convex-zen 0.0.1

package/dist/component/core/verifications.d.ts

@@ -0,0 +1,34 @@
+/**
+ * Create a verification code for a given identifier and type.
+ * Any previous verification of the same type is replaced.
+ * Returns the raw code (to be sent to the user) and the expiry.
+ */
+export declare const create: import("convex/server").RegisteredMutation<"internal", any, Promise<{
+    code: string;
+    expiresAt: number;
+}>>;
+/**
+ * Get verification record without consuming it.
+ */
+export declare const getByIdentifierType: import("convex/server").RegisteredQuery<"internal", any, Promise<any>>;
+/**
+ * Verify a code for an identifier and type.
+ * Increments attempt count; invalidates after MAX_ATTEMPTS.
+ * Returns status: "valid" | "invalid" | "expired" | "too_many_attempts"
+ */
+export declare const verify: import("convex/server").RegisteredMutation<"internal", any, Promise<{
+    status: "invalid";
+} | {
+    status: "expired";
+} | {
+    status: "too_many_attempts";
+} | {
+    status: "valid";
+}>>;
+/** Delete a verification record (e.g., after successful use or on cancel). */
+export declare const invalidate: import("convex/server").RegisteredMutation<"internal", any, Promise<void>>;
+/**
+ * Cleanup expired verifications (intended to be scheduled).
+ */
+export declare const cleanup: import("convex/server").RegisteredMutation<"internal", any, Promise<void>>;
+//# sourceMappingURL=verifications.d.ts.map

package/dist/component/core/verifications.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifications.d.ts","sourceRoot":"","sources":["../../../src/component/core/verifications.ts"],"names":[],"mappings":"AAaA;;;;GAIG;AACH,eAAO,MAAM,MAAM;;;GAwCjB,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,mBAAmB,wEAgB9B,CAAC;AAEH;;;;GAIG;AACH,eAAO,MAAM,MAAM;;;;;;;;GA+CjB,CAAC;AAEH,8EAA8E;AAC9E,eAAO,MAAM,UAAU,4EAmBrB,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,OAAO,4EAYlB,CAAC"}

package/dist/component/core/verifications.js

@@ -0,0 +1,135 @@
+import { v } from "convex/values";
+import { internalMutation, internalQuery } from "../_generated/server";
+import { generateCode, hashToken } from "../lib/crypto";
+/** Max attempts before a verification code is locked. */
+const MAX_ATTEMPTS = 10;
+/** Email verification TTL: 60 minutes. */
+const EMAIL_VERIFICATION_TTL_MS = 60 * 60 * 1000;
+/** Password reset TTL: 15 minutes. */
+const PASSWORD_RESET_TTL_MS = 15 * 60 * 1000;
+/**
+ * Create a verification code for a given identifier and type.
+ * Any previous verification of the same type is replaced.
+ * Returns the raw code (to be sent to the user) and the expiry.
+ */
+export const create = internalMutation({
+    args: {
+        identifier: v.string(),
+        type: v.union(v.literal("email-verification"), v.literal("password-reset")),
+    },
+    handler: async (ctx, { identifier, type }) => {
+        const now = Date.now();
+        const code = generateCode();
+        const codeHash = await hashToken(code);
+        const ttl = type === "email-verification"
+            ? EMAIL_VERIFICATION_TTL_MS
+            : PASSWORD_RESET_TTL_MS;
+        const expiresAt = now + ttl;
+        // Remove any existing verification of this type for this identifier
+        const existing = await ctx.db
+            .query("verifications")
+            .withIndex("by_identifier_type", (q) => q.eq("identifier", identifier).eq("type", type))
+            .unique();
+        if (existing) {
+            await ctx.db.delete(existing._id);
+        }
+        await ctx.db.insert("verifications", {
+            identifier,
+            type,
+            codeHash,
+            expiresAt,
+            attempts: 0,
+            createdAt: now,
+        });
+        return { code, expiresAt };
+    },
+});
+/**
+ * Get verification record without consuming it.
+ */
+export const getByIdentifierType = internalQuery({
+    args: {
+        identifier: v.string(),
+        type: v.union(v.literal("email-verification"), v.literal("password-reset")),
+    },
+    handler: async (ctx, { identifier, type }) => {
+        return await ctx.db
+            .query("verifications")
+            .withIndex("by_identifier_type", (q) => q.eq("identifier", identifier).eq("type", type))
+            .unique();
+    },
+});
+/**
+ * Verify a code for an identifier and type.
+ * Increments attempt count; invalidates after MAX_ATTEMPTS.
+ * Returns status: "valid" | "invalid" | "expired" | "too_many_attempts"
+ */
+export const verify = internalMutation({
+    args: {
+        identifier: v.string(),
+        type: v.union(v.literal("email-verification"), v.literal("password-reset")),
+        code: v.string(),
+    },
+    handler: async (ctx, { identifier, type, code }) => {
+        const record = await ctx.db
+            .query("verifications")
+            .withIndex("by_identifier_type", (q) => q.eq("identifier", identifier).eq("type", type))
+            .unique();
+        if (!record) {
+            return { status: "invalid" };
+        }
+        const now = Date.now();
+        if (record.expiresAt < now) {
+            await ctx.db.delete(record._id);
+            return { status: "expired" };
+        }
+        if (record.attempts >= MAX_ATTEMPTS) {
+            return { status: "too_many_attempts" };
+        }
+        const codeHash = await hashToken(code);
+        if (codeHash !== record.codeHash) {
+            // Increment attempts
+            await ctx.db.patch(record._id, { attempts: record.attempts + 1 });
+            if (record.attempts + 1 >= MAX_ATTEMPTS) {
+                return { status: "too_many_attempts" };
+            }
+            return { status: "invalid" };
+        }
+        // Valid — delete the verification (single-use)
+        await ctx.db.delete(record._id);
+        return { status: "valid" };
+    },
+});
+/** Delete a verification record (e.g., after successful use or on cancel). */
+export const invalidate = internalMutation({
+    args: {
+        identifier: v.string(),
+        type: v.union(v.literal("email-verification"), v.literal("password-reset")),
+    },
+    handler: async (ctx, { identifier, type }) => {
+        const record = await ctx.db
+            .query("verifications")
+            .withIndex("by_identifier_type", (q) => q.eq("identifier", identifier).eq("type", type))
+            .unique();
+        if (record) {
+            await ctx.db.delete(record._id);
+        }
+    },
+});
+/**
+ * Cleanup expired verifications (intended to be scheduled).
+ */
+export const cleanup = internalMutation({
+    args: {},
+    handler: async (ctx) => {
+        const now = Date.now();
+        // Collect and delete expired records
+        const allVerifications = await ctx.db.query("verifications").collect();
+        for (const v of allVerifications) {
+            if (v.expiresAt < now) {
+                await ctx.db.delete(v._id);
+            }
+        }
+    },
+});
+//# sourceMappingURL=verifications.js.map

