authvital-sdk 0.1.1-dev.3.cefb119.0

package/dist/server.js

@@ -0,0 +1,2915 @@
+"use strict";Object.defineProperty(exports, "__esModule", {value: true}); function _interopRequireWildcard(obj) { if (obj && obj.__esModule) { return obj; } else { var newObj = {}; if (obj != null) { for (var key in obj) { if (Object.prototype.hasOwnProperty.call(obj, key)) { newObj[key] = obj[key]; } } } newObj.default = obj; return newObj; } } function _nullishCoalesce(lhs, rhsFn) { if (lhs != null) { return lhs; } else { return rhsFn(); } } function _optionalChain(ops) { let lastAccessLHS = undefined; let value = ops[0]; let i = 1; while (i < ops.length) { const op = ops[i]; const fn = ops[i + 1]; i += 2; if ((op === 'optionalAccess' || op === 'optionalCall') && value == null) { return undefined; } if (op === 'access' || op === 'optionalAccess') { lastAccessLHS = value; value = fn(value); } else if (op === 'call' || op === 'optionalCall') { value = fn((...args) => value.call(lastAccessLHS, ...args)); lastAccessLHS = undefined; } } return value; }
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+var _chunkFXVD4Y5Gjs = require('./chunk-FXVD4Y5G.js');
+
+// src/server/jwt-validator.ts
+var JwtValidator = class {
+  constructor(config) {
+    this.jwksCache = null;
+    this.jwksCacheTime = 0;
+    this.fetchPromise = null;
+    if (!config.authVitalHost) {
+      throw new Error(
+        "authVitalHost is required. Pass it in config or set AV_HOST environment variable."
+      );
+    }
+    this.config = {
+      authVitalHost: config.authVitalHost.replace(/\/$/, ""),
+      // Remove trailing slash
+      cacheTtl: _nullishCoalesce(config.cacheTtl, () => ( 3600)),
+      audience: config.audience,
+      issuer: _nullishCoalesce(config.issuer, () => ( config.authVitalHost.replace(/\/$/, "")))
+    };
+  }
+  /**
+   * Get the JWKS URL for this IDP
+   */
+  getJwksUrl() {
+    return `${this.config.authVitalHost}/.well-known/jwks.json`;
+  }
+  /**
+   * Get the OpenID Configuration URL
+   */
+  getOpenIdConfigUrl() {
+    return `${this.config.authVitalHost}/.well-known/openid-configuration`;
+  }
+  /**
+   * Fetch public keys from the JWKS endpoint
+   * Results are cached according to cacheTtl
+   */
+  async getPublicKeys(forceRefresh = false) {
+    const now = Date.now();
+    const cacheExpired = now - this.jwksCacheTime > this.config.cacheTtl * 1e3;
+    if (!forceRefresh && this.jwksCache && !cacheExpired) {
+      return this.jwksCache;
+    }
+    if (this.fetchPromise) {
+      return this.fetchPromise;
+    }
+    this.fetchPromise = this.fetchJwks();
+    try {
+      const jwks = await this.fetchPromise;
+      this.jwksCache = jwks;
+      this.jwksCacheTime = now;
+      return jwks;
+    } finally {
+      this.fetchPromise = null;
+    }
+  }
+  /**
+   * Fetch JWKS from the IDP
+   */
+  async fetchJwks() {
+    const response = await fetch(this.getJwksUrl());
+    if (!response.ok) {
+      throw new Error(`Failed to fetch JWKS: ${response.status} ${response.statusText}`);
+    }
+    const jwks = await response.json();
+    if (!jwks.keys || !Array.isArray(jwks.keys)) {
+      throw new Error("Invalid JWKS response: missing keys array");
+    }
+    return jwks;
+  }
+  /**
+   * Find a key by its ID (kid)
+   */
+  async findKey(kid, allowRefresh = true) {
+    const jwks = await this.getPublicKeys();
+    let key = jwks.keys.find((k) => k.kid === kid);
+    if (!key && allowRefresh) {
+      const refreshedJwks = await this.getPublicKeys(true);
+      key = refreshedJwks.keys.find((k) => k.kid === kid);
+    }
+    return key || null;
+  }
+  /**
+   * Decode a JWT without verification (to get header/payload)
+   */
+  decodeToken(token) {
+    try {
+      const parts = token.split(".");
+      if (parts.length !== 3) return null;
+      const header = JSON.parse(this.base64UrlDecode(parts[0]));
+      const payload = JSON.parse(this.base64UrlDecode(parts[1]));
+      return { header, payload };
+    } catch (e2) {
+      return null;
+    }
+  }
+  /**
+   * Validate a JWT token
+   * 
+   * @param token - The JWT to validate
+   * @returns Validation result with payload if valid
+   */
+  async validateToken(token) {
+    try {
+      const decoded = this.decodeToken(token);
+      if (!decoded) {
+        return { valid: false, error: "Invalid token format" };
+      }
+      const { header, payload } = decoded;
+      if (header.alg !== "RS256") {
+        return { valid: false, error: `Unsupported algorithm: ${header.alg}` };
+      }
+      if (!header.kid) {
+        return { valid: false, error: "Token missing kid header" };
+      }
+      const key = await this.findKey(header.kid);
+      if (!key) {
+        return { valid: false, error: `Unknown signing key: ${header.kid}` };
+      }
+      const isValid = await this.verifySignature(token, key);
+      if (!isValid) {
+        return { valid: false, error: "Invalid signature" };
+      }
+      if (payload.exp && payload.exp < Math.floor(Date.now() / 1e3)) {
+        return { valid: false, error: "Token expired" };
+      }
+      if (payload.nbf && payload.nbf > Math.floor(Date.now() / 1e3)) {
+        return { valid: false, error: "Token not yet valid" };
+      }
+      if (payload.iss !== this.config.issuer) {
+        return { valid: false, error: `Invalid issuer: expected ${this.config.issuer}, got ${payload.iss}` };
+      }
+      if (this.config.audience) {
+        const audiences = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
+        if (!audiences.includes(this.config.audience)) {
+          return { valid: false, error: `Invalid audience: ${payload.aud}` };
+        }
+      }
+      return { valid: true, payload };
+    } catch (error) {
+      return {
+        valid: false,
+        error: error instanceof Error ? error.message : "Token validation failed"
+      };
+    }
+  }
+  /**
+   * Verify RS256 signature using Web Crypto API
+   */
+  async verifySignature(token, jwk) {
+    const parts = token.split(".");
+    if (parts.length !== 3) return false;
+    const [headerB64, payloadB64, signatureB64] = parts;
+    const data = new TextEncoder().encode(`${headerB64}.${payloadB64}`);
+    const signatureBytes = this.base64UrlDecodeToBuffer(signatureB64);
+    const signature = new Uint8Array(signatureBytes).buffer;
+    const cryptoKey = await crypto.subtle.importKey(
+      "jwk",
+      {
+        kty: jwk.kty,
+        n: jwk.n,
+        e: jwk.e,
+        alg: "RS256",
+        use: "sig"
+      },
+      {
+        name: "RSASSA-PKCS1-v1_5",
+        hash: "SHA-256"
+      },
+      false,
+      ["verify"]
+    );
+    return crypto.subtle.verify(
+      "RSASSA-PKCS1-v1_5",
+      cryptoKey,
+      signature,
+      data
+    );
+  }
+  /**
+   * Base64URL decode to string
+   */
+  base64UrlDecode(str) {
+    const padded = str + "===".slice(0, (4 - str.length % 4) % 4);
+    const base64 = padded.replace(/-/g, "+").replace(/_/g, "/");
+    if (typeof Buffer !== "undefined") {
+      return Buffer.from(base64, "base64").toString("utf-8");
+    }
+    return decodeURIComponent(
+      atob(base64).split("").map((c) => "%" + ("00" + c.charCodeAt(0).toString(16)).slice(-2)).join("")
+    );
+  }
+  /**
+   * Base64URL decode to Uint8Array
+   */
+  base64UrlDecodeToBuffer(str) {
+    const padded = str + "===".slice(0, (4 - str.length % 4) % 4);
+    const base64 = padded.replace(/-/g, "+").replace(/_/g, "/");
+    if (typeof Buffer !== "undefined") {
+      return new Uint8Array(Buffer.from(base64, "base64"));
+    }
+    const binary = atob(base64);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+      bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes;
+  }
+  /**
+   * Clear the JWKS cache (useful for testing or forced refresh)
+   */
+  clearCache() {
+    this.jwksCache = null;
+    this.jwksCacheTime = 0;
+  }
+  // ===========================================================================
+  // PERMISSION HELPER METHODS
+  // ===========================================================================
+  /**
+   * Check if the JWT payload has a specific tenant permission
+   * 
+   * @param payload - Decoded JWT payload
+   * @param permission - Permission to check (e.g., 'licenses:manage')
+   * @returns true if user has the permission (wildcards supported)
+   * 
+   * @example
+   * ```ts
+   * const { user } = await validator.getCurrentUser(authHeader);
+   * if (validator.hasTenantPermission(user, 'licenses:manage')) {
+   *   // User can manage licenses
+   * }
+   * ```
+   */
+  hasTenantPermission(payload, permission) {
+    const permissions = payload.tenant_permissions;
+    if (!permissions) return false;
+    return permissions.some(
+      (p) => p === permission || this.matchesWildcard(p, permission)
+    );
+  }
+  /**
+   * Check if the JWT payload has a specific app permission
+   * 
+   * @param payload - Decoded JWT payload
+   * @param permission - Permission to check (e.g., 'projects:create')
+   * @returns true if user has the permission (wildcards supported)
+   * 
+   * @example
+   * ```ts
+   * const { user } = await validator.getCurrentUser(authHeader);
+   * if (validator.hasAppPermission(user, 'projects:create')) {
+   *   // User can create projects
+   * }
+   * ```
+   */
+  hasAppPermission(payload, permission) {
+    const permissions = payload.app_permissions;
+    if (!permissions) return false;
+    return permissions.some(
+      (p) => p === permission || this.matchesWildcard(p, permission)
+    );
+  }
+  /**
+   * Check if the JWT payload has a specific feature enabled
+   * 
+   * This reads from the `license.features` array in the JWT.
+   * No API call needed - feature information is embedded in the token!
+   * 
+   * @param payload - Decoded JWT payload
+   * @param featureKey - Feature to check (e.g., 'sso', 'audit_logs')
+   * @returns true if feature is enabled
+   * 
+   * @example
+   * ```ts
+   * const { user } = await validator.getCurrentUser(authHeader);
+   * if (validator.hasFeature(user, 'sso')) {
+   *   // User's tenant has SSO enabled
+   * }
+   * ```
+   */
+  hasFeature(payload, featureKey) {
+    const license = payload.license;
+    return _nullishCoalesce(_optionalChain([license, 'optionalAccess', _ => _.features, 'optionalAccess', _2 => _2.includes, 'call', _3 => _3(featureKey)]), () => ( false));
+  }
+  /**
+   * Get the license type from JWT payload
+   * 
+   * @param payload - Decoded JWT payload
+   * @returns License type slug (e.g., 'pro', 'enterprise') or null
+   * 
+   * @example
+   * ```ts
+   * const { user } = await validator.getCurrentUser(authHeader);
+   * const licenseType = validator.getLicenseType(user);
+   * if (licenseType === 'enterprise') {
+   *   // Show enterprise features
+   * }
+   * ```
+   */
+  getLicenseType(payload) {
+    const license = payload.license;
+    return _nullishCoalesce(_optionalChain([license, 'optionalAccess', _4 => _4.type]), () => ( null));
+  }
+  /**
+   * Check if wildcard pattern matches permission
+   * 
+   * @example
+   * - '*' matches everything
+   * - 'licenses:*' matches 'licenses:manage', 'licenses:view', etc.
+   * - 'licenses:manage' only matches 'licenses:manage'
+   */
+  matchesWildcard(pattern, permission) {
+    if (pattern === "*") return true;
+    if (!pattern.includes("*")) return pattern === permission;
+    const [patternResource] = pattern.split(":");
+    const [permResource] = permission.split(":");
+    if (pattern.endsWith(":*")) {
+      return patternResource === permResource;
+    }
+    return false;
+  }
+  /**
+   * Get the current user from an Authorization header.
+   * This is the helper for implementing `/api/auth/me` endpoints.
