
+  }
+  async update(org_id, id, patch) {
+    return Project.findOneAndUpdate(
+      { org_id, _id: id },
+      { $set: patch },
+      { new: true }
+    ).lean();
+  }
+  async remove(org_id, id) {
+    await Project.deleteOne({ org_id, _id: id });
+    await ModuleConnection.deleteMany({ projectId: id });
+    return { ok: true };
+  }
+};
+
+// src/express/projects.routes.ts
+function createProjectsRouter(options) {
+  const r = (0, import_express4.Router)();
+  const svc = new ProjectsService();
+  r.post("/create", requireAuth(), async (req, res) => {
+    const { org_id, name, description } = req.body || {};
+    const p = await svc.create(org_id, name, description);
+    res.json(p);
+  });
+  r.get("/:org_id", requireAuth(), async (req, res) => {
+    res.json(await svc.list(req.params.org_id));
+  });
+  r.get("/:org_id/:id", requireAuth(), async (req, res) => {
+    res.json(await svc.get(req.params.org_id, req.params.id));
+  });
+  r.put("/:org_id/:id", requireAuth(), async (req, res) => {
+    res.json(
+      await svc.update(req.params.org_id, req.params.id, req.body || {})
+    );
+  });
+  r.delete("/:org_id/:id", requireAuth(), async (req, res) => {
+    res.json(await svc.remove(req.params.org_id, req.params.id));
+  });
+  return r;
+}
+
+// src/express/admin/admin.routes.ts
+var import_bcryptjs2 = __toESM(require("bcryptjs"), 1);
+var import_crypto3 = require("crypto");
+var import_express5 = __toESM(require("express"), 1);
+
+// src/core/utils.ts
+function hasRole(session, role) {
+  if (!session || !session.roles) return false;
+  return session.roles.includes(role);
+}
+function hasAnyRole(session, roles) {
+  if (!session || !session.roles || !Array.isArray(roles) || roles.length === 0) {
+    return false;
+  }
+  return roles.some((role) => session.roles.includes(role));
+}
+function hasAllRoles(session, roles) {
+  if (!session || !session.roles || !Array.isArray(roles) || roles.length === 0) {
+    return false;
+  }
+  return roles.every((role) => session.roles.includes(role));
+}
+function hasPermission(session, permission) {
+  if (!session || !session.permissions) return false;
+  return session.permissions.includes(permission);
+}
+function hasAnyPermission(session, permissions) {
+  if (!session || !session.permissions || !Array.isArray(permissions) || permissions.length === 0) {
+    return false;
+  }
+  return permissions.some((perm) => session.permissions.includes(perm));
+}
+function hasAllPermissions(session, permissions) {
+  if (!session || !session.permissions || !Array.isArray(permissions) || permissions.length === 0) {
+    return false;
+  }
+  return permissions.every((perm) => session.permissions.includes(perm));
+}
+
+// src/middlewares/requireRole.ts
+function requireRole(...roles) {
+  return (req, res, next) => {
+    const user = req.user;
+    if (!user) {
+      return res.status(401).json({ error: "Unauthorized" });
+    }
+    if (!roles || roles.length === 0) {
+      return next();
+    }
+    if (!hasAnyRole(user, roles)) {
+      return res.status(403).json({
+        error: `Requires one of roles: ${roles.join(", ")}`,
+        required: roles,
+        userRoles: user.roles
+      });
+    }
+    next();
+  };
+}
+
+// src/models/permissions.model.ts
+var import_mongoose7 = __toESM(require("mongoose"), 1);
+var PermissionsSchema = new import_mongoose7.Schema(
+  {
+    id: { type: String, required: true, index: true },
+    orgId: { type: String, default: null, index: true },
+    key: { type: String, required: true },
+    type: { type: String, required: true },
+    apiId: { type: String, required: false },
+    description: { type: String },
+    isInternal: { type: Boolean, default: false }
+  },
+  {
+    timestamps: true
+  }
+);
+PermissionsSchema.index({ orgId: 1, key: 1 }, { unique: true });
+var PermissionsModel = import_mongoose7.default.model(
+  "Permissions",
+  PermissionsSchema,
+  "permissions"
+);
+
+// src/express/admin/admin.routes.ts
+function resolveOrgId(req) {
+  const user = req.user || {};
+  const fromUser = user.orgId || user.org_id || null;