package/dist/component/core/verifications.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifications.js","sourceRoot":"","sources":["../../../src/component/core/verifications.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,eAAe,CAAC;AAClC,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACvE,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAExD,yDAAyD;AACzD,MAAM,YAAY,GAAG,EAAE,CAAC;AAExB,0CAA0C;AAC1C,MAAM,yBAAyB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAEjD,sCAAsC;AACtC,MAAM,qBAAqB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAE7C;;;;GAIG;AACH,MAAM,CAAC,MAAM,MAAM,GAAG,gBAAgB,CAAC;IACrC,IAAI,EAAE;QACJ,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE;QACtB,IAAI,EAAE,CAAC,CAAC,KAAK,CACX,CAAC,CAAC,OAAO,CAAC,oBAAoB,CAAC,EAC/B,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAC5B;KACF;IACD,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,EAAE,EAAE;QAC3C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,IAAI,GAAG,YAAY,EAAE,CAAC;QAC5B,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,CAAC;QACvC,MAAM,GAAG,GACP,IAAI,KAAK,oBAAoB;YAC3B,CAAC,CAAC,yBAAyB;YAC3B,CAAC,CAAC,qBAAqB,CAAC;QAC5B,MAAM,SAAS,GAAG,GAAG,GAAG,GAAG,CAAC;QAE5B,oEAAoE;QACpE,MAAM,QAAQ,GAAG,MAAM,GAAG,CAAC,EAAE;aAC1B,KAAK,CAAC,eAAe,CAAC;aACtB,SAAS,CAAC,oBAAoB,EAAE,CAAC,CAAC,EAAE,EAAE,CACrC,CAAC,CAAC,EAAE,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC,EAAE,CAAC,MAAM,EAAE,IAAI,CAAC,CAChD;aACA,MAAM,EAAE,CAAC;QACZ,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,GAAG,CAAC,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QACpC,CAAC;QAED,MAAM,GAAG,CAAC,EAAE,CAAC,MAAM,CAAC,eAAe,EAAE;YACnC,UAAU;YACV,IAAI;YACJ,QAAQ;YACR,SAAS;YACT,QAAQ,EAAE,CAAC;YACX,SAAS,EAAE,GAAG;SACf,CAAC,CAAC;QAEH,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;IAC7B,CAAC;CACF,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAAG,aAAa,CAAC;IAC/C,IAAI,EAAE;QACJ,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE;QACtB,IAAI,EAAE,CAAC,CAAC,KAAK,CACX,CAAC,CAAC,OAAO,CAAC,oBAAoB,CAAC,EAC/B,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAC5B;KACF;IACD,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,EAAE,EAAE;QAC3C,OAAO,MAAM,GAAG,CAAC,EAAE;aAChB,KAAK,CAAC,eAAe,CAAC;aACtB,SAAS,CAAC,oBAAoB,EAAE,CAAC,CAAC,EAAE,EAAE,CACrC,CAAC,CAAC,EAAE,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC,EAAE,CAAC,MAAM,EAAE,IAAI,CAAC,CAChD;aACA,MAAM,EAAE,CAAC;IACd,CAAC;CACF,CAAC,CAAC;AAEH;;;;GAIG;AACH,MAAM,CAAC,MAAM,MAAM,GAAG,gBAAgB,CAAC;IACrC,IAAI,EAAE;QACJ,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE;QACtB,IAAI,EAAE,CAAC,CAAC,KAAK,CACX,CAAC,CAAC,OAAO,CAAC,oBAAoB,CAAC,EAC/B,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAC5B;QACD,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;KACjB;IACD,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,EAAE;QACjD,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,EAAE;aACxB,KAAK,CAAC,eAAe,CAAC;aACtB,SAAS,CAAC,oBAAoB,EAAE,CAAC,CAAC,EAAE,EAAE,CACrC,CAAC,CAAC,EAAE,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC,EAAE,CAAC,MAAM,EAAE,IAAI,CAAC,CAChD;aACA,MAAM,EAAE,CAAC;QAEZ,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,EAAE,MAAM,EAAE,SAAkB,EAAE,CAAC;QACxC,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEvB,IAAI,MAAM,CAAC,SAAS,GAAG,GAAG,EAAE,CAAC;YAC3B,MAAM,GAAG,CAAC,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAChC,OAAO,EAAE,MAAM,EAAE,SAAkB,EAAE,CAAC;QACxC,CAAC;QAED,IAAI,MAAM,CAAC,QAAQ,IAAI,YAAY,EAAE,CAAC;YACpC,OAAO,EAAE,MAAM,EAAE,mBAA4B,EAAE,CAAC;QAClD,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,CAAC;QAEvC,IAAI,QAAQ,KAAK,MAAM,CAAC,QAAQ,EAAE,CAAC;YACjC,qBAAqB;YACrB,MAAM,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,EAAE,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,GAAG,CAAC,EAAE,CAAC,CAAC;YAClE,IAAI,MAAM,CAAC,QAAQ,GAAG,CAAC,IAAI,YAAY,EAAE,CAAC;gBACxC,OAAO,EAAE,MAAM,EAAE,mBAA4B,EAAE,CAAC;YAClD,CAAC;YACD,OAAO,EAAE,MAAM,EAAE,SAAkB,EAAE,CAAC;QACxC,CAAC;QAED,+CAA+C;QAC/C,MAAM,GAAG,CAAC,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAChC,OAAO,EAAE,MAAM,EAAE,OAAgB,EAAE,CAAC;IACtC,CAAC;CACF,CAAC,CAAC;AAEH,8EAA8E;AAC9E,MAAM,CAAC,MAAM,UAAU,GAAG,gBAAgB,CAAC;IACzC,IAAI,EAAE;QACJ,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE;QACtB,IAAI,EAAE,CAAC,CAAC,KAAK,CACX,CAAC,CAAC,OAAO,CAAC,oBAAoB,CAAC,EAC/B,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAC5B;KACF;IACD,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,EAAE,EAAE;QAC3C,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,EAAE;aACxB,KAAK,CAAC,eAAe,CAAC;aACtB,SAAS,CAAC,oBAAoB,EAAE,CAAC,CAAC,EAAE,EAAE,CACrC,CAAC,CAAC,EAAE,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC,EAAE,CAAC,MAAM,EAAE,IAAI,CAAC,CAChD;aACA,MAAM,EAAE,CAAC;QACZ,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,GAAG,CAAC,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAClC,CAAC;IACH,CAAC;CACF,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,CAAC,MAAM,OAAO,GAAG,gBAAgB,CAAC;IACtC,IAAI,EAAE,EAAE;IACR,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE;QACrB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,qCAAqC;QACrC,MAAM,gBAAgB,GAAG,MAAM,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC,OAAO,EAAE,CAAC;QACvE,KAAK,MAAM,CAAC,IAAI,gBAAgB,EAAE,CAAC;YACjC,IAAI,CAAC,CAAC,SAAS,GAAG,GAAG,EAAE,CAAC;gBACtB,MAAM,GAAG,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;YAC7B,CAAC;QACH,CAAC;IACH,CAAC;CACF,CAAC,CAAC"}