+   * 
+   * - Does NOT call the IDP
+   * - Validates JWT signature using cached JWKS
+   * - Returns the decoded JWT payload
+   * 
+   * @example
+   * ```ts
+   * const validator = createJwtValidator({ authVitalHost: process.env.AV_HOST });
+   * 
+   * // GET /api/auth/me
+   * app.get('/api/auth/me', async (req, res) => {
+   *   const result = await validator.getCurrentUser(req.headers.authorization);
+   *   
+   *   if (!result.authenticated) {
+   *     return res.status(401).json({ error: result.error });
+   *   }
+   *   
+   *   res.json(result.user);
+   * });
+   * ```
+   */
+  async getCurrentUser(authorizationHeader) {
+    if (!authorizationHeader) {
+      return {
+        authenticated: false,
+        user: null,
+        error: "Missing Authorization header"
+      };
+    }
+    if (!authorizationHeader.startsWith("Bearer ")) {
+      return {
+        authenticated: false,
+        user: null,
+        error: "Invalid Authorization header format (expected Bearer token)"
+      };
+    }
+    const token = authorizationHeader.slice(7);
+    if (!token) {
+      return {
+        authenticated: false,
+        user: null,
+        error: "Empty token"
+      };
+    }
+    const validationResult = await this.validateToken(token);
+    if (!validationResult.valid) {
+      return {
+        authenticated: false,
+        user: null,
+        error: validationResult.error
+      };
+    }
+    return {
+      authenticated: true,
+      user: validationResult.payload
+    };
+  }
+};
+function createJwtValidator(config) {
+  return new JwtValidator(config);
+}
+async function getCurrentUser(authorizationHeader, validator) {
+  if (!authorizationHeader) {
+    return {
+      authenticated: false,
+      user: null,
+      error: "Missing Authorization header"
+    };
+  }
+  if (!authorizationHeader.startsWith("Bearer ")) {
+    return {
+      authenticated: false,
+      user: null,
+      error: "Invalid Authorization header format (expected Bearer token)"
+    };
+  }
+  const token = authorizationHeader.slice(7);
+  if (!token) {
+    return {
+      authenticated: false,
+      user: null,
+      error: "Empty token"
+    };
+  }
+  const validationResult = await validator.validateToken(token);
+  if (!validationResult.valid) {
+    return {
+      authenticated: false,
+      user: null,
+      error: validationResult.error
+    };
+  }
+  return {
+    authenticated: true,
+    user: validationResult.payload
+  };
+}
+async function getCurrentUserFromConfig(authorizationHeader, config) {
+  const validator = createJwtValidator(config);
+  return getCurrentUser(authorizationHeader, validator);
+}
+function createJwtMiddleware(config) {
+  const validator = createJwtValidator(config);
+  return async (req, res, next) => {
+    const authHeader = _optionalChain([req, 'access', _5 => _5.headers, 'optionalAccess', _6 => _6.authorization]);
+    if (!_optionalChain([authHeader, 'optionalAccess', _7 => _7.startsWith, 'call', _8 => _8("Bearer ")])) {
+      return res.status(401).json({ error: "Missing or invalid Authorization header" });
+    }
+    const token = authHeader.slice(7);
+    const result = await validator.validateToken(token);
+    if (!result.valid) {
+      return res.status(401).json({ error: result.error || "Invalid token" });
+    }
+    req.user = result.payload;
+    next();
+  };
+}
+async function createPassportJwtOptions(config) {
+  if (!config.authVitalHost) {
+    throw new Error(
+      "authVitalHost is required. Pass it in config or set AV_HOST environment variable."
+    );
+  }
+  const validator = createJwtValidator(config);
+  return {
+    jwtFromRequest: (req) => {
+      const authHeader = _optionalChain([req, 'access', _9 => _9.headers, 'optionalAccess', _10 => _10.authorization]);
+      if (_optionalChain([authHeader, 'optionalAccess', _11 => _11.startsWith, 'call', _12 => _12("Bearer ")])) {
+        return authHeader.slice(7);
+      }
+      return null;
+    },
+    secretOrKeyProvider: async (_req, rawJwt, done) => {
+      try {
+        const decoded = validator.decodeToken(rawJwt);
+        if (!_optionalChain([decoded, 'optionalAccess', _13 => _13.header, 'access', _14 => _14.kid])) {
+          return done(new Error("Token missing kid header"));
+        }
+        const jwks = await validator.getPublicKeys();
+        const key = jwks.keys.find((k) => k.kid === decoded.header.kid);
+        if (!key) {
+          return done(new Error(`Unknown signing key: ${decoded.header.kid}`));
+        }
+        const pem = jwkToPem(key);
+        done(null, pem);
+      } catch (error) {
+        done(error);
+      }
+    },
+    issuer: _nullishCoalesce(config.issuer, () => ( config.authVitalHost.replace(/\/$/, ""))),
+    audience: config.audience,
+    algorithms: ["RS256"]
+  };
+}
+function jwkToPem(jwk) {
+  if (jwk.kty !== "RSA" || !jwk.n || !jwk.e) {
+    throw new Error("Only RSA keys are supported");
+  }
+  const n = base64UrlToBase64(jwk.n);
+  const e = base64UrlToBase64(jwk.e);
+  const nBytes = Buffer.from(n, "base64");
+  const eBytes = Buffer.from(e, "base64");
+  const rsaPublicKey = Buffer.concat([
+    Buffer.from([48]),
+    // SEQUENCE
+    encodeLength(nBytes.length + eBytes.length + 4 + (nBytes[0] & 128 ? 1 : 0) + (eBytes[0] & 128 ? 1 : 0)),
+    Buffer.from([2]),
+    // INTEGER (modulus)
+    encodeLength(nBytes.length + (nBytes[0] & 128 ? 1 : 0)),
+    nBytes[0] & 128 ? Buffer.from([0]) : Buffer.alloc(0),
+    nBytes,
+    Buffer.from([2]),
+    // INTEGER (exponent)
+    encodeLength(eBytes.length + (eBytes[0] & 128 ? 1 : 0)),
+    eBytes[0] & 128 ? Buffer.from([0]) : Buffer.alloc(0),
+    eBytes
+  ]);
+  const rsaOid = Buffer.from([48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 1, 5, 0]);
+  const bitString = Buffer.concat([
+    Buffer.from([3]),
+    encodeLength(rsaPublicKey.length + 1),
+    Buffer.from([0]),
+    rsaPublicKey
+  ]);
+  const spki = Buffer.concat([
+    Buffer.from([48]),
+    encodeLength(rsaOid.length + bitString.length),
+    rsaOid,
+    bitString
+  ]);
+  const base64 = spki.toString("base64");
+  const lines = base64.match(/.{1,64}/g) || [];
+  return `-----BEGIN PUBLIC KEY-----
+${lines.join("\n")}
+-----END PUBLIC KEY-----`;
+}
+function base64UrlToBase64(str) {
+  const padded = str + "===".slice(0, (4 - str.length % 4) % 4);
+  return padded.replace(/-/g, "+").replace(/_/g, "/");
+}
+function encodeLength(len) {
+  if (len < 128) {
+    return Buffer.from([len]);
+  }
+  const bytes = [];
+  while (len > 0) {
+    bytes.unshift(len & 255);
+    len >>= 8;
+  }
+  return Buffer.from([128 | bytes.length, ...bytes]);
+}
+
+// src/server/base-client.ts
+function extractAuthorizationHeader(request) {
+  const headers = request.headers;
+  if (headers && typeof headers.get === "function") {
+    return headers.get("authorization") || headers.get("Authorization");
+  }
+  if (headers && typeof headers === "object") {
+    return headers.authorization || headers.Authorization || null;
+  }
+  return null;
+}
+function appendClientIdToUri(uri, clientId) {
+  if (!uri) return null;
+  const separator = uri.includes("?") ? "&" : "?";
+  return `${uri}${separator}client_id=${encodeURIComponent(clientId)}`;
+}
+var BaseClient = class {
+  constructor(config) {
+    this.accessToken = null;
+    this.tokenExpiresAt = 0;
+    if (!config.authVitalHost) {
+      throw new Error(
+        "authVitalHost is required. Pass it in config or set AV_HOST environment variable."
+      );
+    }
+    this.config = {
+      ...config,
+      authVitalHost: config.authVitalHost.replace(/\/$/, "")
+      // Remove trailing slash
+    };
+    this.jwtValidator = new JwtValidator({
+      authVitalHost: this.config.authVitalHost,
+      cacheTtl: config.jwksCacheTtl,
+      audience: _nullishCoalesce(config.audience, () => ( config.clientId))
+    });
+  }
+  // ===========================================================================
+  // GET CURRENT USER (JWT Validation)
+  // ===========================================================================
+  /**
+   * Validate JWT from an incoming request and return the decoded user.
+   *
+   * - Extracts Authorization header from the request
+   * - Validates JWT signature using cached JWKS (public endpoint, no auth needed)
+   * - Returns decoded JWT payload
+   * - Does NOT call the IDP
+   *
+   * @example
+   * ```ts
+   * // Express
+   * app.get('/api/auth/me', async (req, res) => {
+   *   const { authenticated, user, error } = await authvital.getCurrentUser(req);
+   *   if (!authenticated) return res.status(401).json({ error });
+   *   res.json(user);
+   * });
+   * ```
+   */
+  async getCurrentUser(request) {
+    const authHeader = extractAuthorizationHeader(request);
+    if (!authHeader) {
+      return {
+        authenticated: false,
+        user: null,
+        error: "Missing Authorization header"
+      };
+    }
+    if (!authHeader.startsWith("Bearer ")) {
+      return {
+        authenticated: false,
+        user: null,
+        error: "Invalid Authorization header format (expected Bearer token)"
+      };
+    }
+    const token = authHeader.slice(7);
+    if (!token) {
+      return {
+        authenticated: false,
+        user: null,
+        error: "Empty token"
+      };
+    }
+    const result = await this.jwtValidator.validateToken(token);
+    if (!result.valid) {
+      return {
+        authenticated: false,
+        user: null,
+        error: result.error
+      };
+    }
+    return {
+      authenticated: true,
+      user: result.payload
+    };
+  }
+  // ===========================================================================
+  // VALIDATE REQUEST & EXTRACT CLAIMS
+  // ===========================================================================
+  /**
+   * Validate the JWT from an incoming request and extract key claims.
+   *
+   * This is the recommended way to get user/tenant context for API calls.
+   * Throws an error if the token is invalid or missing required claims.
+   *
+   * @param request - The incoming HTTP request (Express, Next.js, Fetch API, etc.)
+   * @returns Validated claims including sub (userId) and tenantId
+   * @throws Error if token is invalid or missing tenant_id claim
+   *
+   * @example
+   * ```ts
+   * // Express
+   * app.get('/api/members', async (req, res) => {
+   *   const claims = await authvital.validateRequest(req);
+   *   const members = await authvital.memberships.listForApplication(claims);
+   *   res.json(members);
+   * });
+   * ```
+   */
+  async validateRequest(request) {
+    const { authenticated, user, error } = await this.getCurrentUser(request);
+    if (!authenticated || !user) {
+      throw new Error(error || "Unauthorized");
+    }
+    if (!user.sub) {
+      throw new Error("Invalid token: missing sub claim");
+    }
+    const tenantId = user.tenant_id;
+    if (!tenantId) {
+      throw new Error(
+        "Invalid token: missing tenant_id claim. Ensure the token was issued for a specific tenant."
+      );
+    }
+    return {
+      sub: user.sub,
+      tenantId,
+      tenantSubdomain: user.tenant_subdomain,
+      email: user.email,
+      payload: user
+    };
+  }
+  // ===========================================================================
+  // INTERNAL: Token Management for M2M calls
+  // ===========================================================================
+  /**
+   * Get M2M access token (client_credentials flow)
+   *
+   * Returns cached token if still valid, otherwise fetches a new one.
+   */
+  async getAccessToken() {
+    if (this.accessToken && Date.now() < this.tokenExpiresAt - 6e4) {
+      return this.accessToken;
+    }
+    const response = await fetch(`${this.config.authVitalHost}/oauth/token`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        grant_type: "client_credentials",
+        client_id: this.config.clientId,
+        client_secret: this.config.clientSecret,
+        scope: "system:admin"
+      })
+    });
+    if (!response.ok) {
+      const error = await response.json().catch(() => ({}));
+      throw new Error(
+        error.message || `Token exchange failed: ${response.status}`
+      );
+    }
+    const data = await response.json();
+    this.accessToken = data.access_token;
+    this.tokenExpiresAt = Date.now() + data.expires_in * 1e3;
+    return this.accessToken;
+  }
+  /**
+   * Make an M2M authenticated request
+   *
+   * Uses client_credentials token for machine-to-machine calls.