+  const fromQuery = req.query.orgId || null;
+  const fromBody = req.body && req.body.orgId || null;
+  return fromQuery || fromBody || fromUser;
+}
+function resolveProjectId(req) {
+  const user = req.user || {};
+  const fromUser = user.projectId || null;
+  const fromQuery = req.query.projectId || null;
+  const fromBody = req.body && req.body.projectId || null;
+  return fromQuery || fromBody || fromUser;
+}
+function createAdminRouter(_options = {}) {
+  const r = (0, import_express5.Router)();
+  r.use(import_express5.default.json());
+  r.use(import_express5.default.urlencoded({ extended: true }));
+  const adminGuards = [requireAuth(), requireRole("platform_admin")];
+  r.post(
+    "/users",
+    ...adminGuards,
+    async (req, res) => {
+      const {
+        firstName,
+        lastName,
+        email: emailAddress,
+        password,
+        emailVerified = false,
+        roles = []
+      } = req.body || {};
+      const projectId = resolveProjectId(req);
+      try {
+        const hashedPassword = password ? await import_bcryptjs2.default.hash(password, 10) : void 0;
+        const user = await OrgUser.create({
+          id: (0, import_crypto3.randomUUID)(),
+          email: emailAddress,
+          orgId: process.env.ORG_ID,
+          firstName,
+          lastName,
+          projectId,
+          emailVerified,
+          metadata: [],
+          passwordHash: hashedPassword,
+          roles
+        });
+        return res.json({
+          id: user.id,
+          email: user.email,
+          message: "Verification email sent. Please check your inbox."
+        });
+      } catch (err) {
+        console.error("Create user error:", err);
+        return res.status(500).json({ error: "INTERNAL_ERROR" });
+      }
+    }
+  );
+  r.delete(
+    "/users",
+    ...adminGuards,
+    async (req, res) => {
+      try {
+        const userId = req?.body?.id || req?.query?.id;
+        if (!userId) {
+          return res.status(400).json({
+            error: "VALIDATION_ERROR",
+            message: "UserId is required (send in body.id or ?id=...)"
+          });
+        }
+        const deleted = await OrgUser.findOneAndDelete({ id: userId }).exec();
+        if (!deleted) {
+          return res.status(404).json({
+            error: "NOT_FOUND",
+            message: "User not found or already deleted"
+          });
+        }
+        return res.status(200).json({
+          ok: true,
+          message: "User deleted successfully",
+          deletedUser: {
+            id: deleted.id,
+            firstName: deleted.firstName,
+            email: deleted.email,
+            orgId: deleted.orgId
+          }
+        });
+      } catch (err) {
+        console.error("Delete user error:", err);
+        return res.status(500).json({ error: "INTERNAL_ERROR" });
+      }
+    }
+  );
+  r.put(
+    "/users/:id",
+    ...adminGuards,
+    async (req, res) => {
+      const userId = req.params.id;
+      const {
+        firstName,
+        lastName,
+        email: emailAddress,
+        password,
+        emailVerified,
+        roles
+      } = req.body || {};
+      try {
+        const existingUser = await OrgUser.findOne({
+          id: userId,
+          orgId: process.env.ORG_ID
+        });
+        if (!existingUser) {
+          return res.status(404).json({ error: "USER_NOT_FOUND" });
+        }
+        if (firstName !== void 0) existingUser.firstName = firstName;
+        if (lastName !== void 0) existingUser.lastName = lastName;
+        if (emailAddress !== void 0) existingUser.email = emailAddress;
+        if (emailVerified !== void 0)
+          existingUser.emailVerified = emailVerified;
+        if (roles !== void 0) existingUser.roles = roles;
+        if (password) {
+          existingUser.passwordHash = await import_bcryptjs2.default.hash(password, 10);
+        }
+        await existingUser.save();
+        return res.json({
+          id: existingUser.id,
+          email: existingUser.email,
+          message: "User updated successfully."