package/dist/component/gateway.d.ts

@@ -0,0 +1,16 @@
+export declare const signUp: any;
+export declare const signIn: any;
+export declare const verifyEmail: any;
+export declare const requestPasswordReset: any;
+export declare const resetPassword: any;
+export declare const validateSession: any;
+export declare const invalidateSession: any;
+export declare const invalidateAllSessions: any;
+export declare const getAuthorizationUrl: any;
+export declare const handleCallback: any;
+export declare const adminListUsers: any;
+export declare const adminBanUser: any;
+export declare const adminUnbanUser: import("convex/server").RegisteredAction<"public", any, Promise<any>>;
+export declare const adminSetRole: import("convex/server").RegisteredAction<"public", any, Promise<any>>;
+export declare const adminDeleteUser: import("convex/server").RegisteredAction<"public", any, Promise<any>>;
+//# sourceMappingURL=gateway.d.ts.map

package/dist/component/gateway.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"gateway.d.ts","sourceRoot":"","sources":["../../src/component/gateway.ts"],"names":[],"mappings":"AAmBA,eAAO,MAAM,MAAM,KASjB,CAAC;AAEH,eAAO,MAAM,MAAM,KAUjB,CAAC;AAEH,eAAO,MAAM,WAAW,KAOtB,CAAC;AAEH,eAAO,MAAM,oBAAoB,KAO/B,CAAC;AAEH,eAAO,MAAM,aAAa,KAQxB,CAAC;AAIH,eAAO,MAAM,eAAe,KAO1B,CAAC;AAEH,eAAO,MAAM,iBAAiB,KAI5B,CAAC;AAEH,eAAO,MAAM,qBAAqB,KAMhC,CAAC;AAIH,eAAO,MAAM,mBAAmB,KAO9B,CAAC;AAEH,eAAO,MAAM,cAAc,KAWzB,CAAC;AAIH,eAAO,MAAM,cAAc,KA4BzB,CAAC;AAEH,eAAO,MAAM,YAAY,KA8BvB,CAAC;AAEH,eAAO,MAAM,cAAc,uEA0BzB,CAAC;AAEH,eAAO,MAAM,YAAY,uEA4BvB,CAAC;AAEH,eAAO,MAAM,eAAe,uEA0B1B,CAAC"}

package/dist/component/gateway.js

@@ -0,0 +1,229 @@
+/**
+ * Public gateway — the only functions callable from the host app.
+ *
+ * All functions are `action` (not `internalAction`) so they appear in the
+ * component's public API and can be reached via ctx.runAction / ctx.runQuery
+ * from the parent Convex backend. They simply delegate to the corresponding
+ * internal functions.
+ *
+ * Internal functions remain `internalAction`/`internalMutation`/`internalQuery`
+ * and are only callable from within this component.
+ */
+import { v } from "convex/values";
+import { action } from "./_generated/server";
+import { internal } from "./_generated/api";
+import { oauthProviderConfigValidator } from "./lib/validators";
+// ─── Email / Password ──────────────────────────────────────────────────────
+export const signUp = action({
+    args: {
+        email: v.string(),
+        password: v.string(),
+        name: v.optional(v.string()),
+        ipAddress: v.optional(v.string()),
+    },
+    handler: (ctx, args) => ctx.runAction(internal.providers.emailPassword.signUp, args),
+});
+export const signIn = action({
+    args: {
+        email: v.string(),
+        password: v.string(),
+        ipAddress: v.optional(v.string()),
+        userAgent: v.optional(v.string()),
+        requireEmailVerified: v.optional(v.boolean()),
+    },
+    handler: (ctx, args) => ctx.runAction(internal.providers.emailPassword.signIn, args),
+});
+export const verifyEmail = action({
+    args: {
+        email: v.string(),
+        code: v.string(),
+    },
+    handler: (ctx, args) => ctx.runAction(internal.providers.emailPassword.verifyEmail, args),
+});
+export const requestPasswordReset = action({
+    args: {
+        email: v.string(),
+        ipAddress: v.optional(v.string()),
+    },
+    handler: (ctx, args) => ctx.runAction(internal.providers.emailPassword.requestPasswordReset, args),
+});
+export const resetPassword = action({
+    args: {
+        email: v.string(),
+        code: v.string(),
+        newPassword: v.string(),
+    },
+    handler: (ctx, args) => ctx.runAction(internal.providers.emailPassword.resetPassword, args),
+});
+// ─── Sessions ──────────────────────────────────────────────────────────────
+export const validateSession = action({
+    args: {
+        token: v.string(),
+        checkBanned: v.optional(v.boolean()),
+    },
+    handler: (ctx, args) => ctx.runAction(internal.core.sessions.validate, args),
+});
+export const invalidateSession = action({
+    args: { token: v.string() },
+    handler: (ctx, args) => ctx.runMutation(internal.core.sessions.invalidateByToken, args),
+});
+export const invalidateAllSessions = action({
+    args: { userId: v.string() },
+    handler: (ctx, { userId }) => ctx.runMutation(internal.core.sessions.invalidateAll, {
+        userId: userId,
+    }),
+});
+// ─── OAuth ─────────────────────────────────────────────────────────────────
+export const getAuthorizationUrl = action({
+    args: {
+        provider: oauthProviderConfigValidator,
+        redirectUrl: v.optional(v.string()),
+    },
+    handler: (ctx, args) => ctx.runAction(internal.providers.oauth.getAuthorizationUrl, args),
+});
+export const handleCallback = action({