+   */
+  async request(method, path, body, isRetry = false) {
+    const token = await this.getAccessToken();
+    const response = await fetch(`${this.config.authVitalHost}${path}`, {
+      method,
+      headers: {
+        Authorization: `Bearer ${token}`,
+        "Content-Type": "application/json"
+      },
+      body: body ? JSON.stringify(body) : void 0
+    });
+    if (response.status === 401 && !isRetry) {
+      this.accessToken = null;
+      this.tokenExpiresAt = 0;
+      return this.request(method, path, body, true);
+    }
+    if (!response.ok) {
+      const error = await response.json().catch(() => ({}));
+      throw new Error(
+        error.message || `Request failed: ${response.status}`
+      );
+    }
+    return response.json();
+  }
+  /**
+   * Make an authenticated request using the JWT from the original request
+   *
+   * This version forwards the user's JWT token instead of using the
+   * M2M (client_credentials) token. Used for endpoints that require
+   * user context and validate tenant permissions.
+   *
+   * @param originalRequest - The incoming request with JWT
+   * @param method - HTTP method
+   * @param path - API path
+   * @param body - Request body (for POST/PUT)
+   * @returns Parsed response
+   * @throws Error if request fails or JWT is required
+   */
+  async authenticatedRequest(originalRequest, method, path, body) {
+    const authHeader = extractAuthorizationHeader(originalRequest);
+    if (!authHeader) {
+      throw new Error("No Authorization header found in request");
+    }
+    const options = {
+      method,
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: authHeader
+      }
+    };
+    if (body && method !== "GET") {
+      options.body = JSON.stringify(body);
+    }
+    const response = await fetch(`${this.config.authVitalHost}${path}`, options);
+    if (!response.ok) {
+      const error = await response.text();
+      try {
+        const json = JSON.parse(error);
+        throw new Error(
+          json.message || `Request failed: ${response.status} ${error}`
+        );
+      } catch (e3) {
+        throw new Error(`Request failed: ${response.status} ${error}`);
+      }
+    }
+    return response.json();
+  }
+};
+
+// src/server/namespaces/invitations.ts
+function createInvitationsNamespace(client) {
+  return {
+    /**
+     * Send an invitation to join a tenant
+     *
+     * Automatically validates JWT and uses tenantId from it.
+     * If a user with this email already exists, uses that user.
+     * If not, creates a new user with the provided details.
+     * Returns only the user's sub (ID) and invitation expiry for security.
+     *
+     * @example
+     * ```ts
+     * // First, get the role ID from available roles
+     * const { roles } = await authvital.memberships.getTenantRoles();
+     * const adminRole = roles.find(r => r.slug === 'admin');
+     *
+     * const { sub, expiresAt } = await authvital.invitations.send(request, {
+     *   email: 'newuser@example.com',
+     *   givenName: 'John',
+     *   familyName: 'Doe',
+     *   roleId: adminRole?.id,  // Use role ID, not slug
+     * });
+     * // sub = user's ID (can be used in your app's database)
+     * // expiresAt = when the invitation expires
+     * ```
+     */
+    send: async (request, params) => {
+      const claims = await client.validateRequest(request);
+      return client.request("POST", "/api/integration/invitations/send", {
+        ...params,
+        tenantId: claims.tenantId,
+        // Auto-include clientId from SDK config (allows redirect after invite acceptance)
+        // Can be overridden by explicitly passing clientId in params
+        clientId: _nullishCoalesce(params.clientId, () => ( client.config.clientId))
+      });
+    },
+    /**
+     * Get all pending invitations for a tenant
+     *
+     * Automatically validates JWT and uses tenantId from it.
+     *
+     * @example
+     * ```ts
+     * const { invitations, totalCount } = await authvital.invitations.listPending(request);
+     * ```
+     */
+    listPending: async (request) => {
+      const claims = await client.validateRequest(request);
+      const params = new URLSearchParams({ tenantId: claims.tenantId });
+      return client.request(
+        "GET",
+        `/api/integration/invitations/pending?${params.toString()}`
+      );
+    },
+    /**
+     * Resend an invitation (generates new token, extends expiry)
+     *
+     * Automatically validates JWT and uses tenantId from it.
+     * Returns the new expiration date
+     *
+     * @example
+     * ```ts
+     * const { expiresAt } = await authvital.invitations.resend(request, {
+     *   invitationId: 'inv-123',
+     *   expiresInDays: 7,
+     * });
+     * ```
+     */
+    resend: async (request, params) => {
+      await client.validateRequest(request);
+      return client.request(
+        "POST",
+        "/api/integration/invitations/resend",
+        params
+      );
+    },
+    /**
+     * Revoke an invitation
+     *
+     * @example
+     * ```ts
+     * await authvital.invitations.revoke(request, 'inv-123');
+     * ```
+     */
+    revoke: async (request, invitationId) => {
+      await client.validateRequest(request);
+      return client.request(
+        "DELETE",
+        `/api/integration/invitations/${encodeURIComponent(invitationId)}`
+      );
+    }
+  };
+}
+
+// src/server/namespaces/memberships.ts
+function createMembershipsNamespace(client) {
+  return {
+    /**
+     * Get all memberships for the authenticated user's tenant
+     *
+     * Automatically validates JWT and uses tenantId from it.
+     *
+     * @param request - The incoming HTTP request
+     * @param options - Optional filters and configuration
+     *
+     * @example
+     * ```ts
+     * app.get('/api/team', async (req, res) => {
+     *   const members = await authvital.memberships.listForTenant(req, {
+     *     status: 'ACTIVE',
+     *   });
+     *   res.json(members);
+     * });
+     * ```
+     */
+    listForTenant: async (request, options) => {
+      const claims = await client.validateRequest(request);
+      const params = new URLSearchParams({ tenantId: claims.tenantId });
+      if (_optionalChain([options, 'optionalAccess', _15 => _15.status])) params.set("status", options.status);
+      if (_optionalChain([options, 'optionalAccess', _16 => _16.includeRoles]) !== void 0)
+        params.set("includeRoles", String(options.includeRoles));
+      const response = await client.request(
+        "GET",
+        `/api/integration/tenant-memberships?${params.toString()}`
+      );
+      if (_optionalChain([options, 'optionalAccess', _17 => _17.appendClientId]) && response.initiateLoginUri) {
+        response.initiateLoginUri = appendClientIdToUri(
+          response.initiateLoginUri,
+          client.config.clientId
+        );
+      }
+      return response;
+    },
+    /**
+     * Get all memberships for your application in the authenticated user's tenant
+     *
+     * Automatically uses clientId from SDK config and tenantId from the validated JWT.
+     *
+     * @param request - The incoming HTTP request
+     * @param options - Optional filters and configuration
+     *
+     * @example
+     * ```ts
+     * app.get('/api/members', async (req, res) => {
+     *   const { memberships } = await authvital.memberships.listForApplication(req);
+     *   res.json(memberships);
+     * });
+     * ```
+     */
+    listForApplication: async (request, options) => {
+      const claims = await client.validateRequest(request);
+      const params = new URLSearchParams({
+        clientId: client.config.clientId,
+        tenantId: claims.tenantId
+      });
+      if (_optionalChain([options, 'optionalAccess', _18 => _18.status])) params.set("status", options.status);
+      const response = await client.request(
+        "GET",
+        `/api/integration/application-memberships?${params.toString()}`
+      );
+      if (_optionalChain([options, 'optionalAccess', _19 => _19.appendClientId])) {
+        response.memberships = response.memberships.map((m) => ({
+          ...m,
+          tenant: {
+            ...m.tenant,
+            initiateLoginUri: appendClientIdToUri(m.tenant.initiateLoginUri, client.config.clientId)
+          }
+        }));
+      }
+      return response;
+    },
+    /**
+     * Validate that the authenticated user is a member of their tenant
+     *
+     * @param request - The incoming HTTP request
+     */
+    validate: async (request) => {
+      const claims = await client.validateRequest(request);
+      const params = new URLSearchParams({ userId: claims.sub, tenantId: claims.tenantId });
+      return client.request("GET", `/api/integration/validate-membership?${params.toString()}`);
+    },
+    /**
+     * Get all tenants for the authenticated user
+     *
+     * Returns all tenants the user is a member of, with optional role information.
+     *
+     * @param request - The incoming HTTP request
+     * @param options - Optional filters and configuration
+     *
+     * @example
+     * ```ts
+     * app.get('/api/my-tenants', async (req, res) => {
+     *   const result = await authvital.memberships.listTenantsForUser(req, {
+     *     status: 'ACTIVE',
+     *     appendClientId: true,
+     *   });
+     *   res.json(result.memberships);
+     * });
+     * ```
+     */
+    listTenantsForUser: async (request, options) => {
+      const claims = await client.validateRequest(request);
+      const params = new URLSearchParams({ userId: claims.sub });
+      if (_optionalChain([options, 'optionalAccess', _20 => _20.status])) params.set("status", options.status);
+      if (_optionalChain([options, 'optionalAccess', _21 => _21.includeRoles]) !== void 0)
+        params.set("includeRoles", String(options.includeRoles));
+      const response = await client.request(
+        "GET",
+        `/api/integration/user-tenants?${params.toString()}`
+      );
+      if (_optionalChain([options, 'optionalAccess', _22 => _22.appendClientId])) {
+        response.memberships = response.memberships.map((m) => ({
+          ...m,
+          tenant: {
+            ...m.tenant,
+            initiateLoginUri: appendClientIdToUri(m.tenant.initiateLoginUri, client.config.clientId)
+          }
+        }));
+      }
+      return response;
+    },
+    /**
+     * Get all available tenant roles (IDP-level)
+     *
+     * Returns the role definitions (owner, admin, member, etc.) that can be
+     * assigned to memberships. These are instance-wide, not tenant-specific.
+     * Use this to populate a role picker dropdown.
+     *
+     * @example
+     * ```ts
+     * app.get('/api/roles', async (req, res) => {
+     *   const { roles } = await authvital.memberships.getTenantRoles();
+     *   res.json(roles);
+     *   // [{ slug: 'owner', name: 'Owner', ... }, { slug: 'admin', ... }, ...]
+     * });
+     * ```
+     */
+    getTenantRoles: async () => {
+      return client.request("GET", "/api/integration/tenant-roles");
+    },
+    /**
+     * Get all roles for your application
+     *
+     * Returns the role definitions (admin, editor, viewer, etc.) specific to
+     * your application. Uses the clientId from SDK config automatically.
+     * Use this to populate a role picker for invite flows or role assignment.
+     *
+     * NOTE: These are APPLICATION-specific roles, different from tenant roles
+     * (owner/admin/member). Application roles are used for fine-grained
+     * permissions within your app.
+     *
+     * @example
+     * ```ts
+     * app.get('/api/app-roles', async (req, res) => {
+     *   const { roles } = await authvital.memberships.getApplicationRoles();
+     *   res.json(roles);
+     *   // [{ slug: 'admin', name: 'Admin', permissions: [...] }, ...]
+     * });
+     *
+     * // Use in invite flow:
+     * const { roles } = await authvital.memberships.getApplicationRoles();
+     * const editorRole = roles.find(r => r.slug === 'editor');
+     * await authvital.invitations.send(request, {
+     *   email: 'user@example.com',
+     *   roleId: editorRole?.id,
+     * });
+     * ```
+     */
+    getApplicationRoles: async () => {
+      const params = new URLSearchParams({ clientId: client.config.clientId });
+      return client.request(
+        "GET",
+        `/api/integration/application-roles?${params.toString()}`
+      );
+    },
+    /**
+     * Set a member's tenant role (replaces any existing roles)
+     *
+     * Performs a pre-flight check using the caller's JWT to catch obvious
+     * permission violations before calling the IDP. The IDP then does the
+     * full authoritative check (e.g., admin can't demote an owner).