+        });
+      } catch (err) {
+        console.error("Update user error:", err);
+        return res.status(500).json({ error: "INTERNAL_ERROR" });
+      }
+    }
+  );
+  r.get(
+    "/permissions",
+    ...adminGuards,
+    async (req, res) => {
+      try {
+        const orgId = resolveOrgId(req);
+        const filter = {};
+        if (orgId !== null) {
+          filter.orgId = orgId;
+        } else {
+          filter.orgId = null;
+        }
+        const items = await PermissionsModel.find(filter).lean().exec();
+        return res.json(items);
+      } catch (err) {
+        return res.status(500).json({ error: "INTERNAL_ERROR" });
+      }
+    }
+  );
+  r.post(
+    "/permissions",
+    ...adminGuards,
+    async (req, res) => {
+      try {
+        const orgId = resolveOrgId(req);
+        const {
+          key,
+          type,
+          apiId,
+          description,
+          isInternal = false
+        } = req.body || {};
+        if (!key || !type) {
+          return res.status(400).json({
+            error: "VALIDATION_ERROR",
+            message: "permission key, and permission type are required"
+          });
+        }
+        const id = (0, import_crypto3.randomUUID)();
+        const permission = await PermissionsModel.create({
+          id,
+          orgId: orgId ?? null,
+          key,
+          type,
+          apiId,
+          description,
+          isInternal: !!isInternal
+        });
+        await RolePermissionModel.findOneAndUpdate(
+          { orgId: orgId ?? null, role: "platform_admin" },
+          { $addToSet: { permissions: key } },
+          { upsert: true, new: true }
+        ).exec();
+        return res.status(201).json(permission);
+      } catch (err) {
+        if (err && err.code === 11e3) {
+          return res.status(409).json({
+            error: "DUPLICATE_PERMISSION",
+            message: "Permission key already exists for this org"
+          });
+        }
+        return res.status(500).json({ error: "INTERNAL_ERROR" });
+      }
+    }
+  );
+  r.put(
+    "/permissions/:id",
+    ...adminGuards,
+    async (req, res) => {
+      try {
+        const orgId = resolveOrgId(req);
+        const permissionId = req.params.id;
+        const { key, type, apiId, description, isInternal } = req.body || {};
+        const existing = await PermissionsModel.findOne({
+          id: permissionId,
+          orgId: orgId ?? null
+        });
+        if (!existing) {
+          return res.status(404).json({
+            error: "NOT_FOUND",
+            message: "Permission does not exist"
+          });
+        }
+        const oldKey = existing.key;
+        if (key !== void 0) existing.key = key;
+        if (type !== void 0) existing.type = type;
+        if (apiId !== void 0) existing.apiId = apiId;
+        if (description !== void 0) existing.description = description;
+        if (isInternal !== void 0) existing.isInternal = !!isInternal;
+        await existing.save();
+        if (oldKey !== key) {
+          await RolePermissionModel.updateMany(
+            {
+              orgId: orgId ?? null,
+              permissions: oldKey
+            },
+            {
+              $pull: { permissions: oldKey }
+            }
+          );
+          await RolePermissionModel.updateMany(
+            {
+              orgId: orgId ?? null
+            },
+            {
+              $addToSet: { permissions: key }
+            }
+          );
+        }
+        return res.json(existing);
+      } catch (err) {
+        if (err && err.code === 11e3) {
+          return res.status(409).json({
+            error: "DUPLICATE_PERMISSION",
+            message: "Permission key already exists for this org"
+          });
+        }
+        console.error("Update permission error:", err);
+        return res.status(500).json({ error: "INTERNAL_ERROR" });
+      }
+    }
+  );
+  r.delete(
+    "/permissions",
+    ...adminGuards,
+    async (req, res) => {
+      try {
+        const permissionId = req?.body?.id || req?.query?.id;
+        if (!permissionId) {
+          return res.status(400).json({
+            error: "VALIDATION_ERROR",
+            message: "Permission id is required (send in body.id or ?id=...)"