+    args: {
+        provider: oauthProviderConfigValidator,
+        code: v.string(),
+        state: v.string(),
+        redirectUrl: v.optional(v.string()),
+        ipAddress: v.optional(v.string()),
+        userAgent: v.optional(v.string()),
+    },
+    handler: (ctx, args) => ctx.runAction(internal.providers.oauth.handleCallback, args),
+});
+// ─── Admin ─────────────────────────────────────────────────────────────────
+export const adminListUsers = action({
+    args: {
+        adminToken: v.string(),
+        limit: v.optional(v.number()),
+        cursor: v.optional(v.string()),
+    },
+    handler: async (ctx, { adminToken, limit, cursor }) => {
+        const session = await ctx.runAction(internal.core.sessions.validate, {
+            token: adminToken,
+            checkBanned: true,
+        });
+        if (!session) {
+            throw new Error("Unauthorized");
+        }
+        const adminUser = await ctx.runQuery(internal.core.users.getById, {
+            userId: session.userId,
+        });
+        if (!adminUser || adminUser.role !== "admin") {
+            throw new Error("Forbidden");
+        }
+        return ctx.runQuery(internal.plugins.admin.listUsers, {
+            actorUserId: session.userId,
+            limit,
+            cursor,
+        });
+    },
+});
+export const adminBanUser = action({
+    args: {
+        adminToken: v.string(),
+        userId: v.string(),
+        reason: v.optional(v.string()),
+        expiresAt: v.optional(v.number()),
+    },
+    handler: async (ctx, { adminToken, userId, reason, expiresAt }) => {
+        const session = await ctx.runAction(internal.core.sessions.validate, {
+            token: adminToken,
+            checkBanned: true,
+        });
+        if (!session) {
+            throw new Error("Unauthorized");
+        }
+        const adminUser = await ctx.runQuery(internal.core.users.getById, {
+            userId: session.userId,
+        });
+        if (!adminUser || adminUser.role !== "admin") {
+            throw new Error("Forbidden");
+        }
+        return ctx.runMutation(internal.plugins.admin.banUser, {
+            actorUserId: session.userId,
+            userId: userId,
+            reason,
+            expiresAt,
+        });
+    },
+});
+export const adminUnbanUser = action({
+    args: {
+        adminToken: v.string(),
+        userId: v.string(),
+    },
+    handler: async (ctx, { adminToken, userId }) => {
+        const session = await ctx.runAction(internal.core.sessions.validate, {
+            token: adminToken,
+            checkBanned: true,
+        });
+        if (!session) {
+            throw new Error("Unauthorized");
+        }
+        const adminUser = await ctx.runQuery(internal.core.users.getById, {
+            userId: session.userId,
+        });
+        if (!adminUser || adminUser.role !== "admin") {
+            throw new Error("Forbidden");
+        }
+        return ctx.runMutation(internal.plugins.admin.unbanUser, {
+            actorUserId: session.userId,
+            userId: userId,
+        });
+    },
+});
+export const adminSetRole = action({
+    args: {
+        adminToken: v.string(),
+        userId: v.string(),
+        role: v.string(),
+    },
+    handler: async (ctx, { adminToken, userId, role }) => {
+        const session = await ctx.runAction(internal.core.sessions.validate, {
+            token: adminToken,
+            checkBanned: true,
+        });
+        if (!session) {
+            throw new Error("Unauthorized");
+        }
+        const adminUser = await ctx.runQuery(internal.core.users.getById, {
+            userId: session.userId,
+        });
+        if (!adminUser || adminUser.role !== "admin") {
+            throw new Error("Forbidden");
+        }
+        return ctx.runMutation(internal.plugins.admin.setRole, {
+            actorUserId: session.userId,
+            userId: userId,
+            role,
+        });
+    },
+});
+export const adminDeleteUser = action({
+    args: {
+        adminToken: v.string(),
+        userId: v.string(),
+    },
+    handler: async (ctx, { adminToken, userId }) => {
+        const session = await ctx.runAction(internal.core.sessions.validate, {
+            token: adminToken,
+            checkBanned: true,
+        });
+        if (!session) {
+            throw new Error("Unauthorized");
+        }
+        const adminUser = await ctx.runQuery(internal.core.users.getById, {
+            userId: session.userId,
+        });
+        if (!adminUser || adminUser.role !== "admin") {
+            throw new Error("Forbidden");
+        }
+        return ctx.runMutation(internal.plugins.admin.deleteUser, {
+            actorUserId: session.userId,
+            userId: userId,
+        });
+    },
+});
+//# sourceMappingURL=gateway.js.map