+     *
+     * Role hierarchy: owner > admin > member
+     * - Owners can change anyone's role
+     * - Admins can change admins and members, but cannot touch owners or promote to owner
+     * - Members cannot change roles
+     *
+     * @param request - The incoming HTTP request (used to read caller's JWT)
+     * @param membershipId - The membership to update
+     * @param roleSlug - The role slug to set (e.g., 'admin', 'member', 'owner')
+     *
+     * @example
+     * ```ts
+     * app.put('/api/team/:membershipId/role', async (req, res) => {
+     *   const result = await authvital.memberships.setMemberRole(
+     *     req,
+     *     req.params.membershipId,
+     *     req.body.role, // e.g., 'admin'
+     *   );
+     *   res.json(result.role); // { id, name, slug }
+     * });
+     * ```
+     */
+    setMemberRole: async (request, membershipId, roleSlug) => {
+      const claims = await client.validateRequest(request);
+      const callerRoles = _nullishCoalesce(claims.payload.tenant_roles, () => ( []));
+      const isOwner = callerRoles.includes("owner");
+      const isAdmin = callerRoles.includes("admin");
+      if (!isOwner && !isAdmin) {
+        throw new Error(
+          "Insufficient permissions: only owners and admins can change member roles"
+        );
+      }
+      if (!isOwner && roleSlug === "owner") {
+        throw new Error("Insufficient permissions: only owners can promote to owner");
+      }
+      return client.request(
+        "PUT",
+        `/api/integration/memberships/${encodeURIComponent(membershipId)}/tenant-role`,
+        { roleSlug, callerUserId: claims.sub }
+      );
+    }
+  };
+}
+
+// src/server/namespaces/permissions.ts
+function createPermissionsNamespace(client) {
+  return {
+    /**
+     * Check if the authenticated user has a specific permission
+     *
+     * @param request - The incoming HTTP request
+     * @param permission - The permission to check (e.g., 'users:write')
+     *
+     * @example
+     * ```ts
+     * app.post('/api/users', async (req, res) => {
+     *   const { allowed } = await authvital.permissions.check(req, 'users:write');
+     *   if (!allowed) return res.status(403).json({ error: 'Forbidden' });
+     *   // ... create user
+     * });
+     * ```
+     */
+    check: async (request, permission) => {
+      const claims = await client.validateRequest(request);
+      return client.request("POST", "/api/integration/check-permission", {
+        userId: claims.sub,
+        tenantId: claims.tenantId,
+        permission
+      });
+    },
+    /**
+     * Check multiple permissions at once for the authenticated user
+     *
+     * @param request - The incoming HTTP request
+     * @param permissions - Array of permissions to check
+     *
+     * @example
+     * ```ts
+     * const { results } = await authvital.permissions.checkMany(req, ['users:read', 'users:write']);
+     * // results = { 'users:read': true, 'users:write': false }
+     * ```
+     */
+    checkMany: async (request, permissions) => {
+      const claims = await client.validateRequest(request);
+      return client.request("POST", "/api/integration/check-permissions", {
+        userId: claims.sub,
+        tenantId: claims.tenantId,
+        permissions
+      });
+    },
+    /**
+     * Get all permissions for the authenticated user
+     *
+     * @param request - The incoming HTTP request
+     *
+     * @example
+     * ```ts
+     * app.get('/api/my-permissions', async (req, res) => {
+     *   const perms = await authvital.permissions.list(req);
+     *   res.json(perms);
+     * });
+     * ```
+     */
+    list: async (request) => {
+      const claims = await client.validateRequest(request);
+      const params = new URLSearchParams({ userId: claims.sub, tenantId: claims.tenantId });
+      return client.request(
+        "GET",
+        `/api/integration/user-permissions?${params.toString()}`
+      );
+    }
+  };
+}
+
+// src/server/namespaces/entitlements.ts
+function createEntitlementsNamespace(client) {
+  return {
+    /**
+     * Check if a quota-based action is allowed
+     *
+     * This is the main "gatekeeper" function. Use it before any quota-consuming action.
+     *
+     * @param request - The incoming HTTP request
+     * @param featureKey - The quota to check (e.g., 'seats', 'projects')
+     * @param options - Optional: appScope and incrementCount
+     *
+     * @example
+     * ```ts
+     * // Before adding a team member
+     * const check = await authvital.entitlements.canPerform(req, 'seats');
+     * if (!check.allowed) {
+     *   return res.status(403).json({ error: check.reason });
+     * }
+     * // Add the member...
+     * await authvital.entitlements.incrementUsage(req, 'seats');
+     * ```
+     */
+    canPerform: async (request, featureKey, _options) => {
+      const claims = await client.validateRequest(request);
+      if (featureKey === "seats") {
+        const params = new URLSearchParams({
+          tenantId: claims.tenantId,
+          clientId: client.config.clientId
+        });
+        const seatsResult = await client.request("GET", `/api/integration/check-seats?${params.toString()}`);
+        if (seatsResult.unlimited) {
+          return {
+            allowed: true,
+            reason: void 0,
+            currentUsage: seatsResult.memberCount,
+            limit: void 0
+          };
+        }
+        const canAddSeat = seatsResult.totalSeatsAvailable > 0;
+        return {
+          allowed: canAddSeat,
+          reason: canAddSeat ? void 0 : "No available seats. Upgrade your subscription to add more team members.",
+          currentUsage: seatsResult.totalSeatsAssigned,
+          limit: seatsResult.totalSeatsOwned
+        };
+      }
+      return {
+        allowed: true,
+        reason: void 0,
+        currentUsage: 0,
+        limit: void 0
+      };
+    },
+    // Note: The following methods reference billing endpoints that don't exist yet.
+    // They should be implemented if/when billing features are added.
+    // For now, we keep them for API compatibility but they'll throw errors.
+    //
+    // TODO: If billing is ever needed, implement:
+    // - /billing/tenants/{tenantId}/check-feature/{featureKey}
+    // - /billing/tenants/{tenantId}/check-app-access/{applicationId}
+    // - /billing/tenants/{tenantId}/status
+    // - /billing/tenants/{tenantId}/usage/increment
+    /**
+     * Decrement usage for a quota (call after removing resource)
+     *
+     * @param request - The incoming HTTP request
+     * @param featureKey - The quota to decrement (e.g., 'seats')
+     * @param options - Optional: appScope and amount to decrement by
+     *
+     * @example
+     * ```ts
+     * // After removing a team member
+     * await authvital.entitlements.decrementUsage(req, 'seats');
+     * ```
+     */
+    decrementUsage: async (request, featureKey, options) => {
+      const claims = await client.validateRequest(request);
+      return client.request("POST", `/billing/tenants/${claims.tenantId}/usage/decrement`, {
+        featureKey,
+        appScope: _optionalChain([options, 'optionalAccess', _23 => _23.appScope]) || "global",
+        value: _optionalChain([options, 'optionalAccess', _24 => _24.by]) || 1
+      });
+    }
+  };
+}
+
+// src/server/namespaces/licenses-user.ts
+function createUserLicenseOperations(client) {
+  return {
+    /**
+     * Grant a license to a user
+     *
+     * @param request - The incoming HTTP request
+     * @param options - License grant options
+     *
+     * @example
+     * ```ts
+     * // Grant pro license to a team member
+     * await authvital.licenses.grant(req, {
+     *   userId: 'user-123',
+     *   applicationId: 'app-456',
+     *   licenseTypeId: 'license-pro',
+     * });
+     * ```
+     */
+    grant: async (request, options) => {
+      const claims = await client.validateRequest(request);
+      return client.request("POST", "/api/integration/licenses/grant", {
+        tenantId: claims.tenantId,
+        userId: options.userId || claims.sub,
+        applicationId: options.applicationId,
+        licenseTypeId: options.licenseTypeId
+      });
+    },
+    /**
+     * Revoke a license from a user
+     *
+     * @param request - The incoming HTTP request
+     * @param options - License revoke options
+     *
+     * @example
+     * ```ts
+     * await authvital.licenses.revoke(req, {
+     *   userId: 'user-123',
+     *   applicationId: 'app-456',
+     * });
+     * ```
+     */
+    revoke: async (request, options) => {
+      const claims = await client.validateRequest(request);
+      return client.request("POST", "/api/integration/licenses/revoke", {
+        tenantId: claims.tenantId,
+        userId: options.userId || claims.sub,
+        applicationId: options.applicationId
+      });
+    },
+    /**
+     * Change a user's license type
+     *
+     * @param request - The incoming HTTP request
+     * @param options - License change options
+     *
+     * @example
+     * ```ts
+     * // Upgrade user from basic to pro
+     * await authvital.licenses.changeType(req, {
+     *   userId: 'user-123',
+     *   applicationId: 'app-456',
+     *   newLicenseTypeId: 'license-pro',
+     * });
+     * ```
+     */
+    changeType: async (request, options) => {
+      const claims = await client.validateRequest(request);
+      return client.request("POST", "/api/integration/licenses/change-type", {
+        tenantId: claims.tenantId,
+        userId: options.userId || claims.sub,
+        applicationId: options.applicationId,
+        newLicenseTypeId: options.newLicenseTypeId
+      });
+    },
+    /**
+     * Get all licenses for a user
+     *
+     * @param request - The incoming HTTP request
+     * @param userId - User ID (optional, defaults to authenticated user)
+     *
+     * @returns List of license assignments with license type details
+     *
+     * @example
+     * ```ts
+     * const licenses = await authvital.licenses.listForUser(req);
+     * // [{ id: 'assignment-1', licenseType: 'pro', applicationId: 'app-1', ... }]
+     * ```
+     */
+    listForUser: async (request, userId) => {
+      const claims = await client.validateRequest(request);
+      return client.request(
+        "GET",
+        `/api/integration/licenses/tenants/${claims.tenantId}/users/${userId || claims.sub}`
+      );
+    },
+    /**
+     * Check if a user has a license (uses tenant from JWT)
+     *
+     * This endpoint validates the JWT and checks if the user
+     * (or specified user) has a valid license for the application.
+     *
+     * @param request - The incoming HTTP request with JWT
+     * @param userId - User to check (or omit to check authenticated user)
+     * @param applicationId - Application to check
+     *
+     * @returns License check result with hasLicense flag and license details
+     *
+     * @example
+     * ```ts
+     * const result = await authvital.licenses.check(req, undefined, 'my-app-id');
+     * if (result.hasLicense) {
+     *   console.log('User has', result.licenseType, 'license');
+     * }
+     * ```
+     */
+    check: async (request, userId, applicationId) => {
+      await client.getCurrentUser(request);
+      const params = new URLSearchParams();
+      if (userId) params.set("userId", userId);
+      params.set("applicationId", applicationId);
+      return client.authenticatedRequest(
+        request,
+        "GET",
+        `/api/integration/licenses/check?${params.toString()}`
+      );
+    },
+    /**
+     * Check if user has a specific feature enabled
+     *
+     * This validates the JWT and checks if the user's license
+     * includes the specified feature.
+     *
+     * @param request - The incoming HTTP request with JWT
+     * @param userId - User to check (or omit to check authenticated user)
+     * @param applicationId - Application to check
+     * @param featureKey - Feature to check (e.g., 'sso', 'audit_logs')
+     *
+     * @returns Result with hasFeature boolean
+     *
+     * @example
+     * ```ts
+     * const { hasFeature } = await authvital.licenses.hasFeature(req, undefined, 'my-app-id', 'sso');
+     * if (hasFeature) {
+     *   // Show SSO option
+     * }
+     * ```
+     */
+    hasFeature: async (request, userId, applicationId, featureKey) => {
+      await client.getCurrentUser(request);
+      const params = new URLSearchParams();
+      if (userId) params.set("userId", userId);
+      params.set("applicationId", applicationId);
+      params.set("featureKey", featureKey);
+      return client.authenticatedRequest(
+        request,
+        "GET",
+        `/api/integration/licenses/feature?${params.toString()}`
+      );
+    },
+    /**
+     * Get all licensed users for an app in the authenticated tenant
+     *
+     * Returns all users with valid licenses for the specified application.
+     * The tenant is extracted from the JWT.
+     *
+     * @param request - The incoming HTTP request with JWT
+     * @param applicationId - Application ID
+     *
+     * @returns List of licensed users with license details
+     *
+     * @example
+     * ```ts
+     * const users = await authvital.licenses.getAppLicensedUsers(req, 'my-app-id');
+     * users.forEach(u => console.log(u.email, '-', u.licenseType));
+     * ```
+     */
+    getAppLicensedUsers: async (request, applicationId) => {
+      await client.getCurrentUser(request);
+      return client.authenticatedRequest(
+        request,
+        "GET",
+        `/api/integration/licenses/apps/${encodeURIComponent(applicationId)}/users`
+      );
+    },
+    /**
+     * Count licensed users for an app in the authenticated tenant
+     *
+     * @param request - The incoming HTTP request with JWT
+     * @param applicationId - Application ID
+     *
+     * @returns Count of users with licenses
+     *
+     * @example
+     * ```ts
+     * const { count } = await authvital.licenses.countLicensedUsers(req, 'my-app-id');
+     * console.log(`${count} users have licenses`);
+     * ```
+     */
+    countLicensedUsers: async (request, applicationId) => {
+      await client.getCurrentUser(request);
+      return client.authenticatedRequest(
+        request,
+        "GET",
+        `/api/integration/licenses/apps/${encodeURIComponent(applicationId)}/count`
+      );
+    },
+    /**
+     * Get the license type for a user (local check - API call)
+     *
+     * This is a convenience wrapper around `check` for getting just the license type.