+          });
+        }
+        const existing = await PermissionsModel.findOne({ id: permissionId });
+        if (!existing) {
+          return res.status(404).json({
+            error: "NOT_FOUND",
+            message: "Permission not found or already deleted"
+          });
+        }
+        const { key, orgId } = existing;
+        await PermissionsModel.deleteOne({ id: permissionId });
+        await RolePermissionModel.updateMany(
+          { orgId: orgId ?? null },
+          { $pull: { permissions: key } }
+        );
+        return res.status(200).json({
+          ok: true,
+          message: "Permission deleted successfully",
+          deletedPermission: {
+            id: existing.id,
+            key: existing.key,
+            type: existing.type,
+            apiId: existing.apiId,
+            description: existing.description,
+            isInternal: existing.isInternal,
+            orgId: existing.orgId
+          }
+        });
+      } catch (err) {
+        console.error("Delete permission error:", err);
+        return res.status(500).json({ error: "INTERNAL_ERROR" });
+      }
+    }
+  );
+  r.get(
+    "/roles",
+    ...adminGuards,
+    async (req, res) => {
+      try {
+        const orgId = resolveOrgId(req);
+        const filter = {};
+        if (orgId !== null) {
+          filter.orgId = orgId;
+        } else {
+          filter.orgId = null;
+        }
+        const roles = await RolePermissionModel.find(filter).lean().exec();
+        return res.json(roles);
+      } catch (err) {
+        return res.status(500).json({ error: "INTERNAL_ERROR" });
+      }
+    }
+  );
+  r.post(
+    "/roles",
+    ...adminGuards,
+    async (req, res) => {
+      try {
+        const orgId = resolveOrgId(req);
+        const { role, permissions } = req.body || {};
+        if (!role || !Array.isArray(permissions)) {
+          return res.status(400).json({
+            error: "VALIDATION_ERROR",
+            message: "role and permissions[] are required"
+          });
+        }
+        const id = (0, import_crypto3.randomUUID)();
+        const doc = await RolePermissionModel.findOneAndUpdate(
+          { orgId: orgId ?? null, role },
+          { $set: { permissions } },
+          { upsert: true, new: true }
+        ).exec();
+        return res.status(200).json(doc);
+      } catch (err) {
+        return res.status(500).json({ error: "INTERNAL_ERROR" });
+      }
+    }
+  );
+  r.put(
+    "/roles/:id",
+    ...adminGuards,
+    async (req, res) => {
+      try {
+        const orgId = resolveOrgId(req);
+        const roleId = req.params.id;
+        const { role: newRoleName, permissions } = req.body || {};
+        if (!newRoleName || !Array.isArray(permissions)) {
+          return res.status(400).json({
+            error: "VALIDATION_ERROR",
+            message: "role and permissions are required"
+          });
+        }
+        const existing = await RolePermissionModel.findById(roleId);
+        if (!existing) {
+          return res.status(404).json({
+            error: "ROLE_NOT_FOUND",
+            message: "Role does not exist"
+          });
+        }
+        const oldRoleName = existing.role;
+        existing.role = newRoleName;
+        existing.permissions = permissions;
+        await existing.save();
+        if (oldRoleName !== newRoleName) {
+          await OrgUser.updateMany(
+            {
+              orgId: orgId ?? null,
+              roles: oldRoleName
+            },
+            {
+              $pull: { roles: oldRoleName }
+            }
+          );
+          await OrgUser.updateMany(
+            {
+              orgId: orgId ?? null,
+              roles: { $ne: newRoleName }
+              // avoid duplicates
+            },
+            {
+              $addToSet: { roles: newRoleName }
+            }
+          );
+        }
+        return res.status(200).json(existing);
+      } catch (err) {
+        console.error("Update role error:", err);
+        return res.status(500).json({ error: "INTERNAL_ERROR" });
+      }
+    }
+  );
+  r.delete(
+    "/roles",
+    ...adminGuards,
+    async (req, res) => {
+      try {
+        const roleId = req?.body?.id || req?.query?.id;
+        if (!roleId) {
+          return res.status(400).json({
+            error: "VALIDATION_ERROR",
+            message: "Role _id is required (send in body.id or ?id=...)"