package/dist/component/gateway.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"gateway.js","sourceRoot":"","sources":["../../src/component/gateway.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,OAAO,EAAE,CAAC,EAAE,MAAM,eAAe,CAAC;AAClC,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAC7C,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C,OAAO,EAAE,4BAA4B,EAAE,MAAM,kBAAkB,CAAC;AAEhE,8EAA8E;AAE9E,MAAM,CAAC,MAAM,MAAM,GAAG,MAAM,CAAC;IAC3B,IAAI,EAAE;QACJ,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;QACjB,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE;QACpB,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QAC5B,SAAS,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;KAClC;IACD,OAAO,EAAE,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE,CACrB,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,aAAa,CAAC,MAAM,EAAE,IAAI,CAAC;CAC/D,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,MAAM,GAAG,MAAM,CAAC;IAC3B,IAAI,EAAE;QACJ,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;QACjB,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE;QACpB,SAAS,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QACjC,SAAS,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QACjC,oBAAoB,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;KAC9C;IACD,OAAO,EAAE,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE,CACrB,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,aAAa,CAAC,MAAM,EAAE,IAAI,CAAC;CAC/D,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,WAAW,GAAG,MAAM,CAAC;IAChC,IAAI,EAAE;QACJ,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;QACjB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;KACjB;IACD,OAAO,EAAE,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE,CACrB,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,aAAa,CAAC,WAAW,EAAE,IAAI,CAAC;CACpE,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,oBAAoB,GAAG,MAAM,CAAC;IACzC,IAAI,EAAE;QACJ,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;QACjB,SAAS,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;KAClC;IACD,OAAO,EAAE,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE,CACrB,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,aAAa,CAAC,oBAAoB,EAAE,IAAI,CAAC;CAC7E,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,aAAa,GAAG,MAAM,CAAC;IAClC,IAAI,EAAE;QACJ,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;QACjB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;QAChB,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE;KACxB;IACD,OAAO,EAAE,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE,CACrB,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,aAAa,CAAC,aAAa,EAAE,IAAI,CAAC;CACtE,CAAC,CAAC;AAEH,8EAA8E;AAE9E,MAAM,CAAC,MAAM,eAAe,GAAG,MAAM,CAAC;IACpC,IAAI,EAAE;QACJ,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;QACjB,WAAW,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;KACrC;IACD,OAAO,EAAE,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE,CACrB,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,IAAI,CAAC;CACvD,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,iBAAiB,GAAG,MAAM,CAAC;IACtC,IAAI,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE;IAC3B,OAAO,EAAE,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE,CACrB,GAAG,CAAC,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,iBAAiB,EAAE,IAAI,CAAC;CAClE,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,qBAAqB,GAAG,MAAM,CAAC;IAC1C,IAAI,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE;IAC5B,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,CAC3B,GAAG,CAAC,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,aAAa,EAAE;QACpD,MAAM,EAAE,MAAqB;KAC9B,CAAC;CACL,CAAC,CAAC;AAEH,8EAA8E;AAE9E,MAAM,CAAC,MAAM,mBAAmB,GAAG,MAAM,CAAC;IACxC,IAAI,EAAE;QACJ,QAAQ,EAAE,4BAA4B;QACtC,WAAW,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;KACpC;IACD,OAAO,EAAE,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE,CACrB,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,KAAK,CAAC,mBAAmB,EAAE,IAAI,CAAC;CACpE,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,cAAc,GAAG,MAAM,CAAC;IACnC,IAAI,EAAE;QACJ,QAAQ,EAAE,4BAA4B;QACtC,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;QAChB,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;QACjB,WAAW,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QACnC,SAAS,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QACjC,SAAS,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;KAClC;IACD,OAAO,EAAE,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE,CACrB,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,KAAK,CAAC,cAAc,EAAE,IAAI,CAAC;CAC/D,CAAC,CAAC;AAEH,8EAA8E;AAE9E,MAAM,CAAC,MAAM,cAAc,GAAG,MAAM,CAAC;IACnC,IAAI,EAAE;QACJ,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE;QACtB,KAAK,