+     *
+     * @param request - The incoming HTTP request with JWT
+     * @param userId - User to check (or omit to check authenticated user)
+     * @param applicationId - Application to check
+     *
+     * @returns License type slug or null
+     *
+     * @example
+     * ```ts
+     * const licenseType = await authvital.licenses.getUserLicenseType(req, undefined, 'my-app-id');
+     * if (licenseType === 'enterprise') {
+     *   // Show enterprise features
+     * }
+     * ```
+     */
+    getUserLicenseType: async (request, userId, applicationId) => {
+      const params = new URLSearchParams();
+      if (userId) params.set("userId", userId);
+      params.set("applicationId", applicationId);
+      const result = await client.authenticatedRequest(
+        request,
+        "GET",
+        `/api/integration/licenses/check?${params.toString()}`
+      );
+      return result.licenseType;
+    },
+    /**
+     * Get all license holders for an application
+     *
+     * @param request - The incoming HTTP request
+     * @param applicationId - Application ID
+     *
+     * @returns List of all users with licenses for the application
+     *
+     * @example
+     * ```ts
+     * const holders = await authvital.licenses.getHolders(req, 'app-456');
+     * // [{ userId: 'user-1', licenseType: 'pro', ... }, ...]
+     * ```
+     */
+    getHolders: async (request, applicationId) => {
+      const claims = await client.validateRequest(request);
+      return client.request(
+        "GET",
+        `/api/integration/licenses/tenants/${claims.tenantId}/applications/${applicationId}/holders`
+      );
+    },
+    /**
+     * Get license audit log
+     *
+     * @param request - The incoming HTTP request
+     * @param options - Filter options
+     *
+     * @returns Audit log entries with pagination
+     *
+     * @example
+     * ```ts
+     * const auditLog = await authvital.licenses.getAuditLog(req, {
+     *   userId: 'user-123',
+     *   limit: 50,
+     * });
+     * ```
+     */
+    getAuditLog: async (request, options) => {
+      const claims = await client.validateRequest(request);
+      const params = new URLSearchParams({
+        limit: (_optionalChain([options, 'optionalAccess', _25 => _25.limit]) || 50).toString(),
+        offset: (_optionalChain([options, 'optionalAccess', _26 => _26.offset]) || 0).toString()
+      });
+      if (_optionalChain([options, 'optionalAccess', _27 => _27.userId])) params.append("userId", options.userId);
+      if (_optionalChain([options, 'optionalAccess', _28 => _28.applicationId])) params.append("applicationId", options.applicationId);
+      return client.request(
+        "GET",
+        `/api/integration/licenses/tenants/${claims.tenantId}/audit-log?${params.toString()}`
+      );
+    },
+    /**
+     * Get usage overview for tenant
+     *
+     * @param request - The incoming HTTP request
+     *
+     * @returns Usage overview with seat counts and utilization
+     *
+     * @example
+     * ```ts
+     * const usage = await authvital.licenses.getUsageOverview(req);
+     * // { totalSeats: 10, seatsAssigned: 8, utilization: 80, ... }
+     * ```
+     */
+    getUsageOverview: async (request) => {
+      const claims = await client.validateRequest(request);
+      return client.request(
+        "GET",
+        `/api/integration/licenses/tenants/${claims.tenantId}/usage-overview`
+      );
+    },
+    /**
+     * Get usage trends for tenant
+     *
+     * @param request - The incoming HTTP request
+     * @param days - Number of days to look back (default: 30)
+     *
+     * @returns Daily usage data
+     *
+     * @example
+     * ```ts
+     * const trends = await authvital.licenses.getUsageTrends(req, 30);
+     * // [{ date: '2024-01-01', seatsAssigned: 8, ... }, ...]
+     * ```
+     */
+    getUsageTrends: async (request, days) => {
+      const claims = await client.validateRequest(request);
+      const params = new URLSearchParams({ days: (days || 30).toString() });
+      return client.request(
+        "GET",
+        `/api/integration/licenses/tenants/${claims.tenantId}/usage-trends?${params.toString()}`
+      );
+    }
+  };
+}
+
+// src/server/namespaces/licenses-admin.ts
+function createAdminLicenseOperations(client) {
+  return {
+    /**
+     * Get full license overview for a tenant
+     *
+     * Returns all subscriptions (inventory) and utilization stats.
+     * Requires M2M authentication.
+     *
+     * @example
+     * ```ts
+     * const overview = await authvital.licenses.getTenantOverview('tenant-123');
+     * console.log(`Using ${overview.totalSeatsAssigned} of ${overview.totalSeatsOwned} seats`);
+     * ```
+     */
+    getTenantOverview: async (tenantId) => {
+      return client.request(
+        "GET",
+        `/api/licensing/tenants/${encodeURIComponent(tenantId)}/license-overview`
+      );
+    },
+    /**
+     * Get all license assignments for a user in a tenant
+     *
+     * @example
+     * ```ts
+     * const licenses = await authvital.licenses.getUserLicenses('tenant-123', 'user-456');
+     * licenses.forEach(l => console.log(`Has ${l.licenseTypeName} for ${l.applicationId}`));
+     * ```
+     */
+    getUserLicenses: async (tenantId, userId) => {
+      return client.request(
+        "GET",
+        `/api/licensing/tenants/${encodeURIComponent(tenantId)}/users/${encodeURIComponent(userId)}/licenses`
+      );
+    },
+    /**
+     * Get all subscriptions for a tenant
+     *
+     * Returns the tenant's "wallet" - all their purchased license seats.
+     *
+     * @example
+     * ```ts
+     * const subscriptions = await authvital.licenses.getTenantSubscriptions('tenant-123');
+     * subscriptions.forEach(sub => {
+     *   console.log(`${sub.applicationName}: ${sub.quantityAvailable} seats available`);
+     * });
+     * ```
+     */
+    getTenantSubscriptions: async (tenantId) => {
+      return client.request(
+        "GET",
+        `/api/licensing/tenants/${encodeURIComponent(tenantId)}/subscriptions`
+      );
+    },
+    /**
+     * Get tenant members with their license assignments
+     *
+     * Returns all members along with their license status for each application.
+     * Useful for admin dashboards.
+     *
+     * @example
+     * ```ts
+     * const members = await authvital.licenses.getMembersWithLicenses('tenant-123');
+     * members.forEach(member => {
+     *   console.log(`${member.user.email} has ${member.licenses.length} licenses`);
+     * });
+     * ```
+     */
+    getMembersWithLicenses: async (tenantId) => {
+      return client.request(
+        "GET",
+        `/api/licensing/tenants/${encodeURIComponent(tenantId)}/members-with-licenses`
+      );
+    },
+    /**
+     * Get available license types for tenant provisioning
+     *
+     * Returns all ACTIVE license types across all applications that the tenant
+     * could purchase/provision. Includes info about existing subscriptions.
+     *
+     * @example
+     * ```ts
+     * const available = await authvital.licenses.getAvailableLicenseTypes('tenant-123');
+     * available.forEach(type => {
+     *   if (type.hasSubscription) {
+     *     console.log(`Already have: ${type.name} (${type.existingSubscription?.quantityPurchased} seats)`);
+     *   } else {
+     *     console.log(`Can add: ${type.name}`);
+     *   }
+     * });
+     * ```
+     */
+    getAvailableLicenseTypes: async (tenantId) => {
+      return client.request(
+        "GET",
+        `/api/licensing/tenants/${encodeURIComponent(tenantId)}/available-license-types`
+      );
+    },
+    /**
+     * Grant a license to a user (M2M version)
+     *
+     * Assigns a seat from the tenant's subscription to a user.
+     * Requires M2M authentication with licensing permissions.
+     *
+     * @throws Error if no seats available or user already has a license for this app
+     *
+     * @example
+     * ```ts
+     * const assignment = await authvital.licenses.grantToUser({
+     *   tenantId: 'tenant-123',
+     *   userId: 'user-456',
+     *   applicationId: 'app-789',
+     *   licenseTypeId: 'pro-license',
+     * });
+     * ```
+     */
+    grantToUser: async (params) => {
+      return client.request("POST", "/api/licensing/licenses/grant", params);
+    },
+    /**
+     * Revoke a license from a user (M2M version)
+     *
+     * Returns the seat to the tenant's pool.
+     *
+     * @example
+     * ```ts
+     * await authvital.licenses.revokeFromUser({
+     *   tenantId: 'tenant-123',
+     *   userId: 'user-456',
+     *   applicationId: 'app-789',
+     * });
+     * ```
+     */
+    revokeFromUser: async (params) => {
+      await client.request("POST", "/api/licensing/licenses/revoke", params);
+    },
+    /**
+     * Change a user's license type (M2M version)
+     *
+     * Moves a user from one license type to another for the same application.
+     *
+     * @example
+     * ```ts
+     * const newAssignment = await authvital.licenses.changeUserType({
+     *   tenantId: 'tenant-123',
+     *   userId: 'user-456',
+     *   applicationId: 'app-789',
+     *   newLicenseTypeId: 'enterprise-license',
+     * });
+     * ```
+     */
+    changeUserType: async (params) => {
+      return client.request(
+        "POST",
+        "/api/licensing/licenses/change-type",
+        params
+      );
+    },
+    /**
+     * Bulk grant licenses to multiple users
+     *
+     * @example
+     * ```ts
+     * const results = await authvital.licenses.grantBulk([
+     *   { tenantId: 'tenant-123', userId: 'user-1', applicationId: 'app-789', licenseTypeId: 'pro' },
+     *   { tenantId: 'tenant-123', userId: 'user-2', applicationId: 'app-789', licenseTypeId: 'pro' },
+     * ]);
+     * results.forEach(r => console.log(`${r.userId}: ${r.success ? 'Success' : r.error}`));
+     * ```
+     */
+    grantBulk: async (assignments) => {
+      return client.request("POST", "/api/licensing/licenses/grant-bulk", {
+        assignments
+      });
+    },
+    /**
+     * Bulk revoke licenses from multiple users
+     *
+     * @example
+     * ```ts
+     * const result = await authvital.licenses.revokeBulk([
+     *   { tenantId: 'tenant-123', userId: 'user-1', applicationId: 'app-789' },
+     *   { tenantId: 'tenant-123', userId: 'user-2', applicationId: 'app-789' },
+     * ]);
+     * console.log(`Revoked ${result.revokedCount} licenses`);
+     * result.failures.forEach(f => console.error(`Failed: ${f.error}`));
+     * ```
+     */
+    revokeBulk: async (revocations) => {
+      return client.request(
+        "POST",
+        "/api/licensing/licenses/revoke-bulk",
+        {
+          revocations
+        }
+      );
+    }
+  };
+}
+
+// src/server/namespaces/licenses.ts
+function createLicensesNamespace(client) {
+  const userOps = createUserLicenseOperations(client);
+  const adminOps = createAdminLicenseOperations(client);
+  return {
+    // User-scoped operations (JWT auth)
+    ...userOps,
+    // Admin operations (M2M)
+    ...adminOps
+  };
+}
+
+// src/server/namespaces/sessions.ts
+function createSessionsNamespace(client) {
+  return {
+    /**
+     * Get all active sessions for the authenticated user
+     *
+     * Returns a list of active sessions with metadata (device info, location, etc.).
+     * Useful for building "manage sessions" UI.
+     *
+     * @example
+     * ```ts
+     * app.get('/api/sessions', async (req, res) => {
+     *   const { sessions, count } = await authvital.sessions.list(req);
+     *   res.json(sessions);
+     * });
+     * ```
+     */
+    list: async (request, options) => {
+      await client.validateRequest(request);
+      const authHeader = extractAuthorizationHeader(request);
+      const params = new URLSearchParams();
+      if (_optionalChain([options, 'optionalAccess', _29 => _29.applicationId])) params.set("application_id", options.applicationId);
+      const url = `/oauth/sessions${params.toString() ? `?${params.toString()}` : ""}`;
+      const response = await fetch(`${client.config.authVitalHost}${url}`, {
+        method: "GET",
+        headers: {
+          Authorization: authHeader,
+          "Content-Type": "application/json"
+        }
+      });
+      if (!response.ok) {
+        const error = await response.json().catch(() => ({ message: response.statusText }));
+        throw new Error(error.message || `Request failed: ${response.status}`);
+      }
+      return response.json();
+    },
+    /**
+     * Revoke a specific session by ID
+     *
+     * Call this from "manage sessions" UI to logout a specific device.
+     * User can only revoke their own sessions.
+     *
+     * @example
+     * ```ts
+     * app.post('/api/sessions/:id/revoke', async (req, res) => {
+     *   const result = await authvital.sessions.revoke(req, req.params.id);
+     *   res.json(result);
+     * });
+     * ```
+     */
+    revoke: async (request, sessionId) => {
+      await client.validateRequest(request);
+      const authHeader = extractAuthorizationHeader(request);
+      const response = await fetch(
+        `${client.config.authVitalHost}/oauth/sessions/${encodeURIComponent(sessionId)}/revoke`,
+        {
+          method: "POST",
+          headers: {
+            Authorization: authHeader,
+            "Content-Type": "application/json"
+          }
+        }
+      );
+      if (!response.ok) {
+        const error = await response.json().catch(() => ({ message: response.statusText }));
+        throw new Error(error.message || `Request failed: ${response.status}`);
+      }
+      return response.json();
+    },
+    /**
+     * Revoke ALL sessions for the authenticated user
+     *
+     * Call this when user clicks "logout everywhere".