+          });
+        }
+        if (!/^[0-9a-fA-F]{24}$/.test(roleId)) {
+          return res.status(400).json({
+            error: "VALIDATION_ERROR",
+            message: "Invalid role _id format"
+          });
+        }
+        const deleted = await RolePermissionModel.findByIdAndDelete(roleId).exec();
+        if (!deleted) {
+          return res.status(404).json({
+            error: "NOT_FOUND",
+            message: "Role not found or already deleted"
+          });
+        }
+        return res.status(200).json({
+          ok: true,
+          message: "Role deleted successfully",
+          deletedRole: {
+            _id: deleted._id,
+            role: deleted.role,
+            orgId: deleted.orgId
+          }
+        });
+      } catch (err) {
+        console.error("Delete role error:", err);
+        return res.status(500).json({ error: "INTERNAL_ERROR" });
+      }
+    }
+  );
+  return r;
+}
+
+// src/nest/index.ts
+var nest = {
+  mountAuthRouter(app, options) {
+    const httpAdapter = app.getHttpAdapter().getInstance();
+    const authRouter = createAuthRouter(options.routerOptions || {});
+    const authPath = options.authBasePath || "/auth";
+    httpAdapter.use(authPath, authRouter);
+    const adminRouter = createAdminRouter(options);
+    const adminPath = options.adminBasePath || "/admin";
+    httpAdapter.use(adminPath, adminRouter);
+    const dashboardRouter = createDashboardRouter(options);
+    const dashboardPath = options.dashboardBasePath || "/dashboards";
+    httpAdapter.use(dashboardPath, dashboardRouter);
+    const emailRouter = createEmailRouter(options);
+    const emailPath = options.emailBasePath || "/email";
+    httpAdapter.use(emailPath, emailRouter);
+    const projectsRouter = createProjectsRouter(options);
+    const projectsPath = options.projectsBasePath || "/projects";
+    httpAdapter.use(projectsPath, projectsRouter);
+    return {
+      authRouter,
+      dashboardRouter,
+      emailRouter,
+      projectsRouter,
+      adminRouter
+    };
+  }
+};
+
+// src/middlewares/permission.middleware.ts
+function requirePermission(permissionKey) {
+  return async (req, res, next) => {
+    try {
+      console.log("INSIDE PERMISSION MIDDLEWARE", permissionKey);
+      const user = req.user;
+      if (!user) {
+        return res.status(401).json({ error: "Unauthorized" });
+      }
+      const roles = Array.isArray(user.roles) ? user.roles : [];
+      if (!roles.length) {
+        return res.status(403).json({ error: "Forbidden", reason: "NO_ROLES" });
+      }
+      if (roles.includes("platform_admin")) {
+        return next();
+      }
+      const orgId = user.orgId || user.org_id || user.projectId || null;
+      const rolePermissions = await RolePermissionModel.find({
+        orgId,
+        role: { $in: roles }
+      }).lean().exec();
+      const allowed = /* @__PURE__ */ new Set();
+      for (const rp of rolePermissions) {
+        if (Array.isArray(rp.permissions)) {
+          for (const p of rp.permissions) {
+            allowed.add(p);
+          }
+        }
+      }
+      if (!allowed.has(permissionKey)) {
+        return res.status(403).json({
+          error: "Forbidden",
+          reason: "MISSING_PERMISSION",
+          permission: permissionKey
+        });
+      }
+      return next();
+    } catch (err) {
+      return next(err);
+    }
+  };
+}
+
+// src/middlewares/requirePermission.ts
+function requirePermission2(permission) {
+  return (req, res, next) => {
+    const user = req.user;
+    if (!user) {
+      return res.status(401).json({ error: "Unauthorized" });
+    }
+    if (!permission) {
+      return next();
+    }
+    if (!hasPermission(user, permission)) {
+      return res.status(403).json({
+        error: "Forbidden",
+        reason: "MISSING_PERMISSION",
+        permission,
+        userPermissions: user.permissions
+      });
+    }
+    next();
+  };
+}
+
+// src/services/upload.service.ts
+var import_client_s3 = require("@aws-sdk/client-s3");
+var import_crypto4 = require("crypto");
+var UploadsService = class {
+  s3;
+  constructor() {
+    this.s3 = new import_client_s3.S3Client({
+      region: process.env.AWS_REGION,