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QAC7B,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;KAC/B;IACD,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE,EAAE;QACpD,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE;YACnE,KAAK,EAAE,UAAU;YACjB,WAAW,EAAE,IAAI;SAClB,CAAC,CAAC;QACH,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CAAC,cAAc,CAAC,CAAC;QAClC,CAAC;QAED,MAAM,SAAS,GAAG,MAAM,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE;YAChE,MAAM,EAAE,OAAO,CAAC,MAAM;SACvB,CAAC,CAAC;QACH,IAAI,CAAC,SAAS,IAAI,SAAS,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YAC7C,MAAM,IAAI,KAAK,CAAC,WAAW,CAAC,CAAC;QAC/B,CAAC;QAED,OAAO,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,SAAS,EAAE;YACpD,WAAW,EAAE,OAAO,CAAC,MAAM;YAC3B,KAAK;YACL,MAAM;SACP,CAAC,CAAC;IACL,CAAC;CACF,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,YAAY,GAAG,MAAM,CAAC;IACjC,IAAI,EAAE;QACJ,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE;QACtB,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;QAClB,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QAC9B,SAAS,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;KAClC;IACD,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,EAAE,EAAE;QAChE,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE;YACnE,KAAK,EAAE,UAAU;YACjB,WAAW,EAAE,IAAI;SAClB,CAAC,CAAC;QACH,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CAAC,cAAc,CAAC,CAAC;QAClC,CAAC;QAED,MAAM,SAAS,GAAG,MAAM,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE;YAChE,MAAM,EAAE,OAAO,CAAC,MAAM;SACvB,CAAC,CAAC;QACH,IAAI,CAAC,SAAS,IAAI,SAAS,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YAC7C,MAAM,IAAI,KAAK,CAAC,WAAW,CAAC,CAAC;QAC/B,CAAC;QAED,OAAO,GAAG,CAAC,WAAW,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,OAAO,EAAE;YACrD,WAAW,EAAE,OAAO,CAAC,MAAM;YAC3B,MAAM,EAAE,MAAqB;YAC7B,MAAM;YACN,SAAS;SACV,CAAC,CAAC;IACL,CAAC;CACF,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,cAAc,GAAG,MAAM,CAAC;IACnC,IAAI,EAAE;QACJ,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE;QACtB,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;KACnB;IACD,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,UAAU,EAAE,MAAM,EAAE,EAAE,EAAE;QAC7C,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE;YACnE,KAAK,EAAE,UAAU;YACjB,WAAW,EAAE,IAAI;SAClB,CAAC,CAAC;QACH,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CAAC,cAAc,CAAC,CAAC;QAClC,CAAC;QAED,MAAM,SAAS,GAAG,MAAM,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE;YAChE,MAAM,EAAE,OAAO,CAAC,MAAM;SACvB,CAAC,CAAC;QACH,IAAI,CAAC,SAAS,IAAI,SAAS,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YAC7C,MAAM,IAAI,KAAK,CAAC,WAAW,CAAC,CAAC;QAC/B,CAAC;QAED,OAAO,GAAG,CAAC,WAAW,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,SAAS,EAAE;YACvD,WAAW,EAAE,OAAO,CAAC,MAAM;YAC3B,MAAM,EAAE,MAAqB;SAC9B,CAAC,CAAC;IACL,CAAC;CACF,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,YAAY,GAAG,MAAM,CAAC;IACjC,IAAI,EAAE;QACJ,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE;QACtB,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;QAClB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;KACjB;IACD,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,EAAE,EAAE;QACnD,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE;YACnE,KAAK,EAAE,UAAU;YACjB,WAAW,EAAE,IAAI;SAClB,CAAC,CAAC;QACH,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CAAC,cAAc,CAAC,CAAC;QAClC,CAAC;QAED,MAAM,SAAS,GAAG,MAAM,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE;YAChE,MAAM,EAAE,OAAO,CAAC,MAAM;SACvB,CAAC,CAAC;QACH,IAAI,CAAC,SAAS,IAAI,SAAS,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YAC7C,MAAM,IAAI,KAAK,CAAC,WAAW,CAAC,CAAC;QAC/B,CAAC;QAED,OAAO,GAAG,CAAC,WAAW,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,OAAO,EAAE;YACrD,WAAW,EAAE,OAAO,CAAC,MAAM;YAC3B,MAAM,EAAE,MAAqB;YAC7B,IAAI;SACL,CAAC,CAAC;IACL,CAAC;CACF,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,eAAe,GAAG,MAAM,CAAC;IACpC,IAAI,EAAE;QACJ,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE;QACtB,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;KACnB;IACD,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,UAAU,EAAE,MAAM,EAAE,EAAE,EAAE;QAC7C,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE;YACnE,KAAK,EAAE,UAAU;YACjB,WAAW,EAAE,IAAI;SAClB,CAAC,CAAC;QACH,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CAAC,cAAc,CAAC,CAAC;QAClC,CAAC;QAED,MAAM,SAAS,GAAG,MAAM,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE;YAChE,MAAM,EAAE,OAAO,CAAC,MAAM;SACvB,CAAC,CAAC;QACH,IAAI,CAAC,SAAS,IAAI,SAAS,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YAC7C,MAAM,IAAI,KAAK,CAAC,WAAW,CAAC,CAAC;QAC/B,CAAC;QAED,OAAO,GAAG,CAAC,WAAW,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,UAAU,EAAE;YACxD,WAAW,EAAE,OAAO,CAAC,MAAM;YAC3B,MAAM,EAAE,MAAqB;SAC9B,CAAC,CAAC;IACL,CAAC;CACF,CAAC,CAAC"}