+     * Revokes all active sessions, forcing re-authentication on all devices.
+     *
+     * @example
+     * ```ts
+     * app.post('/api/logout-all', async (req, res) => {
+     *   const result = await authvital.sessions.revokeAll(req);
+     *   res.json({ message: `Logged out of ${result.count} devices` });
+     * });
+     * ```
+     */
+    revokeAll: async (request, options) => {
+      await client.validateRequest(request);
+      const authHeader = extractAuthorizationHeader(request);
+      const response = await fetch(`${client.config.authVitalHost}/oauth/logout-all`, {
+        method: "POST",
+        headers: {
+          Authorization: authHeader,
+          "Content-Type": "application/json"
+        },
+        body: JSON.stringify({
+          application_id: _optionalChain([options, 'optionalAccess', _30 => _30.applicationId])
+        })
+      });
+      if (!response.ok) {
+        const error = await response.json().catch(() => ({ message: response.statusText }));
+        throw new Error(error.message || `Request failed: ${response.status}`);
+      }
+      return response.json();
+    },
+    /**
+     * Logout current session
+     *
+     * Revokes the session associated with the current refresh token.
+     * Call this for normal logout.
+     *
+     * Note: For browser apps, prefer redirecting to /oauth/logout which
+     * handles cookie clearing automatically.
+     *
+     * @example
+     * ```ts
+     * app.post('/api/logout', async (req, res) => {
+     *   // Get refresh token from cookie or body
+     *   const refreshToken = req.cookies.refresh_token || req.body.refresh_token;
+     *   const result = await authvital.sessions.logout(refreshToken);
+     *   res.clearCookie('refresh_token');
+     *   res.json(result);
+     * });
+     * ```
+     */
+    logout: async (refreshToken) => {
+      const response = await fetch(`${client.config.authVitalHost}/oauth/logout`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json"
+        },
+        body: JSON.stringify({
+          refresh_token: refreshToken
+        })
+      });
+      if (!response.ok) {
+        const error = await response.json().catch(() => ({ message: response.statusText }));
+        throw new Error(error.message || `Request failed: ${response.status}`);
+      }
+      return response.json();
+    }
+  };
+}
+
+// src/server/authvital.ts
+var AuthVital = class extends BaseClient {
+  constructor() {
+    super(...arguments);
+    // ===========================================================================
+    // NAMESPACED APIS
+    // ===========================================================================
+    this.invitations = createInvitationsNamespace(this);
+    this.memberships = createMembershipsNamespace(this);
+    this.permissions = createPermissionsNamespace(this);
+    this.entitlements = createEntitlementsNamespace(this);
+    this.licenses = createLicensesNamespace(this);
+    this.sessions = createSessionsNamespace(this);
+  }
+  // ===========================================================================
+  // PERMISSION HELPERS (Read from JWT - No API call!)
+  // ===========================================================================
+  /**
+   * Check tenant permission from JWT (no API call)
+   * Returns true if user has the specified tenant permission.
+   *
+   * Reads from the `tenant_permissions` claim in the JWT.
+   * Wildcards are supported (e.g., `licenses:*` matches `licenses:manage`).
+   *
+   * @example
+   * ```ts
+   * if (await authvital.hasTenantPermission(req, 'licenses:manage')) {
+   *   // User can manage licenses - show admin UI
+   * }
+   * ```
+   */
+  async hasTenantPermission(request, permission) {
+    const { user } = await this.getCurrentUser(request);
+    if (!user) return false;
+    return this.jwtValidator.hasTenantPermission(user, permission);
+  }
+  /**
+   * Check app permission from JWT (no API call)
+   * Returns true if user has the specified app permission.
+   *
+   * Reads from the `app_permissions` claim in the JWT.
+   *
+   * @example
+   * ```ts
+   * if (await authvital.hasAppPermission(req, 'projects:create')) {
+   *   // User can create projects
+   * }
+   * ```
+   */
+  async hasAppPermission(request, permission) {
+    const { user } = await this.getCurrentUser(request);
+    if (!user) return false;
+    return this.jwtValidator.hasAppPermission(user, permission);
+  }
+  /**
+   * Check feature from JWT license claim (no API call)
+   * Returns true if the feature is enabled in the user's license.
+   *
+   * Reads from the `license.features` array in the JWT.
+   *
+   * @example
+   * ```ts
+   * if (await authvital.hasFeatureFromJwt(req, 'sso')) {
+   *   // User's tenant has SSO enabled
+   * }
+   * ```
+   */
+  async hasFeatureFromJwt(request, featureKey) {
+    const { user } = await this.getCurrentUser(request);
+    if (!user) return false;
+    return this.jwtValidator.hasFeature(user, featureKey);
+  }
+  /**
+   * Get license type from JWT (no API call)
+   * Returns the license type slug (e.g., 'pro', 'enterprise') or null.
+   *
+   * Reads from the `license.type` claim in the JWT.
+   *
+   * @example
+   * ```ts
+   * const licenseType = await authvital.getLicenseTypeFromJwt(req);
+   * if (licenseType === 'enterprise') {
+   *   // Show enterprise features
+   * }
+   * ```
+   */
+  async getLicenseTypeFromJwt(request) {
+    const { user } = await this.getCurrentUser(request);
+    if (!user) return null;
+    return this.jwtValidator.getLicenseType(user);
+  }
+  /**
+   * Get all tenant permissions from JWT (no API call)
+   * Returns the array of tenant permissions granted to the user.
+   *
+   * @example
+   * ```ts
+   * const permissions = await authvital.getTenantPermissions(req);
+   * console.log(permissions); // ['licenses:view', 'members:invite', ...]
+   * ```
+   */
+  async getTenantPermissions(request) {
+    const { user } = await this.getCurrentUser(request);
+    return _nullishCoalesce(_optionalChain([user, 'optionalAccess', _31 => _31.tenant_permissions]), () => ( []));
+  }
+  /**
+   * Get all app permissions from JWT (no API call)
+   * Returns the array of app permissions granted to the user.
+   *
+   * @example
+   * ```ts
+   * const permissions = await authvital.getAppPermissions(req);
+   * console.log(permissions); // ['projects:create', 'datasets:read', ...]
+   * ```
+   */
+  async getAppPermissions(request) {
+    const { user } = await this.getCurrentUser(request);
+    return _nullishCoalesce(_optionalChain([user, 'optionalAccess', _32 => _32.app_permissions]), () => ( []));
+  }
+  /**
+   * Get all tenant roles from JWT (no API call)
+   * Returns the array of tenant role slugs for the user.
+   *
+   * @example
+   * ```ts
+   * const roles = await authvital.getTenantRoles(req);
+   * console.log(roles); // ['owner', 'admin']
+   * ```
+   */
+  async getTenantRoles(request) {
+    const { user } = await this.getCurrentUser(request);
+    return _nullishCoalesce(_optionalChain([user, 'optionalAccess', _33 => _33.tenant_roles]), () => ( []));
+  }
+  /**
+   * Get all app roles from JWT (no API call)
+   * Returns the array of app role slugs for the user.
+   *
+   * @example
+   * ```ts
+   * const roles = await authvital.getAppRoles(req);
+   * console.log(roles); // ['editor', 'viewer']
+   * ```
+   */
+  async getAppRoles(request) {
+    const { user } = await this.getCurrentUser(request);
+    return _nullishCoalesce(_optionalChain([user, 'optionalAccess', _34 => _34.app_roles]), () => ( []));
+  }
+  // ===========================================================================
+  // MANAGEMENT URLs (extract tenantId from JWT)
+  // ===========================================================================
+  /**
+   * Get URL for tenant members management page
+   * Extracts tenantId from the request JWT
+   */
+  async getMembersUrl(req) {
+    const { tenantId } = await this.validateRequest(req);
+    return `${this.config.authVitalHost}/tenant/${tenantId}/members`;
+  }
+  /**
+   * Get URL for tenant applications management page
+   * Extracts tenantId from the request JWT
+   */
+  async getApplicationsUrl(req) {
+    const { tenantId } = await this.validateRequest(req);
+    return `${this.config.authVitalHost}/tenant/${tenantId}/applications`;
+  }
+  /**
+   * Get URL for tenant settings page
+   * Extracts tenantId from the request JWT
+   */
+  async getSettingsUrl(req) {
+    const { tenantId } = await this.validateRequest(req);
+    return `${this.config.authVitalHost}/tenant/${tenantId}/settings`;
+  }
+  /**
+   * Get URL for tenant overview page
+   * Extracts tenantId from the request JWT
+   */
+  async getOverviewUrl(req) {
+    const { tenantId } = await this.validateRequest(req);
+    return `${this.config.authVitalHost}/tenant/${tenantId}/overview`;
+  }
+  /**
+   * Get URL for user account settings page
+   * (Does not require tenantId)
+   */
+  getAccountSettingsUrl() {
+    return `${this.config.authVitalHost}/account/settings`;
+  }
+  /**
+   * Get all management URLs at once
+   * Extracts tenantId from the request JWT
+   *
+   * @example
+   * ```typescript
+   * const urls = await authvital.getManagementUrls(req);
+   * res.json({ urls });
+   * // {
+   * //   overview: 'https://auth.example.com/tenant/abc/overview',
+   * //   members: 'https://auth.example.com/tenant/abc/members',
+   * //   applications: 'https://auth.example.com/tenant/abc/applications',
+   * //   settings: 'https://auth.example.com/tenant/abc/settings',
+   * //   accountSettings: 'https://auth.example.com/account/settings',
+   * // }
+   * ```
+   */
+  async getManagementUrls(req) {
+    const { tenantId } = await this.validateRequest(req);
+    const base = this.config.authVitalHost;
+    return {
+      overview: `${base}/tenant/${tenantId}/overview`,
+      members: `${base}/tenant/${tenantId}/members`,
+      applications: `${base}/tenant/${tenantId}/applications`,
+      settings: `${base}/tenant/${tenantId}/settings`,
+      accountSettings: `${base}/account/settings`
+    };
+  }
+};
+function createAuthVital(config) {
+  return new AuthVital(config);
+}
+
+// src/server/oauth-flow.ts
+var _crypto = require('crypto'); var crypto2 = _interopRequireWildcard(_crypto);
+function generateCodeVerifier() {
+  return crypto2.randomBytes(32).toString("base64url");
+}
+function generateCodeChallenge(verifier) {
+  const hash = crypto2.createHash("sha256").update(verifier).digest();
+  return hash.toString("base64url");
+}
+function generatePKCE() {
+  const codeVerifier = generateCodeVerifier();
+  const codeChallenge = generateCodeChallenge(codeVerifier);
+  return { codeVerifier, codeChallenge };
+}
+function generateState() {
+  return crypto2.randomBytes(16).toString("base64url");
+}
+function encodeState(csrf, appState) {
+  const payload = { csrf, appState };
+  return Buffer.from(JSON.stringify(payload)).toString("base64url");
+}
+function decodeState(state) {
+  try {
+    const json = Buffer.from(state, "base64url").toString("utf-8");
+    return JSON.parse(json);
+  } catch (e4) {
+    return null;
+  }
+}
+function encodeStateWithVerifier(csrf, codeVerifier) {
+  const encodedVerifier = Buffer.from(codeVerifier).toString("base64url");
+  return `${csrf}:${encodedVerifier}`;
+}
+function decodeStateWithVerifier(state) {
+  const colonIndex = state.indexOf(":");
+  if (colonIndex === -1) return null;
+  const csrf = state.substring(0, colonIndex);
+  const encodedVerifier = state.substring(colonIndex + 1);
+  try {
+    const codeVerifier = Buffer.from(encodedVerifier, "base64url").toString("utf-8");
+    return { csrf, codeVerifier };
+  } catch (e5) {
+    return null;
+  }
+}
+function buildAuthorizeUrl(params) {
+  const url = new URL(`${params.authVitalHost}/oauth/authorize`);
+  url.searchParams.set("client_id", params.clientId);
+  url.searchParams.set("redirect_uri", params.redirectUri);
+  url.searchParams.set("response_type", "code");
+  url.searchParams.set("scope", params.scope || "openid profile email");
+  url.searchParams.set("state", params.state);
+  url.searchParams.set("code_challenge", params.codeChallenge);
+  url.searchParams.set("code_challenge_method", "S256");
+  if (params.nonce) {
+    url.searchParams.set("nonce", params.nonce);
+  }
+  return url.toString();
+}
+async function exchangeCodeForTokens(params) {
+  const body = {
+    grant_type: "authorization_code",
+    code: params.code,
+    redirect_uri: params.redirectUri,
+    client_id: params.clientId,
+    code_verifier: params.codeVerifier
+  };
+  if (params.clientSecret) {
+    body.client_secret = params.clientSecret;
+  }
+  const response = await fetch(`${params.authVitalHost}/oauth/token`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify(body)
+  });
+  if (!response.ok) {
+    const error = await response.json().catch(() => ({}));
+    throw new Error(error.message || `Token exchange failed: ${response.status}`);
+  }
+  return response.json();
+}