+      credentials: {
+        accessKeyId: process.env.AWS_ACCESS_KEY_ID,
+        secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY
+      }
+    });
+  }
+  async uploadPublicImage(buffer, mimetype, ext) {
+    const key = `${(0, import_crypto4.randomUUID)()}.${ext}`;
+    await this.s3.send(
+      new import_client_s3.PutObjectCommand({
+        Bucket: process.env.AWS_S3_BUCKET,
+        Key: key,
+        Body: buffer,
+        ACL: "public-read",
+        ContentType: mimetype
+      })
+    );
+    return `https://${process.env.AWS_S3_BUCKET}.s3.${process.env.AWS_REGION}.amazonaws.com/${key}`;
+  }
+};
+
+// src/nest/authx.guard.ts
+var import_common3 = require("@nestjs/common");
+var import_core = require("@nestjs/core");
+var import_passport = require("@nestjs/passport");
+
+// src/nest/decorators/permissions.decorator.ts
+var import_common = require("@nestjs/common");
+var PERMISSIONS_KEY = "permissions";
+var Permissions = (...permissions) => (0, import_common.SetMetadata)(PERMISSIONS_KEY, permissions);
+
+// src/nest/decorators/roles.decorator.ts
+var import_common2 = require("@nestjs/common");
+var ROLES_KEY = "roles";
+var Roles = (...roles) => (0, import_common2.SetMetadata)(ROLES_KEY, roles);
+
+// src/nest/authx.guard.ts
+var AuthXGuard = class extends (0, import_passport.AuthGuard)("authx") {
+  reflector = new import_core.Reflector();
+  constructor() {
+    super();
+  }
+  /**
+   * Override handleRequest to convert Passport errors to NestJS exceptions
+   * This prevents the "Right-hand side of 'instanceof' is not an object" error
+   */
+  handleRequest(err, user, info, context) {
+    if (err || !user) {
+      const message = err?.message || info?.message || "Authentication required";
+      throw new import_common3.UnauthorizedException(message);
+    }
+    return user;
+  }
+  async canActivate(context) {
+    try {
+      let authenticated;
+      try {
+        authenticated = await super.canActivate(context);
+      } catch (passportError) {
+        const message = passportError?.message || "Authentication required";
+        throw new import_common3.UnauthorizedException(message);
+      }
+      if (!authenticated) {
+        throw new import_common3.UnauthorizedException("Authentication required");
+      }
+      const request = context.switchToHttp().getRequest();
+      const user = request.user;
+      if (!user) {
+        throw new import_common3.UnauthorizedException("Authentication required");
+      }
+      const requiredRoles = this.reflector.getAllAndOverride(
+        ROLES_KEY,
+        [context.getHandler(), context.getClass()]
+      );
+      const requiredPermissions = this.reflector.getAllAndOverride(
+        PERMISSIONS_KEY,
+        [context.getHandler(), context.getClass()]
+      );
+      if (requiredRoles && requiredRoles.length > 0) {
+        if (!hasAnyRole(user, requiredRoles)) {
+          throw new import_common3.ForbiddenException(
+            `Requires one of roles: ${requiredRoles.join(", ")}`
+          );
+        }
+      }
+      if (requiredPermissions && requiredPermissions.length > 0) {
+        if (!hasAnyPermission(user, requiredPermissions)) {
+          throw new import_common3.ForbiddenException(
+            `Requires one of permissions: ${requiredPermissions.join(", ")}`
+          );
+        }
+      }
+      return true;
+    } catch (error) {
+      if (error instanceof import_common3.UnauthorizedException || error instanceof import_common3.ForbiddenException) {
+        throw error;
+      }
+      const errorMessage = error instanceof Error ? error.message : String(error);
+      throw new import_common3.UnauthorizedException(errorMessage || "Authentication failed");
+    }
+  }
+};
+AuthXGuard = __decorateClass([
+  (0, import_common3.Injectable)()
+], AuthXGuard);
+
+// src/nest/decorators/session.decorator.ts
+var import_common4 = require("@nestjs/common");
+var AuthXSessionDecorator = (0, import_common4.createParamDecorator)(
+  (data, ctx) => {
+    const request = ctx.switchToHttp().getRequest();
+    return request.user || null;
+  }
+);
+
+// src/passport/authx.strategy.ts
+var import_passport2 = require("passport");