package/dist/component/lib/crypto.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Cryptographic utilities using Web Crypto API.
+ * All token generation uses crypto.getRandomValues for 256+ bit entropy.
+ * Tokens are stored as SHA-256 hashes only (never raw).
+ */
+/** Generate a cryptographically secure 32-byte random hex token (256 bits). */
+export declare function generateToken(): string;
+/** SHA-256 hash a string token, returns hex string. */
+export declare function hashToken(token: string): Promise<string>;
+/** Base64url encode bytes (no padding). Used for PKCE code challenge. */
+export declare function base64url(bytes: Uint8Array): string;
+/** Generate a PKCE code verifier (32 random bytes, base64url encoded). */
+export declare function generateCodeVerifier(): string;
+/** Generate a PKCE code challenge (SHA-256 of verifier, base64url encoded). */
+export declare function generateCodeChallenge(verifier: string): Promise<string>;
+/**
+ * Generate a cryptographically secure 8-character alphanumeric code.
+ * Uses rejection sampling to avoid modulo bias.
+ * Charset: A-Z, 0-9 (36 chars) — avoids ambiguous chars like 0/O, 1/I/l.
+ */
+export declare function generateCode(): string;
+/** Generate a 32-byte random state token for OAuth (returned as hex). */
+export declare function generateState(): string;
+//# sourceMappingURL=crypto.d.ts.map