+async function refreshAccessToken(params) {
+  const body = {
+    grant_type: "refresh_token",
+    refresh_token: params.refreshToken,
+    client_id: params.clientId
+  };
+  if (params.clientSecret) {
+    body.client_secret = params.clientSecret;
+  }
+  const response = await fetch(`${params.authVitalHost}/oauth/token`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify(body)
+  });
+  if (!response.ok) {
+    const error = await response.json().catch(() => ({}));
+    throw new Error(error.message || `Token refresh failed: ${response.status}`);
+  }
+  return response.json();
+}
+function decodeJwt(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) return null;
+    const payload = Buffer.from(parts[1], "base64url").toString("utf-8");
+    return JSON.parse(payload);
+  } catch (e6) {
+    return null;
+  }
+}
+var OAuthFlow = class {
+  constructor(config) {
+    this.config = config;
+  }
+  /**
+   * Start the OAuth flow - generates PKCE, state, and authorize URL
+   * 
+   * @param options.appState - Optional app-specific state to pass through OAuth (e.g., return URL)
+   */
+  startFlow(options) {
+    const { codeVerifier, codeChallenge } = generatePKCE();
+    const csrfNonce = generateState();
+    const state = encodeState(csrfNonce, _optionalChain([options, 'optionalAccess', _35 => _35.appState]));
+    const authorizeUrl = buildAuthorizeUrl({
+      authVitalHost: this.config.authVitalHost,
+      clientId: this.config.clientId,
+      redirectUri: this.config.redirectUri,
+      state,
+      codeChallenge,
+      scope: this.config.scope
+    });
+    return { authorizeUrl, state, codeVerifier, codeChallenge };
+  }
+  /**
+   * Handle the OAuth callback - verify state and exchange code for tokens
+   * 
+   * @param code - Authorization code from callback
+   * @param receivedState - State parameter from callback URL
+   * @param expectedState - State that was stored when starting the flow
+   * @param codeVerifier - PKCE code verifier that was stored when starting the flow
+   * @returns Token response with optional appState that was passed through
+   * @throws Error if state doesn't match (CSRF) or token exchange fails
+   */
+  async handleCallback(code, receivedState, expectedState, codeVerifier) {
+    const receivedPayload = decodeState(receivedState);
+    const expectedPayload = decodeState(expectedState);
+    if (!receivedPayload || !expectedPayload) {
+      if (receivedState !== expectedState) {
+        throw new Error("State mismatch - possible CSRF attack");
+      }
+    } else {
+      if (receivedPayload.csrf !== expectedPayload.csrf) {
+        throw new Error("State mismatch - possible CSRF attack");
+      }
+    }
+    const tokens = await exchangeCodeForTokens({
+      authVitalHost: this.config.authVitalHost,
+      clientId: this.config.clientId,
+      clientSecret: this.config.clientSecret,
+      code,
+      codeVerifier,
+      redirectUri: this.config.redirectUri
+    });
+    return {
+      ...tokens,
+      appState: _optionalChain([receivedPayload, 'optionalAccess', _36 => _36.appState])
+    };
+  }
+  /**
+   * Refresh tokens using refresh token
+   */
+  async refreshTokens(refreshToken) {
+    return refreshAccessToken({
+      authVitalHost: this.config.authVitalHost,
+      clientId: this.config.clientId,
+      clientSecret: this.config.clientSecret,
+      refreshToken
+    });
+  }
+};
+
+// src/server/urls.ts
+function getSignupUrl(options) {
+  const url = new URL(`${options.authVitalHost}/auth/signup`);
+  url.searchParams.set("client_id", options.clientId);
+  if (options.redirectUri) {
+    url.searchParams.set("redirect_uri", options.redirectUri);
+  }
+  if (options.email) {
+    url.searchParams.set("email", options.email);
+  }
+  if (options.inviteToken) {
+    url.searchParams.set("invite_token", options.inviteToken);
+  }
+  return url.toString();
+}
+function getLoginUrl(options) {
+  const url = new URL(`${options.authVitalHost}/auth/login`);
+  url.searchParams.set("client_id", options.clientId);
+  if (options.redirectUri) {
+    url.searchParams.set("redirect_uri", options.redirectUri);
+  }
+  if (options.email) {
+    url.searchParams.set("email", options.email);
+  }
+  if (options.tenantHint) {
+    url.searchParams.set("tenant_hint", options.tenantHint);
+  }
+  return url.toString();
+}
+function getPasswordResetUrl(options) {
+  const url = new URL(`${options.authVitalHost}/auth/reset-password`);
+  url.searchParams.set("client_id", options.clientId);
+  if (options.redirectUri) {
+    url.searchParams.set("redirect_uri", options.redirectUri);
+  }
+  if (options.email) {
+    url.searchParams.set("email", options.email);
+  }
+  return url.toString();
+}
+function getInviteAcceptUrl(options) {
+  const url = new URL(`${options.authVitalHost}/auth/accept-invite`);
+  url.searchParams.set("client_id", options.clientId);
+  url.searchParams.set("token", options.inviteToken);
+  if (options.redirectUri) {
+    url.searchParams.set("redirect_uri", options.redirectUri);
+  }
+  return url.toString();
+}
+function getLogoutUrl(options) {
+  const url = new URL(`${options.authVitalHost}/api/auth/logout/redirect`);
+  if (options.postLogoutRedirectUri) {
+    url.searchParams.set("post_logout_redirect_uri", options.postLogoutRedirectUri);
+  }
+  return url.toString();
+}
+function getAccountSettingsUrl(authVitalHost) {
+  return `${authVitalHost.replace(/\/$/, "")}/account/settings`;
+}
+
+// src/sync/prisma-schema.ts
+var IDENTITY_SCHEMA = `
+// =============================================================================
+// AUTHVITAL IDENTITY (synced from IDP)
+// =============================================================================
+// Copy this into your schema.prisma and customize as needed.
+// The sync handler only touches these base fields.
+
+model Identity {
+  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+  // CORE IDENTITY (synced from AuthVital - OIDC Standard Claims)
+  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+  id                String    @id                      // AuthVital subject ID (sub claim)
+  username          String?   @unique                  // Unique handle (@janesmith)
+  displayName       String?   @map("display_name")     // Full name (OIDC: name)
+  givenName         String?   @map("given_name")       // First name
+  familyName        String?   @map("family_name")      // Last name
+  middleName        String?   @map("middle_name")      // Middle name(s)
+  nickname          String?                            // Casual name
+  pictureUrl        String?   @map("picture_url")      // Profile picture URL
+  website           String?                            // Personal URL
+  gender            String?                            // Gender identity
+  birthdate         String?                            // YYYY-MM-DD
+  zoneinfo          String?                            // IANA timezone
+  locale            String?                            // Language (e.g., en-US)
+  
+  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+  // EMAIL SCOPE (OIDC Standard)
+  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+  email             String?   @unique
+  emailVerified     Boolean   @default(false) @map("email_verified")
+  
+  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+  // PHONE SCOPE (OIDC Standard)
+  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+  phone             String?   @unique
+  phoneVerified     Boolean   @default(false) @map("phone_verified")
+  
+  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+  // TENANT CONTEXT (for multi-tenant apps)
+  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+  tenantId          String?   @map("tenant_id")        // Current tenant ID
+  appRole           String?   @map("app_role")         // Role slug (e.g., "admin")
+  groups            String[]  @default([])             // Group slugs in tenant
+  
+  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+  // STATUS
+  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+  isActive          Boolean   @default(true) @map("is_active")       // IDP-level: can user log in at all?
+  hasAppAccess      Boolean   @default(true) @map("has_app_access")  // App-level: does user have access to THIS app?
+  
+  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+  // SYNC METADATA
+  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+  syncedAt          DateTime  @default(now()) @map("synced_at")
+  createdAt         DateTime  @default(now()) @map("created_at")
+  updatedAt         DateTime  @updatedAt @map("updated_at")
+  
+  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+  // RELATIONS
+  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+  sessions          IdentitySession[]
+  
+  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+  // ADD YOUR APP-SPECIFIC RELATIONS BELOW
+  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+  // profile         UserProfile?
+  // posts           Post[]
+  
+  @@index([tenantId])
+  @@index([email])
+  @@index([username])
+  @@map("av_identities")
+}
+`;
+var IDENTITY_SESSION_SCHEMA = `
+// =============================================================================
+// AUTHVITAL IDENTITY SESSION (optional - for session management)
+// =============================================================================
+
+model IdentitySession {
+  id              String    @id @default(cuid())
+  identityId      String    @map("identity_id")
+  identity        Identity  @relation(fields: [identityId], references: [id], onDelete: Cascade)
+  
+  authSessionId   String?   @map("auth_session_id")   // AuthVital session ID
+  deviceInfo      String?   @map("device_info")       // Parsed device info
+  ipAddress       String?   @map("ip_address")
+  userAgent       String?   @map("user_agent")
+  
+  createdAt       DateTime  @default(now()) @map("created_at")
+  lastActiveAt    DateTime  @default(now()) @map("last_active_at")
+  expiresAt       DateTime  @map("expires_at")
+  revokedAt       DateTime? @map("revoked_at")
+  
+  @@index([identityId])
+  @@index([authSessionId])
+  @@map("av_identity_sessions")
+}
+`;
+var FULL_SCHEMA = `${IDENTITY_SCHEMA}
+
+${IDENTITY_SESSION_SCHEMA}`;
+function printSchema() {
+  console.log("// ============================================================================");
+  console.log("// AUTHVITAL SDK - PRISMA SCHEMA SNIPPET");
+  console.log("// Copy the following into your schema.prisma file");
+  console.log("// ============================================================================");
+  console.log(FULL_SCHEMA);
+}
+
+// src/sync/identity-sync-handler.ts
+function extractOidcFields(data) {
+  const fields = {};
+  if (data.preferred_username !== void 0) fields.username = data.preferred_username;
+  if (data.name !== void 0) fields.displayName = data.name;
+  if (data.given_name !== void 0) fields.givenName = data.given_name;
+  if (data.family_name !== void 0) fields.familyName = data.family_name;
+  if (data.middle_name !== void 0) fields.middleName = data.middle_name;
+  if (data.nickname !== void 0) fields.nickname = data.nickname;
+  if (data.picture !== void 0) fields.pictureUrl = data.picture;
+  if (data.website !== void 0) fields.website = data.website;
+  if (data.gender !== void 0) fields.gender = data.gender;
+  if (data.birthdate !== void 0) fields.birthdate = data.birthdate;
+  if (data.zoneinfo !== void 0) fields.zoneinfo = data.zoneinfo;
+  if (data.locale !== void 0) fields.locale = data.locale;
+  if (data.email !== void 0) fields.email = data.email;
+  if (data.email_verified !== void 0) fields.emailVerified = data.email_verified;
+  if (data.phone_number !== void 0) fields.phone = data.phone_number;
+  if (data.phone_number_verified !== void 0) fields.phoneVerified = data.phone_number_verified;
+  if (data.groups !== void 0) fields.groups = data.groups;
+  return fields;
+}
+var IdentitySyncHandler = class extends _chunkFXVD4Y5Gjs.AuthVitalEventHandler {
+  /**
+   * Create a new identity sync handler
+   * 
+   * @param prismaOrResolver - Either a Prisma client (shared DB) or a resolver function (tenant-isolated DBs)
+   * 
+   * @example Shared database
+   * ```typescript
+   * new IdentitySyncHandler(prisma)
+   * ```
+   * 
+   * @example Tenant-isolated databases
+   * ```typescript
+   * new IdentitySyncHandler((tenantId) => getTenantPrisma(tenantId))
+   * ```
+   */
+  constructor(prismaOrResolver) {
+    super();
+    this.prismaOrResolver = prismaOrResolver;
+    this.isResolver = typeof prismaOrResolver === "function";
+  }
+  /**
+   * Get the Prisma client for the given tenant
+   * - Shared DB mode: Returns the single client (tenantId ignored)
+   * - Tenant-isolated mode: Calls resolver with tenantId
+   */
+  async getClient(tenantId) {
+    if (this.isResolver) {
+      if (!tenantId) {
+        throw new Error(
+          "[IdentitySyncHandler] Tenant-isolated mode requires tenant_id in webhook event. Ensure webhooks are configured with tenant context."