+var AuthXStrategy = class extends import_passport2.Strategy {
+  name = "authx";
+  authenticate(req) {
+    try {
+      console.log("AuthXStrategy.authenticate - starting");
+      const token = extractToken(req);
+      console.log("AuthXStrategy.authenticate - token extracted:", token ? "yes" : "no");
+      if (!token) {
+        console.log("AuthXStrategy.authenticate - no token, failing");
+        return this.fail({ message: "Missing token" }, 401);
+      }
+      console.log("AuthXStrategy.authenticate - verifying JWT");
+      verifyJwt(token).then((claims) => {
+        console.log("AuthXStrategy.authenticate - JWT verified successfully");
+        const session = buildSession(claims);
+        req.user = session;
+        return this.success(session);
+      }).catch((error) => {
+        console.log("AuthXStrategy.authenticate - JWT verification failed:", error?.message || error);
+        return this.fail({ message: error?.message || "Unauthorized" }, 401);
+      });
+    } catch (error) {
+      console.log("AuthXStrategy.authenticate - exception caught:", error?.message || error);
+      return this.fail({ message: error?.message || "Unauthorized" }, 401);
+    }
+  }
+};
+function createAuthXStrategy() {
+  return new AuthXStrategy();
+}
+
+// src/next/server/authx.ts
+var import_headers = require("next/headers");
+async function authx() {
+  try {
+    const cookieStore = await (0, import_headers.cookies)();
+    const token = cookieStore.get("access_token")?.value || cookieStore.get("authorization")?.value || cookieStore.get("auth_token")?.value || null;
+    if (!token) {
+      return { session: null };
+    }
+    const claims = await verifyJwt(token);
+    const session = buildSession(claims);
+    return { session };
+  } catch (error) {
+    return { session: null };
+  }
+}
+
+// src/next/server/withAuthRoute.ts
+var import_server = require("next/server");
+function withAuthRoute(permissionOrHandler, handler) {
+  let permission;
+  let routeHandler;
+  if (typeof permissionOrHandler === "string") {
+    permission = permissionOrHandler;
+    routeHandler = handler;
+  } else {
+    permission = void 0;
+    routeHandler = permissionOrHandler;
+  }
+  return async (req, context) => {
+    const { session } = await authx();
+    if (!session) {
+      return new import_server.NextResponse(
+        JSON.stringify({ error: "Unauthorized" }),
+        { status: 401, headers: { "Content-Type": "application/json" } }
+      );
+    }
+    if (permission && !hasPermission(session, permission)) {
+      return new import_server.NextResponse(
+        JSON.stringify({
+          error: "Forbidden",
+          reason: "MISSING_PERMISSION",
+          permission
+        }),
+        { status: 403, headers: { "Content-Type": "application/json" } }
+      );
+    }
+    return routeHandler(req, session, context);
+  };
+}
+
+// src/next/client/AuthXProvider.tsx
+var import_react = require("react");
+var import_jsx_runtime = require("react/jsx-runtime");
+var AuthXContext = (0, import_react.createContext)(void 0);
+function AuthXProvider({ children, apiUrl = "/auth/me" }) {
+  const [session, setSession] = (0, import_react.useState)(null);
+  const [isLoading, setIsLoading] = (0, import_react.useState)(true);
+  const [error, setError] = (0, import_react.useState)(null);
+  const fetchSession = async () => {
+    try {
+      setIsLoading(true);
+      setError(null);
+      const response = await fetch(apiUrl, {
+        credentials: "include"
+        // Include cookies
+      });
+      if (!response.ok) {
+        if (response.status === 401) {
+          setSession(null);
+          return;
+        }
+        throw new Error(`Failed to fetch session: ${response.statusText}`);
+      }
+      const data = await response.json();
+      setSession(data.user || data.session || data);
+    } catch (err) {
+      setError(err instanceof Error ? err : new Error("Unknown error"));
+      setSession(null);
+    } finally {
+      setIsLoading(false);
+    }
+  };
+  (0, import_react.useEffect)(() => {
+    fetchSession();
+  }, [apiUrl]);
+  const value = {
+    session,
+    isLoading,
+    error,
+    refetch: fetchSession