package/dist/component/lib/crypto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../../../src/component/lib/crypto.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,+EAA+E;AAC/E,wBAAgB,aAAa,IAAI,MAAM,CAMtC;AAED,uDAAuD;AACvD,wBAAsB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAM9D;AAED,yEAAyE;AACzE,wBAAgB,SAAS,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CAGnD;AAED,0EAA0E;AAC1E,wBAAgB,oBAAoB,IAAI,MAAM,CAI7C;AAED,+EAA+E;AAC/E,wBAAsB,qBAAqB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAK7E;AAED;;;;GAIG;AACH,wBAAgB,YAAY,IAAI,MAAM,CAOrC;AAED,yEAAyE;AACzE,wBAAgB,aAAa,IAAI,MAAM,CAEtC"}

package/dist/component/lib/crypto.js

@@ -0,0 +1,57 @@
+/**
+ * Cryptographic utilities using Web Crypto API.
+ * All token generation uses crypto.getRandomValues for 256+ bit entropy.
+ * Tokens are stored as SHA-256 hashes only (never raw).
+ */
+/** Generate a cryptographically secure 32-byte random hex token (256 bits). */
+export function generateToken() {
+    const bytes = new Uint8Array(32);
+    crypto.getRandomValues(bytes);
+    return Array.from(bytes)
+        .map((b) => b.toString(16).padStart(2, "0"))
+        .join("");
+}
+/** SHA-256 hash a string token, returns hex string. */
+export async function hashToken(token) {
+    const encoder = new TextEncoder();
+    const data = encoder.encode(token);
+    const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+    const hashArray = Array.from(new Uint8Array(hashBuffer));
+    return hashArray.map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+/** Base64url encode bytes (no padding). Used for PKCE code challenge. */
+export function base64url(bytes) {
+    const base64 = btoa(String.fromCharCode(...bytes));
+    return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+/** Generate a PKCE code verifier (32 random bytes, base64url encoded). */
+export function generateCodeVerifier() {
+    const bytes = new Uint8Array(32);
+    crypto.getRandomValues(bytes);
+    return base64url(bytes);
+}
+/** Generate a PKCE code challenge (SHA-256 of verifier, base64url encoded). */
+export async function generateCodeChallenge(verifier) {
+    const encoder = new TextEncoder();
+    const data = encoder.encode(verifier);
+    const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+    return base64url(new Uint8Array(hashBuffer));
+}
+/**
+ * Generate a cryptographically secure 8-character alphanumeric code.
+ * Uses rejection sampling to avoid modulo bias.
+ * Charset: A-Z, 0-9 (36 chars) — avoids ambiguous chars like 0/O, 1/I/l.
+ */
+export function generateCode() {
+    const charset = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"; // 32 chars, power of 2
+    const bytes = new Uint8Array(8);
+    crypto.getRandomValues(bytes);
+    return Array.from(bytes)
+        .map((b) => charset[b & 31]) // 32 = 2^5, no bias since 256 / 32 = 8 exactly
+        .join("");
+}
+/** Generate a 32-byte random state token for OAuth (returned as hex). */
+export function generateState() {
+    return generateToken();
+}
+//# sourceMappingURL=crypto.js.map

package/dist/component/lib/crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../../../src/component/lib/crypto.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,+EAA+E;AAC/E,MAAM,UAAU,aAAa;IAC3B,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IACjC,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;IAC9B,OAAO,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC;SACrB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;SAC3C,IAAI,CAAC,EAAE,CAAC,CAAC;AACd,CAAC;AAED,uDAAuD;AACvD,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,KAAa;IAC3C,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACnC,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;IAC/D,MAAM,SAAS,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC;IACzD,OAAO,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;AACxE,CAAC;AAED,yEAAyE;AACzE,MAAM,UAAU,SAAS,CAAC,KAAiB;IACzC,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC;IACnD,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;AAC1E,CAAC;AAED,0EAA0E;AAC1E,MAAM,UAAU,oBAAoB;IAClC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IACjC,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;IAC9B,OAAO,SAAS,CAAC,KAAK,CAAC,CAAC;AAC1B,CAAC;AAED,+EAA+E;AAC/E,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,QAAgB;IAC1D,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IACtC,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;IAC/D,OAAO,SAAS,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC;AAC/C,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,YAAY;IAC1B,MAAM,OAAO,GAAG,kCAAkC,CAAC,CAAC,uBAAuB;IAC3E,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC;IAChC,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;IAC9B,OAAO,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC;SACrB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,+CAA+C;SAC3E,IAAI,CAAC,EAAE,CAAC,CAAC;AACd,CAAC;AAED,yEAAyE;AACzE,MAAM,UAAU,aAAa;IAC3B,OAAO,aAAa,EAAE,CAAC;AACzB,CAAC"}

package/dist/component/lib/rateLimit.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Check if a key is currently rate limited.
+ * Returns { limited: true, retryAfter } if locked, { limited: false } otherwise.
+ */
+export declare const check: import("convex/server").RegisteredQuery<"internal", {
+    key: string;
+}, Promise<{
+    limited: false;
+    retryAfter?: never;
+} | {
+    limited: true;
+    retryAfter: number;
+}>>;
+/**
+ * Increment failure count for a key. Applies lockout if threshold reached.
+ */
+export declare const increment: import("convex/server").RegisteredMutation<"internal", {
+    key: string;
+}, Promise<void>>;
+/**
+ * Reset rate limit for a key (called on successful auth).
+ */
+export declare const reset: import("convex/server").RegisteredMutation<"internal", {
+    key: string;
+}, Promise<void>>;
+//# sourceMappingURL=rateLimit.d.ts.map

package/dist/component/lib/rateLimit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rateLimit.d.ts","sourceRoot":"","sources":["../../../src/component/lib/rateLimit.ts"],"names":[],"mappings":"AAYA;;;GAGG;AACH,eAAO,MAAM,KAAK;;;;;;;;GA4BhB,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,SAAS;;iBA0CpB,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,KAAK;;iBAchB,CAAC"}