+        );
+      }
+      return this.prismaOrResolver(tenantId);
+    }
+    return this.prismaOrResolver;
+  }
+  // ===========================================================================
+  // SUBJECT EVENTS (identity lifecycle)
+  // ===========================================================================
+  async onSubjectCreated(event) {
+    const prisma = await this.getClient(event.tenant_id);
+    const data = event.data;
+    const oidcFields = extractOidcFields(data);
+    const identityData = {
+      id: data.sub,
+      ...oidcFields,
+      tenantId: _nullishCoalesce(event.tenant_id, () => ( null)),
+      isActive: true
+    };
+    await prisma.identity.upsert({
+      where: { id: data.sub },
+      create: identityData,
+      update: {
+        ...oidcFields,
+        syncedAt: /* @__PURE__ */ new Date()
+      }
+    });
+  }
+  async onSubjectUpdated(event) {
+    const prisma = await this.getClient(event.tenant_id);
+    const data = event.data;
+    const oidcFields = extractOidcFields(data);
+    const updateData = {
+      syncedAt: /* @__PURE__ */ new Date()
+    };
+    const changedFields = _nullishCoalesce(data.changed_fields, () => ( []));
+    if (changedFields.length === 0) {
+      Object.assign(updateData, oidcFields);
+    } else {
+      const fieldMap = {
+        "preferred_username": "username",
+        "username": "username",
+        "name": "displayName",
+        "display_name": "displayName",
+        "given_name": "givenName",
+        "family_name": "familyName",
+        "middle_name": "middleName",
+        "nickname": "nickname",
+        "picture": "pictureUrl",
+        "website": "website",
+        "gender": "gender",
+        "birthdate": "birthdate",
+        "zoneinfo": "zoneinfo",
+        "locale": "locale",
+        "email": "email",
+        "email_verified": "emailVerified",
+        "phone_number": "phone",
+        "phone_verified": "phoneVerified",
+        "groups": "groups"
+      };
+      for (const field of changedFields) {
+        const mappedField = fieldMap[field];
+        if (mappedField && mappedField in oidcFields) {
+          updateData[mappedField] = oidcFields[mappedField];
+        }
+      }
+    }
+    await prisma.identity.upsert({
+      where: { id: data.sub },
+      create: {
+        id: data.sub,
+        ...oidcFields,
+        isActive: true
+      },
+      update: updateData
+    });
+  }
+  async onSubjectDeleted(event) {
+    const prisma = await this.getClient(event.tenant_id);
+    const { sub } = event.data;
+    try {
+      await prisma.identity.delete({
+        where: { id: sub }
+      });
+    } catch (e7) {
+      console.warn(`[IdentitySyncHandler] Identity ${sub} not found for deletion`);
+    }
+  }
+  async onSubjectDeactivated(event) {
+    const prisma = await this.getClient(event.tenant_id);
+    const { sub } = event.data;
+    await prisma.identity.update({
+      where: { id: sub },
+      data: {
+        isActive: false,
+        syncedAt: /* @__PURE__ */ new Date()
+      }
+    });
+  }
+  // ===========================================================================
+  // MEMBER EVENTS (tenant context)
+  // ===========================================================================
+  async onMemberJoined(event) {
+    const prisma = await this.getClient(event.tenant_id);
+    const data = event.data;
+    const tenantId = event.tenant_id;
+    const oidcFields = extractOidcFields(data);
+    const primaryRole = _nullishCoalesce(_optionalChain([data, 'access', _37 => _37.tenant_roles, 'optionalAccess', _38 => _38[0]]), () => ( null));
+    await prisma.identity.upsert({
+      where: { id: data.sub },
+      create: {
+        id: data.sub,
+        ...oidcFields,
+        tenantId: _nullishCoalesce(tenantId, () => ( null)),
+        appRole: primaryRole,
+        isActive: true
+      },
+      update: {
+        ...oidcFields,
+        tenantId: _nullishCoalesce(tenantId, () => ( null)),
+        appRole: primaryRole,
+        groups: _nullishCoalesce(data.groups, () => ( [])),
+        syncedAt: /* @__PURE__ */ new Date()
+      }
+    });
+  }
+  async onMemberLeft(event) {
+    const prisma = await this.getClient(event.tenant_id);
+    const { sub } = event.data;
+    await prisma.identity.update({
+      where: { id: sub },
+      data: {
+        tenantId: null,
+        appRole: null,
+        groups: [],
+        syncedAt: /* @__PURE__ */ new Date()
+      }
+    });
+  }
+  async onMemberRoleChanged(event) {
+    const prisma = await this.getClient(event.tenant_id);
+    const data = event.data;
+    const oidcFields = extractOidcFields(data);
+    const primaryRole = _nullishCoalesce(_optionalChain([data, 'access', _39 => _39.tenant_roles, 'optionalAccess', _40 => _40[0]]), () => ( null));
+    await prisma.identity.update({
+      where: { id: data.sub },
+      data: {
+        ...oidcFields,
+        appRole: primaryRole,
+        groups: _nullishCoalesce(data.groups, () => ( [])),
+        syncedAt: /* @__PURE__ */ new Date()
+      }
+    });
+  }
+  // ===========================================================================
+  // APP ACCESS EVENTS (app-specific role)
+  // ===========================================================================
+  async onAppAccessGranted(event) {
+    const prisma = await this.getClient(event.tenant_id);
+    const data = event.data;
+    const tenantId = event.tenant_id;
+    const oidcFields = extractOidcFields(data);
+    await prisma.identity.upsert({
+      where: { id: data.sub },
+      create: {
+        id: data.sub,
+        ...oidcFields,
+        tenantId: _nullishCoalesce(tenantId, () => ( null)),
+        appRole: _nullishCoalesce(data.role_slug, () => ( null)),
+        isActive: true,
+        hasAppAccess: true
+      },
+      update: {
+        ...oidcFields,
+        tenantId: _nullishCoalesce(tenantId, () => ( null)),
+        appRole: _nullishCoalesce(data.role_slug, () => ( null)),
+        hasAppAccess: true,
+        groups: _nullishCoalesce(data.groups, () => ( [])),
+        syncedAt: /* @__PURE__ */ new Date()
+      }
+    });
+  }
+  async onAppAccessRevoked(event) {
+    const prisma = await this.getClient(event.tenant_id);
+    const { sub } = event.data;
+    await prisma.identity.update({
+      where: { id: sub },
+      data: {
+        appRole: null,
+        hasAppAccess: false,
+        syncedAt: /* @__PURE__ */ new Date()
+      }
+    });
+  }
+  async onAppAccessRoleChanged(event) {
+    const prisma = await this.getClient(event.tenant_id);
+    const data = event.data;
+    const oidcFields = extractOidcFields(data);
+    await prisma.identity.update({
+      where: { id: data.sub },
+      data: {
+        ...oidcFields,
+        appRole: _nullishCoalesce(data.role_slug, () => ( null)),
+        groups: _nullishCoalesce(data.groups, () => ( [])),
+        syncedAt: /* @__PURE__ */ new Date()
+      }
+    });
+  }
+};
+
+// src/sync/session-cleanup.ts
+async function cleanupSessions(prisma, options = {}) {
+  const {
+    expiredOlderThanDays = 30,
+    deleteRevoked = false,
+    dryRun = false
+  } = options;
+  const cutoffDate = /* @__PURE__ */ new Date();
+  cutoffDate.setDate(cutoffDate.getDate() - expiredOlderThanDays);
+  const whereConditions = [
+    // Expired sessions older than cutoff
+    { expiresAt: { lt: cutoffDate } }
+  ];
+  if (deleteRevoked) {
+    whereConditions.push({ revokedAt: { lt: cutoffDate } });
+  }
+  if (dryRun) {
+    console.log("[SessionCleanup] DRY RUN - Would delete sessions:");
+    console.log(`  - Expired before: ${cutoffDate.toISOString()}`);
+    if (deleteRevoked) {
+      console.log(`  - Revoked before: ${cutoffDate.toISOString()}`);
+    }
+    return {
+      deletedCount: 0,
+      // Can't know without actually querying
+      dryRun: true
+    };
+  }
+  const result = await prisma.identitySession.deleteMany({
+    where: {
+      OR: whereConditions
+    }
+  });
+  console.log(`[SessionCleanup] Deleted ${result.count} sessions`);
+  return {
+    deletedCount: result.count,
+    dryRun: false
+  };
+}
+function getCleanupSQL(options = {}) {
+  const { expiredOlderThanDays = 30, deleteRevoked = false } = options;
+  let sql = `-- AuthVital SDK: Session Cleanup
+-- Run this periodically (e.g., daily via pg_cron)
+
+DELETE FROM av_identity_sessions
+WHERE expires_at < NOW() - INTERVAL '${expiredOlderThanDays} days'`;
+  if (deleteRevoked) {
+    sql += `
+   OR revoked_at < NOW() - INTERVAL '${expiredOlderThanDays} days'`;
+  }
+  sql += ";";
+  return sql;
+}
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+exports.AppAccessEventHandler = _chunkFXVD4Y5Gjs.AppAccessEventHandler; exports.AuthVital = AuthVital; exports.AuthVitalEventHandler = _chunkFXVD4Y5Gjs.AuthVitalEventHandler; exports.BaseClient = BaseClient; exports.FULL_SCHEMA = FULL_SCHEMA; exports.IDENTITY_SCHEMA = IDENTITY_SCHEMA; exports.IDENTITY_SESSION_SCHEMA = IDENTITY_SESSION_SCHEMA; exports.IdentitySyncHandler = IdentitySyncHandler; exports.InviteEventHandler = _chunkFXVD4Y5Gjs.InviteEventHandler; exports.JwtValidator = JwtValidator; exports.LicenseEventHandler = _chunkFXVD4Y5Gjs.LicenseEventHandler; exports.MemberEventHandler = _chunkFXVD4Y5Gjs.MemberEventHandler; exports.OAuthFlow = OAuthFlow; exports.SYNC_EVENT_TYPES = _chunkFXVD4Y5Gjs.SYNC_EVENT_TYPES; exports.SubjectEventHandler = _chunkFXVD4Y5Gjs.SubjectEventHandler; exports.WebhookRouter = _chunkFXVD4Y5Gjs.WebhookRouter; exports.WebhookVerifier = _chunkFXVD4Y5Gjs.AuthVitalWebhooks; exports.appendClientIdToUri = appendClientIdToUri; exports.buildAuthorizeUrl = buildAuthorizeUrl; exports.cleanupSessions = cleanupSessions; exports.createAuthVital = createAuthVital; exports.createEntitlementsNamespace = createEntitlementsNamespace; exports.createInvitationsNamespace = createInvitationsNamespace; exports.createJwtMiddleware = createJwtMiddleware; exports.createJwtValidator = createJwtValidator; exports.createLicensesNamespace = createLicensesNamespace; exports.createMembershipsNamespace = createMembershipsNamespace; exports.createPassportJwtOptions = createPassportJwtOptions; exports.createPermissionsNamespace = createPermissionsNamespace; exports.createSessionsNamespace = createSessionsNamespace; exports.decodeJwt = decodeJwt; exports.decodeState = decodeState; exports.decodeStateWithVerifier = decodeStateWithVerifier; exports.encodeState = encodeState; exports.encodeStateWithVerifier = encodeStateWithVerifier; exports.exchangeCodeForTokens = exchangeCodeForTokens; exports.extractAuthorizationHeader = extractAuthorizationHeader; exports.generateCodeChallenge = generateCodeChallenge; exports.generateCodeVerifier = generateCodeVerifier; exports.generatePKCE = generatePKCE; exports.generateState = generateState; exports.getAccountSettingsUrl = getAccountSettingsUrl; exports.getCleanupSQL = getCleanupSQL; exports.getCurrentUser = getCurrentUser; exports.getCurrentUserFromConfig = getCurrentUserFromConfig; exports.getInviteAcceptUrl = getInviteAcceptUrl; exports.getLoginUrl = getLoginUrl; exports.getLogoutUrl = getLogoutUrl; exports.getPasswordResetUrl = getPasswordResetUrl; exports.getSignupUrl = getSignupUrl; exports.isAppAccessEvent = _chunkFXVD4Y5Gjs.isAppAccessEvent; exports.isInviteEvent = _chunkFXVD4Y5Gjs.isInviteEvent; exports.isLicenseEvent = _chunkFXVD4Y5Gjs.isLicenseEvent; exports.isMemberEvent = _chunkFXVD4Y5Gjs.isMemberEvent; exports.isSubjectEvent = _chunkFXVD4Y5Gjs.isSubjectEvent; exports.printSchema = printSchema; exports.refreshAccessToken = refreshAccessToken;