+  };
+  return /* @__PURE__ */ (0, import_jsx_runtime.jsx)(AuthXContext.Provider, { value, children });
+}
+function useAuthXContext() {
+  const context = (0, import_react.useContext)(AuthXContext);
+  if (context === void 0) {
+    throw new Error("useAuthX must be used within an AuthXProvider");
+  }
+  return context;
+}
+
+// src/next/client/HasPermission.tsx
+var import_jsx_runtime2 = require("react/jsx-runtime");
+function HasPermission({
+  permission,
+  children,
+  fallback = null
+}) {
+  const { session, isLoading } = useAuthXContext();
+  if (isLoading) {
+    return null;
+  }
+  if (!session) {
+    return /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(import_jsx_runtime2.Fragment, { children: fallback });
+  }
+  const hasPerm = hasPermission(session, permission);
+  if (!hasPerm) {
+    return /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(import_jsx_runtime2.Fragment, { children: fallback });
+  }
+  return /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(import_jsx_runtime2.Fragment, { children });
+}
+
+// src/next/client/HasRole.tsx
+var import_jsx_runtime3 = require("react/jsx-runtime");
+function HasRole({ role, children, fallback = null }) {
+  const { session, isLoading } = useAuthXContext();
+  if (isLoading) {
+    return null;
+  }
+  if (!session) {
+    return /* @__PURE__ */ (0, import_jsx_runtime3.jsx)(import_jsx_runtime3.Fragment, { children: fallback });
+  }
+  const roles = Array.isArray(role) ? role : [role];
+  const hasRole2 = hasAnyRole(session, roles);
+  if (!hasRole2) {
+    return /* @__PURE__ */ (0, import_jsx_runtime3.jsx)(import_jsx_runtime3.Fragment, { children: fallback });
+  }
+  return /* @__PURE__ */ (0, import_jsx_runtime3.jsx)(import_jsx_runtime3.Fragment, { children });
+}
+
+// src/next/client/SignedIn.tsx
+var import_jsx_runtime4 = require("react/jsx-runtime");
+function SignedIn({ children, fallback = null }) {
+  const { session, isLoading } = useAuthXContext();
+  if (isLoading) {
+    return null;
+  }
+  if (!session) {
+    return /* @__PURE__ */ (0, import_jsx_runtime4.jsx)(import_jsx_runtime4.Fragment, { children: fallback });
+  }
+  return /* @__PURE__ */ (0, import_jsx_runtime4.jsx)(import_jsx_runtime4.Fragment, { children });
+}
+
+// src/next/client/SignedOut.tsx
+var import_jsx_runtime5 = require("react/jsx-runtime");
+function SignedOut({ children, fallback = null }) {
+  const { session, isLoading } = useAuthXContext();
+  if (isLoading) {
+    return null;
+  }
+  if (session) {
+    return /* @__PURE__ */ (0, import_jsx_runtime5.jsx)(import_jsx_runtime5.Fragment, { children: fallback });
+  }
+  return /* @__PURE__ */ (0, import_jsx_runtime5.jsx)(import_jsx_runtime5.Fragment, { children });
+}
+
+// src/next/client/useAuthX.ts
+function useAuthX() {
+  const { session, isLoading, error, refetch } = useAuthXContext();
+  return {
+    session,
+    isLoading,
+    error,
+    refetch,
+    isSignedIn: !!session,
+    userId: session?.userId || null,
+    email: session?.email || null,
+    roles: session?.roles || [],
+    permissions: session?.permissions || []
+  };
+}
+function useHasRole(role) {
+  const { session } = useAuthXContext();
+  if (!session || !session.roles) return false;
+  return session.roles.includes(role);
+}
+function useHasPermission(permission) {
+  const { session } = useAuthXContext();
+  if (!session || !session.permissions) return false;
+  return session.permissions.includes(permission);
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  AuthAdminService,
+  AuthXGuard,
+  AuthXProvider,
+  AuthXSessionDecorator,
+  AuthXStrategy,
+  EmailService,
+  HasPermission,
+  HasRole,
+  PLATFORM_ROLES,
+  Permissions,
+  ProjectsService,
+  Roles,
+  SignedIn,
+  SignedOut,
+  UploadsService,
+  authorize,
+  authx,
+  buildSession,
+  createAuthXStrategy,
+  express,
+  getPermissionsForRoles,
+  hasAllPermissions,
+  hasAllRoles,
+  hasAnyPermission,
+  hasAnyRole,
+  hasPermission,
+  hasRole,
+  nest,
+  requireAuth,
+  requirePermission,
+  requirePermissionLegacy,
+  requireRole,
+  useAuthX,
+  useAuthXContext,
+  useHasPermission,
+  useHasRole,
+  withAuthRoute
+});
+//# sourceMappingURL=index.cjs.map